Phase 7: Change & Configuration Management - Training Guide

Mission Briefing

Greetings, Cyber Surveyor. Your previous missions have established governance, identified risks, cataloged assets, designed network security architecture, created comprehensive documentation, and verified supplier compliance. Now, your mission at Tachyon Heavy Industries' Mars Shipyard advances to a critical operational phase: implementing robust Change & Configuration Management processes.

In the dynamic environment of spacecraft construction, changes are inevitable. New technologies emerge, requirements evolve, and unexpected challenges arise. Each change, however necessary, introduces potential security risks if not properly managed. Your task is to establish processes that allow THI to adapt and evolve their vessel designs while maintaining the cybersecurity integrity established in earlier phases.

The stakes are high—the Void Pirates have been known to exploit poorly managed system changes to insert backdoors during construction. Meanwhile, corporate rivals like Quantum Extraction Enterprises have attempted to compromise vessels through unauthorized modifications to critical systems. Your change management framework will be the shield that protects THI vessels from these threats throughout their construction and operational life.

E26 Regulatory Context

IACS UR E26 explicitly requires robust change and configuration management processes. Key requirements include:

• Formal processes for evaluating security impact of changes
• Documentation of all changes to security-relevant systems
• Verification that changes do not compromise security controls
• Configuration baseline documentation and management
• Processes for emergency changes with appropriate security controls
• Audit trails of all changes for certification and compliance

The Astronomical Bureau of Shipping (ABS) will require evidence of these processes before granting certification.

Your Mission Objectives

As an ABSC Cyber Integrator, you must:

1. Develop a comprehensive Change Management Framework
2. Establish Configuration Management processes and tools
3. Create security impact assessment procedures for proposed changes
4. Implement change verification and validation processes
5. Develop configuration baseline documentation
6. Establish audit and compliance monitoring for changes

The Challenges You Face

Implementing effective change and configuration management in THI's complex shipbuilding environment presents several challenges:

• Multiple teams making simultaneous changes across vessel systems
• Pressure to implement changes quickly to meet construction deadlines
• Complex dependencies between systems that may be affected by changes
• Legacy systems with limited documentation and change control capabilities
• Balancing security requirements with operational flexibility

Quest Path: Change & Configuration Management

Step 1: Change Management Framework Development

Your first task is to establish the overall framework for managing changes to vessel systems.

Procedural Guide:

1. Define change types and categories:
   • Emergency changes
   • Standard changes
   • Major changes
   • Minor changes
2. Establish change management roles and responsibilities
3. Create change request and approval workflows
4. Develop change documentation requirements
5. Establish change review boards and meeting schedules
6. Create change management policies and procedures

Interactive Challenge: THI's Engineering Director argues that the change management process you've proposed will slow down construction and innovation. She wants a "streamlined" process with minimal documentation for "minor" changes. How do you respond to this challenge?

Options:

• Insist on full documentation for all changes without exception
• Create an expedited process for truly minor changes while maintaining security oversight
• Allow engineering teams to self-approve minor changes with periodic audits
• Compromise by reducing documentation but maintaining approval requirements

Optimal Approach: Develop a tiered approach with expedited processes for pre-approved categories of minor changes, while maintaining appropriate security oversight. Create clear criteria for what qualifies as "minor" and implement periodic audits to ensure the expedited process isn't being misused for significant changes.

Deliverable: Change Management Framework and Procedures

Step 2: Security Impact Assessment Process

Develop a systematic approach to evaluating the security impact of proposed changes.

Procedural Guide:

1. Create security impact assessment templates
2. Define criteria for different levels of security impact
3. Establish assessment procedures for different change types
4. Develop guidance for identifying security implications
5. Create decision matrices for common change scenarios
6. Establish escalation procedures for high-impact changes

Interactive Challenge: A critical update is needed for the Quantum Harvester's Gravitational Extraction Array control system to fix a performance issue. The supplier insists the update must be implemented immediately during the current construction phase, but they cannot provide detailed documentation of the changes made to their proprietary code. How do you handle the security impact assessment?

