Maritime Cyber Security Project
Work Plan
1
Maritime Cyber Security Work Plan Draft
August 8, 2016
INTRODUCTION
On July 27, 2016, the American Bureau of Shipping (ABS) received notification of award of the Maritime Cyber Security project for the Maritime Security Center (MSC) Center of Excellence at the Stevens Institute of Technology. The project has a two-year period of performance. The purpose of this task order is to perform research on six separate topics related to maritime cyber security.
RESEARCH TEAM
ABS's Certified Cybersecurity Specialists have extensive experience with industrial control systems for ships, offshore installations, and facilities and are uniquely qualified to deliver a comprehensive security assessment. Our personnel have been selected for this assignment based on their previous experience in maritime cyber security, control systems, the maritime industry, and federal regulatory analysis. Our Team has experience in the analysis, review, and documentation of vulnerabilities of both commercial IT and process automation systems. We have analyzed cyber and physical security threats, risks, and vulnerabilities, and conducted site analyses for a wide array of operations and systems. The research will be performed by the following team.
Principal Investigator
Cris DeWitt leads our Software and Control Systems group, providing a range of cyber safety and security services for the maritime industry. Mr. DeWitt and his team conduct technology assessments for cyber security with control systems used in drillships, ultra-deepwater drilling rigs, LNG vessels, and other complex automation assets. He has also published on cyber security and its impact on offshore assets.
Risk Lead
Mr. Mowrer, the Director of Homeland Security Risk Management Technologies at ABSG Consulting Inc., has been working in the management consulting, risk management, data analytics, and information technology fields for the past 18 years. He has managed numerous projects for USCG, including cyber security assessments for the U.S. maritime industry; 10 annual phases of the MSRAM; the 2006, 2009, and 2011 National Maritime Strategic Risk Assessments; and the Ports, Waterways, Coastal Security (PWCS) Risk-Based Performance
Research Analysts
Mr. Rick Scott is a Registered Professional Engineer (#64544, TX) with over 40 years of experience ranging from engineer to senior executive in the high-technology manufacturing and offshore drilling industries. His specialties include: software services management, software product development, and software systems integration. He has witnessed testing and certified offshore drilling control software for ABS and developed the ABS certification process for software systems assessment and certification.
Other research analysts will be brought in over the course of the project to support task execution.
TECHNICAL APPROACH FOR RESEARCH QUESTIONS
The following sections describe our technical approach for each of the research questions included in the RFP.
1. RISK-BASED PERFORMANCE STANDARDS
Question: What risk-based performance standards can be developed for cyber risk management of the Marine Transportation System (MTS)? How would performance standards inter-relate with other infrastructure sectors and their performance standards? How would performance standards inter-relate with existing safety and security management systems?
TECHNICAL APPROACH
The following outlines the key tasks in our technical approach to answer research question #1. Note: the results of Steps 2-5 provide a foundational structure that will support the analysis and communication of results for several of the research questions.
1. Doctrine Review. We will review key maritime cyber risk management doctrine, strategies and policies (USCG Cyber Strategy, USCG Western Hemisphere Strategy, paper from Maritime Security Center Maritime Risk Symposium) to inform our research related to this question. We will meet with select USCG, DHS, DoD, and select industry experts to gather their insight on risk-based performance standards.
2. Performance Standards Review. We will perform an in-depth literature review of recognized cyber risk management performance standards that could be applicable to MTS, including, but not limited to:
• NIST Framework for Improving Critical Infrastructure Cybersecurity
• NIST SP 800-82 Revision 2, Guide to Industrial Control Systems Security
• ISO 27001: Information Security Management Standard
• Department of Homeland Security's (DHS's) and Department of Energy's (DOE's) Cybersecurity Capability Maturity Model (C2M2)
• International Society for Automation (ISA) Industrial Network and System Security (ISA 62443)
• NIST Special Publication 800-53, "Security and Privacy Controls for Federal Information Systems and Organizations"
• DoD Instruction 8500.01, Cybersecurity
3. Asset Inventories. We will inventory the range of asset types (e.g., ferry terminals, container ships, bridges, petroleum refineries) and infrastructure sectors that commonly operate within the U.S. MTS.
4. Asset Class Taxonomy. We will develop a standard taxonomy for classifying these maritime assets, classes, and infrastructure sectors.
5. System Inventories. We will inventory information technology (IT) and operational technology (OT) systems that are commonly found on the assets and map them to the asset taxonomy.
6. Safety/Security Management System Review. We will perform a literature review of governing regulations and standards for safety and security management systems applicable to each asset type. Due to the complexity of the MTS, there are a wide variety of assets that operate within the U.S. domain falling under many different safety/security requirements, including: USCG, DHS, OSHA, EPA, BSEE, DOT, IMO/BIMCO, Classification Societies, state/local agencies, and PHMSA. We will review existing requirements for safety/security management systems under each regime and clearly identify those which cover, or could be expanded to cover, cyber issues. We will then map each regime to its applicable asset classes.
7. Performance Standards Crosswalk. Based on (1) applicable performance standards, (2) IT/OT systems and (3) the associated safety/security management systems for each asset class, we will develop a crosswalk identifying which performance standard elements are currently being addressed by various safety/security management systems and where gaps exist.
8. Conclusions & Recommendations. Based on the results of the previous steps, we will summarize our conclusions comparing standards requirements across infrastructure sectors and provide recommendations on which performance standards could/should be applied to each asset type and infrastructure sector.
2. FRAMEWORK FOR CYBER POLICY
Question: What type of criteria should be utilized to develop an academically rigorous framework for Cyber Policy for the MTS?
TECHNICAL APPROACH
The following outlines the key tasks in our technical approach to answer research question #2.
1. Literature Review. We will perform an in-depth review of cyber frameworks, focusing on the NIST Framework for Improving Critical Infrastructure Cybersecurity and ISO 27001: Information Security Management Standard, to identify the criteria they include.
2. Scope Definition. We will first define the scope of the cyber policy for the MTS. The scope should address a number of factors, including, but not limited to: asset classes, IT/OT systems, threat types, and whether the policy covers both cyber safety and cyber security concerns. We will then define the goals and objectives for cyber security in the MTS. The scope and goals will be developed based on the results of the literature review and guidance from USCG, DHS, and DoD experts.
3. Affected Party Identification. Based on the scope, we will then research and identify parties affected by the policy, such as federal, state, and local government agencies, maritime facility owner/operators, vessel owner/operators, industry groups, ports, international organizations, and classification societies.
