Information Security Consulting

Background
Artemis Rocket Engineering (ARE) is a leading engineering and manufacturing organisation headquartered in Washington DC, USA, with subsidiary facilities in Los Angeles, California and Houston, Texas.

Since the late-1940s, ARE has been heavily involved in the design, testing and construction of rocket propulsion systems. ARE’s primary claim to fortune was its support of NASA’s Gemini and Apollo space programs in the 1950s and 1960s, which saw American astronauts land on the moon. During this period, which the ARE management team refers to as the ‘Golden Era’ of the organisation, ARE was responsible for the design and manufacture of components on the 111-metre-high Saturn V rockets that powered American astronauts into space – and the moon.

Since this period, ARE has remained heavily invested in NASA’s research and exploration initiatives, supporting the Space Shuttle Program and the launch of smaller, unmanned research vessels. For decades, ARE has often been viewed as pioneers of space rocket propulsion technology given their:
• Significant and highly specialised knowledge within their engineering teams
• Many years’ worth of information available to these teams given previous designs, innovations, tests and research programs that extend back to the ‘Golden Era’
• Workforce capability and specialised, adaptable manufacturing machinery.

In the last decade, ARE has seen a significant shift in the competitive landscape. NASA’s funding has been significantly and progressively cut since the 1980s. Therefore, the industry has moved from a select few organisations directly supporting NASA’s initiatives (including Boeing, McConnell Douglas and ARE) to a more diversified base, where hundreds of smaller organisations are engaged or subcontracted to design and manufacture aerospace components to reduce costs.

The 1990s and 2000s have also seen the introduction of well-funded civilian aerospace entities (such as Virgin Galactic, SpaceX and Blue Origin), which places ARE under direct pressure to sustain its market share. These competitors have undergone rapid growth and forced change on the industry, funding and rocket propulsion technology in a short time. Recently, ARE has also become aware that smaller European and Asian engineering firms have entered the market. This has caused some concern to the industry: a selection of these firms, while engaging in public knowledge-sharing and partnering arrangements with other aerospace entities (including ARE) on research projects, were also revealed to be backed by their respective, foreign Governments (as revealed through a series of investigative reports by a German newspaper).

ARE’s key ongoing competitive advantage is its capability that allows ARE to construct high-precision rocket propulsion systems in-house, rather than sub-contracting this to specialised, external firms. This helps to ensure that designs are not compromised through transfer to third-party factories. This capability is heavily reliant on a specialist group of ARE researchers/ engineers that focus on high-precision manufacturing tooling expertise, translating rocket designs and manufacturing requirements into updates of the manufacturing line device software (i.e. the actual units that machine the rocket components). This capability is codified (to an extent) in local ‘patterns’ and ‘wikis’ in the Houston office, with the researchers/ engineers spread across the Los Angeles and Houston sites. Researchers/ engineers focused on manufacturing technologies and software frequently collaborate and share designs over email, teleconferences and via photos transmitted via Whatsapp (a free cloud-based messaging solution).

With the recent announcements from NASA’s Mars Exploration Program (that the US Government intends to send a manned team to Mars by the late 2020s), ARE is poised to bid on a series of specialist and highly-technical contracts expected in August or September 2020. These contracts are to provide engineering consultation services to the Program, but more importantly, to design and manufacture cutting-edge reusable rockets capable of landing and taking off from launch/ landing sites.

To this end, ARE is already in the process of adapting and upscaling its TAPEX-3 rocket system. The original TAPEX-1 was the world’s first reusable rocket, capable of both taking off and landing on launch pads, in an era where rockets were often discarded and left to burn up in Earth’s atmosphere once used – an expensive proposition. The TAPEX-1 rocket system was itself adapted from ARE’s work in a research project funded by the US Government from 1997-2002, which created a rocket system of great efficiency that few other missile systems can match.

The Ask
Given ARE’s impending response to NASA’s tender, ARE recognises that the tender substantially increases the risk of possible theft of its designs, test data, manufacturing and research support applications and its manufacturing capability by suspected foreign entities backing its research partners and civilian competitors. Therefore, ARE desire a complete and full information security assessment to determine current adequacy of its security strategy and all components of its security control environment given the heightened probability of industrial and suspected nation state espionage.

Memo on ARE’s Security Capability (provided by Ingrid, the Chief Technology Officer)
While ARE’s corporate headquarters are located in Washington DC, it maintains around 10 research and development and manufacturing facilities around Los Angeles and Houston in the USA. The Washington office is a nondescript five-storey building within the city centre, housing ARE’s senior management team, political advisors (who lobby and work with the US Government and its agencies, including NASA) and corporate functions (Finance, Human Resources, Information Technology, Legal, etc). The Los Angeles office is the heart of ARE’s research and design work, given proximity to local research institutions such as CalTech and the Jet Propulsion Laboratory (JPL), whereas the heart of ARE’s manufacturing is located in Houston. Ingrid is aware that the manufacturing-oriented researchers/ engineers based in Los Angeles often share their knowledge of the manufacturing capability, software updates and designs with their local Los Angeles-based colleagues responsible for rocket propulsion system design. Researchers/ engineers frequently travel between sites.

