Phase 10: Testing Execution - Training Guide

Mission Briefing

Greetings, Cyber Surveyor. Your previous missions have established governance, identified risks, cataloged assets, designed network security architecture, created comprehensive documentation, verified supplier compliance, implemented change management processes, ensured security during construction, and developed a thorough test program. Now, your mission at Tachyon Heavy Industries' Mars Shipyard advances to the moment of truth: executing the Cyber Resilience Test Program.

The time for planning and preparation is over. Now you must put the vessel's defenses to the test, challenging them with the same determination and ingenuity that real adversaries will employ. The Void Pirates and corporate espionage agents from rival mining corporations will not be gentle in their probing—neither should you be. Only by finding vulnerabilities now, in the safety of the shipyard, can you ensure they won't be exploited later in the unforgiving void of deep space.

Your task is to execute the test program developed in the previous phase, documenting results, addressing issues, and ultimately verifying that the vessel's cyber defenses are truly ready for the challenges that await beyond Mars orbit.

E26 Regulatory Context

IACS UR E26 requires thorough testing of all cybersecurity controls. Key requirements include:

• Execution of comprehensive security testing
• Documentation of test results and findings
• Verification that security controls meet requirements
• Remediation of identified vulnerabilities
• Validation of remediation effectiveness
• Final security verification before certification

The Astronomical Bureau of Shipping (ABS) will require evidence of successful testing before granting certification.

Your Mission Objectives

As an ABSC Cyber Integrator, you must:

1. Execute the test cases developed in the previous phase
2. Document test results and findings
3. Identify and classify security vulnerabilities
4. Coordinate remediation of identified issues
5. Verify effectiveness of remediation actions
6. Prepare final test reports for certification

The Challenges You Face

Executing security testing in a complex shipbuilding environment presents several challenges:

• Coordinating testing activities with ongoing construction
• Managing the risk of test-induced system failures
• Addressing unexpected findings under tight timelines
• Balancing thoroughness with schedule constraints
• Resolving conflicts between security requirements and operational needs
• Ensuring consistent test execution across different vessel systems

Quest Path: Testing Execution

Step 1: Test Environment Preparation

Your first task is to prepare the environments needed for effective security testing.

Procedural Guide:

1. Configure test environments for different test types:
   • Network security testing
   • System security testing
   • Detection and response testing
   • Recovery testing
2. Set up test tools and platforms
3. Establish baseline system states for testing
4. Create test accounts and access credentials
5. Configure monitoring to capture test results
6. Verify readiness of test environments

Interactive Challenge: While setting up the test environment for the Quantum Harvester's critical systems, you discover that the vessel's operational network is significantly different from the documentation provided. Several additional connections exist that weren't in the design, and some security zones appear to have been reconfigured. Testing is scheduled to begin tomorrow. How do you address this discrepancy?

Options:

• Delay testing until documentation is updated
• Proceed with testing based on the actual configuration
• Test only the systems that match the documentation
• Quickly update test plans to reflect the actual configuration

Optimal Approach: Document the discrepancies between the design and actual implementation, then update your test plans to reflect the actual configuration while flagging the differences as potential compliance issues. Proceed with testing based on the actual configuration, but include specific test cases to evaluate whether the undocumented connections create security vulnerabilities. In parallel, initiate a change management process to either update the documentation or modify the implementation to match the approved design.

Deliverable: Configured Test Environments

Step 2: Network Security Testing

Execute the tests designed to verify the security of the vessel's network architecture.

Procedural Guide:

1. Execute tests for:
   • Security zone isolation
   • Firewall rule effectiveness
   • Network access controls
   • Intrusion detection capabilities
   • Wireless network security
   • Remote access security
2. Document test results and observations
3. Identify and classify any vulnerabilities
4. Assess the impact of identified issues
5. Develop remediation recommendations
6. Prepare network security test report

Interactive Challenge: During testing of the Nebula Skimmer's network segmentation, you discover that traffic between the operational technology network and the crew entertainment system is not properly restricted. The network engineer argues that this is intentional to allow for system monitoring, but you can't find any documentation of this design decision or security risk assessment. How do you handle this finding?

Deliverable: Network Security Test Results

Step 3: System Security Testing

Execute the tests designed to verify the security of individual systems and components.

