Transcript Chief Patrick Sheehan presentation

Cascading Effects of Cyber
Security on Ohio
Patrick Sheehan, Plans Branch Chief (Interim)
Ohio Emergency Management Agency
September 19, 2012
Today’s Cyber Threat
• Cyber threats to critical infrastructure continue to evolve:
– Foreign nationalists
– Criminals
– Hackers
– Disgruntled employees
• Attacks on government have increased 680% over the past five years
– Cyber incidents happen every day
– Negative impact to both economic and national security
– Loss of classified information and intellectual property worth millions
The “cyber threat is one of the most serious economic and national security
challenges we face as a nation…America’s economic prosperity in the 21st
century will depend on cyber security.” – President Barack Obama
Planning Efforts
• Cyber response requires a rapid response, which is highly
dependent upon the development of trusted relationships
between the public and private sector
• May 2009 – Federal Cyberspace Policy Review document
recommends development of cyber security incident
response plans, but agencies have been slow to react
• September 2010 – National Cyber Incident Response Plan
(NCIRP) is developed by DHS, providing a federal strategy for
coordinating operational response activities among all forms
of government; however…
• 85% of infrastructure is owned by the private sector
No single agency has authority over cyberspace.
Critical Infrastructure Sectors
• 17 sectors federally identified by Homeland Security
Presidential Directive-7 (HSPD-7) in 2003
– An 18th sector, Critical Manufacturing, was added in 2008
• Similar to Emergency Support Functions within EMA, each
sector is managed by a lead or Sector-Specific Agency (SSA)
• In accordance with the National Infrastructure Protection Plan
(NIPP), each SSA is responsible for:
– Developing and implementing a Sector-Specific Plan (SSP)
– Encouraging the development of appropriate informationsharing and analysis mechanisms throughout the sector
Critical Infrastructure Sectors
•
•
•
•
•
•
•
•
•
•
Food and Agriculture
Banking and Finance
Chemical Facilities
Commercial Facilities
Communications
Critical Manufacturing
Dams
Defense Industrial Base
Emergency Services
Energy
• Government Facilities
• Healthcare and Public
Health
• Information Technology
• National Monuments and
Icons*
• Nuclear Reactors, Materials,
and Waste
• Postal and Shipping
• Transportation Systems
• Water
*Not applicable to Ohio
Interdependencies and
Cascading Effects
Food and Agriculture
• Critical interdependencies with Water, Transportation, Energy,
Banking and Finance, Chemical, Dams
• Sector accounts for 1/5th of the nation's economic activity
• 75,000 mostly privately owned farms in Ohio
• Contributes $93 billion to state’s economy and 33.5K jobs
• Ohio’s diagnostic labs play a vital role in health and human
safety:
– Reducing food-borne illness by 10% would keep about 5
million Americans from getting sick each year
– Preventing a single fatal case of E. coli O157 infection saves
an estimated $7 million
• More farms with automated systems “on-line”
Banking and Finance
• Critical interdependencies with Energy, Information
Technology, Transportation Systems, and Communications
Sectors
• Especially vulnerable to large-scale power outages, echoing
effects of natural disasters, and cyber attacks demonstrate the
wide range of potential risks facing the sector
• SSA – Ohio Department of Commerce
• More than 4.5K Ohio-based financial institutions move money
throughout and beyond the state and country
• Public-private partnerships already in place – Financial
Services-Information Sharing and Analysis Center (FS-ISAC
• Highly-automated industry
Chemical Facilities
• Dependent on, depended upon by, and interdependent with
Communications, Critical Manufacturing, Emergency Services,
Energy, Food and Agriculture, Healthcare and Public Health,
Information Technology, Transportation Systems, and Water
Sectors
• Majority of industry is privately owned
• Employs nearly 46K Ohioans; contributes $20 billion to state
• Products are used in thousands of applications, including
medical devices, food processing, construction materials,
paints, paper, plastics, pharmaceuticals, electronics, water
treatment, and clothing.
• Highly-regulated and increasingly web-based processes
Commercial Facilities
• Further sub-divided into:
– Public assembly, sports league, gaming, lodging, outdoor
events, entertainment and media, real estate, and retail
venues
• More vulnerable to cyber attacks because the general public
can move freely throughout venues without the deterrent of
highly visible security barriers
• Majority of facilities are privately owned and operated, with
minimal interaction with the Federal government and other
regulatory entities.
