NAVAIR Cyber Risk Assessment
Presented to: PMI Southern Maryland Chapter
Presented by:
Dr. David A. Burke, Director Senior Leader (SL), NAVAIR Cyber Warfare Detachment (CWD)
Edward R. Morgan, Principal Engineer, NAWCAD 4.11.3/NAVAIR CWD
19 June 2018
NAVAIR Public Release 2018-575. Distribution Statement A – “Approved for public release; distribution is unlimited”
Presented at: Project Management Institute (PMI) Southern Maryland Chapter, NAS Patuxent, MD, 19 June 2018
Critical Questions
• How can I define risk management within cyberspace?
• How do I determine cyber risks that will affect my system and program?
• How can I measure the cyber risk relative to all of the traditional safety of flight risks and mission risks?
• How and when can I prioritize a cyber risk vs. other risks during my program execution?
• How can I build in resilience against cyber attacks?
Cyber Risk Management
Cyber Risk Assessment (CRA)
• What is a CRA?
  – A systems engineering, cyber attack tree based decomposition of a platform or weapon system
    • Identify all entry points into the system
    • Identify target list (key components & functions that an adversary would want to affect)
    • Create weighted attack paths from entry points to targets
• Why is it used?
  – Identify: potential threat vectors, risks associated with threat vectors, potential threats from boundary systems
  – Scope what vectors need to be validated via testing
• What does it produce?
  – CRA Report
  – Cybersecurity risk matrices
CRA Methodology
Attack Surface Understanding
[Diagram; recoverable labels:]
• Scope & Information Gathering – collecting system and mission information for Cyber Attack Surface Enumeration (CASE)
• Cyberspace Relevance – incrementally defining/capturing the characterization of each node
• Attack Surface Enumeration Process – main function: categorize nodes and their relationships
• CASE Presentation – data & graph
• CASE Support Role – inputs to other analyses and decisions: RMF, CYBERSAFE, SETR/MBSE, contract language, cybersecurity requirements, CTT
CRA Major Aspects
• Mission Decomposition
• Resilient Posture
• Threat Posture
• Attack Surface Posture
1.1.1 Level of Effort (LOE)/Susceptibility

Table C-1 ASSESSMENT SCALE – LOE/SUSCEPTIBILITY FOR THREAT EVENTS

| Qualitative Values | Semi-Quantitative Values | Description |
|---|---|---|
| Very Low | 5 | The amounts of (i) capability and (ii) time (i.e., difficulty) to accomplish a specific threat must average to a very low level to make the threat event’s level of effort very low. |
| Low | 4 | The amounts of (i) capability and (ii) time (i.e., difficulty) must average to a low level to make the threat event’s level of effort low. |
| Moderate | 3 | The amounts of (i) resources and (ii) time (i.e., difficulty) to accomplish a specific threat must average to a moderate level to make the threat event’s level of effort moderate. |
| High | 2 | The amounts of (i) capability and (ii) time (i.e., difficulty) to accomplish a specific threat must average to a high level to make the threat event’s level of effort high. |
| Very High | 1 | The amounts of (i) capability and (ii) time (i.e., difficulty) to accomplish a specific threat must average to a very high level to make the threat event’s level of effort very high. |

Table C-2 ASSESSMENT SCALE – LEVEL OF EFFORT MODIFIER WITHIN SYSTEM ARCHITECTURE

| Category | LOE Modifier | Description | Example |
|---|---|---|---|
| Availability of Details | Table C-7 Value | Access to security-relevant details associated with the mission system asset | 3 |
| Supply Chain Exposure | Table C-8 Value | Exposure of hardware, software/firmware supply chain, and/or internal government logistics processes | 2 |
| Accessibility/Reachability | Table C-9 Value | Ability for an actor to interact with the mission system asset, and accounts for architectural complexity and operational contexts including mission geographic location; does not account for security controls | 4 |
| Usage Window/Frequency | Table C-10 Value | Window(s) of time associated with the usage of the mission system asset | 5 |
| Security Controls | Table C-11 Value | Thoroughness and effectiveness of the design, engineering and implementation of technical security controls (i.e., protect, detect) and the recency of security assessment to test their sufficiency | 4 |
| Hygiene | Table C-12 Value | Supportability of the mission system component by vendor (e.g., legacy OS unsupported by vendor) or maintenance organization based on relative age, patch level, and known or unknown vulnerability | 5 |
| Total | | | 23 |
| Average (Total / 6), Rounded | | | 4 |
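
The Table C-2 roll-up and the CRA step "create weighted attack paths from entry points to targets", sketched in Python as an added example; it is not part of the original briefing or any NAVAIR tool. The node names, graph and modifier values are constructed, and two choices are assumptions the slides do not state: rounding half up, and scoring a path by its highest-effort (lowest-valued) node.

```python
# Added illustration: node names, graph and modifier values are constructed.
LOE_SCALE = {5: "Very Low", 4: "Low", 3: "Moderate", 2: "High", 1: "Very High"}
CATEGORIES = ("details", "supply_chain", "reachability",
              "usage_window", "security_controls", "hygiene")

def mods(*values):
    """Pair six modifier values with the Table C-2 categories, in order."""
    return dict(zip(CATEGORIES, values))

def node_loe(m):
    """Table C-2 roll-up: total the six values, divide by 6, round."""
    if set(m) != set(CATEGORIES) or any(v not in LOE_SCALE for v in m.values()):
        raise ValueError("need all six categories, each scored 1-5")
    total, n = sum(m.values()), len(CATEGORIES)
    return (2 * total + n) // (2 * n)  # round half up (assumption)

def attack_paths(edges, entry_points, targets):
    """Yield every cycle-free path from an entry point to a target."""
    def walk(path):
        if path[-1] in targets:
            yield path
        for nxt in edges.get(path[-1], ()):
            if nxt not in path:  # never revisit a node
                yield from walk(path + [nxt])
    for entry in entry_points:
        yield from walk([entry])

def rank_paths(nodes, edges, entry_points, targets):
    """Score a path by its hardest node (assumption), then list the
    least-effort paths first: the first candidates for test validation."""
    loe = {name: node_loe(m) for name, m in nodes.items()}
    scored = [(min(loe[n] for n in p), p)
              for p in attack_paths(edges, entry_points, targets)]
    scored.sort(key=lambda sp: (-sp[0], len(sp[1])))
    return [(s, LOE_SCALE[s], p) for s, p in scored]

NODES = {
    "maintenance_port": mods(3, 2, 4, 5, 4, 5),  # Table C-2 example values
    "datalink_radio":   mods(2, 2, 3, 3, 2, 3),
    "mission_computer": mods(3, 3, 3, 4, 3, 4),
    "data_bus":         mods(4, 3, 4, 5, 5, 5),
    "flight_control":   mods(3, 3, 4, 5, 4, 5),
}
EDGES = {"maintenance_port": ["mission_computer", "data_bus"],
         "datalink_radio": ["mission_computer"],
         "mission_computer": ["data_bus"], "data_bus": ["flight_control"]}
ENTRY_POINTS, TARGETS = ["maintenance_port", "datalink_radio"], {"flight_control"}

if __name__ == "__main__":
    for row in rank_paths(NODES, EDGES, ENTRY_POINTS, TARGETS):
        print(row)
```

On the Table C-1 scale a higher number means less effort for the actor, so the path ranked first is the one whose hardest step is still rated Low.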
CRA Products