Procedural Guide:

1. Execute tests for:
   • System hardening effectiveness
   • Access control implementation
   • Authentication mechanisms
   • Patch management
   • Malware protection
   • Secure configuration
2. Document test results and observations
3. Identify and classify any vulnerabilities
4. Assess the impact of identified issues
5. Develop remediation recommendations
6. Prepare system security test report

Interactive Challenge: Your testing reveals that the Comet Chaser's navigation system has several critical vulnerabilities, including default credentials that haven't been changed and unnecessary services running. When you report this to the system integrator, they claim that modifying these settings would void the manufacturer's warranty and support agreement. The vessel is scheduled for delivery in two weeks. How do you address this security issue?

Deliverable: System Security Test Results

Step 4: Detection and Response Testing

Execute the tests designed to verify the vessel's ability to detect and respond to security incidents.

Procedural Guide:

1. Execute tests for:
   • Security monitoring effectiveness
   • Alert generation and escalation
   • Incident detection capabilities
   • Response procedures and playbooks
   • Communication during incidents
   • Containment and eradication procedures
2. Document test results and observations
3. Identify and classify any gaps in detection or response
4. Assess the impact of identified issues
5. Develop improvement recommendations
6. Prepare detection and response test report

Interactive Challenge: During a simulated attack on the Gravity Well's mineral extraction system, you discover that while the security monitoring system correctly detects the intrusion, the alerts are not properly routed to the response team due to a configuration error. When notified manually, the response team successfully contains the attack, but valuable time is lost. How do you document and address this finding?

Deliverable: Detection and Response Test Results

Step 5: Recovery and Resilience Testing

Execute the tests designed to verify the vessel's ability to recover from security incidents and maintain operations.

Procedural Guide:

1. Execute tests for:
   • Backup and recovery procedures
   • System restoration capabilities
   • Failover mechanisms
   • Degraded mode operations
   • Data integrity verification
   • Return to normal operations
2. Document test results and observations
3. Identify and classify any gaps in recovery capabilities
4. Assess the impact of identified issues
5. Develop improvement recommendations
6. Prepare recovery and resilience test report

Interactive Challenge: Testing the Void Hauler's recovery capabilities reveals that while system backups are successfully created, the restoration process fails for several critical systems due to version incompatibilities in the recovery environment. The backup system passed all previous verification checks. How do you address this significant finding so close to vessel delivery?

Deliverable: Recovery and Resilience Test Results

Step 6: Remediation Verification

Verify that identified issues have been properly remediated before final certification.

Procedural Guide:

1. Track remediation status for all identified issues
2. Prioritize verification of critical vulnerabilities
3. Execute verification tests for remediated issues
4. Document verification results
5. Assess residual risk for any unresolved issues
6. Prepare final test verification report

Interactive Challenge: Most of the critical vulnerabilities identified during testing have been remediated, but three medium-severity issues remain unresolved due to technical constraints. The THI Project Manager wants to proceed with certification, arguing that these issues pose minimal risk and can be addressed in a future update. The ABS surveyor is requesting a formal risk assessment and mitigation plan. How do you handle this situation?

Deliverable: Remediation Verification Report

Mission Completion Criteria

Your mission will be considered complete when:

1. All planned security tests have been executed
2. Test results have been documented and analyzed
3. Critical and high-severity issues have been remediated
4. Remediation effectiveness has been verified
5. Residual risks have been assessed and accepted
6. Final test reports have been prepared for certification

Rewards and Advancement

Successful completion of this mission will:

• Verify that the vessel's cyber defenses are effective against real threats
• Identify and address vulnerabilities before they can be exploited
• Unlock access to Phase 11: Documentation Control & Class Liaison
• Earn you the "Security Validator" achievement in your surveyor profile

Knowledge Resources

• IACS UR E26 Section 5.1: "Demonstration of compliance during design and construction phases"
• ISA/IEC 62443-3-3: "System security requirements and security levels"
• ABS CyberSafety® Volume 2: "Requirements for the ABS CyberSafety® Notation"
• NIST SP 800-115: "Technical Guide to Information Security Testing and Assessment"
• OWASP Testing Guide

Remember, Surveyor: in the unforgiving environment of deep space, there are no security patches, no emergency response teams, and no second chances. The thoroughness of your testing now will determine whether the vessel's defenses hold when faced with real attacks in the asteroid belt. Be diligent, be thorough, and leave no vulnerability unexplored.

Good luck on your mission. The true security of the fleet will be revealed through your tests.