Deliverable: Security Impact Assessment Methodology

Step 3: Configuration Management Implementation

Establish processes and tools for managing the configuration of vessel systems.

Procedural Guide:

1. Define configuration items for different vessel systems
2. Establish configuration baseline documentation requirements
3. Select and implement configuration management tools
4. Develop version control procedures for system configurations
5. Create configuration audit processes
6. Establish configuration backup and recovery procedures

Interactive Challenge: The Nebula Skimmer's atmospheric control system has dozens of configurable parameters that affect both performance and security. The system lacks built-in configuration management capabilities, and the supplier provides limited documentation. How do you establish effective configuration management for this system?

Deliverable: Configuration Management System and Procedures

Step 4: Change Verification and Validation

Develop processes to verify and validate that changes are implemented correctly and do not compromise security.

Procedural Guide:

1. Establish testing requirements for different change types
2. Create verification procedures for security controls post-change
3. Develop regression testing protocols for affected systems
4. Establish validation criteria for successful changes
5. Create rollback procedures for failed changes
6. Develop post-implementation review processes

Interactive Challenge: A change to the Comet Chaser's navigation system passes all technical verification tests, but during validation, you discover it creates an unexpected integration issue with the vessel's communication system that could potentially be exploited by attackers. The change has already been implemented across three vessels under construction. How do you proceed?

Deliverable: Change Verification and Validation Procedures

Step 5: Emergency Change Management

Develop specialized procedures for handling emergency changes that require rapid implementation.

Procedural Guide:

1. Define criteria for emergency changes
2. Create streamlined approval processes for emergencies
3. Establish minimum security requirements for emergency changes
4. Develop post-emergency review procedures
5. Create documentation requirements for emergency changes
6. Establish notification protocols for emergency situations

Interactive Challenge: During final testing of the Gravity Well's mineral extraction system, a critical vulnerability is discovered that could allow remote exploitation. The system is integrated throughout the vessel, and a fix must be implemented within 24 hours before the vessel moves to the next construction phase. How do you manage this emergency change while maintaining security?

Deliverable: Emergency Change Management Procedures

Step 6: Audit and Compliance Monitoring

Establish processes for monitoring and auditing changes to ensure ongoing compliance with security requirements.

Procedural Guide:

1. Develop change audit procedures and schedules
2. Create compliance monitoring tools and dashboards
3. Establish key performance indicators for change management
4. Develop reporting templates for ABS certification
5. Create procedures for addressing audit findings
6. Establish continuous improvement processes

Interactive Challenge: Your audit reveals that several unauthorized changes were made to the Void Hauler's cargo management system during the last construction phase. The changes appear to be performance optimizations made by well-meaning engineers, but they bypassed the change management process entirely. How do you address this compliance issue?

Deliverable: Change Audit and Compliance Monitoring System

Mission Completion Criteria

Your mission will be considered complete when:

1. The Change Management Framework has been implemented and tested
2. Configuration Management processes and tools are operational
3. Security impact assessment procedures are being consistently applied
4. Change verification and validation processes are demonstrably effective
5. ABS has reviewed and approved the change management approach
6. THI staff have been trained on all new processes

Rewards and Advancement

Successful completion of this mission will:

• Ensure that security is maintained throughout vessel evolution
• Provide clear processes for managing necessary changes
• Unlock access to Phase 8: System Integrator Construction Phase Requirements
• Earn you the "Change Master" achievement in your surveyor profile

Knowledge Resources

• IACS UR E26 Section 5: "Maintenance of security during operation"
• ISA/IEC 62443-2-1: "Security program requirements for IACS asset owners"
• ABS CyberSafety® Volume 3: "Change Management"
• ITIL Change Management Best Practices
• NIST SP 800-128: "Guide for Security-Focused Configuration Management"

Remember, Surveyor: in the ever-evolving landscape of spacecraft technology, change is inevitable. Your mission is not to prevent change, but to ensure that each change enhances the vessel without compromising its security. The processes you establish now will protect THI vessels throughout their operational life in the dangerous void of space.

Good luck on your mission. The adaptability and security of the entire fleet depends on your success.