Analytics for Cybersecurity Policy of Cyber-Physical Systems

Abstract

Guidelines, directives, and policy statements are usually presented in “linear” text form—word after word, page after page. However necessary, this practice impedes full understanding, obscures feedback dynamics, hides mutual dependencies and cascading effects and the like—even when augmented with tables and diagrams. The net result is often a checklist response as an end in itself. All this creates barriers to intended realization of guidelines and undermines potential effectiveness. We present a solution strategy using text as “data”, transforming text into a structured model, and generate network views of the text(s), that we then can use for vulnerability mapping, risk assessments, and control point analysis. For proof of concept, we draw on NIST conceptual model and analysis of guidelines for smart grid cybersecurity, more than 600 pages of text.