Policy Analytics for Cybersecurity of Cyber-Physical Systems: April 2020 (Y2, Q4)
Funding Type: Full proposal
Start Date: March 01, 2018
Expected Completion Date: April 30, 2020
Principal Investigator: Nazli Choucri
Accomplishments
Accomplishments during this reporting period, January 01, 2020 -- March 31, 2020 (Year 2: Quarter 4), are presented following the outline below.
Table of Contents
1. Project Overview: Analytics for Cybersecurity Strategy & Policy
1.1 Problem Statement
1.2 Project Purpose
1.3 Operational Focus
1.4 Research Design
2. Summary of Progress to Date as Context for Year 2, Quarter 4
3. Tasks & Accomplishments of Year 2, Quarter 4
3.1 Completion of Database
3.2 Essential Structure for Enterprise Cybersecurity
3.2.1 Utility to the enterprise is as follows
3.2.2 What is required from the enterprise?
4. Work Plan for Year 3 (April 2020-March 2021)
5. References
1. Project Overview
1.1 Problem Statement
As a general practice, guidelines, directives, and policy documents are presented in text form, page-by-page and word-by-word--supported with figures, diagrams and tables as needed. Rooted in the legal tradition, this practice reinforces a linear logic where sequence dominates in terms of a checklist for meeting requirements. The paradox is that the checklist per se constitutes an impediment to implementation of policies and directives.
Table 1 highlights the basic features of the problem statement, presented in the form of opportunity costs. These opportunity costs are generic in nature and hold for all text-based policy documents, guidelines, and directives.
Table 1: Opportunity Costs
1.2 Project Purpose
The overarching purpose of this project is to support the national strategy for cybersecurity, as outlined in Presidential Executive Orders (EXORD) [1-2] and the National Defense Authorization Acts (NDAAs) [3-5]. Operationally, our goal is to develop analytics for cybersecurity policies and guidelines targeted specifically to:
(a) Reduce, if not eliminate entirely, the opportunity costs in Table 1,
(b) Extract knowledge embedded in policy guidelines, and
(c) Assist user communities, analysts, and operators in their implementation.
1.3 Operational Focus
We situate this research project at the interface of users and the Cybersecurity Framework (CSF) [6] in order to facilitate access to, and use of, the CSF. The CSF is mandatory for federal agencies and strongly encouraged for the private sector. It provides general guidance and directives of a broadly defined nature, but the mission-specific application is left to the user, who must proceed as best determined with only that general guidance.
The general purpose here is to help users and, in the process, provide tools to explore mission-related properties, concerns, or contingencies. For this reason, we have designed the entire project with a modular frame, anchored in a structured model of system properties. Different users may have different requirements and/or draw on results (or products) generated at different phases of this project.
1.4 Research Design
To introduce the results of Year 2, Quarter 4, we note once more the research design for the entire project, as simplified in Figure 1.
Figure 1. Overall Project Design
In an earlier report we also identified the key NIST and other documents for our investigations. A revised, updated version is shown in Figure 2.
Figure 2. Core NIST Documents for Cybersecurity. Sources: [6-14]
2. Summary of Progress to Date as Context for Year 2, Quarter 4
As in Year 1, we aligned our project with national policy by consolidating our vision and mission around the EXORD [1-2] and NDAA [3-5] statements, shown in the Report for Year 2, Quarter 1 [15] (https://cps-vo.org/node/61552) and presented at the Summer 2019 Science of Security and Privacy Quarterly Meeting at the University of Kansas [16]. This alignment ensures that our project remains anchored in national policy priorities. The test-bed for method development focuses on cybersecurity of the smart grid for electric power systems. However, we stress that the methods and approaches of this project are not tied to specific types of policies, guidelines, or directives.
In general, the research design must always meet some "proof of concept" for robustness at the operational stage. The refinement of operational steps throughout Y2, Quarters 1-3 yielded a robust proof-of-concept for both the sequence and content of each research component, namely:
(a) Text-to-Data
(b) Data-to-Framework
(c) Framework-to-Metrics
(d) Metrics-to-Model
(e) Model-to-Analytics
3. Tasks and Accomplishments of Year 2, Quarter 4
3.1 Completion of Database
Consistent with our research plan, in Quarter 4 of Year 2, the database for Smart Grid cybersecurity has been completed -- based on the essential method defined earlier. The method is now organized into five modules as follows:
- Module 1: "As-Is" System State
- Module 2: Security Objectives & Impact Level
- Module 3: Security Requirements
- Module 4: Vulnerability Classes
- Module 5: Cybersecurity Framework
3.2 Essential Structure for Enterprise Cybersecurity
At this point, the team focused again on two essential "So What?" questions:
(a) What is the utility of this research to an enterprise?