ARE maintains a small internal Information Technology (IT) team of 18 personnel lead by the Chief Technology Officer Ingrid, predominantly related to maintaining the availability of its systems and networks. The team is responsible for overall management of its IT infrastructure and applications.
Ingrid’s IT managers include Vikram (Network and Security Administrator), Yeun (Applications and Infrastructure Administrator) and Carlos (IT Operations). This is summarised below.

IT Management Primary Duties / Description Assignment
Chief Technology Officer Ultimately responsible for the management of IT infrastructure and application. Ingrid
Network and Security Administrator Responsible for designing and implementing ARE’s network architectures across its three sites. Maintains network device configurations, including firewalls. Monitors network performance, secures network access, etc. Vikram
Applications and Infrastructure Administrator Responsible for effective installation, configuration, update, maintenance and monitoring of ARE’s IT infrastructure, databases and applications. Yeun
IT Operations Responsible for managing the IT business unit’s budget and other general duties, including policy maintenance and occasional compliance training. Carlos

Ingrid acknowledges that much of the historical focus on security was on the application of preventative, logical controls to protect their network perimeter. Information security is generally accepted by ARE senior management to be the responsibility of her team. This led to a change of Vikram’s job title to incorporate security given his work in installing and configuring ARE’s firewalls and network security devices. Vikram and Yeun are also seen as the de facto leads for the ARE incident response process given network and infrastructure monitoring solutions fall within their remit. Typically, the incidents reported through to Vikram and Yeun (via a hotline phone number on the intranet) relate to network and infrastructure outages.

The Los Angeles Research and Development Facility and Houston Manufacturing sites share the Corporate office’s network based in Washington DC. Los Angeles and Houston are segregated via additional firewalls to create separate network sub-zones. An intrusion detection system and data loss prevention tools were both installed as better practice – however, the data loss prevention tool was disabled as it was found to be generating too many false positives. Virtual Private Network (VPN) services are also maintained to assist with remote work (as it encrypts data in transit) and ‘Bring Your Own Devices’ (BYOD) owned by employees. Much of ARE’s Research and Development team use BYOD due to convenience for their design work, which may increase security risk exposure as data at rest is not secured.

The general IT infrastructure consists of 35 networked servers running print, email, Microsoft Office, financial accounting, management analytics, specialised engineering, test and design software (e.g. Computed Aided Design programs) used by the researchers and engineers, in addition to industrial control systems that run the manufacturing devices and storage of designs, procedures and in-house developed code. Engineering and design data is spread across ARE servers, local ARE workstations used by the researchers and engineers as well as in physical archives and the ‘little black books’ of physical notes that the researchers and engineers are required to keep on-site. In her role, Ingrid does not have visibility of the physical security of her infrastructure, as this remains the responsibility of local site coordinators. These coordinators maintain a reporting line through to the Chief Operations Officer (COO), Ingrid’s peer.

All IT and network infrastructure across ARE’s three sites are maintained by members of Vikram’s and Yeun’s team. Yeun is responsible for deploying antivirus software on ARE workstations, but retains limited control of BYOD given ARE’s general culture of ‘research and convenience first’ due to the ongoing desire for innovation and momentum.

Ingrid and her team are also generally aware of the information stored on the IT infrastructure that they manage. However, her Chief Technology Officer role focuses more on availability and maintenance of the IT infrastructure – she believes that the information on servers and endpoints (including BYODs and workstations) remains a ‘business problem’.

Given their positioning on Government contracts, Ingrid has been required to demonstrate compliance to industry standards, including ISO27001, ISO27002 and ISO27005. This has required that they draft a high-level security policy, perform an occasional IT security risk assessment (usually prior to an audit taking place – the risk register is quite high-level and not closely governed) and provide annual e-learning training to the teams on acceptable use of systems and general good security practices (such as using strong passwords). Management attests to compliance against the security policy on an annual basis – however, this is not preceded by any detailed, internal analysis and is viewed as an administrative activity. Compliance to the ISO2700x standards are measured by external consultants on an annual basis – however, these take the form of brief audits conducted over a period of two days and do not result in detailed analysis or recommendations. These recommendations are generally accepted by ARE management, but are not implemented in detail given ongoing organisational focus on engineering design and manufacturing ‘value add’ activities.

The COO has authored a separate set of physical security policies that Ingrid has not had input into. As the local site coordinators in Los Angeles and Houston are generally responsible for operations of the sites themselves, Ingrid is aware that her security policy has been adapted to suit local operations and needs, though the coordinators retain limited management experience. 

You are required to submit a comprehensive proposal to ARE that addresses their needs and concerns. The proposal shall have the following sections (maximum of 9 pages not including title page, references and appendices, each section must start on a new page):

  1. Title Page
  2. Executive Summary (maximum of 1 page)
  3. Information Security Risk Management
  4. Information Security Strategy
  5. Information Security Policy
  6. Information Security Culture
  7. Information Security Education, Training, and Awareness
  8. Information Security Controls