Development, Analysis and Evaluation of Cyber Resilience Strategies
Lehmann/Helmbrecht ICT Resilience Erice 2016
Prof. Dr. Axel Lehmann
Prof. Dr. Udo Helmbrecht
Institut für Technische Informatik, Universität der Bundeswehr München, Germany
European Union Agency for Network & Information Security, Greece
Outline
- Expected Trends and Opportunities of the Cyber World
- Cyber Resilience: Requirements, Methods, Challenges
- Objectives & Tasks of the Proposed Project No 12
Setting the scene …
- The world is quickly embracing digital in every part of our life.
- e-banking, e-health, e-commerce, e-education, e-everything are all now totally dependent on an open, safe and secure cyberspace.
- We are witnessing the development and deployment of smart manufacturing, the Internet of Things and computer-controlled critical infrastructures.
- Digital is challenging the delivery of old business models, while at the same time providing opportunities for the new world.
- We have to ensure that citizens and industry have the trust and confidence needed to work and live in the digital world.
6 technologies are revolutionizing IT markets …
Source: Gartner, MGI, Team analysis; CAGR = compound annual growth rate

Big data
• Description of technology: Ability to run complex calculations on big amounts of data in a meaningful timeframe
• Growth trend: Global 33% CAGR 2011-2015

Cloud computing
• Description of technology: Hosting of software on centralized servers with high-speed access through the Internet
• Growth trend: Global 27% CAGR in public cloud services revenues

Mobile technology
• Description of technology: Massive increase of mobile computing power, storage, and bandwidth
• Growth trend: Global 27% CAGR in mobile-to-mobile communications revenues

Natural user interfaces
• Description of technology: Creation of new kinds of interfaces that allow for more intuitive handling of IT systems
• Growth trend: 30% reduction in page visits per click

Computation, storage, and networks
• Description of technology: Possibility to store large amounts of data and transfer the data with high bandwidth between computers
• Growth trend: Global 15% CAGR in enterprise storage market

Sensors and actuators
• Description of technology: Introduction of cheap sensors and actuators to collect huge amounts of data
• Growth trend: Potential $4-11 economic impact estimated in 2025
5G mobile communication
Opportunity 1: Smart Grids
From: http://cleantechnica.com/2014/02/19/global-smart-grid-investment-grows-china-leads-us-falls-behind
Opportunity 2: Smart Homes
Image: http://www.refitsmarthomes.org/index.php/about/
Opportunity 3: eHealth
Image: http://www.solutions-magazine.com/le-health-bruxellois-se-developpe/
Challenges
- Complex networks and services
- Low quality software & hardware
- Asymmetric threats allowing remote attacks
- Increasing organised cyber crime and industrial espionage
- Lack of international agreements and regimes
Automated Driving – Tesla Autopilot
Why Cyber Security is a Planetary Emergency
> Learn from:
Definition: Resilience of a System
“… the ability of an organization or a system to continue to carry out its mission during a disruptive event and then return to normal operations once the stress of the disruption is relieved”
(US Dep. of Homeland Security)
Resilience Analysis …
… requires considering 4 stages of event management to maintain system resilience:
- Plan/prepare (w.r.t. malfunction, failures, attack, etc.)
- Absorb (isolating disruption)
- Recover (return to pre-event functionality, performance)
- Adapt (implement lessons learned)
(National Academy of Sciences)
Resilience of a System in Cyber Space …
… has to consider …
- ubiquitous, pervasive, mostly invisible computing
- interconnectivity between (sub-)systems -> “System-of-Systems”
- global connectivity through internet -> “hyperconnectivity” (World Economic Forum)
[Figure: concept diagram with the labels Resilience, Threat, Agent, Domain, Threats, Means and Metrics (ref); relation label "isExpressedBy"]
For Resilience of Critical Infrastructures …
- … 5 strategic layers have to be considered:
  - Global layer
  - Enterprise / Private layer
  - Information layer
  - Technology layer
  - Physical layer
- Simulation-based analyses of propagation of disruptive events through the layered system architecture (dependency graphs; SATURN: Self-Organizing Adaptive Technology Underlying Resilient Networks)
(Creese, Goldsmith, Adetoye, IEEE, 2011)
Important Factors of ICT- / Cyber-Resilience Engineering
- Minimizing risks caused by faults, errors, failures, misuse, attacks, accidents or disasters in ICT-systems:
  ICT-Risk = Threats * Vulnerabilities * Assets
- IT- / Cyber Resilience Engineering requires:
  - Identification of key IT assets
  - Controls to protect those assets from harm
  - Ability of those systems to operate under stress and recover from disruptive events
  - Processes for … protection and sustainment activities
  - Development of appropriate metrics and measures
Expected Major Trends of ICTs …
… technological innovations, e.g.:
- Low-energy-consuming Micro-… to … High-Performance-Computers (Exabyte)
- “More Moore” & “More than Moore” on a chip
  -> Cost-effective sensors / actuators
  -> Cyber physical systems
Expected Major Trends of ICTs …
… organization / computing principles, e.g.:
- Organic computing: self-x-properties (x = adapting, organizing, repair)
- Neural computing (artificial neural nets)
- Artificial Intelligence applications
Expected Major Trends of ICTs …
… lead to major opportunities & risks:
- Increasing interconnectivity between components & systems
- Evolutionary “System of Systems” development
  -> Increasing size of a system's state space
  -> Emergent system behaviour !!!
- Key challenge w.r.t. cyber resilience:
  -> “Mastering” System-State-Space-Complexity of ICT-systems / -applications !!??
Major Problem of Ubiquitous Computing & Communication ....
... is “System State Space Explosion”:
- Simple functional analysis requires:
  - reachability analysis for each state in state space
  - feasible for state space size ≤ 10^100 !!
- Numerical Analyses (of non-functional parameters, e.g. performance / reliability)
  - for state space:
    ≤ 10^8 (approx. < 1/2 day on a PC)
    ≤ 10^9 (still computable on a PC)
    ≤ 10^10 (on a PC Cluster)
⇒ Full state space exploration is practically impossible
⇒ results in emergent system behaviour !!
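An added illustration, not taken from the slides, of the reachability analysis and state space growth described above: a breadth-first exploration of n interconnected components that also finds states from which normal operation can never be restored. The three-state component model, the dependency rule and all function names are assumptions made for this example.

```python
from collections import deque

UP, DEGRADED, DOWN = 0, 1, 2  # local states of one component (assumed model)

def successors(state, deps):
    """Global states one step away; exactly one component changes per step."""
    for i, local in enumerate(state):
        dep_down = any(state[d] == DOWN for d in deps.get(i, ()))
        if local == UP:
            moves = [DEGRADED]                           # fault
        elif local == DEGRADED:
            moves = [DOWN] if dep_down else [DOWN, UP]   # fail, or recover
        else:
            moves = [] if dep_down else [UP]             # repair needs live dependencies
        for new in moves:
            yield state[:i] + (new,) + state[i + 1:]

def explore(n, deps):
    """Breadth-first reachability from the all-UP state; returns {state: distance}."""
    start = (UP,) * n
    dist = {start: 0}
    queue = deque([start])
    while queue:
        s = queue.popleft()
        for t in successors(s, deps):
            if t not in dist:
                dist[t] = dist[s] + 1
                queue.append(t)
    return dist

def unrecoverable(n, deps):
    """Reachable states from which normal operation (all UP) can never be restored."""
    reach = explore(n, deps)
    preds = {s: [] for s in reach}
    for s in reach:
        for t in successors(s, deps):
            preds[t].append(s)
    ok, queue = {(UP,) * n}, deque([(UP,) * n])
    while queue:                                         # backward search from all-UP
        for p in preds[queue.popleft()]:
            if p not in ok:
                ok.add(p)
                queue.append(p)
    return sorted(set(reach) - ok)

if __name__ == "__main__":
    chain = lambda n: {i: [i - 1] for i in range(1, n)}  # component i depends on i-1
    for n in (2, 4, 8):
        print(n, "components:", len(explore(n, chain(n))), "reachable states")
    print("mutual dependency:", unrecoverable(2, {0: [1], 1: [0]}))
```

The reachable set grows as 3^n, and the mutual dependency between two components produces a reachable state with no path back to normal operation, a system-level behaviour that neither component shows on its own.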
Conclusions
Summary
- Key Challenge: How can we master the (system state space) complexity of ubiquitous ICT-systems !?
Conclusion
- Need to better understand / analyse emergent systems behaviour (by mathem. modelling & simulation)
- Intelligent control for protection and self-adaptation
- Policies (principles)
- Standards & Guidelines
- Tests for validation & certification
Proposed Project:
- Efficient concepts and algorithms for system state space exploration (e.g. by model checking)
- Identification of major sources of ICT vulnerabilities and risks
- Development of efficient mathematical and logical modeling methods (e.g. Markovian models, reasoning methods)
- Simulation experiments (e.g. data farming) for risk and vulnerability analysis
- Analyses and evaluation of resilience strategies
Thank you very much for your interest and attention!

European Union Agency for Network & Information Security
PO Box 1309, 71001 Heraklion, Greece
Tel: +302814409710
www.enisa.europa.eu

Universität der Bundeswehr München
Institut für Technische Informatik
Fakultät für Informatik
D-85577 Neubiberg, Bavaria, Germany
Tel: +498960042648
www.unibw.de