• Work closely with local law enforcement
Communications
• Critical interdependencies with:
– Energy, Information Technology, Banking and Finance,
Emergency Services, and Postal and Shipping Sectors
• Underlying backbone for all day-to-day operations –
public sector, private sector, and non-profit
• Providers routinely share facilities and technology to
ensure interoperability, leading to shared cyber
vulnerabilities
• Again, the private sector are owners and operators of the
majority of communications infrastructure
• Public safety HIGHLY dependent upon this sector!
Critical Manufacturing
• Added as a critical sector in 2008
• Critical interdependencies with all other sectors
• Subdivided into Metal, Machinery, Electrical, and
Transportation Manufacturing
• Highly-automated, computerized manufacturing processes
– More than $12.5 million recently approved for innovation
in manufacturing technology through “Third Frontier
Initiative”
• Home to one of two “centroid” cities in the country (Dayton)
– Within a one-day drive of 50% of North America’s
population and near 70% of manufacturing capacity
– Numerous seaports along Lake Erie
Dams
• Critical interdependencies with Emergency Services, Energy,
Food and Agriculture, Transportation Systems, and Water
• More than 1550 dams in Ohio, from temporary to Class 4
(small to large)
• More than half (65%) are privately owned; 85% regulated
• Increasingly computerized systems provide economic,
environmental, and social benefits including:
– Hydroelectric power, river navigation, water supply,
wildlife habitat, waste management, flood control, and
recreation
Defense Industrial Base
• Critical interdependencies with all other Sectors
– Government is highly dependent upon this sector
• Especially vulnerable to cyber attack due to nature of sector
(military weapons manufacturing, research, & development)
• Ohio is home to many bases, manufacturers, and research
and development companies
– GE Aviation, Joint Systems Manufacturing Center, Timken, Goodrich,
Boeing, Honeywell, L3 Communications, Lockheed Martin, Armor
Holdings
• Dayton is designated as a national aerospace hub, ranking 5th
in U.S. in production
– Aircraft engine manufacturing accounts for nearly 75%
– Wright-Patterson Air Force Base contributes $5.1 million to economy
Emergency Services
• Critical interdependencies with Communications, Information
Technology, and Transportation Systems
• All other sectors depend upon the ESS for protection
– Presents unique challenges in protecting the ESS itself
• SSA – Ohio Department of Public Safety
• Broken down into subcategories of:
– Law Enforcement, Fire and Emergency Services, Emergency
Management, Emergency Medical Services, and Public Works
• Complex and dispersed nature of the sector makes it difficult
to disable the entire nationwide system; HOWEVER, this
presents challenges in coordinating emergency responses
across disciplines, regions, and levels of government
Energy
• Critical interdependencies with Transportation Systems
– Highlighted by heavy reliance on pipelines to distribute products
– All other sectors dependent upon Energy Sector for power and fuel
• 80% privately owned
• Many owners and operators have extensive experience
abroad with infrastructure protection and have more recently
focused their attention on strengthening industry cyber
security
• Ohio, or “The Solar Valley, is #2 in solar manufacturing
• Home to Columbia Gas, Marathon, and AEP
• 5th largest consumer of electricity in U.S.
• “Shale Rush” (frocking) in last two years
Government Facilities
• SSA – Ohio Department of Administrative Services
• More vulnerable to cyber attacks because many facilities are
open to the public for business activities, commercial
transactions, or recreational activities; while others contain
highly sensitive information, materials, processes, and
equipment
• In addition to physical structures, the sector includes cyber
elements that contribute to the protection of assets
• Education Facilities Subsector – pre-K through 12th grade
schools, higher education, business and trade schools
– Recent rise in “cyber charter” schools presenting their own
set of concerns
Healthcare and Public Health
• Critical interdependencies with Communications, Emergency
Services, Energy, Food and Agriculture, Information
Technology, Transportation Systems, and Water Sectors
• SSA – Ohio Department of Health
• Protects all sectors from hazards such as terrorism, infectious
disease outbreaks, and other natural disasters
• Collaboration and information sharing between the public and
private sectors is essential to increasing resilience of the
nation's HPH critical infrastructure.
• Plays significant role in response and recovery across all other
sectors in the event of disaster
• Many medical manufacturers, pharmaceutical companies, and
universities
Information Technology
• Critical interdependencies with the Communications Sector,
first and foremost (the internet); although all other sectors,
and even the general public, are highly dependent upon the
sector itself
• SSA – Ohio Department of Administrative Services, OIT
• Complex and dynamic environment makes identifying threats
and assessing vulnerabilities difficult and requires that tasks
be addressed in a collaborative and creative fashion
• Operated by a combination of owners, operators, and
associations that maintain and reconstitute networks
• Ohio Supercomputer Center in Columbus is largest in country
• Blurring of the lines between communications & IT providers
National Monuments & Icons
• Not particularly applicable to Ohio, as our state has no
nationally-recognized national monuments or icons located in
or near it
• Of more importance to national identity, as the sector is
essentially composed of physical structures which are of
greater vulnerability to intentional attacks.
