Improving Critical Infrastructure Cybersecurity TM

Download Report

Transcript Improving Critical Infrastructure Cybersecurity TM

00111010101110100010100101010101010101001001010101001010000010111011
00111010101110100000110101010111010101010111101111000110111010011101
DRAFT PROSPECTUS V12.2
01101010111111000010101110100110011011111000011010011101001000101110
For discussion purposes only
00101110100001110110100101001010111110001010101001010100101010101001
TM
10101000011110101010000101010101111100100101010100011001000100111011
00111010101110100010100101010101010101001001010101001010000010111011
00111010101110100000110101010111010101010111101111000110111010011101
01101010111111000010101110100110011011111000011010011101001000101110
00101110100001110110100101001010111110001010101001010100101010101001
10101000011110101010000101010101111100100101010100011001000100111011
00111010101110100010100101010101010101001001010101001010000010111011
00111010101110100000110101010111010101010111101111000110111010011101
01101010111111000010101110100110011011111000011010011101001000101110
00101110100001110110100101001010111110001010101001010100101010101001
10101000011110101010000101010101111100100101010100011001000100111011
00111010101110100010100101010101010101001001010101001010000010111011
00111010101110100000110101010111010101010111101111000110111010011101
01101010111111000010101110100110011011111000011010011101001000101110
00101110100001110110100101001010111110001010101001010100101010101001
TM
10101000011110101010000101010101111100100101010100011001000100111011
00111010101110100010100101010101010101001001010101001010000010111011
00111010101110100000110101010111010101010111101111000110111010011101
01101010111111000010101110100110011011111000011010011101001000101110
00101110100001110110100101001010111110001010101001010100101010101001
10101000011110101010000101010101111100100101010100011001000100111011
00111010101110100010100101010101010101001001010101001010000010111011
00111010101110100000110101010111010101010111101111000110111010011101
01101010111100I See0101110100110011011111000011010011101001000101110
00101110100001010000100101001010111110001010101001010100101010101001
TM
101010000110Cube0000011101010101111100100101010100011001000100111011
00111010101001000110100101010101010101001001010101001010000010111011
0011101010110(IC)300110101010111010101010111101111000110111010011101
01101010111110010110101110100110011011111000011010011101001000101110
DRAFT, Copyright (IC)3, 2014
1
00101110100001110110100101001010111110001010101001010100101010101001
Interdisciplinary Consortium
for Improving Critical
Infrastructure Cybersecurity
(IC)3
Filling a Critical Need for
Critical Infrastructure
• Security of conventional information systems is recognized as
important …
– But still not fully effective (e.g., Target, Heartbleed, etc.)
• Security of our Cyber-Physical Infrastructure …
– E.g., computer controlled utilities, oil & gas sites, chemical,
water, financial services, telecom, infrastructure, etc.
… is even more important, but much less research has been done.
• Critical needs for Critical Infrastructure:
– (1) Justify top management attention & adoption
– (2) Define actions that can be effective & measured
– (3) Define a culture of Cyber-Safety
– (4) Create a forum for CSO/CISO’s to advance Cybersecurity
DRAFT, Copyright (IC)3, 2014
2
Who is this important to?
(Just about Everyone!)
• White House Executive Order (2014): “… cyber threat to critical
infrastructure continues to grow and represents one of the
most serious national security challenges we must confront ...”
• SEC Commissioner Luis A. Aguilar … warned that “boards that
choose to ignore, or minimize the importance of cybersecurity
oversight responsibility, do so at their own peril …”
• U.S. Secretary of Energy Ernest Moniz .. “ From producing
wells to tank batteries to pipelines, computer networks are
playing an increasingly important role in the operations of the
nation's oil and gas industry … cyber threats continue to
increase in frequency and sophistication …”
DRAFT, Copyright (IC)3, 2014
3
3
(IC)
– Mission
• Research & Development of Strategies, Models, and Tools
that will enable critical infrastructure organizations to more
effectively address their Cybersecurity needs
– by applying interdisciplinary approaches to common
problems that affect all Critical Infrastructure Sectors, and
– building on, and aligning for multi-nationals, existing
government, and industry initiatives including:
• The White House / NIST “Framework for Improving Critical
Infrastructure Cybersecurity”
• NERC-CIP & ISA99 / IEC-62443
• The Cybersecurity Frameworks & Strategies of other countries
DRAFT, Copyright (IC)3, 2014
4
Initial Research Project
Areas
1. Determining the Barriers to, and Incentives for,
adoption of the Cybersecurity Framework.
2. Developing strategies to increase adoption by the CSuite, in each Critical Infrastructure sector.
3. Models linking Cyber-Risk to: delivering goods and
services, & financial & reputational costs.
4. Atomic Models & Network Architectures for
interconnected Control Systems’ survivability, and
Supply Chain resiliency.
5. Determining the Barriers to, and strategies for
creating a Cybersecurity Culture.
