Policy Analytics for Cybersecurity of Cyber-Physical Systems: July 2022 (Y5, Q1)
Funding Type: Full proposal
Start Date: March 01, 2018
Expected Completion Date: April 30, 2023
Principal Investigator: Nazli Choucri
Accomplishments
Accomplishments during this reporting period: April 2022 - July 2022 (Year 5: Quarter 1) are summarized in this report.
Table of Contents
1. Project Problem and Objectives
2. Approach & Proof of Concept
3. Background Context for Year 5 Quarter 1
4. Completion of Basic Analytics & Proof of Concept - Year 5 Quarter 1
4.1 Completion of "Proof of Concept" Study
1. Problem & Objectives
The hard problem of this project is policy-governed secure collaboration. The purpose is to develop empirical methods to reduce barriers to the operation of cybersecurity policies for cyber-physical systems. The focus is on analytics and applications. The approach is data-based and multimethod. The broader context is the diverse, complex, and dense ecosystem of cybersecurity-related policies and issuances for the US Department of Defense, shown in the Figure below.
Figure 1: Illustrating Density of Cyber Security Policy Documents
In this context we highlight that:
- Policies are usually articulated and presented in text form.
- Directives are often distributed across different policy documents.
- The target system to which policies apply is often put forth in text form.
We have developed analytics to “cut through” a complex policy ecosystem of security architecture. The goal is to streamline policy understanding and operational implementation.
2. Approach & Proof of Concept
We have framed, developed, and tested our approach with the use of:
- NIST Cyber Security Framework (CSF) as the policy focus,
- Cyber Security Policy Ecosystem consisting of the nine critical documents introduced earlier in the Project, and signaled later below, and
- NIST Reference model for smart grid in electric power systems, based on expert panel conclusions, which serves as the test case and proof of concept.
CSF points to what has to be done and why. CSF also points to where the critical information is located in the distributed policy ecosystem; the user must work through the directives outlined by CSF for the system of interest. When is a function of the research design, as is how.
The policy directives are distributed throughout the policy ecosystem. It is extremely cumbersome for users to situate the required operational guidelines.
3. Background Context for Year 5 Quarter 1
To provide context for this quarterly report, we review work to date:
First, we began with the generic or reference case of the NIST smart grid for electric power systems (all in text form) as the test case, and:
- Created the system structure from the NIST test using a Design Structure Dependency matrix.
- Generated metrics of system properties – and interconnections among properties – in order to create a data-based representation.
- Transformed the metrics-system into a network model of the test-case.
- Applied statistical methods to explore the system in terms of structural properties (i.e. actors, domains and interfaces).
Second, we focused on the Cyber Security Framework (largely in text form) for application of the security objectives and requirements to the test-case, and:
- Identified the vulnerabilities of the system-as-is in order to situate the security objectives and requirements.
- Determined the impacts of vulnerabilities following CVSS, aggregating vulnerabilities across system domains.
- Identified the security requirements for different security objectives.
- Connected the security objectives and security requirements to the intended targets across system domains and properties.
Third, we identified and mapped the dependency structure among the critical documents in the relevant Policy Ecosystem and differentiated between sector-specific directives and those of general applications for cybersecurity policy overall.
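The first two steps above can be sketched in code. The following is an added example, not the project's own code: it builds a small dependency matrix, converts it to a directed network, computes degree metrics, and aggregates CVSS scores per domain. Domain names loosely follow the NIST smart grid conceptual model; the dependency entries, the CVSS scores, the use of the maximum as the aggregation rule, and the ranking heuristic are all assumptions made for illustration.

```python
# Constructed sample data: the dependencies and scores below are invented.
DOMAINS = ["Generation", "Transmission", "Distribution", "Customer",
           "Markets", "Operations", "Service Provider"]

# DSM[i][j] == 1 means domain i depends on an interface provided by domain j.
DSM = [
    [0, 0, 0, 0, 1, 1, 0],
    [1, 0, 0, 0, 1, 1, 0],
    [0, 1, 0, 0, 0, 1, 0],
    [0, 0, 1, 0, 1, 0, 1],
    [0, 0, 0, 0, 0, 1, 1],
    [0, 0, 0, 0, 1, 0, 1],
    [0, 0, 0, 0, 1, 1, 0],
]

# Constructed CVSS base scores of vulnerabilities located in each domain.
CVSS = {"Operations": [9.8, 7.5], "Distribution": [6.5],
        "Customer": [5.3, 4.3, 8.1]}

def dsm_to_edges(dsm, names):
    """Turn the matrix into directed edges (dependent -> provider)."""
    return [(names[i], names[j]) for i, row in enumerate(dsm)
            for j, cell in enumerate(row) if cell and i != j]

def degree_metrics(edges, names):
    """in-degree: how many domains rely on a node; out-degree: how many it relies on."""
    in_deg = {n: 0 for n in names}
    out_deg = {n: 0 for n in names}
    for src, dst in edges:
        out_deg[src] += 1
        in_deg[dst] += 1
    return in_deg, out_deg

def domain_severity(cvss):
    """Aggregate scores per domain. Using max() is an assumption of this example."""
    return {d: max(scores) for d, scores in cvss.items() if scores}

def exposure_ranking(dsm, names, cvss):
    """Assumed heuristic: domain severity weighted by (1 + number of dependents)."""
    in_deg, _ = degree_metrics(dsm_to_edges(dsm, names), names)
    sev = domain_severity(cvss)
    scored = {n: sev.get(n, 0.0) * (1 + in_deg[n]) for n in names}
    return sorted(scored.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    for name, score in exposure_ranking(DSM, DOMAINS, CVSS):
        print(f"{name:17s} {score:6.1f}")
```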
4. Completion of Basic Analytics & Proof of Concept – Year 5 Quarter 1
Below we summarize the results to date:
4.1 Completion of "Proof of Concept" Study
Figure 3 below reviews once more the details of the data extraction and linkage process, shown earlier at a higher level of aggregation. We have now completed the implementation of this plan as the Proof-of-Concept.
Note that Figure 2 starts with the NIST smart grid system, and proceeds to the last step by connecting it to the Cyber Security Framework. All of the intervening steps draw upon the information presented in different documents of the policy ecosystem.
Figure 2: Conceptual Representation of Empirical Analysis
Three important results require emphasis:
One: We have completed the entire design process and implemented it “top down”, so to speak – i.e. starting from the system-state.
Two: We have completed the first pass through “bottom up”, which starts with the properties of the Cyber Security Framework (step 6 in Figure 2), and then proceeds with application of the design and implementation to system-state (step 1).
Three: We have completed the operational information-linkages among documents that are essential for use and/or implementation of CSF.