4. Affected Process Identification. We will identify and describe processes and decisions impacted by policy for each affected party. Processes such as cyber security assessments, audits, security plan development, security plan review, and vessel surveys are likely to be affected by policy changes.
5. Criteria Identification. We will recommend all of the relevant criteria that should be included in a cyber framework, spanning the phases of detection, identification, protection, response, and recovery.
3. CRITICAL POINTS OF FAILURE
Question: Based on a multi-node analysis, what are the critical Points of Failure within the cyber system supporting the MTS?
TECHNICAL APPROACH
The following outlines the key tasks in our technical approach to answer research question #3.
1. Doctrine Review. We will leverage the review of key maritime cyber risk management doctrine (Question 1, Step 1) to identify scenarios of concern and the associated definitions to develop an understanding of criticality thresholds. We will then meet with USCG, DHS, and DoD decision makers to clearly define "critical points of failure" and identify "criticality thresholds". These definitions should address aspects of system vulnerability and potential consequences of system exploitation (e.g., physical consequences).
2. Asset Class Screening. We will identify the subset of asset classes with cyber scenario consequence potential exceeding the criticality threshold.
3. General Architecture Development. We will develop general architecture profiles for each of the asset classes based on the common systems identified in Question 1, Task 5. These will address both IT and OT systems and integration.
4. Corruption Vector and Penetration Point Taxonomy. We will develop a hierarchical taxonomy of corruption vectors and their associated penetration points. We will then map the potential corruption vectors and penetration points for each general architecture.
5. Scenario Development. For each general architecture/asset class combination, we will identify specific scenarios that could result in consequences above the criticality threshold.
6. Risk Assessment. We will perform a high-level risk assessment considering threat, vulnerability, and consequence factors. Due to the general nature of the assessment, we will choose a qualitative or simple quantitative risk methodology to assess the risk. Methods may include bow tie, event tree/fault tree, or preliminary risk analysis.
7. Results Documentation. We will document the results of the risk assessment process, identifying critical points of failure and articulating them as a function of asset classes, systems, corruption vectors, and penetration points.
4. REQUIREMENTS FOR MARITIME CYBER RANGE
Question: What are the critical requirements that should be considered when developing an academically rigorous and multi-use Maritime Cyber Range?
TECHNICAL APPROACH
The following outlines the key tasks in our technical approach to answer research question #4.
1. Use Case Development. We will first investigate known cyber range models (e.g., U.S. Marine Corps, ABS) to determine their relevance and applicability to this project. We will interview representatives from the most relevant ranges to discuss lessons learned and best practices. If needed, we will host a workshop with maritime government representatives to discuss findings and define cyber range objectives for this project. Based on workshop guidance and scenarios of interest identified in task 3, we will document methods for developing use cases.
2. System Behavior Definition. We will document methods for developing expected system behavior definitions (including integration among systems) for systems of interest.
3. Test Boundary Development. We will document methods for developing test boundaries for select architectures.
4. Test Requirements. We will document methods for defining test requirements.
5. Equipment and Software Requirements. We will document methods for developing test equipment and software requirements.
6. Test Documentation. We will document methods for recording and interpreting test results.
7. Develop Training Requirements. We will document competencies that users of the range require to conduct experiments. Competencies will address all phases of the experiment, including, but not limited to: initial range configuration, conduct of the experiment, results documentation, and procedure for returning the range to baseline state.
5. FRAMEWORK FOR POINT OF FAILURE DETECTION METHODOLOGY
Question: What methodologies can be utilized or invented to develop a framework to analyze a Point of Failure Detection Methodology?
TECHNICAL APPROACH
The following outlines the key tasks in our technical approach to answer research question #5.
1. Scope Definition. We will first define the analytical scope of the failure detection methodology. The scope will be informed by the outputs of tasks from questions 1 and 3, specifically in relation to general architectures and scenarios of concern. We will document how other industries and government agencies detect points of failure and which performance standards and frameworks they use.
2. Decision Definition. We will first define key decision makers (e.g., government leaders, asset owners). For each decision maker type, we will identify the decisions to be supported by results of the methodology. This will include the options available to the decision maker.
3. Information Requirements. We will identify the types and quality of information that is required to support each decision. There can be a wide variety of information needed, such as a listing of specific critical vulnerabilities, a ranking of the overall integrity/vulnerability of an asset, or a qualitative/quantitative risk score for an asset (TVC). We will define the requirements for the appropriate level of information.
4. Methodology Identification. We will then identify relevant methodologies capable of generating the required information. We will describe each methodology, list strengths and weaknesses, and compare across methodologies.
5. Conclusions and Recommendations. We will recommend any identified enhancements to the relevant methodologies.
6. MARITIME CYBER DETERRENT STRATEGY EFFECTIVENESS
Question: What methodologies can be employed to conduct a quantitative analysis of maritime cyber deterrent strategy effectiveness?
TECHNICAL APPROACH
The following outlines the key tasks in our technical approach to answer research question #6.
1. Define Current Cyber Deterrent Strategy. We will meet with government representatives to capture the elements of their current cyber strategy and the means they use to develop strategy and measure effectiveness. We will document the multi-layer strategy in a comprehensive framework, likely using bow-tie methodology.
2. Decision Definition. We will then define key decision makers (e.g., government leaders, asset owners) who will use the cyber deterrent strategy effectiveness measurement model. For each decision maker type, we will identify the decisions to be supported by results of the methodology. This will include the options available to the decision maker.
3. Information Requirements. We will identify the types and quality of information that is required to support each decision.
4. Methodology Identification/Development. We will identify relevant methodologies capable of generating the required information. We will describe each methodology, list strengths and weaknesses, and compare across methodologies. If needed, we will develop or tailor methodologies to meet the information requirements.
5. Recommendations. We will recommend any identified enhancements to the relevant methodologies.
MILESTONES AND OUTPUTS
Table 1 lists our planned outputs, timing, and associated research questions. While the period of performance is for two years, the research team proposes delivery of all required milestones within 16 months of the contract award.
Table 1. Milestones and Outputs