DRAFT, Copyright (IC)3, 2014
5
MIT House of Security
Integrity
Accessibility
Technology
Resources
for Security
Financial
Resources
for Security
Confidentiality
Business
Strategy for
Security
Security
Policy &
Procedures
Security
Culture
A Fundamental Model for Measuring Cybersecurity Effectiveness
 The House of Security has been shown to be able to provide measurements of
perceptions, awareness, profile, tier, maturity, and gaps in Cybersecurity.
 It will be further developed to provide economic measurements of cyber-risk
and the value of Cybersecurity activities allowing a calculation of Cyber-ROI.
DRAFT, Copyright (IC)3, 2014
6
Example Results from Prior
Research – Proof of Concept
• Using survey questions we assessed both perception of the
current state of security in the organization and the desired state.
• The delta is the measureable gap between desired and actual.
Accessibility
1.600
Security Culture
1.200
Vulnerability
0.800
0.400
Security Policy
0.000
Confidentiality
Company X
Company W
Company I
Overall
Financial Resources
Business Strategy
IT Resources
Current State Assessments
by Three Companies: Big Differences DRAFT, Copyright (IC)3, 2014
Gap Analysis
7
Example:
Mapping the NIST Cybersecurity
Framework to the MIT House of Security
• The traditional Cyber
security Triangle:
– Confidentiality
– Availability
– Integrity
• The MIT House of
Security mapping:
–
–
–
–
–
–
–
–
• The Cybersecurity
Framework Core:
–
–
–
–
–
Identify
Protect
Detect
Recover
Restore
DRAFT, Copyright (IC)3, 2014
Confidentiality
Accessibility
Integrity
Technology Resources
Financial Resources
Business Strategy
Policy & Procedure
Security Culture
8
Proposed Initial Interdisciplinary
MIT Team Members
• Stuart Madnick – Professor of Information Technologies, MIT Sloan School of
•
•
•
•
•
•
•
•
•
•
Management & Professor of Engineering Systems, MIT School of Engineering
Nazli Choucri – Professor of Political Science, MIT School of Humanities and Social
Sciences
David Clark – Senior Research Scientist in Computer Science and Artificial Intelligence
Laboratory (CSAIL)
Michael Coden – Research Affiliate (former member of White House cyber study)
Jerrold Grochow – Research Affiliate (former MIT CIO and member of MITei cyber study)
Nancy Leveson – Professor of Aeronautics and Engineering Systems, MIT School of
Engineering
Andrew Lo – Professor of Financial Engineering, MIT Sloan School of Management
Allen Moulton – Research Scientist, MIT School of Engineering
Michael Siegel – Principal Research Scientist, MIT Sloan School of Management
Richard Wang – Principal Research Scientist, MIT School of Engineering
John Williams – Professor of Civil and Environment Engineering and Engineering
Systems, MIT School of Engineering
DRAFT, Copyright (IC)3, 2014
9
Interdisciplinary Approach
• IC3 will apply expertise from multiple disciplines in its
research on Cybersecurity issues of Critical Infrastructure.
• Faculty from MIT Sloan School of Management, MIT School of
Engineering, and MIT School of Humanities (Political Science)
• IC3 will address complex Cybersecurity issues using
techniques such as:
–
–
–
–
–
–
–
–
Multi-dimensional data aggregation & quality
System Dynamics, Modeling and Simulation
Internet, Network, and Communication Architecture
Applying Accident and Safety Theory to Cybersecurity
Cross border and international policy & implications
Control point analysis
Risk analysis and liability modeling
People and process modeling:
• Users and operators as well as Cyber criminals
DRAFT, Copyright (IC)3, 2014
10
(IC)3 TM
Applying Past and On-going MIT Research
to Improving Cybersecurity of Critical
Infrastructure
DRAFT, Copyright (IC)3, 2014
11
Applicable Past Research
• MIT House of Security: MIT has developed techniques to
measure perceptions of security in an organization
• Accident and Safety research: MIT can extend its research
on accident prevention to preventing cyber events.
• Control Points: MIT has studied best “choke points” to
interrupt a criminal enterprise.
• Improving CERTs: MIT has studied and suggested ways to
improve and better coordinate the CERTs.
• Bug Bounty: MIT has studied crowd source methods of bug
detection, such as “bug bounty” programs.
• Tipping Point Analysis: MIT has used System Dynamics to
understand what will make complex systems unstable.
• Simulation of Systems: MIT has a rich history in simulation
of complex systems under a wide variety of circumstances.
DRAFT, Copyright (IC)3, 2014
12
Use Accident Research on
Cyber Incidents
• Apply “accident” and safety research to “cyber
security” failures.
• MIT has researched accidents and how to prevent
them (including studying NASA problems) for many
years.
• We are now treating a cyber incident/event as a type of
“accident” and using prior research to identify,
understand, and mitigate possible “cyber-hazards.”
– Examples, such as TJX and Stuxnet, have been analyzed.
