Cooperative Adversarial Security Assessments
Critical infrastructure and national security systems are under constant cyber threat. Assessments provide a disciplined approach to finding and fixing weaknesses. The CASA team serves national security and critical infrastructure sponsors whose needs exceed the services found in private industry. In addition, Sandia’s skill sets and other resources enable the team to evaluate one-of-a-kind systems for which the needed expertise is simply not available elsewhere.
The CASA team works with government and military partners, as well as civilian industry, to help them find and fix cybersecurity weaknesses in their critical systems. To perform this work effectively, CASA relies on the Labs’ deep pool of wide-ranging cybersecurity experience, an arsenal of proven assessment methodologies, and a holistic approach to understanding and safeguarding systems. Here’s how CASA is built.
A Firm Foundation: Broad skill sets, deep experience
Sandia possesses a wide range of security expertise in a variety of operational contexts. This subject-matter expertise is integrated into all CASA assessments to help characterize and analyze target systems.
CASA personnel bring decades of experience conducting assessments in a variety of technical areas. The team has performed hundreds of assessments with scopes ranging from specialized components to global enterprise networks. When necessary, the team can draw on specialized cyber expertise from across the Labs. For unusual systems, such as those related to space, nuclear deterrence, or cyber-physical systems, the team can also draw on subject matter experts in different technical fields, using their deep knowledge in that area to obtain a true system understanding.
Proven methodologies give assessments a reliable structure
Over the years, CASA teams have assessed systems based on land and at sea, in the air and in space. They have evaluated everything from specialized components to IT networks and global enterprises, from cutting-edge technology to decades-old legacy systems.
To model adversaries, identify consequences of concern and potential vulnerabilities, and to recommend mitigations, the team uses three proven, formal assessment methodologies:
- Information Design Assurance Red Team (IDART™) – applicable in all stages of a system lifecycle, but used primarily to analyze systems and security technologies during their design and development. Its primary goal is to identify potential vulnerabilities and prevent them from being introduced.
- Dynamic Engagement Methods for Operative Networks and Systems (DEMONS) – focuses on production (or production-ready) networks and systems that are operating in their expected manner. Its goal is to identify existing vulnerabilities in configurations, workflows, and processing so they can be mitigated.
- Field Device Assessment Methodology (FDAM) – analyzes networked devices, such as remote sensors or controllers, within deployed operational-technology and industrial-control systems, with the goal of finding and mitigating vulnerabilities.
This array of choices allows CASA to assess a system in any phase of its lifecycle. The methodologies can also be used in varying combinations to assess unusual or hybrid systems, or to meet a specific sponsor need.
In each case, the CASA team uses the latest threat intelligence to appropriately model the tactics, techniques, and procedures across a spectrum of adversaries. This lets the team tailor the assessment to a sponsor’s industry, specific needs, and adversary of concern. Focusing an assessment in this way yields results that more accurately reflect the real-world threats the stakeholder is likely to encounter and provides an independent, objective view of weaknesses in the cybersecurity posture of the system under test.
An evolving, holistic approach
The CASA team’s predecessors at SNL began conducting formalized cybersecurity assessments in 1996. The earliest assessments employed a pure “red-team” approach, defined as “authorized, adversary-based assessments for defensive purposes.” But, as the “C” in CASA implies, the team’s assessment approach has evolved to emphasize cooperation between the assessment team and system owner.
This cooperation helps enable the more active, broadly scoped assessments made necessary by continual changes in technology and adversary capabilities. The result is a holistic approach that enhances the CASA team’s ability to identify consequences of concern and uncover unexpected attack vectors.
In assessing security at a coal-fired power plant, for example, the CASA approach might evaluate the security of support systems even though their failure would not directly prevent the plant from operating. By attacking the plant’s systems for scrubbing smokestack emissions, for instance, adversaries might nonetheless succeed at forcing the plant to shut down for environmental reasons.
This holistic approach includes the following:
- Understanding how policies influence user interactions with the system
- Determining how a system actually works (which may involve reverse engineering)
- Learning the conscious and unconscious assumptions of the system owners, operators, and users
- Identifying the differences between the system as defined, as implemented, and as configured
When to use CASA, or not
Sandia National Laboratories provides a range of assessments adapted to complex and high-consequence systems, particularly when facing a range of capable adversaries or when existing within uncertain operating environments.
Still, a CASA assessment is not always the best choice. The following lists identify when CASA is useful, and when it is not.
CASA is useful when:
- The target system is complex, or a system of systems
- Developer focus is on function, not security
- The target system is deployed in a hostile environment
- The target system is attractive to dynamic, adaptable adversaries
- Security trade-offs must be weighed
- The target system is new, or is being used in a new application that may have unknown consequences
- The target system's history shows previously discovered vulnerabilities
- A qualitative measure of system security is desired
- There is a need to establish or evaluate training and doctrine
Pursue other options when:
- There are too many unknowns, ill-defined requirements, or unanswered questions about the target system and its operational environment
- Known security problems must be addressed first
- There is a greater risk of a given consequence from other sources
- The assessment function can be implemented by a static model, test bench, or tool
- Compliance testing or certification is sufficient