Output | Time | Associated Research Question
1 Cyber Policy Framework Document | 4 months from award | 2
2 Points of Failure Analysis Report | 7 months from award | 3
3 Points of Failure Detection Report | 7 months from award | 5
4 Risk-Based Performance Standards Recommendation | 6 months from award | 1
5 Comparative Analysis of Performance Standards to Existing Safety & Security Measures | 8 months from award | 1
6 Comparative Analysis of Performance Standards to Other Infrastructure Results | 12 months from award | 1
7 Cyber Range Requirements Report | 16 months from award | 4
8 Cyber Deterrence Effectiveness Model | 15 months from award | 6
9 Cyber Deterrence Effectiveness Model Analysis Results Report | 16 months from award | 6
10 Delivery and socialization of outputs | 1 month from completion of each output | all
The Gantt chart in Figure 1 describes our overall timeline for this project and execution of the tasks described in the technical approach for each of the six research questions. This notional project schedule is based on our understanding of the research objectives and our ability to complete the project within the required period of performance. It is based upon sound project management principles and resource allocations that will ensure we complete the outputs listed in Table 1 within the required timetable. The delivery dates for the outputs are shown as black triangles in the figure. Note: this schedule assumes an August 2016 award. If award is delayed, the schedule will be updated accordingly.
Figure 1. Project Gantt Chart
[Figure: month-by-month task schedule from August 2016 through July 2018 (columns: Tasks, 2016, 2017, 2018) covering the numbered tasks listed under each of the six research questions above, with the delivery points of Outputs 1 through 9 marked on the timeline.]
PROJECT MANAGEMENT
We maintain a tailored system of organization, project controls and standardized processes, to ensure that MSC receives high-quality deliverables that meet or exceed the stated requirements. Through our 152-year history supporting nearly all aspects of the maritime industry, we developed a project management methodology that is not only grounded in quality and integrity but also based upon the principles described in the Project Management Institute's (PMI) "A Guide to the Project Management Body of Knowledge (PMBOK®) - Fifth Edition." Our program management philosophy includes (1) providing an experienced project manager (PM) with appropriate decision-making authority, (2) following structured repeatable processes, and (3) utilizing our Oracle-based Global Enterprise Management System (GEMS) management system to provide real-time tracking/oversight of all task activities. Table 2 provides an overview of our project management processes.
Table 2. Project Management Processes & Metrics

