critical infrastructure inter- dependencies: developing professionalism in cyber-security standards...
Post on 19-Dec-2015
217 views
TRANSCRIPT
Critical Infrastructure Inter-Critical Infrastructure Inter-Dependencies: Developing Dependencies: Developing
Professionalism in Cyber-Security Professionalism in Cyber-Security Standards to Achieve the Economic Standards to Achieve the Economic
Prosperity Essential to National SecurityProsperity Essential to National Security
John W. BagbyJohn W. BagbyProf. of ISTProf. of ISTPenn State Penn State
OverviewOverviewCritical Infrastructure Protection = CIP Critical Infrastructure Protection = CIP Critical Infrastructures & Key Resources = CIKR Critical Infrastructures & Key Resources = CIKR 85% of CIKR owned/controlled by Pvt. Sector85% of CIKR owned/controlled by Pvt. Sector
Freq. Cited: ‘02 Nat’l Strategy Homeland Security Freq. Cited: ‘02 Nat’l Strategy Homeland Security Cyber-Infrastructure Impact: Cross-CuttingCyber-Infrastructure Impact: Cross-Cutting
Transaction Processing, Communications, Control Transaction Processing, Communications, Control
Major Unresolved Challenges: Major Unresolved Challenges: Defining Critical Infrastructures; Provisionally: Defining Critical Infrastructures; Provisionally:
basic facilities, services, and installations needed for basic facilities, services, and installations needed for functioning of community/society, e.g., transportation & functioning of community/society, e.g., transportation & communications, water & power lines, schools, post offices, communications, water & power lines, schools, post offices, prisons prisons
Developing Effective, Acceptable Institutions Developing Effective, Acceptable Institutions Develop Nat’l Competencies to facilitate Planning Develop Nat’l Competencies to facilitate Planning
But, then coordination is likely soon to follow But, then coordination is likely soon to follow
CIP Goals - Avoid DisruptionCIP Goals - Avoid Disruption
National DefenseNational Defense
Continuity of GovernmentContinuity of Government
Economic Prosperity Economic Prosperity
Quality of Life Quality of Life
Recognize CIKR are Most Likely Terrorism Recognize CIKR are Most Likely Terrorism TargetsTargets
Running ThemesRunning Themes
Lack of Coordination within & between Lack of Coordination within & between SectorsSectors
CIKR Suffers Fragmentation:CIKR Suffers Fragmentation: Ownership, Control, Responsibility Ownership, Control, Responsibility
Tradeoffs in Nat’l PrioritiesTradeoffs in Nat’l Priorities Liberty, Private Property, Markets, CIP Liberty, Private Property, Markets, CIP
Political Compromises Political Compromises
Cyber-Infrastructure is Most Critical/KeyCyber-Infrastructure is Most Critical/Key
Tortured Policy Development for Tortured Policy Development for Critical InfrastructuresCritical Infrastructures
Evolved from vague concept before ‘90s of Evolved from vague concept before ‘90s of public works, form of public goodspublic works, form of public goodsThrough EOs & Pres. Directives in ‘90s Through EOs & Pres. Directives in ‘90s E.g., EO 13010 (‘96), PDD 63 (’98)E.g., EO 13010 (‘96), PDD 63 (’98)
Enshrined in legislation:Enshrined in legislation: Critical Infrastructures Protection Act (CIPA; Critical Infrastructures Protection Act (CIPA;
from ’01 PATRIOT Act)from ’01 PATRIOT Act) Homeland Security Act of ’02 Homeland Security Act of ’02
Still Evolving Still Evolving
What are Critical Infrastrucutres?What are Critical Infrastrucutres?
