Visible to the public Policy Analytics for Cybersecurity of Cyber-Physical Systems: April 2022 (Y4, Q4)

Submitted by Nazli Choucri on Tue, 05/10/2022 - 2:46pm

Funding Type: Full proposal
Start Date: March 01, 2018
Expected Completion Date: April 30, 2023
Principal Investigator: Nazli Choucri
Public View

Accomplishments

Accomplishments during this reporting period: January 2022 - April 2022 (Year 4: Quarter 4) are summarized in this report.

Table of Contents

1. Project Problem and Objectives

1.1 Purpose: Multi-Method Data-Based Analytics for Policy

2. Operational Challenges

3. Re-View - Policy Ecosystem

3.1 Mapping CSF System & Operations

3.2 Detail Mapping: Test-Case System Structure & Linkage

4. Complexity of Cybersecurity Policy Ecosystem

5. End Note: What, Why, Where, When, How

1. Project Problem & Objectives

The hard problem of this project is policy governed secure collaboration. The purpose is to develop empirical methods to reduce barriers to operation of cybersecurity policies for cyber-physical systems. The focus is on analytics and applications. The approach is data-based and multimethod. The broader context is the divers, complex, and dense ecosystem cybersecurity-related policies and issuances for US Department of Defense, shown in the Figure below.

In this context we highlight that:

Cybersecurity policies are developing faster than their implementation.

  • The lag is due in large part to barriers for user-access to guidelines. Operational directives often are located in in different documents across the policy eco-system.
  • Barriers of any type reduce the value of policies to protect systems (and users) from known vulnerabilities in their operations

Policies are usually articulated and presented in text form.

  • Text means word after word, sentence after sentence etc. This form impedes precision and effective targeting to guidelines for "solution" of system "problem"
  • Capturing the value of policy depends on the precise representation of system-state and accurate understanding the existing vulnerabilities and their impacts.

Directives are often distributed across different policy documents

  • They can also be interconnected and difficult to situate
  • Creating burden on users for targeted implementation.

Our project seeks to develop analytics to "cut through" a complex policy ecosystem of security architecture.

1.1 Purpose: Multi-method Data-Based Analytics for Policy

It is difficult to overestimate the complexity of developing and implementing cybersecurity policies for cyber-physical systems. While considerable advances have been made, but these remain conceptual and descriptive and for the most part underspecified. This creates a dilemma for analysis and implementation. - and especially for specifying with some precision what is to be done, why, when and where as well as how.

We address the dilemma by developing a multimethod data-based approach to support policy analytics of metrics for model to assist the user in understanding and implementing policy directives for cybersecurity.

Operationally, we create a suite of analytics-for-policy with new operational methods to:

  • Transend constraints of policy-as text
  • Transform text into metrics
  • Construct models of the system-state (the test case) based on system metrics
  • Connect models to implementation directives
  • Enable effective linkages among policy directives for cybersecurity
  • Target specific "directive" to specific system problem-point.

2. Operational Challenges

At the onset we recognized three "high level" challenges, the resolution of which is essential for the research design and the proof of concept.

First, to be rendered compliant with the CSF, the system domains and the relevant properties must be identified clearly. This is essential in order to "map" the appropriate CSF directive on to the intended system property. The challenge is to create a representations of system properties in metric terms to create a system model.

Second, while for the most part the CSF directives are clearly stated and rich in details, as noted, the essential information is distributed across the entire cybersecurity policy ecosystem. The challenge is reducing the burden on users for locating directive of relevance of properties of system state.

Third, is to create the operational alignment of CSF directives on to system state, in this test case, namely smart grid for elect power systems. The challenge is that this must be done for system properties, at all levels of aggregation, and in all policy relevant details of properties of system state.

3. Re-View - Policy Ecosystem

Early on we introduced the policy ecosystem for the project. The figure below shows the nine documents above distributed across phase of the project research design. It identifies once more the systems specific policy documents (pertaining to the test case) in contrast to broader, more generic policy documents.

This is important as it differentiates between sector-specific directives and those that cut across all sectors -thus of broader use and general applications for cybersecurity policy overall.

3.1 Mapping CSF System & Operations

The figure below shows a highly stylized view of sequence in applications of CSF for contextual purposes largely.

3.2 Detail Mapping: Test-Case System Structure & Linkage

The Figure below shows the "details" of smart grid system structure and linkages for policy.

The test case must then be embedded in the directives d for implementation of CSF. Note the identifiers of individual policy documents, type of policy directive, and connection to system property. This involves a differentiation and disaggregation of system property and of policy directives.

4. Complexity of Cybersecurity Policy Ecosystem

The complexity of implementing CSF consists of:

(1) dependencies that are fundamental to implementation CSF,

(2) identity of individual documents,

(3) functions provided in each document,

(4) interfaces in the system structure, and

(5) the high degree of testability

5. End Note: What, Why, Where, When, How

Another way of summarizing the approach and highlighting what is being done, is by addressing what, why, where, when, and how:

  • What is about creating a data-based structure and model of the reference system and its domains from detailed text representations provided by NIST
  • Why is about transforming the data-based structure into a network model --- examine its statistical properties -- in order to serve as a platform to situate vulnerabilities and impacts, as well as security objectives and requirements
  • Where is about locating and extracting information from the ecosystem of CSF policy documents of directives pertaining vulnerabilities and impacts, security objectives and requirements,
  • When to implement the CSF directives is contingent on the completion of the network model on the one hand, and compilation of vulnerabilities and security objectives, on the other
  • How is about the use of the system network model to identify and align security requirements to system properties within and across domains.

Groups: