Integrating Physical Protection and Cyber Security Vulnerability Assessments

Size: px

Start display at page:

Download "Integrating Physical Protection and Cyber Security Vulnerability Assessments"

Margaret Burke
10 years ago
Views:

1 Integrating Physical Protection and Cyber Security Vulnerability Assessments Presented by Doug MacDonald Information Release # PNNL-SA-99462

2 Definition Wikipedia defines Vulnerability Assessments as the process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system Where vulnerabilities are defined as the inability to protect an asset or target against a defined threat or reduced system effectiveness resulting from reduced, compromised, or lacking defensive measures

vulnerabilities are defined as the inability to protect an asset or target against a

3 Introduction Historical physical protection systems Evolution over the years Added system vulnerabilities Not properly identifying these vulnerabilities can have catastrophic consequences

vulnerabilities Not properly identifying these

4 Historically Most physical protection vulnerability assessments and cyber security analysis are performed in an independent or stove piped manner, and don t account for system level interactions or interdependencies This provides a segmented or incomplete picture of the overall risk to an asset

and don t account for system level interactions or interdependencies This

5 Need Need to fully evaluate the physical protection domain and the cyber security domain together to understand the overall performance of the protection measures in place Need to identify and quantify the areas of undetermined risk

understand the overall performance of the protection

6 Need Need to fully evaluate the physical protection domain and the cyber security domain together to understand the overall performance of the protection measures in place Need to identify and quantify the areas of undetermined risk

7 Need Need to fully evaluate the physical protection domain and the cyber security domain together to understand the overall performance of the protection measures in place Need to identify and quantify the areas of undetermined risk

8 Need Need to fully evaluate the physical protection domain and the cyber security domain together to understand the overall performance of the protection measures in place Need to identify and quantify the areas of undetermined risk

9 Evolution of the Assessment Physical Security VA Cyber Security Assessments The integrated Cyber/Physical VA

10 Bringing the Domains Together The blended approach used by PNNL to integrate the Cyber and Physical vulnerability assessment process is needed to properly identify and quantify the system level interactions and interdependencies Blended approach development 4 year effort of experienced SMEs Boots on the ground, firsthand knowledge Years of experience with the systems in the field Experts were cross-trained in the process and methodology each domain currently uses for assessments Terminology (a common language) Timely detection methodology Experiences The team modified the capability to evaluate every avenue of approach using both electronic and physical pathways

Years of experience with the systems in the field Experts were cross-trained in the process and methodology each domain currently uses for assessments Terminology (a

11 Assessments and Lessons Learned Real-world assessment Team of 10 SMEs Scope was the entire system Had just completed a comprehensive assessment Several areas of concern based on the cyber/physical interplay New modeling and simulation tools are needed to accurately capture and thoroughly evaluate this blended cyber/physical approach They must provide a comprehensive vulnerability assessment and risk analysis tool Incorporate elements like the ability to capture and quantify system level interdependencies and interactions And provide a backtracking capability

and thoroughly evaluate this blended cyber/physical approach They must provide a comprehensive vulnerability assessment and risk analysis

12 PACRAT PNNL created a new software tool for the blended assessment that can Perform a comprehensive vulnerability assessment and risk analysis with all of the most widely used features of today Plus added elements like the ability to capture and quantify system level interdependencies and interactions And a backtracking capability The Physical and Cyber Risk Analysis Tool (aka PACRAT) is much more than a vulnerability analysis tool, it s an automated discovery and what if analysis solution Evaluating all physical and electronic pathways in a holistic fashion is the only way to increase understanding of the systems in place, and their ability to adequately protect assets

The Physical and Cyber Risk Analysis Tool (aka PACRAT) is much more than a vulnerability analysis tool, it s an automated discovery and what if analysis solution

13 PACRAT Each of these elements are needed to properly assess the overall protection strategy and identify true risk The ability to focus on the objective and tune the tool PACRAT s User Interface (the dashboard ) and the output display (with color coded, statistical pathway analysis)

focus on the objective and tune the tool PACRAT s User Interface (the

time consuming process Not intended to eliminate the analyst This automated

14 PACRAT PACRAT is also provisioned for a Value Added Module to assist in prioritizing investment upgrades Automated what if analysis Currently a manual, time consuming process Not intended to eliminate the analyst This automated function will recommend improvements based on the return on investment (ROI) High Low $ $$ $$$

15 Additional Areas for Improvement Training and awareness Organizational structure Security culture Defining the blended threat Adversarial teams with both cyber and physical expertise Performance values for cyber components Examining the frequency of assessments Quantifying consequences

teams with both cyber and physical expertise Performance values for

16 16 Questions

The Next Generation of Security Leaders

The Next Generation of Security Leaders In an increasingly complex cyber world, there is a growing need for information security leaders who possess the breadth and depth of expertise necessary to establish