Quantitative Cybersecurity Risk Assessment (QCRA)
Navy SBIR FY2018.1

Sol No.: Navy SBIR FY2018.1
Topic No.: N181-043
Topic Title: Quantitative Cybersecurity Risk Assessment (QCRA)
Proposal No.: N181-043-0674
Firm: InfoBeyond Technology LLC
320 Whittington PKWY
STE 117
Louisville, Kentucky 40222
Contact: Bin Xie
Phone: (502) 371-0907
Web Site: http://www.infoBeyondtech.com
Abstract: The Navy needs a standardized and automated tool for quantitative cybersecurity risk assessment that can be applied in the early design stage of a Naval Control System (NCS), so that cybersecurity can be "built in" during the acquisition lifecycle with less expense and design time. In this proposal, InfoBeyond advocates the Multilevel Quantitative Cybersecurity Risk Assessment Using Bayesian Attack Graph (MQCRA) system to address this challenge. MQCRA automatically collects the cybersecurity data, generates the attack graph of the NCS, which represents the dependencies, relations and transition states between vulnerabilities and exploits as attack paths, and computes the exploitation likelihood using Bayesian theory. Multiple risk metrics on different levels are also designed to quantitatively assess the cybersecurity risk of the NCS in terms of vulnerability exploitation likelihood, mission impact, cost, recommended solutions, etc. MQCRA enables quantitative risk assessment of an NCS in the early design stage with the following capabilities: (i) automatic cybersecurity data collection and aggregation; (ii) a Bayesian attack graph that generates/updates attack paths, exploitation likelihoods, and risk metrics as current or newly arriving information comes in; and (iii) multilevel risk evaluation for full security risk awareness on different levels, with user-friendly visualization to support decision-making in the early design stage.
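The abstract's core computation (attack paths with Bayesian exploitation likelihoods, CVSS-derived inputs, node-level risk metrics and comparison of candidate mitigations) as an added worked example. This is illustrative code written for this page, not InfoBeyond's MQCRA implementation, and it assumes a constructed six-node graph of a hypothetical NCS design, the common heuristic of CVSS base score / 10 as the local exploit probability, a noisy-OR / AND conditional model for each node, and made-up mission-impact weights. Marginals are computed exactly by enumerating joint states, which matters because nodes with a shared ancestor are correlated and multiplying path probabilities would understate the likelihood of reaching an AND node.

```python
"""Exploitation likelihood and risk metrics over a small Bayesian attack graph.

Constructed sample of a hypothetical NCS design; CVSS values and impact weights are
made-up inputs for illustration. Each node carries P(compromised | parents) as a CPT;
marginals are computed exactly by enumerating joint states in topological order.
"""
from dataclasses import dataclass, replace
from itertools import product
from typing import Dict, List, Tuple

ROOT = "attacker"  # external attacker position; treated as always reached


@dataclass(frozen=True)
class Node:
    name: str
    cvss: float               # CVSS base score at this node (constructed sample value)
    parents: Tuple[str, ...]  # preconditions: attack-graph edges into this node
    gate: str = "OR"          # "OR": any compromised parent suffices; "AND": all required
    impact: float = 0.0       # assumed mission-impact weight in [0, 1] if compromised

    @property
    def p_local(self) -> float:
        # Assumed heuristic: CVSS / 10 as P(exploit succeeds | preconditions hold)
        return self.cvss / 10.0


def conditional(node: Node, state: Dict[str, bool]) -> float:
    """One row of the node's CPT: P(node compromised | parents' states)."""
    k = sum(state[p] for p in node.parents)
    if node.gate == "AND":
        return node.p_local if k == len(node.parents) else 0.0
    # OR gate as noisy-OR: each compromised parent is an independent chance with p_local
    return 1.0 - (1.0 - node.p_local) ** k


def topo_order(graph: Dict[str, Node]) -> List[str]:
    """Parents before children (graph is assumed acyclic)."""
    order: List[str] = []
    seen = set()

    def visit(n: str) -> None:
        if n == ROOT or n in seen:
            return
        seen.add(n)
        for p in graph[n].parents:
            visit(p)
        order.append(n)

    for n in graph:
        visit(n)
    return order


def marginals(graph: Dict[str, Node]) -> Dict[str, float]:
    """Exact P(node compromised) for every node via full joint enumeration (2^n states)."""
    names = topo_order(graph)
    marg = {n: 0.0 for n in names}
    for bits in product((False, True), repeat=len(names)):
        state = dict(zip(names, bits))
        state[ROOT] = True
        prob = 1.0
        for n in names:  # chain rule in topological order
            pc = conditional(graph[n], state)
            prob *= pc if state[n] else 1.0 - pc
            if prob == 0.0:
                break
        if prob == 0.0:
            continue
        for n in names:
            if state[n]:
                marg[n] += prob
    return marg


def risk_metrics(graph: Dict[str, Node]) -> Dict[str, float]:
    """Node-level risk = exploitation likelihood x assumed mission impact."""
    return {n: p * graph[n].impact for n, p in marginals(graph).items()}


def mitigation_ranking(graph: Dict[str, Node], target: str) -> List[Tuple[str, float]]:
    """Rank single-node fixes by how much they lower P(target compromised).

    A fix is modelled as removing the vulnerability at that node (CVSS 0 => p_local 0).
    """
    base = marginals(graph)[target]
    rows = []
    for n in graph:
        if n == target:
            continue
        patched = {k: (replace(v, cvss=0.0) if k == n else v) for k, v in graph.items()}
        rows.append((n, base - marginals(patched)[target]))
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed sample: two entry points feed a gateway; an HMI and a historian are both
# needed (AND) to reach the controller.
SAMPLE_GRAPH: Dict[str, Node] = {
    "web":       Node("web", 9.8, (ROOT,), impact=0.2),
    "vpn":       Node("vpn", 5.3, (ROOT,), impact=0.2),
    "gateway":   Node("gateway", 7.5, ("web", "vpn"), impact=0.4),
    "hmi":       Node("hmi", 8.8, ("gateway",), impact=0.6),
    "historian": Node("historian", 6.5, ("gateway",), impact=0.3),
    "plc":       Node("plc", 7.2, ("hmi", "historian"), gate="AND", impact=1.0),
}

if __name__ == "__main__":
    for n, p in marginals(SAMPLE_GRAPH).items():
        print(f"P({n} compromised) = {p:.4f}")
    for n, r in risk_metrics(SAMPLE_GRAPH).items():
        print(f"risk({n}) = {r:.4f}")
    for n, d in mitigation_ranking(SAMPLE_GRAPH, "plc"):
        print(f"fixing {n:10s} lowers P(plc) by {d:.4f}")
```

On the sample graph the exact marginal for the controller is about 0.346, whereas treating the HMI and historian as independent would give about 0.291, because both depend on the same gateway node. The mitigation ranking is the "recommended solutions" step in miniature: fixing any node on the single chain (gateway, HMI, historian) removes the controller risk entirely, fixing the web entry point lowers it by about 0.18, and fixing the VPN entry point by only about 0.04, which is the kind of cost-versus-reduction comparison an early-design review needs.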
Benefits: The ability to quantitatively assess the cybersecurity risk of NCS systems in the early design stage is critical to ensuring accountability for cybersecurity risk management during the acquisition lifecycle. However, current approaches are very limited in offering such capabilities under stringent operational conditions. Our proposed MQCRA system is an innovative approach that provides quantitative cybersecurity risk assessment of an NCS, accounting for potential threats, vulnerabilities, mission impacts and recommended cybersecurity solutions for risk mitigation. Once developed as a COTS/GOTS product, MQCRA leads to reliable and cost-effective cybersecurity applications with the following benefits: (i) automated cybersecurity data collection from the NCS in the early design stage; (ii) automated and standardized cybersecurity risk quantification with respect to mission impact, cost, technical performance and cybersecurity policy, using the exploitation likelihoods of software vulnerabilities in the system; (iii) a Bayesian network that presents the causal relations among vulnerabilities, to find efficient, low-cost solutions for mitigating the risk; and (iv) an explicit design for NCS systems, with a weapon system showcase (Ship Self Defense System (SSDS)) for demonstration. In addition, it incorporates DoN cyber requirements and policies and uses the CVSS scores of vulnerabilities in the NVD for risk assessment. It is designed as a software module that can easily be deployed for risk assessment in the early design stage of an NCS. The Navy would gain significant value from the capability to quantitatively assess the cybersecurity risk of NCS systems in the early design stage. MQCRA can be used to improve the cybersecurity of many military and governmental information systems. It can also be applied in business and commercial settings, providing cost-effective and automated methods for protecting valuable IT assets from cyberattack.
The commercial market is much larger than the military one: more and more enterprises are moving their application services into cyberspace, and cybersecurity has become one of their primary concerns. Our effort for the commercial market is to transition the MQCRA technology into various applications and attract investment. We will work closely with the Navy, Leidos, and Lockheed Martin to transfer this technology into the military and commercial domains.