cmplid


The cmplid:// methodology and other ways of assessing security

cmplid:// is designed to support a very specific methodology of security analysis. The method is resource-based, attribute-informed, and objective-supporting. Each of these aspects of the method provides increased efficiency or increased effectiveness in the management of a security program. However, the basic method is extremely flexible and allows organizations to implement their program in the manner that makes the most sense to them.

To explain this more fully, let's compare the traditional approach for Nuclear Cyber Security programs based on NEI 08-09 (all controls must be addressed for all CDAs) and the EPRI approach (defined in the 2016 EPRI Technical Report, Cyber Security Technical Assessment Methodology) with the recommended cmplid:// approach.

First, an overview of the cmplid:// method, called Unified Security Management or USM.

Resource-Based: Each of the security controls defined within a managed security program (NEI 08-09 Appendices A, D, and E) applies to one or more Resource Types. Consider the following examples:

  • D 1.1 Access Control Policy and Procedure will be written for one or more organizations within a nuclear licensee
  • D 1.3 Access Enforcement will generally require configuring applications and operating systems appropriately
  • E 9.2 Awareness Training will be taught to groups of people
  • E 6 Defense in Depth will largely be implemented through the architecture and configuration of networks and network appliances

Attribute-Informed: Characteristics of the Resources determine both the applicability of required security controls and how they are implemented. This is fairly consistent across all three methods discussed, though the words used to describe the process may differ. Consider the following examples:

  • D 1.1 Access Control Policy and Procedure will be written for all organizations that require unique access control mechanisms for CDAs
  • D 1.3 Access Enforcement is only necessary when a device provides logical access to itself, and will be implemented with passwords for devices that support passwords, PINs for devices that support PINs, etc.
  • E 9.2 Awareness Training will be taught to all personnel with access to CDAs
  • E 6 Defense in Depth will be required for all networks that contain CDAs, and will be implemented through unidirectional devices for all networks that contain Level 3 CDAs and through firewalls and IDS for all networks that contain Level 2 CDAs

Objective-Supporting: The goal of the cyber security analysis is to determine where the Threat Vectors for the NEI 08-09 controls exist among the resources within the scope of the program. cmplid:// uses the concepts of Security Objectives and Consequences to identify Threat Vectors. Consider the following examples:

  • D 1.1 Access Control Policy and Procedure
    • Security Objective: Ensures resources within scope of the security program are developed, implemented, and maintained according to appropriate organizationally defined standards.
    • Consequence: Resources within scope of the security program will be inconsistently managed according to personnel specific proclivities or tribal knowledge.
  • D 1.3 Access Enforcement
    • Security Objective: Ensures logical access accounts have only the permissions required to fulfill their required business objectives.
    • Consequence: Logical user account permissions will exceed required business objectives.
  • E 9.2 Awareness Training
    • Security Objective: Ensures resources within scope of the security program are developed, implemented, and maintained according to appropriate organizationally defined standards.
    • Consequence: Resources within scope of the security program will be inconsistently managed according to personnel specific proclivities or tribal knowledge.
  • E 6 Defense in Depth
    • Security Objective:  Ensures protected systems cannot communicate with unauthorized systems.
    • Consequence: Protected systems will be able to communicate with insecure systems.

The basic process for using the cmplid:// recommended approach is therefore to identify the Resources within the scope of the cyber security program (Hardware, Software, Networks, Media, Source Code (if any), Information, Locations, and Organizations) and to characterize those Resources using a library of Attributes derived from the NEI 08-09 content, in order to determine which controls must be applied and how to apply them. cmplid:// stores the analysis of the cyber security program Standards (NEI 08-09 Appendices A, D, and E) and the values of each Resource's relevant Attributes so that the program can be managed consistently. As implementation mechanisms, or even the Standards themselves, change (e.g. NEI 08-09 Addendum 1), the structured data within cmplid:// can be updated and new assessment results documented to ensure the program is being managed appropriately across the plant or fleet.

Using cmplid:// with the other methods

The traditional approach, "all controls must be addressed for all CDAs", would be implemented in cmplid:// simply by designating all controls as applicable to CDAs. Each of the controls determined to be Common Controls could then be auto-answered during the assessment process to ensure consistent implementation throughout the plant or fleet.
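As an added illustration (not cmplid:// code, and no part of its data model), the attribute-informed applicability check described in the process paragraph above, with a switch for the traditional "all controls for all CDAs" mode just mentioned. The four rules encode only the attribute examples given on this page for D 1.1, D 1.3, E 9.2 and E 6; the resource kinds, attribute names and sample resources are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Resource:
    name: str
    kind: str    # resource type: Organization, Hardware, Person or Network (assumed names)
    attrs: dict = field(default_factory=dict)   # attribute values characterizing the resource

# Each rule returns an implementation hint when the control applies, else None (implicit).
def d11_access_control_policy(r):
    if r.kind == "Organization" and r.attrs.get("unique_access_control_for_cdas"):
        return "write access control policy and procedure for this organization"

def d13_access_enforcement(r):
    if r.kind == "Hardware" and r.attrs.get("provides_logical_access"):
        return "enforce logical access using " + r.attrs.get("auth_mechanism", "a defined mechanism")

def e92_awareness_training(r):
    if r.kind == "Person" and r.attrs.get("has_cda_access"):
        return "include in awareness training"

def e6_defense_in_depth(r):
    levels = set(r.attrs.get("cda_levels", ()))
    if r.kind == "Network" and levels:   # only networks that contain CDAs
        measures = [m for lvl, m in ((3, "unidirectional device"), (2, "firewall and IDS")) if lvl in levels]
        return "deploy " + " + ".join(measures) if measures else "defense in depth required"

RULES = {"D 1.1": d11_access_control_policy, "D 1.3": d13_access_enforcement, "E 9.2": e92_awareness_training, "E 6": e6_defense_in_depth}

def assess(resources, all_controls_for_cdas=False):
    # all_controls_for_cdas=True models the traditional approach: every control applies to every is_cda resource.
    results = {}
    for r in resources:
        hits = {}
        for cid, rule in RULES.items():
            impl = rule(r)
            if impl is None and all_controls_for_cdas and r.attrs.get("is_cda"):
                impl = "applicable to all CDAs (traditional approach)"
            if impl is not None:
                hits[cid] = impl
        results[r.name] = hits
    return results

# Constructed sample resources (not taken from any real plant).
SAMPLE = [
    Resource("Ops Dept", "Organization", {"unique_access_control_for_cdas": True}),
    Resource("PLC-01", "Hardware", {"is_cda": True, "provides_logical_access": True, "auth_mechanism": "PIN"}),
    Resource("Sensor-07", "Hardware", {"is_cda": True, "provides_logical_access": False}),
    Resource("J. Doe", "Person", {"has_cda_access": True}),
    Resource("Ctrl-Net", "Network", {"cda_levels": [3, 2]}),
]
```

Running assess(SAMPLE) shows Sensor-07 picking up no controls in attribute-informed mode, while assess(SAMPLE, all_controls_for_cdas=True) marks all four controls applicable to it; the difference is exactly the scoping decision the two approaches make.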

The EPRI method does not really deviate much from the cmplid:// method; all of the basic functionality is essentially the same. One minor difference is semantic: what the EPRI method defines as Vulnerabilities, cmplid:// defines as Consequences. The primary difference is that the EPRI method does not limit itself to those vulnerabilities/consequences derived from the NEI 08-09 content, but seeks to derive all vulnerabilities/consequences possible based on the characteristics of the CDAs themselves.

This is obviously a very high-level discussion of these methods. For further information, or to receive a copy of a whitepaper that details the USM Methodology within the context of the NIST Risk Management Framework (RMF), send us an email at info@cmplid.com.