New Technical Guideline BSI TR-03184-2 – Cybersecurity for the ground segment of space systems
With the publication of Technical Guideline BSI TR-03184-2, the German Federal Office for Information Security (BSI) sets a new benchmark for information security in the ground segment of space systems. It was developed in close cooperation with experts from the space and information security industry and is part of a comprehensive strategy for securing critical infrastructure in the space sector. It complements Part 1 of the Guideline, which deals with the space segment, and builds upon the requirements of the IT Baseline Protection Profile for the ground segment.
Objective and Area of Application
The TR-03184-2 Guideline aims to establish a consistently high level of security for the ground segment of space systems. It is aimed at operators, manufacturers and service providers involved in the development, operation and maintenance of ground segments. The Guideline is applicable to all protection requirement categories (normal, high, very high) and can be used for both new and existing systems. It is aligned with the international standards ISO/IEC 27001/27002 and follows the methodology of BSI's IT-Grundschutz (IT Baseline Protection).
Structure and Content of the Guideline
The Guideline is divided into several central sections:
- System structure and delimitation: Definition of the operational ground segment, which includes all components needed to control the space segment from the ground (e.g. ground control stations, TT&C (telemetry, tracking and command) antenna stations, communication networks).
- Lifecycle business processes: All phases are considered, from conception and design through production, operational preparation and operation to decommissioning.
- Applications and threats: Identification and description of typical applications (e.g. on-board software management, antenna control, simulators, operations tools) and the threats associated with each.
- Assessment of protection requirements: Determination of protection requirements based on mission characteristics such as mission type, orbit, constellation size, stakeholders and infrastructure.
- Risk treatment and mitigation measures: Systematic assignment of countermeasures to the identified threats, supported by a comprehensive cross-reference table that serves as the central working tool of the Guideline.
- Cryptographic requirements: Recommendations on the use of encryption, authentication and key management, including requirements for crypto-agility (the ability to replace an algorithm without redesigning the system) and protection against attacks using quantum computers.
Legal Requirements and Compliance
Although the TR-03184-2 Guideline is formally only a recommendation, its alignment with international standards gives it considerable weight for compliance in the area of critical infrastructure. Companies operating in the space sector should pay particular attention to the following legal and contractual aspects:
- Proof of adequate protection: The Guideline can become part of service descriptions and contracts. The client and contractor must jointly define and document the need for protection and the resulting measures.
- Incorporation of industry standards: The Guideline is compatible with ISO/IEC 27001/27002 and can be combined with other compliant procedures. It also refers to international frameworks such as the NIST Cybersecurity Framework, ECSS, CCSDS and MITRE ATT&CK.
- Documentation obligations: The implementation of the TR requires comprehensive documentation (structural analysis, determination of protection requirements, risk analysis, implementation of measures), all of which may be subject to audits and regulatory inspections.
- Contractual safeguards for outsourced services: If parts of the ground segment are operated "as a service" by external providers, contractual provisions on compliance with the protection requirements and on regular audits are mandatory.
Concrete Measures for Companies
To meet the requirements of TR-03184-2, companies must take the following measures:
- Structural analysis and inventory: Complete recording of all IT systems, applications and components of the ground segment. Map these elements to the applications outlined in the TR.
- Assessment of protection requirements: Assessment of the protection requirements for each component and each business process based on the mission characteristics and the protection objectives of confidentiality, integrity and availability.
- Threat identification: Use the threat catalogues contained in the TR and check them against project-specific features.
- Risk assessment: Carry out a standardized risk analysis (e.g. according to ISO/IEC 27005 or BSI Standard 200-3) for all identified threats.
- Selection and implementation of security controls: Assign measures to the identified threats and scale them to the protection requirements, covering technical, organizational and personnel measures.
- Cryptographic safeguards: Development and implementation of a cryptographic concept that meets the requirements of TR-02102-1. Consideration of crypto-agility and protection against future threats (e.g. quantum computing).
- Documentation and ongoing review: Complete documentation of all steps and regular review and adaptation of measures to new threats and technological developments.
- Training and awareness: Conduct training and awareness-raising programs for all employees, especially those with access to critical systems and information.
- Contractual and organizational safeguards for service providers: Ensure that external service providers and partners also meet the requirements of the TR and regularly demonstrate compliance.
Examples of Common Threats and Countermeasures
- Faulty or manipulated transmission of on-board software: integrity checks (hash functions and checksums detect accidental corruption; deliberate manipulation is only detected by a keyed MAC or digital signature), encrypted communication, physical tamper protection.
- Leakage of sensitive data from satellite models: access controls, restricted zones, encrypted storage and transmission, supervision of external personnel.
- Sabotage of antenna systems: security perimeters, access controls, surveillance, protection against drone attacks.
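The first threat above, an on-board software image altered on its way to the ground station, illustrates the difference between an integrity check that detects accidental corruption and one that detects deliberate tampering, and how an authenticated algorithm identifier gives crypto-agility. The following Python example was written for this article and is not code from the BSI Guideline or from any ground-segment product. The manifest format, the algorithm names in the registry, the use of an HMAC as a stand-in for the digital signature a real system would use under TR-02102-1, and the sample image and key are all assumptions made for the demonstration.

```python
import hashlib
import hmac

# Hypothetical algorithm registry (assumption, not from the TR): the manifest
# carries the MAC algorithm name so an operator can retire one algorithm and
# migrate to another (crypto-agility) without changing the upload format.
MAC_ALGORITHMS = {
    "hmac-sha256": hashlib.sha256,
    "hmac-sha3-256": hashlib.sha3_256,
}

# Constructed sample data: a fake on-board software (OBSW) image and a demo key.
# A real ground segment would draw the key from its key-management system and,
# following TR-02102-1, would normally use a digital signature rather than a
# shared-key MAC; HMAC is used here only because it needs no third-party library.
SAMPLE_IMAGE = b"OBSW v2.1 demo image " + bytes(range(64))
SAMPLE_KEY = b"constructed-demo-key-not-for-flight"


def simple_checksum(data: bytes) -> int:
    """8-bit additive checksum: catches accidental bit errors, not deliberate changes."""
    return sum(data) % 256


def _mac_input(alg: str, image: bytes) -> bytes:
    # Authenticate the algorithm identifier and the length together with the image,
    # so an attacker can neither downgrade the algorithm nor truncate the image.
    return alg.encode() + b"\x00" + len(image).to_bytes(4, "big") + image


def build_manifest(image: bytes, key: bytes, alg: str = "hmac-sha256") -> dict:
    """Producer side: manifest that accompanies an OBSW image upload."""
    digest = MAC_ALGORITHMS[alg]
    return {
        "alg": alg,
        "length": len(image),
        "checksum": simple_checksum(image),
        "mac": hmac.new(key, _mac_input(alg, image), digest).hexdigest(),
    }


def verify_image(image: bytes, manifest: dict, key: bytes) -> tuple[bool, str]:
    """Ground-station side: accept the image only if every check passes."""
    alg = manifest.get("alg")
    digest = MAC_ALGORITHMS.get(alg)
    if digest is None:
        return False, f"unsupported or retired algorithm: {alg!r}"
    if manifest.get("length") != len(image):
        return False, "length mismatch"
    if manifest.get("checksum") != simple_checksum(image):
        return False, "checksum mismatch (transmission error)"
    expected = hmac.new(key, _mac_input(alg, image), digest).digest()
    # compare_digest is a constant-time comparison (no early-exit timing leak).
    if not hmac.compare_digest(expected, bytes.fromhex(manifest["mac"])):
        return False, "MAC mismatch: image or manifest modified"
    return True, "ok"


def tamper_preserving_checksum(image: bytes, offset: int, new_byte: int) -> bytes:
    """Attacker model: patch one byte and compensate a neighbouring byte so the
    additive checksum is unchanged. Shows why a checksum alone is not an
    integrity control against manipulation."""
    buf = bytearray(image)
    delta = (new_byte - buf[offset]) % 256
    buf[offset] = new_byte
    neighbour = offset + 1 if offset + 1 < len(buf) else offset - 1
    buf[neighbour] = (buf[neighbour] - delta) % 256
    return bytes(buf)


def demo() -> dict:
    manifest = build_manifest(SAMPLE_IMAGE, SAMPLE_KEY)
    tampered = tamper_preserving_checksum(SAMPLE_IMAGE, 5, 0x41)
    downgraded = dict(manifest, alg="hmac-md5")       # algorithm not in registry
    swapped = dict(manifest, alg="hmac-sha3-256")     # alg field changed, MAC not
    return {
        "genuine": verify_image(SAMPLE_IMAGE, manifest, SAMPLE_KEY),
        "checksum_unchanged": simple_checksum(tampered) == manifest["checksum"],
        "tampered": verify_image(tampered, manifest, SAMPLE_KEY),
        "downgraded": verify_image(SAMPLE_IMAGE, downgraded, SAMPLE_KEY),
        "swapped_alg": verify_image(SAMPLE_IMAGE, swapped, SAMPLE_KEY),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running `demo()` shows the genuine image accepted, the tampered image passing the checksum but failing the MAC, an unknown algorithm name rejected outright, and a changed algorithm field rejected because the identifier is part of the authenticated data. Retiring an algorithm in a deployed system then amounts to removing its entry from the registry and re-issuing manifests, which is the operational meaning of the crypto-agility requirement in the Guideline.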
Conclusion and Recommendations
The TR-03184-2 Guideline is a milestone for cyber security in the space sector and sets a new standard for protecting the ground segment. Companies are strongly encouraged to treat the Guideline as a quasi-binding standard and to implement the measures it describes systematically. This matters not only technically, but also with regard to liability risks, regulatory requirements and competitiveness in the global space industry.
For practical implementation, it is advisable to involve information security and legal experts at an early stage in order to integrate the requirements of the TR Guideline into existing processes and contracts in an efficient and legally compliant manner.
Contact and Support
As a law firm specializing in aviation, aerospace, NewSpace and SpaceTech, we provide you with comprehensive support in the analysis, implementation and documentation of the requirements of BSI TR-03184-2 Guideline. Contact us – we will support you from the initial assessment through successful auditing and beyond.