A Gilded Cage: Cassini/Huygens Navigation Ground Data System Engineering for Security

On October 15, 1997, the Cassini/Huygens mission began a seven year journey across the solar system that culminated in the entry of the spacecraft into Saturnian orbit on June 30, 2004, that is projected to conclude on September 15, 2017. Cassini/Huygens Spacecraft Navigation is the result of a complex interplay between several teams within the Cassini Project, performed on the Ground Data System. The work of Spacecraft Navigation involves rigorous requirements for accuracy and completeness often carried out under uncompromising critical time pressures. There was a clear need for a secure, highreliability/high-availability computational environment to support Navigation data processing. As a part of this effort, security design (based around the cornerstone principles of Confidentiality, Integrity, and Availability) was a critical element in the system architecture. It is a mistaken, albeit popular, notion that security interferes with usability, and that secure systems should be hard to use. This design sought to find the complementary intersection between security and usability, a point where maximal usability and security converged, unhindered by obtrusive security measures while still confident their work is secure. This paper examines the process used to determine the point of maximal security and usability ‐ a “gilded cage” to protect the system users from hostile external threat, while making their experience on the system as user friendly (in terms of unobtrusive security measures) and efficient as possible. We examined system requirements, obtained user feedback, and developed a secure model for the overall system. This secure system model was then augmented to include a model of user activity and data flows. An iterative control system approach was employed to observe user action and data flow and modify the user model accordingly. The goal was to determine what unused parts of the system could be used to compromise security and disallow access to those areas.