Cybersecurity Audits of the Supply Chain within the Galileo Ground Control Segment

J.R.C. Fernández*1 and R.B. Hijón2

1GNSS Cyber Internal Auditor, Directorate of Navigation, European Space Agency – ESTEC, Noordwijk, Netherlands

2GCS Cyber Internal Auditor, GMV Soluciones Globales Internet S.A.U., Tres Cantos, Madrid, Spain

Submitted on 27 December 2024; Accepted on 12 February 2025; Published on 19 February 2025

To cite this article: J.R.C. Fernández and R.B. Hijón, “Cybersecurity Audits of the Supply Chain within the Galileo Ground Control Segment,” Trans. Appl. Sci. Eng. Technol., vol. 1, no. 1, pp. 1-9, 2025.

Abstract

Auditing the compliance of cybersecurity processes, regulations, requirements, and policies in the navigation sector is a real challenge. The number of interdependencies and stakeholders in the new navigation systems makes the processes truly complex. The increasing trend of subcontracting large parts of a system hides some of those interdependencies and other details among a huge number of assets, and the volume of regulatory and legal documentation obliges the auditors to become archeologists to assess the cybersecurity status. In this article, the authors introduce the experience of cybersecurity audits in the navigation sector within the ground control segment (GCS) and explain some of the factors that contribute to the complexity of this activity.

Keywords: cybersecurity audits; space; ground segment; governance; supply chain; requirements; regulation

Abbreviations: GCS: Ground Control Segment; ESA: European Space Agency; EC: European Commission; EUSPA: European Space Programme Agency; PNT: Positioning, Navigation, and Timing; EGNOS: European Geostationary Navigation Overlay Service; GNSS: Global Navigation Satellite Systems; GOS: Galileo Open Service; SAR: Search and Rescue; RLS: Return Link Service; OSNMA: Open Service Navigation Message Authentication; HAS: High Accuracy Service; PRS: Public Regulated Services; LEO: Low Earth Orbit; OS: Open Service; CS: Commercial Service; GCCs: Galileo Control Centres; GMS: Ground Mission Segment; FOC: Full Operational Capability; G2G: Galileo Second Generation; TC: Telecommands; TM: Telemetry; TTCF: Telemetry Tracking and Control Facility; TT&C: Telemetry, Tracking, and Control; ISACA: Information Systems Audit and Control Association; CISA: Certified Information Systems Auditor; CAATs: Computer-Assisted Audit Techniques; NIST: National Institute of Standards and Technology; SSDF: Secure Software Development Framework; IOV: In-Orbit Validation

1. Introduction

Cybersecurity audits are not easy to perform. The number of dependencies present in modern systems within the navigation sector makes the process truly complicated, and the findings, when available, are difficult to interpret and understand. The required security controls span the assets, and the responsibility of one or the other party in the supply chain within a complex program is not always obvious. However, the mission is clear, and the cybersecurity auditor needs to ensure that the processes, controls, and safeguards are in place as originally designed, regardless of the added complexity.

In this article, the authors start by introducing the historical background of the navigation systems in Europe, and then offer a summary of the Galileo system and the Ground Control Segment (GCS). After that, the concept of cybersecurity audits is explained in detail and the cyber internal audit framework used during the last five years is presented. The paper closes with some conclusions and recommendations that will facilitate the work of cyber auditors and assessors working in space or other fields.

2. Historical Background

For more than 25 years, the European Space Agency (ESA) has been collaborating with the European Commission (EC) and, recently, with the European Space Programme Agency (EUSPA) in the development of various strategic capabilities related to Positioning, Navigation, and Timing (PNT), making Europe the international leader in this type of capability.

