Paulo Esteves-Verissimo

Rehana Yasmin, Paulo Esteves-Verissimo, Ali Shoker

The New Space era has led to a rapid increase in satellites operated by independent entities in near-Earth orbit. This shift enables richer space services but also requires secure, near-real-time coordination, making efficient authentication of space assets critical for next-generation missions. Traditional ground-dependent Public Key Infrastructure (PKI) suffers from latency and operational bottlenecks that limit scalability and availability in dynamic space environments. This paper proposes architectural designs for space-based PKI that shift certificate management and validation from ground infrastructure into space, reducing reliance on ground stations while enabling interoperability and cross-entity collaboration. Two deployment schemes are introduced: a space-ground integrated PKI with in-orbit validation authorities, and a fully autonomous space-based PKI with in-space issuance and validation. We analyze deployment trade-offs in scalability, availability, security, cost, and operational complexity in multi-operator environments. A baseline latency analysis is provided to illustrate performance implications of in-orbit trust management.

Ali Shoker, Rehana Yasmin, Paulo Esteves-Verissimo

The increasing interest in Autonomous Vehicles (AV) is notable due to business, safety, and performance reasons. While there is salient success in recent AV architectures, hinging on the advancements in AI models, there is a growing number of fatal incidents that impedes full AVs from going mainstream. This calls for the need to revisit the fundamentals of building safety-critical AV architectures. However, this direction should not deter leveraging the power of AI. To this end, we propose Savvy, a new trustworthy intelligent AV architecture that achieves the best of both worlds. Savvy makes a clear separation between the control plane and the data plane to guarantee the safety-first principles. The former assume control to ensure safety using design-time defined rules, while launching the latter for optimizing decisions as much as possible within safety time-bounds. This is achieved through guided Time-aware predictive quality degradation (TPQD): using dynamic ML models that can be tuned to provide either richer or faster outputs based on the available safety time bounds. For instance, Savvy allows to safely identify an elephant as an obstacle (a mere object) the earliest possible, rather than optimally recognizing it as an elephant when it is too late. This position paper presents the Savvy's motivations and concept, whereas empirical evaluation is a work in progress.

Rafal Graczyk, Paulo Esteves-Verissimo, Marcus Voelp

Over the last decades, space has grown from a purely scientific struggle, fueled by the desire to demonstrate superiority of one regime over the other, to an anchor point of the economies of essentially all developed countries. Many businesses depend crucially on satellite communication or data acquisition, not only for defense purposes, but increasingly also for day-to-day applications. However, although so far space faring nations refrained from extending their earth-bound conflicts into space, this critical infrastructure is not as invulnerable as common knowledge suggests. In this paper, we analyze the threats space vehicles are exposed to and what must change to mitigate them. In particular, we shall focus on cyber threats, which may well be mounted by small countries and terrorist organizations, whose incentives do not necessarily include sustainability of the space domain and who may not be susceptible to the threat of mutual retaliation on the ground. We survey incidents, highlight threats and raise awareness from general preparedness for accidental faults, which is already widely spread within the space community, to preparedness and tolerance of both accidental and malicious faults (such as targeted attacks by cyber terrorists and nation-state hackers).

Charalambos Konstantinou, George Stergiopoulos, Masood Parvania et al.

Cyber-physical systems (CPS) incorporate the complex and large-scale engineered systems behind critical infrastructure operations, such as water distribution networks, energy delivery systems, healthcare services, manufacturing systems, and transportation networks. Industrial CPS in particular need to simultaneously satisfy requirements of available, secure, safe and reliable system operation against diverse threats, in an adaptive and sustainable way. These adverse events can be of accidental or malicious nature and may include natural disasters, hardware or software faults, cyberattacks, or even infrastructure design and implementation faults. They may drastically affect the results of CPS algorithms and mechanisms, and subsequently the operations of industrial control systems (ICS) deployed in those critical infrastructures. Such a demanding combination of properties and threats calls for resilience-enhancement methodologies and techniques, working in real-time operation. However, the analysis of CPS resilience is a difficult task as it involves evaluation of various interdependent layers with heterogeneous computing equipment, physical components, network technologies, and data analytics. In this paper, we apply the principles of chaos engineering (CE) to industrial CPS, in order to demonstrate the benefits of such practices on system resilience. The systemic uncertainty of adverse events can be tamed by applying runtime CE-based analyses to CPS in production, in order to predict environment changes and thus apply mitigation measures limiting the range and severity of the event, and minimizing its blast radius.

