SPARTA: CYBER SECURITY FOR SPACE MISSIONS
SPARTA v1.6 — What’s New?
The SPARTA framework offers space professionals a taxonomy of potential cyber threats to spacecraft and space missions. v1.6 includes four notable updates.
Authors: Brandon Bailey, Brad Roeher, and Randi Tinney
Version 1.6 Update #1: NASA’s Space Security Best Practice Guide Mapping
The Space Security: Best Practices Guide (BPG) from NASA provides guidance on mission security implementation in the form of principles which are coupled with applicable security controls that cover both the space vehicle and the ground segment.
According to the BPG, “the principles are meant to be easily achievable regardless of mission, program, or project size, scope, or whether international, corporate, or university. The principles selected focus on a risk-based approach to mitigating vulnerabilities, that are impediments to mission success. These principles were identified as an initial starting point of critical implementations for NASA missions to consider. The underlying security principles and associated controls were identified through an iterative process to address today’s cyber actors Tactics, Techniques, and Procedures (TTPs) used in attempts to compromise mission capabilities.”
The BPG outlines security principles for the “Space Mission” in section 3.2 and for the “Ground” in section 3.3. Given SPARTA’s focus on the space segment, there is substantial overlap in the principles identified in section 3.2 of the BPG and SPARTA’s countermeasures. SPARTA’s countermeasures cover similar principles and/or best practices in their own right; therefore, Aerospace has mapped the 14 NASA BPG principles related to the space segment against SPARTA’s countermeasures. In all cases there were multiple SPARTA countermeasures that aligned with the principles discussed in the BPG. The intention of this mapping is not to replace the BPG but augment the BPG principles with additional context and information to help system engineers implement the principles.
Additionally, this mapping will provide implementers of the BPG a wealth of resources since the mapping will enable correlation to SPARTA techniques, their associated risk scores from the notional risk scoring tool, example requirements, as well as additional cross correlations to NIST 800–53, ISO 27001, and D3FEND. Leveraging SPARTA in addition to the BPG as a source for threat-informed techniques offers benefits by providing a correlation between attacks and their associated defense strategies.
The intent of mapping SPARTA countermeasures to the BPG and standards like NIST SP 800–53 and ISO 27001 is to provide SPARTA users with additional perspective of the security principle as well as how the SPARTA countermeasure aligns with compliance/regulatory/best practices published by such standards bodies. Below is a sample excerpt from the table that contains the mappings.
Version 1.6 Update #2: Notional Risk Score Elaboration
In August of 2023 with version 1.4 of SPARTA, the Aerospace Corporation developed and incorporated space-cyber Notional Risk Scores (NRS) into the SPARTA framework, associating a notional evaluation of attack techniques leveraging a risk matrix. The intention of NRS is to provide practitioners with a starting point for space-cyber risk management, from which they can apply specific details (e.g., a reference architecture) to tailor NRS to evaluate their mission-specific space-cyber risks. NRS is a starting point for space developers and other approaches could be used to ensure less subjectivity as described in Towards Principled Risk Scores for Space Cyber Risk Management.
However, when performing risk assessments in a generic sense for a space system as SPARTA has done, subjectivity and subject matter expertise must be used in lieu of mission-specific technical details. The NRS page has been updated with a more detailed explanation of the approach used to calculate the 5x5 risk score for each technique within SPARTA. In addition to explaining the process, users can now download the NRS scores via an Excel Spreadsheet that contains all default NRS scores to include the 5x5 risk score and the applicable impact and likelihood scores for each system criticality level.
Version 1.6 Update #3: Using SPARTA to Conduct Space Vehicle Cyber Assessments
This presentation was created to assist assessors, penetration testers, and/or red teamers on a methodology to perform cyber assessments against space vehicles. To maximize value to the reader, it is recommended the reader is familiar with SPARTA content and comes from a testing background. An outline, including prerequisite/assumed knowledge, of the material within that presentation is below.
• Prerequisite(s) and assumed knowledge
– Space system knowledge; specifically, space vehicles
– Has conducted some level of offensive operations on a system
– Understands SPARTA / reviewed SPARTA resources (https://sparta.aerospace.org/resources/)
• Outline
– Space 101 (if needed — can skip if space SME)
– Assessments of Space Vehicles:
- Determining which techniques can have high impact and/or high likelihood
– Decomposing the space vehicle, mission, and attack surface - Build procedures to implement the techniques to execute on the SV
- Determine the actual impact in context of the mission upon execution of the technique(s)
- Determining risk based on results
– Using SPARTA to help with recommendation / countermeasures
– Alternative approach for assessing space vehicles
Update #4: Additional References
In SPARTA version 1.6, approximately 30 new unique references were added across 70 SPARTA techniques and all 9 tactics. See the update page for a listing of the techniques that have additional references. Extensive literature review was conducted across hundreds of sources for correlation to the techniques. The intent of this exercise was to provide open-source evidence where appropriate.