““Infrastructures” E.O. 13010 (7.15.96)Infrastructures” E.O. 13010 (7.15.96) Framework of interdependent networks and systems comprising Framework of interdependent networks and systems comprising
identifiable industries, institutions (including people and identifiable industries, institutions (including people and procedures), and distribution capabilities that provide a reliable procedures), and distribution capabilities that provide a reliable flow of products and services essential to the defense and flow of products and services essential to the defense and economic security of the U.S., the smooth functioning of economic security of the U.S., the smooth functioning of government at all levels, and society as a wholegovernment at all levels, and society as a whole
““Critical?” E.O. 13010 (7.15.96)Critical?” E.O. 13010 (7.15.96) ““certain national infrastructures are so vital that their incapacity certain national infrastructures are so vital that their incapacity
or destruction would have a debilitating impact on the defense or or destruction would have a debilitating impact on the defense or economic security of the U.S.” economic security of the U.S.”
CIPA’s Critical Infrastructures:CIPA’s Critical Infrastructures: “…“…systems and assets, whether physical or virtual, so vital to the systems and assets, whether physical or virtual, so vital to the
United States that the incapacity or destruction of such systems United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national and assets would have a debilitating impact on security, national economic security, national public health or safety, or any economic security, national public health or safety, or any combination of those matters.” combination of those matters.”
What are Key Resources?What are Key Resources?
Catch-All for Other Important ThingsCatch-All for Other Important Things Targets if destroyed would create local disaster or Targets if destroyed would create local disaster or
profoundly damage Nation’s morale or confidence, profoundly damage Nation’s morale or confidence, including symbols, historical attractions, national, including symbols, historical attractions, national, state, or local monuments & icons state, or local monuments & icons
Classic Examples are National Icons Classic Examples are National Icons Statue of LibertyStatue of Liberty
Emotional Inspiration Emotional Inspiration But note symbolism important to terrorism in:But note symbolism important to terrorism in:
World Trade Center as Center of Capitalism (Financial Mkts) World Trade Center as Center of Capitalism (Financial Mkts)
Pentagon as Symbol of US National MightPentagon as Symbol of US National Might
Initial (now evolving) List of CIKRInitial (now evolving) List of CIKR
TelecommunicationsTelecommunications
Electrical power systemsElectrical power systems
Gas & oil storage & transportationGas & oil storage & transportation
Banking and financeBanking and finance
TransportationTransportation
Water supply systemsWater supply systems
Emergency services: medical, police, fire, rescueEmergency services: medical, police, fire, rescue
Continuity of government Continuity of government
Granularity of CIKRGranularity of CIKR
Added Later:Added Later: Cyber-Infrastructure Cyber-Infrastructure Defense Industrial BaseDefense Industrial Base ChemicalsChemicals Postal & shipping servicesPostal & shipping services
Standard Industrial Classifications (SIC) Standard Industrial Classifications (SIC) Scoping CIRK is THE challenge of I/O Analysis Scoping CIRK is THE challenge of I/O Analysis
Role of “Lead (Regulatory) Agencies” Role of “Lead (Regulatory) Agencies” CoordinationCoordination Information SharingInformation Sharing Research, Enhancing Capabilities Research, Enhancing Capabilities
An Evolving Scope: An Evolving Scope: Defining Critical InfraStructures Defining Critical InfraStructures
Fragmented Historical DevelopmentFragmented Historical Development Presidential Decision Directive 63 (PDD 63) Presidential Decision Directive 63 (PDD 63) Executive Order 13o10 Executive Order 13o10 USA PATRIOT ActUSA PATRIOT Act Homeland Security Act Homeland Security Act National Strategy for Homeland Security National Strategy for Homeland Security National Strategy for Physical Infrastructure National Strategy for Physical Infrastructure
Protection Protection Homeland Security Presidential Directive No. 7 Homeland Security Presidential Directive No. 7
(12.17.03, HSPD-7)(12.17.03, HSPD-7)
Risks/Benefits of CooperationRisks/Benefits of Cooperation