The first initiative came from ESA in 1982, with an initial user study of the navigation segment. It then formally proposed the European Geostationary Navigation Overlay Service (EGNOS) program in collaboration with the EC and Eurocontrol [1]. In 1996, the EC made a communication to the Council and European Parliament for the development of capabilities related to global navigation systems [2]. In May 1999, the ESA Ministerial Council approved the Galileo SAT program; in June 1999 the EU Transport Council approved a first resolution on Galileo, and in November 2001, the ESA Ministerial meeting approved the development of Galileo (Phase C/D, with an initial budget of 550 million Euros). Since then, PNT capabilities have advanced considerably and are now essential for Europe's future.

One of the major successes born of ESA's initiatives is the Galileo system, which is the first global navigation and positioning satellite system designed specifically for civilian purposes. It provides Europe with independence from other Global Navigation Satellite Systems (GNSS) but remains interoperable with them. The capabilities offered by the Galileo system are:

  • Capabilities covered by the Galileo Open Service (GOS), which offers single and dual frequency positioning and UTC time determination. This service improves positioning for users, especially in cities where tall buildings can block satellite signals. Galileo's timing accuracy of 30 nanoseconds enables more efficient synchronization in banking, telecommunications, and energy networks [3].
  • The Search and Rescue (SAR) / Galileo service is responsible for global search and rescue operations, locating and assisting people in distress. Launched in December 2016, it transmits radio beacon distress signals to SAR crews via payloads on Galileo satellites, supported by 3 ground stations strategically located in Europe. In January 2020, the SAR/Galileo Return Link Service (RLS) was activated, making it possible not only to locate people but also to send them an automatic message confirming receipt of their request for help [4].
  • In 2023, Galileo made significant progress, including the introduction of Open Service Navigation Message Authentication (OSNMA). This feature assures GOS users that navigation messages come from the system without modification [5].
  • The Galileo High Accuracy Service (HAS) provides free information for accurate positioning using the Galileo signal (E6-B) and a real-time precise point positioning algorithm. It was activated on January 24, 2023 [6].
  • The Public Regulated Services (PRS) capability set represents a major advance in Galileo, offering encrypted navigation services for authorized government users and sensitive applications. Their access is controlled by operational and technical measures, including government encryption. PRS supports various emergency and public safety services in Europe, such as law enforcement, humanitarian aid, and border control [7].

Capabilities are currently being developed to improve PNT using low-orbit satellite systems. In 2022, the ESA Ministerial conference approved an innovative project, Low Earth Orbit (LEO) PNT, which envisages the deployment of a constellation of low-orbit satellites with stronger signals (potentially capable of penetrating indoors) and on new frequencies. These capabilities, combined with the new geometries made possible by the current Galileo satellites, will increase the resilience of the services [8].

According to the EUSPA study [9], the revenue generated by the upstream GNSS markets is concentrated in U.S. companies, with the highest percentage (29%), followed closely by Europe (25%). Japan, China, and South Korea have 36% of the global market. The downstream (payload management, data processing, data distribution) in the component and receiver manufacturing sector is dominated by North American companies, which also have a relevant share, albeit to a lesser extent, of the value-added service providers. The embedded systems market is more geographically distributed, although dominated by smartphone companies.

Sticking to Europe, PNT capabilities have had a very significant economic impact in European countries over the last two decades. In fact, the budget for PNT programs, within the overall budget of the ESA, has been very important in recent years, both in terms of the amount and the level of investment in these programs. The benefits generated and expected by GNSS amount to 2 billion for the whole of Europe (EU27 plus the United Kingdom, Norway, and Switzerland) for the period 1997–2027. Highly skilled employment generated for the same period is expected to exceed 100,000 employees. However, there may be some overestimation by considering only the positive impact on capacity growth and cost reduction, and not taking into account the possible destruction of activities that do not adapt to change and unskilled jobs. For example, a study by RAND [10] offers conclusions along the latter line.

3. Galileo Overview

Galileo is Europe’s own GNSS, which provides a highly accurate, guaranteed global positioning service under civilian control [11, 12]. The system is designed to provide:

  • Open Service (OS): Free of charge positioning & timing service.
  • PRS: Positioning & timing service for users requiring high continuity of service (European governmental use).
  • Support to Commercial Service (CS): Galileo provides support to external commercial service providers.
  • Support to SAR.

