Geospatial Approach to Cybersecurity
Geospatial Approach to Cybersecurity
Cybersecurity: Implementing a
Platform to Secure Cyber
Infrastructure and Operations
The information contained in this document is the exclusive property of Esri. This work is protected under United States
copyright law and other international copyright treaties and conventions. No part of this work may be reproduced or
transmitted in any form or by any means, electronic or mechanical, including photocopying and recording, or by any
information storage or retrieval system, except as expressly permitted in writing by Esri. All requests should be sent to
Attention: Contracts and Legal Services Manager, Esri, 380 New York Street, Redlands, CA 92373-8100 USA.
Esri, the Esri globe logo, ArcGIS, esri.com, and @esri.com are trademarks, service marks, or registered marks of Esri in the
United States, the European Community, or certain other jurisdictions. Other companies and products or services mentioned
herein may be trademarks, service marks, or registered marks of their respective mark owners.
G69472
Contents Page
Introduction ........................................................................................... 1
Problem Definition................................................................................ 1
Conclusion ............................................................................................ 11
Organizations can no longer ignore cyber threats or delegate security to the information
technology department. Cyber defense must be integrated into traditional security
activities, such as physical and personnel security as part of an overarching effort to
protect business operations from both external and internal threats. Cybersecurity
activities must be prioritized and aligned to strategic business activities.
This paper describes the implementation of the ArcGIS® platform as the GIS solution
that can deliver shared situational awareness for the various activities associated with
cybersecurity. The goal of this solution is to improve cyber defense and to enable a cross-
disciplinary approach to providing organizational mission assurance by maintaining the
availability of IT systems.
Problem Definition In the 2013 edition of its Data Breach Investigation Report, Verizon summarized 10 years
of data relating to cybersecurity (Verizon 2013). The report explains how over time,
cybersecurity incidents have become more frequent and more damaging to their targets.
During the same 10-year period, there were huge increases in the amount of resources
dedicated to improving cybersecurity. So why hasn't progress been made? When the
Business Software Alliance (BSA), a group of the world's leading software companies,
G69472
created a task force in 2002 to research this question, it reached the following
conclusions (Business Software Alliance 2003):
What's Missing What is missing is an indication of when and where the tasks should be implemented. No
organization is sufficiently resourced to maintain all controls, on all devices, at all times.
Not having a means to prioritize necessary actions could result in the implementation
becoming reactive and ad hoc, leaving exploitable holes in an organization's cyber
defenses and responses.
A mechanism is needed to determine the where and when that enables execution of
the tasks described so well in the various cyber frameworks. This mechanism must
be more than just a framework. It must be able to model an organization's entire
environment, both physical and cyber; assign collected data to the model; quickly
identify threats; and empower planners to determine the optimal courses of action.
June 2015 2
The Geospatial Approach to Cybersecurity: Implementing a
Platform to Secure Cyber Infrastructure and Operations
G69472
Cyberspace The primary motivation for modern organizations to rely so heavily on cyberspace is that
Reconsidered it allows them to efficiently, effectively, and economically coordinate activities across
dispersed locations in near real time. Cyberspace is critically dependent on
electromechanical devices and personnel that make up its components in the physical
domain or layer. The Department of Defense Joint Publication 1-02 defines Cyberspace
as "The interdependent network of information technology infrastructures and resident
data, including the Internet, telecommunications networks, computer systems, and
embedded processors and controllers."
The virtual environment includes four layer types: data, device, network, and geographic.
It is clear that cyberspace consists of a complex mix of data, devices, and people. The US
Army Training and Doctrine Command (TRADOC) states the virtual environment
consists of four different types of network layers, each of which has nodes that are
locatable in space-time. These include the data, device, network, and geographic layers.
Data layers are often assigned based on the type of node used, whether a person or
device. However, it is useful to think of each node layer as being defined by its type of
dataflow. For information to be exchanged at the social level, documents must flow in the
device layer. For documents to be exchanged, packets must flow at the network layer.
And for packets to be exchanged, electromagnetic energy flows between two specific
points in space-time, represented by the geographic layer.
