st05213-ad01.en10 GMES data security

  • 8/7/2019 st05213-ad01.en10 GMES data security

    PUBLIC

    5213/10 ADD 1 1

    EU SITCEN LIMITE EN

    COUNCIL OF

    THE EUROPEAN UNION

    Brussels, 12 January 2010

    5213/10

    ADD 1

    LIMITE

    CSCGMES 1

    CAB 2

    CSC 3

    COMPET 9

    RECH 6

    COSDP 21

    ADDENDUM TO THE NOTE

    From : The Council Security Committee experts' sub-area for GMES data security

    To : The Council Security Committee

    Subject : Recommendations on GMES data security policy

    - Analysis paper

    I. Introduction

    A. General framework

    Data collected and processed within GMES, whether collected in support of the

    European Union's policies for environment and for security, may be potentially harmful

    to the security of the European Union and/or its Member States, to their citizens, to

    foreign policy concerns and, if relevant, to the conduct of European Union operations in

    the following cases:

    - they present an interest for defence and national security in a broad sense; that is the case of security services but also some open services;

    - they contain data coming from sources falling within the scope of control of national space laws;

    - they contain environmental and geographic data with dissemination restrictions already covered by European directives;

    - they contain data coming from Third Countries of which the reliability may not be guaranteed and of which the use may present potential risks;

    - non sensitive data that when merged or processed through specific algorithms fall into the above mentioned criteria.

    The potentially harmful status of a transaction is limited in time because it

    immediately induces the risk evaluation process described in Heading IV. A. 1. If this

    process proves the actual harmfulness of the transaction it will be dealt with using the

    most appropriate security response tool. One of the possible response tools may be the

    classification of the data.

    Before GMES enters its operational phase, the European Commission, which is

    responsible for the overall implementation of the GMES initiative, has requested the

    advice of the Council of the European Union on how to address the security dimension

    of GMES data policy. The Council Security Committee has decided to create a

    dedicated sub area 1 mandated to issue a recommendation paper by December 2009.

    In this context, the principle of "full and open access to information produced by GMES

    services and data collected through GMES infrastructure, subject to relevant security

    restrictions" 2 is recalled. This should help promote the widest possible use and sharing

    of earth observation data and information in line with the proposed Shared

    Environmental Information System (SEIS) and in accordance with existing legislation

    such as the INSPIRE Directive and national legislations, taking into account the Global

    Earth Observation System of Systems (GEOSS) principles.

    1 See doc. 13571/01/08 REV 1.

    2 See Art. 8,1, b) of the proposal for a Regulation of the European Parliament and of the

    Council on the European Earth Observation programme (GMES) and its initial operations

    (2011-2013); doc. 10285/09.

    B. Scope of the document

    The aim of the document is to give recommendations to the European Commission on

    the security dimension of GMES data policy and on possible dedicated security

    structures for the operational phase of GMES with adequate links to its overall

    governance.

    The document shall cover the following items :

    a) data security measures to avoid any violation of existing or future rules of security, as well as illegal or inappropriate dissemination of data collected and processed;

    b) physical protection of infrastructures (hardware and software) against intentional and accidental threats;

    c) protection of GMES users and personnel involved in GMES; and

    d) risk assessment capabilities related to the elements listed above.

    Due consideration will be taken of existing solutions developed at national or

    international level for comparable systems, with a view to harmonise the security of the

    system as a whole and of data collected, processed and stored. This is to ensure that the

    best international standards on security (for instance ISO 27001), regarding potentially

    harmful data (including classified data, if needed) are met.

    C. Perimeter of the recommendations

    For this purpose all efforts are to be made to define the perimeter and boundaries of the

    "system of systems" to which the recommendations will apply. The same perimeter

    shall cover the rules and procedures on security of systems and of data to be

    implemented, considering, first of all, an evaluation of risks to the security both of

    systems and of the data collected and processed.

    The perimeter mainly covers European Union's infrastructures.

    Member States contributions to GMES are also included in the perimeter, both as

    owners of national systems, by which they cooperate within the GMES initiative,

    providing and exchanging data and as end users of the systems. It is recognised however

    that each national system participating to GMES follows its national procedures and

    national laws and regulations on data policy.

    The recommendations also address data exchanged with entities outside the perimeter of

    GMES including third States and international organisations.

    Considering the complexity of GMES the perimeter will be articulated in different

    concentric circles with corresponding security requirements.

    Within the perimeter of GMES a distinction should be made between :

    a) Systems that are operated by the European Union and its agencies or by companies contracted by the European Union;

    b) Systems that are operated by international organisations for the European Union, its Member States and GMES associated States (Norway, Switzerland etc);

    c) Systems operated for GMES within and under the responsibility of a Member State of the European Union;

    d) Systems operated by third States through partnerships and specific collaborations.

    It is also necessary to distinguish between infrastructures, services, systems and data

    managed and financed by the Commission in the framework of the GMES programme

    (corresponding to points a, b and parts of the activities in point d above), on the one

    hand, and other infrastructures, services and systems and data (the "GMES initiative"

    coordinated by the Commission, of which the Community GMES programme is a part),

    on the other hand.

    D. Glossary and acronyms

    A glossary of acronyms and definitions of the terms used in the document is to be found

    in Annex 2. The definitions stated are working definitions for the purpose of the

    recommendation paper (doc 5213/10) and this analysis paper.

    II. General principles on GMES Security

    The principle of "full and open access to information produced by GMES services and data

    collected through GMES infrastructure, subject to relevant security restrictions" 3 is the

    guiding principle to develop GMES data security. It means that security restrictions arising

    from national security and foreign policy concerns can be requested if deemed appropriate.

    In this respect, the GMES data control mechanism should fully take into account any

    protection measure taken at national level.

    The aim of GMES security is to design and deploy appropriate mechanisms to ensure that the

    security risks related to GMES data are mastered, while remaining as transparent and flexible

    for the end users as possible.

    A prerequisite therefore is that any GMES data is subject to a regular risk assessment. Most

    data shall not be subject to specific security measures as long as no particular risk has been

    identified and detected.

    Upon identification of new threats or vulnerabilities the data security policy of GMES and

    corresponding structures should permit a rapid adaptation of the security configuration to

    meet the security environment and to reduce risks.

    Changing threats, vulnerabilities or changes in likelihood or consequences can increase or

    decrease security risk previously assessed. A review of security risks, including low and

    accepted risks, should be undertaken periodically.

    The first step of risk management is to conduct a detailed risk assessment of GMES, its data

    and its components.

    3 Art. 8, 1, b) of the proposal for a Regulation of the European Parliament and of the Council

    on the European Earth Observation programme (GMES) and its initial operations (2011-2013). See doc. 10285/09.

    A. The Security of GMES

    1. Components of GMES Security

    a) The security of GMES information services (GMES Service Component);

    b) The security of the GMES Space Component and the GMES In Situ Component;

    c) The security of physical GMES infrastructure covering space and in situ systems of the European Union or made available by Member States and international organisations;

    d) The security of GMES data, which includes collecting, processing, storing and transmitting GMES data generated within GMES or data fed into GMES;

    e) The security of GMES users, which can be put at risk by GMES data and services;

    f) The security of the European Union, its Member States and their citizens;

    g) The security of GMES downstream services as they can pose threat to the national security of the Member States and as they are key contributors to GMES economy.

    2. Responsibilities

    A chain of responsibility regarding GMES data handling and data security should

    be established for GMES, based on the results of a risk analysis of GMES, its data

    and its components.

    The European Commission is responsible for the overall implementation of the

    GMES initiative.

    However it is necessary to distinguish among the services that will use GMES

    data between the services that are under programmatic control and the parts for

    which the development is left to private initiative and that will contribute to the

    development of the "GMES Economy".

    In both cases, misuse of GMES data can pose security problems and appropriate

    entities must be identified to manage the security of GMES data.

    a) Components under programmatic control

    Who holds the responsibility of a system under programmatic control varies

    according to who operates the entity.

    1) Some entities are operated under the responsibility of the European Commission by its agencies or by companies contracted by the European Union;

    2) Some entities are operated under the responsibility of international organisations;

    3) Some entities are operated under the responsibility of a Member State of the European Union;

    4) Some entities are operated by third States through partnerships and specific collaborations.

    A harmonisation of the security procedures and the establishment of clear

    interfaces between the various entities responsible for the development and

    operation of GMES based services should be considered. In any case national

    security needs should be duly safeguarded.

    b) Data outside programmatic control, yet within the European Union

    Within the European Union the proper handling of GMES data is ensured

    under the responsibility of the Member State in which the activity is taking

    place.

    Some Member States have developed specific legal tools to manage the use of

    certain geospatial information on their territory (see Annex 4 : possible

    implementation tools and examples).

    In the GMES context and more broadly, an identification exercise of national

    geospatial laws, regulations and procedures should be performed and, on that

    basis, the possibility for an evolution of the INSPIRE directive and/or for

    harmonising national laws, regulations and procedures should be considered

    with respect to potential security risks relating to geospatial data.

    c) Data outside programmatic control and outside the European Union

    The data security dimension should be addressed specifically in the

    collaboration with third States and/or international organisations involved in

    or cooperating with GMES; the specific risks related to the distribution of data

    should be considered.

    B. Proposed methodology

    1. General principle

    The methodology proposed in this document is consistent with most methods

    applied when handling security in systems, organisations or infrastructures

    (irrespective of their possible classification). Subsequent to a political decision

    stating the need for securing the system, it consists of :

    - Risk analysis

    - Security requirements

    - Mitigation measures

    - Security compliance checks

    The management of GMES Security shall be based on a proven, transparent and

    fully understandable risk assessment process.

    The four stages of risk management (assessment, treatment, acceptance and

    communication) shall be conducted as an iterative process that is permanently

    readjusted, particularly as both the nature of the risks and the services delivered

    by GMES will evolve in time.

    A permanent operational security monitoring instrument should be

    established across the various GMES systems and components to

    dynamically monitor the risks related to GMES. It should connect to

    dedicated monitoring centres performing similar functions within the

    European Union, Member States and associated States.

    (b) Potential targets and vulnerabilities

    The identification of potential targets for attacks and vulnerabilities in the

    GMES components and data generated should be performed as the GMES

    initiative develops.

    The security awareness of staff involved in all GMES elements should be

    developed, as they are best placed to evaluate the vulnerability and potential

    danger of the element they are working on.

    Proper training should be offered to all staff involved in GMES concerning

    the security dimension of geospatial data and other risks. An efficient

    reporting chain should be established within the GMES Community.

    This aspect should be documented in the security documents of GMES.

    (c) Risk analysis chain

    A risk analysis should be performed, which includes the following stages:

    - identify the assets and sources to be protected;

    - identify the types and levels of threats referred to a certain system or sub system;

    - indicate specific vulnerabilities of the system;

    - identify the security measures to be adopted.

    3. GMES Security Management Document (SMD)

    A standard documentation gathering the Security Management Document (GMES-SMD)

    and composed of element-specific Security Management Documents (element-SMDs)

    is to be issued for the GMES system and each of its elements.

    These documents, drafted on the basis of a threat and vulnerabilities assessment,

    should at least mention:

    - the risks identified by the threats and vulnerabilities assessment,

    - the proposed mitigation measures and related documents,

    - the various structures performing security functions within the GMES perimeter,

    - the connections to external structures performing related functions,

    - relevant procedures.

    III. Security and the overall GMES governance

    A. Requested capabilities

    The following capabilities should be considered, in terms of governance, to meet the

    European Union and Member States data security needs:

    - To address the security implications of strategic choices in the GMES program;

    - To receive and share information on the threats level, and to determine accordingly the potential harmfulness of a transaction and, in limited cases and if deemed appropriate, the possible need for classification;

    - To monitor, within the GMES perimeter, vulnerabilities, suspicious behaviours and attempts of breaches into the system which pose a risk;

    - To monitor data at the most detailed level possible (transaction level) in order to identify potentially harmful data and take appropriate measure whilst limiting the impact on the normal functioning of the system;

    - To detect, investigate and mitigate security incidents, both internally and externally; and

    - To prevent in a timely manner the dissemination of data that has been designated as harmful by a Member State.

    B. Structure and mission of the Security Board

    A GMES Security Board should be established. It would be responsible for advising

    the European Commission on the security issues related to GMES and its

    development. The opinion of the Security Board should be duly taken into account.

    1. Structure

    The Security Board should be composed of security and geospatial experts from

    Member States. Third States and international organisations involved in GMES

    could also be represented under specific conditions to be defined.

    2. Missions

    (a) To establish the GMES-SMD;

    (b) To make recommendations on the security implications and possible risks of international cooperation, including the possible need for data protection-related agreements;

    C. Recommendation on the structure and mission of a GMES permanent operational security monitoring instrument

    The creation of a permanent operational security monitoring instrument should be

    envisaged in order to ensure the necessary reactivity requested for time sensitive

    decisions and to offer security-related technical support to GMES.

    1. Structure

    The solution should offer an operational capability.

    Implementation choices to be made later are however not prejudiced.

    2. Missions

    (a) To provide security-related technical expertise to the GMES Security Board and the various entities within GMES;

    (b) to prepare and update the overall GMES SMD;

    (c) to interface with the security chains of the GMES elements;

    (d) to perform security assessments.

    IV. Security of GMES data

    A. Principles

    GMES data will be processed through complex chains that will develop along with the

    GMES initiative, inside but also outside the boundaries of GMES.

    Many of the innovations to be expected from GMES will come out of a smart

    processing of various heterogeneous data sets. The full and open access principle shall

    trigger the creativity of the teams to invent and propose new services.

    From a data security perspective it is necessary to be capable of tracing and controlling

    the data flow within GMES, of mastering the dissemination of GMES data and of

    ensuring post events investigations in case of security incidents.

    1. Security handling of the data

    Inside GMES data is collected, processed and stored. Most of the data should be both

    fully and openly accessible and disseminated, but a part of them may be

    considered potentially harmful and should therefore be subject to some kind of

    security controls.

    An automatic process should be developed to identify potentially harmful

    transactions (red flag). The criteria used for this exercise should be clearly

    established although they would most probably have to remain undisclosed to the

    public.

    If and when a transaction is considered potentially harmful it is subject to a risk

    evaluation that will confirm its harmfulness or not. The appropriate data security

    response tool will be applied to the transaction actually considered harmful to

    ensure the appropriate data dissemination; these tools can include possible control,

    denial, delay or degradation of the data, as well as the classification of the data.

    It is to be noted that some data or products can be potentially harmful for a very

    limited period of time only (a few hours only for instance in the meteorological

    sector) and that a flexible solution should be found to respond to this issue whilst

    preserving the fullest open access possible after that limited period of time.

    If following the transaction risk evaluation some potentially harmful data may

    have to be classified, the relevant laws, regulations and procedures concerning

    classified data shall apply.

    2. Data management capabilities

    The capability to offer reactive mitigation measures should be developed in

    accordance with the analysis performed in the SMD.

    An appropriate mechanism should allow timely and tailored activation of the data

    security mechanisms deployed at component level to mitigate any identified risk.

    The following capabilities should be considered, to respond to the risks identified:

    (a) to propose and update the data dissemination plan;

    (b) to limit temporarily user access;

    (c) to block, in certain circumstances, particular transaction(s).

    3. Protection of the IT infrastructures

    The IT infrastructures must be protected in function of the data that will be

    received, hosted, produced or distributed.

    C. Data Exchanged outside GMES

    The GMES system will exchange data and products with other systems. With reference

    to this exchange the following security principles should be followed and, as a

    consequence, an appropriate configuration of the GMES system and security procedures

    should be implemented:

    1. Data coming from systems or entities outside GMES

    A risk analysis should be performed for each data set provided to GMES from

    external sources and appropriate mechanisms, including a possible dynamic

    response, should be implemented, preferably in cooperation with the data

    provider.

    The various security mechanisms proposed in this analysis paper should allow,

    within the GMES perimeter, to have a certain degree of confidence in the data

    exchanged and related risk.

    To apply the same procedures to data coming from outside and entering GMES it

    is therefore necessary to trace back the origin of the data entering GMES and to

    ensure interoperability with corresponding mechanisms applied on the entering

    data.

    The risks analysis performed on external data should include in particular the

    following items :

    - Consequences of data denial,

    - Reliability of the data acquired,

    - Cyber-threats (viruses, Trojans, worms etc.).

    2. Interoperability in the handling of data

    The ongoing standardisation process regarding geospatial information, including

    meta data, and international discussions by the European Union and its Member

    States on that matter should cover data security.

    3. Importing data from accredited systems handling classified information

    a. Unclassified data

    The principles for importing unclassified data from systems handling

    classified information should be the same as those for importing unclassified

    data from any system or entity, cf. para IV.C.1 above.

    b. Classified data

    In this case the relevant security regulations or agreements for the exchange of

    classified information should apply.

    Technical solutions should be defined, developed and implemented to assure

    interconnections with systems handling classified information, in order to

    allow the exchange, if needed, of classified data, by foreseeing an

    accreditation of such identified and limited part of the GMES system, for this

    specific purpose. In any case, the transmission of classified data should be

    performed only by secured channels and following procedure set down in

    relevant security regulations and on the basis of security agreements regarding

    the exchange of classified information.

    4. Protection of Member State(s), as owner of data flowing to GMES

    Each national system participating to the GMES system follows its own national

    laws, regulations and procedures regarding the access to its own system, the

    tasking, programming, and uploading of the requests, the data downlink, data

    processing and dissemination of data and products to the users.

    Harmonisation of the various procedures related to the protection of Member

    States data in GMES should be considered in order to favour interoperability and

    increase overall GMES security whilst improving information exchange within

    GMES.

    5. Transmission of GMES data or products to, and interconnection with, systems handling classified information

    Systems using GMES data or products follow their own national laws, regulations

    and procedures.

    If the GMES element transmitting the data or product is a system handling

    classified information, the relevant security laws, regulations and procedures

    should apply and in particular the interconnection should be jointly accredited.

    D. Data Policy and Security

    1. Introduction

    The evolution of Information Technologies allows a very detailed and very

    flexible implementation of data policies in the various systems including through

    automatic features. It is therefore reasonable to foresee a combination of data

    policy frameworks.

    A general data policy of GMES is currently being defined by the European

    Commission and will be referred to as the GMES Data Policy Framework.

    2. General principles on the security dimension of GMES data Policy

    The GMES Data Policy Framework should be subject to a specific SMD which

    should be discussed at the GMES Security Board. An appropriate mechanism to

    allow a dynamic management of risks should be implemented.

    Within the GMES data Policy Framework, any change in data policy at

    component or system level should be subject to a security screening by the entities

    in charge of data security and should be properly documented.

    3. Documentation

    For each GMES element, the data policy should be documented and include a

    specific chapter on data security, referring to the SMD, with the various

    responsibilities and points of contact.

    Data security is a very important dimension of data policy and should be reflected

    in the various documents describing GMES Data Policy.

    For each level of GMES a specific document describing the Data Security Policy

    should be issued and regularly updated in order to specify:

    (a) which data is to be protected and the relevant related procedure(s);

    (b) the various responsibilities;

    (c) the points of contact; and

    (d) the interfaces.

    V. Security of GMES infrastructure at Component and Sub-Component level

    The security of GMES system shall be ensured for each Component. Furthermore, specific

    rules could be defined for Sub-Components, within each Component.

    The security of GMES Components and Sub-Components shall be defined and developed

    with the assumption that some data could be potentially harmful and should therefore be

    protected or subject to dissemination restrictions. If deemed relevant, some information could

    also be classified and the infrastructure could therefore need to be appropriately accredited.

    A. Principles

    1. Responsibility

    The chain of responsibility in GMES is explained in Heading II.A.2.

    The handling of security at component and system level relies on the individuals that

    are responsible for system operations. Single points of contact should be identified

    for security purposes.

    2. Security assessment

    The understanding of the risk environment related to the operation of a specific

    GMES element must be shared :

    - between the individuals that operate it and thus develop a unique competence in understanding the security implications, risks and vulnerabilities related to their system; and

    - between the security governing bodies which can offer a dedicated security expertise and an overall and dynamic risk assessment regarding GMES.

    A permanent dialogue should be established between them in order to perform

    efficient data security. It is therefore necessary to develop within GMES a culture

    of security.

    3. Procedures

    All GMES elements should perform a security risk analysis and be covered by a

    SMD describing the various risks, mitigation measures, security structures as

    described in Heading II.B.3.

    The data policy including data security for each element should be documented as

    described in Heading IV.D.2.

    4. Security Organisation

    The security organisation of a GMES element is under the responsibility of the

    operator as presented in Heading V.A.1.

    The security organisation and related procedures should constitute a dedicated

    chapter of the corresponding SMD and any organisational or procedural change

    related to data security should be submitted to the appropriate decision level.

    B. Specific Infrastructures

    1. Security of GMES In Situ and Service (and other non Space) physical infrastructures

    In Situ data is operated in GMES under the responsibility of the Member States

    which have evaluated the security constraints on the basis of existing services

    delivered.

    The contribution of Member States to GMES will generate new services to the

    benefit of the European citizen.

    It is possible that the criticality of these infrastructures will evolve along with the

    success of GMES.

    The re-evaluation of the risk and updating of security procedures will require a

    global view on the risks and the security environment of GMES.

    A regular dialogue should be set up between the managers of infrastructures

    contributing to GMES on security matters.

    2. Security of GMES Space infrastructure

    (a) Introduction

    The Space Component is a very important element of the Earth Observation

    infrastructure of GMES.

    The Space Component of GMES is composed of three types of systems :

    1. Systems that are developed by the European Commission and the European Space Agency specifically for GMES;

    2. Contributing missions that are being developed within Member States including dual use systems;

    3. Commercial missions, some of which are operated by countries outside the European Union.

    (b) Specific risks related to the Space Mission

    The Space Component consists of a space segment composed of one or

    several spacecraft(s) and the associated ground facilities and one or several

    payload(s) with their corresponding infrastructures.

    The space mission is subject to a number of risks which are well mastered

    and documented by the various space agencies and industries in Europe,

    such as:

    - Launching Risks;

    - Design Risks;

    - Risk related to the Space Environment (collisions, solar flares).

    However depending on the sensitivity of the mission some additional

    vulnerabilities may need to be considered :

    - The ground facilities of the Space Segment can be targeted to disrupt or access the space system;

    - Data links of both payload and spacecraft are vulnerable to jamming, interception, or hacking;

    - Payloads can be temporarily or permanently disabled.

    The SMD created for the space component should take the specificity of the

    space missions into account and space experts should be included in the evaluation.

    (c) Distribution of data from space

    The distribution of the data in the case of a space mission can differ from in

    situ data. The progress in space communication allows a diversity of

    communication means:

    - Data can be broadcast directly to the end users from a GMES payload;

    - Data can be broadcast via data relay satellites.

    The use of space technology to distribute GMES data should meet generic

    security constraints including data access control.

    (d) Case of GMES dedicated space missions

    The European Commission and the European Space Agency have developed

    several space missions dedicated to GMES: the Sentinels. Data security has

    been addressed in accordance with the principles mentioned above.

    Regarding the risk assessments that have been performed on the space missions,

    it is necessary to apply the principles described for the management of the

    transition period and especially to review the risk analysis performed for the

    Space Mission with Security experts in light of the overall risk assessment

    of GMES.

    The space missions dedicated to GMES should be subject to a risk analysis

    and any necessary update should be foreseen to meet the resulting security

    requirements on the systems.

    (e) Case of commercial space contributing missions

    For the commercial space mission or missions that are not under control of

    the European Union or of its Member States additional risks should be

    considered:

    - Denial of data which can be requested by the operating State or through exclusive license right; and

    - Acquisition of wrong data. Unless the data is certified, it is very difficult to detect.

    A specific risk analysis should be performed for the use by GMES of data

    from space missions that are not under direct control of GMES States and an

    appropriate interface security management should be developed.

    3. Security of Information Technology (IT) infrastructure

    (a) Introduction

    GMES is an information system of systems.

    In order to promote cross-fertilization between the various GMES services,

    and to develop a GMES economy, interconnection and shared information

    systems will play a key role in the development of GMES.

    It is therefore logical to consider the GMES IT infrastructure from a global

    standpoint although it is composed of several networks and heterogeneous

    systems.

    (b) Data Security and IT Infrastructure

    GMES IT infrastructure is composed of systems, sub systems and elements

    which will collect, process, store and distribute data across the various

    components of GMES.

    The specific constraints on GMES data and suggested capabilities have been

    addressed in chapter IV. Most of these will have a direct impact on the IT

    infrastructure which will be locally managed.

    It is necessary to protect the IT infrastructure and to apply the principles of

    IT security.

    (c) Cyber-threats and cyber-defence

    With the development of large IT infrastructures that have an increasing

    impact on the world economy, new risks are emerging.

    Computer attacks differ from traditional criminal or terrorist action because

    they can reach massive scales very rapidly and they are extremely difficult to

    detect, trace, and investigate.

    Most organisations dealing with large or sensitive IT infrastructure have

    developed internally or have outsourced their protection through dedicated

    security services such as Computer Emergency Response Teams (CERTs).

    Experience shows that cyber attacks are often specific to the targeted

    infrastructure and their mitigation requires both a competence in IT security

    and a good understanding of the domain and of the risks induced.

    Given the importance of GMES and more generally of geospatial

    information on Europe's economy, it seems appropriate to develop, along

    with GMES, a dedicated capability to cover geospatial cyber security using

    the expertise that contributes to the development of the GMES initiative.

    A specific expertise related to the IT risks related to GMES geospatial

    information infrastructure should be maintained and should be interfaced

    with the various entities and components within GMES.

    VI. Management of existing components and transition period.

    GMES as a system of systems will rely on many existing infrastructures, including several

    elements that have been developed by the European industry in the framework of the various

    research projects sponsored by the European Commission in the context of Research and

    Development Framework Programs and by the European Space Agency.

    Data security issues have often been addressed and several solutions exist to reduce the risks

    associated with the handling, processing and distribution of GMES data.

    The data security recommendation should take this heritage into account and ensure that the

    recommendations formulated will allow a smooth integration of the existing solutions while globally mastering the risks related to GMES data security.

    A. Review the process

    An inventory of all data security analyses and studies that have been performed in

    the framework of GMES, or by organisations that will be involved in GMES

    operations, should be made and this material should be used in the context of the

    GMES SMD.

    B. Connect to the GMES Security Governance

    All data security mechanisms (user access control, public key infrastructures, etc.)

    that have been developed in the framework of GMES, or by organisations that will

    be involved in GMES operations, should be identified and possible interfaces with

    the GMES security structures as proposed in this document should be worked on.

    C. Take if necessary complementary measures

    The GMES Security Board should have the capability to make recommendations to

    the Commission on possible improvements in the data security of existing GMES

    components.

    _____________________

    ANNEX 1

    Background on GMES

    1. GMES (Global Monitoring for Environment and Security) is a European initiative for the implementation of information services dealing with environment and security. It is being

    built up gradually.

    2. GMES is a civil system under civil control and will comprise an observation infrastructure (the GMES Space Component and the GMES In-Situ Component) and Information services

    (GMES Service Component). The GMES Space Component will rely on existing or planned

    European space infrastructure (satellites of ESA, EUMETSAT and those made available by Member States) and space infrastructure co-financed by the European Union and ESA,

    which is developed specifically for GMES (Sentinels). The GMES In-Situ Component will

    rely on a large number of facilities, instruments and services owned and operated at national,

    regional and intergovernmental levels inside and outside the European Union 4. Regarding

    the GMES Service Component, it is foreseen that co-funding of operational services should

    be ensured by the GMES programme. The European Union will be responsible for

    developing a data policy, to include data security, for data and information produced under

    its control, i.e. in particular information produced by GMES services and data collected

    through infrastructures the development of which is co-financed by the European Union.

    3. The GMES initial period (2001-2003) was launched by Council Resolution 2001/C 350/02 of 13 November 2001 5, which also called for an action plan aimed at achieving an

    operational capability based on the development of an extended range of high added-value

    integrated services. The GMES pilot phase started in 2004. Three fast-track services

    (emergency response, land monitoring, and marine) have been presented in September 2008

    at the occasion of a "GMES Forum" held in Lille. A communication to the Council and the

    European Parliament, "Global Monitoring for Environment and Security (GMES) : we care

    for a safer planet" 6, was adopted by the Commission on 12 November and the Council has

    adopted conclusions on the matter at its meeting on 2 December 2008 7.

    4 See communication by the Commission, doc. 14906/08 + ADD 1 + ADD 2.

    5 O.J. C350 of 11.12.2001, p. 4.

    6 Doc. 14906/08 + ADD 1 + ADD 2.

    7 Doc. 16722/08.

    4. The GMES operational phase, foreseen to start by 2011, will represent a challenge with regard to the programme's financial viability, since Community pre-competitive research

    funding cannot be used to fund operational activities. It is anticipated that a first part of the

    GMES governance and financing 8 - two building blocks for the operational phase - should be defined in the course of 2010.

    5. GMES services must be able to guarantee the required quality of service, all the more so when the customers also include public decision-makers. This calls inter alia for defining an

    overall GMES data policy, which will be coordinated by the Commission. Data security is

    one specific aspect of the GMES overall data policy.

    6. Effective handling of data security within GMES must take due account of Member States' data security requirements, since some of the GMES earth observation data and products

    could have security implications for Member States of the European Union. It would also

    help GMES operational services fulfil basic data security criteria especially for security

    users, by identifying and mitigating risks such as proliferation of data and products,

    disclosure of interest or doubts about the reliability of GMES services.

    8 See doc. 10285/09 + ADD 1 + ADD 2.

    ANNEX 2

    Glossary of acronyms and working definitions

    Accreditation : process leading to a formal statement by the Security Accreditation Authority

    (SAA) that a system is approved to operate with a defined level of classification, in a

    particular security mode in its operational environment and at an acceptable level of risk,

    based on the premise that an approved set of technical, physical, organisational and

    procedural security measures has been implemented. [See doc. 13885/09 Appendix A,

    Council Regulation on the security rules for protecting EU classified information]

    Authenticity: the guarantee that information is genuine and from bona fide sources. [See doc. 13885/09 Annex IV, Council Regulation on the security rules for protecting EU classified

    information]

    Availability: the property of being accessible and usable upon request by an authorised entity. [See

    doc. 13885/09 Annex IV, Council Regulation on the security rules for protecting EU

    classified information]

    Confidentiality: the property that information is not disclosed to unauthorised individuals, entities

    or processes. [See doc. 13885/09 Annex IV, Council Regulation on the security rules for

    protecting EU classified information]

    Data Policy Framework: The general data policy document of GMES that is currently being

    defined by the European Commission. The Framework will serve as the reference for the

    various data policies that will be implemented at component and system level.

    ESA : European Space Agency

    Full and open access: general principle proposed by the European Commission in line with the

    GEOSS data sharing principles. " full and open access to information produced by GMES

    services and data collected through GMES infrastructure, subject to relevant security

    restrictions " [See Art. 8,1, b) of the proposal for a Regulation of the European Parliament and

    of the Council on the European Earth Observation programme (GMES) and its initial

    operations (2011-2013); doc. 10285/09]

    GEOSS : Global Earth Observation System of Systems

    GMES : Global Monitoring for Environment and Security

    GMES data: any piece of information that is used and exchanged within the GMES perimeter.

    GMES element : GMES Component, GMES service or GMES system or sub system.

    GMES product / GMES service: Product / service provided by a GMES service provider.

    Hidden Security: security, procedures, equipment or systems transparent for the GMES users.

    Integrity: the property of safeguarding the accuracy and completeness of information and assets.

    [See doc. 13885/09 Annex IV, Council Regulation on the security rules for protecting EU

    classified information]

    Metadata (or ancillary data) : information describing data sets and data services and making it

    possible to discover, inventory and use them.

    Non-repudiation: the ability to prove an action or event has taken place, so that this event or action

    cannot subsequently be denied. [See doc. 13885/09 Annex IV, Council Regulation on the

    security rules for protecting EU classified information]

    Potentially harmful transaction: data set characterised by its information content, target area, time

    of generation and data exchange actors, that has been judged, against clearly established

    criteria, to potentially cause a threat to security of the European Union and/or its Member

    States, to their citizens, to foreign policy concerns and, if relevant, to the conduct of European

    Union operations. This status, limited in time, induces a risk evaluation and the choice of the

    relevant response tool to be applied.

    Programmatic Control: areas under programmatic control of the European Union are all

    infrastructures, services and systems that are developed and/or exploited directly by the

    European Union, or by other entities on behalf of the European Union. In line with the

    Financial Regulation of the European Commission, the contractual arrangements for the

    centralised or de-centralised management of these development and exploitation activities

    must contain detailed rules for the scrutiny of these activities, and the appropriate security

    rules, where applicable.

    Restriction due to national security or foreign policy concerns : possibility for the entities

    responsible for GMES security to exert control or restrict dissemination on potentially

    harmful GMES transactions.

    Risk : the potential that a given threat will exploit internal and external vulnerabilities of an

    organisation or of any of the systems it uses and thereby cause harm to the organisation and to

    its tangible or intangible assets. It is measured as a combination of the likelihood of threats

    occurring and their impact. [See doc. 13885/09 Appendix A, Council Regulation on the

    security rules for protecting EU classified information]

    Security needs : needs identified by specific user communities for their secure use of GMES data.

    SMD : Security Management Document

    GMES-SMD : GMES Security Management Document

    Element SMD : Element Security Management Document

    Threat : a potential cause of an unwanted incident which may result in harm to an organisation

    or any of the systems it uses; such threats may be accidental or deliberate (malicious) and

    are characterised by threatening elements, potential targets and attack methods. [See doc.

    13885/09 Appendix A, Council Regulation on the security rules for protecting EU classified

    information]

    Traceability : recording of the path followed by a data within a system, or more globally a

    production process, by means of documented recorded identification.

    Vulnerability : a weakness of any nature that can be exploited by one or more threats. A

    vulnerability may be an omission or it may relate to a weakness in controls in terms of their

    strength, completeness or consistency and may be of a technical, procedural, physical,

    organisational or operational nature. [See doc. 13885/09 Appendix A, Council Regulation on

    the security rules for protecting EU classified information]

    ________________________

    ANNEX 3

    Examples of Data security Needs and Risks

    I. Examples of users' needs regarding data security

    A. Meteorology

    During a dedicated workshop, the case of meteorology was addressed as an example

    of what future operational GMES services and GMES architecture could be. The data

    security needs from the space component EUMETSAT, of the network component

    EUMETNET and of a Member State's weather service provider (Finland) have been presented and were very similar.

    Actors of meteorology insist on :

    1. Long term nature and need for confidence in quality of data for climate and climate change users requires:

       - Protecting data from malicious attack

       - Storing data for future use

       - Creating a stable long term high quality climate data series

       - Ensuring data sources are sustainable for future use (funding, technology compatibility, ...)

    2. Wide variety of data and broad user base requires a data policy:

       - To ensure the information is used by the right people, e.g.

         - Military information

         - Aviation information

         - Commercial users

       - To ensure the authenticity of the information, e.g.

         - Warnings from national authorities

         - National climate data sets

    This is certainly an issue that needs further examination in a multidisciplinary

    approach.

    C. GEO needs for military operations

    Geospatial data is critical for operations.

    For Planning, GEO Products ranging from 1:500K to 1:100K are requested while

    Imagery Products are increasingly used.

    The age of mapping products and method of production as well as the existence of up

    to date sources are key.

    The aim is to provide a designated version of the Recognised Environmental Picture

    (REP) common to the EUMS, the OHQ, FHQ and Battle Groups.

    II. Examples of identified risks related to Geospatial data

    The list below is not exhaustive. It cannot substitute or be used for a risk analysis but aims at

    illustrating some of the discussions that have taken place in the workshops of the CSC

    GMES.

    A. OSINT

    Open Source Intelligence is the collection and analysis of information from open

    sources which are sources publicly available and legally obtainable (as opposed to

    covert or classified sources).

    In OSINT dispersed pieces of the puzzle are : no lack of information, but an overload.

    The challenge is to locate what is relevant in an ocean of material.

    Instead of being exclusive, obtained information can be complementary and highlight

    and help to understand other information obtained.

    The Internet was created to let information flow freely, but the right information in

    the wrong hands can be a source of problems.

    Applied to GMES data, OSINT techniques could divert GMES services not intended

    to produce sensitive information into criminal or hostile activities.

    B. Cyber threats

    Like any major information infrastructure, GMES can be a target of cyber-attacks.

    This threat is increasing.

    A few large scale events took place in recent years:

    - Data Denial of Service attacks on Estonian networks (April-May 2007)

    - Defacement attacks on more than 300 private and official sites in Lithuania (June-July 2008)

    - Three major cable cuts in the Mediterranean (January, February and December 2008)

    At the same time, entry barriers for malicious attackers are lowering:

    - According to UK House of Lords report on Personal Internet Security, the competition to supply botnets has decreased the cost of renting a platform for spamming to around 3-7 US cents per zombie per week

    - One report averaged the weekly rental rate for a botnet at USD 50-60 per 1000-2 000 bots.

    GMES could be considered in the framework of Critical Information Infrastructures Protection

    as proposed by the European Commission in the Strategy for a Secure Information

    Society COM(2006)251.

    C. Use of geospatial data for criminal, terrorist or adversary purposes

    The EUSC has presented how geospatial services based upon geo information not

    primarily designed for security can be used for security including criminal, terrorist or

    adversary purposes.

    1. Detection of smuggling routes

    For instance, low resolution land cover imagery has been used to allow

    identification of possible smuggling routes, which can be used by both smugglers and

    border control authorities.

    2. High resolution maps

    By combining different layers of data including maps, Google data, satellite

    imagery, etc., a product more relevant, accurate and up to date (updated with recent

    satellite imagery) can be produced, which can lead to a potential detrimental use.

    Terrorists could use such products to plan an attack. They would benefit from

    accurate, recent and very detailed information useful for their objectives.

    For example, the Mumbai terrorist attacks have been planned using Google Earth

    Imagery.

    3. Geospatial Contingency Support Packages (GCSP)

    As for event planning products, GCSP bring together data from several

    sources including in some cases terrain data with precise geo-location (photos of

    embassies, governmental buildings, etc.). They can be used to prepare and conduct

    non combatant evacuation operations.

    Rebels or terrorists could use such products to plan an attack.

    ANNEX 4

    Possible implementation tools and examples

    I. Examples of legal tools

    A. National Laws, regulations and procedures

    1. French geospatial law

    The Law n° 2008-518 (3 June 2008) relative to space operations in its Title VII "Data originating from space" relates to primary operator programming or

    receiving data originating from space on French territory:

    - Art 23 states that primary operators for data of a specified quality must first make a declaration;

    - Art 24: the administrative authority verifies that operators' activities do not jeopardize fundamental national interest, international commitments and foreign policy; it can restrict operators' activities at any time.

    2. German national data security policy for space-based earth remote sensing

    The Satellitendatensicherheitsgesetz SatDSiG of the 30. Sep. 2009 aims at

    fostering the civil use and commercialization of remote sensing data by

    maximizing the data flow to scientific and commercial users and creating legal

    certainty, while safeguarding security and foreign policy interests of German, EU,

    NATO, friendly or allied countries.

    This law is limited to German satellites, satellites operated by German nationals or

    legal persons, satellites operated from Germany; non-military satellites; High-Grade

    earth remote sensing systems. High Grade derives from the system's

    capacity for acquiring data of particularly high information content, first-time or

    primary marketing/dissemination.

    Based upon a sensitivity check at transaction level (detailed below) that is self

    implemented by the operator, the data can be directly disseminated or require a

    permit that is delivered through a computer assisted decision process within a

    competent body of the German Government.

    3. Italian regulation on data policy

    A document approved on March 7th, 2007, Politica dei dati e Condivisione delle

    Risorse (National Data Policy and Resource Sharing - DPRS) lays down general

    principles of national Data Policy of distribution of data regarding the civil

    component of the CSK system. According to these regulations:

    - Raw data generated by the CSK system are not available for commercial users. Moreover the categories of data that may be distributed for commercial purposes (standard products and high level products) are defined;

    - Data and products below a meter (sub-metric products) generated by the CSK system are at the exclusive availability of IT MoD only;

    - The CSK system, both during the programming of requests and for the distribution of data and products, operates under Shutter Control, exercised by IT governmental security organizations;

    - A specific Committee, called Organo di Indirizzo e Coordinamento con le Istituzioni (OICI), formed by representatives appointed by ASI, IT MoD and IT Security organizations, has been envisaged. It is in charge of:

      - defining guidelines for the utilization of the civil component of the system;

      - assuring the coordination with other Ministers and internal governmental Bodies in order to harmonize the distribution of data and products according to the security and foreign policy needs.

    - As CSK is a dual system, specific attention has been reserved to the security of the infrastructures of the various sub-systems on which it is based, first of all in order to protect the data;

    - Some Security Requirements (SSRS) have been laid down, referring to each sub-system on which the CSK system is based;

    - These sub-systems and the whole CSK system have been evaluated by IT CE.VA (Security Evaluation Centers) and accredited by a Certification Body (IT NSA).

    B. European Directives

    1. INSPIRE (Directive 2007/2/EC)

    The main objectives of Directive 2007/2/EC of the European Parliament and

    of the Council of 14 March 2007 establishing an Infrastructure for Spatial

    Information in the European Community (INSPIRE) are to :

    - establish a European Spatial Data Infrastructure;

    - exchange spatial information between public services for the performance of public tasks with a direct or indirect impact on the environment.

    In its Art. 1, the INSPIRE Directive lays down general rules to establish an

    infrastructure for spatial information in Europe :

    - for the purposes of Community environmental policies and;

    - policies or activities which may have an impact on the environment.

    A secondary objective is to provide access to spatial data and services for

    citizens.

    The following remarks can be made.

    - INSPIRE is to be based on the infrastructures for spatial information established and operated by the Member States;

    - INSPIRE is a distributed infrastructure;

    - INSPIRE does not require collection of new spatial data;

    - INSPIRE does not affect existing Intellectual Property Rights.

    Article 13 of the INSPIRE Directive says:

    "1. By way of derogation from Article 11(1), Member States may limit public

    access to spatial data sets and services through the services referred to in point

    (a) of Article 11(1) where such access would adversely affect international

    relations, public security or national defence.

    By way of derogation from Article 11(1), Member States may limit public

    access to spatial data sets and services through the services referred to in

    points (b) to (e) of Article 11(1), or to the e-commerce services referred to in

    Article 14(3), where such access would adversely affect any of the following:

    (a) the confidentiality of the proceedings of public authorities, where such

    confidentiality is provided for by law;

    (b) international relations, public security or national defence;

    (c) the course of justice, the ability of any person to receive a fair trial or the

    ability of a public authority to conduct an enquiry of a criminal or disciplinary

    nature;

    (d) the confidentiality of commercial or industrial information, where such

    confidentiality is provided for by national or Community law to protect a

    legitimate economic interest, including the public interest in maintaining

    statistical confidentiality and tax secrecy;

    (e) intellectual property rights;


    (e) the confidentiality of personal data and/or files relating to a natural person

    where that person has not consented to the disclosure of the information to the

    public, where such confidentiality is provided for by national or Community

    law;

    (f) the interests or protection of any person who supplied the information

    requested on a voluntary basis without being under, or capable of being put

    under, a legal obligation to do so, unless that person has consented to the

    release of the information concerned;

    (g) the protection of the environment to which such information relates, such

    as the location of rare species.

    2. The grounds for limiting access, as provided for in paragraph 1, shall be interpreted in a restrictive way, taking into account for the particular case the

    public interest served by providing this access. In every particular case, the

    public interest served by disclosure shall be weighed against the interest

    served by limiting or conditioning the access. Member States may not, by

    virtue of points (a), (d), (f), (g) and (h) of paragraph 1, limit access to

    information on emissions into the environment.

    3. Within this framework, and for the purposes of the application of point (f)

    of paragraph 1, Member States shall ensure that the requirements of Directive

    95/46/EC are complied with."

    According to Article 17(7) of the INSPIRE Directive, "By way of derogation

    from this Article, Member States may limit sharing when this would

    compromise the course of justice, public security, national defence or

    international relations."

    2. Critical infrastructure protection (Directive 2008/114/EC)

    The Council Directive 2008/114/EC of 8 December 2008 on the identification

    and designation of European critical infrastructures and the assessment of the

    need to improve their protection is part of an overall EU programme for the

    protection of critical infrastructure (EPCIP) which also includes


    - a financial programme (CIPS);

    - external relations;

    - contingency planning;

    - support for Member States concerning National Critical Infrastructure;

    - measures designed to facilitate the implementation of EPCIP, including the EPCIP action plan.

    According to the Directive, Critical Infrastructure (CI) means any asset,

    system or part thereof that is essential for the maintenance of vital societal

    functions, health, safety, security, economic or social well-being, the

    destruction or disruption of which would have a significant impact. A European Critical Infrastructure is a CI the destruction or disruption of which would have a significant impact on at least two Member States.

    Directive 2008/114 is based on the following principles:

    - all-hazards approach, but priority to threat from terrorism;

    - step-by-step, sector-based approach currently covering Transport and Energy; and subsequently other sectors such as ICT;

    - ultimate responsibility for protecting ECI lies with MS and operators;

    - complements and builds on existing work;

    - trust and confidentiality.

    Once a Member State has designated a CI as ECI in agreement with those MS

    affected, this entails in particular the obligation to:

    - inform other MS which may be affected;

    - engage in bilateral or multilateral discussions with those MS;

    - inform the infrastructure operator of ECI of the designation.

    In all designated ECI, an operator security plan should be in place, including

    an identification of important assets, a risk analysis and identification,

    selection and prioritisation of counter-measures and procedures, distinguishing

    between permanent and graduated security measures. Additionally, MS must

    designate a security liaison officer for each ECI.


    The role of the Commission is to :

    - assist MS in the identification of ECI (on request);

    - draw the attention of a MS to the possible existence of ECI;

    - develop (non-binding) guidelines;

    - consider further developments on the basis of reports from the MS.

    II. Examples of data control tools

    Mechanisms using metadata (or ancillary data) could be implemented with a view to ensuring maximum traceability in data exchanges while remaining as transparent as possible to the end users. They could include:

    A. User Access Control: example of EUMETSAT

    In the framework of the Initial Joint Polar System (IJPS) with the U.S., EUMETSAT has the obligation to be capable of implementing selective denial of access to data from U.S. instruments on EUMETSAT satellites in case of crisis or war. This has been implemented through EUMETCast with data encryption and individual user identification. The system has been tested and approved by the U.S. DoD. Metop-A is now the operational U.S. NOAA satellite in the mid-morning orbit. No similar procedure currently exists for EUMETSAT Members.

    A network established to give clear contact points to all users worldwide:

    - NMSs of Member States act as EUMETSAT Licensing Agents for real-time users in their countries. Some have delegated part of their duties to EUMETSAT.

    - EUMETSAT is in charge of all licences outside Member States, international organisations, and delegated activities.

    - EUMETSAT is also central distributor for all derived products, archived data, software.


    Components: Parts and Typical Costs of a EUMETCast Terminal
    (Slide 38, Council Security Committee, Brussels, 18 February 2009)

    DVB Standard Hardware
    LNB Ku-/C-band & Satellite Dish      200/1500 EUR
    DVB PCI Card                         100 EUR
    DVB Multicast Client Software        60 EUR
    PC, Hard Disk, Ethernet              1000 EUR
    EUMETCast Key Unit (EKU)             40 EUR
    Total                                1.400/2700 EUR

    There is a central entry point: the EUMETSAT web site, where all users register on-line.

    Most users are licensed electronically, through a web-based tool.

    User registrations are passed to the Licensing Agent where relevant.

    Each user of real-time data needs a decryption key unit (EKU) (cf. picture) managed centrally at EUMETSAT.

    B. Transaction Control

    Example of transaction control through an algorithmic definition of sensitivity (source SatDSiG).

    If the data request is sensitive, a permit is required.


    C. Data dissemination plans: example of LRIT

    The long-range identification and tracking (LRIT) of ships aims to enhance security for

    government authorities. LRIT provides ship identity and current location information in

    sufficient time for a government to evaluate the security risk posed by a ship off its

    coast and to respond, if necessary, to reduce the risk.

    LRIT Data Distribution Plan (DDP): defines rules and access rights (i.e. which users

    can receive what LRIT info). The DDP Server is managed by IMO and is populated by

    SOLAS Contracting Governments, following IMO technical specifications.

    The LRIT Data Distribution Plan (DDP) is principally a database that holds information

    needed to allow the international LRIT system to operate correctly. The DDP is


    consulted by any Data Center in order to determine whether a request for LRIT

    information should be allowed under the rules for the distribution of LRIT data.

    The DDP information includes:

    1. a list of the unique identification codes assigned to key elements in the LRIT system;

    2. the coordinates which define the various geographical areas declared by Contracting Governments within which they wish to exercise their rights to receive or restrict the distribution of LRIT information as a Flag or Coastal State; and

    3. a list of the ports and port facilities within the territory and places under the jurisdiction of each Contracting Government.
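The DDP consultation described above, as an added example that is not part of the original document and not the IMO specification: a simplified, default-deny check a Data Center could run before releasing a position report. The data model, the rule that a flag-state restriction takes precedence over a coastal-state area, the codes `CG-A`, `CG-B`, `CG-C` and all coordinates are assumptions made for illustration; ports (item 3) are not modelled.

```python
from dataclasses import dataclass, field

Point = tuple[float, float]  # (longitude, latitude) in degrees

def in_polygon(p: Point, poly: list[Point]) -> bool:
    """Ray-casting test; assumes a simple polygon not crossing the antimeridian."""
    x, y = p
    inside = False
    for (x1, y1), (x2, y2) in zip(poly, poly[1:] + poly[:1]):
        # Count edges that a horizontal ray from p towards +x crosses.
        if (y1 > y) != (y2 > y) and x < x1 + (y - y1) * (x2 - x1) / (y2 - y1):
            inside = not inside
    return inside

@dataclass
class DDP:
    """Constructed stand-in for the DDP information listed above (assumed model)."""
    ids: set[str]                                # item 1: known identification codes
    receive_areas: dict[str, list[list[Point]]]  # item 2: coastal state -> polygons
    # item 2 (continued): flag state -> [(requester denied, polygon)]
    restrict_areas: dict[str, list[tuple[str, list[Point]]]] = field(default_factory=dict)

def decide(ddp: DDP, requester: str, ship_flag: str, pos: Point) -> tuple[bool, str]:
    """Return (allowed, reason); anything not explicitly entitled is refused."""
    if requester not in ddp.ids or ship_flag not in ddp.ids:
        return False, "unknown identification code"
    if requester == ship_flag:
        return True, "flag state"
    for denied, poly in ddp.restrict_areas.get(ship_flag, []):
        if denied == requester and in_polygon(pos, poly):
            return False, "restricted by flag state"
    if any(in_polygon(pos, poly) for poly in ddp.receive_areas.get(requester, [])):
        return True, "coastal state area"
    return False, "no matching entitlement"

# Constructed sample data: every code and coordinate below is invented.
SAMPLE = DDP(
    ids={"CG-A", "CG-B", "CG-C"},
    receive_areas={"CG-B": [[(0, 0), (10, 0), (10, 10), (0, 10)]]},
    restrict_areas={"CG-C": [("CG-B", [(4, 4), (6, 4), (6, 6), (4, 6)])]},
)

if __name__ == "__main__":
    for args in [("CG-B", "CG-A", (5, 5)), ("CG-B", "CG-C", (5, 5)),
                 ("CG-B", "CG-A", (20, 5)), ("CG-X", "CG-A", (5, 5))]:
        print(args, decide(SAMPLE, *args))
```

Returning the reason alongside the decision gives each refusal an auditable cause, which supports the traceability goal stated at the start of this section.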

    LRIT System Security

    Current LRIT information can have both a security and a commercial value. It must

    therefore be strictly protected from unauthorized access in storage and when it is being

    exchanged. The LRIT Performance Standard provides for the protection of LRIT data

    through the protection not only of the databases themselves, but also the communication

    links used to exchange data. Recommended methods of data protection include:

    authorization prior to access; authentication of those accessing the data; confidentiality

    (usually by encryption of the data) and data integrity checking.

    III. Other capabilities that can be used for security

    A. Certification

    Telecom example: self-certification.

    B. Licensing

    Each user of GMES (with the exception of the owners) could be granted the use of data

    and products according to terms and conditions described in a licence of use.