(b) What is required from an enterprise to utilize the work for their context?
3.2.1 Utility to the enterprise is as follows:
First, the research allows the enterprise to identify the sub-categories of the NIST Cybersecurity Framework [6] that are applicable to a specific logical interface and its actors, based on the informative references between NIST CSF sub-categories and the security controls of NIST SP 800-53 Rev. 4 [7].
Second, it enables the assessment of cybersecurity implementation. The enterprise profile becomes more quantitative as well as traceable, because each sub-category can be linked to the current implementation state of selected NIST SP 800-53 [7] security controls.
Third, this work enhances enterprise risk management because it allows for:
(a) Use of a standards-based approach (the NIST Risk Management Framework [12] and the Common Vulnerability Scoring System, CVSS, Version 3.1 [8]) for quantification of cybersecurity vulnerabilities, and
(b) Determination of vulnerability impacts and their quantification as well.
3.2.2 What is required from the enterprise?
If an enterprise uses the modular database system we have developed, and seeks to customize the results to its own properties, then it is necessary to incorporate enterprise specific knowledge into the Essential Structure of Cybersecurity Directives.
4. Work Plan for Year 3 (April 2020-March 2021)
Our tasks in Year 3 are to examine the dependencies of information flows and technical architecture.
(a) Analyze in detail the system-wide information flows,
(b) Generate visual representations of information flows using graph theory and network models and methods,
(c) Use these representations to identify critical nodal or control points,
(d) Distinguish between human/management vs. technical operations and connections, and
(e) Identify modalities of interface or integration of human and technical systems.
5. References
[1] U.S. President. Executive Order. "Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, Executive Order 13800 of May 11, 2017." Federal Register Vol. 82, No. 93 (May 11, 2017): 22391-22397. https://www.federalregister.gov/d/2017-10004.
[2] U.S. President. Executive Order. "Securing the Information and Communications Technology and Services Supply Chain, Executive Order 13873 of May 15, 2019." Federal Register Vol. 84, No. 96 (May 17, 2019): 22689-22692. https://www.federalregister.gov/d/2019-10538.
[3] National Defense Authorization Act for Fiscal Year 2020. Public Law No: 116-92. https://www.congress.gov/bill/116th-congress/senate-bill/1790.
[4] John S. McCain National Defense Authorization Act for Fiscal Year 2019. Public Law No: 115-232. https://www.congress.gov/bill/115th-congress/house-bill/5515/text
[5] National Defense Authorization Act for Fiscal Year 2018. Public Law No: 115-91. https://www.congress.gov/bill/115th-congress/house-bill/2810/text
[6] National Institute of Standards and Technology (NIST). 2018. Framework for Improving Critical Infrastructure Cybersecurity. Version 1.1. https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
[7] National Institute of Standards and Technology (NIST). 2015. Security and Privacy Controls for Federal Information Systems and Organizations. Special Publication 800-53 Rev. 4. https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final
[8] FIRST. 2020. "Common Vulnerability Scoring System Version 3.1 Calculator." https://www.first.org/cvss/calculator/3.1. Last accessed March 29, 2020.
[9] National Institute of Standards and Technology (NIST). 2014. Guidelines for Smart Grid Cybersecurity. NISTIR 7628 Rev. 1. https://csrc.nist.gov/publications/detail/nistir/7628/rev-1/final
[10] National Institute of Standards and Technology (NIST). 2014. NIST Framework and Roadmap for Smart Grid Interoperability Standards, Release 3.0. Special Publication 1108r3. https://www.nist.gov/system/files/documents/smartgrid/NIST-SP-1108r3.pdf
[11] North American Electric Reliability Corporation (NERC). 2020. Critical Infrastructure Protection (CIP) Standards. https://www.nerc.com/pa/Stand/Pages/CIPStandards.aspx. Last accessed March 29, 2020.
[12] National Institute of Standards and Technology (NIST). 2018. Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. Special Publication 800-37 Rev. 2. https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/final
[13] National Institute of Standards and Technology (NIST): Information Technology Laboratory. 2020. "National Vulnerability Database". https://nvd.nist.gov. Last accessed March 29, 2020.
[14] U.S. Department of Energy (DOE). 2014. Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2). Version 1.1. https://www.energy.gov/ceser/activities/cybersecurity-critical-energy-infrastructure/energy-sector-cybersecurity-0-1