NCCoE published cybersecurity framework profile for hybrid satellite networks, seeks public input

(Updated on Jun. 28, 2023, to add extended comment period date.)

The National Cybersecurity Center of Excellence (NCCoE), a part of the National Institute of Standards and Technology (NIST), published Tuesday a draft of its cybersecurity framework profile for hybrid satellite networks. The draft document comes as the space sector is transitioning away from traditional vertically integrated entities and towards an aggregation of independently owned and operated segments, making it more critical for all stakeholders to share a common understanding of the risks and how they can be mitigated.

The agency had opened the document for public comment until 11:59 p.m. ET on July 5, 2023. However, on Jun. 28, it extended the comment period until 11:59 p.m. ET on July 14, 2023.

Titled ‘Draft NIST IR 8441, Cybersecurity Framework Profile for Hybrid Satellite Networks (HSN),’ the document intends to help organizations engaged in the design, acquisition, and operation of satellite buses or payloads involving hybrid satellite networks. The move will help these industry stakeholders to understand the attack surface better, incorporate security, and achieve greater resilience for space systems that may be leveraged by critical infrastructure owners and operators, the U.S. Department of Defense (DoD), or other government missions, in a manner that is consistent with the sponsor organization’s risk tolerance. 

In collaboration with subject matter experts including satellite builders, consultants, acquisition authorities, operators (commercial and government), academia, and other interested parties, NIST has developed the HSN Cybersecurity Framework (CSF) profile to guide space stakeholders. The document applies the NIST Cybersecurity Framework to hybrid satellite networks with an emphasis on the interfaces between the participants of these satellite networks. 

The HSN Profile will help organizations identify systems, assets, data, and risks from the CSF that pertain to hybrid satellite networks; protect HSN services by utilizing cybersecurity principles and self-assessment; detect cybersecurity-related disturbances or corruption of hybrid satellite network services and data; respond to HSN service or data anomalies in a timely, effective, and resilient manner; and recover the HSN to proper working order after a cybersecurity incident.

The NCCoE released last November a final annotated outline for the CSF profile for HSN. The cybersecurity profile intends to identify an approach to assess the cybersecurity posture of HSNs that provide services such as satellite-based systems for communications, position, navigation and timing (PNT), remote sensing, weather monitoring, and imaging.

The HSN profile will include informative references to existing standards, guidelines, and best practices. It provides information on risk management and applies the NIST CSF to assist with specific security implications. 

“The profile supports and is informed by cybersecurity risk management processes. Using the profile, organizations can make more informed decisions to select and prioritize cybersecurity activities and expenditures that help identify systems dependent on HSN, identify appropriate HSN sources, detect disturbances and manipulation of HSN services, manage the risk to these systems, and bolster resilience,” the draft document identified. “The HSN profile provides a starting point from which organizations can customize—based on need and risk tolerance—to develop the most appropriate processes to manage cybersecurity posture of their HSN. Organizations can use a profile in conjunction with existing cybersecurity risk management processes.”

It added some examples of cybersecurity risk management processes including International Organization for Standardization (ISO) 31000:2018, ISO/International Electrotechnical Commission (IEC) 27005:2018, and NIST Special Publication 800-39. 

Created through collaboration between industry and government, the NIST-CSF provides prioritized, flexible, risk-based, and voluntary guidance based on existing standards, guidelines, and practices to help organizations better understand, manage, and communicate cybersecurity risks. 

The cybersecurity framework is outcome-based and focuses on cybersecurity functions rather than the components. A cybersecurity framework profile is not intended to provide specific implementation guidance. However, a Profile will supply Informative References to existing standards, guidelines, and practices that provide practical guidance to help an organization achieve the desired outcome of each Subcategory. 

The structure consists of three main components – the Framework Core, the Framework Implementation Tiers, and the Framework Profiles. The Framework Core presents standards, guidelines, and practices within five concurrent and continuous functions that cover Identify, Protect, Detect, Respond, and Recover. 

