1. CARVER+Shock Vulnerability Assessment Tool “As Agile As the Enemy” The Foundation for Institutional Development

2. The Cycle of Security Assessment Mitigation Occurrence Time Assessment Mitigation Occurrence Assessment Mitigation Occurrence As time goes on, we must assess our vulnerabilities. As the biggest holes in our defenses are plugged, we either move on to the next weakest area, or an occurrence drives us to reassess Security is a cycle, a business process, not an event

3. How Our System Works  Based off of Sun Tzu principles of War –Know Yourself –Know Your Enemy –Know Your Environment –Know What Your Enemy Knows About You  Use the CARVER+ Shock Vulnerability Assessment Tool  Can be used on all 13 Critical Infrastructures at any level

4. Critical Infrastructures  Agriculture  Food  Water  Public Health  Emergency Services  Government  Defense Industrial Base  Information and Telecommunications  Energy  Transportation  Banking and Finance  Chemical Industry  Postal and Shipping

5. The Targeting Process “Know Yourself”  Each Critical Infrastructure is a Target System  Target Systems (Sub-systems) –A series of steps in the process  Target Complexes!!! –Targets in the same geographical area  Target Components –Specific pieces of machinery, structures, personnel, supplies, or computer files –Critical to overall target system  Critical Nodes –Critical to operation of target component –How component is disabled

6. The Targeting Process

7. Sample Target System (Power) Control Center Target System Or Subsystem { Target Complexes Target Components

8. The Target System  The process that grows, harvests, processes, transports, and distributes any foodstuff is a target system. Each step can be considered a target sub-system. Grow Harvest Process Transport Distribute Consume  The process that grows, harvests, processes, transports, and distributes any foodstuff is a target system. Each step can be considered a target sub-system.

9. Target Complexes Harvest Facility Processing Facility Distribution (Retail) Transport Services Layer Farm A target complex is be a subset of a target subsystem. A target complex is a concentrated, integrated series of targets. It consists of facilities and activities that are close to each other geographically or virtually. Within a target complex, individual targets will be identified

10. Target Components Egg Breaker Machines Production Animals Feed Plant Workers Inspectors Grading and Packaging Machines Target components are the pieces of the target you can see or touch. Target components can be Service providers (Humans, animals) Infrastructure (Buildings/equipment) Consumables (Feed, medicine, etc) Cyber (Hardware software, network)

11. CARVER + Shock (Assessment)  Criticality  Accessibility  Recuperability  Vulnerability  Effect  Recognizability  Shock (Consider multiple attacks occurring at the same time)

12. Design Basis Threat “Know Your Enemy”  Develop a design basis threat to ensure continuity in planning/prioritization  Eliminates the need for Probability  Can encompass more than one scenario  Include: –WHO Means (Methodology, MO, Weapons, Resources) –HOW Type of Target (Include how they are selected) –WHY (Political, Financial, Theological)  Update as threat changes on a permanent basis

13. Red Teaming “Through the Eyes of the Enemy”  Uses Open Source Information  Let’s you look at your target system through the eyes of the enemy  Helps determine where to commit mitigation resources

14. Curriculum  Executive Overview –Informs government and corporate leadership on the program, tools and techniques to be used, and benefits to their organization  CARVER+Shock Vulnerability Assessment Tool –Used during national level assessments in first phase –Highly scaleable –Ubiquitous across any infrastructure  Open Source Intelligence Course –Trains candidates to exploit open sources to obtain information on their own weaknesses as well as their threat  Red Team Course –Trains analysts to view their facility as a target through the eyes of the enemy.