Operations Security (OPSEC) at a Crossroads: Part I   

by Jack Emanuelson   

When discussing Operations Security (OPSEC) in any depth, it is important to first point out that the acronym has taken on more than one meaning.There are, for instance, many companies with OPSEC in their company names that offer products which have little to do with the OPSEC five-step risk management process. Probably the most confusing application is operational security as an umbrella term for all security afforded to an asset. This paper, however, addresses operations security, which grew out of the Vietnam War, gained formal recognition in U.S. National Security Decision Directive 298 in 1988[1], and is essential to meeting today's expanded threats to national security and the private sector. 

OPSEC is a five-step risk management process that focuses on only the most sensitive or critical information that, in the hands of an adversary, could limit success or give an adversary a decisive advantage. OPSEC follows the common risk management format but employs several unique steps:

1. Identify the critical information.

2. Analyze the threat.

3. Analyze vulnerabilities.

4. Assess risk and decide what actions, if any, are needed to bring risk  to an acceptable level.

5. Implement leadership's OPSEC plan and supervise, implement and monitor change to the risk environment.

Critical information refers to specific facts about the assets under consideration. Such assets can include business/military objectives, other activities, facilities and equipment and people. Critical information in the hands of an adversary could cause failure or unacceptable consequences and has the potential to lessen the value of the asset.

Most everyone has a system of identifying critical information. For example, national defense information may be Top Secret, while business information may be Company Confidential. The first order of business is to identify this information through a detailed analysis of the threat, how the threat could potentially adversely impact assets, whether or not potential adversaries have the capability to execute the threat, and the information they must have to succeed. Even if an organization doesn't employ the full five-step OPSEC process, simply identifying and securing critical information in a safe or on an information system is a good security practice.

Analyzing the threat involves several activities. An organization needs to know what the threat means as it relates specifically to it and its assets:

1) Who is the adversary?

2) What is the adversary's intent and does it have the capability to achieve its target? Why is this person or group considered an adversary? Are there multiple adversaries? In a business environment, for instance, different competing companies may have their own objectives, each requiring a separate set of information held by the targeted organization. 

3) Given the adversary's objective, what information held by the organization does the adversary need to carry out its intent? 

Having developed a potential adversary approach that identifies the adversary, its intent and capabilities, and the information that it needs to gain its objective, the organization should express its concern as both whatever 'win' means to the adversary and what 'loss' means to the organization.

Analyzing vulnerabilities doesn't only refer to the ways an adversary might directly collect critical information, since the organization should have already identified this critical information and secured it. The next step is to look for OPSEC indicators that could allow an adversary to deduce the critical information. This is the crux of the OPSEC process. The organization determines if there is open-source information or observable activity that an adversary could use to piece together, interpret or infer critical information.

Identifying indicators of critical information is relatively easy for a military operation. Where the attack will take place, at what time, and with what resources and forces -- all are pieces of critical information that should have been classified and properly protected. But what about activities such as the logistics preparation for the battle? Are military planners giving critical information away as they communicate with and gather the troops, equipment and supplies? Are doctrine and procedures carried out the same way for each operation, thereby establishing patterns and enabling an adversary to predict the next move based on observing prior activities? In a business environment, is a company giving away the introduction of a new product by purchasing materials not previously used, or by openly advertising for new hires with unique research experience? The search for such indicators is what makes OPSEC a unique risk management process and separates it from routine security functions.   

A vulnerability exists when an OPSEC indicator appears in open sources or is observable, and an adversary is then capable of collecting, processing and acting on the information. Indicators, for example, may exist on a web site, on an organization's or employee'sFacebook, LinkedIn or Twitter account, on an invoice showing a dramatic increase/decrease in purchases of a raw material or drug ingredient, or from the observation of increased manufacturing activity. When all indicators have been analyzed and their relevance to the critical information established, it is time to analyze how the adversary might collect the indicators -- and to begin thinking about how to stop this flow of information.   

(As an aside, an organization doesn't always suppress all indicators. Instead, it might use an indicator to channel an adversary's decision-making process to its advantage. In the private sector, this control of indicators must meet legal requirements. In a military environment OPSEC might be part of the military deception plan, subject to a different, but definitive, set of policy requirements.)

Assessing risk is based on the preceding steps in the OPSEC process. To this point it has been the OPSEC analyst who has taken the tasking from leadership and conducted fact gathering and analysis. The results of this analysis must now be presented to leadership for decision. The OPSEC analysis team must present its conclusions and recommendations to leadership in a format that leadership can understand and act on. The OPSEC team recommends measures to lessen the risk and describes their anticipated effectiveness (i.e., risk reduction). Leadership then decides if the risk is acceptable to them or not. If the risk is unacceptable, leadership approves a course of action and an OPSEC implementation plan. It is important to note, however, that the OPSEC analysis team and leadership may view risk from different vantage points (e.g., the degree of risk might be judged low by an OPSEC analyst who considers threat, vulnerability and impact on equal terms, while leadership may be totally consumed by a fear of adverse impact).

Implementing the OPSEC plan is the last step in the OPSEC process. Implementation doesn't just happen -- someone must be given the responsibility and authority to carry out the plan. Further, the risk environment is often dynamic and must be continually monitored to determine if any of the risk components have changed: new adversaries; changes in adversarial intent or capability; critical information added or no longer critical; changed threat intelligence capabilities; new indicators or means of collecting them; and effectiveness of current OPSEC measures.

