The first International Security Symposium took place at ESRIN from 9 to 10 February, 2010; present were representatives from international organisation in Europe.
ESA's aim in organising the Symposium was to provide a forum where organisations could share information on approaches to security and the challenges facing international organisations based in Europe, both in the current geopolitical climate and in the future. Representatives from each participating organisation made a presentation describing: the security objectives of their organisation and their relation to their corporate goals; their corporate approach to security; the level of compliance; their perceived challenges; and, future plans with respect to security. ESA's partners in the security industry were also invited to the Symposium where they were given the opportunity to present their products and demonstrate and/or describe how they are used at ESA.
Below is a summary of the outcome of the presentations and the open discussions that followed, focussing first on the commonalities that emerged among the various organisations and then on the areas where there were differences, to varying degrees, in the approach taken to security.
All the participating organisations have to strike a balance between the need for openness, deriving from their international orientation, and the need to implement varying degrees of security measures to protect their key assets and resources. Wherever more freedom is granted to users, more pro-activity is necessary by the support teams to prevent abuses.
Many participants focussed their presentation on the approach to security of their information technology system (INFOSEC). In this area, a number of monitoring tools (watchdogs, intrusion detection systems, etc…) are implemented and operated to assist operators in detecting anomalies. These tools can provide visibility of events and filter incidents, thus allowing immediate counteractions to be implemented to limit any damage.
The more open an organisation is, the more efficient and immediate must be the reaction to contain the damage of a mishap. Therefore, many of the participants’ security staff are vested with a strong operational authority, e.g. to detach an offending or faulty system from the corporate network or to turn it off with no warning or advance notice.
Great emphasis is placed by all on the behaviour of the individuals, both permanent staff, temporary staff and visitors, and their corresponding responsibilities. To ensure a high level of compliance, training and awareness campaigns, aimed at the buy-in by the majority of the workforce of the security measures put in operation, are of paramount importance.
In several cases these training activities are outsourced to professional companies for new entrants and specific categories of users, with attendance at training sessions often being mandatory.
The need to address security systematically via a risk assessment approach can be considered to be the 'state of the art' and is common to all participants. ISO 27001 standard is prevalent and is made use of to varying degrees; while for some it is just an inspiration, for others it is a target for compliance.
However, all organisations nowadays are faced with heavy budget restrictions in a time of crisis and a proper assessment of the security risks before any investment is made is a basic aspect of their business process, no matter what their core business may be.
A comparison of the different approaches to risk assessment, and the available results of the works in progress, could be the focus of the next edition of the Symposium.
Peculiarities and diversity
An analysis of peculiarities and diversity must branch off in different directions. The holistic approach to security such as that used by ESA, which addresses the four pillars of security (physical, information protection, personnel and Infosec) with a homogeneous process is not common to all.
Typically, technical/scientific organisations focus their security on Infosec, from where their main threats originate, and leave to their facility management department the protection of their perimeters. Institutional organisations such as the EU and its bodies tend to address their security setup in a more holistic way.
Trust in personnel is one of the commonalities but very different means are used to build this trust. For example, at some organisations the staff selection process includes vetting or screening procedures, others require all members of their permanent workforce to have a personnel security clearance and some admit virtually anybody to their premises and must keep an eye on their behaviour at all times.
Data handling policies are highly differentiated, based on the obvious differences in the respective core business. Different degrees of openness characterise the availability of mission data, with scientific organisations focussing on integrity and availability, whilst sometimes still granting a degree of data ownership to principal investigators.
Organisations that deal to some extent with data of commercial value secure data with commercial protection measures, or more rarely, with formal classification systems.
Few of the participants have a formal system for data classification in place, whereas legal protection of data and assets is a common need and is addressed with varying degrees of sophistication.
In general, the degree of attention that security has gained within such diverse organisations turned out to be surprisingly high. At the closure of the Symposium, participants were asked to fill in an evaluations sheet giving their suggestions for future events and their views on the event. In general the ratings were positive or very positive although some participants felt that the pace of the agenda was too intense, especially on the first day.
The general consensus was that another International Security Symposium should be held next year. A number of participants suggested that the next event should focus on a a couple of specific topics, which is also the view of the organisers. Among the suggestions for topics of interest were: physical security; logical, covert attacks; security procurement; space mission security; approaches to risk assessment; and specific threats to international organisations, possibly supported by keynote speeches from NSA specialists.
With regard to the contributions from industry, some participants felt they were too similar to 'sales pitches' not withstanding the clear instructions given to the speakers by the organisers to avoid this. It was suggested that at future events industry be asked to address specific case studies with practical demonstrations.
All the inputs received will be taken into account by the organisers when arranging the next Security Symposium.