Rafal Graczyk, Marcus Voelp, Paulo Esteves-Verissimo

Satellites, are both crucial and, despite common misbelieve, very fragile parts our civilian and military critical infrastructure. While, many efforts are focused on securing ground and space segments, especially when national security or large businesses interests are affected, the small-sat, newspace revolution democratizes access to, and exploitation of the near earth orbits. This brings new players to the market, typically in the form of small to medium sized companies, offering new or more affordable services. Despite the necessity and inevitability of this process, it also opens potential new venues for targeted attacks against space-related infrastructure. Since sources of satellite ephemerides are very often centralized, they are subject to classical Man-in-the-Middle attacks which open venues for TLE spoofing attack, which may result in unnecessary collision avoidance maneuvers, in best case and orchestrated crashes, in worst case. In this work, we propose a countermeasure to the presented problem that include distributed solution, which will have no central authority responsible for storing and disseminating TLE information. Instead, each of the peers participating to the system, have full access to all of the records stored in the system, and distribute the data in a consensual manner,ensuring information replication at each peer node. This way, single point of failure syndromes of classic systems, which currently exist due to the direct ephemerids distribution mechanism, are removed. Our proposed solution is to build data dissemination systems using permissioned, private ledgers where peers have strong and verifiable identities, which allow also for redundancy in SST data sourcing.

Paulo Esteves-Verissimo, Jérémie Decouchant, Marcus Völp et al.

Contact tracing is an important instrument for national health services to fight epidemics. As part of the COVID-19 situation, many proposals have been made for scaling up contract tracing capacities with the help of smartphone applications, an important but highly critical endeavor due to the privacy risks involved in such solutions. Extending our previously expressed concern, we clearly articulate in this article, the functional and non-functional requirements that any solution has to meet, when striving to serve, not mere collections of individuals, but the whole of a nation, as required in face of such potentially dangerous epidemics. We present a critical information infrastructure, PriLock, a fully-open preliminary architecture proposal and design draft for privacy preserving contact tracing, which we believe can be constructed in a way to fulfill the former requirements. Our architecture leverages the existing regulated mobile communication infrastructure and builds upon the concept of "checks and balances", requiring a majority of independent players to agree to effect any operation on it, thus preventing abuse of the highly sensitive information that must be collected and processed for efficient contact tracing. This is enforced with a largely decentralised layout and highly resilient state-of-the-art technology, which we explain in the paper, finishing by giving a security, dependability and resilience analysis, showing how it meets the defined requirements, even while the infrastructure is under attack.

Diego Kreutz, Jiangshan Yu, Fernando M. V. Ramos et al.

While the centralization of SDN brought advantages such as a faster pace of innovation, it also disrupted some of the natural defenses of traditional architectures against different threats. The literature on SDN has mostly been concerned with the functional side, despite some specific works concerning non-functional properties like 'security' or 'dependability'. Though addressing the latter in an ad-hoc, piecemeal way, may work, it will most likely lead to efficiency and effectiveness problems. We claim that the enforcement of non-functional properties as a pillar of SDN robustness calls for a systemic approach. As a general concept, we propose ANCHOR, a subsystem architecture that promotes the logical centralization of non-functional properties. To show the effectiveness of the concept, we focus on 'security' in this paper: we identify the current security gaps in SDNs and we populate the architecture middleware with the appropriate security mechanisms, in a global and consistent manner. Essential security mechanisms provided by anchor include reliable entropy and resilient pseudo-random generators, and protocols for secure registration and association of SDN devices. We claim and justify in the paper that centralizing such mechanisms is key for their effectiveness, by allowing us to: define and enforce global policies for those properties; reduce the complexity of controllers and forwarding devices; ensure higher levels of robustness for critical services; foster interoperability of the non-functional property enforcement mechanisms; and promote the security and resilience of the architecture itself. We discuss design and implementation aspects, and we prove and evaluate our algorithms and mechanisms, including the formalisation of the main protocols and the verification of their core security properties using the Tamarin prover.