The Galileo System consists of three segments (Figure 1):

  • Space Segment: The Galileo satellite constellation is currently populated with first-generation Galileo satellites; there are 28 satellites in orbit. The second generation of Galileo satellites is being developed.
  • Ground Segment: The Ground Segment is in charge of controlling and monitoring satellites and the preparation of navigation information to be broadcast.
  • User Segment: The receiving devices of the end users.

There are two Galileo Control Centres (GCCs) based in Europe, one located in Oberpfaffenhofen (Germany) and another one in Fucino (Italy). The Ground Segment, Ground Control Segment (GCS), and Ground Mission Segment (GMS), are deployed at both sites in the Full Operational Capability (FOC) phase when the full constellation of satellites is deployed.


FIGURE 1: The GCS ground control centres.

The Galileo GCS is responsible for the monitoring and control of all satellites in the Galileo constellation, plus all ground resources necessary for this task.

The GMS is dedicated to generating and providing worldwide positioning and timing services (OS, PRS) and supporting the dissemination of services based on external entities: CS, SAR.

Galileo Second Generation (G2G) is in its initial phase and the primary objectives are to introduce new state-of-the-art services and technologies (post-quantum cryptography, deployed microservices, improved automation, and new user interfaces, etc.), increase the accuracy and robustness of the system, strengthen cybersecurity, and reduce the system’s maintenance costs. These upgrades will help to make the ground segment flexible, scalable, expandable, robust, autonomous, and agile. For the first time at Galileo, the development will be carried out following “Agile” methodologies.

4. Galileo Ground Control Segment

The GCS forms part of the Galileo Ground Segment architecture. Its prime responsibility is to control and manage the Galileo satellite constellation. The functional access from the GCS to the spacecraft for satellite control and management is via the generation and uplink of telecommands (TC) and the reception and processing of spacecraft telemetry (TM).

To achieve this main objective, the different functions of GCS are assigned to functional elements and system applications, the following being the most representative:

GCS elements and simulators of the communication with the satellite constellation:

  • Telemetry Tracking and Control Facility (TTCF)
  • Spacecraft & Constellation Control Facility (SCCF), including Site Data Handling Set (SDHS)
  • Satellite Constellation Planning Facility (SCPF)
  • Flight Dynamics Facility (FDF)
  • Operations Preparation Facility (OPF), including the operational procedures editor (MOIS)
  • Key Management Facility (KMF)
  • Central Monitoring and Control Facility (CMCF)
  • Constellation Simulator (CSIM) and Satellite Secure Unit Simulator (CLACSIM)
  • TTCF emulation (TTCF-E)

In addition, there are several system applications in charge of the monitoring and control of the satellite constellation, cybersecurity status, data archive, and task orchestration.

All those elements and system applications are deployed in the GCS platform composed of hardware, software (including all common segment services), continuous integration / continuous deployment platforms, and networks.

The GCS assets are deployed within the European-based GCCs and the globally distributed telemetry, tracking, and control (TT&C).

5. Cybersecurity Audits

We can consider a cyber audit as the process carried out by independent professionals specifically trained for this purpose, which consists of collecting and evaluating evidence to determine if the controls, processes, and information systems safeguard the business asset, if the information system effectively carries out its designed purpose, and if the organization uses resources efficiently and complies with the laws and regulations established while granting the confidentiality, integrity, and availability required.

Although the cyber audit function and the role associated with this function could be seen by many as a relatively new function within the audit departments, we can assure that it has been exercised for many years. The Information Systems Audit and Control Association (ISACA) established the Certified Information Systems Auditor (CISA) certification in 1978, and since then, the number of people in possession of this certification has only grown over time. Currently, more than 150,000 candidates have obtained the CISA certificate [13]. Consequently, we can see that the cyber security auditor is a profile demanded by companies and organizations since it adds value to their business and mission.

