Integrating Physical Protection

and Cyber Security Vulnerability

Assessments

Presented by Doug MacDonald

Information Release # PNNL-SA-99462

Definition

Wikipedia defines Vulnerability Assessments as …

“… the process of identifying, quantifying, and prioritizing (or ranking) the

vulnerabilities in a system”

Where vulnerabilities are defined as …

… the inability to protect an asset or target against a defined threat or

reduced system effectiveness resulting from reduced, compromised, or

lacking defensive measures

Introduction

Historical physical protection

systems

Evolution over the years

Added system vulnerabilities

Not properly identifying these

vulnerabilities can have

catastrophic consequences

Historically

Most physical protection vulnerability assessments and cyber security

analysis are performed in an independent or stove piped manner, and don’t

account for system level interactions or interdependencies

This provides a segmented or incomplete picture of the overall risk to an

asset

Need

Need to fully evaluate the physical protection domain and the cyber

security domain together to understand the overall performance of the

protection measures in place

Need to identify and quantify the areas of undetermined risk

Need

Need to fully evaluate the physical protection domain and the cyber

security domain together to understand the overall performance of the

protection measures in place

Need to identify and quantify the areas of undetermined risk

Need

Need to fully evaluate the physical protection domain and the cyber

security domain together to understand the overall performance of the

protection measures in place

Need to identify and quantify the areas of undetermined risk

Need

Need to fully evaluate the physical protection domain and the cyber

security domain together to understand the overall performance of the

protection measures in place

Need to identify and quantify the areas of undetermined risk

Evolution of the Assessment

Physical Security VA

Cyber Security Assessments

The integrated Cyber/Physical VA

Bringing the Domains Together

The blended approach used by PNNL to integrate the Cyber and Physical vulnerability assessment process is needed to properly identify and quantify the system level interactions and interdependencies

Blended approach development

4 year effort of experienced SMEs

Boots on the ground, firsthand knowledge

Years of experience with the systems in the field

Experts were cross-trained in the process and methodology each domain currently uses for assessments

Terminology (a common language)

Timely detection methodology

Experiences

The team modified the capability to evaluate every avenue of approach using both electronic and physical pathways

Assessments and Lessons Learned

Real-world assessment

Team of 10 SMEs

Scope was the entire system

Had just completed a comprehensive assessment

Several areas of concern based on the cyber/physical interplay

New modeling and simulation tools are needed to accurately capture and

thoroughly evaluate this blended cyber/physical approach

They must provide a comprehensive vulnerability assessment and risk

analysis tool

Incorporate elements like the ability to capture and quantify system level

interdependencies and interactions

And provide a “backtracking” capability

PACRAT

PNNL created a new software tool for the blended assessment that can …

Perform a comprehensive vulnerability assessment and risk analysis

with all of the most widely used features of today …

Plus added elements like the ability to capture and quantify system level

interdependencies and interactions

And a “backtracking” capability

The Physical and Cyber Risk Analysis Tool (aka PACRAT) is much more than

a vulnerability analysis tool, it’s an automated discovery and “what if” analysis

solution

Evaluating all physical and electronic pathways in a holistic fashion is the only

way to increase understanding of the systems in place, and their ability to

adequately protect assets

PACRAT

Each of these elements are needed to properly assess the overall protection

strategy and identify true risk

The ability to focus on the objective and “tune” the tool

PACRAT’s User Interface (the “dashboard”) and the output display (with color coded, statistical pathway analysis)

PACRAT

PACRAT is also provisioned for a Value Added Module to assist in “prioritizing”

investment upgrades

Automated “what if” analysis

Currently a manual, time consuming process

Not intended to eliminate the analyst

This automated function will “recommend” improvements based on the return on

investment (ROI)

High

Low

$

$$

$$$

Additional Areas for Improvement

Training and awareness

Organizational structure

Security culture

Defining the blended threat

Adversarial teams with both cyber and physical expertise

Performance values for cyber components

Examining the frequency of assessments

Quantifying consequences

Questions

16