Policy Analytics for Cybersecurity of Cyber-Physical Systems: January 2021 (Y3, Q3)

Funding Type: Full proposal
Start Date: March 01, 2018
Expected Completion Date: April 30, 2020
Principal Investigator: Nazli Choucri

Accomplishments

Accomplishments during this reporting period, October 2020 - January 2021 (Year 3, Quarter 3), are presented according to the contents below.

Table of Contents

1. Project Objectives

1.1 Problem & Purpose

1.2 Operational Focus

1.3 Research Design

2. New NIST Revision/New Data - Impacts on Research Design

2.1 New Imperative

3. Result of Year 3, Quarter 3: Essential Update

3.1 Critical Connectivity

3.2 Context: Year 3 - Work Plan

4. The "Re-do" Tasks: Year 3, Quarter 3

5. References


1. Project Objectives

This Quarterly Report can best be understood in the context of the overall project objectives - problems and purpose. Table 1 shows an overview of the project.

Table 1. Project Overview

1.1 Problem & Purpose

Policy documents, guidelines, directives, and regulations are routinely presented in text form, page-by-page and word-by-word, and supported by figures, diagrams, and tables as needed. Rooted in legal tradition, this practice reinforces a linear logic, usually with a checklist for meeting requirements.

The paradox is that the text form is an impediment to the implementation of policies and directives and creates opportunity costs. Table 2 lists generic opportunity costs of text-based policy documents.

Table 2. Opportunity Costs

1.2 Operational Focus

The focus is situated on users and the Cybersecurity Framework (CSF) [1] in order to facilitate access to, and the use of, CSF.

The Cybersecurity Framework is mandatory in the public sector (see [2]) and greatly encouraged for the private sector. However, the mission-specific application is left to the user, with only general guidance provided by CSF directives. The goal is to provide tools to facilitate policy implementation. Operationally, our goal is to develop analytics for cybersecurity policies and guidelines designed to:

a. Extract knowledge embedded in policy guidelines,

b. Explore implications of policy directives, and

c. Reduce, if not eliminate, the opportunity costs shown in Table 2.

While our applications for method development and testing focus on one complex and pervasive cyber-physical system - the smart grid for electric power systems - the problem defined and the methods developed are generic in form.

We selected this application because of its salience and, importantly, in order to build on the extensive work done by NIST. It is an excellent main application of the Cybersecurity Framework.

1.3 Research Design

The research design is modular and anchored in a structured model of properties for complex cyber-physical systems. The design and analyses are generic in the sense that they are relevant to, and provide insights for, the cybersecurity of various complex cyber-physical systems. Figure 1 presents a simplified view.

Figure 1. Overall Project Design - Simplified


2. New NIST Revision/New Data - Impacts on Research Design

2.1 New Imperative

In September 2020, NIST released Version 5 of its document 800-53: NIST SP 800-53, Rev. 5, Security and Privacy Controls for Information Systems and Organizations. By that time, we had completed the task of using NIST 800-53 Version 4 to connect CSF requirements to necessary controls.

This was a necessary step in the overall sequence of the research design (listed below):

a. Text-to-Data

b. Data-to-Framework

c. Framework-to-Metrics

d. Metrics-to-Model

e. Model-to-Analytics

By necessity, we must now "re-do" the process that connects policy requirements to control mechanisms. This is essential to advance down from (a), above, to (e)--thereby completing a full application.

3. Result of Year 3, Quarter 3: Essential Update

Recall that the linkage method - presented in a previous quarterly report - is designed to create an integrated database, extracted from the nine documents shown in Figure 2. It consists of a specific set of variables that represent:

  • System State, "as-is," focusing on system actors and activities (labelled as nodes) and logical interfaces among them
  • Security Objectives, as stated by NIST
  • Impact Level on nodes and logical interfaces
  • Security Requirements for nodes and logical interfaces
  • Vulnerability Classes that may affect a node or logical interface
  • Situation of Cybersecurity Framework functions and subcategories on nodes and the logical interface(s) between any two nodes

3.1 Critical Connectivity

The central role of the NIST 800-53 document, listed as (2) below, cannot be overstated. Its revision by NIST necessitates a "re-do" of our research following the "as-is" system state analysis.

Figure 2. Smart Grid Cybersecurity Directives

3.2 Context: Year 3 - Work Plan

Year 3 is designed to examine system structure and the process of information flows, technical architecture, and system management, focusing on (i) Framework-to-Metrics and (ii) Metrics-to-Model. Specifically, the goal is to:

a. Analyze in detail the system-wide structure and information flows,

b. Generate visual representations of structure and information flows using graph theory and network models & methods,

c. Use these representations to identify critical nodal or control points (direct or indirect) that may be targets for policy or targets for unwanted interventions, and to the extent possible,

d. Distinguish between factors related to human/management versus technical operations/connections.

The foundation for the analysis in Year 3 is the framework DSM.

4. The "Re-do" Tasks: Year 3, Quarter 3

The steps above, completed in Year 3, Quarter 2, would, in principle, enable us to:

a. Identify critical control points for each node & logical interface based on the:

i. Centrality of nodes based on logical interfaces

ii. Calculation & consolidation of impact scores for each C-I-A security objective.

b. Locate and consolidate security requirements for each C-I-A security objective

c. Create representations of additional data generated in (c) and (d) for both DSM and network views.
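
An added sketch of steps (a.i) and (a.ii) above, not the project's own code: it builds a DSM from logical interfaces, scores nodes by degree centrality, and consolidates C-I-A impact per node. The node names, impact ratings, the choice of degree centrality, and the high-water-mark consolidation rule are all assumptions made for illustration.

```python
from collections import defaultdict

LEVELS = {"L": 1, "M": 2, "H": 3}            # Low / Moderate / High
NAMES = {v: k for k, v in LEVELS.items()}

# Constructed sample data: (node_a, node_b, impact per C-I-A objective).
# Names and ratings are illustrative, not taken from the project database.
INTERFACES = [
    ("Meter", "AMI Headend", {"C": "L", "I": "H", "A": "M"}),
    ("AMI Headend", "MDMS", {"C": "M", "I": "H", "A": "L"}),
    ("AMI Headend", "Outage Mgmt", {"C": "L", "I": "M", "A": "H"}),
    ("MDMS", "Billing", {"C": "H", "I": "M", "A": "L"}),
]

def build_dsm(interfaces):
    """Return (sorted node list, symmetric 0/1 matrix of logical interfaces)."""
    nodes = sorted({n for a, b, _ in interfaces for n in (a, b)})
    idx = {n: i for i, n in enumerate(nodes)}
    dsm = [[0] * len(nodes) for _ in nodes]
    for a, b, _ in interfaces:
        dsm[idx[a]][idx[b]] = dsm[idx[b]][idx[a]] = 1
    return nodes, dsm

def degree_centrality(nodes, dsm):
    """Share of the other nodes each node has a logical interface with."""
    return {n: sum(row) / (len(nodes) - 1) for n, row in zip(nodes, dsm)}

def consolidate_impact(interfaces):
    """Assumed rule: a node inherits the highest impact level, per
    objective, found on any logical interface it terminates."""
    worst = defaultdict(lambda: {"C": 1, "I": 1, "A": 1})
    for a, b, impact in interfaces:
        for node in (a, b):
            for obj, lvl in impact.items():
                worst[node][obj] = max(worst[node][obj], LEVELS[lvl])
    return {n: {o: NAMES[v] for o, v in s.items()} for n, s in worst.items()}

def critical_control_points(interfaces, top=1):
    """Rank nodes by centrality, then by total consolidated impact."""
    nodes, dsm = build_dsm(interfaces)
    cent = degree_centrality(nodes, dsm)
    impact = consolidate_impact(interfaces)
    total = lambda n: sum(LEVELS[v] for v in impact[n].values())
    ranked = sorted(nodes, key=lambda n: (-cent[n], -total(n), n))
    return [(n, cent[n], impact[n]) for n in ranked[:top]]

if __name__ == "__main__":
    for name, cent, impact in critical_control_points(INTERFACES, top=2):
        print(name, cent, impact)
```
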

However, the new and critical imperative is to "re-do" the connections, taking into account NIST 800-53 Rev. 5.

This unexpected but essential deviation from the research plan prevented us from proceeding to the next step--beyond the DSM of the "as-is" system. The irony is that we had indeed "gone beyond" this step using Version 4 of the NIST 800-53 and its document connecting functions.

The challenge is to identify the critical features of Rev. 5 and compare these to Rev. 4 to determine the differences; in any event, to "re-do."

We have completed the "re-do" situation directly related to the document Rev. 5. We now have to "re-do" the role and function of Rev. 5 throughout our research design.

5. References

[1] National Institute of Standards and Technology (NIST). 2018. Framework for Improving Critical Infrastructure Cybersecurity. Version 1.1. https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf

[2] U.S. President. Executive Order. "Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, Executive Order 13800 of May 11, 2017." Federal Register Vol. 82, No. 93 (May 11, 2017): 22391-22397. https://www.federalregister.gov/d/2017-10004.