
Policy Analytics for Science of Security Program

Almost everyone recognizes the salience and ubiquity of cyber-physical systems (CPS), engineered systems whose functionality derives from the networked interaction of computational and physical processes. The tight integration of physical and computational features has already created new generations of smart systems whose impacts are revolutionary, pervasive, and system transforming in the broadest sense of the term.

Context & Motivation

A profound revolution, driven by technology and market forces, is already turning whole industrial sectors into producers of CPS. We have seen autonomous vehicles, military platforms, intelligent buildings, smart energy systems, intelligent transportation systems, robots, smart medical devices, and the like. Industrial platforms, such as the Internet of Things, are becoming household items.

Such innovations come with critical correlates—notably new and emerging vulnerabilities, threats and attacks, and diffused uncertainty. The merging or coupling of computing and networking with physical systems creates new capabilities, products, and processes. Physical systems can now be attacked through cyberspace, and cyberspace can be attacked through physical means. And even the networks of networks that enable cyberspace are anchored in physical properties.

By definition, such guidelines and policies are written in a linear, sequential text format. This makes them difficult to integrate and makes the policy-technology-security interactions hard to understand, which limits their full use for policy implementation as well as their potential contributions to a science of security.

Missing at this time are analytics that capture the full benefits and opportunity costs embedded in guidelines and policy documents. In response, we developed a set of text-to-analytics methods and tools to assist in generating this value added. These methods are constructed and introduced in applications to the NIST Cybersecurity Framework and the NIST Guidelines for Smart Grid Cybersecurity.

Policy directives and guideline texts for cybersecurity carry their own constraints. Some are explicit; others are not. It is not clear whether the dilemma lies in the design and substance of the policies, the paucity of metrics, or the absence of informative analytics. RAND concluded that “…the policies governing cybersecurity are better suited to simple, stable, and predictable environments, leading to significant gaps in cybersecurity management.” More important, they are not based on any precepts we would consider as bearing on a science of security.

Technical Challenges

Several technical barriers impede full understanding of the cyber-physical properties of a smart grid enterprise. Among these are: (a) locating policy-relevant decision points, (b) identifying vulnerabilities embedded in organizational processes and technical operations, (c) differentiating the intent of a threat actor from the vulnerability of the system, (d) tracking damages and diffusion effects, (e) characterizing potential unknown-unknowns, and (f) metricizing functional relationships—to note the most obvious.

Previously we reviewed the new trends, contributions, and identifiable limitations in cybersecurity research. We argue that these limitations are due largely to the lack of interdisciplinary cooperation required to address a problem that is clearly multifaceted.

We have also provided recommendations for terminology use when writing papers on cybersecurity and laid the groundwork for interaction between technical and nontechnical stakeholders. The vision and objectives of our research, and a solution strategy for analytics for smart grid cybersecurity, are described in Analytics for Smart Grid Cybersecurity.

Contributions to NSA Science of Security and Privacy Program

We developed a multimethod modular approach applied to a generic system in a controlled environment. The “raw data” consists of the texts of the National Institute of Standards and Technology (NIST) Guidelines for Smart Grid Cybersecurity (NIST, 2014b), augmented by exploration of user-specific customizations and generalizations.

This Project directly addresses the hard problem (Nicol et al., 2012) of “policy-governed secure collaboration” at the enterprise level (for the smart grid). It is especially relevant to the Science of Security and Privacy Program because the work plan is (1) anchored in a formalized, structured system model derived from critical policy texts, and (2) designed to:

  • Identify system-wide properties
  • Situate vulnerabilities
  • Map security requirements to security objectives
  • Identify how system features interact with security requirements and affect cybersecurity of critical cyber-physical enterprises.

The Figure below serves as a useful three-fold introduction to the Project research design. First, it displays our near-, mid-, and long-term research project goals. Second, it situates the Hard Problem of “Policy-Governed Secure Collaboration” as the primary focus of our work. Third, it displays all the Hard Problems — noted in the grey bar areas — and situates them across the research phases of the Project as a whole.

Figure 1. Research Design—Phases.
PROJECT DESIGN–RESEARCH PHASES FOR SCIENCE OF SECURITY (SOS) HARD PROBLEMS
Source: Choucri, N., & Agarwal, G. (2018). Quarterly report “Policy Analytics for Cybersecurity of Cyber-Physical Systems” (Year 1, Quarter 1). Science of Security and Privacy Program.

Research Design

The research design and workplan for the Project on Analytics for Cybersecurity consist of five tasks. Each task is a distinct phase of inquiry that allows for independent assessment. Each, however, is contingent – tied to and dependent – on the products of the others.

Create Foundations for Cybersecurity Analytics

During Year 1, the focus is entirely on the required foundations for cybersecurity analytics, which include: (1) identifying the policy-relevant ecosystem; (2) formalizing rules for extracting data from text; (3) identifying missing pieces for the implementation of cybersecurity measures; and (4) designing an internally consistent structure to organize, metricize, and manage critical information.

Establish Information Flows in System-wide Operations

Our objective in Years 2–3 was to construct model(s) of the system structure and information flows represented in the policy texts. A key product is the dependency structure matrix of the cyber-physical system, created by identifying first-level information dependencies.

Examine Dependencies of Information Flows and System Architecture

Accordingly, the next step was to examine the dependencies of information flows and technical architecture. Our purpose here is to generate visual representations of information flows throughout the system using graph theory and network methods.
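The two steps above (build a dependency structure matrix from first-level information dependencies, then use graph methods to trace how a disturbance propagates through the system) can be demonstrated with a small amount of code. The following is an added example written for this page, not code from the MIT project: the component names and the dependency pairs are constructed placeholders for generic smart-grid actors, not dependencies extracted from the NIST guidelines. It builds the DSM, computes the transitive closure with Warshall's algorithm, and reports which components are affected when one component's information is disturbed, which is the kind of "diffusion effect" question the Technical Challenges section raises.

```python
"""Dependency structure matrix (DSM) and diffusion of disturbances over information flows.

Added example; not the project's own code. All component names and dependencies
below are constructed for illustration only.
"""
from __future__ import annotations

from typing import Dict, List, Tuple

# Constructed first-level information dependencies as (consumer, provider) pairs:
# the consumer needs information produced by the provider. Names are hypothetical.
SAMPLE_DEPENDENCIES: List[Tuple[str, str]] = [
    ("EMS", "SCADA"),            # energy management system reads SCADA telemetry
    ("SCADA", "FieldDevice"),    # SCADA polls field devices
    ("Billing", "MeterData"),    # billing consumes validated meter data
    ("MeterData", "SmartMeter"), # meter data management ingests smart-meter reads
    ("EMS", "MeterData"),        # EMS also uses aggregated meter data
    ("MarketOps", "EMS"),        # market operations depend on EMS outputs
]


def build_dsm(deps: List[Tuple[str, str]]) -> Tuple[List[str], List[List[int]]]:
    """Return (components, matrix); matrix[i][j] == 1 means component i depends on j."""
    components = sorted({name for pair in deps for name in pair})
    index: Dict[str, int] = {name: i for i, name in enumerate(components)}
    n = len(components)
    matrix = [[0] * n for _ in range(n)]
    for consumer, provider in deps:
        matrix[index[consumer]][index[provider]] = 1
    return components, matrix


def transitive_closure(matrix: List[List[int]]) -> List[List[int]]:
    """Warshall's algorithm: reach[i][j] == 1 if i depends on j directly or indirectly."""
    n = len(matrix)
    reach = [row[:] for row in matrix]
    for k in range(n):
        for i in range(n):
            if reach[i][k]:
                for j in range(n):
                    if reach[k][j]:
                        reach[i][j] = 1
    return reach


def has_cycle(reach: List[List[int]]) -> bool:
    """A component that transitively depends on itself indicates a feedback loop."""
    return any(reach[i][i] for i in range(len(reach)))


def affected_by(components: List[str], reach: List[List[int]], disturbed: str) -> List[str]:
    """Components whose information flow is transitively affected if `disturbed` is compromised."""
    j = components.index(disturbed)
    return sorted(components[i] for i in range(len(components)) if i != j and reach[i][j])


def diffusion_ranking(components: List[str], reach: List[List[int]]) -> List[Tuple[str, int]]:
    """Rank components by how many others depend on them (larger = wider blast radius)."""
    counts = [
        (name, sum(reach[i][j] for i in range(len(components)) if i != j))
        for j, name in enumerate(components)
    ]
    return sorted(counts, key=lambda item: (-item[1], item[0]))


def render_dsm(components: List[str], matrix: List[List[int]]) -> str:
    """Plain-text DSM: rows are consumers, columns are providers."""
    width = max(len(name) for name in components)
    header = " " * width + " " + " ".join(name[:3].rjust(3) for name in components)
    rows = [
        name.rjust(width) + " " + " ".join(str(cell).rjust(3) for cell in row)
        for name, row in zip(components, matrix)
    ]
    return "\n".join([header] + rows)


if __name__ == "__main__":
    comps, dsm = build_dsm(SAMPLE_DEPENDENCIES)
    closure = transitive_closure(dsm)
    print(render_dsm(comps, dsm))
    print("cycle present:", has_cycle(closure))
    print("affected if SmartMeter data is disturbed:", affected_by(comps, closure, "SmartMeter"))
    print("diffusion ranking:", diffusion_ranking(comps, closure))
```

With the constructed input, disturbing the hypothetical SmartMeter feed affects every consumer upstream of it (MeterData, Billing, EMS, MarketOps), and the ranking puts SmartMeter and FieldDevice at the top because the most components depend on them. In practice the dependency pairs would be the first-level dependencies extracted from the policy texts, and the same closure and ranking would then be run over the real DSM.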

Formalize SoS Policy Analytics & Application of Pragmatics

The next goal was to formalize enterprise-wide system dependencies, including the essential properties of system disturbances (vulnerabilities and risks), in order to assess potential system impacts and the attendant flow of implications.

Evaluation, Validation, Integration

The strategy for evaluation and validation includes (i) completing, validating, and implementing analytics derived from the NIST smart grid “conceptual” model (NIST, 2014b), (ii) integrating the risk analysis and directives of the NIST Cyber Security Framework v.1.1 (NIST, 2014a), and (iii) undertaking contingency analysis of security threats in terms of “what if…”.

References: