maritime cyber security - stevens institute of technology cyber security project work plan 1...

MaritimeCyberSecurityProject

WorkPlan

1

MaritimeCyberSecurityWorkPlanDraft

August8,2016


WorkPlan

1

INTRODUCTION

OnJuly27,016,theAmericanBureauofShipping(ABS)receivednotificationofawardoftheMaritimeCyberSecurityprojectfortheMaritimeSecurityCenter(MSC)CenterofExcellenceattheStevensInstituteofTechnology.Theprojecthasatwoyearperiodofperformance.Thepurposeofthistaskorderistoperformresearchonsixseparatetopicsrelatedtomaritimecybersecurity.

RESEARCH TEAM

ABS’sCertifiedCybersecuritySpecialistshaveextensiveexperiencewithindustrialcontrolsystemsforships,offshoreinstallations,andfacilitiesandareuniquelyqualifiedtodeliveracomprehensivesecurityassessment.Ourpersonnelhavebeenselectedforthisassignmentbasedontheirpreviousexperienceinmaritimecybersecurity,controlsystems,themaritimeindustry,andfederalregulatoryanalysis.OurTeamhasexperienceintheanalysis,review,anddocumentationofvulnerabilitiesofbothcommercialITandprocessautomationsystems.Wehaveanalyzedcyberandphysicalsecuritythreats,risks,andvulnerabilities,andconductedsiteanalysesforawidearrayofoperationsandsystems.Theresearchwillbeperformedbythefollowingteam.

Principal Investigator

CrisDeWittleadsourSoftwareandControlSystemsgroup,providingarangeofcybersafetyandsecurityservicesforthemaritimeindustry.Mr.DeWittandhisteamconducttechnologyassessmentsforcybersecuritywithcontrolsystemsusedindrillships,ultra-deepwaterdrillingrigs,LNGvessels,andothercomplexautomationassets.Hehasalsopublishedoncybersecurityanditsimpactonoffshoreassets.

Risk Lead

Mr.Mowrer,theDirectorofHomelandSecurityRiskManagementTechnologiesatABSGConsultingInc.,hasbeenworkinginthemanagementconsulting,riskmanagement,dataanalytics,andinformationtechnologyfieldsforthepast18years.HehasmanagednumerousprojectsforUSCG,includingcybersecurityassessmentsfortheU.S.maritimeindustry;10annualphasesoftheMSRAM;the2006,2009,and2011NationalMaritimeStrategicRiskAssessments;andthePorts,Waterways,CoastalSecurity(PWCS)Risk-BasedPerformance

Research Analysts

Mr.RickScottisaRegisteredProfessionalEngineer(#64544,TX)withover40yearsofexperiencerangingfromengineertoseniorexecutiveinthehigh-technologymanufacturingandoffshoredrillingindustries.Hisspecialtiesinclude:softwareservicesmanagement,softwareproductdevelopment,andsoftwaresystemsintegration.HehaswitnessedtestingandcertifiedoffshoredrillingcontrolsoftwareforABSanddevelopedtheABScertificationprocessforsoftwaresystemsassessmentandcertification.

Otherresearchanalystswillbebroughtinoverthecourseoftheprojecttosupporttaskexecution.


WorkPlan

2

TECHNICAL APPROACH FOR RESEARCH QUESTIONS

ThefollowingsectionsdescribeourtechnicalapproachforeachoftheresearchquestionsincludedintheRFP

1. RISK-BASED PERFORMANCE STANDARDS

Question:Whatrisk-basedperformancestandardscanbedevelopedforcyberriskmanagementoftheMarineTransportationSystem(MTS)?Howwouldperformancestandardsinter-relatewithotherinfrastructuresectorsandtheirperformancestandards?Howwouldperformancestandardsinter-relatewithexistingsafetyandsecuritymanagementsystems?

TECHNICALAPPROACH

Thefollowingoutlinesthekeytasksinourtechnicalapproachtoanswerresearchquestion#1.Note:theresultsofSteps2-5provideafoundationalstructurethatwillsupporttheanalysisandcommunicationofresultsforseveraloftheresearchquestions.