Within the navigation programs, the cybersecurity audit is described as the evaluation of the level of compliance of the information security management system and implemented security measures with defined requirements, security policies in place, and appropriate safety standards.

The requirements include the assignment of specific roles such as cyber internal auditors, responsible for planning and executing cybersecurity audits, or cyber security managers, responsible for managing compliance of the specific cyber security requirements in each of the contracts, and throughout the entire supply chain.

One of the biggest challenges in coordinating this activity related to the cyber audits is the complexity of the supply chain. Figure 2 shows the supply chain structure of the contracts managed by the ESA related to the Galileo Program and the cyber internal audit activities.


FIGURE 2: Structure of the supply chain of the navigation programs within the European Space Agency.

The level zero of the supply chain is the program. Every program has its own structure of the supply chain. One of the programs is Galileo. The first level of the supply chain is the prime contractor. The second level and below of the supply chain is composed of all the subcontractors of the prime contractor, and the last level is composed of all the vendors that provide the COTS to the different subcontractors and/or the prime contractor. Note that in Figure 2, only a sample with four levels of the supply chain is reflected.

6. Cyber Internal Auditors

The responsibilities and competencies of the cyber internal auditors assigned to each contract within the supply chain generally include:

  1. Verification of internal control of applications and information systems: The cyber internal auditor is responsible for verifying that the controls required by the business are present in the information systems to ensure that the company's assets are properly protected and used according to business requirements.
  2. Analysis of the information systems administration: The cyber internal auditor is responsible for ensuring that the administration and effectiveness of the information systems administration are adequate from a security risk point of view.
  3. Analysis of the integrity, reliability, and certainty of information related to information systems: The cyber internal auditor is responsible for ensuring that the information in the systems is truthful and reliable based on business needs.
  4. Audit of the operational risk of the information systems: The cyber internal auditor is responsible for ensuring that the risk levels of the information systems are acceptable to the organization, or for providing senior management with that measurement of risks in the information systems so they can make a decision regarding the risk response.
  5. Analysis of information risk management and implicit security: The cyber internal auditor is responsible for ensuring that the risk management processes are resulting in risk levels within the tolerance thresholds approved by senior management.
  6. Verification of the level of continuity of operations: The cyber internal auditor should confirm that the processes assuring the continuity of operations related to information systems are enough to meet the needs of the business.
  7. Analysis of information systems and their adaptation to the needs of the company/entity: The cyber internal auditor is responsible for evaluating the processes of acquisition or development of information systems based on their adequacy with the requirements established by the business, in order to evaluate the alignment of the supply of information systems with the needs of the business.

The cyber internal auditor could also provide additional value to the company or entities involved by performing the following functions:

  • Plan audit activities: The cyber internal auditors program and define the scope of the audits so that the audit objectives defined by the business are met.
  • Request and analyze documentation to express an opinion: The cyber internal auditors gather information from the information systems and processes established within the scope of the audits.
  • Analysis of data through tools and synthesis of conclusions: The cyber internal auditors must obtain data about the information systems and processes related to cybersecurity and obtain conclusions based on the objectives and scope defined in the audit.
  • Field work, interviews, and on-site reviews: The cyber internal auditors should make reviews of the information systems and processes related to cybersecurity directly, as well as have meetings with the parties involved in the information systems.
  • Strategic advice for the business: The cyber internal auditors should be able to provide strategic advice for the business, always maintaining their independence, in relation to information systems and processes associated with cybersecurity, as experts knowledgeable about the company's business processes and the interdependencies between the different systems.

7. ESA GNSS Cyber Internal Audit Framework

As the main objective is to facilitate the activities performed by the cyber internal auditors, the ESA provides a Cyber Internal Audit Framework, identified as EGCIAF, to all the entities involved. The EGCIAF includes, as the main elements, the principles and objectives of the cybersecurity audits, the audit execution procedure, the main templates to prepare the cyber internal audit plans and reports, the computer-assisted audit techniques (CAATs), and the compliance architecture (Figure 3).

