Phase 4: Network Security Architecture - Training Guide
Mission Briefing
Greetings, Cyber Surveyor. Your previous missions have established governance, identified risks, and cataloged assets. Now, your task at Tachyon Heavy Industries' Mars Shipyard advances to designing the network security architecture that will protect vessel systems from cyber threats. This phase is critical—it establishes the structural framework that will segregate systems, control communication paths, and implement defense-in-depth strategies.
In the vacuum of space, where external support may be days or weeks away, a vessel's network architecture is its primary defense against cyber attacks. The security zones and conduits you design now will determine how effectively the vessel can contain breaches and protect critical systems when facing sophisticated corporate espionage or opportunistic pirate attacks.
E26 Regulatory Context
IACS UR E26 explicitly requires a robust network security architecture as part of the protection process. Section 4.2 (Protect) mandates:
- Implementation of network segmentation based on system criticality
- Establishment of security zones with defined trust boundaries
- Control of data flows between zones through secure conduits
- Implementation of defense-in-depth strategies
- Protection of external communication interfaces
These architectural elements must be documented in the Cybersecurity Design Description (CSDD) and will be key components reviewed during ABS certification.
Your Mission Objectives
As an ABSC Cyber Integrator, you must:
- Design a comprehensive network security architecture for each vessel class
- Establish appropriate security zones based on system criticality
- Define secure conduits for necessary cross-zone communications
- Implement defense-in-depth strategies for critical systems
- Design security monitoring capabilities for threat detection
- Develop incident response procedures for security breaches
The Challenges You Face
THI's mining vessels contain complex networks of interconnected systems with varying security requirements. You'll need to navigate:
- Operational requirements for system integration that may conflict with security best practices
- Legacy systems with limited security capabilities
- Physical space constraints for network equipment
- Bandwidth and latency considerations for deep space operations
- Balancing security with usability for crew interactions
Quest Path: Network Security Architecture
Step 1: Security Zone Definition
Your first task is to define security zones that group systems with similar security requirements and criticality levels.
Procedural Guide:
- Review the asset inventory and security level targets
- Group systems based on:
  - Security level requirements
  - Functional relationships
  - Physical location
  - Operational dependencies
- Define at least five distinct security zones:
  - Command Zone (Red): Critical navigation, propulsion, and life support
  - Operations Zone (Orange): Mining operations and cargo management
  - Engineering Zone (Yellow): Maintenance and diagnostic systems
  - Crew Zone (Green): Crew facilities and entertainment
  - External Zone (Blue): External communications
- Document zone boundaries and contained systems
- Define trust relationships between zones
Interactive Challenge: The Comet Chaser-Class vessel has limited physical space for network equipment due to its compact design. How do you implement proper zone separation with these constraints?
Options:
- Reduce the number of security zones to simplify implementation
- Use logical separation instead of physical separation where necessary
- Recommend design changes to accommodate security equipment
- Implement compensating controls for zones that cannot be physically separated
Optimal Approach: Use logical separation with enhanced monitoring and access controls where physical separation is impossible, while implementing compensating controls such as enhanced encryption, strict access control, and comprehensive logging for these areas.
Deliverable: Security Zone Definition Document
Step 2: Conduit Design
For each required communication path between security zones, design secure conduits that enforce appropriate security controls.
Procedural Guide:
- Identify all necessary communication paths between zones
- For each path, define security requirements based on:
  - Criticality of connected systems
  - Sensitivity of transmitted data
  - Potential attack vectors
- Design conduit security controls, including:
  - Firewalls and filtering rules
  - Protocol validation
  - Authentication requirements
  - Encryption standards
- Document data flow policies for each conduit
- Establish monitoring requirements for conduit traffic
Interactive Challenge: The Gravitational Anchor System in the Command Zone needs to send status updates to the Mining Operations display in the Operations Zone. How do you design this cross-zone communication to maintain security while ensuring operational effectiveness?
Deliverable: Conduit Specification Document
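An added example, not part of the original guide: a default-deny conduit check over the Step 1 zones, with the Command-to-Operations status path from the challenge above modelled as a one-way conduit. The subnets, ports, conduit list and sample flows are constructed assumptions, and treating that path as one-way is one possible design rather than the guide's stated answer.

```python
from ipaddress import ip_address, ip_network

# Zone names are from Step 1; the subnets are constructed for this example.
ZONES = {
    "command": ip_network("10.10.0.0/24"),
    "operations": ip_network("10.20.0.0/24"),
    "engineering": ip_network("10.30.0.0/24"),
    "crew": ip_network("10.40.0.0/24"),
    "external": ip_network("10.50.0.0/24"),
}

# Hypothetical directional conduits: (initiator zone, dest zone, proto, port).
CONDUITS = {
    ("command", "operations", "tcp", 8443): "anchor status feed",
    ("crew", "external", "tcp", 443): "crew communications",
}

def zone_of(addr):
    """Map an IP address to its zone name, or None if it is in no zone."""
    ip = ip_address(addr)
    return next((z for z, net in ZONES.items() if ip in net), None)

def evaluate(src, dst, proto, dst_port):
    """Return (decision, reason) for a flow, keyed on who initiates it."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz is None or dz is None:
        return ("deny", "address outside every defined zone")
    if sz == dz:
        return ("allow", f"intra-zone in {sz}, not a conduit decision")
    purpose = CONDUITS.get((sz, dz, proto, dst_port))
    if purpose:
        return ("allow", f"conduit: {purpose}")
    return ("deny", f"no conduit {sz}->{dz} {proto}/{dst_port}")

def audit(flows):
    """Return (flow, reason) for every flow the conduit policy denies."""
    results = [(f, evaluate(*f)) for f in flows]
    return [(f, reason) for f, (decision, reason) in results if decision == "deny"]

# Constructed sample flows: (source, destination, protocol, destination port).
SAMPLE_FLOWS = [
    ("10.10.0.5", "10.20.0.9", "tcp", 8443),  # Command -> Operations: allowed
    ("10.20.0.9", "10.10.0.5", "tcp", 8443),  # reverse direction: denied
    ("10.50.0.2", "10.10.0.5", "tcp", 22),    # External -> Command: denied
    ("10.40.0.7", "10.40.0.8", "udp", 5353),  # inside the Crew zone
]

if __name__ == "__main__":
    print(*audit(SAMPLE_FLOWS), sep="\n")
```

Evaluation keys on the initiating side, so reply traffic on an allowed connection is not a second conduit; anything without a matching entry is denied and carries a reason suitable for the conduit traffic log.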
Step 3: Network Topology Design
Create detailed network topology designs that implement the security zones and conduits.
Procedural Guide:
- Design physical network topology, including:
  - Network equipment placement
  - Cable routing and physical protection
  - Redundancy for critical connections
- Design logical network topology, including:
  - IP addressing scheme
  - VLAN configuration
  - Routing policies
- Specify network equipment requirements, including:
  - Switches and routers
  - Firewalls and security gateways
  - Intrusion detection/prevention systems
- Document network resilience features
- Create network diagrams for each vessel class
Interactive Challenge: The Void Hauler-Class vessel requires high-bandwidth connections between cargo processing systems in different security zones. How do you design the network to accommodate these requirements without compromising security?
Deliverable: Network Topology Design Document
Step 4: Defense-in-Depth Strategy
Develop a comprehensive defense-in-depth approach that implements multiple layers of security.
Procedural Guide:
- For each security zone, define multiple security layers:
  - Perimeter defenses
  - Network-level controls
  - Host-based security
  - Application security
  - Data protection
- Implement the principle of least privilege for all systems
- Design security controls that address different attack vectors
- Establish redundant security mechanisms for critical systems
- Document how defense-in-depth mitigates identified risks
Interactive Challenge: The Quantum Harvester-Class vessel's Tachyon Pulse Drill control system requires special protection due to its proprietary nature and critical function. How do you implement defense-in-depth for this system?
Deliverable: Defense-in-Depth Strategy Document
Step 5: Security Monitoring Design
Design comprehensive security monitoring capabilities to detect and alert on potential security incidents.
Procedural Guide:
- Identify key monitoring points in the network architecture
- Define monitoring requirements for different security zones
- Design log collection and analysis infrastructure
- Establish alert thresholds and escalation procedures
- Design security dashboards for different stakeholders
Interactive Challenge: The vessels will operate in the asteroid belt where communication with Earth may be delayed or interrupted. How do you design security monitoring to function effectively in this environment?
Deliverable: Security Monitoring Design Document
Step 6: Incident Response Procedure Development
Establish procedures for responding to security incidents detected through monitoring.
Procedural Guide:
- Define incident classification criteria
- Establish response procedures for different incident types
- Assign roles and responsibilities for incident response
- Create communication protocols for incident notification
- Develop containment, eradication, and recovery procedures
Interactive Challenge: A suspected advanced persistent threat has been detected in the Operations Zone of a Gravity Well-Class vessel during a critical mining operation. The vessel is three light-hours from the nearest support. What incident response procedures should be followed?
Deliverable: Incident Response Procedures
Mission Completion Criteria
Your mission will be considered complete when:
- All deliverables have been created and approved by key stakeholders
- The network security architecture has been reviewed by THI engineering teams
- Implementation plans have been developed for each vessel class
- ABS has reviewed and accepted the architecture approach
Rewards and Advancement
Successful completion of this mission will:
- Establish the structural framework for all security implementations
- Create clear boundaries between systems of different criticality
- Unlock access to Phase 5: Cybersecurity Design Documentation
- Earn you the "Master Architect" achievement in your surveyor profile
Knowledge Resources
- IACS UR E26 Section 4.2: "Protect"
- NIST Special Publication 800-82: Guide to Industrial Control Systems Security
- ISA/IEC 62443: Network and System Security for Industrial Automation
- ABS Consulting Network Segmentation Best Practices
- THI Vessel Network Infrastructure Specifications
Remember, Surveyor: in space, network architecture is not merely about connectivity—it's about survival. A well-designed security architecture now will be the vessel's shield against the invisible threats that lurk in the digital void.
Good luck on your mission. The safety of future crews depends on your design.