Auditing IT governance in the navigation sector is a challenge. The number of interdependencies and stakeholders in new navigation systems makes the process truly complex, and the increasing trend in subcontracting large parts of a system hides some of those interdependencies and other details in a huge number of contracts and other legal documentation. This obliges the auditor to become a true documentation archaeologist to assess an organization’s IT governance. It is important to understand the concept of cyber audits in the navigation sector, identify some of the factors that contribute to the complexity of projects in the navigation sector along the supply chain and recognize how COBIT® can contribute to the different analyses performed.
Cyber Audits Within the Navigation Sector
Take for example the European Space Agency’s (ESA’s) internal audit function, which is responsible for coordinating and managing the cyber audits of the navigation programs under the management of the ESA. The associated programs’ budget is several hundred million euros per year. The main objective is the evaluation of the level of compliance with the information security management system and the security measures implemented by the different actors. This includes review of the defined security requirements and the established security policies, guides and guidelines of the European Union and of the different member countries involved, placing special emphasis on international cybersecurity standards. It also includes the coordination of the cybersecurity audits performed by the ESA with the collaboration of dozens of enterprises per year, the tracking of the status of the cybersecurity and risk assessments performed, and several analyses of IT governance.
According to European Union Space Policy,¹ ² the Global Navigation Satellite Systems (GNSS) programs play an important role in the European economy, and the estimated budget for the space program for 2021-2027 is EU €15 billion in current prices.³ Two large systems fall within the scope of internal audit’s responsibility during their design and development: Galileo and the European Geostationary Navigation Overlay Service (EGNOS), the two main European navigation systems.
The Main European Navigation Systems
The Galileo program is Europe's initiative for a state-of-the-art global satellite navigation system that provides a guaranteed highly accurate global positioning service under civilian control. While providing autonomous navigation and positioning services, the system established under the Galileo program is at the same time interoperable with other GNSS systems such as the Global Positioning System (GPS) and the Global Navigation Satellite System (GLONASS), the US and Russian global satellite navigation systems. The system, once fully deployed, will consist of 30 satellites to be deployed in a staggered approach, positioned in 3 circular medium earth orbit (MEO) planes at 23,222 km altitude above the Earth, and the associated ground infrastructure.⁴
Once the Galileo system is fully operational, it will provide several services, including:
- Open Service (OS)—Freely accessible positioning accurate to 1 meter
- High Accuracy Service (HAS)—An additional navigation signal and added value services in a different frequency band
- Public Regulated Service (PRS)—Restricted to government-authorized users for sensitive applications that require a high level of service continuity
- Search and Rescue Service (SAR)—Helps to forward distress signals to a rescue coordination center by detecting emergency signals transmitted by beacons and relaying messages to them
EGNOS is the European satellite-based augmentation service (SBAS) that complements the existing satellite navigation services provided by the US GPS or by Galileo. It has been deployed to provide safety of life navigation services to aviation, maritime and land-based users over most of Europe.⁵
EGNOS supports several services, including the following:
- Open Service (OS)—Freely available to the public over Europe
- Safety of Life Service (SoL)—Provides the most stringent level of signal-in-space performance to all communities of SoL users over Europe
- EGNOS Data Access System (EDAS)—Represents the provision of additional data for professional users that is not carried in the EGNOS signal broadcast by geostationary satellites but delivered through other distribution channels
EGNOS improves the accuracy and reliability of GNSS positioning information, while also providing a crucial integrity message regarding the continuity and availability of a signal. In addition, EGNOS also transmits an extremely accurate universal time signal.
The Complexity of the Supply Chain in the Navigation Sector
One of the biggest challenges in coordinating cybersecurity auditing activity is the complexity of the supply chain responsible for the development and testing of the navigation systems. Figure 1 illustrates the supply chain structure of the contracts managed by the ESA related to the navigation systems and the cyber internal audit activities. Level 1 of the supply chain is the program responsible for developing and testing the system. Every program has its own supply chain structure: The first level is the prime contractor and the second level and below are composed of all the subcontractors of the prime contractor. The last level consists of all the vendors that provide commercial off-the-shelf products to different subcontractors and the prime contractor.
Figure 1—Supply Chain Structure Within the ESA Navigation Programs
Source: European Space Agency, Navigation Directorate. Reprinted with permission.
Note that figure 1 reflects only a sample, with 4 levels of the supply chain. Figure 2 illustrates metrics related to some of the contracts managed by the ESA related to the Galileo program. This gives an idea of the complexity of managing the cyber internal audit activity. In the case of the first contract, there are 240 unique main vendors, 15 subcontractors in the level immediately below the prime contractor, and 6 levels within the supply chain itself.
Figure 2—The Supply Chain of the Galileo Programs Within the ESA Navigation Programs
Source: European Space Agency, Navigation Directorate. Reprinted with permission.
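The supply-chain metrics described above (number of levels, unique vendors, subcontractors directly below the prime) can be computed mechanically once the contract structure is captured as a tree, and the same structure exposes the hidden interdependencies the introduction warns about: a vendor or subcontractor that appears under several branches is a single point whose compromise affects all of them. The following is an added Python example, not ESA code and not derived from the figures; the contract tree, party names and the rule that a party holding no contracts of its own is a commercial off-the-shelf vendor are all constructed assumptions for illustration.

```python
from collections import defaultdict
from typing import Dict, List, Set

# Constructed sample contract tree for one hypothetical programme (not ESA data).
# Each key is a contract holder; its value lists the parties it subcontracts to
# or buys COTS products from. Level 1 is the programme, level 2 the prime
# contractor, deeper levels the subcontractors; parties holding no contracts
# of their own are treated as COTS vendors (an assumption of this example).
SAMPLE_CHAIN: Dict[str, List[str]] = {
    "Programme": ["Prime"],
    "Prime": ["SubA", "SubB", "SubC", "VendorX"],
    "SubA": ["SubA1", "VendorX", "VendorY"],
    "SubB": ["VendorX", "VendorZ"],
    "SubC": ["SubC1"],
    "SubA1": ["SubA1a", "VendorY"],
    "SubC1": ["VendorZ"],
    "SubA1a": ["VendorW"],
}


def children(chain: Dict[str, List[str]], node: str) -> List[str]:
    return chain.get(node, [])


def is_vendor(chain: Dict[str, List[str]], node: str) -> bool:
    # A party with no contracts below it is a leaf: a COTS vendor.
    return not children(chain, node)


def depth(chain: Dict[str, List[str]], root: str) -> int:
    # Number of supply-chain levels: nodes on the longest root-to-leaf path.
    # Assumes the contract graph is acyclic (a party never subcontracts upward).
    kids = children(chain, root)
    if not kids:
        return 1
    return 1 + max(depth(chain, k) for k in kids)


def unique_vendors(chain: Dict[str, List[str]]) -> Set[str]:
    # The same vendor can be bought from by several parties; count it once.
    return {k for kids in chain.values() for k in kids if is_vendor(chain, k)}


def direct_subcontractors(chain: Dict[str, List[str]], prime: str) -> List[str]:
    # Subcontractors in the level immediately below the prime (vendors excluded).
    return [k for k in children(chain, prime) if not is_vendor(chain, k)]


def shared_dependencies(chain: Dict[str, List[str]]) -> Dict[str, List[str]]:
    # Parties that appear under more than one contract holder: the hidden
    # interdependencies that are spread across several contracts.
    parents: Dict[str, List[str]] = defaultdict(list)
    for holder, kids in chain.items():
        for k in kids:
            parents[k].append(holder)
    return {party: holders for party, holders in parents.items() if len(holders) > 1}


def descendants(chain: Dict[str, List[str]], node: str) -> Set[str]:
    # Every party below `node`; the visited set also guards against cycles.
    seen: Set[str] = set()
    stack = list(children(chain, node))
    while stack:
        n = stack.pop()
        if n in seen:
            continue
        seen.add(n)
        stack.extend(children(chain, n))
    return seen


def affected_branches(chain: Dict[str, List[str]], prime: str, party: str) -> List[str]:
    # Which level-2 branches (the prime itself, or each of its direct
    # subcontractors) would be affected if `party` were compromised.
    branches = [prime] if party in children(chain, prime) else []
    for sub in direct_subcontractors(chain, prime):
        if party in descendants(chain, sub):
            branches.append(sub)
    return branches


def audit_summary(chain: Dict[str, List[str]], root: str = "Programme", prime: str = "Prime") -> dict:
    # The figures an auditor would report for one contract, plus the shared
    # dependencies that deserve a closer look.
    return {
        "levels": depth(chain, root),
        "unique_vendors": len(unique_vendors(chain)),
        "direct_subcontractors": len(direct_subcontractors(chain, prime)),
        "shared_dependencies": shared_dependencies(chain),
    }


if __name__ == "__main__":
    summary = audit_summary(SAMPLE_CHAIN)
    print(summary)
    for party in summary["shared_dependencies"]:
        print(party, "affects branches:", affected_branches(SAMPLE_CHAIN, "Prime", party))
```

For the constructed tree the summary reports 6 levels, 4 unique vendors and 3 direct subcontractors, and flags VendorX, VendorY and VendorZ as shared dependencies; VendorZ, for instance, sits only at the bottom of two separate branches, which is exactly the kind of relationship a branch-by-branch review of contracts would not surface. Feeding a real contract inventory into the same structure requires only a consistent identifier per party, which is the documentation archaeology the introduction describes.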
COBIT as the Main IT Governance Framework
The cyber audit comprises both security and safety requirements. Performing all related tasks and activities requires several analyses to be performed. This includes the compliance analysis of international standards, such as the International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) ISO/IEC 27000⁶ series to check the management of security, or ISO/IEC 22301⁷ to check the business continuity processes, and of international models such as the Cybersecurity Maturity Model Certification (CMMC)⁸ to evaluate contractors and their level of maturity in managing classified data, or the IEC Technical Specification (TS) IEC TS 62443⁹ series to perform audits related to industrial communication networks and security for networks and systems.
Within the IT governance evaluation, the main framework used by the ESA is COBIT® 2019. It defines the components needed to build and sustain a governance system, including processes; organizational structures; policies and procedures; information flows; culture and behaviors; skills; and infrastructure. COBIT 2019 helps the ESA monitor compliance with governance and management objectives. These objectives are grouped into 5 domains:
- Evaluate, Direct and Monitor (EDM)
- Align, Plan and Organize (APO)
- Build, Acquire and Implement (BAI)
- Deliver, Service and Support (DSS)
- Monitor, Evaluate and Assess (MEA)
An example of a simulated program is illustrated in figure 3, provided by the ESA’s internal audit function’s computer-assisted audit techniques (CAAT). It includes several annual analyses such as the percentage of compliance of the processes used for governance of enterprise IT.
Figure 3—Samples of Assessments of the IT Governance Within the ESA
Source: European Space Agency, Navigation Directorate. Reprinted with permission.
The adoption of an internationally recognized framework such as COBIT can greatly assist in creating a structured approach to IT governance issues and eliminate part of the complexity derived from the supply chain processes. The identification of the interdependencies and relationships, and the comprehension of how they contribute to overall IT governance, need to be done as early as possible in the program or project and continuously assessed throughout the life cycle of the system.
Conclusion
The concept of cyber audits in European navigation programs under the management of the ESA is complex because of the large budgets and the supply chain structure. The COBIT 2019 framework is used to assist and facilitate the IT governance audit function through the identification of the interdependencies and relationships along the supply chain and the comprehension of how they contribute to overall IT governance.
Endnotes
1 European Council, “EU Space Policy,” December 2020
2 European Council, “EU Shapes its Future Space Policy Programme,” 13 March 2019
3 European Council, “Long-Term EU Budget 2021-2027 and Recovery Package”
4 The European Space Agency, “What Is GALILEO?”
5 European Global Navigation Satellite Systems Agency, “What Is EGNOS?” 20 May 2020
6 International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC), ISO/IEC 27001 Information Security Management, Switzerland
7 International Organization for Standardization (ISO), ISO 22301:2019 Security and Resilience—Business Continuity Management Systems—Requirements, Switzerland, 2019
8 Office of the Under Secretary of Defense, Acquisition and Sustainment, Cybersecurity Maturity Model Certification (CMMC), 18 March 2020
9 International Electrotechnical Commission (IEC) Technical Specification (TS), IEC TS 62443-1-1:2009 Industrial Communication Networks—Network and System Security—Part 1-1: Terminology, Concepts and Models, Switzerland, 2009
Jose Ramon Coz Fernandez, Ph.D.
Has more than 20 years of experience in information and communication technology (ICT), auditing and cybersecurity. He is currently a cyber internal auditor for the European Space Agency. The scope of the audits under his responsibility covers programs and projects valued at more than EU €1 billion per year and systems that are deployed in more than 20 countries. He is a researcher at the Complutense University (Madrid, Spain) and a professor at several institutions, universities and business schools. He collaborates as a reviewer for several international journals and is a member of many committees and IT associations. He can be reached at Jose.Ramon.Coz@esa.int.