• While the public nature of the sector limits the range of
protective measures available, there are minimal cyber issues
associated with national monuments due to the nature of the
mainly federally-owned assets
Nuclear Reactors, Materials,
and Wastes
• Critical interdependencies with Chemical, Energy, Healthcare
and Public Health, and Transportation Systems Sectors
• Highly regulated sector
– Cyber security of sector is of utmost importance due to the nature of
the sector
– Cyber Systems Security Roadmap
• Two nuclear power plants, both located along Lake Erie and
owned by FirstEnergy:
– Davis-Besse Nuclear Power Plant in Oak Harbor, pressurized water
reactor, license expiring in 2017
– Perry Nuclear Power Plant in North Perry, one of largest boiling water
plants in the country, license expiring in 2026
Postal and Shipping
• Critical interdependencies with all sectors, in particular:
– Banking and Finance, Commercial Facilities, Government Facilities,
Healthcare and Public Health, Communications, Energy, Information
Technology, and Transportation Systems Sectors
• Highly regulated and concentrated sector, with only a handful
of providers holding 90% of the market share
• Assets include over 400 high-volume automated processing
facilities, 40K local delivery units, 50K transport vehicles, and
dedicated information and communications networks
• Vulnerable to cyber attacks because the sector delivers to
virtually all state, national, and international ports
Transportation Systems
• Critical interdependencies with all sectors
• Six key subsectors, or modes:
– Aviation, Highway Infrastructure and Motor Carrier, Maritime
Transportation Systems, Mass Transit and Passenger Rail, Pipeline
Systems, Freight Rail
• Many national transportation companies and 99 airports
• Increasing cyber concerns, as automated public transit has
seen a 4%-10% increase (depending upon metro area) in
recent years, due to rising fuel costs
Water
• Critical interdependencies with all sectors, specifically:
– Energy, Food and Agriculture, Transportation Systems, Emergency
Services, Healthcare and Public Health
• Includes both drinking water and wastewater utilities
• Approximately 84% of the U.S. population receives their
potable water from drinking water systems; 75% have their
sanitary sewerage treated by wastewater systems
– Roughly 5,000 facilities service 10.8 million Ohioans
• Vulnerable to cyber attacks due to high automation.
Disruptions could result in illness, casualties, or denial of
service that would impact public health and economic vitality.
Implications on Infrastructure
• Increased Online Control = Greater Vulnerability
– Electrical power grids
– Water and transportation systems
– Oil pipelines
– Refineries
– Power-generation plants
– Water/Wastewater plants
• Aging infrastructure is more vulnerable to
sophisticated cyber crime
Implications on Infrastructure
“When transformers fail, so too will water
distribution, waste management,
transportation, communications, and many
emergency and government services…Given the
average of twelve month lead that is require to
replace a damaged transformer today with a
new one the economic and society disruption
would be enormous.”
–Dr. Stephen Flynn, Northeastern University
Connecting Ohio’s Infrastructure
• Strengthening our cyber security is imperative because of the
delicate balance between critical infrastructure sectors. A cyber
attack on one sector can have cascading effects across all 18
infrastructure sectors.
• More public-private partnerships in the following sectors:
–
–
–
–
–
–
–
Banking and Finance
Commercial Facilities
Critical Manufacturing
Defense Industrial Base
Energy
Information Technology
Postal and Shipping
• Interdependencies among the critical sectors have been
identified; however, a means to strengthen them must be
developed
Moving Forward
• Cyber security will play a greater role on emergency in the foreseeable
future as cyber attacks continue to grow in numbers and sophistication
• Consider societal, technological, and environmental changes in planning
• Understand the impacts of new technology and how best to implement it
• Incorporate cyber security into governance and response plans
• Seek technologically-savvy employees who can model data, run analytics,
and track mission effectiveness to enhance decision-making
• Build interdependent information technology capabilities with
redundancies
• Incorporate technologies based on simulation into exercises
It is imperative that we all work together – government, private sector, nonprofit, and the public
Questions?
Patrick Sheehan, Plans Branch Chief (Interim)
Ohio Emergency Management Agency
(614) 799-3693 Office
[email protected]
Thank You