Cybersecurity Assessment and Risk Enumeration for Systems (CARES)
Navy SBIR FY2018.1


Sol No.: Navy SBIR FY2018.1
Topic No.: N181-043
Topic Title: Cybersecurity Assessment and Risk Enumeration for Systems (CARES)
Proposal No.: N181-043-0144
Firm: Charles River Analytics Inc.
625 Mount Auburn Street
Cambridge, Massachusetts 2138
Contact: Daniel Mitchell
Phone: (617) 491-3474
Web Site: http://www.cra.com
Abstract: While the resilience of Navy systems to cyber attacks is critically important, cybersecurity is still frequently bolted-on to deployed systems and is rarely built-in during the early design stages. Bolted-on security is costly and not as effective as building it in from the start. Current approaches for assessing security during the design stage tend to be manual, which is slow, expensive, and can also lead to conflicting recommendations. Tools in this space often provide qualitative results and struggle with a lack of detailed information that is often not available during the system design stage. Cybersecurity Assessment and Risk Enumeration for Systems (CARES) will provide a means for modeling systems during the early design stages. It will use systemic functional grammars to provide an expressive, scalable enumeration of the entire attack space. It will automatically produce a quantitative list of security vulnerabilities for the target system and provide a list of consistent recommendations for remediating the vulnerabilities, while taking into account the other needs of the system and designers, such as performance and cost.
Benefits: We expect the full-scope Cybersecurity Assessment and Risk Enumeration for Systems (CARES) program to have immediate and tangible benefits for system designers and cyber analysts across the DoD. CARES will provide a quantitative risk assessment and mitigations for cyber attacks on systems in the early design stage. We see a commercially viable market licensing or selling CARES as an application for assessing the cyber posture of any system in the design stages so cyber security can be built in instead of bolted on. CARES will also contribute several technical improvements to our CyMod software, increasing its appeal as a commercial product.
