In our article, we developed new metrics and assigned existing ones to NIST CSF 2.0 subcategories. However, companies may still face challenges in implementing our methodology. To address this, we created a proof of concept tool that can be used to apply some of the proposed metrics to real-world scenarios. On this page, we provide a detailed description of the tool, including its functionality, features, uses, and limitations.
The tool's primary purpose is to facilitate the quantitative assessment of space system security metrics. It provides a platform for users, such as CISOs, CIOs, or those responsible for security in a company, to input data related to their security parameters. The tool calculates various metrics representing the state of the system’s cybersecurity posture. It is designed to allow for expansion and adaptation to specific company missions and risks, as well as future integration of additional metrics as new threats and cybersecurity frameworks evolve.
The Proof of Concept (PoC) was built using HTML, CSS, and JavaScript to create a lightweight, responsive, and interactive user interface accessible through a web browser. The HTML layout organizes the tool into different sections, each dedicated to a specific security metric. Color schemes based on NIST CSF functions are applied to visually differentiate the categories, enhancing the usability and clarity of the tool. Each metric calculation is implemented as a function that validates user inputs, performs mathematical calculations according to the metric formula, and displays the results. The code incorporates input validation to prevent errors, ensuring that users enter meaningful data.
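The following is an added illustration of the per-metric function pattern described above (validate inputs, compute, return a result tagged with its NIST CSF function for colour coding); it is not the PoC's own code. The two metric formulas, the field names and the CSF function assignments are assumptions made for the example, not the metrics defined in the article.

```javascript
// Example colour per NIST CSF function (assumed palette; the PoC's own colours are not shown here).
const NIST_FUNCTION_COLORS = { PR: "#9b59b6", DE: "#f1c40f" };

function isNonNegativeNumber(x) {
  return typeof x === "number" && Number.isFinite(x) && x >= 0;
}

// Metric registry. Each entry carries its CSF function, unit, required input fields,
// a metric-specific validation rule and the formula. Formulas are illustrative assumptions.
const METRICS = {
  // Share of received commands that passed authentication (assumed PR metric).
  commandAuthRate: {
    csfFunction: "PR",
    unit: "%",
    fields: ["authenticatedCommands", "totalCommands"],
    validate: (v) => (v.totalCommands > 0 && v.authenticatedCommands <= v.totalCommands)
      ? null : "authenticated commands must not exceed a positive total",
    compute: (v) => (v.authenticatedCommands / v.totalCommands) * 100,
  },
  // Mean time to detect, averaged over a list of per-incident detection times (assumed DE metric).
  meanTimeToDetectHours: {
    csfFunction: "DE",
    unit: "h",
    fields: ["detectionTimesHours"],
    validate: (v) => (Array.isArray(v.detectionTimesHours) && v.detectionTimesHours.length > 0
      && v.detectionTimesHours.every(isNonNegativeNumber))
      ? null : "need at least one non-negative detection time",
    compute: (v) => v.detectionTimesHours.reduce((a, b) => a + b, 0) / v.detectionTimesHours.length,
  },
};

// Validates the user's inputs for one metric, applies its formula and returns a display-ready
// result; on invalid input it returns an error message instead of a misleading number.
function computeMetric(name, inputs) {
  const metric = METRICS[name];
  if (!metric) return { ok: false, error: `unknown metric: ${name}` };
  for (const f of metric.fields) {
    if (!(f in inputs)) return { ok: false, error: `missing input: ${f}` };
    // Scalar fields must be finite, non-negative numbers; list fields are checked by the metric.
    if (!Array.isArray(inputs[f]) && !isNonNegativeNumber(inputs[f])) {
      return { ok: false, error: `${f} must be a non-negative number` };
    }
  }
  const err = metric.validate(inputs);
  if (err) return { ok: false, error: err };
  const value = Math.round(metric.compute(inputs) * 100) / 100; // two decimals for display
  return { ok: true, value, unit: metric.unit,
           csfFunction: metric.csfFunction, color: NIST_FUNCTION_COLORS[metric.csfFunction] };
}
```

In the PoC's browser UI, the returned object would be rendered into the metric's section; here the function is kept free of DOM code so it can be exercised directly.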
A more advanced version of the tool can be used by space operators, cybersecurity analysts, and governmental organizations involved in the management and protection of space infrastructure. Concrete applications of the tool include:
1. Cybersecurity Audit and Compliance: Organizations can evaluate their compliance with industry standards such as the NIST CSF. The tool’s alignment with NIST subcategories ensures that metrics directly correspond to compliance requirements.
2. Operational Monitoring: Space operations centers can integrate the tool into their routine cybersecurity assessments, allowing for regular monitoring of key metrics such as signal integrity and command authentication.
3. Security Management and Resource Allocation: By assessing metrics, organizations can better evaluate security gaps and prepare their response for the future.
While the tool offers a useful starting point for assessing space cybersecurity metrics, several limitations must be addressed. The current version of the tool requires manual data input, limiting its capacity for real-time monitoring and dynamic assessment, which are crucial for space operations that require continuous threat detection. Additionally, the tool currently supports a fixed set of metrics. As threats evolve, new metrics and updates will be necessary to maintain its relevance. The tool also relies on predefined formulas and lacks the ability to learn from past incidents or adapt to patterns, limiting its capacity for predictive analysis.
The security metrics PoC tool can offer a solid baseline for assessing a space company’s level of security. By providing a user-friendly, metric-based approach to evaluating the security posture of space systems, the tool can significantly support compliance efforts and operational resilience. The tool’s design is aligned with NIST CSF standards, ensuring that it meets industry requirements for cybersecurity assessment, but it can be further improved and shaped to reflect requirements and obligations such as those defined in the NIS2 Directive or in the upcoming Space Law. Future improvements, including AI integration, real-time monitoring capabilities, and collaborative cloud deployment, can enhance its utility and provide a more sophisticated platform for defending space infrastructure against evolving threats.
The extended version of the methodology is detailed in our article, but here we provide a summarized version of our approach.
After reviewing multiple methodologies for validating the robustness of security metrics, we developed a new approach grounded in existing literature. Our method synthesizes key principles from several well-known frameworks, including Andrew Jaquith's security metrics guidelines (Jaquith 2007), NIST SP 800-55 (NIST 2008), ISACA's Guideline G41 on Return on Security Investment (2010), and the PRAGMATIC approach by W. Krag Brotby (Brotby 2009a). This integration ensures that the validation process is thorough and multifaceted, specifically addressing the cybersecurity needs of space systems.
Our approach is based on the following principles:
Consistency and Objectivity: Metrics are consistently measured without subjective bias, ensuring repeatability and reliability over time.
Quantifiability: Metrics produce quantifiable data (e.g., percentages, averages) that can be objectively analyzed.
Availability of Data: The required data is readily available from repeatable processes, ensuring practical implementation.
Actionability: Metrics are designed to guide specific actions, making them highly relevant for decision-making.
Contextual Relevance: Metrics are tailored to the unique security challenges of critical infrastructure, such as space systems.
Applicability to NIST CSF 2.0: Metrics must align with the NIST CSF 2.0 framework, covering related subcategories.
Independence: Metrics are based on objective evidence, reducing potential biases.
Cost-Effectiveness: Metrics are designed to offer more value than the cost required to gather and implement them.
In addition to developing our metrics, we also conducted a literature review and analyzed documents from industry experts and stakeholders, such as CIS Controls, FISMA CIO metrics, ISO/IEC 27002, and MITRE's cyber resiliency metrics. This enabled us to map existing metrics to the NIST CSF 2.0 framework and identify gaps, particularly in areas like risk management for space systems.
By combining these methodologies, our approach ensures that the selected metrics not only meet the requirements of space systems but also comply with EU cybersecurity regulations, providing a solid foundation for future work in this field.