FIGURE 3: ESA GNSS Cyber Internal Audit Framework components.

The compliance architecture includes the EC Cyber Policy and several international standards used during the execution of the audit as the reference to audit the controls, such as the ISO/IEC 27000-series (ISMS Family of Standards for an Information Security Management System) [14], the National Institute of Standards and Technology (NIST) Special Publication 800-53 [15], the Center for Internet Security Critical Security Controls (CIS CSC) for Effective Cyber Defence [16] or the ISO 22301 Societal security - business continuity management systems [17].

In the case that there is a software development process involved as part of the contracts, the compliance architecture includes the NIST Secure Software Development Framework (SSDF) [18], the security risks for web applications guidelines (OWASP) [19], or the SAFECode Agile recommendations [20].

This compliance architecture also includes the main European Union regulations and norms divided into ten different areas: 1) policies, 2) institutional, 3) cybercrime, 4) digital single market, 5) data protection (as the General Data Protection Regulation, GDPR), 6) incident response, 7) critical infrastructures, 8) classified information, 9) network and system security, and 10) PRS.

Another critical component of the EGCIAF architecture is the CAATs. The CAATs are a significant tool for auditors to gather information independently, to provide a means to gain access and to analyze data for a predetermined audit objective, and to report the audit findings with emphasis on the reliability of the records produced and maintained in the system. The reliability of the source of the information used provides reassurance on the findings generated.

The CAATs provided by the EGCIAF usually include:

  • Utility software - is a subset of software, including a database management system with report generators, that provides evidence to the cyber internal auditors about system control effectiveness.
  • Test data - involve the cyber internal auditors using a sample set of data to assess whether logic errors exist in a program and whether the program meets its objectives.
  • Application software for continuous online audits - review of an application system that provides information about internal controls built into the system.
  • Generalized audit software - provides an independent means to gain access to data and evidence for analysis.
  • Awareness and training materials - provide random and demo data that allow the cyber internal auditors to understand the capabilities of the CAATs.

The audit findings and conclusions from the cyber audit need to be supported by appropriate analysis and interpretation of the evidence. An increasingly important advantage of CAATs provided by the EGCIAF is the ability to improve audit efficiency, particularly in paperless environments, through continuous online auditing techniques.

These CAATs offered by the EGCIAF to the supply chain provide a lot of advantages, including a reduced level of audit risk, greater independence from the auditee, broader and more consistent audit coverage, faster availability of information, improved exception identification, greater opportunity to quantify internal control weaknesses, enhanced sampling, and cost savings over time.

8. Cyber Internal Audits within the GCS

In the last five years, Galileo GCS contracts have incorporated cybersecurity requirements that include periodic cybersecurity internal audits of the project development and integration environments. These are performed by highly qualified personnel. The main objective of these audits is to determine the security maturity level of the companies that are part of the GCS consortium.

The GCS project has a budget of approximately 250M€, of which 15% is allocated to cybersecurity, involving 275 qualified professionals, of which approximately 27% work directly in cybersecurity-related matters. GMV is the prime contractor of GCS and, given the complexity of the project, has had highly committed, experienced auditors along the supply chain since the first audit campaign in 2019.

The GCS team incorporated into its management processes the performance of annual internal cybersecurity audits with full scope, i.e., the development and integration environments of GCS Segment Services and nine elements, developed by six different companies, in six different locations spread between Spain and Germany. To these, we must add the two GCCs located in Germany and Italy, and seven antennas located in seven sites around the world.

In the FOC phase, the GCS was led by GMV as prime contractor and had six subcontractors (N-2), six element providers (N-3) including certification labs and external auditors, and several additional companies that provided support for specific segment tasks. In the G2G, within the In-Orbit Validation (IOV) phase, the complexity of the supply chain is even higher, with a greater number of second and third-level subcontractors and companies that support the GCS [21].

