EnergyTech2015.com
ENERGIZING MBSE IN ORGANIZATIONS
Track 3 Session 4 Moderator: Matthew Hause
Implementing System Engineering disciplines and practices in an energy company and a panel discussion of how to promote the use of MBSE in the energy systems.
Gareth Digby: A Systems-based Approach To Cyber Investigations
The presentation discusses the role of a systems-based approach to cyber investigations and demonstrates how such an approach can help the investigator ensure that a holistic view is taken of the identification and analysis of appropriate evidence. Systems engineers are familiar with the need to consider the system within its environment while being aware of the interaction of the system with both people and other systems. These aspects also need to be considered when we investigate what has happened to a system as well as when we create systems.
One element of this systems-based approach is the Human-System-Environment matrix, which offers an appropriate framework to guide the collection of evidence. In particular the matrix emphasizes the temporal aspects associated with evidence gathering. In addition the cyber investigator is not dealing with a system in isolation. The systems-based approach discusses the need to identify the interfaces of the system with the greater system-of-systems.
The value of this systems-based approach to the various stages of a cyber investigation is described, including during the incident investigation, the collection of evidence and the analysis of data. This systems-based approach for an investigation gives the investigator the freedom to go in appropriate directions as the investigation proceeds while ensuring the investigator covers the breadth needed
2. Introduction
• This presentation outlines some of the issues associated with cyber investigation evidence collection, analysis and presentation
• Simple holistic, system thinking approaches are outlined to help overcome the issues
3. Background
• The presentation builds on the experience of the authors, Gareth Digby and Zane Scott
  • Providing system thinking approaches to understand and tackle complex problems
  • Undertaking industrial investigations
5. An Incident
• “Failure is an unacceptable difference between expected and observed performance”
  • Leonards, American Society of Civil Engineers, 1982
• Three phases of process-related incidents
  • Change from normal to an abnormal operating state
  • Breakdown of control of abnormal operating phase
  • Loss of control (of energy accumulations)
  • Guidelines for Investigating Chemical Process Incidents, Center for Chemical Process Safety, American Institute of Chemical Engineers, 2003
• Causes may be a combination of interrelated deficiencies
  • Hence the complexity and confusion usually associated with an incident
6. Evidence
• Evidence has to support opinion
• Evidence must be compelling and show through a preponderance of evidence that the fact is proven
• Evidence has to be reliable
• The chain of custody must be maintained
[Figure labels: Proven, Known]
10. Analyze
• We want to analyze the evidence and then develop a hypothesis that we can test
• The Scientific Method:
  • Collect data
  • Establish potential causes and hypothesis
  • Test for validity
12. Present
• Digital systems are inherently complex
• Evidence includes a temporal component
• The evidence, analysis and hypothesis have to be explained to non-specialists
[Figure labels: Simplify, Clarify]
13. The Conundrum
• Capture
  • Look in appropriate places for evidence
• Analysis
  • Consider all aspects
• Presentation
  • Effective visualization of complex data
Use a systematic, holistic approach to collection, analysis and presentation of evidence
14. People-System-Environment Matrix
[Figure: matrix with columns Before, During, After and rows Environment, System, People]
• Encourages thinking about the environment and people as well as the system of interest
• Reminds us to think about the temporal aspects
15. People-System-Environment Matrix
• Alternatively known as the 9-Box Matrix
• Developed by A. Chapanis and P. Fitts of the US Army Aero Medical Laboratory
• Bibliography
  • “Utilizing The Human, Machine and Environment Matrix In Investigations”, D. Curry, et al, Packer Engineering, Naperville, IL
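The matrix can also serve as a collection checklist. The following added example (not from the presentation; the field names, the hashing step and the sample evidence are assumptions constructed here) bins timestamped evidence into the nine boxes and lists the boxes that are still empty.

```python
from datetime import datetime
from hashlib import sha256

ASPECTS = ("People", "System", "Environment")   # matrix rows
PHASES = ("Before", "During", "After")          # matrix columns

def phase_of(ts, start, end):
    """Place a timestamp relative to the incident window [start, end]."""
    if ts < start:
        return "Before"
    return "During" if ts <= end else "After"

def build_matrix(items, start, end):
    """Bin evidence into the nine boxes, time-ordered within each box."""
    matrix = {(a, p): [] for a in ASPECTS for p in PHASES}
    for item in sorted(items, key=lambda i: i["time"]):
        if item["aspect"] not in ASPECTS:
            raise ValueError(f"unknown aspect: {item['aspect']!r}")
        # Hash recorded at collection so later handling can be checked against
        # it (an assumption about how chain of custody is supported here).
        entry = dict(item, sha256=sha256(item["content"]).hexdigest())
        matrix[(item["aspect"], phase_of(item["time"], start, end))].append(entry)
    return matrix

def uncovered(matrix):
    """Boxes with no evidence yet: places the investigator has not looked."""
    return [cell for cell in matrix if not matrix[cell]]

def t(hhmm):  # constructed timestamps, all on one invented day
    return datetime.strptime("2015-01-01 " + hhmm, "%Y-%m-%d %H:%M")

# Constructed sample evidence for a fictional incident (not from the slides).
EVIDENCE = [
    {"aspect": "System", "time": t("02:10"), "source": "auth.log",
     "content": b"Accepted password for svc_backup from 10.0.0.7"},
    {"aspect": "People", "time": t("01:30"), "source": "shift log",
     "content": b"Operator hands over with open maintenance ticket"},
    {"aspect": "Environment", "time": t("02:05"), "source": "firewall",
     "content": b"New outbound connection allowed to partner network"},
    {"aspect": "System", "time": t("01:00"), "source": "patch report",
     "content": b"Host missing last two monthly updates"},
    {"aspect": "People", "time": t("03:45"), "source": "help desk ticket",
     "content": b"User reports files renamed"},
]
INCIDENT_START, INCIDENT_END = t("02:00"), t("03:00")

if __name__ == "__main__":
    m = build_matrix(EVIDENCE, INCIDENT_START, INCIDENT_END)
    print("No evidence yet:", uncovered(m))
```

The empty boxes are the output of interest: they show which combinations of aspect and time period have not yet been examined.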
16. Examples of Use
• Using the approach to document evidence from an incident at an oil storage depot
• Using the approach to document evidence from an assignment created for teaching computer forensics
17. Oil Storage Depot Incident Scenario
Based on a review of the Buncefield Major Incident Investigation Board reports
http://www.hse.gov.uk/comah/investigation-reports.htm
18. Example People-System-Environment Matrix
[Figure: matrix with columns Before, During, After and rows Environment, System, People; the placement of entries in cells is not recoverable from the extracted text]
Entries:
• Cold Weather
• Vapor
• Contamination
• Explosion
• Containment damage
• Mist reported before incident
• Tank overfill causes vapor cloud
• Tank filling overnight
• Control room operators start transfer
• Cold weather conditions
• Firefighters respond
• Firefighting foam contaminates water
Callouts:
• Why overfill? Broken level alarm
• Why ignition? Possibly start of fire pumps when alarm raised
• Why? Why?
19. Fictional Scenario
• In June 2009, King Claudius, following an incident in which a banned play was performed, exiled Hamlet.
• However it came to light that Hamlet may have been unknowingly set up by others.
• Apologies to Tom Stoppard, “Rosencrantz & Guildenstern Are Dead”
28. Conclusion
The presentation has shown how issues associated with the
• Collection
• Analysis
• Presentation
… of evidence in cyber investigations can be helped through
• taking a holistic and systematic approach to the identification of evidence and
• the use of existing systems methods to present the temporal, interrelated nature of the evidence