Spotlight on Lablet Research #29 - Analytics for Cyber-Physical Systems Cybersecurity (archived)

Spotlight on Lablet Research #29 -

Analytics for Cyber-Physical Systems Cybersecurity

Lablet: Vanderbilt University
Sub-Lablet: Massachusetts Institute of Technology

The overarching purpose of this project is to develop analytical methods to support the national strategy for cybersecurity, as outlined in Presidential Executive Orders and National Defense Authorization Acts. Operationally, the goal is to provide analytics for cybersecurity policies and guidelines designed specifically to (a) overcome the limitations of the conventional text-based form, (b) extract knowledge embedded in policy guidelines, and (c) assist the user community –analysts and operators – in implementation. Strategically, the goal is to construct a platform of new tools for application to policy directives, regulations, and guidelines across diverse domains and issue areas. The platform, and tools, are designed to enable users to explore mission-related system properties, issues, concerns, or contingencies.

Cyber-Physical Systems (CPS) are embedded in an increasingly complex ecosystem of cybersecurity policies, guidelines, and compliance measures designed to support all aspects of operation during all phases of the system's life cycle. By definition, such guidelines and policies are written in linear and sequential text form – word after word – often with different parts presented in different documents. This situation makes it difficult to integrate or understand policy-technology-security interactions. As a result, it also impedes effective risk assessment. Individually or collectively, these features inevitably undermine initiatives for cybersecurity. Missing are fundamental policy analytics to support CPS cybersecurity and facilitate policy implementation. This project, led by Principal Investigator Nazli Choucri, MIT, is designed to develop a set of text-to-analytics methods and tools, with a "proof of concept" focused on the smart grid of electric power systems. The challenge is to develop a structured system model from text-based policy guidelines and directives in order to (a) identify major policy-defined system-wide parameters, (b) situate vulnerabilities and impacts, (c) map security requirements to security objectives; and (d) advance research on the responses of multiple system features to diverse policy controls – all of which are necessary to strengthen the fundamentals of cybersecurity for cyber-physical systems.

The "raw" data base consists of major reports prepared by the National Institute for Standards and Technology (NIST). Clearly, considerable efforts are always being made to "mine" NIST materials; however, few initiatives explore the potential value-added of drawing on multi-methods for knowledge extraction and/or of developing analytical tools to support user understanding of policy directives, analysis, and eventually to enable action. While the research team’s approach appreciates and is informed by such efforts, it transcends them by developing a platform for multi-method cybersecurity policy analytics – based entirely on the contents of policy documents. The case application, as "proof of concept," focuses on the cybersecurity of the smart grid for electric power systems.

When NIST issued a fifth revision (Rev. 5) of its document 800:53, it impacted the formal connections, or interfaces, between multiple sources of "raw" data for this project. It also coupled very closely the controls and control families for security and privacy. Further, this revision raised serious questions about the implications of this new version of 800:53 regarding current NIST perspectives and priorities pertaining to security.

For this project, especially important is the fact that the researchers faced a necessary "re-do" of research steps, and a review of results, with respect to: Data Linkage Process; information pertaining to security controls and control families; an unexpected entanglement between the security and the privacy controls, and control families, thereby creating new ambiguities; data-based signals that, in the security domain, "everything is related to everything else and to privacy as well"; and serious impediments to the "reversing the arrows" test and a validation strategy for our research design and results. The team devoted themselves to the "re-do" as well as to delineating and understanding the implications of the "entanglements" of security and privacy controls for policy implementation of the Cybersecurity Framework (CSF). The validated "re-do" shows an unexpected result, namely that privacy and security controls are heavily dependent on each other, thus creating "noise" in a focused analysis of security controls.

The practical uses of research and results so far have been identified as follows:

Data Linkages: The full value of the CSF is difficult to capture given the set of intervening tasks required and the distributed nature of the database. CSF points to what has to be done and why, but not how. It is up to the user to work through the process outlined by CSF. In this case, the practical use is created by providing a method to streamline access to, and use of, essential data required to implement the security-related actions required by CSF. Because CSF points to a number of individual documents hosting different directives, the users' task is to identify and make connections among them as needed. Moreover, modifications and updates by NIST on the content of key intervening documents require users, in turn, to identify the updates and determine requirements for change.

Metrics & Measures: Given that policy documents and directives are conveyed in text form, in linear and sequential order, it is common practice to retain information in that form. The research team developed a method to transform text into metrics to deal with numerals, not letters. The practical use is compelling: metrics and measures enable more precision, with more flexibility in scale and scope of analysis, than can ever be done with the text form. This in itself takes away much of the built-in ambiguity of policy documents. Since the method is portable, it can be applied to all forms of policy texts - irrespective of issue area or domain.

One part of the research design focuses on analytics for the cyber-physical system itself; the other part is on analytics for cybersecurity policies and directives. Both "parts" share a common process that must be applied to each side separately because the data are separate. The team simplified the process in terms of: Text to Data; Data to Metrics; and Metrics to Model. Part I is completed with the smart grid network model. This generates and identifies the nodes and the logical interfaces. Earlier the team focused on task testing for Part II and identified empirically the logical interfaces for the system "as is" that connect to CSF directives. The results for the computed base network model of the reference system for the NIST Smart Grid are presented as a cyber-physical system. NIST provides very detailed information on vulnerability impacts for violation of each of the security objectives (confidentiality, integrity, and availability). In order to facilitate action, a net assessment for vulnerability impacts on the system across three dimensions and three levels of intensity is needed and can be performed using the Common Vulnerability Scoring System (CVSS). The figure below shows the consolidation of analysis and results in one integrated system view, including the centrality score for each test case of the smart grid electric power system.

NIST Smart Grid reference network with edge weighted by the impact level based on CVSS 3.0.

The contribution of this work to addressing the Hard Problem of Policy Governed Secure Collaboration is the value of "text-as-data" in a complex cyber-physical system where threats to operations serve as driving motivations for policy responses. The research outputs of this core project include, but are not limited to: (a) methods to examine the implications of cybersecurity directives and guidelines directly applicable to the system in question; (b) information about relative vulnerability pathways throughout the whole or parts of the system-network, as delineated by the guidelines documents; (c) insights from contingency investigations, that is, "what...if...", (d) design framework for information management within the organization; and (e) ways to facilitate information flows bearing on decision-making for cybersecurity.

Background on this project can be found here.

For the most recent updates about the project, please see: https://cps-vo.org/node/48269