Introducing the Cupcake Model
The Cupcake Model was created with ease-of-use and simplicity in mind. Existing frameworks that have been developed and utilized actively for business integration within its enterprise can anticipate a translation that is less complex, but provides strategists with a useful tool.
What is it?
- A holistic approach for performing a full critical infrastructure assessmenti, focusing on operation rather than data.
- Provides a straregic framework that elucidates all levels of management.
- Applicable for technical and management staff.
- Useful for segmenting areas of influence.
- Useful for identifying areas of concern.
Why do we need it?
- Useful guidance for easier identification and implementation.
- Differentiate all levels of operation, not just one or two.
- Provides a holistic methodology to apply to existing business operations, not just data.
- Includes industry practices, controls and standards.
The solution provided should be customized to your environment…yet simple and easy enough to implement and integrate. It is our belief that we use a simple, yet powerful model that will explain just how easy it is to implement. Put simply, it means that you cannot simply ‘cookie cut’ your problem with the same solution for each assessment; these assessments need to be customized for each and every customer.
Breakdown of the Cupcake Model
-
Cherry
Further polish of the presentation. Not necessary, but helpful.
-
Sprinkles
How the presentation is formatted and shown, and what format is used.
-
Frosting
Data used by the site, includes configurations, access control, etc.
-
Cake
The baseline of the site’s operation and all of its processes.
-
Filling
Support one or more processes and site operations; includes site monitoring, incident response, disaster recover, and more. This is the core of the business; essentially, it is it’s ‘heart’.
-
Liner
Controls that are applied to the site, its processes and operations.
It should be noted that there is no perfect cupcake, as there is no perfect assessment model. Taste will vary from person to person. No one cupcake is better than another. Each is unique, and just as tasty as the next. Simply put, cater your assesment based on customer needs; if the customer has no idea in terms of what to expect, provide several suggestions much like how a baker would ask a customer in how they want their cupcake made.
- Is the cupcake just plain, or is there something inside that makes it special?
- Does the cupcake have frosting? If yes, then is it made with sour cream, butter cream, cream cheese, ganache (chocolate-based), whipped cream, or just powered sugar?
- Are there any garnishments on top of the cupcake? If yes, is it sprinkles, sugary shapes (hearts, circles, diamonds), cardboard figures, or just writing using frosting?
- For the cake itself, is it carrot cake, zuchinni cake, banana bread, tiramisu, chocolate cake, angel food cake, or just plain vanilla cake?
- Does the cake have a filling? If yes, then is it frosting-based, pie filling, , jellies, peanut butter, cream cheese, candies, caramel, chocolate, pudding, or just simply nothing?
- Last, depending on the kind of cake used for the cupcake, this will determine what type of liner to use. The liner is important, in that it prevents the cupcake from sticking to the pan. Types of liners include: waxpaper, paper, aluminum, silicone, mylar, etc.
If you apply the principals of how to make your cupcake, you have many options to choose from. The same may be said about how you both conduct and then present findings for your customer’s assessment. One note to point out - even though a customer assessment may be performed within the same infrastructure sector, this DOES NOT mean that ‘once size fits all’. Just like your cupcake, each one is catered specifically for each customer accordingly.
What does this all mean?
Hopefully, this framework analogy has been useful explaining some of the basic principles when conducting a customer's security assessment. In the future, expect more details as to possible recommended formats, content specifics, and more.
Each part is important to experience the ‘full taste’ of the cupcake. Applying how the cupcake model fits with a suggested security asessment framework, the emphasis is to utilize a holistic approach whereby all aspects of an on-site audit is conducted: physical, logic, control systems, control groups, standards, and regulations (if applicable).
So…why do we want to use this model? The answer is simpler than what most would have thought - a holistic approach in performing assessments. Breakdown of each of the sections can be identified easily with little or no interpretation. It becomes intuitive.
-
Overview/Executive Summary
Summary as to why the process is necessary, and who asked for it.
-
Objective/State-Of-Work
Overall objective outlining agreed upon resources to be provided, and who will be performing the process.
-
Process Flow/Expected Results
Objective details in outline format; step-by-step process how it will match anticipated goals with expected results. This defines the metrics for the process, such that, at the end of the assessment, provided capative analysis of goals vs. actual results.
-
Physical/Site Review
Physical/site audit; includes 3G*, CCTV, access control (gates, fences, doors, etc.) for all incoming and outgoing traffic.
-
Information/Data Review
Information that is used for the site; this includes both data in-transit (transferred) as well as data at-rest (stored).
-
Information Technology (IT) Review
Equipment and software used to transport data to and from the site. This is representative of all enterprise-based equipment and software that is not part of the OT architectures (generally on-site premised).
-
Operational Technology (OT) Review
Equipment and software used to control and process SCADA and process/industrial control systems equipment to/from the site. The cutoff is at the site’s router/MPLS switch; once traffic has left the site premise, the responsibility falls onto IT.
-
SCADA/Control Systems Review
Equipment and firmware used to control physical equipment on site. Physical equipment can include (but is not limited to) the following: pumps, actuators, sensors, telemetry equipment, electrical switches, physical switches, relays, valves, motors, variable speed drives (VSD), variable frequency drives (VFD), locks, door, panels, signage, signals (transportation: rail, automotive, maritime), and other physical devices used by an electrical device.
-
Final Results/Controls Review
Final results from the assessment; if the on-site premise is controlled or regulated, match the controls expected against the controls measured, identifying which controls are either weak or non-existent in enforcement. Suggested standards for controls applications may include (but are not limited to) the following: NIST Cyber Security Framework (CSF), NIST Special Publication 800-53, IEC 62443.