Phase 2: Risk Identification & Scoping - Training Guide

Mission Briefing

Greetings, Cyber Surveyor. With the governance framework now established, your next mission at Tachyon Heavy Industries' Mars Shipyard focuses on identifying and scoping the cybersecurity risks that threaten their mining vessel fleet. This phase is critical—you cannot defend against threats you haven't identified, and you cannot allocate resources effectively without understanding which systems face the greatest risk.

In the asteroid belt, where communication delays and physical isolation are realities, a comprehensive understanding of potential cyber threats is essential. The risk landscape you map now will guide all subsequent security decisions and determine the resilience of THI vessels against the corporate rivals and pirate factions that threaten them.

E26 Regulatory Context

IACS UR E26 explicitly requires risk assessment as a foundation for cybersecurity implementation. Section 4.1 (Identify) mandates:

These assessments must be documented and will be reviewed during ABS certification.

Your Mission Objectives

As an ABSC Cyber Integrator, you must:

  1. Define the scope of systems subject to E26 requirements
  2. Identify and document system boundaries and interfaces
  3. Conduct comprehensive threat modeling
  4. Assess vulnerabilities in vessel systems
  5. Evaluate and prioritize risks
  6. Develop risk treatment strategies

The Challenges You Face

THI's mining vessels contain hundreds of interconnected systems from dozens of suppliers. Many of these systems were designed with functionality, not security, as the primary concern. You'll need to navigate:

Quest Path: Risk Identification & Scoping

Step 1: System Scope Definition

Your first task is to determine which systems fall within the scope of E26 requirements, focusing on operational technology (OT) systems that could affect vessel safety if compromised.

Procedural Guide:

  1. Review vessel design documentation for all five vessel classes
  2. Identify systems that control or monitor physical processes
  3. Determine which systems, if compromised, could endanger:
    • Human safety
    • Vessel integrity
    • Environmental protection
  4. Document all IP-based interfaces between OT and other systems
  5. Create a preliminary system scope register

Interactive Challenge: The THI Chief Engineer argues that the Quantum Crystalline Lattice Vault monitoring system should be excluded from E26 scope since it's "just a monitoring system with no control functions." How do you respond?

Options:

Optimal Approach: Explain that monitoring systems can provide attack pathways to control systems and request a formal risk assessment to determine inclusion. The assessment should consider whether compromise could lead to theft of valuable QCL or provide access to other critical systems.

Deliverable: System Scope Register

Step 2: System Boundary & Interface Documentation

For each system in scope, document its boundaries and interfaces with other systems to understand potential attack paths.

Procedural Guide:

  1. Create system boundary diagrams for each in-scope system
  2. Document all interfaces between systems, including:
    • Network connections
    • Data flows
    • Physical connections
    • Wireless communications
  3. Identify security zones based on system criticality
  4. Document trust relationships between systems
  5. Identify potential attack vectors at system boundaries

Interactive Challenge: You discover an undocumented wireless maintenance interface on the Gravitational Anchor Control System of the Gravity Well-Class vessel. The interface allows direct access to control functions but has minimal security controls. What actions do you take?

Deliverable: System Boundary & Interface Documentation
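
An added example, not part of the original guide: one way to test the Step 1 scoping question against the Step 2 interface register is to list every system that has a path to a safety-critical control system. The register entries, the system names that do not appear in the guide, and the treatment of interfaces as directed flows are assumptions made for illustration.

```python
from collections import deque

# Constructed interface register (Step 2 output): (source, destination, medium).
# Connections, and system names not used in the guide, are illustrative only.
INTERFACES = [
    ("QCL Vault Monitoring", "Vessel Data Historian", "network"),
    ("Vessel Data Historian", "Gravitational Anchor Control", "network"),
    ("Wireless Maintenance Port", "Gravitational Anchor Control", "wireless"),
    ("Crew Entertainment", "Crew Wi-Fi Router", "network"),
]

# Systems whose compromise could endanger safety, integrity or environment.
SAFETY_CRITICAL = {"Gravitational Anchor Control"}


def paths_to_critical(interfaces, critical):
    """Return {system: path} for every system that can reach a critical one."""
    # Index interfaces by destination so we can walk backwards from the target.
    reverse = {}
    for src, dst, _medium in interfaces:
        reverse.setdefault(dst, []).append(src)
    found = {c: [c] for c in critical}
    queue = deque(critical)
    while queue:  # breadth-first, so each recorded path is a shortest one
        node = queue.popleft()
        for upstream in reverse.get(node, []):
            if upstream not in found:
                found[upstream] = [upstream] + found[node]
                queue.append(upstream)
    return found


def scope_register(interfaces, critical):
    """Classify each system named in the register for the scope decision."""
    reach = paths_to_critical(interfaces, critical)
    systems = {s for src, dst, _ in interfaces for s in (src, dst)}
    register = {}
    for name in sorted(systems):
        if name in critical:
            register[name] = "in scope: safety-critical"
        elif name in reach:
            register[name] = "assess: path " + " -> ".join(reach[name])
        else:
            register[name] = "no path to critical system found"
    return register


if __name__ == "__main__":
    for system, decision in scope_register(INTERFACES, SAFETY_CRITICAL).items():
        print(f"{system}: {decision}")
```

A "no path found" result only reflects the interfaces that were documented, so it is evidence for the formal risk assessment rather than a reason to skip it.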

Step 3: Threat Modeling

Identify potential threats to vessel systems based on attacker motivations, capabilities, and objectives.

Procedural Guide:

  1. Develop threat actor profiles relevant to asteroid mining operations
  2. Identify attacker motivations and objectives for each threat actor
  3. Assess attacker capabilities and resources
  4. Map potential attack scenarios for each threat actor
  5. Determine likely attack vectors and techniques

Interactive Challenge: Intelligence reports indicate that the corporate rival Eclipse Mining Consortium has hired former THI engineers with knowledge of vessel systems. How does this change your threat model?

Deliverable: Threat Model Documentation

Step 4: Vulnerability Assessment

Identify weaknesses in vessel systems that could be exploited by attackers.

Procedural Guide:

  1. Review system documentation for security weaknesses
  2. Conduct interviews with system engineers and operators
  3. Perform configuration reviews of critical systems
  4. Identify common vulnerability types in similar systems
  5. Document all identified vulnerabilities with supporting evidence

Interactive Challenge: The supplier of the Tachyon Pulse Drill control system refuses to provide detailed security information, claiming it's proprietary. How do you assess vulnerabilities without this information?

Deliverable: Vulnerability Assessment Report

Step 5: Risk Evaluation & Prioritization

Assess the likelihood and potential impact of each identified risk to prioritize mitigation efforts.

Procedural Guide:

  1. Develop risk evaluation criteria aligned with E26 requirements
  2. Assess the likelihood of successful attacks based on:
    • Threat actor capabilities
    • Vulnerability severity
    • Existing controls
  3. Evaluate potential impacts on:
    • Human safety
    • Vessel operations
    • Environmental protection
    • Mission success
  4. Calculate risk scores based on likelihood and impact
  5. Categorize risks as Critical, High, Medium, or Low

Interactive Challenge: Your risk assessment identifies 47 distinct risks across the five vessel classes. THI management asks you to focus on the "top 5" for immediate action. How do you determine which risks to prioritize?

Deliverable: Risk Register with Prioritization
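
An added example, not part of the original guide, of the scoring, categorization and "top N" ranking described in this step. The 1-5 scales, the likelihood formula, the category thresholds and the register entries are assumptions; the guide names the factors and the four categories but does not define them.

```python
from dataclasses import dataclass

# Assumed thresholds on a 1-25 score (likelihood x impact, both 1..5).
BANDS = [(20, "Critical"), (12, "High"), (6, "Medium"), (0, "Low")]

@dataclass
class Risk:
    name: str
    threat: int    # threat actor capability, 1..5
    vuln: int      # vulnerability severity, 1..5
    controls: int  # strength of existing controls, 1 (none) .. 5 (strong)
    impact: dict   # impact dimension -> 1..5

    def likelihood(self):
        # Threat and vulnerability raise likelihood; existing controls lower it.
        raw = (self.threat + self.vuln + 1) // 2 - (self.controls - 1) // 2
        return max(1, min(5, raw))

    def score(self):
        # Worst-case dimension, so a severe safety impact is not averaged away.
        return self.likelihood() * max(self.impact.values())

    def category(self):
        return next(label for floor, label in BANDS if self.score() >= floor)

def prioritize(risks, top_n=5):
    """Rank by score; ties go to the higher human-safety impact."""
    key = lambda r: (r.score(), r.impact["human_safety"])
    return sorted(risks, key=key, reverse=True)[:top_n]

def dims(safety, ops, env, mission):
    return {"human_safety": safety, "vessel_operations": ops,
            "environmental_protection": env, "mission_success": mission}

# Constructed register entries for illustration only.
REGISTER = [
    Risk("Crew entertainment network malware", 2, 3, 4, dims(1, 2, 1, 1)),
    Risk("QCL vault monitoring data exposure", 4, 3, 3, dims(1, 2, 1, 4)),
    Risk("Drill controller, supplier details withheld", 3, 3, 2, dims(4, 3, 1, 3)),
    Risk("Undocumented wireless interface on anchor control", 4, 5, 1, dims(5, 4, 2, 4)),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.score():>2} {r.category():<8} {r.name}")
```

Two entries tie at a score of 12; the tie-break on human-safety impact is what places the drill controller ahead of the vault monitoring risk.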

Step 6: Risk Treatment Planning

Develop strategies for addressing identified risks through various treatment options.

Procedural Guide:

  1. For each prioritized risk, evaluate treatment options:
    • Risk reduction through security controls
    • Risk transfer through insurance or third-party services
    • Risk avoidance through system redesign
    • Risk acceptance with monitoring
  2. Develop detailed treatment plans for critical and high risks
  3. Identify resource requirements for risk treatment
  4. Establish timelines for implementation
  5. Define success criteria and verification methods

Interactive Challenge: The most effective mitigation for a critical vulnerability in the Gravitational Anchor System would require a three-month delay in vessel delivery. THI is resistant to this delay. What alternative approaches could you propose?

Deliverable: Risk Treatment Plan

Mission Completion Criteria

Your mission will be considered complete when:

  1. All deliverables have been created and approved by key stakeholders
  2. The System Scope Register clearly defines E26 boundaries
  3. The Risk Register and Treatment Plan have been accepted by THI and ABS
  4. The foundation has been established for security architecture design

Rewards and Advancement

Successful completion of this mission will:

Knowledge Resources

Remember, Surveyor: in cybersecurity, what you don't know can harm you. A thorough risk assessment now will prevent catastrophic failures later when vessels are operating in the unforgiving environment of deep space.

Good luck on your mission. The safety of future crews depends on your diligence.