Each internal cybersecurity audit campaign evaluates the maturity status of GCS against a static list of controls established in EGCIAF, the ESA GNSS Cyber Internal Audit Framework (section 7). The stability and the CAATs associated with the framework make it possible to have dashboards showing the evolution of the segment's security maturity level over time. Some illustrative graphs generated by the CAATs with fictitious data are explained below.

Figure 4 shows the maturity level of different domains, according to the NIST Cybersecurity Framework version 1.1.


FIGURE 4: Example of NIST Cybersecurity Framework CSF v1.1 dashboard.

Figure 5 shows the maturity level of different domains, according to the ISO/IEC 22301:2019 standard [22], where the meaning of the values associated with the maturity levels is the following: 0.2 (initial), 0.4 (repeatable), 0.6 (defined), 0.8 (managed and measurable), 1.00 (continuous improvement). In this case, the dashboard shows two different audit campaigns: 2022 and 2023. The dashboard helps us to see the improvement achieved between the two campaigns.

Figure 6 shows the maturity level of different capabilities included within the ISO/IEC 27001:2022 standard [23].

Following the same approach as with the ISO/IEC 22301:2019 standard, Figure 7 shows the maturity levels of different domains of the NIST SP 800-53 Revision 5 [24]. In this case as well, the dashboard shows two different audit campaigns: 2022 and 2023. The dashboard helps us to see the improvement achieved between the two campaigns.

Another sample related to the software development processes is shown in Figure 8, with the maturity level of different groups of the NIST SSDF, with the improvement achieved between the two campaigns (in this case, 2024 and 2023).

For the risk assessments, the CAATs provided as part of the EGCIAF also include an overview of the status of the risks associated with the cybersecurity audit campaign, as shown in Figure 9.


FIGURE 5: Example of ISO/IEC 22301:2019 dashboard.


FIGURE 6: Example of ISO/IEC 27001:2022 dashboard.


FIGURE 7: Example of NIST SP 800-53 r5 dashboard.


FIGURE 8: Example of the NIST SSDF dashboard.


FIGURE 9: Example of a risk assessment.

9. Conclusion

Cybersecurity audits in a program as demanding as Galileo, with hundreds of requirements, norms, regulations, and standards to comply with, require a very high level of experience. Auditors must master not only technologies and well-known standards but must also have management and coordination capabilities for multidisciplinary teams.

The pillars that support the key to the success of such complex audits are:

  • Firstly, the teamwork led by the ESA navigation cybersecurity auditor in close collaboration with the lead auditors of the prime contractors and the rest of the cybersecurity auditors along the supply chain.
  • Secondly, having a consolidated Cyber Internal Audit Framework (EGCIAF) that simplifies the audit process, minimizing human errors and facilitating the monitoring of proposed improvement initiatives.
  • Thirdly, and no less important, the coordination and collaboration with the audited teams with the aim of minimizing the impact on the projects: identifying key stakeholders, optimizing meetings, both in number and content, and providing simplified questionnaires, specific CAATs, and templates.

From now on, with the new contracts of the G2G [25], new challenges arise that will be considered in upcoming cybersecurity audits: new regulations applicable to companies, such as the NIS2 Directive [26], a new development methodology based on SAFE [27], new security requirements with the concept of security by design [28], new technologies, and development and integration processes.

