Integrating Physical Protection and Cyber Security Vulnerability Assessments
Presented by Doug MacDonald
Information Release # PNNL-SA-99462
Definition
Wikipedia defines Vulnerability Assessments as …
“… the process of identifying, quantifying, and prioritizing (or ranking) the
vulnerabilities in a system”
Where vulnerabilities are defined as …
… the inability to protect an asset or target against a defined threat or
reduced system effectiveness resulting from reduced, compromised, or
lacking defensive measures
Introduction
Historical physical protection
systems
Evolution over the years
Added system vulnerabilities
Not properly identifying these
vulnerabilities can have
catastrophic consequences
Historically
Most physical protection vulnerability assessments and cyber security
analyses are performed in an independent or stovepiped manner, and don’t
account for system level interactions or interdependencies
This provides a segmented or incomplete picture of the overall risk to an
asset
Need
Need to fully evaluate the physical protection domain and the cyber
security domain together to understand the overall performance of the
protection measures in place
Need to identify and quantify the areas of undetermined risk
Evolution of the Assessment
Physical Security VA
Cyber Security Assessments
The integrated Cyber/Physical VA
Bringing the Domains Together
The blended approach used by PNNL to integrate the Cyber and Physical vulnerability assessment process is needed to properly identify and quantify the system level interactions and interdependencies
Blended approach development
4-year effort of experienced SMEs
Boots on the ground, firsthand knowledge
Years of experience with the systems in the field
Experts were cross-trained in the process and methodology each domain currently uses for assessments
Terminology (a common language)
Timely detection methodology
Experiences
The team modified the capability to evaluate every avenue of approach using both electronic and physical pathways
Assessments and Lessons Learned
Real-world assessment
Team of 10 SMEs
Scope was the entire system
Had just completed a comprehensive assessment
Several areas of concern based on the cyber/physical interplay
New modeling and simulation tools are needed to accurately capture and
thoroughly evaluate this blended cyber/physical approach
They must provide a comprehensive vulnerability assessment and risk
analysis tool
Incorporate elements like the ability to capture and quantify system level
interdependencies and interactions
And provide a “backtracking” capability
PACRAT
PNNL created a new software tool for the blended assessment that can …
Perform a comprehensive vulnerability assessment and risk analysis
with all of the most widely used features of today …
Plus added elements like the ability to capture and quantify system level
interdependencies and interactions
And a “backtracking” capability
The Physical and Cyber Risk Analysis Tool (aka PACRAT) is much more than
a vulnerability analysis tool; it’s an automated discovery and “what if” analysis
solution
Evaluating all physical and electronic pathways in a holistic fashion is the only
way to increase understanding of the systems in place, and their ability to
adequately protect assets
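As an added illustration (not PACRAT's code or algorithm, and not from the presentation), the sketch below scores one adversary path with a simplified timely-detection rule: a detection counts only if the delay still ahead of the adversary is at least the response time. The `Step` model, the `defeats` link that lets a cyber step disable a physical sensor, and every name and number are constructed assumptions.

```python
from dataclasses import dataclass, replace
from math import prod

@dataclass(frozen=True)
class Step:
    name: str
    domain: str          # "physical" or "cyber"
    p_detect: float      # probability this step is detected
    delay_s: float       # delay it imposes on the adversary, in seconds
    defeats: tuple = ()  # later steps whose detection this step disables

def apply_interdependencies(path):
    """Zero the detection of any step defeated by an earlier step."""
    defeated, out = set(), []
    for s in path:
        out.append(replace(s, p_detect=0.0) if s.name in defeated else s)
        defeated.update(s.defeats)
    return out

def p_interruption(path, response_time_s):
    """Probability of at least one timely detection along the path."""
    path = apply_interdependencies(path)
    misses = []
    for i, s in enumerate(path):
        remaining = sum(t.delay_s for t in path[i:])
        if remaining >= response_time_s:  # detection here is still timely
            misses.append(1.0 - s.p_detect)
    return 1.0 - prod(misses)

# Constructed sample data, not taken from any real assessment.
PHYSICAL = [
    Step("perimeter", "physical", 0.5, 10),
    Step("door_sensor", "physical", 0.9, 60),
    Step("vault_door", "physical", 0.3, 90),
]
CYBER = Step("alarm_network", "cyber", 0.2, 0, defeats=("door_sensor",))
BLENDED = [CYBER] + PHYSICAL
RESPONSE_S = 120

if __name__ == "__main__":
    print("physical only:", round(p_interruption(PHYSICAL, RESPONSE_S), 3))
    print("blended      :", round(p_interruption(BLENDED, RESPONSE_S), 3))
    upgraded = [replace(CYBER, p_detect=0.8)] + PHYSICAL  # "what if" upgrade
    print("what if      :", round(p_interruption(upgraded, RESPONSE_S), 3))
```

Scored on its own, the physical path looks well protected; adding the cyber step that silences the door sensor lowers the interruption probability, and the "what if" line shows how much better cyber detection recovers.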
PACRAT
Each of these elements is needed to properly assess the overall protection
strategy and identify true risk
The ability to focus on the objective and “tune” the tool
PACRAT’s User Interface (the “dashboard”) and the output display (with color-coded, statistical pathway analysis)
PACRAT
PACRAT is also provisioned for a Value Added Module to assist in “prioritizing”
investment upgrades
Automated “what if” analysis
Currently a manual, time-consuming process
Not intended to eliminate the analyst
This automated function will “recommend” improvements based on the return on
investment (ROI)
[Figure: chart with scale labels High to Low and $, $$, $$$]
Additional Areas for Improvement
Training and awareness
Organizational structure
Security culture
Defining the blended threat
Adversarial teams with both cyber and physical expertise
Performance values for cyber components
Examining the frequency of assessments
Quantifying consequences