Welcome back to cyber. Is this? Of course. I'm your instructor, Brad Roads. We are going to now talk about trusted systems and networks in domain one of Issa.
So this lesson is gonna briefly cover the TSN trusted systems network analysis methodology. And then we're gonna talk about why the heck do we do TSN? What does that mean? Azzan. Isi. And what should you know?
So the TSN analysis methodology is really focused on looking at commercial off the shelf technologies and how they are integrated into government systems. And so we do three things. Here we do a criticality analysis right, which is if I am going to rely solely on something that I procured
commercial off the shelf for from industry.
I need to understand what is the consequence that that thing fails or the company goes out of business or something like that.
Then we also look a threat assessments and vulnerability assessment. We're gonna talk a lot more coming up about risk management, but this should be somewhat familiar when you see those risk assessment charts on the right hand side of this chart
and then we have to do specific work looking at countermeasures on how they're tied to, whether it's prevention, detection or response. So those three types remember those Those were important those three types of countermeasures and what we select to allow us to mitigate the risk. So,
just like anything in a risk management or risk assessment methodology, which is what TSN is,
is, uh, TSN analysis is we're going to take and do an initial risk assessment of if I did know mitigation and then I'm going to select countermeasures, do that mitigation and then re calculate my risk to see what my mitigated risk is. That allows me to make a good decision. Whether or not using a commercial off the chief
shelf piece of technology
is valuable or not. Sometimes, as it sees, we have to go back to our bosses and tell them, No, don't buy that thing. Even with countermeasures in place, it may be too risky to use, but let me give you a practical example.
It is very possible, however, that we could purchase a system that's been online for years, that uses old Web technology that we've got to keep running because the solution set that's going to replace it isn't going to be built for years, war built for months. And so when that happens, right, we then have to figure out
what countermeasure is going to be put in place that allows us to keep working at. So if it's a like a Web application,
right, we could potentially employ something like a counter measures such as a Web application, Firewall Away half to keep operating a system. And so TSN analysis allows us to look at criticality threats and vulnerabilities related to various commercial off the shelf systems, mitigate risk and then decide if it's worth it
to actually utilize those capabilities or purchase those capabilities.
So why TSN? Well, TSN really came out of the construct of the US Department of Defense when, in the nineties and early two thousands we realized, or they realize that it's really, really hard to build complex systems at that. Sometimes it's much easier to go out and purchase those systems from industry.
So when we go out and buy commercial off the shelf systems, whether we're in the government or wearing commercial industry buying from a vendor, right,
we need to do some work as issues we need to look at vulnerabilities.
Remember the supply chain concerns we talked about? We gotta look at those, right? And then we need to determine Can we actually mitigate the risk of using those technologies? Um, sometimes solutions are procured that stay in operation for 5, 10, 15 years. Pretty typical to find that in the I. C. S skate a side of the house, especially in things like, uh,
critical systems like power generation, water treatment, stuff like that.
When you purchase something or make a major a major infrastructure upgrade, your expecting that's going to run for years. Well, sometimes we do tsn after the fact, because we have to keep those systems, those old systems operating long after they have become obsolete because the cost to replace them It's so high
that it doesn't make sense. It's much
cheaper to mitigate the risk with countermeasures appropriate countermeasures than it is to actually replace them. And so TSN is applicable to both the acquisition side of the House and the operations and maintenance side of the house. Long term, especially with systems that we keep online. Years after they've been, they've achieved obsolescence.
So that's why we do tsn
so in this video, we looked at the TSN analysis methodology. You need to remember criticality vulnerability, threats and then countermeasures. You're going to see that I promise you, as you go through your time is an easy or even on the sip concentration materials themselves that you're going to see that
we talked about why we do TSN. We have to secure commercial off the shelf systems. That's
that's the bulk of it on. We secure those systems when we're buying them. We look at securing those systems after we bought them, and even potentially long after they become obsolete. Because it is expensive to replace those systems, especially if they're, say, critical infrastructure,
We'll see you next time.