PENETRATION TESTING AND SECURITY AWARENESS MANAGEMENT IN A BOX (T709-501GE)
1 September 2017

ESA Open Invitation to Tender AO8886
Open Date: 30/08/2017
Closing Date: 11/10/2017 13:00:00


Status: ISSUED
Reference Nr.: 17.112.02
Prog. Ref.: TRP
Budget Ref.: E/0901-01 – TRP
Special Prov.: AT+BE+CH+CZ+DE+DK+EE+ES+FI+FR+GB+GR+HU+IE+IT+LU+NL+NO+PL+PT+RO+SE+SI
Tender Type: C
Price Range: 200-500 KEURO
Products: Ground Segment / Mission Operations / Mission Control / Engineering Support (GS S/W dev. and maintenance, …)
Technology Domains: System Design & Verification / System Verification and AIT / Advanced AIT Methods
Establishment: ESOC
Directorate: Directorate of Operations
Department: Ground Systems Engineering Department
Division: Ground Segment Engineering Support Off.
Contract Officer: Hurtz, Anne Maria
Industrial Policy Measure: C1 – Activities in open competition limited to the non-Larg…
Last Update Date: 30/08/2017
Update Reason: Tender issue

This activity covers the development and demonstration, through prototyping, of the technology for modular disruptive security testing and user security awareness management for the ground segment. Disruptive security testing and penetration testing are essential tools for integrating security into ground segment engineering. They verify the robustness of newly developed as well as legacy software, and they are also core requirements in the new ESA secure software engineering standard. Running them against operational or production systems is not advisable, since the tests may disrupt the business function.

The objective of the proposed study is to develop the technology for a customisable virtual environment (the box) that allows penetration testing and security awareness management. The box will be based on a suitable security-specialised operating system and will allow manual and automated execution of customisable security attacks against the software running inside the box. It will produce evidence reports of the successful penetrations and, based on well-known security practices, will suggest countermeasures. The box can either automate the testing (using well-known attacks) or let the user execute it manually. The box will allow the definition of new attack scripts to be added to the list of automated tests.

As a second objective, the box will also provide the capability to perform security awareness management. It will be possible to pre-configure a box for specific software and then pass it on to users and stakeholders with step-by-step automated attack pattern instructions. The users can perform the attack themselves and observe the results. The intention is to raise their awareness of the security vulnerabilities of the software products they own or are using, and thereby the awareness that it is necessary to invest properly in secure software engineering.

The expected outcomes are:
- Development of a penetration-testing-specialised virtual environment, including all necessary technology to monitor software processes and track in detail the successful and unsuccessful attacks
- Graphical toolset that allows the definition of automated attack scripts and produces attack traces and evidence records
- Awareness management instantiation engine that allows the creation of specialised copies of the box focused on security awareness management for specific systems and applications. These copies shall be accompanied by a tutorial including a step-by-step description of attacks which can be run by the users themselves.

This activity includes the following tasks:
- Technology development based on existing technology in the area of security-specialised virtualisation environments (e.g. secure operating systems)
- Development of the virtual box implementing the previously identified technology and supporting the functionality stated above
- Development of the graphical toolset to support the automation of penetration attack scripts and produce attack traces and evidence records
- Development of the awareness management instantiation engine
- Execution of a proof-of-concept using one of the critical applications developed by the HSO ground segment engineering department (e.g. mission control system, space debris office software, etc.) with direct involvement of technical officers

Procurement Policy C1: Activities in open competition limited to the non-Large-System Integrators.

If you wish to access the documents related to the Invitation to Tender, you have to log in to the ESA Portal.