Policy Analytics for Cybersecurity of Cyber-Physical Systems: October 2019 (Y2, Q2)

Funding Type: Full proposal
Start Date: March 01, 2018
Expected Completion Date: April 30, 2020
Principal Investigator: Nazli Choucri

Accomplishments

Accomplishments during this reporting period, July 1 - September 30, 2019 (Year 2: Quarter 2), are presented in the following sections of this report. By necessity, reference is made to Year 1.

Table of Contents
1. Problem Statement
2. Analytics for Cyber Security Strategy & Policy
2.1 Year 1: Data Base for Test-bed
2.2 Year 2: Quarter 1 Progress
3. Year 2: Focus of Quarter 2
3.1 Workplan for Year 2
3.2 Research Corrective
4. References and Supporting Policy Documents

1. Problem Statement

As a general practice, all guidelines, directives and policy documents are presented in text form -- page-by-page and word-by-word -- and supported with figures, diagrams and tables as needed. By definition, text in any language undermines attention to, and obscures, feedback, delays, interconnections, cascading effects, indirect impacts and the like. Such features are embedded deep in the idiom or structure of the textual form.

The text-form may be necessary, but it is not sufficient. In fact, it may create barriers to understanding, obscure the full nature of directives, and generate less than optimal results - all of which impede the pursuit of effective outcomes.

The overarching purpose of this project is to develop analytical methods to support national strategy for cybersecurity, as outlined in Presidential Executive Orders (EXORD) [1, 2] and National Defense Authorization Acts (NDAAs) [3, 4]. Operationally, our goal is to develop analytics for cyber security policies and guidelines targeted specifically to (a) extract the knowledge embedded in policy guidelines, and (c) assist the user community, analysts, and operators in implementation.

Our goal is to construct new tools that are applicable to policy directives, regulations, and guidelines for diverse issue areas. This means that we target applications other than those that provide the test bed for this project. Focusing on the salience of cybersecurity in both private and public sectors, we draw on major reports presented by the National Institute of Standards and Technology (NIST), and the data sources involved, as the test-bed for this project. The test-bed application case consists only of policy documents as its database. As such, it is in a "controlled environment".

In earlier Quarterly Reports, we highlighted the Base Period and its results. We also stressed the close connection of (a) analytical tools and (b) policy relevance. We highlight this relationship once again, below.

2. Analytics for Cybersecurity Strategy & Policy

The point here is that our research on development of tools is designed for policy relevance in policy application contexts.

2.1 Year 1: Data Base for Test-bed
In Year 1 we aligned our project with national policy by consolidating our vision and mission around EXORD and NDAA statements, as shown in the Report for Year 2, Quarter 1 [6]. This alignment ensures that our research project remains anchored in national policy priorities. The previous Quarterly Reports [7-10] present the results of our work to date.
While the Test-Bed for method-development focuses on cybersecurity of smart grid, we stress that the methods and approaches in this project are not tied to specific types of policy guidelines or specific forms of infrastructure.

2.2 Year 2: Quarter 1 Progress
A related accomplishment, in the Year 2, Quarter 1 Report, is the clear articulation of the design for the data extraction and linkage method. We stress once more that the material (text) comes from different policy documents. To simplify, the process consists of:
i. Text-to-Data
ii. Data-to-Metrics
iii. Metrics-to-Model
iv. Model-to-Analytics
The most complex step in terms of human time is text-to-data for the specific case of the test-bed. The results of the first step are incorporated into one data base. A simplified view is reproduced in Table 1 below.
Table 1 Simplified processes for "Text-to-Data"
The more accurate and detailed representation of both method and process is shown in the previous Quarterly Report [6].

3. Year 2: Focus of Quarter 2


3.1 Workplan for Year 2


Year 2 began with a review of rules and methods we have developed for extracting data from key documents and creating the linked database. This allows us to create (i) initial exploratory tools for analysis of system information, and (ii) a core dependency structure matrix (DSM) of the cyber-physical system by identifying the first-level information dependencies in Figure 4. Earlier we presented an initial draft of the DSM,

3.2 Analysis of Dependency Matrix
The dependency matrix will be (a) examined closely and validated, (b) further transformed as needed into clusters and partitions of structure and process in order to (c) explore properties that reveal interconnections and "hidden features". It is also the basis upon which added policy imperatives - also in text form - are incorporated later on in expanded DSM forms.

