Space-based assets are essential for critical societal functions across sectors like energy, transportation, communication, agriculture, and government. As these services become more integrated into daily life and reliance on cyber–physical systems grows, the interconnectivity and commercialization of space assets increases the attack surface and cybersecurity risks. Recent incidents affecting space infrastructure underscore the urgent need for robust cybersecurity measures. Legislators in the EU and other countries are addressing cyber risks to space and ground assets by developing minimum protection requirements. To support these measures, this paper evaluates whether existing security metrics in the literature cover all NIST functions, categories, and subcategories in the Cybersecurity Framework 2.0 (CSF 2.0). This framework provides a strong foundation for industry sectors and can serve as a baseline to ensure compliance with directives like NIS2. Our analysis reveals imbalances in academic discourse, with certain CSF 2.0 functions underrepresented. Then, we propose new metrics to address unaddressed NIST categories and adapt existing metrics to better suit the space domain. Considering practical challenges in implementing and monitoring these metrics, we propose a tool to facilitate their calculation and visualize security status. We also present a case study resembling real-world space infrastructure that demonstrates our tool's applicability and the value of the designed metrics. Our research has managerial implications, supporting managers, CIOs, and CISOs in making informed decisions, helping companies understand their security levels, and complying with existing and forthcoming space sector regulations. We advocate for using security metrics to assess compliance with regulations like NIS2, CER, or upcoming space laws, demonstrating to policymakers that metrics can be integrated into policies to enhance their effectiveness.

Developing security metrics for space systems: A study considering the NIST Cybersecurity Framework 2.0 and the NIS2 / Casaril, F., Galletta, L.. - In: INTERNATIONAL JOURNAL OF CRITICAL INFRASTRUCTURE PROTECTION. - ISSN 1874-5482. - 51:(2025). [10.1016/j.ijcip.2025.100805]

Developing security metrics for space systems: A study considering the NIST Cybersecurity Framework 2.0 and the NIS2

Galletta L.
2025

Abstract

Space-based assets are essential for critical societal functions across sectors like energy, transportation, communication, agriculture, and government. As these services become more integrated into daily life and reliance on cyber–physical systems grows, the interconnectivity and commercialization of space assets increases the attack surface and cybersecurity risks. Recent incidents affecting space infrastructure underscore the urgent need for robust cybersecurity measures. Legislators in the EU and other countries are addressing cyber risks to space and ground assets by developing minimum protection requirements. To support these measures, this paper evaluates whether existing security metrics in the literature cover all NIST functions, categories, and subcategories in the Cybersecurity Framework 2.0 (CSF 2.0). This framework provides a strong foundation for industry sectors and can serve as a baseline to ensure compliance with directives like NIS2. Our analysis reveals imbalances in academic discourse, with certain CSF 2.0 functions underrepresented. Then, we propose new metrics to address unaddressed NIST categories and adapt existing metrics to better suit the space domain. Considering practical challenges in implementing and monitoring these metrics, we propose a tool to facilitate their calculation and visualize security status. We also present a case study resembling real-world space infrastructure that demonstrates our tool's applicability and the value of the designed metrics. Our research has managerial implications, supporting managers, CIOs, and CISOs in making informed decisions, helping companies understand their security levels, and complying with existing and forthcoming space sector regulations. We advocate for using security metrics to assess compliance with regulations like NIS2, CER, or upcoming space laws, demonstrating to policymakers that metrics can be integrated into policies to enhance their effectiveness.
2025
Cybersecurity governance
NIST CSF 2.0
Satellite cybersecurity
Security metrics
Space law
File in questo prodotto:
File Dimensione Formato  
1-s2.0-S1874548225000666-main.pdf

accesso aperto

Tipologia: Versione Editoriale (PDF)
Licenza: Creative commons
Dimensione 2.12 MB
Formato Adobe PDF
2.12 MB Adobe PDF Visualizza/Apri

I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.

Utilizza questo identificativo per citare o creare un link a questo documento: https://hdl.handle.net/20.500.11771/41700
Citazioni
  • ???jsp.display-item.citation.pmc??? ND
  • Scopus 2
  • OpenAlex 1
social impact