Critical Infrastructure Protection and Policy - PowerPoint PPT Presentation

Slides: 19
Provided by: hscottma
Learn more at: http://www.ce.cmu.edu
Transcript and Presenter's Notes



1
Critical Infrastructure Protection (and Policy)
  • H. Scott Matthews
  • March 25, 2004

2
HW 3 Review (Mean = 35)

3
Threat
  • Any circumstance or event with the potential to
    cause harm to a system in the form of
    destruction, disclosure, adverse modification,
    and/or the denial of service.
  • Examples: hackers, electrical storms
  • Need to know likelihood of threats
  • Source: National Information Systems Security
    (INFOSEC) Glossary, NSTISSI No. 4009, Aug. 1997
    - generalized form of it

4
Vulnerability
  • Weakness in a system, or its components (e.g.,
    system security procedures, design, controls)
    that could be exploited by a threat
  • Examples: software bugs, structural design

5
Risk
  • The likelihood that a particular threat, using a
    specific attack, will exploit a particular
    vulnerability of a system, resulting in an
    undesirable consequence
  • Risk Assessment:
  • Process of analyzing threats to and
    vulnerabilities of a system and the potential
    impact the loss of the system would have.
  • Resulting analysis is used as a basis for
    identifying appropriate and cost-effective
    counter-measures.
  • Computing expected loss functions

6
Risk Management
  • The process concerned with identification,
    measurement, control and minimization of
    security risks in systems to a level commensurate
    with the value of the assets protected.  

7
Classic Warden Defense Model
  • Leaders
  • Organic Essentials
  • Infrastructure
  • Population
  • Military

8
New Defense Model
  • Military
  • Phys. Infrastructure
  • Leaders
  • Population
  • Econo-Tech. Infrastructure

9
Strategic Objectives of Plan
  • Identify and protect infrastructures and assets
    most critical to society
  • Provide warnings for specific, imminent threats
  • Over time protect other assets through federal,
    state, local govt and private sector
    collaboration
  • Homeland Security a Shared Responsibility
  • Source: The National Strategy for the Physical
    Protection of Critical Infrastructures and Key
    Assets, White House, Feb 2003.

10
To Achieve Strategic Vision
  • Understand motivation of enemies
  • Understand preferred tactics
  • Comprehensive assessment of:
  • Assets and vulnerabilities
  • Challenges of mitigating risk
  • Key assets may not be part of critical
    infrastructure but affect prestige, morale,
    confidence (e.g. WTC, Golden Gate Bridge)

11
Effects of Attacks
  • Direct - loss of service
  • Attack on a critical node, system, function
  • E.g. bridge
  • Indirect
  • Attack leads to behavioral/psychological
  • Exploitation
  • Using one to destroy another
  • May involve interdependencies

12
Guiding Principles
  • Assure safety, confidence, service
  • Responsibility, accountability
  • Collaborative partnerships govt/industry
  • Market Solutions where possible
  • Information sharing
  • International cooperation
  • Development of technology and expertise
  • Safeguard privacy and freedoms

13
Responsibility Chain
  • Federal Govt - oversee, coordinate, set
    policies, ensure 3 strategic objs
  • State and Local - identify and secure their
    assets, emergency response, act as central points
    for requesting help, coordinate information flows
  • Private Sector - owns most of CI
  • Continue to perform RA/RM, reassess
  • Help identify vulnerabilities of national concern

14
What's Missing?
  • Anything non-terrorist
  • Natural disasters
  • Accidents
  • Focus on terrorist-based attacks, while timely,
    is short-sighted given the range of threats and
    vulnerabilities to CI

15
Interdependencies
  • A new emphasis on critical infrastructures
  • PDD-63 in 1998 after Oklahoma City
  • Generally worried about hackers interfering with
    operation of physical infrastructures
  • Use of digital to disrupt physical suggests
    interdependency
  • There are many non-hacking interdependencies
  • Natural events can exploit them too
  • Perhaps can be better understood and managed with
    information systems

16
Key Questions
  • What tools can be used to predict?
  • How can everyday operation be balanced with
    security concerns?
  • What are performance measures?
  • Who are stakeholders?
  • How to deal with risk and uncertainty?

17
Complex Adaptive Systems (CAS)
  • Collective, systemic behavior emergent
  • I.e. follows patterns that result from, but not
    predictable from, nonlinear interactions with a
    large number of subsystems
  • Capabilities change over time
  • Greater than sum of its parts
  • May be possible to model/ manage/ understand via
    agent-based systems
  • Software systems where simple decision rules are
    followed and tracked via information given to them

18
Six Dimensions of Infras. Interdependencies
(Rinaldi)
  • Infrastructure environment
  • Coupling
  • Response behavior
  • Failure types
  • Infrastructure characteristics
  • State of Operation