Device status is the mechanism that couples the various layers. If a router fails at the
network level, some subset of hosts at the device level will be denied required packets.
The loss of packets results in the devices being unable to exchange documents and some
users being denied required information. It is the loss of information, not devices, that
directly impacts a mission. This analysis demonstrates that cyberspace is not virtual; it is
hierarchical. This vertical analysis adds rigor to the mission impact assessment of cyber
disruptions. Without this structure, mission-impact assessment has often been ad hoc.
G69472
The Geographic The geographic layer serves as the common integrating framework for all the layers
Layer and previously discussed. Integration is achieved by geolocating all nodes, including
the ArcGIS Platform people, user devices, and infrastructure devices, and the edges that connect them
within a layer and between layers. Geospatially enabling the common operational
picture (COP) allows users to consider the effect of noncyber, kinetic events in
relation to cyber devices. Traditional geospatial datasets, such as weather, land use,
and population density, can provide value to cyberspace operators when assessing
risk to their communications networks. Regardless of the cause of the disruption,
cyber operators must be able to anticipate the risk of failure for certain, critical
devices and then determine the mission impact of those device failures.
Mapping all the layers to the geographic layer provides the common baseline from
which comprehensive shared situational awareness can be achieved. A
comprehensive GIS platform must be able to support user workflows, collaboration,
and dynamic situational awareness to meet a variety of mission requirements. The
technology is available on many devices and networks, providing personnel with
access to information and data to support decisions for awareness, prevention,
protection, response, and recovery. Information can be quickly accessed, understood,
and shared to support coordinated actions.
The GIS platform can be used to fuse location and cyber activity data and other
information to better anticipate, detect, respond to, and recover from cyber incidents.
It is easily integrated into an organization's existing command and control structure
to ensure that leadership has access to complete and accurate data for decision
making. GIS platforms are already widely used within national security including
defense, national intelligence, critical infrastructure protection, and emergency
management organizations. Extending this capability to incorporate cyber alongside
more traditional domains is incredibly powerful and allows for improved
synchronization of security efforts.
Cyber Operations The Department of Defense Joint Publication 1-02 defines Cyberspace Operations as
Defined "The employment of cyberspace capabilities where the primary purpose is to achieve
objectives in or through cyberspace." Operations conducted in cyberspace can be
divided into three activities based on the process being affected and the location of
the network on which the activities are being conducted. These activities include
network operations (NETOPS), defensive cyber operations, and offensive cyber
operations.
June 2015 4
The Geospatial Approach to Cybersecurity: Implementing a
Platform to Secure Cyber Infrastructure and Operations
G69472
This paper focuses on defensive cyber operations; however, the solution can be applied to
offensive operations where permitted.
A Geospatial Cybersecurity is a broad area that encompasses the protection of assets from cyber-crime
Solution to and terrorism and other network service disruptions that affect operations. Cybersecurity
Cybersecurity is achieved through active monitoring, detection of outages or malicious activity, and the
timely reaction to disruptions. While security in the cyber world is different from that of
the physical world, many similar security concepts can be applied to both. A key concept
is that location is the foundation on which all activity can be organized, visualized, and
shared for efficient decision making. The role of geospatial technology in the support of
physical security is well-known and understood. It is used for situational awareness, data
management, multiple intelligence (multi-INT) fusion, analysis, and information sharing.
GIS enables organizations to apply these concepts to the protection of cyber resources to
quickly discover and prioritize cyber threats by creating a geospatial solution that
integrates all existing data to reduce uncertainty. The goal is to enable early detection and
organization-wide agility when responding to cyber intrusions. Figure 2 depicts the cyber
defense process as a series of five assessments which must be made (in order) for each
suspect event. Geospatial analysis can support two of these assessments: (1) the
geospatial model for perimeter defense to assist with an assessment of whether or not a
compromise was attempted and (2) Cyber Supply Line (CSL)-based mission impact
assessment.
G69472
This graphic depicts the cyber defense process and highlights Esri's two focus areas: the geospatial
model for perimeter defense and the Cyber Supply Line (CSL)-based mission-impact assessment.
