End-to-End Supply Chain Protection - Phase 1 Tender, Netherlands - 96178183

Procurement Summary

Country : Netherlands

Summary : End-to-End Supply Chain Protection - Phase 1

Deadline : 13 Mar 2024

Other Information

Notice Type : Tender

TOT Ref.No.: 96178183

Document Ref. No. :

Competition : ICB

Financier : Agency for the Cooperation of Energy Regulators (ACER)

Purchaser Ownership : Public

Tender Value : Refer Document

Purchaser's Detail

Name :Login to see tender_details

Address : Login to see tender_details

Email : Login to see tender_details

Login to see details

Tender Details

Tenders are invited for End-to-End Supply Chain Protection - Phase 1

Supply chain attacks are stealthy and sophisticated ways of compromising high value targets by exploiting weaknesses and vulnerabilities in the supply chain of the final target, and by taking advantage of target's trust on its supply chain. While mechanisms to verify the authenticity e.g. of a software, firmware, etc. do exist (e.g. by digitally signing them), these are not deemed sufficient to protect from or mitigate supply chain attacks, due to the reason a supplier's compromise can also have resulted in digitally signed tampered software. Supply chain attacks had a detrimental impact the last few years, and this trend is expected to continue in the upcoming years. Therefore, additional mitigation measures are needed to protect from supply chain attacks. To mitigate supply chain attacks, the following three pillars will be developed: Cross-verify authenticity of products during their whole lifecycle (i.e. already from the development phase) using secure mechanisms. Track product interdependencies and their interfaces and cross-verify their authenticity too. Provide authenticity information to satellites to be verified as part of the integrity/authenticity verification mechanism. Verifying the identity, integrity and authenticity of a satellite, its subsystems and their components is vital to ensure that it can be trusted for its intended purpose. The verification of the identity, integrity and authenticity has to be performed using well-defined security services that rely on appropriate cryptographic means (e.g. hashes, digital signatures), ad-hoc (on demand) and periodically (for reporting purposes), using independent from other operations communication channels. These services and associated mechanisms shall not cover on-board software management only, and shall not be limited to software only, but, instead, they shall be able to verify the integrity and authenticity of any module (software, firmware, other, e.g. FPGA implementations) independently and securely, in a read-only way. The mechanism will be used as an additional, independent, protection mechanism ensuring the integrity authenticity of a satellite and reporting for security monitoring purposes any potential discrepancies identified. The models developed in this activity and associated security services shall be capable of verifying the satellite identity as well as the integrity and authenticity of any part of a spacecraft that could be reprogrammable/reconfigurable. In case a satellite is reconfigurable by any means (software, firmware, hardware security module), the mechanisms to be developed by this activity shall also be capable of being updated securely, preserving the configuration and inventory history in a read-only way. The cryptographic mechanisms to be implemented shall be quantum resistant (i.e. using Post Quantum Cryptography (PQC)). After the completion of this first phase, a second phase is foreseen for thehardware implementation and end-to-end system verification of the model suitable for mitigating supply chain attacks and verifying end-to-end integrity and authenticity of satellite components.The final outcome of the full activity, considering phase 1 and phase 2, includes software, hardware (e.g. FPGAs), a testbed and an engineering model demonstrating the aforementioned functionalities.This proposed phase 1 activity encompasses the following tasks: Definition of the requirements for protecting integrity and authenticity of the security services, systems, subsystems and components involved in the supply chain of the Space Industry from development to operation. Definition of requirements of a mechanism to track product interdependencies and their interfaces. Design and development on software of an independent, cryptographically secure, integrity verification and authenticity PQCready cryptographic mechanism that can be used across vendors but also between ground and space segment. Risk assessment and mitigation techniques. Component and functional verification in laboratory environment.Read more

Documents

 Tender Notice