1. DoctrineReview.Wewillreviewkeymaritimecyberriskmanagementdoctrine,strategiesandpolicies(USCGCyberStrategy,USCGWesternHemisphereStrategy,paperfromMaritimeSecurityCenterMaritimeRiskSymposium)toinformourresearchrelatedtothisquestions.WewillmeetwithselectUSCG,DHS,DoD,andselectindustryexpertstogathertheirinsightonrisk-basedperformancestandards.

2. PerformanceStandardsReview.Wewillperformanin-depthliteraturereviewofrecognizedcyberriskmanagementperformancestandardsthatcouldbeapplicabletoMTS,including,butnotlimitedto:

• NISTFrameworkforImprovingCriticalInfrastructureCybersecurity• NISTSP800-82Revision2,GuidetoIndustrialControlSystemsSecurity• ISO27001:InformationSecurityManagementStandard• DepartmentofHomelandSecurity’s(DHS’s)andDepartmentofEnergy’s(DOE’s)Cybersecurity

CapabilityMaturityModel(C2M2)• InternationalSocietyforAutomation(ISA)IndustrialNetworkandSystemSecurity(ISA62443)• NISTSpecialPublication800-53,"SecurityandPrivacyControlsforFederalInformationSystems

andOrganizations,"• DoDInstruction8500.01,Cybersecurity

3. AssetInventories.Wewillinventorytherangeofassettypes(e.g.,ferryterminals,containerships,bridges,petroleumrefineries)andinfrastructuresectorsthatcommonlyoperatewithintheU.S.MTS.

4. AssetClassTaxonomy.Wewilldevelopastandardtaxonomyforclassifyingthesemaritimeassets,classes,andinfrastructuresectors.

5. SystemInventories.Wewillinventoryinformationtechnology(IT)andoperationaltechnology(OT)systemsthatarecommonlyfoundontheassetsandmapthemtotheassettaxonomy.

6. Safety/SecurityManagementSystemReview.Wewillperformaliteraturereviewofgoverningregulationsandstandardsforsafetyandsecuritymanagementsystemsapplicabletoeachassettypes.DuetothecomplexityoftheMTS,thereareawidevarietyofassetsthatoperatewithintheU.S.domainfallingundermanydifferentsafety/securityrequirements,including;USCG,DHS,OSHA,EPA,BSEE,DOT,IMO/BIMCO,ClassificationSocieties,state/localagencies,andPHMSA.Wewillreviewexistingrequirementsforsafety/securitymanagementsystemsundereachregimeandclearlyidentifythose


WorkPlan

3

whichcover,orcouldbeexpandedtocovercyberissues.Wewillthenmapeachregimetotheirapplicableassetclasses.

7. PerformanceStandardsCrosswalk.Basedon(1)applicableperformancestandards,(2)IT/OTsystemsand(3)theassociatedsafety/securitymanagementsystemsforeachassetclass,wewilldevelopacrosswalkidentifyingwhichperformancestandardelementsarecurrentlybeingaddressedbyvarioussafety/securitymanagementsystemsandwheregapsexist.

8. Conclusions&Recommendations.Basedontheresultsoftheprevioussteps,wewillsummarizeourconclusionscomparingstandardsrequirementsacrossinfrastructuresectorsandproviderecommendationsonwhichperformancestandardscould/shouldbeappliedtoeachassettypeandinfrastructuresector.

2. FRAMEWORK FOR CYBER POLICY

Question:WhattypeofcriteriashouldbeutilizedtodevelopanacademicallyrigorousframeworkforCyberPolicyfortheMTS?

TECHNICALAPPROACH

Thefollowingoutlinesthekeytasksinourtechnicalapproachtoanswerresearchquestion#2.

1. LiteratureReview.Wewillperformanin-depthreviewofcyberframeworks,focusingontheNISTFrameworkforImprovingCriticalInfrastructureCybersecurityandISO27001:InformationSecurityManagementStandard,toidentifythecriteriatheyincluded.