Geospatial Model Defensive cyber activities include detecting specific adversaries that pose a threat to an
for Perimeter organization's network and preventive measures that focus on mitigating risks and
Defense vulnerabilities.
Cyber defense is best understood as a sequence of five questions. Any suspicious activity,
regardless of the organization or discipline that attempts it, can be grouped according to
the response to the following questions. Organizing cyber defense by response provides
an open system in which any new technology/techniques can be easily incorporated.
These questions assume there is an existing network that is instrumented in various ways
to provide data:
Technologies such as firewalls and intrusion detection systems can be used to determine
if an organization's network is being threatened. Many of these devices face limitations
such as high false alarm rates or the inability to identify novel attack vectors, for
example, viruses and vulnerable access points. Determining whether a compromise was
successful involves comparing data from both perimeter security and host-based security
devices. The defense team must then determine the technical impact for all confirmed
compromises. There are usually three outcomes: (1) The compromise puts critical data or
functionality at risk, (2) the compromise provides access to other machines that put
critical data or functionality at risk (i.e., a pivot attack), or (3) the compromise is limited
to the victimized device. If either of the first two cases is true, a mission-impact
assessment must be conducted to determine which organizational functions/missions are
at risk. The final step is to determine the most appropriate mix of response options:
(1) remediation, (2) network hardening, or (3) intervention at the source.
June 2015 6
The Geospatial Approach to Cybersecurity: Implementing a
Platform to Secure Cyber Infrastructure and Operations
G69472
Based on the results of Verizon's data breach investigation, it seems that the IT and cyber
defense communities are well positioned for prevention and response activities. What is
difficult to determine is which network connections pose the greatest risk and how to
assess the potential mission impact of those threats. Most organizations include perimeter
security devices, such as intrusion detection systems, in their arsenals.
Cyber Supply Line- The key concept that makes a common framework possible is that cyberspace is just a
Based Mission mechanism for delivering data to where it is needed. If the data isn't delivered or is
Impact Assessment wrong, then missions fail. Cyber mission assurance isn't about maintaining the entire
network; it is about protecting the critical portions that are needed to deliver information
from one particular source location to a specific destination in support of critical
missions.
When prioritizing critical destinations, certain devices are deemed critical under all
conditions. For example, authentication servers and databases containing sensitive data
will always be critical. However, extending the static approach too far will limit an
organization's agility and ability to prioritize responses. Some devices are only critical
under certain conditions. The cyber supply line was designed to address this dynamic
aspect of cyber defense.
Esri defines the CSL as all devices that enable a particular kind of data to be moved from
one source to one destination. If multiple destinations are designated for a given
dataflow, a cyber supply line exists from the common source to each user location
because each will transit a different subset of the cyberspace infrastructure. In a packet-
switched network, each CSL will be between 16 and 18 hops in length. A hop is defined
as two devices composed of a combination of routers, switches, clients and servers, and
the circuit that connects them. A circuit is simply an identifiable transmission media such
as a length of cable, a satellite downlink, or a connection in a wireless network. Each
device has a defined location in space-time, each is owned by an organization, and each
has strict dependencies on support systems such as electrical and environmental control.
If a device is on a CSL, a mission depends on its working correctly.
The Interaction between the CSL and the Virtual Environment's Four Layer Types
G69472
CSLs provide a common solution for business specialists and technologists to exchange
requirements, priorities, and reports. To establish operational focus, an organization's
leadership must prioritize the dataflows that are most critical, given existing business
conditions. These requirements must be communicated to planners who may be widely
dispersed across an organization. For example, leadership may state that secure voice
communication between headquarters and a tactical command post be maintained
throughout the duration of a humanitarian assistance operation on a different continent.
