An Introduction to Cyber Modeling and Simulation - Jerry M. Couretas - E-Book


Jerry M. Couretas

Description

Introduces readers to the field of cyber modeling and simulation and examines current developments in the US and internationally.

This book provides an overview of cyber modeling and simulation (M&S) developments. Using scenarios, courses of action (COAs), and current M&S and simulation environments, the author presents the overall information assurance process, incorporating the people, policies, processes, and technologies currently available in the field. The author ties up the various threads that currently compose cyber M&S into a coherent view of what is measurable, simulative, and usable in order to evaluate systems for assured operation. An Introduction to Cyber Modeling and Simulation provides the reader with examples of tools and technologies currently available for performing cyber modeling and simulation. It examines how decision-making processes may benefit from M&S in cyber defense. It also examines example emulators, simulators, and their potential combination. The book also takes a look at the corresponding verification and validation (V&V) processes, which give the operational community confidence that cyber models represent the real world. This book:

- Explores the role of cyber M&S in decision making
- Provides a method for contextualizing and understanding cyber risk
- Shows how concepts such as the Risk Management Framework (RMF) leverage multiple processes and policies into a coherent whole
- Evaluates standards for pure IT operations, "cyber for cyber," and operational/mission cyber evaluations, "cyber for others"
- Develops a method for estimating the vulnerability of the system (i.e., time to exploit) and provides an approach for mitigating risk via policy, training, and technology alternatives
- Uses a model-based approach

An Introduction to Cyber Modeling and Simulation is a must read for all technical professionals and students wishing to expand their knowledge of cyber M&S for future professional work.

Pages: 254

Publication year: 2018




Table of Contents

Cover

1 Brief Review of Cyber Incidents

1.1 Cyber’s Emergence as an Issue

1.2 Estonia and Georgia – Militarization of Cyber

1.3 Conclusions

2 Cyber Security – An Introduction to Assessment and Maturity Frameworks

2.1 Assessment Frameworks

2.2 NIST 800 Risk Framework

2.3 Cyber Insurance Approaches

2.4 Conclusions

2.5 Future Work

2.6 Questions

3 Introduction to Cyber Modeling and Simulation (M&S)

3.1 One Approach to the Science of Cyber Security

3.2 Cyber Mission System Development Framework

3.3 Cyber Risk Bow‐Tie: Likelihood to Consequence Model

3.4 Semantic Network Model of Cyberattack

3.5 Taxonomy of Cyber M&S

3.6 Cyber Security as a Linear System – Model Example

3.7 Conclusions

3.8 Questions

4 Technical and Operational Scenarios

4.1 Scenario Development

4.2 Cyber System Description for M&S

4.3 Modeling and Simulation Hierarchy – Strategic Decision Making and Procurement Risk Evaluation

4.4 Conclusions

4.5 Questions

5 Cyber Standards for Modeling and Simulation

5.1 Cyber Modeling and Simulation Standards Background

5.2 An Introduction to Cyber Standards for Modeling and Simulation

5.3 Standards Overview – Cyber vs. Simulation

5.4 Conclusions

5.5 Questions

6 Cyber Course of Action (COA) Strategies

6.1 Cyber Course of Action (COA) Background

6.2 Cyber Defense Measurables – Decision Support System (DSS) Evaluation Criteria

6.3 Cyber Situational Awareness (SA)

6.4 Cyber COAs and Decision Types

6.5 Conclusions

6.6 Further Considerations

6.7 Questions

7 Cyber Computer‐Assisted Exercise (CAX) and Situational Awareness (SA) via Cyber M&S

7.1 Training Type and Current Cyber Capabilities

7.2 Situational Awareness (SA) Background and Measures

7.3 Operational Cyber Domain and Training Considerations

7.4 Cyber Combined Arms Exercise (CAX) Environment Architecture

7.5 Conclusions

7.6 Future Work

7.7 Questions

8 Cyber Model‐Based Evaluation Background

8.1 Emulators, Simulators, and Verification/Validation for Cyber System Description

8.2 Modeling Background

8.3 Conclusions

8.4 Questions

9 Cyber Modeling and Simulation and System Risk Analysis

9.1 Background on Cyber System Risk Analysis

9.2 Introduction to using Modeling and Simulation for System Risk Analysis with Cyber Effects

9.3 General Business Enterprise Description Model

9.4 Cyber Exploit Estimation

9.5 Countermeasures and Work Package Construction

9.6 Conclusions and Future Work

9.7 Questions

10 Cyber Modeling & Simulation (M&S) for Test and Evaluation (T&E)

10.1 Background

10.2 Cyber Range Interoperability Standards (CRIS)

10.3 Cyber Range Event Process and Logical Range

10.4 Live, Virtual, and Constructive (LVC) for Cyber

10.5 Applying the Logical Range Construct to System Under Test (SUT) Interaction

10.6 Conclusions

10.7 Questions

11 Developing Model‐Based Cyber Modeling and Simulation Frameworks

11.1 Background

11.2 Model‐Based Systems Engineering (MBSE) and System of Systems Description (Data Centric)

11.3 Knowledge‐Based Systems Engineering (KBSE) for Cyber Simulation

11.4 Architecture‐Based Cyber System Optimization Framework

11.5 Conclusions

11.6 Questions

12 Appendix: Cyber M&S Supporting Data, Tools, and Techniques

12.1 Cyber Modeling Considerations

12.2 Cyber Training Systems

12.3 Cyber‐Related Patents and Applications

12.4 Conclusions

Bibliography

Index

End User License Agreement

List of Tables

Chapter 01

Table 1.1 Select cyber incidents.

Chapter 02

Table 2.1 NIST SP 800‐30 risk assessment.

Table 2.2 Maturity levels for policy implementation and process assessment.

Table 2.3 Resilience lines of effort (LOEs).

Table 2.4 Resilience steps and system security assessment.

Table 2.5 Standard security description references.

Chapter 03

Table 3.1 Taxonomy and models for cyber defense.

Chapter 04

Table 4.1 Stages of Process for Attack Simulation and Threat Analysis (PASTA) threat modeling methodology.

Table 4.2 Operational examples.

Table 4.3 Proactive and reactive ARMOUR scenarios (DRDC (Canada) 2014a, b).

Table 4.4 ARMOUR operational scenarios (DRDC (Canada) 2014a, b).

Table 4.5 Cyber effects and military activities.

Table 4.6 Cyber Operational Architecture Training System (COATS) scenarios.

Table 4.7 Cyber effects and attack type examples.

Chapter 05

Table 5.1 Example cyber standards.

Table 5.2 Cyber description tools (MITRE).

Chapter 06

Table 6.1 Cyber Decision Support System (DSS) metrics and example use.

Table 6.2 Situational Awareness and available M&S tools for improving cyber defense decision making.

Chapter 07

Table 7.1 Group training capabilities.

Table 7.2 Situational awareness learning – tactical and strategic processes and outcomes.

Table 7.3 LVC contributions to cyber CAX realism.

Table 7.4 CAX environment components.

Table 7.5 Description of Red Computer Network Attack (CNA) on Blue systems to demonstrate degradation effects on operator workstations.

Table 7.6 Individual training – games and administrator training.

Table 7.7 Example Cyber CAX and training levels.

Chapter 08

Table 8.1 System attributes – flexibility, scalability, and fidelity.

Table 8.2 Conceptual definitions of activities and modeling and simulation framework (MSF) equivalents.

Table 8.3 Cyber range types.

Table 8.4 Verification, Validation and Accreditation (VV&A) properties.

Table 8.5 Conceptual definitions of objects and modeling and simulation framework (MSF) equivalents.

Chapter 09

Table 9.1 Cyber modeling and the bathtub failure curve.

Table 9.2 Internal threat scenario examples.

Table 9.3 Example security metrics.

Table 9.4 Enterprise evaluation – areas and time periods.

Table 9.5 People/policy/process/technology example breakdown (vulnerability analysis).

Table 9.6 Situational awareness (SA) – levels and indicators.

Table 9.7 Example countermeasures as work packages.

Table 9.8 Deep packet inspection platform examples (Einstein and SORM).

Chapter 10

Table 10.1 Current US government cyber ranges.

Table 10.2 System Under Test (SUT) evaluation approaches.

Chapter 12

Table 12.1 Cyber M&S knowledge categories and examples.

Table 12.2 Factors affecting time requirements for threat modeling.

Table 12.3 Selected Underwriters Laboratory (UL) safe burglary ratings.

Table 12.4 Open‐source cyber threat reports – organizations and missions.

Table 12.5 Critical Security Controls (CSCs).

Table 12.6 Australian Signals Directorate computer network defense controls.

Table 12.7 Methods of measuring situational awareness.

Table 12.8 Cyber trainer examples (defense emphasis).

Table 12.9 Sample commercial training companies and offerings.

Table 12.10 Granted patents.

Table 12.11 Patent applications.

List of Illustrations

Chapter 01

Figure 1.1 Organizations targeted by China.

Figure 1.2 Map of N. Europe with Estonia (Google Maps).

Chapter 02

Figure 2.1 Assessment levels – enterprise risk, process modeling, and vulnerability analysis.

Figure 2.2 Information security – business impact and enterprise risk analysis.

Figure 2.3 Business blackout due to US east coast grid compromise (Maynard and Beecroft 2015).

Chapter 03

Figure 3.1 DoD’s cyber S&T priority steering council research roadmap (King 2011).

Figure 3.2 Cyber risk “bow‐tie” – prevention, attack, and remediation.

Figure 3.3 Semantic network of current and anticipated threats (Yufik 2014).

Figure 3.4 Scenarios through model development approach.

Figure 3.5 Cyber analysis elements.

Figure 3.6 Cyber modeling and simulation elements.

Figure 3.7 State model of attacker (behavioral example).

Figure 3.8 Cyber security as a linear system (Cam).

Chapter 04

Figure 4.1 Cyber‐range event process overview.

Figure 4.2 Attack path model using “CIA” system states.

Figure 4.3 McCumber model.

Figure 4.4 Components of information security.

Figure 4.5 Cyber Operational Architecture Training System (COATS) (OV‐1).

Figure 4.6 Cyber effects and mission evaluation Rowe et al. (2017) – http://journals.sagepub.com/doi/abs/10.1177/1548512917707077?journalCode=dmsa

Figure 4.7 Risk bow‐tie (Nunes‐Vaz et al. 2011, 2014).

Figure 4.8 Strategic cyber decision making – leveraging M&S tools and cyber controls. US Army’s CobWEBS (Marshall 2015) and Vencore Corporation’s CyberVAN are models currently used to evaluate defense concepts.

Chapter 05

Figure 5.1 Military operator and cyber IA overlaps.

Figure 5.2 Levels of Conceptual Interoperability Model.

Figure 5.3 Cyber “Bow‐Tie” – Prevention, Attack, and Remediation.

Chapter 06

Figure 6.1 Three research phases in the evolution of the EBCOTE system.

Figure 6.2 The Mission Assurance Engineering (MAE) Process.

Figure 6.3 Mission needs, MOPs, MOEs, and KPPs.

Figure 6.4 AMICA – Information Technology (IT) to mission simulator.

Figure 6.5 Cyber decision support system.

Figure 6.6 General Methodology for Verification and Validation (GM‐VV) technical framework design and operational use concept.

Figure 6.7 Three layers of Information Operations – physical, informational, and cognitive.

Figure 6.8 SIEM data, CSCs, and key cyber terrain – the what, how, and why of cyber decision making.

Figure 6.9 Course of Action implementations (automated and human assisted).

Chapter 07

Figure 7.1 Bloom Taxonomy for learning domains.

Figure 7.2 Network, cyberspace, and mission operations – information flows and events (Stine 2012).

Figure 7.3 Live–Virtual–Constructive (LVC) and skills development.

Figure 7.4 Generic CAX environment architecture.

Figure 7.5 Generic CAX environment architecture including a cyber layer.

Figure 7.6 COATS cyber injection architecture.

Figure 7.7 Network emulation (StealthNet) injection into Network System Under Test (NSUT) (Bucher 2012).

Chapter 08

Figure 8.1 Validity of base and lumped models in Experimental Frame (EF).

Figure 8.2 Architecture for System of Systems (SoS) Verification and Validation (V&V) based on M&S framework.

Figure 8.3 Emulator–simulator combination for Cyber–Physical System.

Figure 8.4 Time/data synchronization for combined emulation–simulation environment.

Figure 8.5 Development vs. operational testing – verification and validation.

Figure 8.6 VV&A goal–claim network structure.

Figure 8.7 Utility, validity, correctness, and meta‐properties relationship diagram.

Chapter 09

Figure 9.1 The bathtub curve – when and why of failures.

Figure 9.2 Systems engineering and project management for preventive cyber security.

Figure 9.3 The “V” model of systems engineering.

Figure 9.4 Enterprise security view – people, process, and technology domains.

Figure 9.5 Audit timeline – people/process/technology evaluation.

Figure 9.6 Enterprise connections (people/policy/process/technology) and COA planning.

Figure 9.7 Question & answer process (Q&A) for system entity structure (Ontology) development.

Figure 9.8 Enterprise model and parameterization.

Figure 9.9 Data to strategy evaluation.

Figure 9.10 Enterprise vulnerability – exploit rates by domain.

Figure 9.11 Mean time to exploit example.

Chapter 10

Figure 10.1 Cyber event process overview.

Figure 10.2 Logical range and the control, event, and instrumentation planes.

Chapter 11

Figure 11.1 UML 2 and SysML.

Figure 11.2 SysML diagram types.

Figure 11.3 Legacy simulation‐based acquisition development approach.

Figure 11.4 CAMIAC prototype architecture.

Figure 11.5 Federated Analysis of Cyber Threats (FACT) (MITRE 2015).


Wiley Series in Modeling and Simulation

The Wiley Series in Modeling and Simulation provides an interdisciplinary and global approach to the numerous real‐world applications of modeling and simulation (M&S) that are vital to business professionals, researchers, policymakers, program managers, and academics alike. Written by recognized international experts in the field, the books present the best practices in the applications of M&S as well as bridge the gap between innovative and scientifically sound approaches to solving real‐world problems and the underlying technical language of M&S research. The series successfully expands the way readers view and approach problem solving in addition to the design, implementation, and evaluation of interventions to change behavior. Featuring broad coverage of theory, concepts, and approaches along with clear, intuitive, and insightful illustrations of the applications, the Series contains books within five main topical areas: Public and Population Health; Training and Education; Operations Research, Logistics, Supply Chains, and Transportation; Homeland Security, Emergency Management, and Risk Analysis; and Interoperability, Composability, and Formalism.

Founding Series Editors: Joshua G. Behr, Old Dominion University; Rafael Diaz, MIT Global Scale

Advisory Editors:

Homeland Security, Emergency Management, and Risk Analysis; Interoperability, Composability, and Formalism: Saikou Y. Diallo, Old Dominion University; Mikel Petty, University of Alabama

Operations Research, Logistics, Supply Chains, and Transportation: Loo Hay Lee, National University of Singapore

Public and Population Health: Peter S. Hovmand, Washington University in St. Louis; Bruce Y. Lee, University of Pittsburgh

Training and Education: Thiago Brito, University of Sao Paolo

Spatial Agent‐Based Simulation Modeling in Public Health: Design, Implementation, and Applications for Malaria Epidemiology, by S. M. Niaz Arifin, Gregory R. Madey, Frank H. Collins

The Digital Patient: Advancing Healthcare, Research, and Education, by C. D. Combs (Editor), John A. Sokolowski (Editor), Catherine M. Banks (Editor)

An Introduction to Cyber Modeling and Simulation

Jerry M. Couretas

This edition first published 2019. © 2019 John Wiley & Sons, Inc.

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, except as permitted by law. Advice on how to obtain permission to reuse material from this title is available at http://www.wiley.com/go/permissions.

The right of Jerry M. Couretas to be identified as the author of this work has been asserted in accordance with law.

Registered Office: John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, USA

Editorial Office: 111 River Street, Hoboken, NJ 07030, USA

For details of our global editorial offices, customer services, and more information about Wiley products visit us at www.wiley.com.

Wiley also publishes its books in a variety of electronic formats and by print‐on‐demand. Some content that appears in standard print versions of this book may not be available in other formats.

Limit of Liability/Disclaimer of Warranty

The publisher and the authors make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation any implied warranties of fitness for a particular purpose. This work is sold with the understanding that the publisher is not engaged in rendering professional services. The advice and strategies contained herein may not be suitable for every situation. In view of on‐going research, equipment modifications, changes in governmental regulations, and the constant flow of information relating to the use of experimental reagents, equipment, and devices, the reader is urged to review and evaluate the information provided in the package insert or instructions for each chemical, piece of equipment, reagent, or device for, among other things, any changes in the instructions or indication of usage and for added warnings and precautions. The fact that an organization or website is referred to in this work as a citation and/or potential source of further information does not mean that the author or the publisher endorses the information the organization or website may provide or recommendations it may make. Further, readers should be aware that websites listed in this work may have changed or disappeared between when this work was written and when it is read. No warranty may be created or extended by any promotional statements for this work. Neither the publisher nor the author shall be liable for any damages arising herefrom.

Library of Congress Cataloging‐in‐Publication Data

Names: Couretas, Jerry M., 1966– author.
Title: An introduction to cyber modeling and simulation / Jerry M. Couretas.
Description: Hoboken, NJ : John Wiley & Sons, 2019. | Series: Wiley series in modeling and simulation | Includes bibliographical references and index.
Identifiers: LCCN 2018023900 (print) | LCCN 2018036433 (ebook) | ISBN 9781119420811 (Adobe PDF) | ISBN 9781119420835 (ePub) | ISBN 9781119420873 (hardcover)
Subjects: LCSH: Computer simulation. | Computer security. | Cyberinfrastructure.
Classification: LCC QA76.9.C65 (ebook) | LCC QA76.9.C65 C694 2018 (print) | DDC 005.8–dc23
LC record available at https://lccn.loc.gov/2018023900

Cover Design: Wiley
Cover Image: © MimaCZ/Getty Images

Dedication

This book is dedicated to Monica, Sophie, and Ella, for the time and patience that they provided to bring this work to fruition. I would also like to thank Jorge and Aida Carpio, for their support and mentoring. Finally, to my parents, Gus and Mary, for providing an example of persistence and faith.

Professionally, I would like to thank Mr. Rick Stotts for introducing me to modern cyber, and Professor Bernard Zeigler for his ongoing support from my student days to the present.

1 Brief Review of Cyber Incidents

When it comes to national security, I think this [i.e., cyber warfare] represents the battleground for the future. I’ve often said that I think the potential for the next Pearl Harbor could very well be a cyber‐attack. If you have a cyber‐attack that brings down our power grid system, brings down our financial systems, brings down our government systems, you could paralyze this country.1

Leon Panetta

The 1988 Morris Worm, designed to estimate the size of the Internet, caused the shutting down of thousands of machines and resulted in the Defense Advanced Research Projects Agency (DARPA) funding the first Computer Emergency Response Team (CERT) at Carnegie Mellon University (CMU). As shown in Table 1.1, cyberattacks have continued since 1988, with effects that range from data collection to controlling critical infrastructure.

Table 1.1 Select cyber incidents.

| Year | Cyberattack | Objective | Effects |
| --- | --- | --- | --- |
| 1988 | Morris Worm | Understand the number of hosts connected to the Internet | Removed thousands of computers from operation |
| 2003 | Slammer Worm | Denial of service | Disabled Ohio's Davis–Besse nuclear power plant safety monitoring system for nearly 5 h |
| 2008 | Conficker | Implant malware on target machines | Control target machines |
| 2010 | STUXNET | Take control of Siemens industrial control systems (ICS) | Destroyed centrifuges used for Iranian nuclear program |
| 2012 | Saudi Aramco (oil provider) business systems (aka Al Shamoon) | Wipe disks on Microsoft Windows‐based systems | Destroyed ARAMCO business systems to cause financial losses due to their inability to bill customers for oil shipments |
| 2013 | South Korean Banks | “DarkSeoul” virus used to deny service and destroy data | Destroyed hard drives of selected business systems |
| 2013 | US Banks | Distributed Denial of Service (DDoS) | Caused financial losses through banks’ inability to serve customers |
| 2013 | Rye Dam (NY) | Access control gates for opening and closing at will | Controlled dam gate system |
| 2014 | Sony Pictures | Data breach | Downloaded a large amount of data and posted it on the Internet, 3 wk before the release of a satirical film about North Korea |
| 2015 | Office of Personnel Management (OPM) breach | Gain access to information on US Government personnel | Downloaded over 21 million US Government and contractor personnel files |
| 2017 | Equifax breach | Gain access to consumer credit information | Downloaded credit history and private information on over 143 million consumers |

Table 1.1 lists documented cyber incidents, of which only the Morris Worm is in question as to malevolent intent. Because many actors and actions are involved in cyberattacks, a conversation around “resilience” (e.g. the NIST Cybersecurity Framework) provides a means for communicating how the overall system will continue to perform in the face of adversity. Resilience also frames the discussion of an organization’s operational risk, in this case the risk due to cyber. More specifically, the resilience view provides a means to organize the challenges of measuring and quantifying the broad scope of an organization’s cyberattack surface by:

- Recognizing that the autonomy and efficiencies that information systems provide are too valuable to forego, even if the underlying technologies pose a potential threat to business operations.
- Understanding that cyber “security” (i.e. the ability to provide an effective deterrent to cyberattacks) is not achievable for most organizations in the short term, so resilience is one way to develop organizational policies and processes around:
  - mitigation scenarios for general cyberattacks;
  - comparing tacitly accepted cyber risk to business risks that we already transfer (e.g. hurricanes, earthquakes, and other natural disasters) to other organizations (e.g. insurance companies).
- Coordinating the challenges associated with an organization’s people being a key source of cyber vulnerability.

Resilience, therefore, provides an overarching approach, with some elements already modeled, for bundling the exposure associated with cyber and moving the discussion to a more manageable set of risks, analogous to operational challenges already mitigated or transferred through an organization’s policies and processes. In addition, cyber risk management requires analytical evaluation and testable scenarios that enable contingency planning for each organization. Cyber risk assessment is a growing area of interest, and an inspiration for developing cyber modeling and simulation techniques.

1.1 Cyber’s Emergence as an Issue

The issue of cyber security, somewhat slow to be recognized during information technology’s rapid development and dissemination into business enterprises over the last half century, often gets the same level of news coverage as natural disasters or stock market anomalies. While an Office of Personnel Management (OPM)2 breach disclosing the private information of millions of US civil servants gets a few days of news, a new iPhone release will create weeks of chatter on social networks. Cyber insecurity is much less interesting to the general public than the Internet’s entertainment and socialization prospects.

The same market growth in personal computing technologies, however, adds to the unforeseen security challenges that networked technologies bring. Increased connectivity, often leading to tighter coupling (both technical and social), challenges “open” information system architectures and their intended benefit. In addition, this increased connectivity provides, for the first time, an artificial domain, or space, through which nefarious actors can exercise potentially catastrophic effects. Cyber’s ability to deny or manipulate entire regions of a state, at time constants much shorter than current management structures can handle, is a relatively recent realization. For example, by 2015, reports (Frankel et al. 2015; Maynard and Beecroft 2015) on the potentially catastrophic nature of a cyberattack had started to emerge. Along with the increasing importance of cyber as a physical threat, there is increased awareness via news coverage (Figure 1.1).

Figure 1.1 Organizations targeted by China.

Source: Mandiant (2014), FireEye, https://www.fireeye.com/content/dam/fireeye‐www/services/pdfs/mandiant‐apt1‐report.pdf.

In addition to Figure 1.1’s profile of commercial cyber activity, military applications are expanding as well, with notable uses in Estonia and Georgia over the last decade.

1.2 Estonia and Georgia – Militarization of Cyber

For three weeks in 2007, the Republic of Estonia suffered a crippling cyberattack that left government, political, and economic facets of the country helpless (Yap 2009) (Figure 1.2).

Figure 1.2 Map of N. Europe with Estonia (Google Maps).

This scenario provides a template to examine the policy, training, and technology options of a cyber‐attacked state. Estonia’s policy options were limited for a number of reasons, including:

- difficulty of attribution
- lack of international standards
- the current political environment

Ultimately, unless a cyberattack causes indisputable damage, causes loss of human life, and can be traced back to a source with high certainty, it is unlikely that a state will respond conventionally in self‐defense. Currently, there are no clear international laws3 or rules of engagement that govern the rights of a sovereign state in the event of a cyberattack that causes no deaths or significant physical damage. The current approach is to take existing laws and treaties and interpret them to fit cyber domain activities.

However, unlike a conventional attack, many more factors blur the line in cyberspace. Attribution is usually spread across different sovereign states, with limited physical evidence. Without a common and agreed‐upon definition of what constitutes a cyberattack, how can nations defend themselves without risking their ethical, legal, and moral obligations? The fundamental dilemma a state faces is to balance its retaliatory options against the requisite legal justifications when it cannot be confident of the attack’s source.

While policy frameworks are still evolving to deal with cyber as a conflict domain, newly employed technologies provide unprecedented platforms for launching cyberattacks. For example, the major part of Estonia’s assault suddenly stopped roughly a month after it began, suggesting that a botnet had been leased for the attacks. One Estonian official concluded that the attacks represented “a new form of public–private partnership” where the attacks were executed by organized crime, but directed by the Kremlin. “In Estonia,” said then US National Security Agency chief General Keith Alexander, “all of a sudden we went from cybercrime to cyberwarfare.”4

Some experts (Krepinevich 2012) believe the Estonia attack provided a way for Moscow to test its new technology, cyber weaponry, as a “proof of concept,” in which the Russian Business Network (RBN) was given a target to show the Russian authorities how valuable cyber could be. In this way, the attacks on Estonia might be compared to how the Spanish Civil War provided a testing ground for German, Italian, and Soviet equipment and war‐fighting concepts. While the evidence is circumstantial, it appears that just as Germany used its military’s experience in Spain to assist in its development of the blitzkrieg form of warfare that it employed against Poland, the Low Countries, and France, shortly thereafter, the Russians used lessons learned from Estonia to better integrate cyber operations with traditional military operations in Georgia.

A year after the Estonia attacks, Georgia suffered the world’s first mixed cyber–conventional attacks (Beidleman 2009). The cyberattacks were staged to kick off shortly before the initial Russian airstrikes as part of the Russian invasion in August 2008. The cyberattacks focused on government websites, with media, communications, banking, and transportation companies also targeted.

These botnet‐driven DDoS attacks were accompanied by a cyber blockade that rerouted all Georgian Internet traffic through Russia and blocked electronic traffic in and out of Georgia. The impact of the cyberattacks on Georgia was significant, but less severe than the Estonia attacks since Georgia is a much less‐advanced Internet society. Nonetheless, the attacks severely limited Georgia’s ability to communicate its message to the world and its own people, and to shape international perception while fighting the war.

1.3 Conclusions

Modeling the broadly scoped set of systems that “cyber” currently covers, along with their associated effects, is a challenge unless the technical, process, and policy aspects of the scenario in question are specified. While constructive modeling and simulation has made great contributions to describing the technical aspects of engineered systems for their testing and development, murky process and policy threads are still very much present in most cyber case studies, and they often provide the real security issues for the systems at risk. For example, computer technologies are often simply the implementation of processes within the complex systems that support us. A “cyber” attack is really an attack on one of the processes we trust for our day‐to‐day business.

Cyber’s overarching use has implications across both a country’s business systems and its supporting civil infrastructure. Understanding the current state, in the cyber domain, therefore requires accurately assessing our systems and evaluating their maturity from a cyber standpoint. Using these assessments for defensive, or resiliency, analysis is the first step to verify M&S for cyber systems. Real‐world cyber scenarios then use these assessments, as baselines, to represent both the scope and scale of networks with technologies and configurations that can easily span multiple generations of information technology.

Notes

1. “Cybersecurity ‘battleground of the future,’” United Press International, 10 February 2011, available at http://www.upi.com/Top_News/US/2011/02/10/Cybersecurity‐battleground‐of‐thefuture/UPI‐62911297371939/, accessed on 10 January 2012.

2. https://www.wired.com/2016/10/inside‐cyberattack‐shocked‐us‐government/

3. The Tallinn Manual (https://ccdcoe.org/tallinn‐manual.html) provides one approach for adapting laws of war to cyberspace.

4. Keith B. Alexander, statement before the House Armed Services Committee, 23 September 2010, p. 4.

2 Cyber Security – An Introduction to Assessment and Maturity Frameworks

There are security implications that result from our incorporating computer automation, or cyber, into business systems and industrial control systems that underpin almost everything we do. Assessing these cyber systems, to ensure resilience, is performed through a number of well‐known frameworks to develop an initial understanding, or baseline, of our current system security levels.

Assessments often begin with an asset prioritization, a “Crown Jewels Analysis1” (MITRE) being one example, with more detailed evaluations developed from this initial structure. Figure 2.1 provides an example “Enterprise Risk Analysis” structuring designed to perform this high‐level prioritization, with detailed process modeling showing system dependencies for structural evaluation. Component‐level assessment, or penetration testing, is then used at the technology level to inventory the system’s architecture.

Figure 2.1 Assessment levels – enterprise risk, process modeling, and vulnerability analysis.

As shown in Figure 2.1, network evaluation spans from an overall key asset prioritization to specific network components. This can include using dependency or attack graphs, during process modeling, to highlight specific scenarios.
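As an added illustration, not from the book and not MITRE's Crown Jewels Analysis, of how a dependency graph ties the asset‐prioritization and process‐modeling levels of Figure 2.1 together: the missions, processes, assets, and impact weights below are a constructed sample; the scoring ranks each technical asset by the business weight of the missions that transitively depend on it, and the reverse lookup reports which missions are at risk when a component‐level assessment finds a given asset vulnerable.

```python
"""Dependency-graph asset prioritization in the Crown Jewels style.

Constructed example for the enterprise-risk and process-modeling levels of
Figure 2.1: missions depend on business processes, processes depend on
technical assets. Every node name and weight is a made-up sample, not data
from the book or from MITRE.
"""
from collections import defaultdict, deque

# Constructed dependency graph: node -> set of nodes it directly depends on.
DEPENDS_ON = {
    # mission level (what the enterprise must keep doing)
    "mission:bill_customers": {"proc:invoicing", "proc:payments"},
    "mission:ship_product":   {"proc:order_mgmt", "proc:logistics"},
    "mission:public_web":     {"proc:web_presence"},
    # process level (how the mission is carried out)
    "proc:invoicing":    {"asset:erp_db", "asset:erp_app", "asset:ad"},
    "proc:payments":     {"asset:erp_db", "asset:payment_gw", "asset:ad"},
    "proc:order_mgmt":   {"asset:erp_app", "asset:erp_db", "asset:ad"},
    "proc:logistics":    {"asset:wms", "asset:ad"},
    "proc:web_presence": {"asset:web_srv", "asset:cdn"},
    # technology level (leaf nodes, the targets of component-level assessment)
    "asset:erp_db": set(), "asset:erp_app": set(), "asset:ad": set(),
    "asset:payment_gw": set(), "asset:wms": set(), "asset:web_srv": set(),
    "asset:cdn": set(),
}

# Constructed business-impact weight per mission (higher = more critical).
MISSION_WEIGHT = {
    "mission:bill_customers": 10,
    "mission:ship_product": 8,
    "mission:public_web": 3,
}


def transitive_dependencies(graph, node):
    """All nodes reachable from `node` along depends-on edges (BFS)."""
    seen, queue = set(), deque([node])
    while queue:
        cur = queue.popleft()
        for dep in graph.get(cur, ()):
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return seen


def crown_jewels(graph, weights):
    """Score each leaf asset by the summed weight of the missions that
    transitively depend on it; returns (asset, score) pairs, highest first."""
    score = defaultdict(int)
    for mission, weight in weights.items():
        for dep in transitive_dependencies(graph, mission):
            if dep.startswith("asset:"):
                score[dep] += weight
    return sorted(score.items(), key=lambda kv: (-kv[1], kv[0]))


def dependents(graph, target):
    """Reverse lookup: every node that transitively depends on `target`."""
    reverse = defaultdict(set)
    for node, deps in graph.items():
        for dep in deps:
            reverse[dep].add(node)
    return transitive_dependencies(reverse, target)


def missions_at_risk(graph, weights, target):
    """Missions (with their weights) impacted if `target` is compromised:
    the question a vulnerability finding on one component should answer."""
    affected = dependents(graph, target)
    return {m: w for m, w in weights.items() if m in affected}


if __name__ == "__main__":
    for asset, score in crown_jewels(DEPENDS_ON, MISSION_WEIGHT):
        print(f"{asset:18s} {score}")
    # A finding on the directory service touches both revenue missions.
    print(missions_at_risk(DEPENDS_ON, MISSION_WEIGHT, "asset:ad"))
```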

2.1 Assessment Frameworks