1 Common Criteria Discussions CCSDS Security Working Group Spring 2008 Meeting 11-12 March 2008 Washington DC (Marriott Courtyard Crystal City, Virginia)
2 Background
ISO – Common Criteria for Information Technology Security Evaluation
– International standard
– Security requirements
– Common evaluation methodology
– Mutual evaluation recognition (25 countries)
Protection Profiles
– Designed as an “acquisition” document
» Desired security services
Security Targets
– Designed as a vendor “technical delivery” specification
» Documents the security services provided in a product with respect to a Protection Profile

3 Types of PPs Already Written
– Access control devices
– Boundary protection devices/systems (aka firewalls)
– Databases
– Detection devices/systems (IDS)
– ICs, Smart Cards, devices and systems
– Key Management systems
– Network and Network-related devices/systems
– Operating systems
– Other devices/systems (e.g., ATM, biometric, certificate issuing)
– Digital Signature products

4 Why Common Criteria? Advocate the use of PPs to specify (in standardized terms) the full extent of a system’s security requirements.

5 Space PPs
What would a space PP consist of?
– Profiles of mission security requirements?
» Formalization, in CC terms, of security requirements, by mission type, a la security architecture?
– PPs for space ‘unique’ systems, e.g.,
» C&DH/command & control
» Solid state recorders
» Shared bus
» Others?

6 Example – Cash Machine (1)
This Protection Profile has been developed to specify the requirements in terms of functionalities and levels of assurance applicable to ACDs/ATMs. Many transactions can be carried out via an ACD/ATM. The target has therefore been deliberately restricted to matters connected with the use of a card, the identification of the cardholder (the confidentiality of the PIN, etc.) and the dispensing of cash (the integrity of the interfaces with the server, etc.).
The target of evaluation comprises:
– a central processing unit (the “brain” which conditions or coordinates its overall operation),
– a cash dispenser (a hardware device for taking banknotes from cash cassettes and delivering them to the cardholder),
– a card reader (for smart cards and possibly stripe cards),
– an input device for the cardholder to use (subsequently termed the “keypad”).
The Protection Profile relates mainly to interchanges between these various components, which are normally grouped together within a single hardware enclosure (see the diagram above), but any other architecture may be considered.
(1) Bull, Dassault, Diebold, NCR, Siemens Nixdorf, Wang Global

7 Discussion
Does this make sense?
Should we attempt to do this?
Will anyone use it – or even care about it?
Do the National Space Agencies use the Common Criteria – or should they?
– US requires FISMA (Federal Information Security Management Act)
» NIST Federal Information Processing Standards
» No mention of CC evaluated products
– What about everyone else?

8 Example: US Federal Aviation Administration (FAA)
FAA has developed a Protection Profile library of templates
Three PP classes (characteristics) resulting in 18 different PPs
– Mission:
» Mission critical National Airspace System (NAS)
» Mission support/administrative
– Technology and Security Enclave:
» Wide area network
» Local area network/facility communications
» Applications system
– Risk:
» High risk/critical system
» Moderate risk/essential system
» Low risk/routine system
FAA PP Library

10 National Airspace System (NAS)
NAS is very much akin to a distributed mission control center
From the FAA PP for high risk WAN:
– The TOE is a high risk WAN that will operate within the U.S. National Airspace System (NAS). The NAS is defined as “the common network of U.S. airspace; air navigation facilities, equipment and services; airports or landing areas; aeronautical charts, information and services; rules, regulations and procedures; technical information; and manpower and material.” The NAS encompasses everything and everyone providing FAA-regulated flight operations support services to aviators in airspace for which the United States has jurisdiction or responsibility. Included are system components shared jointly with the military. The NAS is an evolving system of technologies, procedures, and people intended to meet the needs of NAS users and service providers. In short, the NAS is a system of systems that executes a safety-critical mission on a 7x24 basis nationwide.

11 Example: FAA PP Assets & Sensitivities

Information                                                                    Security Classification
I. FAA Operational Voice and Data
  1.1 Air to Ground Voice                                                      SBU
  1.2 Air to Ground Data                                                       SBU
  1.3 Ground to Ground Voice                                                   SBU
  1.4 Ground to Ground Data                                                    SBU
  1.5 Ground to Air Voice                                                      SBU
  1.6 Ground to Air Data                                                       SBU
II. System Hardware, Software, Firmware
  2.1 Cryptographic Keys, other security credentials                           SSI
  2.2 Cryptographic Equipment                                                  SSI
  2.3 Application System (hardware, software, firmware)                        FOUO
  2.4 LAN/WAN telecommunications infrastructure (hardware, software, firmware) FOUO/SSI
  2.5 System Operation and Management hardware, software, firmware             FOUO/SSI
  2.6 Security management hardware, software, firmware                         FOUO/SSI
  2.7 End-user system hardware, software, firmware                             FOUO/SSI
  2.8 Interfaces to Military, Law Enforcement, and Other Government Agencies   FOUO/SSI

Key: NR - not rated, public information; SBU - sensitive but unclassified; FOUO - for official use only; SSI - security sensitive information

12 Way Forward?
Write a space system Protection Profile?
– What program/system?
– Should we/can we write a “system” PP?
» ISS
» Constellation
» ATV
» Planetary explorer
» Near-earth explorer
» Meteorological
» Other?
– Or should we write a PP to cover a segment of a system?
» Mission control system
» Launch control system
» Public data dissemination system
» Other?
If this is a good thing, do we have volunteers?

13 Discussion/Direction