The NETOPS team takes each of the prioritized dataflows verified by leadership and
identifies the mission network over which the data will likely flow. The mission network
is created by identifying the shortest path then purposely failing each device to determine
all likely routes the packets can take. Each route is a possible CSL. The goal of the
NETOPS team is to prioritize its resources to ensure that priority data flows remain
operational during a cyber attack by focusing its resources on devices on the mission
network. Due to the recent trend toward network convergence, in which different types of
data such as voice and video use the same infrastructure, separate dataflows will
experience significant overlap at the mission network level. This establishes a cycle in
which the efforts expended by NETOPS technicians on a single device will help ensure
that multiple dataflows are secure. However, convergence does not alleviate the need to
assess each prioritized dataflow. This analysis sets the stage for an agile response to any
threats that may occur.
It is important to note that shared situational awareness is provided for each mission
network rather than as a single, all-encompassing infrastructure solution. The goal is to
determine the impact of a disturbance on each of the organization's priority missions.
Allowing a customer to quickly model a network of interest facilitates mission impact
assessment and provides operational focus for the many support organizations during
remediation. In addition to hardening each device on a mission network, the NETOPS
and cyber defense teams closely monitor these devices to quickly identify any event that
might negatively impact a CSL.
Disruption of a CSL can occur if even a single device is disrupted, so the CSL sets the
priorities for reporting. Just as this methodology allows precise requirements to be
communicated from organization leadership to its technical staff, it also allows an
organization's technical staff to easily communicate status and mission impact to the
leadership. This consolidates and improves vertical communication within an
organization. Additionally, the CSL can be used to establish seamless horizontal
integration by providing precise communications requirements between organizations
and their Internet and telecommunication service providers.
Since every device on a CSL is critical to overall performance, awareness of any event
that could negatively affect a device must be immediate and widespread. Any
collaborative scheme that requires all participants to maintain constant communication
with one another cannot possibly be agile enough to defend priority resources in the
cyber environment. Providing an effective common operational picture (COP) is a
dramatic improvement over face-to-face communications in both quality and agility.
June 2015 8
The Geospatial Approach to Cybersecurity: Implementing a
Platform to Secure Cyber Infrastructure and Operations
G69472
Owned versus Used It is important to understand the distinction between 'owned' and 'used' networks when
Networks considering CSLs. An organization will have complete knowledge of all the devices in a
network that it owns. However, that knowledge is often very fragmented, residing at
different locations and in different formats. Therefore, it is difficult to get a
comprehensive picture of the network and its dependencies, especially in a crisis.
The CSL stack organizes the data in each level in the form of directed graphs, which
allows users at each layer to model the consequence of various changes to the networks.
Since disruptions at lower layers have significant effects at higher layers, the shared
situational awareness must account for interrelationships of the various layers. The status
of the device serves to couple the layers; each layer considers dependencies that can
cause a malfunction within it. When a disruption is identified, models at all higher layers
are rerun to determine if a given device change could cause mission failure.
If data from the network provider is unavailable, estimating techniques are required to
complete the CSL model. It is unlikely that the estimates will be completely accurate, but
they need not be. The goal is not for the executives to change the Internet to support their
CSL; it is to change their behavior in light of Internet conditions that threaten the CSL.
This is directly analogous to automobile navigation devices. They help the driver plan the
most efficient route between two locations and report variables that affect the chosen
route such as traffic conditions, road closures, and weather alerts. Drivers have no ability
to affect any of these variables; however, they may decide to alter their route or the
starting time or cancel the trip altogether if conditions don't support the drive. These are
the same options available to executives when they lose confidence that particular CSLs
will support their communication needs under the current environmental circumstances.
The CSL-based shared situational awareness simply offers a tool to support risk analysis
and management of the resources an organization can control.
G69472
Implementing the From the vast number of devices that make up cyberspace, the general solution strategy is
Cybersecurity to select only those that contribute to delivering a particular dataflow between two
Workflow identified locations during a particular span of time. Once the CSL is identified, risk
analysis is conducted to determine the resiliency of the network to various device
disturbances. This allows the executive and technical teams to determine an overall
confidence in the ability of the network to support a particular mission and prioritize
actions to monitor and respond to possible service interruptions. This shared situational
awareness for the mission establishes a context useful for preparing for an operation
before it begins; prioritizing, reporting, and responding to various conditions while the
operation is under way; and improving organizational response should something go
wrong.
