Understanding the risk posture of organizations, systems and applications is critical for developing mitigation strategies, managing risk tolerance, and communicating security plans.
Beyond explaining how to remediate a risk finding, it is also important to score and report findings through a framework that is consistent, easy to apply, and well known to the wider security community.
We propose a Risk Profile for Cardano stakepool operators who manage individual nodes across the network. The risk profile would be a streamlined process with several stages. The audit will build upon standards developed by the US National Institute of Standards and Technology (NIST), the European Union Agency for Cybersecurity (ENISA), and the International Organization for Standardization (ISO). We will work closely with the SPOCRA community of stakepool operators to identify the key security vulnerabilities, complete audits of a wide group of stakepool operators, and disseminate the proposed surveys.
The first stage, which is the focus of this proposal, will address the inherent risk profile. This will be an easy-to-follow psychometric evaluation of the key areas of risk defined by the model. It is a self-assessment that produces an initial risk profile from the stakeholder's own responses, allowing the framework to score the system and point out weak areas of risk and concern within it.
A companion proposal, Cardano Risk Control System, submitted to the F6 Disaster: When all is a Stake challenge is a six-month project focused on the second phase of validation of the self-audits. A third phase, focused on modeling risk management scenarios, will be proposed during Fund 7.
<u>Proposed Objectives and Key Results (OKRs)</u>
Building a Risk Profile will require implementing an application that integrates easily into the broader risk-management community, so that the risk profile becomes one of the variables contributing to the overall risk catalog for the stakeholder's unit under management.
To accomplish this we propose the following objectives and key results:
1. Integrate Cardano Stakepools into the NOXMON C2RM (Control Cyber Risk Management) tool
   a. 5 major and 10 minor security indicators have been identified for stakepool operation
   b. 2 stakepool operators have validated the operation of the website integration
2. Develop templates for independent Stakepool node assessment
   a. 10 assessment questions have been composed and validated for the survey
   b. 10 stakepool operators have been identified to participate in the initial survey
3. Build a reporting engine for stakepool operators to publish current findings from the Stakepool Node assessments
   a. 2 stakepool operators have contributed to the development of the reporting engine
   b. 5 stakepool operators have published survey results with the SPOCRA community
Nov 2021 - Integrate NOXMON Stakepool tool
Lead: Alexander Miranda
Support Staff: Nelson, Stiglics, Span, Web Developer
Staff Budget: $12,065
Computer Supplies: $1,268
Dec 2021 - Templates for Stakepool assessment
Lead: Lauris Stiglics
Support Staff: Miranda, Nelson, Span, Web Developer
Staff Budget: $12,782
Survey Supplies: $551
Jan 2021 - Reporting engine
Support Staff: Miranda, Stiglics, Span, Web Developer
Staff Budget: $13,334
Six Month Milestone: Propose and Complete Phase II Control System
Twelve Month Milestone: Propose and Complete Phase III Risk Analysis of Cardano Stakepools
A. W. Miranda and S. Goldsmith, "Cyber-physical risk management for PV photovoltaic plants," in 2017 International Carnahan Conference on Security Technology (ICCST), 2017, pp. 1–8.
H. Sridhar, S., M. A., Govindarasu, Framework for Improving Critical Infrastructure Cybersecurity, Vol. 100, Gaithersburg, MD, 2018, pp. 210–224.
A. Dedeke, "Cybersecurity Framework Adoption: Using Capability Levels for Implementation Tiers and Profiles," IEEE Security & Privacy, vol. 15, no. 5, 2017, pp. 47–54. doi:10.1109/MSP.2017.3681063.
R. Azmi, W. Tibben, and K. T. Win, "Review of cybersecurity frameworks: context and shared concepts," Journal of Cyber Policy, vol. 3, no. 2, 2018, pp. 258–283. doi:10.1080/23738871.2018.1520271.
NIST Cybersecurity Framework, Website: <https://www.nist.gov/cyberframework>
ENISA Cybersecurity Standards and Certification, Website: <https://www.enisa.europa.eu/topics/standards>
ISO Information Security Management System (ISMS) Standards, Website: <https://www.itgovernanceusa.com/shop/product/isoiec-27001-2013-and-isoiec-27002-2013-standards>
Dr. Kenric Nelson is President and Founder of Photrek, which is developing novel approaches to Complex Decision Systems, including the dynamics of cryptocurrency protocols, sensor systems for ecological studies, and robust machine learning methods. His recent experience includes Research Professor with Boston University's Department of Electrical & Computer Engineering and Sr. Principal Systems Engineer with Raytheon Company. He has pioneered novel approaches to measuring and fusing information, which has been applied to improving the accuracy and robustness of radar signal processing, sensor fusion, cybersecurity, and machine learning algorithms. His education in electrical engineering includes completing a B.S. degree summa cum laude from Tulane University, an M.S. degree from Rensselaer Polytechnic Institute, and a Ph.D. degree from Boston University. His professional education includes an Executive Certificate from MIT Sloan and a certification with the Program Management Institute.
Nelson is the Principal Investigator for the project and is currently leading the "Diversify Voting Influence" project. Nelson ran the AdaStar staking node during Cardano's Incentivized Test Network for the Shelley development. His expertise in designing and analyzing complex systems will be applied to ensuring that the cybersecurity assessments are aggregated in a risk-averse manner.
Dr. Alexander Miranda is a technology risk professional: a technologist and information security executive with 15 years of diversified experience and proven leadership capabilities in security best practices, architecture, engineering, operations, governance, risk management, and compliance. He is adept at building innovative security solutions to address complex challenges, and effective in fostering relationships with stakeholders to support business objectives. He has broad experience in the private and public sectors, in both large corporate environments and small startup ventures.
Lauris Stiglics was elected a Cardano Catalyst Circle member representing the Stakepool Operators. He is a founding member of SPOCRA, an alliance of stakepool operators seeking to "fill a need in the (Cardano) community - a trade guild to represent and support Stake Pool Operators in order to maintain a healthy, secure, and decentralized Cardano network infrastructure." Stiglics operates Stakepool247.
Ron Span holds a degree in computer science (1993) and completed professional studies in business and economics (1994). Span has 25 years of experience leading cutting-edge advances in Information Technology. He has continuously expanded his responsibilities in programming, consultancy, pre-sales, and professional services management, working for an international company serving large enterprise clients. More recently, Span has led business development efforts for an international operations consultancy working with large enterprise clients. Since 2016, Span has run his own software company and is leading several start-up companies, including software development within the Cardano community.
Span describes his avocation for the Cardano community: "What IOHK wanted to achieve impressed me. After reading their first published whitepaper, I was convinced of the approach, the network, and the connections within the space. So I decided to contribute to this project. As such, I became an early stake pool operator that ran nodes on ITN and HTN and read the many papers and technical documentation provided by the team of IOHK and its researchers. Contributing to the Cardano community with a community-based solution, delegationtracker.com, built on the basis of stake pool rewards. Being one of the 8 companies selected for the original Plutus Dev Partner program. Now I am joining this exciting project to contribute to better security of the Cardano network, in which I think I can help on the basis of running Cardano stake pools for years as an SPO. There is literally no day passing by without being a part of the exciting developments for Cardano."