null

You’ve been hired to work within the United States Cyber Attack Response and Strategy (CARS) Unit, an arm of the Pentagon that defends against newly reported or anticipated cyber threats, thwarts future attacks, and executes counter-offenses. In your new role, you may be asked to coordinate with or lend assistance to other government agencies (e.g., DHS, the White House) and/or private companies to improve their cybersecurity posture.
After a few months in your new position, you and the rest of your team are called into a special briefing. Commander Karen Garrett discloses that a well-known adversary is expected to step up cyber-targeting of critical industries and government agencies during the early hours of the following morning.
Commander Garrett announces, “As you know, we shift priorities rather quickly at CARS. It’s key in this instance to defend forward. Starting today, I am launching a new mission, Operation Aquarius.” She nods to you: “You will be working through DHS in helping critical industries become aware of the constantly changing threat landscape posed by this and other adversaries.”
She continues: “As you may know, DHS has identified 16 critical infrastructure sectors. Although you may be asked to help with a company in any of these sectors, for your first assignment, you will choose one based on your expertise and interest. You will be helping that company assess its current cybersecurity risk and determine ways to improve its posture. For maximum impact, I would like you to focus on one or two of the company’s business-critical IT systems.
“I will send further instructions soon. I’ll notify you should we receive additional intelligence on the adversary’s actions. That’s all for now.”
As she leaves the briefing room and everyone begins murmuring about next steps, you consider the value of your profession and hope this assessment can help inform and defend critical infrastructure across the nation.
Step:1
Commander Garrett has directed you to select an organization in the critical infrastructure sectors. Choose a company or organization that has publicly available information sufficient to support a reasonable risk assessment based on your interests and background. Do not use insider or proprietary information: All the information you collect must be readily available for anyone to access.
You will describe in your proposal how you intend to collect your information. Before you focus on an organization, you first need to get a good footing on a formal risk assessment methodology and how to apply that methodology to an organization’s IT assets.

The National Institute of Standards and Technology (NIST) is a United States federal agency that provides standards for industries in science and technology. NIST is a key resource used by your organization. Because you will be following NIST’s risk assessment methodology to create your risk assessment report, you must understand the different steps that make up a risk assessment, including evaluating the likelihood of a specific threat manifesting into an attack or intrusion and the impact of that event.

Critical Infrastructure Sectors 

·

Overview 

·

Chemical Sector 

·

Commercial Facilities Sector 

·

Communications Sector 

·

Critical Manufacturing Sector 

·

Dams Sector 

·

Defense Industrial Base Sector 

·

Emergency Services Sector 

·

Energy Sector 

·

Financial Services Sector 

·

Food and Agriculture Sector 

·

Government Facilities Sector 

·

Healthcare and Public Health Sector 

·

Information Technology Sector 

·

Nuclear Reactors, Materials, and Waste Sector 

·

Transportation Systems Sector 

·

Water and Wastewater Systems Sector 

·

STEP:2
By understanding and qualitatively capturing the impact of all threats an organization faces, you are assessing its risk exposure. You may first need to get a good feel for a few basic cybersecurity concepts and terms: 
Confidentiality, Integrity, and Availability (CIA): The Security Triad
 and 
Threats, Attacks, and Vulnerabilities
.
In the next step, you’ll review an example of the NIST risk assessment methodology in practice.

Commander Garrett provides a template for this risk assessment methodology. Please familiarize yourself with this template and the methodologies it uses.
·
Risk Assessment Report Template

STEP:# 3
You are now ready to focus on an enterprise/company in a critical industry. Choose one or two of the company’s business-critical IT systems as the focus of your assessment. You might want to brush up on your knowledge of 
IT (Information Systems and Data) assets
.
Information Technology (IT) Assets
The term security in its most basic sense means the protection of assets from harm. Assets are anything of value, including physical, tangible items such as buildings, people, and the items they use, and intangible assets, such as information or knowledge. In the computer security realm, most organizations divide the overall practice of security into two categories: physical security and information security.
An information technology (IT) asset is any system resource that needs to be protected in order for an organization to meet its information security objectives and goals. IT assets include the computer hardware, software, communication systems, and data critical to business operations. Further, IT assets include the facilities that house system operations and equipment, and the policy and procedure documentation. 
The assets of a computer system can be categorized as follows:
· Hardware, which is the system equipment such as computer systems and other data processing, data storage, and data communications devices.
· Software, including the operating system, firmware, middleware, database management system, system utilities, and applications.
· Data contained in an information system, including files and databases, or in a service provided by a system, or system capability. Data can also refer to the operation of a system, e.g., security-related data like password files, data required for efficient routing in a network, and performance data.
· Communication facilities and networks, including local and wide area network communication links, bridges, routers, etc.

After you’ve chosen an enterprise and determined which of its critical systems you will focus on, begin your search for relevant information to include in your proposal. Examples of relevant information include
· enterprise and purpose (i.e., the nature of its business),
· IT systems you’ve chosen to assess,
· management or basic organization structure of organizations within your company, and
· identification of relevant aspects of the company’s computing and network infrastructure.
Note: Do not try to access unpublished information through social engineering or through attempted cyberattacks or intrusion attempts.

STEP:4

Begin Writing Your Annotated Bibliography
  
Begin by compiling a set of resources, carefully documenting the significance of each one and noting how it might be useful in the context of the work ahead of you. Use the template and NIST materials to guide your efforts. You will submit this document, called an annotated bibliography, with the proposal in the next step.

In this step, you will develop and submit your proposal and annotated bibliography for review and approval.
The project proposal should be a one-and-a-half-page (double-spaced) description of the company you propose to analyze, with a summary of the scope (IT systems associated with this company, and the assets impacted) of the risk assessment you are expected to conduct. The proposal should identify the subject company with a brief explanation of why you chose the subject for this assignment.
An important step in developing your risk assessment report will be the construction of an annotated bibliography. Having developed and described a subject company and scope of analysis in the proposal, the next step is to identify and assess the value of potential research material. You should identify five or six significant articles relevant to your subject company (or the industry sector of the company), identifying and assessing risks in a context similar to the scope of your report.
For a report of this nature, you may expect to find useful sources in both business-focused (e.g., Source Premier, and Company Resource Center, ABI/INFORM) and technically focused databases (e.g., ACM Digital Library, IEEE, Gartner.com, NIST, ISO). The annotated bibliography will consist of 100 to 150 words per article describing the main ideas of the article, a discussion of the usefulness of such an article in understanding various aspects of your report, and other comments you might have after reading the article. For each article, there should be a complete reference in APA format.
Once approved, your annotated bibliography will form the basis of the sources for your report. You may also add materials as you develop your report.

Step 6: Identify Vulnerabilities and Threats in Your Subject Company
Share your observations thus far with your colleagues. Note the company you have selected and provide insight to the vulnerabilities you have detected. Based on what you’ve learned about your chosen company, its field, and the assets you have chosen to focus on, post the following:
· at least one vulnerability (i.e., weakness) in each asset; 
· possible threats; and  
· the business functions impacted by the threats if realized, and in what ways (e.g., availability of a key database, confidentiality of a customer data).