CARVER+Shock Vulnerability Assessment Tool
“As Agile As the Enemy”
The Foundation for Institutional Development
The Cycle of Security
[Figure: the cycle of Assessment, Mitigation, and Occurrence, repeating over Time]
As time goes on, we must assess our vulnerabilities. As the biggest holes in our defenses are plugged, we either move on to the next weakest area, or an occurrence drives us to reassess.
Security is a cycle, a business process, not an event.
How Our System Works
Based on Sun Tzu's principles of war
– Know Yourself
– Know Your Enemy
– Know Your Environment
– Know What Your Enemy Knows About You
Use the CARVER+Shock Vulnerability Assessment Tool
Can be used on all 13 Critical Infrastructures at any level
Critical Infrastructures
• Agriculture
• Food
• Water
• Public Health
• Emergency Services
• Government
• Defense Industrial Base
• Information and Telecommunications
• Energy
• Transportation
• Banking and Finance
• Chemical Industry
• Postal and Shipping
The Targeting Process: “Know Yourself”
Each Critical Infrastructure is a Target System
Target Systems (Sub-systems)
– A series of steps in the process
Target Complexes!!!
– Targets in the same geographical area
Target Components
– Specific pieces of machinery, structures, personnel, supplies, or computer files
– Critical to overall target system
Critical Nodes
– Critical to operation of target component
– How component is disabled
The Targeting Process: Identifying Critical Nodes
[Flowchart with the following boxes, the two questions each carrying YES and NO branches:
– Identify Target Systems
– Does the System Have Subsystems?
– Identify Sub-systems
– Identify Target Complexes
– Identify Target Components
– Does the component have a Critical Node?
– Identify Critical Nodes
– List all Critical Nodes / Components by Complex and system]
Sample Target System (Power)
[Figure: power system diagram including a Control Center, with brackets labelling the Target System or Subsystem, Target Complexes, and Target Components]
The Target System
The process that grows, harvests, processes, transports, and distributes any foodstuff is a target system. Each step can be considered a target sub-system.
[Figure: Grow → Harvest → Process → Transport → Distribute → Consume]
Target Complexes
[Figure labels: Harvest Facility, Processing Facility, Distribution (Retail), Transport Services, Layer Farm]
A target complex is a subset of a target subsystem. A target complex is a concentrated, integrated series of targets. It consists of facilities and activities that are close to each other geographically or virtually. Within a target complex, individual targets will be identified.
Target Components
[Figure labels: Egg Breaker Machines, Production Animals, Feed, Plant Workers, Inspectors, Grading and Packaging Machines]
Target components are the pieces of the target you can see or touch. Target components can be:
• Service providers (humans, animals)
• Infrastructure (buildings/equipment)
• Consumables (feed, medicine, etc.)
• Cyber (hardware, software, network)
CARVER + Shock (Assessment)
• Criticality
• Accessibility
• Recuperability
• Vulnerability
• Effect
• Recognizability
• Shock
(Consider multiple attacks occurring at the same time)
Design Basis Threat: “Know Your Enemy”
Develop a design basis threat to ensure continuity in planning/prioritization
Eliminates the need for Probability
Can encompass more than one scenario
Include:
– WHO Means (Methodology, MO, Weapons, Resources)
– HOW Type of Target (Include how they are selected)
– WHY (Political, Financial, Theological)
Update as threat changes on a permanent basis
Red Teaming: “Through the Eyes of the Enemy”
Uses Open Source Information
Lets you look at your target system through the eyes of the enemy
Helps determine where to commit mitigation resources
Curriculum
Executive Overview
– Informs government and corporate leadership on the program, tools and techniques to be used, and benefits to their organization
CARVER+Shock Vulnerability Assessment Tool
– Used during national level assessments in first phase
– Highly scalable
– Ubiquitous across any infrastructure
Open Source Intelligence Course
– Trains candidates to exploit open sources to obtain information on their own weaknesses as well as their threat
Red Team Course
– Trains analysts to view their facility as a target through the eyes of the enemy.