Information Sharing as Root Cure Information Sharing as Root Cure Identifies threats, promulgates responsesIdentifies threats, promulgates responses
Implementation through Coordination using various Implementation through Coordination using various “Authorities” & Institutional Structures “Authorities” & Institutional Structures ISACs as the Central Information NodeISACs as the Central Information Node
ISAC Model Based on Center for Disease Control (CDC) ISAC Model Based on Center for Disease Control (CDC)
CIP Progress Somewhat Less Impressive CIP Progress Somewhat Less Impressive Risks of CooperationRisks of Cooperation
Signaling Vulnerabilities Signaling Vulnerabilities Revealing Confidences, Undermining IP, Competitive Revealing Confidences, Undermining IP, Competitive
Intelligence Intelligence Coordination ends in Collusion: “Contrivance Against the Public”Coordination ends in Collusion: “Contrivance Against the Public” Untoward Merger of Government & Business Untoward Merger of Government & Business
Interdependency Analytical Tool: I/O Interdependency Analytical Tool: I/O
Input-Output Analysis: Matrix Tables Input-Output Analysis: Matrix Tables
Purpose:Purpose: Identify Interdependencies Identify Interdependencies Develop Policy with Derived InsightsDevelop Policy with Derived Insights
Deployed matrix algebraic (simultaneous Deployed matrix algebraic (simultaneous equations) linking of economic sectorsequations) linking of economic sectors Depicts all flows of goods, services in an economyDepicts all flows of goods, services in an economy Technique depends on robust & accurate record of Technique depends on robust & accurate record of
inter-industry transaction flows inter-industry transaction flows Sources: Commerce Dept., Trade Assns, Financial Discl. Sources: Commerce Dept., Trade Assns, Financial Discl.
Wassily Leontief Wassily Leontief
Russian-born, German Russian-born, German educated, American educated, American academic Economistacademic Economist
Harvard, NYU (’75-99)Harvard, NYU (’75-99) B:1906; D:1999B:1906; D:1999
Received the 1973 Nobel Received the 1973 Nobel Prize for this Groundbreaking Prize for this Groundbreaking Work Work
The Structure of American The Structure of American Economy, 1919-1939 Economy, 1919-1939 (NY; (NY; Oxford Univ. Press, 1951) Oxford Univ. Press, 1951)
Inspired modern work, large-Inspired modern work, large-scale empirical macro-scale empirical macro-economics economics
Interdependency Analytical Tool: I/O Interdependency Analytical Tool: I/O
I/O Traditional Usefulness I/O Traditional Usefulness
Planned & Developing Economies Planned & Developing Economies
Central Control Device Central Control Device
View Big Picture: Forest, then Each Tree View Big Picture: Forest, then Each Tree
I/O Traditional Limitations I/O Traditional Limitations
Planned & Developing EconomiesPlanned & Developing Economies
Central Control Analytic Device Central Control Analytic Device
Sensitivity Analysis for Substitutes Sensitivity Analysis for Substitutes
Advantages: I/O Application to CIPAdvantages: I/O Application to CIP
Reveals inter-dependencies & sensitivities of links Reveals inter-dependencies & sensitivities of links among economic sectors among economic sectors
Considerable experience in infrastructure planning by Considerable experience in infrastructure planning by local, municipal, regional planning authorities local, municipal, regional planning authorities
Deployed Increasingly by civil engineering to develop Deployed Increasingly by civil engineering to develop forecasting models for transportation & public works forecasting models for transportation & public works infrastructures infrastructures
Recent applications to risk assessment of critical infrastructure Recent applications to risk assessment of critical infrastructure vulnerabilities vulnerabilities
Shows promise where public sector orchestrates other Shows promise where public sector orchestrates other infrastructure inter-dependencies deploying control or infrastructure inter-dependencies deploying control or regulatory structures of central planning regulatory structures of central planning
Disadvantages: I/O Disadvantages: I/O Application to CIPApplication to CIP
Primarily relegated to developing or planned Primarily relegated to developing or planned economies & some US regional/urban planningeconomies & some US regional/urban planning Predictable resistance from free-market economists & Predictable resistance from free-market economists &
conservative ideologues preference for ltd. Govt. conservative ideologues preference for ltd. Govt.
