
Title: The Defender's Role in Cyber Security

Abstract

The embodiment of this work is a table top game to explore cyber security and network defense concepts and cost. The game structure is such that it provides players an immersive environment to play a given role in cyber security to investigate the result of infrastructure and response decisions.

Publication Date:
Research Org.:
Pacific Northwest National Lab. (PNNL), Richland, WA (United States)
Sponsoring Org.:
USDOE
Contributing Org.:
Battelle Memorial Institute, Pacific Northwest Division (PNNL)
OSTI Identifier:
1307216
Report Number(s):
DORCI; 004873MLTPL00
Battelle IPID 30860-E
DOE Contract Number:
AC05-76RL01830
Resource Type:
Software
Software Revision:
00
Software Package Number:
004873
Software CPU:
MLTPL
Source Code Available:
No
Other Software Info:
Copyright software available through PNNL Technology Commercialization office.
Country of Publication:
United States

Citation Formats

. The Defender's Role in Cyber Security. Computer software. Vers. 00. USDOE. 5 Aug. 2016. Web.
. (2016, August 5). The Defender's Role in Cyber Security (Version 00) [Computer software].
. The Defender's Role in Cyber Security. Computer software. Version 00. August 5, 2016.
@misc{osti_1307216,
title = {The Defender's Role in Cyber Security, Version 00},
author = {},
abstractNote = {The embodiment of this work is a table top game to explore cyber security and network defense concepts and cost. The game structure is such that it provides players an immersive environment to play a given role in cyber security to investigate the result of infrastructure and response decisions.},
doi = {},
year = {2016},
month = {8},
note = {}
}

  • Cyber security standards, guidelines, and best practices for control systems are critical requirements that have been delineated and formally recognized by industry and government entities. Cyber security standards provide a common language within the industrial control system community, both national and international, to facilitate understanding of security awareness issues but, ultimately, they are intended to strengthen cyber security for control systems. This study and the preliminary findings outlined in this report are an initial attempt by the Control Systems Security Center (CSSC) Standard Awareness Team to better understand how existing and emerging industry standards, guidelines, and best practices address cyber security for industrial control systems. The Standard Awareness Team comprised subject matter experts in control systems and cyber security technologies and standards from several Department of Energy (DOE) National Laboratories, including Argonne National Laboratory, Idaho National Laboratory, Pacific Northwest National Laboratory, and Sandia National Laboratories. This study was conducted in two parts: a standard identification effort and a comparison analysis effort. During the standard identification effort, the Standard Awareness Team conducted a comprehensive open-source survey of existing control systems security standards, regulations, and guidelines in several of the critical infrastructure (CI) sectors, including the telecommunication, water, chemical, energy (electric power, petroleum and oil, natural gas), and transportation--rail sectors and sub-sectors. During the comparison analysis effort, the team compared the requirements contained in selected, identified, industry standards with the cyber security requirements in "Cyber Security Protection Framework", Version 0.9 (hereafter referred to as the "Framework").
For each of the seven sector/sub-sectors listed above, one standard was selected from the list of standards identified in the identification effort. The requirements in these seven standards were then compared against the requirements given in the Framework. This comparison identified gaps (requirements not covered) in both the individual industry standards and in the Framework. In addition to the sector-specific standards reviewed, the team compared the requirements in the cross-sector Instrumentation, Systems, and Automation Society (ISA) Technical Reports (TR) 99 -1 and -2 to the Framework requirements. The Framework defines a set of security classes separated into families as functional requirements for control system security. Each standard reviewed was compared to this template of requirements to determine if the standard requirements closely or partially matched these Framework requirements. An analysis of each class of requirements pertaining to each standard reviewed can be found in the comparison results section of this report. Refer to Appendix A, "Synopsis of Comparison Results", for a complete graphical representation of the study's findings at a glance. Some of the requirements listed in the Framework are covered by many of the standards, while other requirements are addressed by only a few of the standards. In some cases, the scope of the requirements listed in the standard for a particular industry greatly exceeds the requirements given in the Framework. These additional families of requirements, identified by the various standards bodies, could potentially be added to the Framework. These findings are, in part, due to the maturity both of the security standards themselves and of the different industries' current focus on security.
In addition, there are differences in how communication and control are used in different industries and the consequences of disruptions via security breaches to each particular industry that could affect how security requirements are prioritized. The differences in the requirements listed in the Framework and in the various industry standards are due, in part, to differences in the level and purpose of the standards. While the requirements in the Framework are fairly specific, many of the industry standard requirements are more general in nature. Additionally, the Framework requirements, derived from the "Common Criteria for Information Technology Security Evaluation", are component-based, while most of the industry standards are system-based. The findings of this study will allow the CSSC Framework Team and the standards organizations responsible for the reviewed standards to quickly grasp the relationship between their requirements and the Framework, as well as the relationship between their standard and other industry sectors. This will help identify areas for future work in developing improved security standards.

To initiate an order for this software, request consultation services, or receive further information, fill out the request form below. You may also reach us by email at: .

OSTI staff will begin to process an order for scientific and technical software once the payment and signed site license agreement are received. If the forms are not in order, OSTI will contact you. No further action will be taken until all required information and/or payment is received. Orders are usually processed within three to five business days.
