Policy Analytics for Cybersecurity of Cyber-Physical Systems: July 2020 (Y3, Q1)

Funding Type: Full proposal
Start Date: March 01, 2018
Expected Completion Date: April 30, 2020
Principal Investigator: Nazli Choucri

Accomplishments

Accomplishments during this reporting period, April 01, 2020 -- July 31, 2020 (Year 3: Quarter 1), are presented following the outline below.

Table of Contents

1. Project Overview

1.1 Problem & Purpose
1.2 Research Design

2. Highlights of Years 1-2

2.1 Text-to-Data
2.2 Data-to-Framework

3. Note on Relevance to Enterprise

3.1 Completion of Database

4. Year 3 Work Plan - Overview

5. Program Outreach Activities

6. References

1. Project Overview

1.1 Problem & Purpose

Policy documents, guidelines, directives, and regulations are routinely presented in text form, page-by-page and word-by-word, supported by figures, diagrams, and tables as needed. Rooted in the legal tradition, this practice reinforces a linear logic, usually with a checklist for meeting requirements.

The paradox is that the text form is an impediment to the implementation of policies and directives and creates opportunity costs. The generic opportunity costs of text-based policy documents are listed in Table 1.

Table 1: Opportunity Costs

This project supports the national strategy for cybersecurity, as outlined in Presidential Executive Orders (EXORD) [1-2] and the National Defense Authorization Acts (NDAAs) [3-5]. This focus is situated between users and the Cybersecurity Framework (CSF) [6] in order to facilitate access to, and use of, CSF.

The Cybersecurity Framework is mandatory in the public sector (see [1]) and strongly encouraged for the private sector. However, the mission-specific application is left to the user, with only general guidance provided by CSF directives. The goal is to provide tools that facilitate policy implementation. Operationally, our goal is to develop analytics for cybersecurity policies and guidelines designed to:

a. Extract knowledge embedded in policy guidelines,

b. Explore implications of policy directives, and

c. Reduce, if not eliminate, the opportunity costs shown in Table 1.

1.2 Research Design

The research design is organized in modular terms, anchored in a structured model of properties for complex cyber-physical systems. The design and analyses are generic in the sense that they are relevant to, and provide insight for, the cybersecurity of various complex cyber-physical systems. The research design for the entire project, in a simplified form, is shown in Figure 1.

Figure 1. Overall Project Design

2. Highlights of Years 1-2

In Year 1, we aligned our project to national policy by consolidating our vision and mission around EXORD [1-2] and NDAA [3-5] statements, detailed in the Year 2, Quarter 1 report [7-10] and presented at the 2019 Summer Science of Security Privacy Quarterly Meeting at the University of Kansas [11]. This alignment ensures that the project remains anchored in national policy. Specifically, we refined the foundations for cybersecurity analytics to better:

a. Identify the policy relevant ecosystem;

b. Formalize rules for extracting data from text;

c. Identify missing pieces for implementation of cybersecurity measures.

By the end of Year 1, we converged on the best operational sequence for a test-bed for method development, focused on the cybersecurity of the smart grid for electric power systems. Nonetheless, the methods and approaches of this project are not tied to specific types of policies, guidelines, or directives.

The refinement of the research design yielded a robust proof-of-concept for both the content and sequence of steps in our analytics for policy. The design now consists of specific tasks:

a. Text-to-Data

b. Data-to-Framework

c. Framework-to-Metrics

d. Metrics-to-Model

e. Model-to-Analysis

The method is generic and is essential for any application. It must be completed before it is customized for a specific enterprise.

By the end of Year 2, we had completed the first two tasks: (i) Text-to-Data, and (ii) Data-to-Framework, as summarized below.

2.1 Text-to-Data

The Text-to-Data task during Year 1 yielded a linked database of nine policy documents, as presented in an earlier report. The documents listed in Table 2 are of three types:

a. General, or sector-independent, policy directives and guideline documents relevant to any system or enterprise (in column 1).

b. Guidelines and directives documents specific to operations and cybersecurity of smart grid for electric power systems (column 2).

c. Policy documents for enterprise specific application of NIST Cybersecurity Framework (as identified in column 1) to the electric smart grid enterprise (as identified in column 3).

Table 2. Core NIST Documents for Cybersecurity Sources: [6, 12-19]

2.2 Data-to-Framework

Year 2 focused on data organization and metrics for the Data-to-Framework, the system "as-is," namely, to:

a. Construct an internally consistent structure and framework for organizing, metricizing, and managing critical information, and

b. Create an initial, baseline, design structure matrix (DSM) of the cyber-physical system.

3. Note on Relevance to Enterprise

3.1 Completion of Database

If an enterprise uses our linked database and seeks to customize the results to its own properties, then it must incorporate enterprise specific knowledge into the essential structure of the cybersecurity directives.

In this case, it means that the enterprise must:

a. Map its own system to the NIST "as-is" system. Given that our work is based on sector-independent framework and guideline documents, any enterprise that intends to use the work will need to map its own system components and policies to the relevant reference documents.

b. Identify system-specific vulnerabilities. Based on the mapping above, an enterprise will also need to develop an assessment of the threat landscape as well as of the vulnerabilities identified by, and known to, the system owners.

In this connection, the methods we develop and the tools we provide would greatly facilitate the task of the enterprise.


4. Year 3 Work Plan - Overview

Overall, our next task in Year 3 is to examine the system structure and the process of information flows, the technical architecture, and system management, focusing on (i) Framework-to-Metrics and (ii) Metrics-to-Model. Specifically, we will:

a. Analyze in detail the system-wide structure and information flows,

b. Generate visual representations of structure and information flows using graph theory and network models and methods,

c. Use these representations to identify critical nodal or control points (direct or indirect) that may be targets for policy or targets for unwanted interventions, and, to the extent possible,

d. Distinguish between human/management and technical operations/connections.
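The following is an added illustration, not the project's own code or data, of how the baseline design structure matrix (DSM) from Section 2.2 can support the Year 3 tasks above: a DSM over a small constructed set of smart-grid nodes is walked to rank candidate control points by downstream reach, with management and technical nodes reported separately. The node names, their human/technical labels, and the dependency edges are all constructed for the example.

```python
"""Added example (not the project's code): rank control points in a toy DSM."""
from collections import deque

# Constructed sample nodes; "management" vs "technical" is the human/technical
# distinction the work plan asks for.
NODES = ["Policy Office", "SOC Analyst", "SCADA Master",
         "Substation RTU", "Meter Head-End", "Smart Meter"]
KIND = {"Policy Office": "management", "SOC Analyst": "management",
        "SCADA Master": "technical", "Substation RTU": "technical",
        "Meter Head-End": "technical", "Smart Meter": "technical"}
# Constructed directed information flows: (source, target).
EDGES = [("Policy Office", "SOC Analyst"), ("SOC Analyst", "SCADA Master"),
         ("SCADA Master", "Substation RTU"), ("SCADA Master", "Meter Head-End"),
         ("Meter Head-End", "Smart Meter")]


def build_dsm(nodes, edges):
    """Square 0/1 matrix: dsm[i][j] == 1 means node i feeds node j."""
    idx = {n: i for i, n in enumerate(nodes)}
    dsm = [[0] * len(nodes) for _ in nodes]
    for src, dst in edges:
        dsm[idx[src]][idx[dst]] = 1
    return dsm


def downstream(dsm, nodes, start):
    """Set of nodes reachable from `start` along information-flow edges (BFS)."""
    idx = {n: i for i, n in enumerate(nodes)}
    seen, queue = set(), deque([start])
    while queue:
        row = dsm[idx[queue.popleft()]]
        for j, flag in enumerate(row):
            if flag and nodes[j] not in seen:
                seen.add(nodes[j])
                queue.append(nodes[j])
    return seen


def control_points(dsm, nodes, kind):
    """Rank nodes by how many others they can influence, split by kind.

    A node with large downstream reach is a candidate control point: a lever
    for policy, and equally a place where an unwanted intervention propagates.
    """
    reach = {n: len(downstream(dsm, nodes, n)) for n in nodes}
    ranked = sorted(nodes, key=lambda n: -reach[n])  # stable: ties keep order
    return {k: [(n, reach[n]) for n in ranked if kind[n] == k]
            for k in ("management", "technical")}
```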

5. Program Outreach Activities

The team began working on three independent outreach activities focusing on:

a. Educational outreach for cybersecurity

b. Cyber-International Relations System for Knowledge, Policy & Sustainability

c. Specific collaboration with NSA SoS Champion

6. References

[1] U.S. President. Executive Order. "Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, Executive Order 13800 of May 11, 2017." Federal Register Vol. 82, No. 93 (May 11, 2017): 22391-22397. https://www.federalregister.gov/d/2017-10004.

[2] U.S. President. Executive Order. "Securing the Information and Communications Technology and Services Supply Chain, Executive Order 13873 of May 15, 2019." Federal Register Vol. 84, No. 96 (May 17, 2019): 22689-22692. https://www.federalregister.gov/d/2019-10538.

[3] National Defense Authorization Act for Fiscal Year 2020. Public Law No: 116-92. https://www.congress.gov/bill/116th-congress/senate-bill/1790.

[4] John S. McCain National Defense Authorization Act for Fiscal Year 2019. Public Law No: 115-232. https://www.congress.gov/bill/115th-congress/house-bill/5515/text

[5] National Defense Authorization Act for Fiscal Year 2018. Public Law No: 115-9. https://www.congress.gov/bill/115th-congress/house-bill/2810/text

[6] National Institute of Standards and Technology (NIST). 2018. Framework for Improving Critical Infrastructure Cybersecurity. Version 1.1. https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf

[7] Choucri, Nazli. 2018. "Analytics for Cyber-Physical System Cybersecurity: June 2018 (Q1)." April 10. https://cps-vo.org/node/54641.

[8] Choucri, Nazli. 2018. "Analytics for Cyber-Physical System Cybersecurity: October 2018 (Q2)." October 09. https://cps-vo.org/node/56209.

[9] Choucri, Nazli. 2018. "Analytics for Cyber-Physical System Cybersecurity: January 2019 (Q3)." December 17. https://cps-vo.org/node/57492.

[10] Choucri, Nazli. 2018. "Analytics for Cyber-Physical System Cybersecurity: April 2019 (Q4)." April 10. https://cps-vo.org/node/60244.

[11] Choucri, Nazli. 2019. "Analytics for Cyber-Physical Systems." Presented at 2019 Summer Science of Security and Privacy Quarterly Meeting at KU. July 9-10. https://cps-vo.org/node/61617

[12] National Institute of Standards and Technology (NIST). 2015. Security and Privacy Controls for Federal Information Systems and Organizations. Special Publication 800-53 Rev. 4. https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final

[13] FIRST. 2020. "Common Vulnerability Scoring System Version 3.1 Calculator." https://www.first.org/cvss/calculator/3.1. Last accessed March 29, 2020.

[14] National Institute of Standards and Technology (NIST). 2014. Guidelines for Smart Grid Cybersecurity. NISTIR 7628 Rev. 1. https://csrc.nist.gov/publications/detail/nistir/7628/rev-1/final

[15] National Institute of Standards and Technology (NIST). 2014. NIST Framework and Roadmap for Smart Grid Interoperability Standards, Release 3.0. Special Publication 1108r3. https://www.nist.gov/system/files/documents/smartgrid/NIST-SP-1108r3.pdf

[16] North American Electric Reliability Corporation (NERC). 2020. Critical Infrastructure Protection (CIP) Standards. https://www.nerc.com/pa/Stand/Pages/CIPStandards.aspx. Last accessed March 29, 2020.

[17] National Institute of Standards and Technology (NIST). 2018. Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. Special Publication 800-37 Rev. 2. https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/final

[18] National Institute of Standards and Technology (NIST): Information Technology Laboratory. 2020. "National Vulnerability Database". https://nvd.nist.gov. Last accessed March 29, 2020.

[19] U.S. Department of Energy (DOE). 2014. Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2). Version 1.1. https://www.energy.gov/ceser/activities/cybersecurity-critical-energy-infrastructure/energy-sector-cybersecurity-0-1