References

  1. “The First Galileo Satellites. Galileo In-Orbit Validation Element,” ESA Publications Division, BR-251, GIOVE, 2006. ISBN: 92-9092-497-7.
  2. The European Union and Space: fostering applications, markets and industrial competitiveness, Lex - 31993L0042 - EN, Brussels, 04.12.1996 COM(96)617 final. [Online].
  3. European GNSS (Galileo) Open Service. Service Definition Document, Issue 2.1, Nov. 2021. [Online].
  4. Galileo SAR (2023) Search and Rescue (SAR) / Galileo Service. Service Definition Document, Issue 2.0, Jan. 2020. [Online].
  5. M. Götzelmann, E. Köller, I. Viciano-Semper, D. Oskam, E. Gkougkas, and J. Simon, “Galileo open service navigation message authentication: Preparation phase and drivers for future service provision,” Navigation, vol. 70, no. 3, 2023.
  6. Galileo High Accuracy Service (HAS), Info Note, ISBN 978-92-9206-050-3.
  7. “PRS equals protection,” EUSPA, Jun. 2021. [Online].
  8. “Industry invited to bid for low-Earth orbit satnav demo,” European Space Agency, Jun. 21, 2023. [Online].
  9. EUSPA EO and GNSS Market Report, European Union Agency for the Space Programme, 2022. [Online].
  10. Analyzing a more resilient National Positioning, Navigation and Timing Capability, RAND Research Report nº RR-2970-DHS. [Online].
  11. What is Galileo? ESA Web Portal. [Online].
  12. Galileo Programme, EU Agency for the Space Programme Web Portal, Oct. 18, 2022. [Online].
  13. Information Systems Audit and Control Association (ISACA) Annual Report, 2022. [Online].
  14. I. Topa and M. Karyda, “From theory to practice: guidelines for enhancing information security management,” Information & Computer Security, vol. 27, no. 3, pp. 326–342, Jul. 8, 2019.
  15. NIST 800-53 - Security and Privacy Controls for Information Systems and Organizations, Special Publication SP 800-53, National Institute of Standards and Technology, 2020.
  16. Center for Internet Security (CIS), “CIS Critical Security Controls, Version 8,” 2019. [Online].
  17. A. Calder, ISO 22301:2019 and Business Continuity Management – Understand How to Plan, Implement and Enhance a Business Continuity Management System (BCMS), IT Governance Publishing, 2021. [Online]. Available: JSTOR.
  18. M. Souppaya, K. Scarfone, and D. Dodson, Secure Software Development Framework (SSDF) Version 1.1: (Draft), National Institute of Standards and Technology, 2022. [Online].
  19. Open Web Application Security Project (OWASP), “Top 10 Web Application Security Risks,” 2017. [Online].
  20. E. Baize, “SAFECode Overview,” ACM SIGAda Ada Letters, vol. 39, no. 1, pp. 17–19, 2020.
  21. GCS Design Definition File (G2G-DDF-GMV-G2IOVGCS-X-0001), 22/09/2023.
  22. J. C. Brás, et al., “Understanding how intelligent process automation impacts business continuity: Mapping IEEE/2755: 2020 and ISO/22301: 2019,” IEEE Access, vol. 11, pp. 134239–134258, 2023.
  23. M. Malatji, “Management of enterprise cyber security: A review of ISO/IEC 27001:2022,” in Proc. 2023 Int. Conf. on Cyber Management and Engineering (CyMaEn), Bangkok, Thailand, 2023, pp. 117–122.
  24. A. Amiruddin, H. G. Afiansyah, and H. A. Nugroho, “Cyber-risk management planning using NIST CSF v1.1, NIST SP 800-53 Rev. 5, and CIS Controls v8,” in Proc. 2021 Int. Conf. on Informatics, Multimedia, Cyber and Information System (ICIMCIS), Jakarta, Indonesia, 2021, pp. 19–24.
  25. Galileo Second Generation enters full development phase, ESA Web Portal, Galileo Second Generation. [Online].
  26. N. Vandezande, “Cybersecurity in the EU: How the NIS2-directive stacks up against its predecessor,” Computer Law & Security Review, vol. 52, p. 105890, 2024.
  27. J. Pries-Heje and M. M. Krohn, “The safe way to the agile organization,” in Proc. XP2017 Scientific Workshops, 2017.
  28. A. Hale, B. Kirwan, and U. Kjellén, “Safe by design: where are we now?,” Safety Science, vol. 45, no. 1–2, pp. 305–327, 2007.