The first step is to collect an organization's fragmented data into a single geodatabase.
The geodatabase is the common information model; meaning it is the central data
repository for storing and managing spatial data.
The cyberspace to geospace nexus is the mapping of devices to locations. For devices
owned by an organization, this mapping can be accomplished using existing IT inventory
and facilities data. For all other devices, third-party databases can be used to provide
approximate geolocations based on Internet Protocol (IP) addresses. Combining
cyberspace and geospace data in this way enables model extension by executing external
joins to geospatial datasets, using the coordinates of the device location. It also includes
cyber datasets using device attributes such as IP and media access controller (MAC)
addresses. The primary advantage of the geodatabase is to show how these similarities
are distributed over space and time.
The next step is to conduct analysis on how the data will flow between devices to
establish the mission network. The GIS platform provides all data fusion and analysis
tools needed to allow organizations to derive information from their ever-increasing data
stores. ArcGIS Network Analyst is an extension which combines nodes (devices) and
edges (the circuits that connect the devices) into a single data structure. This allows a
cyber analyst to run various scenarios that describe how the data will flow over the
network between the two identified end points (source and destination locations).
Once the CSL is constructed, it can be published in a variety of ways across the
organization through either a secure server or cloud-based architecture.
June 2015 10
The Geospatial Approach to Cybersecurity: Implementing a
Platform to Secure Cyber Infrastructure and Operations
G69472
The purpose of the CSL concept is to provide a means by which cyber operational
overlays can be integrated with other operational overlays (such as the power grid) then
placed within the locational context of a basemap. The combination of operational
overlays and a basemap provides a static model, as discussed earlier in this paper.
This architecture supports the real-time geospatial analysis of streaming data. Users can
configure interfaces and analytic models to ingest streaming data, conduct automated
analysis, save the new results, and generate a data stream and/or alerts to mobile users.
The CSL can be used to focus the organization's attention on the dynamic data and sensor
feeds that will have the greatest impact on a particular cyber mission. Streamed data, such
as weather forecasts, flood reports, electrical outages, and even social media reports of
social unrest, can be ingested into the platform and geospatially aligned to the CSL. This
will determine the data's relevance, and then it will be assessed to determine its impact on
the reliability of communications over the CSL. As such, the CSL provides the solution
for a multi-INT, multidisciplinary approach to securing an organization's dataflows.
Access to data isn't sufficient to provide value to various workflows, so Esri developed a
suite of tools to help organizations make the best use of the data being distributed.
Distribution techniques in Operations Dashboard for ArcGIS, Esri Maps for Office, Esri
Story Map apps, Briefing Books, and ArcGIS Explorer Desktop can be used to find and
visualize geospatial information and produce map-based presentations for leadership. Esri
technology is used to create web applications (web apps) by providing application
program interfaces (APIs) for web technologies including JavaScript. If a robust client
application is needed, developers can use ArcGIS Runtime SDKs to create applications
customized to do what users require, such as gather information in the field in a
connected or a disconnected environment. All these distribution methods can be accessed
by smartphones, tablets, and other handheld devices running on Linux, Android, iOS, or
Windows Mobile.
Conclusion This technical paper describes two approaches to resolve the critical issue of
cybersecurity: a geospatial model for perimeter defense and a CSL-based mission-impact
assessment. The advantage of the CSL model is that it can organize and manage mission-
assurance activities by identifying all devices that support data paths deemed critical by
an organization. Much of the ongoing work in cybersecurity is excellent but widely
dispersed in location and purpose. The CSL model creates a solution to integrate that
work, align it with other security disciplines, and focus both based on the priority
dataflows established by the organization. Any framework that can successfully
accomplish this feat must have a strong geospatial foundation.
A powerful GIS platform, such as ArcGIS, includes tools, workflows, and applications
that can be implemented with an organization's existing cybersecurity data and
technologies to improve the following:
■ Data management
■ Analysis and fusion
■ Visualization for situational awareness
■ Information sharing
Contact Esri
Offices worldwide
esri.com/locations
Printed in USA