Phase 8: System Integrator Construction Phase Requirements - Training Guide

Mission Briefing

Greetings, Cyber Surveyor. Your previous missions have established governance, identified risks, cataloged assets, designed network security architecture, created comprehensive documentation, verified supplier compliance, and implemented change management processes. Now, your mission at Tachyon Heavy Industries' Mars Shipyard advances to a critical implementation phase: defining and enforcing cybersecurity requirements during the actual construction of the vessels.

The construction phase represents a period of particular vulnerability. As systems are integrated, configured, and tested, temporary access points are created, default credentials are used, and security controls may not yet be fully operational. The Void Pirates and corporate espionage agents from rival mining corporations are well aware of these vulnerabilities—several recent attacks across the solar system have specifically targeted vessels during construction.

Your task is to ensure that system integrators—the teams responsible for bringing together the various systems into a functioning vessel—follow rigorous security practices throughout the construction process. The security controls you've designed in previous phases must be properly implemented, and temporary construction access must not create permanent vulnerabilities.

E26 Regulatory Context

IACS UR E26 includes specific requirements for security during the construction phase. Key requirements include:

• Security controls for temporary construction networks and access points
• Secure configuration procedures during system integration
• Protection of default credentials and temporary access methods
• Security testing during construction milestones
• Documentation of security implementation during construction
• Verification that "as-built" systems match security design specifications

The Astronomical Bureau of Shipping (ABS) will require evidence that these requirements were met during construction before granting certification.

Your Mission Objectives

As an ABSC Cyber Integrator, you must:

1. Develop comprehensive security requirements for system integrators
2. Create secure construction environment specifications
3. Establish secure integration procedures for different system types
4. Implement security verification at construction milestones
5. Develop procedures for transitioning from construction to operational security
6. Create documentation of security implementation for certification

The Challenges You Face

Implementing security requirements during the construction phase presents several challenges:

• Multiple integration teams working simultaneously across the vessel
• Pressure to meet construction deadlines that may conflict with security procedures
• Temporary construction access needs that may bypass permanent security controls
• Limited security awareness among some construction personnel
• Complex coordination between different system suppliers during integration

Quest Path: System Integrator Construction Phase Requirements

Step 1: Construction Security Framework Development

Your first task is to establish the overall security framework for the construction phase.

Procedural Guide:

1. Define security zones within the construction environment
2. Establish security requirements for:
   • Construction networks
   • Integration workstations
   • Test equipment
   • Temporary access methods
3. Create security roles and responsibilities for construction teams
4. Develop security incident response procedures for the construction phase
5. Establish security monitoring requirements during construction

Interactive Challenge: The construction manager for the Quantum Harvester argues that implementing your proposed security controls for the construction network will add two weeks to the build schedule and increase costs significantly. How do you address this challenge while maintaining necessary security?

Options:

• Insist on full implementation of all controls without compromise
• Work with the construction team to phase in controls in a way that minimizes schedule impact
• Reduce security requirements during construction with enhanced monitoring
• Allow exceptions for the most schedule-critical systems

Optimal Approach: Work collaboratively with the construction team to develop a phased implementation approach that prioritizes the most critical security controls first, while establishing enhanced monitoring for areas where controls must be delayed. Create a detailed implementation schedule that integrates with the construction timeline to minimize disruption.

Deliverable: Construction Phase Security Framework

Step 2: Secure Integration Procedures

Develop detailed procedures for securely integrating different systems during construction.

Procedural Guide:

1. Create integration procedure templates for different system types
2. Define security requirements for each integration stage:
   • Initial installation
   • Configuration
   • Testing
   • Commissioning
3. Establish secure handling procedures for:
   • Default credentials
   • Factory settings
   • Initial configurations
   • Integration tools
4. Develop verification checklists for secure integration
5. Create documentation requirements for integration activities

Interactive Challenge: During integration of the Nebula Skimmer's atmospheric control system, you discover that the integration team has been sharing a single set of administrative credentials among all technicians to simplify the process. This violates your secure integration procedures, but the team insists it's the only practical way to meet the schedule. How do you resolve this security issue?

Deliverable: Secure System Integration Procedures

Step 3: Construction Environment Security

Establish security controls for the physical and logical environments where construction takes place.

