Integrating Physical Protection and Cyber Security Vulnerability Assessments Presented by Doug MacDonald Information Release # PNNL-SA-99462
Definition Wikipedia defines Vulnerability Assessments as the process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system Where vulnerabilities are defined as the inability to protect an asset or target against a defined threat or reduced system effectiveness resulting from reduced, compromised, or lacking defensive measures
Introduction Historical physical protection systems Evolution over the years Added system vulnerabilities Not properly identifying these vulnerabilities can have catastrophic consequences
Historically Most physical protection vulnerability assessments and cyber security analysis are performed in an independent or stove piped manner, and don t account for system level interactions or interdependencies This provides a segmented or incomplete picture of the overall risk to an asset
Need Need to fully evaluate the physical protection domain and the cyber security domain together to understand the overall performance of the protection measures in place Need to identify and quantify the areas of undetermined risk
Need Need to fully evaluate the physical protection domain and the cyber security domain together to understand the overall performance of the protection measures in place Need to identify and quantify the areas of undetermined risk
Need Need to fully evaluate the physical protection domain and the cyber security domain together to understand the overall performance of the protection measures in place Need to identify and quantify the areas of undetermined risk
Need Need to fully evaluate the physical protection domain and the cyber security domain together to understand the overall performance of the protection measures in place Need to identify and quantify the areas of undetermined risk
Evolution of the Assessment Physical Security VA Cyber Security Assessments The integrated Cyber/Physical VA
Bringing the Domains Together The blended approach used by PNNL to integrate the Cyber and Physical vulnerability assessment process is needed to properly identify and quantify the system level interactions and interdependencies Blended approach development 4 year effort of experienced SMEs Boots on the ground, firsthand knowledge Years of experience with the systems in the field Experts were cross-trained in the process and methodology each domain currently uses for assessments Terminology (a common language) Timely detection methodology Experiences The team modified the capability to evaluate every avenue of approach using both electronic and physical pathways
Assessments and Lessons Learned Real-world assessment Team of 10 SMEs Scope was the entire system Had just completed a comprehensive assessment Several areas of concern based on the cyber/physical interplay New modeling and simulation tools are needed to accurately capture and thoroughly evaluate this blended cyber/physical approach They must provide a comprehensive vulnerability assessment and risk analysis tool Incorporate elements like the ability to capture and quantify system level interdependencies and interactions And provide a backtracking capability
PACRAT PNNL created a new software tool for the blended assessment that can Perform a comprehensive vulnerability assessment and risk analysis with all of the most widely used features of today Plus added elements like the ability to capture and quantify system level interdependencies and interactions And a backtracking capability The Physical and Cyber Risk Analysis Tool (aka PACRAT) is much more than a vulnerability analysis tool, it s an automated discovery and what if analysis solution Evaluating all physical and electronic pathways in a holistic fashion is the only way to increase understanding of the systems in place, and their ability to adequately protect assets
PACRAT Each of these elements are needed to properly assess the overall protection strategy and identify true risk The ability to focus on the objective and tune the tool PACRAT s User Interface (the dashboard ) and the output display (with color coded, statistical pathway analysis)
PACRAT PACRAT is also provisioned for a Value Added Module to assist in prioritizing investment upgrades Automated what if analysis Currently a manual, time consuming process Not intended to eliminate the analyst This automated function will recommend improvements based on the return on investment (ROI) High Low $ $$ $$$
Additional Areas for Improvement Training and awareness Organizational structure Security culture Defining the blended threat Adversarial teams with both cyber and physical expertise Performance values for cyber components Examining the frequency of assessments Quantifying consequences
16 Questions