Using Threat Vulnerability Asset (TVA) Methodology to Identify Cyber Threats and System Vulnerabilities in Emergency Management
In 2015, IEM published a primer for emergency managers describing the Internet of Things (IoT) and how it may be leveraged to advance the field of emergency management (Coffey, 2015). Sensor feeds from surveillance cameras and other sources, for example, can provide real-time information that can be used to potentially alter evacuation routes and synchronize updates for thousands of evacuees as they navigate road closures or exit routes. Sensors in shelters and personal health monitoring apps can be leveraged during mass care response efforts to better facilitate the management of care. IEM warned, however, that as critical infrastructure becomes “smarter,” it also becomes more vulnerable to potential cyberattacks that will globally cost organizations billions in recovery costs annually (Ponemon Institute, 2017).
Effect of 911 System Breach
Just this past March, Baltimore’s 911 dispatch system was breached, and the computer-assisted dispatch (CAD) system and 911 phone system was disabled. For approximately 17 hours, the CAD system could not automatically relay the location of incoming calls to dispatchers. Incoming calls had to be relayed by call center support staff manually. Just days before the Baltimore incident, Atlanta was struck by the “SamSam” ransomware attack that interrupted bill collection services, downed the airport’s wireless internet, and interfered with other city services. The City of Atlanta paid nearly $3 million to restore critical systems. Earlier this year, the Department of Homeland Security and the FBI issued a joint alert that Russian government cyber actors have targeted the U.S. critical infrastructure sector, including nuclear power plants, various SCADA systems and other parts of the U.S. national power grid.
Increased Difficulty in Protecting Information Systems that Support Disaster Planning
As the field of emergency management (EM) emerges and incident response programs become increasingly interconnected via multi-tiered infrastructures, global web services and extensive cloud computing, it has become increasingly difficult to protect the information systems that support disaster planning and recovery systems from new zero-day breaches, cyberattacks and ransomware (Mejias and Balthazard, 2014). According to a study in 2016, approximately 90% of all information systems have been breached or compromised by unauthorized personnel (Ponemon Institute, 2016). Because of their supportive and critical nature, information technology (IT) systems associated with emergency management activities must assist EM management and be able to quickly identify and assess their vulnerabilities and mitigate those risks.
Prior research has demonstrated that the impact of cyberattacks may be significantly mitigated by using vulnerability assessment methodologies (Mejias and Balthazard, 2014). A vulnerability assessment is defined as the systematic identification of an organization’s most critical IT resources, the threats against those critical resources, the current IT safeguards designed to protect those resources, and the identification of the most vulnerable IT resources of that information system infrastructure. Understandably, limited resources make it financially and operationally infeasible for organizations and, particularly, municipalities to protect all IT resources that support their emergency management and disaster recovery systems while maintaining continuity of operations.
Efficient Approach to Identifying Vulnerabilities
Threat Vulnerability Asset (TVA) methodology has been identified as a simplistic but efficient approach to identifying system vulnerabilities and mitigating the effect of cyberattacks. The TVA methodology combines the best and most useful components of the OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation™) method, VAMM (Vulnerability Assessments & Mitigation Methodology), and CRAMM (CCTA Risk Analysis and Management Method), providing a systematic approach to identifying and prioritizing cyber threats and addressing system vulnerabilities. The TVA methodology has been increasingly used by organizations that seek a low-cost and uncomplicated vulnerability assessment methodology for identifying cyber threats and their system vulnerabilities (Mejias and Balthazard, 2014). The following sequential components constitute the TVA methodology:
- Identification of Organizational and Cyber Security Mission
Before any identification of critical assets, processes or threats are undertaken, the mission of the organization must be clearly defined. Oftentimes, such mission statements are completely absent or not clearly established by management. As the strategic and business goals of an organization are better articulated (often with assistance from IT staff and the TVA team), the organization’s information security mission and policies can also be formulated as the TVA team continues their development of the TVA methodology.
