THREAT DETECTION & MITIGATION ON THE ICE CUBES SERVICE
The ICE Cubes service was commissioned in August 2018 on board the ISS (International Space Station) to provide a commercial service allowing private entities to build and operate experiments hosted on the ISS in the ICE Cubes Facility. The ICE Cubes Facility in ESA’s space laboratory Columbus offers plug-and-play installation for cube-sized experiments that relay experiment data back to Earth through the International Space Station’s infrastructure. The ICE Cubes control centre in Belgium offers unique continuous access to experiments. From anywhere in the world, a customer can log in to their ICE Cube through an internet connection. The data can be monitored at any time of the day, and customers can even send commands to the experiment cubes to change parameters or start the next step in the experiment.
The ICE Cubes service comprises the ICE Cubes Control Centre (ICMCC) in Zaventem, Belgium; customers/investigators connected from locations worldwide to their experiments on board the ISS through the ICMCC; and the ICE Cubes Facility on board the ISS, which provides power and data to the Cubes/Experiments. The service provides Internet protocols (TCP/IP, UDP) to the investigators so that they can monitor and control their Experiment/Cube from their office to the ISS. The security of the service, especially cyber security, is a high priority.
The ICE Cubes service is based on a partnership between Space Applications Services and ESA and is part of ESA’s human and robotic exploration strategy to ensure access to the weightless research possibilities in low Earth orbit.
The security of the ICE Cubes service is governed by an internal security management plan. The following paragraphs present an overview of the aspects related to the prevention, detection and mitigation of physical and cyber attacks on the service. In terms of prevention, the architecture of the service is audited by external parties mandated by ESA. Processes are in place to ensure that the software services receive security updates. Investigators connect to the ICMCC via VPN and are authenticated using two-factor authentication. Network traffic is monitored, and the security logs of the system components are centralised. Physical access to the ICMCC is controlled via
Application and overall impact
The following points might benefit from a comprehensive security framework proposed by 7SHIELD:
- A single dashboard centralizing the security status of the service: service status and reports, threat and environment forecast, attack detections, crisis responses;
- Improved threat detection, in particular cyber-attack detection: awareness status, correlation of threat detection sources;
- Tracking and reporting of previous attacks, responses, updates and lessons learned;
- Remote notifications to the operator and security officer;
- Improved data authentication/authorization/non-repudiation system, response-mitigation tools and procedures.