Jack Emanuelson is an independent contractor specializing in OPSEC and information assurance. He earned his BS in Business Administration from the American University, an MBA from George Washington University, and is a graduate of the U.S. Army Command & General Staff College. He previously occupied the David G. Boak Operations Security Chair at the National Cryptologic School. Jack is retired from the U.S. Civil Service and is a Lieutenant Colonel, AUS (Ret).

[Editor's Note: Part II of Jack Emanuelson's discussion of OPSEC will appear in the March issue of The Risk Communicator]  

 
Secure Mission Solutions, a  

SARMA Silver Patron, is a trusted partner in delivering security-focused services and solutions to enable mission success. An end-to-end integrated security solutions provider, Secure Mission Solutions specializes in the electronic, information, communications, network, and cyber security domains. Headquartered in Reston, VA, Secure Mission Solutions has over 15 years of experience facilitating mission assurance through its core capability areas: (1) Cyber Security and Information Assurance; (2) Critical Infrastructure Protection; (3) Communications and Network Engineering; (4) Command & Control; and (5) Intelligence Services. 

Dedicated to the mission of those that protect America and its citizens, Secure Mission Solutions is proud of the support it provides to a broad range of customers that includes the Department of Defense, Army Corps of Engineers, Department of Homeland Security, the Intelligence Community and various other government agencies.  

Secure Mission Solutions personnel are subject matter experts employing a full suite of CND services in support of the High Performance Computing Modernization Program (HPCMP) Computer Network Defense Service Provider (CNDSP). Its engineers were instrumental in the development and management of the HPCMP Computer Emergency Response Team (CERT) and conducted 24x7 intrusion detection and incident reporting capabilities across the Defense Research and Engineering Network (DREN) and Secret DREN (SDREN). Responsible for the design, development, testing and maintenance of the third certified and accredited CNDSP, Secure Mission Solutions engineers are employed by the HPCMO to provide vulnerability assessment support; Information Operations Condition (INFOCON) implementation; Information Assurance Vulnerability Management (IAVM) support; network security monitoring and intrusion detection; attack sensing and warning; situational awareness; incident reporting, response and analysis; as well as CND training. Through their dedication and customer-oriented approach, Secure Mission Solutions personnel have been extremely influential in the continued growth and success of the HPCMP.

Secure Mission Solutions provides cutting-edge physical security solutions to a broad range of customers to ensure the protection of vital American infrastructure at home and abroad. In support of the Pentagon Force Protection Agency's (PFPA) Privilege Management Program (PMP), its technical experts developed HSPD-12, Federal Identity Credential Access Management (FICAM) and FIPS 201 compliant solutions, including the design, build and testing to enroll the 80,000-plus personnel of the Pentagon and National Capital Region (NCR) facilities. Secure Mission Solutions integrated HSPD-12 compliant CAC/PIV smart cards, local and national database card authentication, multi-modal fingerprint and iris biometric verification, as well as provisioning privileges for physical access, parking, visitors and vendor credential production. The company's Critical Asset Protection teams also provide physical and electronic security solutions to our nation's most critical assets such as iconic dams and hydroelectric facilities for the Bureau of Reclamation. In addition, Secure Mission Solutions is the primary contractor supporting the development and fielding of Integrated Commercial Intrusion Detection Systems (ICIDS-IV) by providing physical intrusion detection, access control and CCTV services for all Army sites requiring physical security controls.

In support of the US Cyber Command (USCYBERCOM), Secure Mission Solutions is providing state-of-the-art CND operations coupled with leading-edge knowledge of the global cyber threat domain. Its highly experienced IA analysts and incident handlers support the Host-Based Security System (HBSS) at the DoD Enterprise Operation level as well as Tier 3 Incident Handling within the USCYBERCOM Joint Operations Center (JOC) on a 24/7/365 schedule. Secure Mission Solutions also supports the J34 Media, Malware and Analysis Branch in conducting malware analysis in support of computer security incidents. This task includes malware analysis and exploitation of data from compromised systems in support of ongoing analysis. On a daily basis the company's analysts perform open and closed source research on emerging threats and vulnerabilities and develop and compile mitigation strategies related to emerging threats and vulnerabilities, as well as providing incident response and analysis findings. In addition, they perform CND analysis on recent events and strategic analysis of sophisticated attack patterns over the last year or longer.

SARMA continues to support the needs of the security community by providing added value and keeping our membership rates as low as possible. In particular, we support federal, state and local government employees with a reasonable Government Member rate, and seek to encourage the education of students in the security analysis field by keeping the Student Member rate at an affordable level.

New in 2012, the enhanced SARMA membership program includes the following: 

• Welcome letter and personalized membership certificate

• 10% discount on all event registrations

• An expanded event schedule
• Annual Conference
• SARMA Advisory Council meetings
• Networking socials
• Educational events
• Job fairs
• Webinars
• Policy forums

• Monthly SARMA newsletter

• Exclusive and free members-only events and webinars

• Board meetings, networking socials
• Annual meeting
• Monthly committee meetings

• Access to exclusive information   
• Annual Conference speaker presentations 
• Conference attendee lists
• SARMA member directory ("opt-in" only)
• Free digital subscription to partner organization newsletters
• Detailed calendar of third-party events of interest to the security risk community

• Opportunities to become involved in various SARMA committees and efforts benefiting the security risk community