New SPARTA v1.4 framework features ISO 27001 mapping and D3FEND technique for space cyber threats


The Aerospace Corporation on Thursday released v1.4 of its Space Attack Research and Tactic Analysis (SPARTA) framework, delivering significant updates. The latest version offers TTP notional risk scores, ISO 27001 mapping, D3FEND technique and artifact mappings, additional references, and a DEF CON 31 SPARTA presentation.

In May, the agency released v1.3 of its SPARTA framework, providing a general information page, SPARTA navigator, and SPARTA Matrix Updates. That version also delivered 14 new countermeasures (CMs) and included the SPARTA Countermeasure Mapper. SPARTA is intended to provide unclassified information to space professionals about how spacecraft may be compromised using cyber and traditional counterspace means. The framework defines and categorizes commonly identified activities that contribute to spacecraft compromises. 

“This update builds on previous work published in Aerospace Report TOR-2021–01333-REV A which details a generic threat model and risk assessment approach that considers a high-level view of adversary capabilities and ranks them into tiers,” Brandon Bailey, Brad Roeher, and Randi Tinney wrote in a Medium post. “Given the difficulty of establishing the likelihood of an attack due to the uniqueness of every mission and system implementation, this generic tiered adversary system is leveraged to illustrate adversary capability which contributes to the likelihood that an actor can execute certain SPARTA TTPs.”

They added that, combined with analysis from Aerospace subject matter experts on the TTPs' potential impact, this results in a NOTIONAL risk determination that can be represented in a standard 5×5 risk matrix. Three notional risk values are now provided for TTPs, sorted by system/mission criticality: High Criticality System, covering critical infrastructure, military, intelligence, or similar; Medium Criticality System, including civil, science/weather, commercial, or similar; and Low Criticality System, covering academic, research, or similar.

“Ranging from 1–25, each of these three distinct values can be placed on the risk cube 5×5,” the authors added. “A combined table and tool are provided under the Tools menu via Notional Risk Scores. This table is sortable and searchable.”

They added that as with all SPARTA content, this process and the notional scores are expected to evolve over time. “There are plans to implement future functionality to allow more tailoring within the tool to better reflect system/mission-specific parameters. For the time being, it is up to SPARTA users to consider additional tailoring that should take place so that these notional scores are adjusted to reflect their own unique mission.”

For example, the notional values do not reflect tailoring considerations such as specific architectures/technologies; the existence of specific sub-systems/functions; mission objectives and the components critical to their success; the mission importance of confidentiality, integrity, and availability of data; and mission-specific threat intelligence, including geo-political developments or future plans that might increase the likelihood of adversarial action.

With many organizations and corporations across the world leveraging ISO 27001 to certify that their systems are considered secure and follow best practices, the post noted that in some circumstances ISO 27001 is applied beyond terrestrial system elements to include elements within the space segment as well. “Therefore, to help bridge the gap between SPARTA countermeasures and ISO 27001 a mapping has been performed. This mapping was performed using NIST’s published mapping between NIST 800–53 rev5 and ISO 27001,” the post added.

According to NIST, “the mapping of SP 800–53 Revision 5 controls to ISO/IEC 27001:2022 requirements and controls reflects whether the implementation of a security control from Special Publication 800–53 satisfies the intent of the mapped security requirement or control from ISO/IEC 27001 and conversely, whether the implementation of a security requirement or security control from ISO/IEC 27001 satisfies the intent of the mapped control from Special Publication 800–53.”

The Medium post said that there could be gaps or mistakes within the NIST to ISO mappings as this is the as-provided mapping from NIST and the space system context was not considered in this initial mapping. “Improvements will be made in future releases of SPARTA and driven by community feedback.”

Additionally, the intent of mapping SPARTA countermeasures to standards like NIST SP 800–53 and ISO 27001 is to provide SPARTA users with an additional perspective of the security principle as well as how the SPARTA countermeasure aligns with compliance/regulatory/best practices published by such standards bodies. The ISO relationships will also be exportable to Excel.

The authors also noted that MITRE published the Detection, Denial, and Disruption Framework Empowering Network Defense (D3FEND) in 2021. D3FEND is defined as a ‘knowledge graph of cybersecurity countermeasure techniques.’ Like SPARTA, D3FEND discusses cyber countermeasures which are actions that need to be taken to increase cyber defense. D3FEND’s goal is not to prescribe the exact implementation for a countermeasure, but rather, to provide a lexicon and framework for defensive techniques. 

Similar to other frameworks (e.g., ATT&CK and SPARTA), the D3FEND Matrix contains a definition of the countermeasure, how it works, considerations when using the countermeasure, and information about relevant types of digital artifacts.

“D3FEND provides its own reference that depicts which countermeasures will help mitigate against various ATT&CK elements. Similarly, SPARTA wanted to provide a translation/mapping of D3FEND techniques and artifacts to the relevant SPARTA countermeasures,” according to the Medium post. “This should enable users of SPARTA to bridge the gap between countermeasures/courses of action (COAs). Currently, SPARTA’s countermeasures provide varying levels of abstraction on details.” 

The agency also disclosed that mapping SPARTA countermeasures to NIST 800–53, ISO 27001, and now D3FEND gives SPARTA users additional context and data to improve cyber defenses on space systems. Additionally, each D3FEND technique within SPARTA will contain some of the same information as the D3FEND website but it will also bring in the SPARTA countermeasures and SPARTA TTPs that are applicable. The D3FEND relationships will also be exportable to Excel.

“In SPARTA version 1.3.2, over 20 TTP references were updated using CyberInflight’s Market Intelligence Team’s space attack database,” the post said. “In version 1.4, the integration of their data has been fully completed. Due to this integration, approximately 50 attacks were added to the appropriate techniques/sub-techniques under the reference section for each TTP.” 

It added that roughly 60 percent of the attacks from CyberInflight’s space attack database fall within the Reconnaissance and Resource Development tactics, which are a precursor to almost all attacks. “This reinforces how important the Protect Sensitive Information countermeasure is because threat actors are actively extracting sensitive design information. In some cases, threat actors’ objectives are simply Exfiltration or Theft, and these attacks could be achieving their objective simply by stealing the information,” the Medium post added.

Under the General Information page, a new presentation has been posted, titled “DEF CON 31: Building Space Attack Chains using SPARTA,” which demonstrates best practices for extracting TTPs from reports and building various attack chains using SPARTA.

The Medium post added that SPARTA can be used to build attack chains to drive baseline countermeasures and security controls for the spacecraft. “Six hacks against spacecraft are presented and then combined into SPARTA’s navigator feature to demonstrate how a security engineer could better determine protections needed within their space system.”

On Wednesday, the Industry IoT Consortium (IIC) and the International Society of Automation (ISA) announced updates to the IoT Security Maturity Model (SMM): ISA/IEC 62443 Mappings for Asset Owners and Product Suppliers and Service Suppliers. The updates also consider significant updates to the 62443-2-1 standard for industrial automation and control systems (IACS) security programs. Mapping the SMM with the IEC 62443 requirement framework for industrial automation and control systems is useful to enable 62443 requirements to be related to SMM target setting and assessment.
