Cyber Security

Luke Hally

SITA cyber-attack part II: report

December 11, 2023
Task

It can be useful to look at cyber-attacks in the news to prepare ourselves for similar events. While the available information may be lacking, by analysing current events we can build scenarios to gain insights into adversary tactics, techniques and procedures as well as defences which we can adopt to mitigate similar attacks.

This assessment will continue from our case study which we started in the SITA cyber-attack part I presentation. This should include: identification of the root cause(s) of the incident; technical solution; non-technical solutions as well as broader impacts on the industry.

Introduction 

On February 24, 2021, SITA, a major IT provider to the aviation sector (Farrer, 2021), suffered a cyber-attack: a breach of its Passenger Service System (PSS) led to the theft of data belonging to over 2.1 million airline passengers from at least 11 airlines. As outlined in the initial presentation, this included passenger data from both SITA customers and Star Alliance members (Ilascu, 2021). The data was subsequently offered for sale on the dark web (Securin Inc, 2021).

SITA issued a brief statement following the attack (SITA, 2021a), but given that further information is lacking, a combination of open source intelligence and some speculation will aid us in building our scenario, based on the following: 

  • A Lufthansa representative claimed “the hackers entered the reservation system of an Asian airline” prior to the SITA breach (Ilascu, 2021). 
  • While investigating an Air India breach, Group-IB discovered a connection to SITA and claimed it was a result of the SITA attack (Rostovtsev, 2021).
  • SITA denied this connection (Brewster, 2021), but stopped short of ruling out any connection.
  • Air India is based in Asia, the same location claimed by Lufthansa (Ilascu, 2021).
  • Air India had access to the stolen data at the time of the attack: it was a SITA customer from at least 2016 (Enterprise IT World, 2016) until 2022 (Joshi, 2022), and has been a Star Alliance member since 2014 (Star Alliance, 2019).
  • Data was exfiltrated from Air India on 25 February 2021 (Rostovtsev, 2021); converting this to Atlanta time (where the SITA servers are located) gives 24 February, the date of initial access to SITA systems.

Using these facts, our scenario is:

  • Patient zero, a customer of SITA and also a Star Alliance member was breached.
  • The adversary used stolen credentials from patient zero to gain initial access to the SITA Passenger Service System.
  • These credentials gave the adversary sufficient privileges to maintain a presence in SITA systems for 22 days to undertake discovery, collection and lateral movement.
  • The adversary also used these privileges to locate and exfiltrate the data they wanted.
  • SITA identified the breach and evicted the adversary from their systems. 

While this may not be the actual mechanism of the attack, this plausible scenario can be used for analysis and to draw lessons from. In this report we will identify the root causes of the attack’s success, then recommend technical and non-technical mitigations, informed by NIST-CSF, ISO27K and MITRE ATT&CK Enterprise. We will then look at industry-wide policy and business implications of the attack before concluding.

Root causes

It may be tempting to include the breach of patient zero as a root cause. However, this is not productive, because an insider could just as easily have undertaken the attack on SITA. For the purposes of this report we will limit scope to the period between the adversary gaining access to, and being evicted from, SITA systems.

Three root causes have been identified in relation to the SITA breach: access with compromised credentials, supply chain data leaks, lack of monitoring of authorised users.

1 Access with compromised credentials

After exfiltrating plaintext passwords from patient zero (Rostovtsev, 2021), the adversary gained access to SITA systems. 

This root cause maps to a combination of MITRE ATT&CK techniques, Valid Accounts (MITRE, 2023a) and Trusted Relationship (MITRE, 2022d): the customer was the trusted relationship and their stolen credentials were the valid account. Valid Accounts can be used as part of several tactics, including Initial Access, Persistence, Privilege Escalation and Defence Evasion, while Trusted Relationship is an Initial Access technique; both give access to remote systems without the need for malware or other tools, which makes detection more difficult (MITRE, 2023a). These techniques seem ideal for supply chain attacks, as an “overlap of permissions” may enable access between accounts or systems by adversaries (MITRE, 2023a), as well as taking advantage of access that “may not be protected or receives less scrutiny” (MITRE, 2022d). These techniques appear to have delivered, with the patient zero credentials being sufficient for the adversary to gain access to SITA systems and achieve their goal.

2 Supply chain data leaks 

The aviation supply chain is “one of the most complex and relied upon networks in the world” (Schmidt, 2016, p. 187) and experiences “supply chain risk and cyber attacks” (Koepsel, 2016, p. 60). As we touched on in the introductory presentation, because the supply chain is complex and dynamic this attack could be classified as a supply network attack: supply networks often involve more than one supply chain and can have connections between active and non-active members (Braziotis et al., 2013, p. 646), which is what we saw exploited in this attack.

Presumably due to data sharing agreements, SITA was holding passenger data of Star Alliance members – including those who weren’t SITA customers – for frequent flyer recognition purposes. Because patient zero was both a SITA customer and Star Alliance member they had access to both sets of passenger data (Ilascu, 2021). This created a data leak from Star Alliance to SITA, with the adversary able to exfiltrate the data of both of these intersecting supply chains.

3 Lack of monitoring of authorised users

Once the adversary had gained access to SITA servers with stolen credentials, they undertook discovery, lateral movement, collection and finally exfiltration, following the MITRE ATT&CK tactic definitions (MITRE, 2023b). This is a root cause in its own right: even if root causes 1 and 2 are mitigated, a lack of authorised-user monitoring would allow an insider to conduct the same attack. SITA is an IT provider to 90% of the aviation sector (Farrer, 2021) as well as an advocate for civil aviation cybersecurity, particularly detection (Uniting Aviation, 2020, para. 7–10). Considering this, and the fact that they evicted the adversary within 22 days of initial access (Sinha, 2021), faster than the average of 302 days (IBM, 2023, p. 21), we will assume they had effective monitoring in place. But it appears that this monitoring was focused on unauthorised access, probably supplemented by human review of logs or anomalous activity, rather than on what authorised accounts were doing once inside.

Technical solutions 

We will now look at technical controls specific to the root causes; in a later section we will look at how these contribute to broader measures to improve cybersecurity. To inform this, we will combine a standards-based and an attack-lifecycle approach.

We will use ISO27K because I agree with SITA that it is an appropriate standard for protecting the aviation sector: it is an international standard, and its implementation across the sector would provide a common context for cybersecurity (Strong, 2019). We will add business context by overlaying the NIST-CSF (Appendix E contains the relevant NIST-CSF and ISO27K mappings). Its functions and categories create an intuitive structure that helps non-technical stakeholders understand the controls, which will also contribute to engagement and awareness uplift.

Looking from the adversary’s perspective may identify potential gaps in our standards based controls and add to our defence-in-depth. To aid this we will apply the MITRE ATT&CK Enterprise framework. This was chosen because it is a thorough, tested and maintained framework. MITRE is also actively engaged in aviation cybersecurity with aviation being a “focus area” of theirs (MITRE, 2022b) and their Center for Advanced Aviation System Development (CAASD) “serving as a hub for collaboration across global aviation stakeholders” (MITRE, 2022c), making it an appropriate attack lifecycle framework. 

Recommendations

Root cause one: Access with compromised credentials

To prevent adversaries from using compromised credentials to gain access to SITA systems, strong authentication should be implemented. Strong authentication builds on two-factor and multi-factor authentication by requiring that one factor be single use, making it useless if stolen. A number of options are available, such as one-time passwords, time-based codes or biometrics. I recommend using an authentication app such as Microsoft Authenticator; these are more secure than other methods of Multifactor Authentication (MFA) because the authentication request is sent via the service (Okta, 2023). One caveat: push-based approval can be worn down by repeated prompts (so-called MFA fatigue), so number matching should be enabled, and for the highest-value accounts a phishing-resistant factor such as a FIDO2 security key is preferable.

To reinforce strong authentication, Attribute Based Access Control (ABAC) should be implemented. ABAC grants access to systems based on subject attributes (for example the user’s role), object attributes (what they are trying to access, such as file labels) and environmental attributes such as location, time, IP address and device ID. A set of policies then uses these attributes to determine access (Hu et al., 2014, p. 7). By implementing ABAC with a policy that restricts authenticated users based on location, IP address, device ID and time, the adversary’s login attempt could have been detected and prevented even though the credentials themselves were valid.
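The following is an added illustration of the ABAC model described above, modelled on the subject, object and environment attributes of NIST SP 800-162; it is not SITA’s code. The attribute names, the six policy rules, the tenant network ranges, the working-hours window and the three sample requests are all constructed for the example. The point it makes is that the same valid credentials yield different decisions depending on context, and that a cross-tenant read (root cause two) is refused even from a trusted device.

```python
"""Attribute Based Access Control check for a PSS data request (added example, not SITA code)."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Subject:            # who is asking
    user: str
    tenant: str           # airline the account belongs to
    role: str
    enrolled_devices: frozenset


@dataclass(frozen=True)
class Resource:           # what they are asking for
    name: str
    owner_tenant: str     # airline whose passengers are in this store
    label: str            # data classification label


@dataclass(frozen=True)
class Environment:        # context of the request
    src_ip: str
    device_id: str
    when: datetime        # tenant-local time (simplification: no tz handling)
    mfa_verified: bool


# Hypothetical egress ranges per tenant and agreed working hours (constructed).
TENANT_NETWORKS = {"airline-a": (ip_network("203.0.113.0/24"),)}
WORKING_HOURS = range(6, 22)


def evaluate(subject, resource, env):
    """Evaluate every rule; return ("permit", []) or ("deny", [reasons]).

    Deny-overrides: one failing rule is enough to refuse, but all failures are
    reported so the decision log explains itself to an analyst.
    """
    violations = []
    # Rule 1: passenger PII is only visible to accounts of the airline that owns it.
    if resource.label == "passenger-pii" and resource.owner_tenant != subject.tenant:
        violations.append("cross-tenant passenger data")
    # Rule 2: only the PSS agent role may read PNR stores at all.
    if resource.label == "passenger-pii" and subject.role != "pss-agent":
        violations.append("role not permitted")
    # Rule 3: a single-use factor must have been presented for this session.
    if not env.mfa_verified:
        violations.append("no MFA")
    # Rule 4: the device must be one enrolled to this account.
    if env.device_id not in subject.enrolled_devices:
        violations.append("unenrolled device")
    # Rule 5: the source address must sit in the tenant's known ranges.
    ranges = TENANT_NETWORKS.get(subject.tenant, ())
    if not any(ip_address(env.src_ip) in net for net in ranges):
        violations.append("unknown source network")
    # Rule 6: requests outside agreed hours are refused.
    if env.when.hour not in WORKING_HOURS:
        violations.append("outside working hours")
    return ("deny" if violations else "permit"), violations


# Constructed requests: a genuine agent, the same account used with stolen
# credentials from elsewhere, and the agent reaching for another airline's data.
AGENT = Subject("agent01", "airline-a", "pss-agent", frozenset({"LAPTOP-0451"}))
OWN_PNR_STORE = Resource("pnr-store-a", "airline-a", "passenger-pii")
PARTNER_PNR_STORE = Resource("pnr-store-b", "airline-b", "passenger-pii")
LEGIT = Environment("203.0.113.10", "LAPTOP-0451", datetime(2021, 2, 24, 9, 0), True)
STOLEN_CREDS = Environment("198.51.100.7", "unknown", datetime(2021, 2, 24, 3, 0), False)


def decision_log():
    """Run the three cases and return the decisions keyed by case name."""
    return {
        "agent_own_data": evaluate(AGENT, OWN_PNR_STORE, LEGIT),
        "stolen_creds_own_data": evaluate(AGENT, OWN_PNR_STORE, STOLEN_CREDS),
        "agent_partner_data": evaluate(AGENT, PARTNER_PNR_STORE, LEGIT),
    }


if __name__ == "__main__":
    for case, (decision, why) in decision_log().items():
        print(f"{case}: {decision} {why}")
```

Every rule is evaluated rather than short-circuiting on the first failure, so the denial record carries all the context (new network, new device, odd hour) that the monitoring discussed under root cause three would want to see.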

Enhancing logging would also enable more informed analysis. By including logon attempts, user activity, and application and network traffic logs, the security team will, in the event of a successful attack, have the information needed to undertake forensics and help prevent future attacks.

Appendix A contains applicable standards and MITRE ATT&CK details which informed these mitigations.

Root cause two: Supply chain data leaks

This root cause is an architectural vulnerability which, when coupled with the Valid Accounts technique, is difficult to protect against; however, we can build on the mitigations put forward for access with compromised credentials.

Federated identity management would mitigate this root cause. Instead of sharing customer lists and their data, each airline would retain its own data and act as an identity provider, with SITA acting as the federation provider, working as follows:

  • Airline A wants to verify that a passenger is a frequent flyer with Airline B
  • Airline A provides Airline B with the customer’s identifier
  • Airline B then checks and responds to Airline A, without the need for sharing personal information.

As the data remains with its respective airline, the data is effectively segmented and would require successful attacks on multiple targets to gather.
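The exchange in the list above, written out as an added example with both sides’ messages; it is not SITA’s or Star Alliance’s protocol. Airline B keeps its loyalty records and acts as the identity provider, Airline A asks a yes/no question, and the answer is a signed assertion bound to that request and carrying only the claims A needs. The shared HMAC key, the member records and the message fields are constructed for the illustration; a real federation (SAML or OIDC) would use asymmetric signatures rather than a shared secret, but the binding and minimisation checks are the same.

```python
"""Federated frequent-flyer recognition without sharing passenger records (added example)."""
import hashlib
import hmac
import json
import secrets
import time

# Key agreed between Airline B and the federation (constructed for the example).
FEDERATION_KEY = b"constructed-demo-key-do-not-reuse"

# Airline B's loyalty records (constructed). They never leave airline_b_assert().
AIRLINE_B_MEMBERS = {
    "FF-10293": {"name": "A. Passenger", "email": "a.p@example.com", "tier": "gold"},
}

# Fields the federation contract forbids in any assertion.
PII_FIELDS = {"name", "email", "passport", "address"}


def airline_a_request(member_id):
    """Airline A asks whether member_id is a recognised frequent flyer with B."""
    return {"iss": "airline-a", "aud": "airline-b",
            "member_id": member_id, "nonce": secrets.token_hex(8)}


def airline_b_assert(request):
    """Airline B answers with a signed assertion carrying only what A needs."""
    if request["aud"] != "airline-b":
        raise ValueError("request not addressed to airline-b")
    member = AIRLINE_B_MEMBERS.get(request["member_id"])
    claims = {
        "iss": "airline-b",
        "aud": request["iss"],          # bound to the requesting airline
        "nonce": request["nonce"],      # bound to this specific request
        "member_id": request["member_id"],
        "recognised": member is not None,
        "tier": member["tier"] if member else None,
        "iat": int(time.time()),
    }
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    signature = hmac.new(FEDERATION_KEY, payload, hashlib.sha256).hexdigest()
    return payload, signature


def airline_a_verify(request, payload, signature):
    """Airline A checks the signature and request binding before trusting the answer."""
    expected = hmac.new(FEDERATION_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("assertion signature invalid")
    claims = json.loads(payload)
    if claims["aud"] != request["iss"] or claims["nonce"] != request["nonce"]:
        raise ValueError("assertion does not match this request")
    if PII_FIELDS & claims.keys():
        raise ValueError("identity provider leaked personal data")
    return claims


def accepts(request, payload, signature):
    """True if Airline A would accept the assertion, False if it rejects it."""
    try:
        airline_a_verify(request, payload, signature)
        return True
    except ValueError:
        return False


def recognise(member_id):
    """Full round trip; returns the verified claims Airline A may act on."""
    req = airline_a_request(member_id)
    payload, sig = airline_b_assert(req)
    return airline_a_verify(req, payload, sig)


if __name__ == "__main__":
    print(recognise("FF-10293"))   # recognised gold member, no name or email
    print(recognise("FF-00000"))   # unknown member, still a signed "no"
```

The nonce and audience checks are what stop a captured assertion being replayed against a different request or a different airline; the PII check enforces the data-minimisation contract so that a misconfigured identity provider is caught at the consumer rather than silently recreating the shared-data problem.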

A federated model could mitigate this particular attack by protecting identities, however other data may still be exposed to theft in this type of breach. Micro-segmentation would help mitigate this root cause at a more general level by limiting the ability of adversaries to undertake discovery, lateral movement, collection and exfiltration. It can also enhance monitoring by informing where and what to monitor and allow security teams to focus on systems and connections of higher value as well as providing more structured data for logs and forensics (CloudFlare, 2022).

Appendix B contains applicable standards and MITRE ATT&CK details which informed these mitigations.

Root cause three: Lack of monitoring of authorised users

Situational awareness is knowing what is going on around us so we can be ready to respond, and monitoring is key to maintaining it. We have a range of tools available for collecting data, such as firewalls, system logs, and intrusion detection and prevention systems. We can also monitor for anomalous user behaviour with tools such as AWS CloudWatch or Azure User and Entity Behavior Analytics.

This can all be brought together in a Security Information and Event Management (SIEM) system to give a holistic overview which, combined with the micro-segmentation implemented for root cause 2, informs our situational awareness. The volume of data collected can present a challenge in itself; we will look at this in more detail in the non-technical mitigations.

Appendix C contains applicable standards and MITRE ATT&CK details which informed these mitigations.

What SITA has done

According to SITA, following the attack, “cybersecurity embedded”, or, security-by-design has been a key motivator in their approach to business (SITA, 2022b, p. 25). This is confirmed in their 2022 Security Technical and Operational Measures which outlines “embedding security into software development” with various standards including the Open Web Application Security Project Software Assurance Maturity Model (OWASP SAMM) as well as Microsoft’s Secure Development Lifecycle (SDL) (SITA, 2022a).

In response to this attack, SITA has introduced a new product offering, partnering with Versa Networks to deploy a Software Defined Network solution called SITA Connect Go (SITA, 2022c) which leverages Secure Access Service Edge (SASE). SASE, pronounced sassy, delivers integrated network-as-a-service and security-as-a-service capabilities (Gartner, 2022) such as Software Defined Wide Area Network, Zero-Trust Network Access, Cloud Access Security Broker, Next Generation Firewall and Secure Web Gateways with a view to close gaps in security which previously existed in the security stack (Ginn & Brown, 2022).

The Versa Networks website states that their SASE product assumes breach and implements zero trust network access, which leverages micro-segmentation and isolation and enforces authentication of all devices and users; this includes checking policy, users and their context, as well as the identities of applications and devices. It also restricts network access based on IP address or location, which Versa claims mitigates lateral movement as well as “threats from unmanaged devices connecting to the network”. Following an attack it also shares threat intelligence with all devices in the network (Versa Networks, 2022a).

Comparing this to the recommendations above, we can see that SITA have taken a step in the right direction: their new product and approach to security seem capable of mitigating Access with compromised credentials (with MFA, ABAC and advanced monitoring) and Lack of monitoring of authorised users (with Continuous Diagnostics and Mitigation (CDM) and continuous assessment and monitoring of risk and trust) (Versa Networks, 2022b). SASE can also integrate with external identity providers as well as acting as an identity broker itself (Mehta & Mehta, 2021, pp. 7, 53). Given that implementing federated identity would remove the need to share customer identities, combined with the above-mentioned micro-segmentation it may also be able to mitigate Supply chain data leaks.

Non-technical mitigations 

Recommendations

There are a number of non-technical mitigations to prevent an attack of this nature occurring again. 

Firstly, policies to support the above technical recommendations will need to be created and implemented. Without policy, adoption may stall and the desired outcomes may not be achieved.

Supply chains need to be mapped and cybersecurity policies and agreements made with members up and down stream – both suppliers and customers. This should include education and training so that all supply chain members (including SITA staff) are aware of cybersecurity risks and understand their responsibility to mitigate them.

Security-by-design should be integrated into business processes and ways of working, so that business processes will always be in an authorised state – in other words, systems and data are secure at each stage and transition of the process – even in the event of a breach. This will add teeth to awareness and training, as it means that everyone is living and breathing cyber-awareness just by following the secure processes.

The technical solutions suggested generate a lot of data which needs resources to analyse – resources that are scarce due to a global cyber skills shortage (Oltsik, 2023). In fact, globally we collect security monitoring data in such quantities that analysing it is now one of big data’s biggest problems (Amjad et al., 2016, p. 124). A lack of analysis impedes decision making, so we need a way of refining the data we collect. Cyber-risk monitoring (Amjad et al., 2016) enables the definition and monitoring of business events – events that impact business operations – not just IT events. For example, a failed login attempt from a known IP and device by a user with a history of forgetting their password may have a lower priority than a failed login attempt from an unknown IP and device. This will allow security teams to prioritise their resources in a more efficient and effective manner.
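An added example serving both the monitoring of authorised users (root cause three) and the cyber-risk monitoring paragraph above; it is not SITA’s or Deloitte’s tooling. A per-user baseline is learned from that account’s own history, each new event is scored by how far it departs from the baseline, and reads from several hosts the account has never touched are surfaced as a discovery/lateral-movement signal. The log records, field names, weights and thresholds are all constructed for the illustration; the habitual password-forgetter on a known device stays at the bottom of the queue while the same account from a new network, new device and odd hour rises to the top.

```python
"""Cyber-risk scoring of authorised-user events (added example, constructed data)."""
from collections import defaultdict

# Constructed history for one account; timestamps are ISO-8601 UTC strings.
HISTORY = [
    {"ts": "2021-02-01T09:02:00Z", "user": "agent01", "event": "login_fail", "src_ip": "203.0.113.10", "device": "LAPTOP-0451", "host": "pss-web-1"},
    {"ts": "2021-02-01T09:03:00Z", "user": "agent01", "event": "login_ok", "src_ip": "203.0.113.10", "device": "LAPTOP-0451", "host": "pss-web-1"},
    {"ts": "2021-02-03T10:15:00Z", "user": "agent01", "event": "login_fail", "src_ip": "203.0.113.10", "device": "LAPTOP-0451", "host": "pss-web-1"},
    {"ts": "2021-02-03T10:16:00Z", "user": "agent01", "event": "login_ok", "src_ip": "203.0.113.10", "device": "LAPTOP-0451", "host": "pss-web-1"},
    {"ts": "2021-02-05T08:40:00Z", "user": "agent01", "event": "login_fail", "src_ip": "203.0.113.10", "device": "LAPTOP-0451", "host": "pss-web-1"},
    {"ts": "2021-02-05T08:41:00Z", "user": "agent01", "event": "login_ok", "src_ip": "203.0.113.10", "device": "LAPTOP-0451", "host": "pss-web-1"},
    {"ts": "2021-02-05T08:50:00Z", "user": "agent01", "event": "data_read", "src_ip": "203.0.113.10", "device": "LAPTOP-0451", "host": "pss-db-1"},
]

# Constructed events for the day in question: one ordinary fumbled login, then the
# same account arriving from elsewhere and reading from stores it never touched.
NEW_EVENTS = [
    {"ts": "2021-02-24T09:05:00Z", "user": "agent01", "event": "login_fail", "src_ip": "203.0.113.10", "device": "LAPTOP-0451", "host": "pss-web-1"},
    {"ts": "2021-02-24T03:11:00Z", "user": "agent01", "event": "login_fail", "src_ip": "198.51.100.7", "device": "unknown", "host": "pss-web-1"},
    {"ts": "2021-02-24T03:12:00Z", "user": "agent01", "event": "login_ok", "src_ip": "198.51.100.7", "device": "unknown", "host": "pss-web-1"},
    {"ts": "2021-02-24T03:20:00Z", "user": "agent01", "event": "data_read", "src_ip": "198.51.100.7", "device": "unknown", "host": "pss-db-2"},
    {"ts": "2021-02-24T03:25:00Z", "user": "agent01", "event": "data_read", "src_ip": "198.51.100.7", "device": "unknown", "host": "loyalty-db"},
    {"ts": "2021-02-24T03:31:00Z", "user": "agent01", "event": "data_read", "src_ip": "198.51.100.7", "device": "unknown", "host": "pss-db-3"},
]

HABITUAL_FAIL_THRESHOLD = 3   # failed logins in history before the "forgetful user" discount applies
FANOUT_THRESHOLD = 3          # distinct never-seen hosts read in one batch


def hour_of(ev):
    """Hour from an ISO timestamp without parsing the 'Z' suffix."""
    return int(ev["ts"][11:13])


def build_baseline(events):
    """Per-user sets of what has been seen before, plus the failed-login count."""
    base = defaultdict(lambda: {"ips": set(), "devices": set(), "hours": set(), "hosts": set(), "fails": 0})
    for ev in events:
        b = base[ev["user"]]
        b["ips"].add(ev["src_ip"])
        b["devices"].add(ev["device"])
        b["hours"].add(hour_of(ev))
        b["hosts"].add(ev["host"])
        if ev["event"] == "login_fail":
            b["fails"] += 1
    return base


def score_event(ev, baseline):
    """Return (score, reasons); weights are constructed, not tuned."""
    b = baseline[ev["user"]]       # an unknown user gets an empty baseline, so everything is new
    score, why = 0, []
    known_ip, known_dev = ev["src_ip"] in b["ips"], ev["device"] in b["devices"]
    if not known_ip:
        score, why = score + 3, why + ["new source IP"]
    if not known_dev:
        score, why = score + 3, why + ["new device"]
    if hour_of(ev) not in b["hours"]:
        score, why = score + 2, why + ["unusual hour"]
    if ev["event"] == "login_fail":
        if known_ip and known_dev and b["fails"] >= HABITUAL_FAIL_THRESHOLD:
            why.append("habitual failed login, no weight")   # the business context from the text
        else:
            score, why = score + 1, why + ["failed login"]
    if ev["event"] == "data_read" and ev["host"] not in b["hosts"]:
        score, why = score + 2, why + ["first read from host"]
    return score, why


def priority(score):
    return "high" if score >= 6 else "medium" if score >= 3 else "low"


def triage(events, baseline):
    """Events ranked for the analyst queue, highest risk first."""
    scored = []
    for ev in events:
        s, why = score_event(ev, baseline)
        scored.append((priority(s), s, ev, why))
    return sorted(scored, key=lambda row: row[1], reverse=True)


def new_host_fanout(events, baseline):
    """Users reading from several hosts they have never touched: a discovery/lateral-movement signal."""
    touched = defaultdict(set)
    for ev in events:
        if ev["event"] == "data_read" and ev["host"] not in baseline[ev["user"]]["hosts"]:
            touched[ev["user"]].add(ev["host"])
    return {user: hosts for user, hosts in touched.items() if len(hosts) >= FANOUT_THRESHOLD}


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    for level, s, ev, why in triage(NEW_EVENTS, base):
        print(f"{level:6} {s:2} {ev['ts']} {ev['event']:10} {ev['host']:10} {why}")
    print("fan-out:", new_host_fanout(NEW_EVENTS, base))
```

The per-event score answers the prioritisation question in the text; the fan-out check is the session-level view, because a single "first read from host" record is unremarkable on its own, whereas three of them from one account in half an hour is what discovery and collection by a valid account looks like in the logs.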

These measures will complement the technical mitigations, enhancing their performance and helping to secure against insider attacks as well as against social engineering and other attacks on wetware. Given that these recommendations will have organisation-wide impacts, to aid implementation and adoption I recommend setting up a cyber fusion centre which will bring together business, IT and security expertise to de-silo and allow sharing of knowledge. This will inform an organisation-wide approach to cybersecurity which is fit for purpose and enables “faster and more effective diagnosis and remediation when incidents occur” (Amjad et al., 2016, p. 130).

Appendix D contains applicable standards and MITRE ATT&CK details which informed these mitigations.

What SITA has done

SITA has initiated a number of organisation-wide non-technical solutions.

Their governance structure has changed in response to the attack, with the creation of the Cyber Security Committee (SITA, 2021a, p. 14), which evolved into the Cyber and Privacy Committee, which monitors all “enhancements of the Enterprise Security Improvement Plan and Privacy Program” (SITA, 2022b, p. 9). They are also enhancing their mandatory staff training, creating “a better learning experience” which includes privacy and data protection, cybersecurity and privacy-by-design (SITA, 2021a, p. 36), to facilitate an uplift in cyber posture.

They have updated their Security Technical and Operational Measures, which appears to be a high-level cybersecurity policy. In 2018 it was a one-page document with very high-level and generic security guidance, including guarding against unauthorised access, ensuring service continuity and protecting the confidentiality and integrity of data (SITA, 2018b).

Following the attack, their 2022 Security Technical and Operational Measures is much more detailed, spanning three pages and including the following security topics (SITA, 2022a):

  1. Information security governance
  2. Human resources security
  3. Security in third party relationships
  4. Physical security
  5. Asset management
  6. Secure development lifecycle
  7. Incident management
  8. Independent information security audit and certifications

The document specifies that these apply to SITA at a global level and each topic contains relevant ISO27K controls and GDPR principles. 

Implications across the industry

This incident will have implications across the industry. I believe the three most significant will be in supply chain cybersecurity, adopting an attacker’s mindset in preparing defences, and the adoption of zero trust network architecture.

Adopting an attacker’s mindset in defence

Standards provide an excellent framework for implementing cybersecurity policy, but as we saw in this attack, they can leave vulnerabilities if they are not appropriately contextualised to the organisation. ISO27K has applicable controls that could have mitigated this attack: for example, ISO27002 Control 6.7 Remote working and Control 8.5 Secure authentication would have seen the use of multi-factor authentication and considerations “such as access from an unusual location, from an unusual device or at an unusual time” (International Organization for Standardization, 2022), which could have detected the unusual IP address used by the adversary to access their systems (Rostovtsev, 2021). But in SITA’s case, it appears these were applied to defend against unauthorised access, not authorised access with compromised credentials or by insiders. By adopting an attacker’s mindset, we can complement standards by considering the principle of easiest penetration as well as misuse cases; the attack lifecycle and frameworks such as MITRE ATT&CK can help inform this.

Using these different perspectives should provide overlapping controls and help enhance defence-in-depth, as well as an uplift in culture and awareness through enhanced understanding of the nuances of defence.

Supply chain security

Aviation supply chain cybersecurity is an area that needs attention, and is becoming even more important with the introduction of third party application support in next generation Air Traffic Management systems currently being rolled out globally (Thompson, 2019). The ICAO Cybersecurity Action Plan calls for cooperation across the sector to manage supply chain risks and threats (ICAO, 2022, p. 11) indicating that, in alignment with the above non-technical recommendation, “cyber-security standards should exist for the entire supply chain” (Koepsel, 2016, p. 51). 

The lack of clear oversight in supply chains creates an environment where “malicious actors thrive” (Muncaster, 2021), making it critical for organisations to include their supply chains in their cybersecurity strategies (Mehan, 2014). This is easier said than done. While Section 4 of Executive Order 14028 called for the enhancement of software supply chain security (Biden, 2021, p. 26637), supply chain cybersecurity is still an evolving field, particularly in aviation (Hally, 2022). This is complicated by the insufficient attention paid to aviation technology supply chains to date (Koepsel, 2018, p. 64) and by the fact that they are “one of the most complex and relied upon networks in the world” (Schmidt, 2016, p. 187).

As a starting point, organisations have standards available to guide them on supply chain cybersecurity:

  • NIST-CSF Supply Chain Risk Management (ID.SC)
  • ISO 27002 5.21 Managing information security in the ICT supply chain
  • ICAO SARP 4.9.1 & 4.9.2 of Annex 17 of the Chicago Convention (Pecharromán, 2020)

We will expand on this in the following zero trust section.

Adoption of zero trust network architecture

Many aviation systems “were designed with a significantly weaker threat model in mind” (Dave et al., 2022, p. 10) with open designs (Elmarady & Rahouma, 2021, p. 143997) resulting in insecure systems (Dave et al., 2022, p. 7). I believe this approach was reflected in the way SITA and Star Alliance handled passenger data and the way SITA allowed access to their systems. An “aviation intranet” as outlined in the ICAO’s Global Air Navigation Plan 2012-2030 (GANP) (ICAO, 2016, p. 72) will enable sector growth by connecting all airspace users (Elmarady & Rahouma, 2021, p. 144013), however this level of interconnectivity “presents elevated cyber-attack opportunities” (Latifi, 2016, p. 202).

In order to facilitate this level of interconnection we will see a shift to zero trust network architecture, spanning business systems to aircraft components, which will constrain adversaries when they do breach. Zero trust network architecture requires explicit verification, least privilege access and assumption of breach. This means that users – humans or otherwise – must authenticate and be authorised using all available data points, including anomaly detection, to gain the minimum privileges for the minimum period required to undertake a task (Microsoft, 2023b). It also assumes breach, recognising that there is no such thing as perfect security and that the goal is to slow an adversary’s progress and minimise loss and damage before eviction. Micro-segmentation is key to zero trust; in combination with explicit verification and end-to-end encryption it impedes progression of the attack lifecycle, and for defenders it allows isolation of threats before they spread (CloudFlare, 2022).

It could also benefit threat intelligence: since we expect and are prepared for breach, we can gather more pertinent data when it occurs, perhaps luring the adversary (MITRE, 2022a) into a honeynet for observation. This could lead to clearer definitions of trust boundaries and inform iterative improvements to architecture, practices, monitoring and response.

Conclusion

Following an attack in 2021 SITA made a shift to security-by-design which has impacted their approach to cybersecurity in their: products, with adoption of SASE architecture; governance, creating the Cyber and Privacy Committee; and in awareness, with new staff training.

In this report we have included open source intelligence to build a scenario for analysis, we then presented three root causes for the success of the attack, these were:

  1. Access with compromised credentials
  2. Supply chain data leaks
  3. Lack of monitoring of authorised users

We then presented technical solutions for each of these, arrived at through an application of NIST-CSF, ISO27K and MITRE ATT&CK. We looked at each root cause individually, with a view to combining the mitigations into a holistic solution. For access with compromised credentials we recommended strong authentication, ABAC and enhanced logging. To mitigate supply chain data leaks we put forward federated identity management and micro-segmentation. Finally, for lack of monitoring of authorised users we looked at improving situational awareness with improved monitoring and a SIEM.

Among the non-technical mitigations, we looked at policy support for the technical mitigations as well as training and education to improve cyber posture. To support this, the integration of security-by-design into business processes was introduced to ensure that systems, processes and data remain in authorised states. To handle the increased data gathered by our technical mitigations, a shift to cyber-risk monitoring was recommended, which brings more focus and relevance to event data collection and allows more efficient and effective use of resources.

We also reported on SITA’s response to the attack. Their technical response has been to implement a SASE solution, which has wide-ranging implications and covers our technical recommendations. They have also made significant changes to their governance, training and policy.

We brought this all together to look at implications for the sector, exploring the combination of a standards based approach with application of an attack lifecycle to bring rigour to applying an attacker’s mindset to cybersecurity. There is also a need to focus on supply chain cybersecurity, supported by the adoption of zero trust throughout the aviation sector. In SITA’s case, these recommendations could complement their current response and help to generate organisational wide engagement, improved adoption of solutions and uplift. More generally, these recommendations were made to mitigate the threats facing a sector that is modernising and growing while facilitating growing interconnection.

References

Air Inuit. (2021). Notice of cybersecurity incident at former service provider – Sita. https://www.airinuit.com/uploads/alerts/SITA/SITA_INCIDENT_Website_Notice_FINAL.pdf 

Amjad, A., Nicholson, M., Stevenson, C., & Douglas, A. (2016). From security monitoring to cyber risk monitoring. Deloitte Review. https://www2.deloitte.com/content/dam/insights/us/articles/future-of-cybersecurity-operations-management/DR19_FromSecurityMonitoringToCyberRiskMonitoring.pdf 

ASD. (2021). Implementing network segmentation and segregation. Cyber.Gov.Au. https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/system-hardening-and-administration/network-hardening/implementing-network-segmentation-and-segregation 

Biden, J. (2021, May 17). Improving the nation’s cybersecurity. Federal Register. https://www.federalregister.gov/documents/2021/05/17/2021-10460/improving-the-nations-cybersecurity 

Bracken, B. (2021, March 5). Massive supply-chain cyberattack breaches several airlines. Threatpost. https://threatpost.com/supply-chain-cyberattack-airlines/164549/ 

Braziotis, C., Bourlakis, M., Rogers, H., & Tannock, J. (2013). Supply chains and supply networks: Distinctions and overlaps. Supply Chain Management: An International Journal, 18(6), 644–652. https://doi.org/10.1108/scm-07-2012-0260 

Brewster, T. (2021, June 10). Are the FBI’s ‘most wanted’ Chinese spies hacking the airline industry? Forbes. https://www.forbes.com/sites/thomasbrewster/2021/06/10/are-the-fbis-most-wanted-chinese-spies-hacking-the-airline-industry/?sh=54976ea6237d 

Brown, R., Ta, V., Bienstock, D., Ackerman, G., & Wolfram, J. (2023, August 9). APT41 targeting U.S. state government networks. Mandiant. https://www.mandiant.com/resources/blog/apt41-us-state-governments 

CloudFlare. (2022). What is microsegmentation? Cloudflare. https://www.cloudflare.com/en-au/learning/access-management/what-is-microsegmentation/ 

Collier, B., Clayton, R., Hutchings, A., & Thomas, D. (2021). Cybercrime is (often) boring: Infrastructure and alienation in a deviant subculture. The British Journal of Criminology, 61(5), 1407–1423. https://doi.org/10.1093/bjc/azab026 

Dave, G., Choudhary, G., Sihag, V., You, I., & Choo, K.-K. R. (2022). Cyber security challenges in aviation communication, navigation, and surveillance. Computers & Security, 112, 102516. https://doi.org/10.1016/j.cose.2021.102516 

Elmarady, A. A., & Rahouma, K. (2021). Studying cybersecurity in civil aviation, including developing and applying aviation cybersecurity risk assessment. IEEE Access, 9, 143997–144016. https://doi.org/10.1109/access.2021.3121230 

Enterprise IT World. (2016). Customer story: Air India | SITA. http://www.enterpriseitworld.com/wp-content/uploads/2017/09/Air-India-Customer-Story-A4-HR-Final-Final.pdf 

Farrer, M. (2021, March 5). Airline data hack: Hundreds of thousands of Star Alliance passengers’ details stolen. The Guardian. https://www.theguardian.com/world/2021/mar/05/airline-data-hack-hundreds-of-thousands-of-star-alliance-passengers-details-stolen 

Gartner. (2022, September 28). Definition of secure access service edge (SASE) – Gartner information technology glossary. Gartner. https://www.gartner.com/en/information-technology/glossary/secure-access-service-edge-sase 

Ghosh, S. (2021, May 30). Air India data breach highlights concerns around third-party risk and supply-chain security. CSO Online. https://www.csoonline.com/article/570797/air-india-data-breach-highlights-concerns-around-third-party-risk-and-supply-chain-security.html 

Ginn, J., & Brown, D. H. (2022). Diving into Secure Access Service Edge: A technical leadership guide to achieving success with SASE at market speed. Packt Publishing Ltd.

Hally, L. (2022, June 30). Evolving aviation cybersecurity. A Cyber Security Blog by Luke Hally. https://www.lukehally.com.au/cyber-ops/a-review-of-aviation-cybersecurity/ 

Hally, L. (2023, June 3). Advanced cyber risk monitoring. A Cyber Security Blog by Luke Hally. https://www.lukehally.com.au/cyber-risk-resilience/advanced-cyber-risk-monitoring/ 

Hu, V., Ferraiolo, D., Kuhn, R., Schnitzer, A., Sandlin, K., Miller, R., & Scarfone, K. (2014). Guide to attribute based access control (ABAC) definition and considerations. National Institute of Standards and Technology. http://dx.doi.org/10.6028/nist.sp.800-162 

Hughes, M. (2021, March 5). Oh SITA: Airline IT provider confirms passenger data leaked after major “cyber-attack.” The Register. https://www.theregister.com/2021/03/05/oh_sita_airline_it_provider/ 

IBM. (2023). Cost of a data breach report 2023. https://www.ibm.com/downloads/cas/E3G5JMBP 

ICAO. (2016). 2016–2030 Global Air Navigation Plan. ICAO. https://www.icao.int/publications/Documents/9750_5ed_en.pdf 

ICAO. (2022). Cybersecurity Action Plan. https://www.icao.int/aviationcybersecurity/Documents/CYBERSECURITY%20ACTION%20PLAN%20-%20Second%20edition.EN.pdf 

Ikeda, S. (2021, March 8). Aviation IT giant SITA breached in extensive supply chain attack; frequent flier programs of major airline … CPO Magazine. https://www.cpomagazine.com/cyber-security/aviation-it-giant-sita-breached-in-extensive-supply-chain-attack-frequent-flier-programs-of-major-airlines-compromised/ 

Ilascu, I. (2021, March 5). SITA data breach affects millions of travelers from major airlines. BleepingComputer. https://www.bleepingcomputer.com/news/security/sita-data-breach-affects-millions-of-travelers-from-major-airlines/amp/ 

Intelligent Discovery. (2020). AWS cloudwatch security alarms best practice. Intelligent Discovery. https://www.intelligentdiscovery.io/controls/cloudwatch 

International Organization for Standardization. (2022, February). Who should adopt ISO/IEC 27002? ISO. https://www.iso.org/standard/75652.html 

Joshi, G. (2022, July 6). Tech revamp: Air India inks A deal with Amadeus for passenger service system. Simple Flying. https://simpleflying.com/air-india-deal-with-amadeus/ 

Koepsel, K. M. (2016). Commercial aviation and cyber security: A critical intersection. SAE International.

Koepsel, K. M. (2018). The aerospace supply chain and cyber security: Challenges ahead. SAE International.

Kropotov, V., McArdle, R., & Yarochkin, F. (2020, July 21). Hacker infrastructure and underground hosting 101: Where are cybercriminal platforms offered? Security News. https://www.trendmicro.com/vinfo/au/security/news/cybercrime-and-digital-threats/hacker-infrastructure-and-underground-hosting-101-where-are-cybercriminal-platforms-offered 

Latifi, S. (2016). Information technology: New generations: 13th International Conference on Information Technology. Springer.

Mandiant. (2022). APT41, a dual espionage and cyber crime operation. Mandiant. https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf 

Mehan, J. (2014). CyberWar, CyberTerror, CyberCrime and CyberActivism: An in-depth guide to the role of standards in the cybersecurity environment. IT Governance Publishing.

Mehta, K., & Mehta, A. (2021). SASE For Dummies®, Versa Networks Special Edition. John Wiley & Sons, Inc. https://versa-networks.com/documents/ebooks/sase-for-dummies.pdf 

Microsoft. (2023a). Enable entity behavior analytics to detect advanced threats. Microsoft Learn. https://learn.microsoft.com/en-us/azure/sentinel/enable-entity-behavior-analytics 

Microsoft. (2023b). Zero trust model – Modern security architecture. Microsoft Security. https://www.microsoft.com/en-au/security/business/zero-trust 

Microsoft. (2023c, February 8). Zero Trust and Windows device health – Windows Security. Microsoft Learn. https://learn.microsoft.com/en-us/windows/security/security-foundations/zero-trust-windows-device-health 

MITRE. (2022a). MITRE Engage matrix. MITRE Engage. https://engage.mitre.org/matrix/?activity=lures 

MITRE. (2022b, August 24). Aviation & transportation. MITRE. https://www.mitre.org/focus-areas/aviation-transportation 

MITRE. (2022c, August 25). CAASD. MITRE. https://www.mitre.org/our-impact/rd-centers/center-advanced-aviation-system-development 

MITRE. (2022d, September 21). Trusted relationship, technique T1199 – Enterprise. MITRE ATT&CK®. https://attack.mitre.org/techniques/T1199/ 

MITRE. (2023a, March 30). Valid accounts, technique T1078 – Enterprise. MITRE ATT&CK®. https://attack.mitre.org/techniques/T1078/ 

MITRE. (2023b, April 14). Cloud administration command, technique T1651 – Enterprise. MITRE ATT&CK®. https://attack.mitre.org/techniques/T1651/ 

Muncaster, P. (2021, March 5). SITA supply chain breach hits multiple airlines. Infosecurity Magazine. https://www.infosecurity-magazine.com/news/sita-supply-chain-breach-hits/?__cf_chl_jschl_tk__=pmd_22d96108ea7a7a023a70a6e1ae2d307113653a31-1626767310-0-gqNtZGzNAfijcnBszQp6 

Nair, P. (2021, March 5). Supply chain attack jolts airlines. GovInfoSecurity. https://www.govinfosecurity.com/supply-chain-attack-jolts-airlines-a-16123 

NIST. (2023, July). NIST SP 800-53, Revision 5 Control Mappings to ISO/IEC 27001. https://csrc.nist.gov/files/pubs/sp/800/53/r5/upd1/final/docs/sp800-53r5-to-iso-27001-mapping.docx 

Okta. (2023). Strong Authentication: Definition & Security Factors. https://www.okta.com/au/identity-101/what-is-strong-authentication/ 

Olenick, D. (2021, June 15). Report: China-Connected APT41 likely behind attacks on airlines. https://www.bankinfosecurity.asia/report-china-connected-apt41-likely-behind-attacks-on-airlines-a-16873 

Oltsik, J. (2023, September 11). The global cybersecurity skills shortage: Still crazy after all these years. CSO Online. https://www.csoonline.com/article/651940/the-global-cybersecurity-skills-shortage-still-crazy-after-all-these-years.html 

Pecharromán, J. (2020, December 1). Cybersecurity in Annex 17. https://www.icao.int/NACC/Documents/Meetings/2020/ACI/P02-CybersecurityAnnex17-ENG.pdf 

Praveer, R. R. (2021, June 16). SITA PSS issues clarification on Air India hacking & involvement of APT41. myLawrd. https://www.mylawrd.com/sita-pss-issues-clarification-on-air-india-hacking-involvement-of-apt41/ 

PWC. (2021). Cyber Threats 2021:  A Year in Retrospect. https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf 

Rostovtsev, N. (2021, June 10). Big airline heist. Group-IB. https://www.group-ib.com/blog/colunmtk-apt41/ 

Schmidt, A. (2016). Cyberterrorism: combating the aviation industry’s vulnerability to cyberattack. Suffolk Transnational Law Review, 39(1). 

Securin Inc. (2021, July 9). Back-to-back Air India attacks indicating more than just a data breach? Securin. https://www.securin.io/back-to-back-air-india-attacks-indicating-more-than-just-a-data-breach/ 

Silk, R. (2021, March 19). Airline data breach targets a fraudster favorite Loyalty programs. Travel Weekly. https://www.travelweekly.com/Travel-News/Airline-News/Airline-data-breach-targets-a-fraudster-favorite-Loyalty-programs 

Singapore Airlines. (2021, March 4). Data incident at SITA affecting some KrisFlyer members. Latest News and Announcements. https://www.singaporeair.com/en_UK/sg/media-centre/news-alert/?id=kltm93p0 

Sinha, S. (2021, May 22). Air India data breach: SITA says cyber attackers ‘accessed some systems for 22 days at Atlanta centre.’ Times Of India. https://timesofindia.indiatimes.com/india/air-india-data-breach-sita-says-cyber-attackers-accessed-some-systems-for-22-days-at-atlanta-centre/articleshow/82864982.cms 

SITA. (2017). SITA Information Security Services. SITA Information Security Services. https://www.sita.aero/solutions/sita-at-airports/sita-communications-and-data-exchange/sita-information-security-services/ 

SITA. (2018a). Horizon the next steps. https://comms.sita.aero/rs/089-ZSE-857/images/SITA_HORIZON_THE_NEXT_STEPS_Interactive.pdf 

SITA. (2018b). Security Technical and Operational Measures.

SITA. (2021a). SITA activity report 2021. SITA Activity Report 2021. https://www.sita.aero/sita-activity-report-2021/ 

SITA. (2021b). SITA statement about security incident. SITA Statement about Security Incident. https://www.sita.aero/pressroom/news-releases/sita-statement-about-security-incident/ 

SITA. (2022a). Security Technical and Operational Measures.

SITA. (2022b). SITA activity report 2022. https://www.sita.aero/globalassets/docs/surveys–reports/activity-report-2022.pdf 

SITA. (2022c, October 3). SITA Connect go. SITA Connect Go. https://www.sita.aero/solutions/sita-at-airports/sita-communications-and-data-exchange/sita-connect/sita-connect-go/ 

Sorrells, M. (2021, March 5). SITA cyber attack accesses passenger data for multiple airlines. PhocusWire. https://www.phocuswire.com/sita-cyber-attack-accesses-passenger-data-for-multiple-airlines 

Star Alliance. (2019, May). Star Alliance member airlines. Star Alliance. https://www.staralliance.com/en/members?airlineCode=AI 

Strong, T. (2019, March 21). We need complete confidence in data security. We Need Complete Confidence in Data Security. https://www.sita.aero/pressroom/blog/we-need-complete-confidence-in-data-security/ 

Thompson, I. (2019, February 23). Reach for the Onesky, Australia’s integrated air traffic management system. Australian Aviation. https://australianaviation.com.au/2019/02/reach-for-the-onesky-australias-integrated-air-traffic-management-system/ 

Uniting Aviation. (2020, April 29). ANC Talks: SITA brings cybersecurity to the discussions. Uniting Aviation. https://unitingaviation.com/news/security-facilitation/anc-talks-sita-brings-cybersecurity-to-the-discussions/ 

Versa Networks. (2022a, May 4). Top 10 benefits of SASE (secure access service edge). Versa Networks. https://versa-networks.com/sase/benefits/ 

Versa Networks. (2022b, May 4). What Are the Major SASE components? Versa Networks. https://versa-networks.com/sase/components/ 

Appendix A

Relevant standards for root cause one, access with compromised credentials.

Table A1: Applicable ISO27K / NIST standards

ISO27K | NIST-CSF
5.16 Identity management | PR.AC-1 Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes
5.17 Authentication information | PR.AC-1 Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes
| PR.AC-7 Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks)
5.18 Access rights | PR.AC-1 Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes
8.2 Privileged access rights | PR.AC-1 Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes
8.20 Networks security | PR.AC-3 Remote access is managed
8.22 Segregation of networks | PR.AC-3 Remote access is managed
8.5 Secure authentication | PR.AC-1 Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes
| PR.AC-7 * 3 Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks)

Table A2: Applicable MITRE ATT&CK details

MITRE Tactic & Technique | MITRE Detection | MITRE Mitigations
Initial Access: Valid Accounts (ID: T1078), a known procedure of APT41 | Logon Session (ID: DS0028): Logon Session Creation, Logon Session Metadata | Account Use Policies (ID: M1036)
Initial Access: Trusted Relationship (ID: T1199) | User Account (ID: DS0002): User Account Authentication | Password Policies (ID: M1027)
| Application Log (ID: DS0015) | Privileged Account Management (ID: M1026)
| Network Traffic (ID: DS0029) | User Account Management (ID: M1018)
| | Multi-factor Authentication (ID: M1032)

Appendix B

Relevant standards for root cause two, supply chain data leaks.

Table B1: Applicable ISO27K / NIST standards

ISO27K | NIST-CSF
5.13 Labelling of information | PR.DS-5 Protections against data leaks are implemented
5.14 Information transfer | PR.AC-5 Network integrity is protected (e.g., network segregation, network segmentation)
5.15 Access control | PR.AC-4 Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
8.22 Segregation of networks | PR.AC-5 Network integrity is protected (e.g., network segregation, network segmentation)
8.26 Application security requirements | PR.AC-4 Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
| PR.AC-5 * 2 Network integrity is protected (e.g., network segregation, network segmentation)
8.3 Information access restriction | PR.AC-4 Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
8.20 Networks security | DE.AE-1 A baseline of network operations and expected data flows for users and systems is established and managed
| PR.DS-5 Protections against data leaks are implemented

Table B2: Applicable MITRE detection & mitigations

MITRE Detection | MITRE Mitigations
User Data Transfer Analysis (D3-UDTA) | Local File Permissions (D3-LFP)
Credential Compromise Scope Analysis (D3-CCSA) | Disk Encryption (D3-DENCR)
Job Function Access Pattern Analysis (D3-JFAPA) | File Encryption (D3-FE)
Resource Access Pattern Analysis (D3-RAPA) |
Session Duration Analysis (D3-SDA) |
User Geolocation Logon Pattern Analysis (D3-UGLPA) |

Appendix C

Relevant standards for root cause three, lack of monitoring of authorised users.


Table C1: Applicable ISO27K / NIST standards

ISO27K | NIST-CSF
5.17 Authentication information | PR.AC-7 Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks)
8.15 Logging | DE.CM-3 Personnel activity is monitored to detect potential cybersecurity events
8.16 Monitoring activities | DE.CM-1 The network is monitored to detect potential cybersecurity events
8.3 Information access restriction | PR.DS-5 Protections against data leaks are implemented
5.22 Monitoring, review and change management of supplier services | DE.CM-6 External service provider activity is monitored to detect potential cybersecurity events
| DE.AE-1 A baseline of network operations and expected data flows for users and systems is established and managed

Table C2: Applicable MITRE ATT&CK details

MITRE ATT&CK Tactic & Technique | MITRE Detection | MITRE Mitigations
Lateral Movement: Remote Services (ID: T1021) | Network Traffic (ID: DS0029): Network Connection Creation, Network Traffic Content, Network Traffic Flow | Network Intrusion Prevention (ID: M1031)
Initial Access: Valid Accounts (ID: T1078) | Cloud Storage (ID: DS0010) | Filter Network Traffic (ID: M1037)
Exfiltration: Data Transfer Size Limits (ID: T1030) | Snapshot (ID: DS0020) | User Account Management (ID: M1018)
Exfiltration: Transfer Data to Cloud Account (ID: T1537) | Command (ID: DS0017): Command Execution | Data Loss Prevention (ID: M1057)
Exfiltration: Exfiltration Over Web Service (ID: T1567) | File (ID: DS0022): File Access |
Discovery: File and Directory Discovery (ID: T1083) | Process (ID: DS0009): OS API Execution, Process Creation |

Appendix D

Relevant standards for non-technical mitigations for all root causes.

Table D1: Applicable ISO27K / NIST standards

ISO27K | NIST-CSF
5.10 Acceptable use of information and other associated assets | PR.DS-2 Data-in-transit is protected
5.14 Information transfer | ID.AM-3 Organizational communication and data flows
| PR.DS-2 Data-in-transit is protected
| PR.DS-5 Protections against data leaks are implemented
5.15 Access control | PR.DS-5 Protections against data leaks are implemented
5.16 Identity management | PR.AC-7 Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks)
5.17 Authentication information | PR.AC-7 Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks)
5.19 Information security in supplier relationships | ID.BE-1 The organization’s role in the supply chain is identified and communicated
| ID.SC-1 Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders
| ID.SC-3 Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization’s cybersecurity program and Cyber Supply Chain Risk Management Plan
5.20 Addressing information security within supplier agreements | ID.BE-1 The organization’s role in the supply chain is identified and communicated
| ID.SC-3 Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization’s cybersecurity program and Cyber Supply Chain Risk Management Plan
5.21 Managing information security in the ICT supply chain | ID.BE-1 The organization’s role in the supply chain is identified and communicated
| ID.SC-1 Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders
| ID.SC-3 Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization’s cybersecurity program and Cyber Supply Chain Risk Management Plan
5.22 Monitoring, review and change management of supplier services | DE.CM-6 External service provider activity is monitored to detect potential cybersecurity events
| DE.AE-1 A baseline of network operations and expected data flows for users and systems is established and managed
| ID.BE-1 The organization’s role in the supply chain is identified and communicated
| ID.SC-2 Suppliers and third party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process
| ID.SC-4 Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations
6.3 Information security awareness, education and training | PR.AT-1 All users are informed and trained
| PR.AT-2 Privileged users understand their roles and responsibilities
| PR.AT-3 Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities
8.20 Networks security | DE.AE-1 A baseline of network operations and expected data flows for users and systems is established and managed
| PR.DS-2 Data-in-transit is protected
| PR.DS-5 Protections against data leaks are implemented
8.21 Security of network services | PR.AC-3 Remote access is managed
8.22 Segregation of networks | PR.DS-5 Protections against data leaks are implemented
8.24 Use of cryptography | PR.DS-5 Protections against data leaks are implemented
8.26 Application security requirements | PR.DS-2 Data-in-transit is protected
| PR.DS-5 Protections against data leaks are implemented
8.3 Information access restriction | PR.DS-5 Protections against data leaks are implemented

Appendix E

Table E1: NIST-CSF to ISO27K mapping.

NIST-CSF | ISO27K | Root Cause
DE.CM-6 External service provider activity is monitored to detect potential cybersecurity events | 5.22 Monitoring, review and change management of supplier services | Other mitigations
DE.AE-1 A baseline of network operations and expected data flows for users and systems is established and managed | 5.37 Documented operating procedures | Other mitigations
| 8.20 Networks security |
| 8.21 Security of network services |
| 8.32 Change management |
ID.AM-3 Organizational communication and data flows | 5.14 Information transfer | Other mitigations
ID.BE-1 The organization’s role in the supply chain is identified and communicated | 5.19 Information security in supplier relationships | Other mitigations
| 5.20 Addressing information security within supplier agreements |
| 5.21 Managing information security in the ICT supply chain |
| 5.22 Monitoring, review and change management of supplier services |
ID.SC-1 Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders | 5.19 Information security in supplier relationships | Other mitigations
| 5.21 Managing information security in the ICT supply chain |
ID.SC-2 Suppliers and third party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process | 5.22 Monitoring, review and change management of supplier services | Other mitigations
ID.SC-3 Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization’s cybersecurity program and Cyber Supply Chain Risk Management Plan | 5.19 Information security in supplier relationships | Other mitigations
| 5.20 Addressing information security within supplier agreements |
| 5.21 Managing information security in the ICT supply chain |
ID.SC-4 Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations | 5.22 Monitoring, review and change management of supplier services | Other mitigations
PR.AC-3 Remote access is managed | 8.21 Security of network services | Other mitigations
PR.AC-7 Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks) | 5.16 Identity management | Other mitigations
| 5.17 Authentication information |
PR.AT-1 All users are informed and trained | 6.3 Information security awareness, education and training | Other mitigations
| 8.7 Protection against malware |
PR.AT-2 Privileged users understand their roles and responsibilities | 5.2 Information security roles and responsibilities | Other mitigations
| 6.3 Information security awareness, education and training |
PR.AT-3 Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities | 5.2 Information security roles and responsibilities | Other mitigations
| 5.4 Management responsibilities |
| 6.3 Information security awareness, education and training |
PR.DS-2 Data-in-transit is protected | 5.10 Acceptable use of information and other associated assets | Other mitigations
| 5.14 Information transfer |
| 5.8 Information security in project management |
| 8.20 Networks security |
| 8.26 Application security requirements |
PR.DS-5 Protections against data leaks are implemented | 5.10 Acceptable use of information and other associated assets | Other mitigations
| 5.13 Labelling of information |
| 5.14 Information transfer |
| 5.15 Access control |
| 5.3 Segregation of duties |
| 6.1 Screening |
| 6.5 Responsibilities after termination or change of employment |
| 6.6 Confidentiality or non-disclosure agreements |
| 7.5 Protecting against physical and environmental threats |
| 7.6 Working in secure areas |
| 7.8 Equipment siting and protection |
| 8.20 Networks security |
| 8.22 Segregation of networks |
| 8.24 Use of cryptography |
| 8.26 Application security requirements |
| 8.3 Information access restriction |
| 8.4 Access to source code |
New (no NIST-CSF mapping) | 8.23 Web filtering | Root Cause 1
PR.AC-1 Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes | 5.16 Identity management | Root Cause 1
| 5.17 Authentication information |
| 5.18 Access rights |
| 8.2 Privileged access rights |
| 8.5 Secure authentication |
PR.AC-3 Remote access is managed | 6.2 Terms and conditions of employment | Root Cause 1
| 6.7 Remote working |
| 7.9 Security of assets off-premises |
| 8.1 User endpoint devices |
| 8.20 Networks security |
| 8.22 Segregation of networks |
PR.AC-7 Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks) | 8.5 Secure authentication | Root Cause 1
| 5.17 Authentication information |
ID.AM-4 External information systems are catalogued | 7.9 Security of assets off-premises | Root Cause 2
PR.AC-4 Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties | 5.15 Access control | Root Cause 2
| 5.3 Segregation of duties |
| 8.18 Use of privileged utility programs |
| 8.26 Application security requirements |
| 8.3 Information access restriction |
| 8.4 Access to source code |
PR.AC-5 Network integrity is protected (e.g., network segregation, network segmentation) | 8.26 Application security requirements | Root Cause 2
| 5.14 Information transfer |
| 8.22 Segregation of networks |
PR.DS-5 Protections against data leaks are implemented | 5.8 Information security in project management | Root Cause 2
| 8.18 Use of privileged utility programs |
DE.CM-3 Personnel activity is monitored to detect potential cybersecurity events | 8.15 Logging | Root Cause 3
New (no NIST-CSF mapping) | 8.16 Monitoring activities | Root Cause 3
PR.AC-5 Network integrity is protected (e.g., network segregation, network segmentation) | 8.26 Application security requirements | Root Cause 3
| 5.14 Information transfer |
| 8.20 Networks security |
| 8.22 Segregation of networks |
PR.AC-7 Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks) | 5.34 Privacy and protection of PII | Root Cause 3
| 8.5 Secure authentication |
| 5.16 Identity management |
| 5.17 Authentication information |
PR.DS-1 Data-at-rest is protected | 5.10 Acceptable use of information and other associated assets | Root Cause 3
PR.DS-2 Data-in-transit is protected | 5.10 Acceptable use of information and other associated assets | Root Cause 3
| 5.14 Information transfer |
| 8.20 Networks security |
| 8.26 Application security requirements |
PR.DS-5 Protections against data leaks are implemented | 5.15 Access control | Root Cause 3
| 5.10 Acceptable use of information and other associated assets |
| 5.14 Information transfer |
| 5.3 Segregation of duties |
| 7.5 Protecting against physical and environmental threats |
| 7.6 Working in secure areas |
| 7.8 Equipment siting and protection |
| 8.2 Privileged access rights |
| 8.20 Networks security |
| 8.22 Segregation of networks |
| 8.26 Application security requirements |
| 8.3 Information access restriction |
| 8.4 Access to source code |