Procedural Guide:

1. Define security requirements for:
   • Construction networks
   • Temporary wireless access points
   • Integration workstations
   • Test equipment
   • Physical access controls
2. Create network segmentation requirements for construction environments
3. Establish secure remote access procedures for supplier support
4. Develop malware protection requirements for construction systems
5. Create procedures for secure data transfer during construction

Interactive Challenge: The Comet Chaser is being constructed in THI's older shipyard facility, which lacks many of the physical and network security controls available in the main facility. The vessel is already under construction, and moving it would cause significant delays. How do you adapt your construction environment security requirements to this challenging situation?

Deliverable: Construction Environment Security Specifications

Step 4: Security Milestone Verification

Develop processes to verify security implementation at key construction milestones.

Procedural Guide:

1. Identify security-critical construction milestones
2. Create verification procedures for each milestone
3. Develop testing protocols for security controls
4. Establish documentation requirements for milestone verification
5. Create remediation procedures for security issues found during verification
6. Develop reporting templates for milestone security status

Interactive Challenge: During a milestone verification of the Gravity Well's network segmentation, you discover that several critical security zones have been connected directly, bypassing the planned security controls. The integration team claims this was necessary to resolve integration issues and that implementing the designed segmentation would require dismantling and rebuilding significant portions of the vessel's network infrastructure. How do you proceed?

Deliverable: Security Milestone Verification Procedures

Step 5: Credential and Access Management

Establish procedures for managing credentials and access during the construction phase.

Procedural Guide:

1. Create requirements for:
   • Temporary construction accounts
   • Default credential management
   • Access provisioning and deprovisioning
   • Privileged access during construction
   • Authentication methods
2. Develop procedures for transitioning from construction to operational credentials
3. Establish audit requirements for access during construction
4. Create secure storage requirements for construction credentials
5. Develop procedures for emergency access during construction

Interactive Challenge: Near the completion of the Void Hauler's construction, you discover that dozens of temporary administrative accounts created for various integration tasks have not been properly documented or deprovisioned. Some accounts belong to contractors who are no longer working on the project. The vessel is scheduled for final systems testing in three days. How do you address this security issue?

Deliverable: Construction Phase Credential Management Procedures

Step 6: As-Built Security Verification

Develop processes to verify that the completed vessel's security implementation matches design specifications.

Procedural Guide:

1. Create verification procedures for:
   • Network security implementation
   • System hardening
   • Access control configuration
   • Security monitoring implementation
   • Patch and update status
2. Develop testing protocols for security controls
3. Establish documentation requirements for as-built verification
4. Create procedures for addressing discrepancies
5. Develop final security verification report templates

Interactive Challenge: The final as-built verification of the Quantum Harvester reveals that several security controls specified in the design were modified during construction. The changes appear to be functionally equivalent but don't match the documented design that was previously approved by ABS. The vessel delivery deadline is approaching rapidly. How do you handle this discrepancy for ABS certification?

Deliverable: As-Built Security Verification Methodology

Mission Completion Criteria

Your mission will be considered complete when:

1. All system integrators are following the established security requirements
2. Construction environments meet security specifications
3. Security is being verified at all construction milestones
4. Credential and access management procedures are being followed
5. As-built security verification confirms proper implementation
6. Documentation is ready for ABS certification review

Rewards and Advancement

Successful completion of this mission will:

• Ensure that security designs are properly implemented during construction
• Prevent the introduction of vulnerabilities during the integration process
• Unlock access to Phase 9: Cyber Resilience Test Program
• Earn you the "Integration Sentinel" achievement in your surveyor profile

Knowledge Resources

• IACS UR E26 Section 5.1: "Demonstration of compliance during design and construction phases"
• ISA/IEC 62443-2-4: "Security program requirements for IACS service providers"
• ABS CyberSafety® Volume 2: "Requirements for the ABS CyberSafety® Notation"
• NIST SP 800-53 Control Family: Configuration Management
• IEC 61508: "Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems"

Remember, Surveyor: the most sophisticated security design is worthless if not properly implemented. Your vigilance during the construction phase ensures that the security controls designed in earlier phases become reality in the finished vessel, protecting it throughout its operational life in the dangerous void of space.

Good luck on your mission. The security of the entire fleet depends on your attention to detail during this critical phase.