2. ScopeDefinition.WewillfirstdefinethescopeofthecyberpolicyfortheMTS.Thescopeshouldaddressanumberoffactors,including,butnotlimitedto:assetclasses,IT/OTsystems,threattypes,andwhetherthepolicycoversbothcybersafetyandcybersecurityconcerns.WewillthendefinethegoalsandobjectivesforcybersecurityintheMTS.ThescopeandgoalswillbedevelopedbasedontheresultsoftheliteraturereviewandguidancefromUSCG,DHS,andDoDexperts.

3. EffectedPartyIdentification.Basedonthescope,wewillthenresearchandidentifypartieseffectedbythepolicy,suchasfederal,state,andlocalgovernmentagencies,maritimefacilityowner/operators,vesselowner/operators,industrygroups,ports,internationalorganizations,andclassificationsocieties.

4. EffectedProcessIdentification.Wewillidentifyanddescribeprocessesanddecisionsimpactedbypolicyforeacheffectedparty.Processessuchascybersecurityassessments,audits,securityplandevelopment,securityplanreview,andvesselsurveysarelikelytobeeffectedbypolicychanges.

5. CriteriaIdentification.Wewillrecommendalloftherelevantcriteriathatshouldbeincludedinacyberframework,spanningthephaseofdetection,identification,protection,response,andrecovery.

3. CRITICAL POINTS OF FAILURE

Question:Basedonamulti-nodeanalysis,whatarethecriticalPointsofFailurewithinthecybersystemsupportingtheMTS?

TECHNICALAPPROACH



WorkPlan

4

1. DoctrineReview.Wewillleveragethereviewofkeymaritimecyberriskmanagementdoctrine(Question1,Step1)toidentifyscenariosofconcernandtheassociateddefinitionstodevelopanunderstandingofcriticalitythresholds.WewillthenmeetwithUSCG,DHS,andDoDdecisionmakerstoclearlydefine“criticalpointsoffailure”andidentify“criticalitythresholds”.Thesedefinitionsshouldaddressaspectsofsystemvulnerabilityofandpotentialconsequencesofsystemexploitation(e.g.,physicalconsequences).

2. AssetClassScreening.Wewillidentifythesubsetofassetclasseswithcyberscenarioconsequencepotentialexceedingthecriticalitythreshold.

3. GeneralArchitectureDevelopment.WewilldevelopgeneralarchitectureprofilesforeachoftheassetclassbasedonthecommonsystemsidentifiedinQuestion1,Task5.ThesewilladdressbothITandOTsystemsandintegration.

4. CorruptionVectorandPenetrationPointTaxonomy.Wewilldevelopahierarchicaltaxonomyofcorruptionvectorsandtheirassociatedpenetrationpoints.Wewillthenmapthepotentialcorruptionvectorsandpenetrationpointsforeachgeneralarchitecture.

5. ScenarioDevelopment.Foreachgeneralarchitecture/assetclasscombinations,wewillidentifyspecificscenariosthatcouldresultinconsequencesabovethecriticalitythreshold.

6. RiskAssessment.Wewillperformahighlevelriskassessmentconsideringthreat,vulnerability,andconsequencefactors.Duetothegeneralnatureoftheassessment,wewillchooseaqualitativeorsimplequantitativeriskmethodologytoassesstherisk.Methodsmayincludebowtie,eventtree/faulttree,orpreliminaryriskanalysis.

7. ResultsDocumentation.Wewilldocumenttheresultsoftheriskassessmentprocess,identifyingcriticalpointsoffailureandarticulatingthemasafunctionofassetclasses,systems,corruptionvectors,andpenetrationpoints.

4. REQUIREMENTS FOR MARITIME CYBER RANGE

Question:Whatarethecriticalrequirementsthatshouldbeconsideredwhendevelopinganacademicallyrigorousandmulti-useMaritimeCyberRange?

TECHNICALAPPROACH


1. UseCaseDevelopment.Wewillfirstinvestigateknowncyberrangemodels(e.g.,U.S.MarineCorps,ABS)todeterminetheirrelevanceandapplicabilitytothisproject.Wewillinterviewrepresentativesfromthemostrelevantrangestodiscusslessonslearnedandbestpractices.Ifneeded,wewillhostaworkshopwithmaritimegovernmentrepresentativestodiscussfindingsanddefinecyberrangeobjectivesforthisproject.Basedonworkshopguidanceandscenariosofinterestidentifiedintask3,wewilldocumentmethodsfordevelopingusecases.

2. SystemBehaviorDefinition.Wewilldocumentmethodsfordevelopingexpectedsystembehaviordefinitions(includingintegrationamongsystems)forsystemsofinterest

3. TestBoundaryDevelopment.Wewilldocumentmethodsfordevelopingtestboundariesforselectarchitectures

4. TestRequirements.Wewilldocumentmethodsfordefiningtestrequirements5. EquipmentandSoftwareRequirements.Wewilldocumentmethodsfordevelopingtestequipmentand

softwarerequirements.


WorkPlan

5

6. TestDocumentation.Wewilldocumentmethodsforrecordingandinterpretingtestresults7. DevelopTrainingRequirements.Wewilldocumentcompetenciesthatusersoftherangerequireto

conductexperiments.Competencieswilladdressallphasesoftheexperiment,including,butnotlimitedto:initialrangeconfiguration,conductoftheexperiment,resultsdocumentation,andprocedureforreturningrangetobaselinestate.

5. FRAMEWORK FOR POINT OF FAILURE DETECTION METHODOLOGY

Question:WhatmethodologiescanbeutilizedorinventedtodevelopaframeworktoanalyzeapointofFailureDetectionMethodology?

TECHNICALAPPROACH


1. ScopeDefinition.Wewillfirstdefinetheanalyticalscopeofthefailuredetectionmethodology.Thescopewillbeinformedbytheoutputsoftasksfromquestions1and3.Specifically,theinrelationtogeneralarchitecturesandscenariosofconcern.Wewilldocumenthowotherindustriesandgovernmentagenciesdetectpointsoffailureandwhichperformancestandardsandframeworkstheyuse.

2. DecisionDefinition.Wewillfirstdefinekeydecisionmakers(e.g.,governmentleaders,assetowners).Foreachdecisionmakertype,wewillidentifythedecisionstobesupportedbyresultsofmethodology.Thiswillincludetheoptionsavailabletothedecisionmaker.

3. InformationRequirements.Wewillidentifythetypesandqualityofinformationthatisrequiredtosupporteachdecision.Therecanbeawidevarietyofinformationneeded,suchaslistingofspecificcriticalvulnerabilities,rankingoftheoverallintegrity/vulnerabilityofanasset,qualitative/quantitativeriskscoreforanasset(TVC).Wewilldefinetherequirementsfortheappropriatelevelofinformation.

4. MethodologyIdentification.Wewillthenidentifyrelevantmethodologiescapableofgeneratingtherequiredinformation.Wewilldescribeeachmethodology,liststrengthsandweaknesses,andcompareacrossmethodologies.

5. ConclusionsandRecommendations.Wewillrecommendanyidentifiedenhancementstotherelevantmethodologies.

6. MARITIME CYBER DETERRENT STRATEGY EFFECTIVENESS

Question:Whatmethodologiescanbeemployedtoconductaquantitativeanalysisofmaritimecyberdeterrentstrategyeffectiveness?

TECHNICALAPPROACH


1. DefineCurrentCyberDeterrentStrategy.Wewillmeetwithgovernmentrepresentativestocapturetheelementsoftheircurrentcyberstrategyandmeanstheyusetodevelopstrategyandmeasureeffectiveness.Wewilldocumentthemulti-layerstrategyinacomprehensiveframework,likelyusingbow-tiemethodology.


WorkPlan

6

2. DecisionDefinition.Wewillthendefinekeydecisionmakers(e.g.,governmentleaders,assetowners)whowilluseofthecyberdeterrentstrategyeffectivenessmeasurementmodel.Foreachdecisionmakertype,wewillidentifythedecisionstobesupportedbyresultsofmethodology.Thiswillincludetheoptionsavailabletothedecisionmaker.

