CARVER+Shock Vulnerability Assessment Tool “As Agile As the Enemy”


Upload: eldon

Post on 13-Jan-2016


Page 1: CARVER+Shock Vulnerability  Assessment Tool “As Agile As the Enemy”

CARVER+Shock Vulnerability Assessment Tool

“As Agile As the Enemy”

The Foundation for Institutional Development

Page 2:

The Cycle of Security

[Figure: Assessment, Mitigation and Occurrence repeating in sequence along a Time axis]

As time goes on, we must assess our vulnerabilities. As the biggest holes in our defenses are plugged, we either move on to the next weakest area, or an occurrence drives us to reassess.

Security is a cycle, a business process, not an event.

Page 3:

How Our System Works

Based on Sun Tzu's principles of war
– Know Yourself
– Know Your Enemy
– Know Your Environment
– Know What Your Enemy Knows About You

Use the CARVER+Shock Vulnerability Assessment Tool

Can be used on all 13 Critical Infrastructures at any level

Page 4:

Critical Infrastructures

– Agriculture
– Food
– Water
– Public Health
– Emergency Services
– Government
– Defense Industrial Base
– Information and Telecommunications
– Energy
– Transportation
– Banking and Finance
– Chemical Industry
– Postal and Shipping

Page 5:

The Targeting Process: “Know Yourself”

Each Critical Infrastructure is a Target System

Target Systems (Sub-systems)
– A series of steps in the process

Target Complexes
– Targets in the same geographical area

Target Components
– Specific pieces of machinery, structures, personnel, supplies, or computer files
– Critical to overall target system

Critical Nodes
– Critical to operation of target component
– How component is disabled

Page 6:

The Targeting Process

[Flowchart: Identifying Critical Nodes]

– Identify Target Systems
– Does the System Have Subsystems? (YES / NO)
– Identify Sub-systems
– Identify Target Complexes
– Identify Target Components
– Does the component have a Critical Node? (YES / NO)
– Identify Critical Nodes
– List all Critical Nodes / Components by Complex and System
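
The flowchart above can be run as an inventory walk for a defender's own asset list. This is an added example, not part of the original presentation. It assumes a NO answer at either decision simply skips that identification step; system, complex and component names echo the slides, and the critical-node names are constructed placeholders.

```python
# Added example (not from the presentation): inventory walk for the
# "Identifying Critical Nodes" flowchart.
# Assumption: a NO answer at either decision skips that identification step.

def list_critical_nodes(systems):
    """Return (system, subsystem, complex, component, node) rows."""
    rows = []
    for system in systems:
        # NO subsystems: treat the system as its own single subsystem.
        subsystems = system.get("subsystems") or [
            {"name": system["name"], "complexes": system.get("complexes", [])}
        ]
        for sub in subsystems:
            for cx in sub.get("complexes", []):
                for comp in cx.get("components", []):
                    # NO critical node: list the component itself (node=None).
                    for node in comp.get("critical_nodes") or [None]:
                        rows.append((system["name"], sub["name"], cx["name"],
                                     comp["name"], node))
    return rows

def by_complex_and_system(rows):
    """Group entries under (system, complex), the flowchart's final listing."""
    grouped = {}
    for system, _sub, cx, comp, node in rows:
        entry = comp if node is None else f"{comp} / {node}"
        grouped.setdefault((system, cx), []).append(entry)
    return grouped

# Constructed sample; critical-node names are invented placeholders.
SAMPLE = [
    {"name": "Food", "subsystems": [
        {"name": "Grow", "complexes": [
            {"name": "Layer Farm", "components": [
                {"name": "Feed"}, {"name": "Production Animals"}]}]},
        {"name": "Process", "complexes": [
            {"name": "Processing Facility", "components": [
                {"name": "Egg Breaker Machines",
                 "critical_nodes": ["Machine controller"]},
                {"name": "Plant Workers"}]}]}]},
    {"name": "Power", "complexes": [  # no subsystems declared
        {"name": "Control Center", "components": [
            {"name": "Operator workstation",
             "critical_nodes": ["Power supply", "Network link"]}]}]},
]

if __name__ == "__main__":
    listing = by_complex_and_system(list_critical_nodes(SAMPLE))
    for (system, cx), entries in listing.items():
        print(f"{system} / {cx}: {', '.join(entries)}")
```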

Page 7:

Sample Target System (Power)

[Figure: sample power target system including a Control Center, with braces labelling the Target System or Subsystem, Target Complexes, and Target Components]

Page 8:

The Target System

[Figure: Grow, Harvest, Process, Transport, Distribute, Consume]

The process that grows, harvests, processes, transports, and distributes any foodstuff is a target system. Each step can be considered a target sub-system.

Page 9:

Target Complexes

[Figure labels: Layer Farm, Harvest Facility, Processing Facility, Transport Services, Distribution (Retail)]

A target complex is a subset of a target subsystem. A target complex is a concentrated, integrated series of targets. It consists of facilities and activities that are close to each other geographically or virtually. Within a target complex, individual targets will be identified.

Page 10:

Target Components

[Figure labels: Egg Breaker Machines, Production Animals, Feed, Plant Workers, Inspectors, Grading and Packaging Machines]

Target components are the pieces of the target you can see or touch. Target components can be:

• Service providers (humans, animals)

• Infrastructure (buildings/equipment)

• Consumables (feed, medicine, etc.)

• Cyber (hardware, software, network)

Page 11:

CARVER + Shock (Assessment)

– Criticality
– Accessibility
– Recuperability
– Vulnerability
– Effect
– Recognizability
– Shock

(Consider multiple attacks occurring at the same time)

Page 12:

Design Basis Threat: “Know Your Enemy”

Develop a design basis threat to ensure continuity in planning/prioritization

Eliminates the need for Probability

Can encompass more than one scenario

Include:
– WHO Means (Methodology, MO, Weapons, Resources)
– HOW Type of Target (Include how they are selected)
– WHY (Political, Financial, Theological)

Update as threat changes on a permanent basis

Page 13:

Red Teaming: “Through the Eyes of the Enemy”

Uses Open Source Information

Lets you look at your target system through the eyes of the enemy

Helps determine where to commit mitigation resources

Page 14:

Curriculum

Executive Overview
– Informs government and corporate leadership on the program, tools and techniques to be used, and benefits to their organization

CARVER+Shock Vulnerability Assessment Tool
– Used during national level assessments in first phase
– Highly scalable
– Ubiquitous across any infrastructure

Open Source Intelligence Course
– Trains candidates to exploit open sources to obtain information on their own weaknesses as well as their threat

Red Team Course
– Trains analysts to view their facility as a target through the eyes of the enemy.