The NCCoE document then moves to the HSN CSF profile section which addresses the fact that by design, the CSF is inherently flexible to accommodate different organizations’ unique environments and needs. “Users of this document should understand that deviations between their enterprise and the assumptions made in this Profile will impact the applicability of the Subcategories. Therefore, organizations are advised to review all Subcategories (including those considered not applicable) in the context of their organization.”

The Identify Function is foundational to cybersecurity and the risk management process. Cybersecurity assessments and risk management should start with the Identify Function. The activities in the Identify Function are foundational to the effective use of the Cybersecurity Framework, enabling an organization to focus and prioritize its efforts consistent with its risk management strategy and business needs. Consideration of the organization’s mission and business objectives, threat environment, assets, and vulnerabilities will have a significant influence on the overall risk management decision and will impact the other four Functions.

The objectives of the Identify Function include identifying the business or operational environment and organization’s purpose, detecting all assets, including hardware, software, personnel, roles, responsibilities, and the assets’ criticality, identifying infrastructure that provides HSN functionality, and determining the current and trending vulnerabilities, threats, and impacts should the threat be realized. 

The Identify Function within the CSF defines six categories, which cover asset management, business environment, governance, risk assessment, risk management strategy, and supply chain risk management. Each category has at least one subcategory that directly applies to HSN.

The Protect Function includes development, implementation, and verification measures to prevent the loss of assurance or functionality within the HSN. It also enables the response to and recovery from cybersecurity events with planning and preparation activities, while the execution of risk mitigation is addressed in the Respond and Recover Functions.

The objectives of the Protect Function include protecting the systems that format and transmit information to the elements of the HSN at the required level of assurance and protecting the systems that receive and process data from independent organizations within the HSN. A further objective is to protect users and applications that depend on HSN data, should a threat be realized, by enabling them to maintain a sufficient level of operations through verified response and recovery plans.

The Protect Function covers access control, awareness and training, data security, information protection processes and procedures, product maintenance, and protective technology. 

The Detect Function addresses the development and deployment of appropriate activities to monitor for anomalous events and notify users and applications upon their occurrence. The Detect Function is informed by the Identify Function and is enabled by the Protect Function. 

The objectives of the Detect Function include enabling detection through monitoring and consistency checking, and establishing a process for deploying detection capabilities and handling/disposition of detected anomalies and events. The Detect Function may leverage capabilities such as automation and management tools such as Security Information and Event Management to assist in detecting previously uncovered threats and minimize false positives. These capabilities involve data parsing, analytics, and the sharing of information.

“In an HSN environment, all the data message formatting and transmission must be compatible,” the document identified. “If practical, comply with standards-based solutions for data formatting, message formatting, and message transmission to facilitate interoperability, integration, and sharing.”

The activities in the Respond Function support the ability to contain the impact of an incident by developing and implementing appropriate responses to a detected cybersecurity attack or anomalous incident. The Respond Function actions are triggered by the outputs generated by the Detect Function. The Protect Function enables the Respond Function to execute the proper response to an event according to a predefined plan.

The objectives of the Respond Function are to contain events using a verified response procedure; communicate the occurrence and impact of the event on satellite operations and stakeholders; develop processes to respond to and mitigate new known or anticipated threats or vulnerabilities; and evolve response strategies and plans based on lessons learned.

The Recover Function develops and implements the appropriate activities to maintain resilience and restore any capabilities or services that were impaired due to a cybersecurity event. The activities in the Recover Function support timely recovery to normal operations and return the organization to its proper working state after an incident has occurred. The Recover Function’s effectiveness depends on the implementation of the previous functions.

The objectives of the Recover Function are to restore the HSN services to a proper working state using a verified recovery procedure so that systems dependent on those services can function properly. It also works on communicating the recovery activities and status of the HSN services to stakeholders and evolving recovery strategies and plans based on lessons learned.

Last month, a bipartisan legislative bill that would require the Cybersecurity and Infrastructure Security Agency (CISA) to help protect owners and operators of commercial satellites against disruptive cyberattacks advanced in the U.S. Senate. The bill was advanced by the Senate Homeland Security and Governmental Affairs Committee and now moves to the full Senate for consideration.
