Phase 9: Cyber Resilience Test Program - Training Guide

Mission Briefing

Greetings, Cyber Surveyor. Your previous missions have established governance, identified risks, cataloged assets, designed network security architecture, created comprehensive documentation, verified supplier compliance, implemented change management processes, and ensured security during construction. Now, your mission at Tachyon Heavy Industries' Mars Shipyard advances to a critical validation phase: developing a comprehensive Cyber Resilience Test Program.

In the unforgiving environment of deep space, there are no second chances. Once a mining vessel departs for the asteroid belt, it must rely on its own defenses against cyber threats. The sophisticated attacks launched by the Void Pirates and corporate rivals like Quantum Extraction Enterprises grow more advanced each cycle. Your task is to design a testing program that will verify the vessel's ability to withstand these threats before it leaves the safety of the shipyard.

Remember: theoretical security is no security at all. Only through rigorous testing can you ensure that the security controls designed and implemented in previous phases will actually protect the vessel when it faces real-world attacks. The test program you develop will be the final proving ground for the vessel's cyber defenses.

E26 Regulatory Context

IACS UR E26 requires comprehensive testing of cybersecurity controls. Key requirements include:

The Astronomical Bureau of Shipping (ABS) will require evidence of thorough testing before granting certification.

Your Mission Objectives

As an ABSC Cyber Integrator, you must:

  1. Develop a comprehensive cyber resilience test strategy
  2. Create detailed test plans for different security aspects
  3. Design specific test cases and scenarios
  4. Establish test environments and tools
  5. Define acceptance criteria for security tests
  6. Create test documentation templates for certification

The Challenges You Face

Developing an effective cyber resilience test program presents several challenges:

Quest Path: Cyber Resilience Test Program

Step 1: Test Strategy Development

Your first task is to establish the overall strategy for testing the vessel's cyber resilience.

Procedural Guide:

  1. Define the scope and objectives of the test program
  2. Identify key security aspects requiring testing:
    • Network segmentation
    • Access control
    • System hardening
    • Monitoring and detection
    • Incident response
    • Recovery capabilities
  3. Determine testing approaches for different aspects:
    • Automated testing
    • Manual testing
    • Penetration testing
    • Tabletop exercises
    • Simulation scenarios
  4. Establish testing phases and milestones
  5. Define roles and responsibilities for testing activities
  6. Create resource requirements and testing timelines

Interactive Challenge: The THI Project Manager argues that full penetration testing of critical systems is too risky and might damage prototype systems or delay the delivery schedule. She wants to limit testing to basic vulnerability scanning and configuration reviews. How do you address this challenge while ensuring adequate testing?

Options:

Optimal Approach: Propose a hybrid approach that uses a combination of methods: configuration reviews and vulnerability scanning for all systems, targeted penetration testing in a sandboxed environment that replicates critical systems, and carefully controlled live testing of non-destructive exploits on actual systems. Develop a detailed risk mitigation plan for each test to address the Project Manager's concerns.

Deliverable: Cyber Resilience Test Strategy

Step 2: Network Security Test Plan

Develop detailed plans for testing the vessel's network security implementation.

Procedural Guide:

  1. Create test cases for:
    • Security zone implementation
    • Conduit security controls
    • Firewall configurations
    • Network monitoring systems
    • Intrusion detection/prevention
    • Wireless network security
  2. Define test methodologies for each case
  3. Establish success criteria for network security tests
  4. Identify required test tools and environments
  5. Develop test scripts and procedures
  6. Create documentation templates for test results
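One way to script the security zone and conduit test cases from the list above, as an added example that is not part of the original guide. Zone names, subnets, ports, flow records and function names are all constructed assumptions. It checks observed cross-zone traffic against the designed conduit list and also reports designed conduits the test traffic never exercised.

```python
import ipaddress

# Constructed design data: zone names, subnets and conduits are assumptions.
ZONES = {
    "navigation": "10.10.1.0/24",
    "propulsion": "10.10.2.0/24",
    "crew":       "10.10.9.0/24",
}
# Allowed conduits from the design: (src zone, dst zone, protocol, dst port).
CONDUITS = {
    ("navigation", "propulsion", "tcp", 502),
    ("crew", "navigation", "tcp", 443),
}
# Constructed flow records seen at zone boundaries: (src, dst, proto, dst port).
OBSERVED = [
    ("10.10.1.5", "10.10.2.7", "tcp", 502),   # designed conduit
    ("10.10.9.20", "10.10.2.7", "tcp", 502),  # crew -> propulsion, no conduit
    ("10.10.9.21", "10.10.1.5", "tcp", 22),   # right zones, wrong port
    ("10.10.1.5", "10.10.1.6", "udp", 123),   # intra-zone, not a conduit matter
    ("192.0.2.4", "10.10.1.5", "tcp", 443),   # source outside every zone
]

def zone_of(ip, zones=ZONES):
    """Return the zone whose subnet contains ip, or None if unassigned."""
    addr = ipaddress.ip_address(ip)
    for name, cidr in zones.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    return None

def check_flows(flows, zones=ZONES, conduits=CONDUITS):
    """Return one finding per observed flow that the design does not permit."""
    findings = []
    for src, dst, proto, port in flows:
        sz, dz = zone_of(src, zones), zone_of(dst, zones)
        if sz is None or dz is None:
            findings.append((src, dst, proto, port, "endpoint not in any zone"))
        # Intra-zone traffic (sz == dz) does not cross a conduit and is skipped.
        elif sz != dz and (sz, dz, proto, port) not in conduits:
            findings.append((src, dst, proto, port,
                             f"no conduit {sz}->{dz} {proto}/{port}"))
    return findings

def missing_coverage(flows, zones=ZONES, conduits=CONDUITS):
    """Designed conduits the test never exercised: untested, not passed."""
    seen = {(zone_of(s, zones), zone_of(d, zones), p, n) for s, d, p, n in flows}
    return sorted(conduits - seen)

if __name__ == "__main__":
    print(check_flows(OBSERVED), missing_coverage(OBSERVED), sep="\n")
```

Each finding names the flow and the missing design rule, so a disputed result can be checked against either the flow record or the conduit list.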

Interactive Challenge: During initial testing of the Nebula Skimmer's network segmentation, you discover that traffic between certain security zones is not being properly controlled according to the design. The network engineer insists that the implementation is correct and that your test methodology is flawed. How do you resolve this disagreement?

Deliverable: Network Security Test Plan

Step 3: System Security Test Plan

Develop detailed plans for testing the security of individual systems and components.

Procedural Guide:

  1. Create test cases for:
    • System hardening
    • Access control implementation
    • Authentication mechanisms
    • Patch management
    • Malware protection
    • Secure configuration
  2. Define test methodologies for each case
  3. Establish success criteria for system security tests
  4. Identify required test tools and environments
  5. Develop test scripts and procedures
  6. Create documentation templates for test results

Interactive Challenge: The Comet Chaser's Mineral Extraction Control System uses proprietary technology that standard security testing tools cannot properly assess. The supplier offers their own security verification report but refuses to allow third-party testing of their system. How do you ensure adequate security testing of this critical system?

Deliverable: System Security Test Plan

Step 4: Detection and Response Test Plan

Develop detailed plans for testing the vessel's ability to detect and respond to security incidents.

Procedural Guide:

  1. Create test cases for:
    • Security monitoring systems
    • Alert generation and escalation
    • Incident detection capabilities
    • Response procedures and playbooks
    • Communication during incidents
    • Containment and eradication procedures
  2. Define test methodologies for each case
  3. Establish success criteria for detection and response tests
  4. Identify required test tools and scenarios
  5. Develop tabletop exercises and simulation scenarios
  6. Create documentation templates for test results

Interactive Challenge: During a simulated attack scenario on the Gravity Well's navigation system, the response team successfully detects the intrusion but takes over 4 hours to implement containment procedures—far longer than the 1-hour target in the security requirements. The team argues that the scenario was unrealistically complex. How do you address this test failure?

Deliverable: Detection and Response Test Plan

Step 5: Recovery and Resilience Test Plan

Develop detailed plans for testing the vessel's ability to recover from security incidents and maintain operations.

Procedural Guide:

  1. Create test cases for:
    • Backup and recovery procedures
    • System restoration capabilities
    • Failover mechanisms
    • Degraded mode operations
    • Data integrity verification
    • Return to normal operations
  2. Define test methodologies for each case
  3. Establish success criteria for recovery and resilience tests
  4. Identify required test tools and scenarios
  5. Develop recovery exercise scenarios
  6. Create documentation templates for test results

Interactive Challenge: Testing the Void Hauler's recovery capabilities requires temporarily disabling critical operational systems, which could damage sensitive equipment if power is interrupted for too long. The Engineering Lead refuses to authorize the test as designed. How do you modify your testing approach while still validating recovery capabilities?

Deliverable: Recovery and Resilience Test Plan

Step 6: Test Program Documentation

Prepare comprehensive documentation of the test program for implementation and certification.

Procedural Guide:

  1. Compile all test plans into a cohesive program
  2. Create test schedules and resource allocations
  3. Develop risk mitigation strategies for testing activities
  4. Create reporting templates for test results
  5. Establish documentation requirements for certification
  6. Develop an executive summary for THI management and ABS surveyors

Interactive Challenge: During review of your test program documentation, an ABS surveyor notes that your test plans don't explicitly address several requirements in the latest revision of UR E26, which was updated after you began developing the test program. The vessel delivery is scheduled in just three weeks. How do you address this documentation gap?

Deliverable: Comprehensive Test Program Documentation

Mission Completion Criteria

Your mission will be considered complete when:

  1. The comprehensive test strategy has been approved by all stakeholders
  2. Detailed test plans have been developed for all security aspects
  3. Test cases and scenarios have been created and validated
  4. Test environments and tools have been established
  5. Test documentation has been accepted by ABS
  6. The test program is ready for execution

Rewards and Advancement

Successful completion of this mission will:

Knowledge Resources

Remember, Surveyor: in cybersecurity, assumptions are the enemy of assurance. Only through rigorous testing can you transform security theory into proven protection. The test program you develop now will be the crucible in which the vessel's cyber defenses are proven worthy of the challenges that await in deep space.

Good luck on your mission. The true security of the fleet will be revealed through your tests.