PMBOK® Guide - Fifth Edition Project Management Process Groups

Initiating: Our financial/contract management system establishes cost code identification numbers for performance tracking of individual projects and tasks.

Planning: Our PM establishes budget, schedule and definition of deliverables for the call order. We will use MS Project for planning and monitoring progress throughout project execution.

Execution: The execution phase of the task involves conducting, monitoring, and managing all aspects of meeting the call order requirements. In general, we conduct bi-weekly meetings across the task team at which time the PM reviews schedule, percent completion on deliverables, budget percent complete, variance between project and budget status, and plans to correct any problems/deficiencies identified.

Controlling & Monitoring: Our GEMS system provides real-time project detail reports (weekly or more often if desired). The reports provide key metrics that allow the PM to determine if a task is progressing as planned or requires corrective actions. GEMS automatically sends email alerts to the PM when defined task milestones are surpassed.

Closing: The PM initiates project closure as soon as all contract deliverables and all charges are made and the final invoice is approved. A required after-task review is performed to identify ideas/methods/processes for performance improvement on future call orders.
Our PM will provide bimonthly status reports to MSC representatives which:
• Summarize progress made during the period
• Outline work anticipated for the next period
• Highlight any key issues requiring MSC attention
• Provide key performance metrics
  o Percent completion on deliverables
  o Budget percent complete
  o Variance between project and budget status
• List invoices sent during the period
DHS STAKEHOLDER ENGAGEMENT
In addition to working with DHS Science and Technology (S&T), we will engage the following stakeholders for Technical Reviews and comments as well as Cyber Deterrence Effectiveness Model input:
• USCG Assistant Commandant for Prevention Policy (CG-5P)
• USCG Office of Port & Facility Compliance (CG-FAC)
• USCG Domestic Port Security Evaluation Division (CG-PSA-2)
• USCG Office of Standards Evaluation & Development (CG-REG)
• USCG Cyber Command (CGCYBERCOM)
• USCG Research & Development Center (CG-RDC)
BENEFITS TO DHS STAKEHOLDERS
• Awareness of critical failure points in the MTS
• Enhanced communication and information sharing between stakeholders
• Informed policy-making