Phase 3: Asset Inventory & Classification - Training Guide

Mission Briefing

Greetings, Cyber Surveyor. Your previous missions have established governance and identified key risks. Now, your task at Tachyon Heavy Industries' Mars Shipyard advances to creating a comprehensive inventory of all assets that require protection under E26 regulations. This phase is crucial—effective cybersecurity depends on knowing exactly what you're protecting and how critical each component is to vessel operations.

In the harsh environment of space, where replacement parts may be weeks or months away, understanding the complete technology landscape of each vessel becomes a matter of survival. The asset inventory you develop now will serve as the foundation for all security controls and will be a living document throughout each vessel's operational life.

E26 Regulatory Context

IACS UR E26 explicitly requires a detailed asset inventory as part of the identification process. Section 4.1 (Identify) mandates:

• Documentation of all computer-based systems (CBS) within scope
• Classification of systems based on criticality to vessel operations
• Assignment of appropriate security level (SL) targets
• Maintenance of the inventory throughout the vessel lifecycle

This inventory must be comprehensive and will be a key document reviewed during ABS certification.

Your Mission Objectives

As an ABSC Cyber Integrator, you must:

1. Develop a comprehensive inventory of all hardware, software, and network components
2. Classify assets based on criticality to vessel operations
3. Assign appropriate security level (SL) targets to each asset
4. Document system boundaries and interfaces in detail
5. Establish procedures for maintaining the inventory throughout the vessel lifecycle

The Challenges You Face

THI's mining vessels contain thousands of individual components from hundreds of suppliers, many with complex dependencies and interactions. You'll need to navigate:

• Incomplete or outdated documentation from suppliers
• Systems with embedded components that may not be fully documented
• Legacy equipment with limited security capabilities
• Pressure to assign lower security levels to reduce implementation costs
• Evolving vessel designs as construction progresses

Quest Path: Asset Inventory & Classification

Step 1: Asset Discovery and Documentation

Your first task is to identify and document all computer-based systems and components within the E26 scope for each vessel class.

Procedural Guide:

1. Review vessel design documentation for all five vessel classes
2. Conduct workshops with system engineers to identify all components
3. Document hardware specifications, including:
   • Manufacturer and model
   • Firmware/OS version
   • Physical location
   • Network interfaces
4. Document software details, including:
   • Application name and version
   • Function and purpose
   • Dependencies
   • Update mechanisms
5. Document network components, including:
   • Switches, routers, and firewalls
   • Communication protocols
   • Network topology

Interactive Challenge: During a workshop, you discover that the Quantum Harvester-Class vessels use an undocumented proprietary protocol for communication between the Tachyon Pulse Drill and its control system. The protocol developer has gone out of business. How do you proceed with documenting this critical interface?

Options:

• Exclude it from the inventory as it cannot be fully documented
• Document what is known and flag it as a high-risk item
• Recommend replacing the system with a more standard solution
• Engage reverse engineering specialists to document the protocol

Optimal Approach: Document what is known about the protocol, flag it as a high-risk item requiring special attention, and recommend a security assessment through controlled reverse engineering to understand potential vulnerabilities.

Deliverable: Consolidated OT/IT Asset Inventory

Step 2: System Categorization and Criticality Assessment

For each identified asset, assess its importance to vessel operations and safety.

Procedural Guide:

1. Develop categorization criteria based on:
   • Impact on vessel propulsion
   • Impact on vessel safety systems
   • Impact on crew safety
   • Impact on mission objectives
2. Categorize each system as:
   • Category I: Critical (essential to vessel safety and operation)
   • Category II: Essential (important to vessel operation)
   • Category III: Important (supports vessel operation)
   • Category IV: Standard (non-critical to operation)
3. Document rationale for each categorization decision
4. Review categorizations with THI engineering and operations teams
5. Finalize system categories based on stakeholder input

Interactive Challenge: The THI Chief Engineer argues that the Void Hauler-Class cargo management system should be Category III (Important) rather than Category II (Essential) to reduce security requirements. Your analysis suggests that compromise could lead to cargo shifts affecting vessel stability. How do you resolve this disagreement?

Deliverable: System Categorization Matrix

Step 3: Security Level Target Assignment

Based on system categorization and risk assessment, assign appropriate security level targets to each asset.

Procedural Guide:

1. Review E26 security level requirements for different system categories
2. For each asset, determine the appropriate security level target (SL-T) based on:
   • System category
   • Potential impact if compromised
   • Exposure to threats
   • Interconnections with other systems
3. Document rationale for each SL-T assignment
4. Identify compensating controls for systems that cannot meet SL-T requirements
5. Review SL-T assignments with THI and ABS representatives

Interactive Challenge: The Gravitational Anchor Control System on the Gravity Well-Class vessel requires SL-T4 based on its criticality, but uses components that can only support SL-T3. What approaches can you recommend to address this gap?

Deliverable: Annotated Asset Inventory with SL-Targets

Step 4: Detailed Interface Mapping

Document all interfaces between systems to understand data flows and potential attack paths.

Procedural Guide:

1. For each system, identify all interfaces with other systems
2. Document interface characteristics:
   • Connection type (physical, wireless, network)
   • Protocol used
   • Data exchanged
   • Direction of data flow
   • Authentication mechanisms
3. Create visual interface maps showing system interconnections
4. Identify trust boundaries between systems of different security levels
5. Document security requirements for each interface

Interactive Challenge: You discover that the Environmental Control System interfaces with both critical propulsion systems and non-critical crew entertainment systems. How do you address this potential security boundary violation?

Deliverable: System Interface Documentation

Step 5: Asset Management Procedure Development

Establish processes for maintaining the asset inventory throughout the vessel lifecycle.

Procedural Guide:

1. Develop procedures for:
   • Adding new assets to the inventory
   • Updating existing asset information
   • Removing decommissioned assets
   • Periodic inventory validation
2. Define roles and responsibilities for inventory maintenance
3. Establish change management processes for system modifications
4. Create documentation templates for inventory updates
5. Define audit procedures to ensure inventory accuracy

Interactive Challenge: THI plans to implement a regular update program for vessel software systems once deployed. How should the asset management procedures account for these updates while maintaining security?

Deliverable: Asset Management Procedures

Mission Completion Criteria

Your mission will be considered complete when:

1. All deliverables have been created and approved by key stakeholders
2. The asset inventory comprehensively covers all five vessel classes
3. Security level targets have been assigned and justified for all assets
4. Asset management procedures have been implemented and tested
5. ABS has reviewed and accepted the inventory approach

Rewards and Advancement

Successful completion of this mission will:

• Provide a clear understanding of the complete attack surface
• Establish appropriate security requirements for each system
• Unlock access to Phase 4: Network Security Architecture
• Earn you the "Master Cataloger" achievement in your surveyor profile

Knowledge Resources

• IACS UR E26 Section 4.1: "Identify"
• IACS UR E27 Security Level Requirements
• NIST Special Publication 800-82: Guide to Industrial Control Systems Security
• ABS Consulting Asset Classification Guidelines
• THI Vessel System Architecture Documentation

Remember, Surveyor: you cannot protect what you don't know exists. A thorough asset inventory now will ensure that no system goes unprotected when vessels venture into the dangerous void of space.

Good luck on your mission. The safety of future crews depends on your thoroughness.