- Identification and Ranking of Critical Resources
Next, the TVA team works closely with IT and organizational management and identifies those IT resources and core processes that are critical to the ongoing operation of the organization. The systematic identification and prioritization of the organization’s most critical IT resources allows the TVA team to focus on which critical resources and assets should receive the most protective attention (i.e., IT safeguards). The following general categories provide an excellent “first pass” to identify, group, and rank critical organizational resources (Whitman and Mattord, 2016):
- Processes, Operations
- Data and Information
- Software Applications (e.g., operating systems and security components)
- Hardware (e.g., system devices, network infrastructure components)
- Identification and Ranking of Threats to Critical Resources
Organizations face a wide range of cyber and non-cyber threats, including natural disasters (tornado, earthquake, hurricane), technological failures (power, software and system) and human-error (theft, sabotage, technological obsolescence). While the TVA team realizes that the threat landscape for an organization is constantly changing and that evolving threats and exploits will continue in real time, the identification and ranking of the threat agents is the next critical step required in identifying system vulnerabilities. The TVA team also works closely with the organization’s IT personnel to identify the range of threats that would most compromise the security, confidentiality and availability of the organization’s critical resources and processes.
- Analysis of Current System Vulnerabilities
Once the TVA team identifies and ranks the critical resources and the greatest threats to these resources, the TVA team with IT management is able to analyze the organization’s current IT safeguards and their individual capacity to mitigate the effect of cyberattacks to those critical resources. The “Current State TVA matrix” (Figure 1) summarizes an illustration of an organization’s ranked critical resources (first row), ranked threats (first column), current IT safeguards, and the resulting triangulation of these three TVA components
The TVA matrix example in Figure 1 illustrates how the components of the TVA methodology are integrated into a TVA grid or template. The TVA grid provides management with a rapid but effective overview of the organization’s current “logical” system vulnerabilities based upon the identified and prioritized critical resources, threats, and the organization’s current IT safeguards as identified by the TVA team.
- Recommendation of New IT Safeguards
The Current State TVA matrix shown in Figure 1 for this illustrative EM system reveals imbalances in the distribution of its IT safeguards. Specifically, it appears that the relatively higher-ranked critical resources such as 911 Phone Systems and Public Safety Radios have fewer safeguards and may have vulnerabilities to Social Engineering threats. Conversely, the least-ranked critical asset in this Current State TVA matrix, Internet (online notification), appears to have a disproportionate abundance of IT safeguards. An imbalance in IT safeguards in a TVA matrix indicates that IT safeguards must be strategically reassigned to address current identified vulnerabilities.
The Recommended State TVA Matrix shown in Figure 2 reflects emergency management’s awareness of the system vulnerabilities currently facing the organization and the reallocation of new IT safeguards to address these identified vulnerabilities.
Using TVA Methodology to Identify EM System Vulnerabilities
The year 2017 brought some of the most damaging natural disasters that the U.S. has ever experienced, including the devastating fires in Colorado, Oregon, Montana, and California to the hurricanes in Texas (Harvey), Florida (Irma), and Puerto Rico (Maria) to name a few. 2017 also brought the most cybercrime on a global level recorded to date. Clearly, there will be an increasing critical role for EM systems in responding to cyber-terrorism and global computer malware that destroy and encrypt organizational data files and compromise SCADA and critical infrastructure that support the U.S. electric grid, water, natural gas, and 911 communication systems.
The TVA methodology provides managers and EM IT staff with an efficient “first logical step” for prioritizing critical assets, threats, and analyzing how current IT safeguards are addressing current system vulnerabilities. TVA methodology also provides the foundation for additional vulnerability assessments such as penetration testing to confirm these identified system vulnerabilities. In a collaborative effort, IEM is leveraging their 30+ years of emergency management and IT expertise with CSU-Pueblo and their NSA-designated institutional Cybersecurity program to offer TVA methodology techniques to EM and homeland security entities. This academic-industry collaboration will help emergency management organizations better identify their IT system vulnerabilities and mitigate the effects of an increasing range of cyber threats.
- Coffey, A. (2015, September). Retrieved online.
- Ponemon Institute Research Report (2016, May). Retrieved online.
- Ponemon Institute Research Report (2017, June). Retrieved online.
- Whitman, M.E., and Mattord, H.J. Management of Information Security (4th ed.), SBN-13: 978-1305501256; ISBN-10: 130550125X, Cengage Learning, Stamford, CT 06902. 2016.
This article was originally published in the IAEM Bulletin, Vol. 35, No. 6 June 2018.
Authors: Roberto J. Mejias, Ph.D., Colorado State University-Pueblo; Morgan A. Shepherd, Ph.D., University of Colorado-Colorado Springs; Mark D. Gonzales, Colorado State University-Pueblo, Pueblo County CSEPP; and Sid Baccam, Ph.D., Senior Scientist and Manager of Information Solutions & Emerging Technologies, IEM