
    Asset Criticality in Mission Reconfigurable Cyber Systems and its Contribution to Key Cyber Terrain

    The concept of a common operational picture has been used by the military for situational awareness in warfare domains for many years. With the emergence of cyberspace as a domain, there is a need to develop doctrine and tools that give key decision-makers situational awareness there as well. Our study analyzes the key elements that define cyber situational awareness in order to develop a methodology for identifying assets within key cyber terrain, thus enabling situational awareness at the tactical level. For the purposes of this work, we treat critical assets as key cyber terrain, since no formal study has yet determined the difference between asset criticality and key cyber terrain. Mission- and operationally-based questions are investigated to identify critical assets with the TOPSIS methodology. Results show that an ICS can be evaluated with TOPSIS to identify the critical assets that contribute to key cyber terrain, enabling further research into other interconnected systems.
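The abstract names TOPSIS as the ranking method but does not show it. The following is an added example, not code from the paper: a plain TOPSIS over a constructed scoring sheet for a small ICS cell. The assets, criteria, 1..9 scoring scale and weights are all assumptions chosen to illustrate the mechanics (vector normalisation, weighting, distance to the ideal best and ideal worst alternative, relative closeness), not values from the study. The redundancy criterion is modelled as a cost criterion, since a well-redundant asset is less critical than the scores alone would suggest.

```python
"""TOPSIS ranking of ICS assets by criticality (constructed example, not from the paper)."""
from math import sqrt
from typing import Dict, List, Sequence, Tuple

# Constructed scoring sheet. Each criterion is the assessor's answer to a
# mission/operational question on an assumed 1..9 scale:
#   mission_dependency : how directly the asset supports the mission (benefit)
#   dependent_services : services that stop if the asset fails (benefit)
#   redundancy         : hot spares / failover paths (cost: more = less critical)
CRITERIA = ("mission_dependency", "dependent_services", "redundancy")
IS_BENEFIT = (True, True, False)
WEIGHTS = (0.5, 0.3, 0.2)

ASSETS: Dict[str, Sequence[float]] = {
    "safety-plc": (9, 3, 1),
    "historian": (4, 2, 2),
    "hmi": (7, 4, 1),
    "eng-workstation": (5, 1, 3),
}


def topsis(assets: Dict[str, Sequence[float]], weights: Sequence[float],
           is_benefit: Sequence[bool]) -> Dict[str, float]:
    """Return the relative closeness to the ideal solution, in [0, 1], per asset."""
    names = list(assets)
    matrix = [list(map(float, assets[n])) for n in names]
    n_crit = len(weights)
    if len(is_benefit) != n_crit or any(len(row) != n_crit for row in matrix):
        raise ValueError("criteria, weights and asset rows must have the same length")
    if any(w < 0 for w in weights) or sum(weights) == 0:
        raise ValueError("weights must be non-negative and not all zero")
    total = sum(weights)
    w = [x / total for x in weights]  # normalise so the weights sum to 1
    # Step 1: vector-normalise each criterion column.
    norms = [sqrt(sum(row[j] ** 2 for row in matrix)) for j in range(n_crit)]
    if any(nrm == 0 for nrm in norms):
        raise ValueError("a criterion column is all zeros; drop it, it cannot discriminate")
    # Step 2: weighted normalised decision matrix.
    v = [[w[j] * row[j] / norms[j] for j in range(n_crit)] for row in matrix]
    # Step 3: ideal best and ideal worst value per criterion.
    best = [max(r[j] for r in v) if is_benefit[j] else min(r[j] for r in v) for j in range(n_crit)]
    worst = [min(r[j] for r in v) if is_benefit[j] else max(r[j] for r in v) for j in range(n_crit)]
    # Steps 4 and 5: Euclidean distance to both ideals, then relative closeness.
    scores: Dict[str, float] = {}
    for name, row in zip(names, v):
        d_best = sqrt(sum((row[j] - best[j]) ** 2 for j in range(n_crit)))
        d_worst = sqrt(sum((row[j] - worst[j]) ** 2 for j in range(n_crit)))
        scores[name] = d_worst / (d_best + d_worst) if (d_best + d_worst) else 0.0
    return scores


def rank_assets(assets=ASSETS, weights=WEIGHTS, is_benefit=IS_BENEFIT) -> List[Tuple[str, float]]:
    """Assets ordered from most to least critical (highest closeness first)."""
    scores = topsis(assets, weights, is_benefit)
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for name, score in rank_assets():
        print(f"{name:16s} closeness={score:.3f}")
```

With these constructed scores the safety PLC ranks first (closeness about 0.82) and the HMI second (about 0.75); the engineering workstation, with the most redundancy and the fewest dependents, ranks last. Because TOPSIS is sensitive to the weight vector, a practitioner would rerun the ranking under a few plausible weightings and only treat assets that stay at the top as key cyber terrain.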

    CRUSOE: A Toolset for Cyber Situational Awareness and Decision Support in Incident Handling

    The growing size and complexity of today's computer networks make it hard to achieve and maintain so-called cyber situational awareness, i.e., the ability to perceive and comprehend the cyber environment and to project the situation into the near future. In particular, the personnel of cybersecurity incident response teams and security operations centers should be aware of the security situation in the network in order to prevent or mitigate cyber attacks effectively and to avoid mistakes in the process. In this paper, we present a toolset for achieving cyber situational awareness in a large and heterogeneous environment. Our goal is to support cybersecurity teams in iterating through the OODA loop (Observe, Orient, Decide, Act). We designed tools that help the operator make informed decisions in incident handling and response for each phase of the cycle. The Observe phase builds on common tools for active and passive network monitoring and vulnerability assessment. In the Orient phase, the data on the network are structured and presented in a comprehensible and visually appealing manner. The Decide phase opens opportunities for decision-support systems, in our case a recommender system that suggests the most resilient configuration of the critical infrastructure. The Act phase is supported by a service that orchestrates network security tools and allows for prompt mitigation actions. Finally, we present lessons learned from deploying the toolset in a campus network and the results of a user evaluation study.

    Kinetic and Cyber

    We compare and contrast situation awareness in cyber warfare and in conventional, kinetic warfare. Situation awareness (SA) has a far longer history of study and application in areas such as the control of complex enterprises and conventional warfare than in cyber warfare. Far more is known about SA in conventional military conflicts, or adversarial engagements, than in cyber ones. By exploring what is known about SA in conventional, commonly called kinetic, battles, we may gain insights and research directions relevant to cyber conflicts. We discuss the nature of SA in kinetic conflict, review what is known about this kinetic SA (KSA), and then offer a comparison with what is currently understood about cyber SA (CSA). We find that the challenges and opportunities of KSA and CSA are similar, or at least parallel, in several important ways. With respect to similarities, in both the kinetic and the cyber world SA strongly affects the outcome of the mission, and cognitive biases are found in both KSA and CSA. As an example of a difference, KSA often relies on a commonly accepted, widely used organizing representation: the map of the physical terrain of the battlefield. No such common representation has emerged in CSA yet. A version of this paper appeared as a book chapter in Cyber Defense and Situational Awareness, Springer International Publishing, 2014. Prepared by US Government employees in their official duties; approved for public release, distribution unlimited.

    Continuous Monitoring System Based on Systems' Environment

    We present a new framework (and its mechanisms) for a Continuous Monitoring System (CMS) with new, improved capabilities, and discuss its requirements and implications. The CMS is based on the real-time actual configuration of the system and its environment rather than on a theoretical or assumed configuration. Moreover, the CMS predicts organizational damage by taking into account the chains of impact among systems' components generated by messaging between software components. In addition, the CMS accounts for all organizational effects of an attack. Its risk measurement takes into account the consequences of a threat, as defined in risk analysis standards. Loss prediction is based on a neural network algorithm with learning and improving capabilities, rather than on a fixed algorithm, which typically lacks the necessary dynamic updates from the environment. The framework presentation includes the systems design, the neural network architecture design, and an example of the detailed network architecture. Keywords: Continuous Monitoring, Computer security, Attack graph, Software vulnerability, Risk management, Impact propagation, Cyber attack, Configuration management.

    Quantifying Impact of Cyber Actions on Missions or Business Processes: A Multilayer Propagative Approach

    Ensuring the security of cyberspace is one of the most significant challenges of the modern world because of its complexity. As the cyber environment becomes more integrated with the real world, cybersecurity problems increasingly have a direct impact on actual business. Operational and strategic decision makers in particular therefore need to understand the cyber environment and its potential impact on business. Cyber risk has become a top agenda item for businesses all over the world and is listed as one of the most serious global risks, with significant financial implications for businesses. Risk analysis is one of the primary tools used in this endeavor. Impact assessment, as an integral part of risk analysis, tries to estimate the possible damage of a cyber threat to the business. It provides the main input to risk prioritization, as it incorporates business requirements into risk analysis for a better balance of security and usability. Moreover, impact assessment constitutes the main body of information flowing between technical staff and business leaders, and therefore requires an effective synergy of the technological and business aspects of cybersecurity. The purpose of this research is to develop a methodology to quantify the impact of cybersecurity events, incidents, and threats. The developed method addresses impact quantification from an interdependent system-of-systems point of view. The objectives of this research are (1) developing a quantitative model to determine impact propagation within a layer of an enterprise (i.e., the asset, service, or business process layer); (2) developing a quantitative model to determine impact propagation among the different layers of an enterprise; and (3) developing an approach to estimate the economic cost of a cyber incident or event.
    Although there are various studies on cybersecurity risk quantification, only a few focus on impact assessment at the business process layer while considering ripple effects across both the horizontal and the vertical layers. This research develops an approach that quantifies the economic impact of cyber incidents, events, and threats on business processes by considering horizontal and vertical interdependencies and impact propagation within and among layers.
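The abstract describes the three objectives (horizontal propagation within a layer, vertical propagation between layers, and an economic cost estimate) but not a concrete model. The following is an added example, not the dissertation's model: a small multilayer dependency graph over an assumed three-layer enterprise (assets, services, business processes) in which each node inherits the weighted impact of whatever it depends on, taking the maximum over incoming edges so that impact stays in [0, 1], and a process-level cost is then derived from assumed per-hour loss rates. Node names, edge weights, loss rates and outage duration are all constructed.

```python
"""Multilayer impact propagation, asset -> service -> process (constructed example, not from the thesis)."""
from typing import Dict, List, Tuple

LAYERS = ("asset", "service", "process")  # vertical order, bottom to top

# Constructed enterprise model: node -> layer.
NODES: Dict[str, str] = {
    "db-server": "asset", "app-server": "asset",
    "order-api": "service", "payment": "service", "reporting": "service",
    "order-fulfilment": "process", "billing": "process", "management-reporting": "process",
}
# (source, target, weight): fraction of the source's impact that the target inherits.
# Same-layer edges are horizontal propagation; layer-up edges are vertical propagation.
EDGES: List[Tuple[str, str, float]] = [
    ("db-server", "app-server", 0.8),            # horizontal, asset layer
    ("app-server", "order-api", 1.0),            # vertical
    ("db-server", "reporting", 0.5),             # vertical
    ("order-api", "payment", 0.6),               # horizontal, service layer
    ("order-api", "order-fulfilment", 1.0),      # vertical
    ("payment", "billing", 0.9),                 # vertical
    ("reporting", "management-reporting", 1.0),  # vertical
]
# Constructed loss rate per business process, currency units per hour of full outage.
LOSS_PER_HOUR: Dict[str, float] = {
    "order-fulfilment": 5000.0, "billing": 2000.0, "management-reporting": 300.0,
}


def validate(nodes: Dict[str, str], edges: List[Tuple[str, str, float]]) -> None:
    """Reject unknown nodes, out-of-range weights and edges that point down a layer."""
    for src, dst, w in edges:
        if src not in nodes or dst not in nodes:
            raise ValueError(f"edge {src}->{dst} references an unknown node")
        if not 0.0 <= w <= 1.0:
            raise ValueError(f"edge {src}->{dst}: weight {w} must be in [0, 1]")
        ls, ld = LAYERS.index(nodes[src]), LAYERS.index(nodes[dst])
        if ld not in (ls, ls + 1):
            raise ValueError(f"edge {src}->{dst} must be horizontal or exactly one layer up")


def propagate(initial: Dict[str, float], nodes=NODES, edges=EDGES) -> Dict[str, float]:
    """Impact in [0, 1] per node after propagating the initial (direct) impacts.

    Each node takes the max of its direct impact and the weighted impact arriving
    over any incoming edge. Max rather than sum keeps values bounded and makes the
    sweep a monotone fixed-point iteration, so it also terminates on dependency cycles.
    """
    validate(nodes, edges)
    impact = {n: 0.0 for n in nodes}
    for n, v in initial.items():
        if n not in nodes or not 0.0 <= v <= 1.0:
            raise ValueError(f"bad initial impact for {n!r}")
        impact[n] = v
    for _ in range(len(nodes)):  # a value travels at most len(nodes)-1 edges
        changed = False
        for src, dst, w in edges:
            cand = w * impact[src]
            if cand > impact[dst] + 1e-12:
                impact[dst] = cand
                changed = True
        if not changed:
            break
    return impact


def economic_cost(impact: Dict[str, float], outage_hours: float,
                  loss_per_hour=LOSS_PER_HOUR) -> float:
    """Process-layer cost: degraded fraction of each process times its loss rate and duration."""
    return outage_hours * sum(impact.get(p, 0.0) * rate for p, rate in loss_per_hour.items())


if __name__ == "__main__":
    imp = propagate({"db-server": 1.0})  # scenario: database server fully compromised
    for name in NODES:
        print(f"{name:22s} {NODES[name]:8s} impact={imp[name]:.3f}")
    print(f"estimated cost of a 4h outage: {economic_cost(imp, 4.0):.0f}")
```

In the constructed scenario a full compromise of the database server degrades order fulfilment to 0.8 and billing to 0.432 through two horizontal hops and the vertical edges, and a four-hour outage costs 20056 units. The choice of max over sum is a modelling decision: sum would let two partially impacted dependencies push a node past 1.0, which has no meaning for a degradation fraction; a model that wants to capture compounding should instead use a noisy-or style combination that also stays in [0, 1].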

    Influence Operations and the Human Domain

    As the nature of contemporary warfare continues to evolve geographically, demographically, and politically, it is increasingly crucial for commanders and staffs conducting full-spectrum counterinsurgency operations to truly understand the complexity of the operating environment and to employ forces and assets in a predictive and multispectral manner. In wars that are irregular in character, in which armed groups recruit from, hide among, and are willing to attack communities, the nature of the conflict is a fight for the population. In these environments, the preponderance of effort must be focused on influencing the population more effectively than the adversary does. This is the fight for the human domain.

    Cyber Law and Espionage Law as Communicating Vessels

    Professor Lubin's contribution is Cyber Law and Espionage Law as Communicating Vessels, pp. 203-225. The existing legal literature would have us assume that espionage operations and "below-the-threshold" cyber operations are doctrinally distinct. Whereas one is subject to the scant, amorphous, and under-developed legal framework of espionage law, the other is subject to an emerging, ever-evolving body of legal rules known cumulatively as cyber law. This dichotomy, however, is erroneous and misleading. In practice, espionage law and cyber law function as communicating vessels, and so are better conceived as two elements of a complex system, Information Warfare (IW). This paper therefore first draws attention to the similarities between the practices: the actors, technologies, and targets are interchangeable, as are the knee-jerk legal reactions of the international community. In light of the convergence between peacetime Low-Intensity Cyber Operations (LICOs) and peacetime Espionage Operations (EOs), the two should be subjected to a single regulatory framework, one that recognizes the role intelligence plays in our public world order and that adopts a contextual and consequential method of inquiry. The paper proceeds in the following order: Part 2 provides a descriptive account of the unique symbiotic relationship between espionage law and cyber law, and explains the reasons for this dynamic. Part 3 places the discussion of this relationship within the broader discourse on IW, claiming that the convergence between EOs and LICOs described in Part 2 can be further explained by an even larger convergence across all the various elements of the informational environment. Parts 2 and 3 then serve as the backdrop for Part 4, which details the attempt of the drafters of the Tallinn Manual 2.0 to compartmentalize espionage law and cyber law, and the deficits of their approach.
    The paper concludes by proposing an alternative, holistic understanding of espionage law, grounded in general principles of law, which transfers more readily to the cyber realm.

    Outsourced incident management services

    With the increasing use of information and communication technologies (ICT), many organizations are outsourcing information security services to managed security service providers (MSSPs). This project reports results on current practice and experience with outsourced incident management services. The research was conducted as a qualitative case study of six large MSSPs, one emerging MSSP, and an independent expert. The findings reveal multiple challenges that both customers and providers currently face, together with suggestions for addressing them; this information will be useful for organizations looking to improve their practices. The research seeks to build awareness of the challenges posed by relying on outsourced services for incident management, describes how these services are benefiting or otherwise affecting current incident management teams, and outlines some of the future needs of this field. Furthermore, it contributes a categorization of the services offered by some of the most significant MSSPs on the market.

    Automating Security Risk and Requirements Management for Cyber-Physical Systems

    Cyber-Physical Systems enable various modern use cases and business models such as connected vehicles, the Smart (power) Grid, or the Industrial Internet of Things. Their key characteristics, complexity, heterogeneity, and longevity, make the long-term protection of these systems a demanding but indispensable task. In the physical world, the laws of physics provide a fixed frame for risks and their treatment. In cyberspace, on the other hand, there is no such constant to counteract the erosion of security properties. As a result, existing security risks can change continuously and new ones can arise. To prevent damage caused by malicious acts, it is necessary to identify high and unknown risks early and to counter them appropriately. Accounting for the numerous dynamic security-relevant factors requires a new level of automation in the management of security risks and requirements that goes beyond the current state of the art. Only in this way can an appropriate, comprehensive, and consistent level of security be achieved in the long term.
    This work addresses the pressing lack of an automation methodology for security risk assessment and for the generation and management of security requirements for Cyber-Physical Systems. The presented framework comprises three components: (1) a model-based methodology for identifying and assessing security risks; (2) methods to unify, derive, and manage security requirements; and (3) a set of tools and procedures to detect and respond to security-relevant situations. The need for protection and the appropriate rigor are determined by the security risk assessment using graphs and security-specific modeling. Based on the model and the assessed risks, well-founded security requirements for protecting the overall system and its functionality are then systematically derived and formulated in a uniform, machine-readable structure. This machine-readable structure makes it possible to propagate security requirements automatically along the supply chain, and it enables the efficient reconciliation of existing capabilities with external security requirements from regulations, processes, and business partners. Despite all measures taken, some residual risk of compromise always remains and must be responded to appropriately. This residual risk is addressed by tools and processes that improve the local and the large-scale detection, classification, and correlation of incidents. Integrating the findings from such incidents into the model often leads to updated assessments and new requirements, and improves further analyses. Finally, the presented framework is demonstrated on a recent application example from the automotive domain.