The Final Report, highlights the generic features of problems addressed, the research methods, as well as the results. Noted below are only select elements pertaining to (i) core problem, (ii) goals and challenges, (iii) approach & methods), and (iv) project participants.
Core Problem
Mounting concerns about the safety and security of the nation’s critical infrastructure contributed to the development of an intricate ecosystem of cybersecurity policies, guidelines, directives and compliance measures.
These are all written in linear, sequential text form—word after word, chapter after chapter— and distributed across different documents. These documents are part of a policy ecosystem of basic properties for CPS structure and processes, also in text form. It is difficult to capture policy-technology-security interactions or engage in effective risk assessment.
In short, individually or collectively, these features inevitably undermine cybersecurity policy initiatives. The problem is this: Missing, to date, are fundamental policy analytics to support CPS cybersecurity and reduce barriers to policy implementation.
Goals & Challenges
In response to such pervasive problems, this project focused analytical methods to strengthen implementation of cybersecurity policies in support of the national strategy for cybersecurity.
Operationally, the goal is to create policy analytics for cybersecurity of CPS, designed to:
(1) overcome the impediments created by conventional text-based policy forms
(2) generate metric-based representation of policy texts
(3) align policy directives to intended targets in specified CPS system, and
(4) signal “how to” metricize cybersecurity policy for CPS and manage mission-related challenges, concerns or contingencies.
Strategically, the goal is to connect with diverse cybersecurity and related research communities in order to:
(1) expand scale and scope of reach,
(2) capture opportunities for validation of methods,
(3) draw on insights and evidence from our diverse MIT collaborations and initiatives related to the MIT SoS project, and
(4) reach out to stakeholder communities through communication, outreach, and response to requests for information.
Approach & Method
The approach is to view National Institute for Standards and Technology (NIST) as “laboratory”, a basic source of information, data, and analyses, and thus provide institutional consistency in data used for the core of the research design. The “raw” data consists of policy reports on CPS cybersecurity as well as NIST analyses of CPS properties for the “proof of concept” case.
Clearly, considerable efforts are always being made to “mine” NIST materials, our approach appreciates and is informed by such efforts, it is distinctive by developing a suite of cybersecurity policy analytics—based entirely on metricized text of policy documents and applied to metricized models of CPS. (The basic “proof of concept” for CPS cybersecurity is smart grid for electric power systems).
The overall method consist of five segments, namely:
(1) Transform policy guidelines from text to metrics and models,
(2) Validate both metrics and models through applications to other use cases, in other institutional and policy contexts,
(3) Identify policy-targeted CPS properties, vulnerabilities and impacts, map security requirements to security objectives,
(4) Situate responses of CPS to targeted policy controls, and
(5) Connect policy directives to CPS properties.
Project Participants
An interdisciplinary team, listed below, participated in various parts of the Project:
- Saurabh Amin, Associate Professor, Civil and Environmental Engineering, MIT (2018–2019);
- Jerome Anaya, Assistant, Political Science, MIT (2018–2019, 2022–2024);
- Lauren Fairman, Assistant, Political Science, MIT (2019–2021);
- Gaurav, MIT Consulting Researcher, (2018–2023), [a.k.a. Gaurav Agarwal];
- James Gordon, MIT Undergraduate Research Opportunity Program – UROP (2020);
- Nechama Huba, Student, Wellesley College, Junior–Senior (2021-2023);
- Allen Moulton, Research Scientist, Sociotechnical Systems Research Center (SSRC), MIT (2020);
- Joseph Ward, MIT Undergraduate Research Opportunity Program – UROP (2021).
Gaurav Agarwal served as the core data analyst and modeler, and Jerome Anaya provided sustained support for report preparation and submission.