3. InformationRequirements.Wewillidentifythetypesandqualityofinformationthatisrequiredtosupporteachdecision.

4. MethodologyIdentification/Development.Wewillidentifyrelevantmethodologiescapableofgeneratingtherequiredinformation.Wewilldescribeeachmethodology,liststrengthsandweaknesses,andcompareacrossmethodologies.Ifneeded,wewilldeveloportailormethodologiestomeettheinformationrequirements.

5. Recommendations.Wewillrecommendanyidentifiedenhancementstotherelevantmethodologies.

MILESTONES AND OUTPUTS

Table1listsourplannedoutputs,timing,andassociatedresearchquestions.Whiletheperiodofperformanceisfortwoyears,theresearchteamproposesdeliveryofallrequiredmilestoneswith16monthsofthecontractaward.

Table1.MilestonesandOutputs

Output Time

AssociatedResearchQuestion

1 CyberPolicyFrameworkDocument 4monthsfromaward 22 PointsofFailureAnalysisReport 7monthsfromaward 33 PointsofFailureDetectionReport 7monthsfromaward 54 Risk-BasedPerformanceStandards

Recommendation6monthsfromaward 1

5 ComparativeAnalysisofPerformanceStandardstoExistingSafety&SecurityMeasures

8monthsfromaward 1

6 ComparativeAnalysisofPerformanceStandardstoOtherInfrastructureResults

12monthsfromaward 1

7 CyberRangeRequirementsReport 16monthsfromaward 48 CyberDeterrenceEffectivenessModel 15monthsfromaward 69 CyberDeterrenceEffectivenessModelAnalysis

ResultsReport16monthsfromaward 6

10 Deliveryandsocializationofoutputs 1monthfromcompletionofeachoutput

all

TheGanttchartindescribesouroveralltimelineforthisprojectandexecutionofthetasksdescribedinthetechnicalapproachforeachofthesixresearchquestions.Thisnotionalprojectscheduleisbasedonourunderstandingoftheresearchobjectivesandourabilitytocompletetheprojectwithintherequiredperiodofperformance.Itisbaseduponsoundprojectmanagementprinciplesandresourceallocationsthatwillensurewe


WorkPlan

7

completetheoutputslistedinTable1withintherequiredtimetable.Thedeliverydatesfortheoutputsareshownasblacktrianglesinthefigure.Note:thisscheduleassumesanAugust2016award.Ifawardisdelayed,theschedulewillbeupdatedaccordingly.

Figure1.ProjectGanttChart

Aug Sep Oct Nov Dec Jan Feb MarApr May Jun Jul Aug Sep Oct Nov Dec Jan Feb MarApr May Jun JulQuestion1:Risk-basedPerformanceStandards1 DoctrineReview2 PerformanceStandardsReview3 AssetInventories4 AssetClassTaxonomy5 SystemInventories6 Safety/SecurityManagementSystemReview7 PerformanceStandardsCrosswalk8 ConclusionsandRecommendationsQuestion2:FrameworkforCyberPolicy1 LiteratureReview2 ScopeDefinition3 EffectedPartyIdentification4 EffectedProcessIdentification5 CriteriaIdentificationQuestion3:CriticalPointsofFailure1 DoctrineReview2 AssetClassScreening3 GeneralArchitectureDevelopment4 CorruptionVectorsandPenetrationPoints5 ScenarioDevelopment6 RiskAssessment7 ResultsDocumentationQuestion4:RequirementsforMaritimeCyberRange1 UseCaseDevelopment2 SystemBehaviorDefinition3 TestBoundaryDevelopment4 TestRequirements5 EquipmentandSoftwareRequirements6 TestDocumentation7 DevelopTrainingRequirementsQuestion5:PointofFailureDetectionFramework1 ScopeDefinition2 DecisionDefinition3 InformationRequirements4 MethodologyIdentification5 ConclusionsandRecommendationsQuestion6:MaritimeCyberDeterrentStrategyEffectiveness1 DecisionDefinition2 InformationRequirements3 MethodologyIdentification/Development4 Recommendations