3.2 Tasks & Accomplishments of Year 2 Quarter 2
Throughout Quarter 2, Year 2, we focused on important research steps:
* correctives;
* replicating structured DSM model;
* extensions;
* general applications of new method;
* validation of initial structural model;
* the automation issue.


4. References and Supporting Policy Documents

4.1 References


[1] Executive Office of the President. 2017. Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. E.O. 13800 of May 11, 2017; 82 FR 22391. Washington, DC: THE WHITE HOUSE. https://www.federalregister.gov/d/2017-10004

[2] Executive Office of the President. 2019. Securing the Information and Communications Technology and Services Supply Chain. E.O. 13873 of May 15, 2019; 84 FR 22689. Washington, DC: THE WHITE HOUSE. https://www.federalregister.gov/d/2019-10538

[3] John S. McCain National Defense Authorization Act for Fiscal Year 2019. Public Law No: 115-232 (08/13/2018). https://www.congress.gov/bill/115th-congress/house-bill/5515

[4] National Defense Authorization Act for Fiscal Year 2018. Public Law No: 115-91. https://www.congress.gov/115/plaws/publ91/PLAW-115publ91.pdf

[5] National Institute of Standards and Technology. 2018. Framework for Improving Critical Infrastructure Cybersecurity ver 1.1. Gaithersburg, MD: National Institute of Standards and Technology. https://doi.org/10.6028/NIST.CSWP.04162018

[6] Choucri, N. 2019. Analytics for Cyber-Physical System Cybersecurity: July 2019 (Y2 Q1). https://cps-vo.org/node/61552

[7] Choucri, N. 2018. Analytics for Cyber-Physical System Cybersecurity: June 2018 (Q1). https://cps-vo.org/node/54641

[8] Choucri, N. 2018. Analytics for Cyber-Physical System Cybersecurity: October 2018 (Q2). https://cps-vo.org/node/56209

[9] Choucri, N. 2019. Analytics for Cyber-Physical System Cybersecurity: January 2019 (Q3). https://cps-vo.org/node/57492

[10] Choucri, N. 2019. Analytics for Cyber-Physical System Cybersecurity: April 2019 (Q4). https://cps-vo.org/node/60244

4.2 Supporting Policy Documents

[1] Joint Task Force. 2018. Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy, SP 800-37 Rev. 2. Gaithersburg, MD: National Institute of Standards and Technology. https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/final

[2] Joint Task Force Transformation Initiative. 2014. Security and Privacy Controls for Federal Information Systems and Organizations, SP 800-53 Rev. 4. Gaithersburg, MD: National Institute of Standards and Technology. https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final

[3] The Smart Grid Interoperability Panel-Smart Grid Cybersecurity Committee. 2014. Guidelines for Smart Grid Cybersecurity, NISTIR 7628 Rev. 1. Gaithersburg, MD: National Institute of Standards and Technology. https://csrc.nist.gov/publications/detail/nistir/7628/rev-1/final

[4] Smart Grid and Cyber-Physical Systems Program Office and Energy and Environment Division, Engineering Laboratory. 2014. NIST Framework and Roadmap for Smart Grid Interoperability Standards, Release 3.0, SP 1108 Rev. 3. Gaithersburg, MD: National Institute of Standards and Technology. http://dx.doi.org/10.6028/NIST.SP.1108r3

[5] North American Electric Reliability Corporation. 2019. Critical infrastructure protection (CIP) Standards. https://www.nerc.com/pa/Stand/Pages/CIPStandards.aspx

[6] National Vulnerability Database [Online Database]. Gaithersburg, MD: National Institute of Standards and Technology. https://nvd.nist.gov

[7] Office of Cybersecurity, Energy Security, and Emergency Response. 2014. Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2), Ver 1.1. Washington, DC: US Department of Energy. https://www.energy.gov/ceser/activities/cybersecurity-critical-energy-infrastructure/energy-sector-cybersecurity-0-1

[8] Vulnerability Metrics, Gaithersburg, MD: National Institute of Standards and Technology. https://nvd.nist.gov/vuln-metrics/cvss