Sensitivity Analysis Adjustment DifficultiesSensitivity Analysis Adjustment Difficulties Challenges in Varying Input Substitutes Challenges in Varying Input Substitutes
Resolution of CIP coordination problem Resolution of CIP coordination problem undermines need for a central (govt) authority undermines need for a central (govt) authority However, authority necessary for public policy However, authority necessary for public policy
implementation of CIP derived from I/O analysis implementation of CIP derived from I/O analysis
Dawning of Some Success in Dawning of Some Success in Applying I/O to CIP; a/k/a IIMApplying I/O to CIP; a/k/a IIM
Civil Engineers & Regional Planners: but not Economists Civil Engineers & Regional Planners: but not Economists I/O Application to narrow CIKR contexts I/O Application to narrow CIKR contexts
a/k/a - inoperability input-output model (IIM)a/k/a - inoperability input-output model (IIM)
EX: recent 2000s particularly 2008-2009EX: recent 2000s particularly 2008-2009 Journals:Journals:
J.Infrastruct.Syst.; J. Homeland Sec.& Emerg. Mgt.; Syst.Eng.; J.Infrastruct.Syst.; J. Homeland Sec.& Emerg. Mgt.; Syst.Eng.; Int’l.J.Log.Mgt.Int’l.J.Log.Mgt.
Treatise & Visualization Device: Treatise & Visualization Device: Macaulay, Tyson, Critical Infrastructure: Understanding Its Macaulay, Tyson, Critical Infrastructure: Understanding Its Component Parts, Vulnerabilities, Operating Risks, and Component Parts, Vulnerabilities, Operating Risks, and Interdependencies, CRC Press, ‘09 Interdependencies, CRC Press, ‘09 Macaulay, Tyson, U.S. Critical Infrastructure Interdependency Macaulay, Tyson, U.S. Critical Infrastructure Interdependency Wheel ’09 Wheel ’09
Sectors & Contexts:Sectors & Contexts:GeoSpatial, Electric Pwr, healthcare, Disaster, Inter-Regional GeoSpatial, Electric Pwr, healthcare, Disaster, Inter-Regional Interdependency Mfg. Supply Chain, Counter-TerrorismInterdependency Mfg. Supply Chain, Counter-Terrorism
Challenges of Applying I/O to CIP Challenges of Applying I/O to CIP
Accurate & Complete Data Collection Accurate & Complete Data Collection Long live the Commerce Dept!Long live the Commerce Dept!
Host of I/O Technique AssumptionsHost of I/O Technique AssumptionsSensitivity Analytics for Substitutes Sensitivity Analytics for Substitutes requires robust micro-economics requires robust micro-economics Antitrust, econ-regulated indus. (FCC, CAB, Antitrust, econ-regulated indus. (FCC, CAB,
ICC) ICC)
SIC Granularity Needed SIC Granularity Needed Many More Evaluation Tools are NeededMany More Evaluation Tools are Needed
Macaulay’s Critical Infrastructure Macaulay’s Critical Infrastructure Interdependency Wheel Interdependency Wheel
Macaulay’s Critical Infrastructure Macaulay’s Critical Infrastructure Interdependency WheelInterdependency Wheel
Interim ObservationsInterim ObservationsCyber-Infrastructure is the Key Cross-Cutting Cyber-Infrastructure is the Key Cross-Cutting CIKRCIKR
IT Governance lies at the Heart of the Threat IT Governance lies at the Heart of the Threat Analysis, Remediation & Safeguarding for Analysis, Remediation & Safeguarding for Cyber-InfrastructureCyber-Infrastructure
Development of an Environment of Development of an Environment of Professionalism for IT Professionals Promises to Professionalism for IT Professionals Promises to Contributes Most to Cyber-Infrastructure Contributes Most to Cyber-Infrastructure ProtectionProtection
Development of Coherent IT Professional Duties Development of Coherent IT Professional Duties Will Contribute Most to CIP Will Contribute Most to CIP