Outputs

Tasks 2016 2017 2018

1

2

3

6

4 5

7

89


WorkPlan

8

PROJECT MANAGEMENT

Wemaintainatailoredsystemoforganization,projectcontrolsandstandardizedprocesses,toensurethatMSCreceiveshigh-qualitydeliverablesthatmeetorexceedthestatedrequirements.Throughour152-yearhistorysupportingnearlyallaspectsofmaritimeindustry,wedevelopedaprojectmanagementmethodologythatisnotonlygroundedinqualityandintegritybutalsobasedupontheprinciplesdescribedintheProjectManagementInstitute’s(PMI)“AGuidetotheProjectManagementBodyofKnowledge(PMBOK®)-FifthEdition.”Ourprogrammanagementphilosophyincludes(1)providinganexperiencedprojectmanager(PM)withappropriatedecision-makingauthority,(2)followingstructuredrepeatableprocesses,and(3)utilizingourOracle-basedGlobalEnterpriseManagementSystem(GEMS)managementsystemtoproviderealtimetracking/oversightofalltaskactivities.Table9providesanoverviewofourprojectmanagementprocesses.

Table2.ProjectManagementProcesses&Metrics

PMBOK®Guide-FifthEditionProjectManagementProcessGroups

Initiating Ourfinancial/contractmanagementsystemestablishescostcodeidentificationnumbersforperformancetrackingofindividualprojectsandtasks.

PlanningOurPMestablishesbudget,scheduleanddefinitionofdeliverablesforthecallorder.WewilluseMSProjectforplanningandmonitoringprogressthroughoutprojectexecution.

Execution

Theexecutionphaseofthetaskinvolvesconducting,monitoring,andmanagingallaspectsofmeetingthecallorderrequirements.Ingeneral,weconductbi-weeklymeetingsacrossthetaskteamatwhichtimethePMreviewsschedule,percentcompletionondeliverables,budgetpercentcomplete,variancebetweenprojectandbudgetstatus,andplanstocorrectanyproblems/deficienciesidentified.

Controlling&Monitoring

OurGEMSsystemprovidesreal-timeprojectdetailreports(weeklyormoreoftenifdesired).ThereportsprovidekeymetricsthatallowthePMtodetermineifataskisprogressingasplannedorrequirescorrectiveactions.GEMSautomaticallysendsemailalertstothePMwhendefinedtaskmilestonesaresurpassed.

ClosingThePMinitiatesprojectclosureassoonasallcontractdeliverablesandallchargesaremadeandthefinalinvoiceisapproved.Arequiredafter-taskreviewisperformedtoidentifyideas/methods/processesforperformanceimprovementonfuturecallorders.

OurPMwillprovidebimonthlystatusreportstoMSCrepresentativeswhich:

• Summarizesprogressmadeduringtheperiod• Outlinesworkanticipatedforthenextperiod• HighlightsanykeyissuesrequiringMSCattention• Provideskeyperformancemetrics

o Percentcompletionondeliverableso Budgetpercentcompleteo Variancebetweenprojectandbudgetstatus

• Invoicessentduringtheperiod


WorkPlan

9

DHS STAKEHOLDER ENGAGEMENT

InadditiontoworkingwithDHSScienceandTechnology(S&T),wewillengagethefollowingstakeholdersforTechnicalReviewsandcommentsaswellasCyberDeterrenceEffectivenessModelinput:

• USCGAssistantCommandantforPreventionPolicy(CG-5P)• USCGOfficeofPort&FacilityCompliance(CG-FAC)• USCGDomesticPortSecurityEvaluationDivision(CG-PSA-2)• USCGOfficeofStandardsEvaluation&Development(CG-REG)• USCGCyberCommand(CGCYBERCOM)• USCGResearch&DevelopmentCenter(CG-RDC)

BENEFITS TO DHS STAKEHOLDERS

• AwarenessofcriticalfailurepointsintheMTS• Enhancedcommunicationandinformationsharingbetweenstakeholders• Informedpolicy-making

maritime cyber security - stevens institute of technology cyber security project work plan 1...

Documents