DRAFT, Copyright (IC)3, 2014
13
Control Points Analysis to
Disrupt Cybercrime Ecosystem
• Analyze complex cybercrime ecosystem.
• We are taking a “control points” approach to
determine the best “choke-point” to interrupt the
overall cyber-criminal enterprise (somewhat like
“follow the money.”)
• Sometimes that choke point is the Internet service
providers, sometimes it is the credit card companies,
sometimes it is the banks.
• We will also study markets for malware and ways to
disrupt and discredit those markets
DRAFT, Copyright (IC)3, 2014
14
Improving CERTs
• Improve CERTs (Computer Emergency Response
Teams).
• MIT has talked with and studied the CERTs around the
world — both national and regional CERTs and
corporate CERTs.
(CERTs are the FEMAs for computer catastrophes.)
• The activities, business models, and data-sharing
activities are diverse and of varying quality.
• MIT (IC)3 can suggest ways to improve and better
coordinate the CERTS and the clients they serve.
DRAFT, Copyright (IC)3, 2014
15
Vulnerability Detection
• Improving Vulnerability Discovery and
Detection:
• MIT has studied crowd source methods of bug
detection, such as “bug bounty” programs.
– Using techniques such as System Dynamics modeling
• MIT (IC)3 can determine which types of
vulnerability discovery and detection techniques
provide the results with the greatest value,
including “bug bounty,” open source, and other
approaches.
DRAFT, Copyright (IC)3, 2014
16
Cyber-Hardening
& Patch Management
• Patch distribution and management is complex in
general and even more so for critical
infrastructure situations
– Computer components are embedded within
machinery (which cannot be easily shut down) and
involve multiple manufacturers
• e.g., the equipment/system may be made by
Siemens, but controlled by computers running
Windows software.
– MIT has developed models to explore differing
strategies and incentive systems to make patch
distribution and management more effective.
DRAFT, Copyright (IC)3, 2014
17
Tipping Point Analysis
• MIT has used System Dynamics models and simulations to
analyze the stability of countries by understanding the
capacity of the system to withstand disruptions and the
range of loads that could be applied to the system.
• This can be applied to complex critical infrastructure cyber
systems (eg: smart grid, refinery, emergency services,
telecom, financial systems, etc.) to determine the “tipping
points” that would render such a system unstable.
• Monitoring and Alerts – measuring how close an
organization, or interconnected organizations, is coming
to a “tipping point.”
DRAFT, Copyright (IC)3, 2014
18
Multivariate Simulation
• Simulation of system performance and resilience
under different conditions.
• We can model systems under various circumstances,
such as when one or more subsystems have failed or
are under attack.
• We can assess how the system’s mission is affected
by multiple simultaneous attacks.
• Such simulations can be used to create strategies and
plans to mitigate the effects.
DRAFT, Copyright (IC)3, 2014
19
Metrics
• Organizations today have no effective way of
measuring the quality of their Cyber Security efforts.
– The old adage “if you can’t measure it, you can’t manage
it” applies to Cybersecurity.
• MIT (IC)3 can develop metrics which organizations can
use to Quantify and Qualify their Cyber Security
capabilities, and the organizations ability to withstand
cyber attacks and carry out its mission.
– A measureable Cybersecurity Maturity Model for describing
the Quality of the Cybersecurity at an organization and the
ROI of the Cybersecurity.
DRAFT, Copyright (IC)3, 2014
20
Holistic Cyber-Risk Model
• Holistic Risk Analysis Model is needed to address:
–
–
–
–
–
–
Multi-vendor environment
Multi-purpose use of equipment/systems
Multi-national & multi-cultural considerations
Cross-sector validity and usability
Multi-level system dependencies and vulnerabilities
People, process and accident/safety considerations
• Allowing simulation, including all of the above
factors, of taking different actions – to predict
what the benefits and costs will be.
DRAFT, Copyright (IC)3, 2014
21
(IC)3 TM
Patrons, Partners, and Members
DRAFT, Copyright (IC)3, 2014
22
Why Join
3
(IC) ?
• Existing organizations are trying to address today’s threat and
how to stop attacks in progress, but:
– “The CSO/CISO is too busy bailing water to plug the holes in the boat”
• (IC)3 is focusing MIT’s uniquely qualified interdisciplinary
researchers on the fundamental principles of cyber space, cyber
crime, & cybersecurity applied to Critical Infrastructure:
– “Enabling the CSO/CISO to plug the holes in the boat”
– Giving CSO/CISOs tools to
• Strategically develop measureable, cost effective,
Cybersecurity strategies – getting ahead of the curve
• Implement Cyber-safety awareness and culture change
• A confidential academic forum in which to benefit from the
experiences of CSO/CISOs from multiple sectors
DRAFT, Copyright (IC)3, 2014
23
Operation of
3
(IC)
• The day-to-day operation of the (IC)3 is managed by the Director
of the (IC)3 with the support of the (IC)3 Associate Director.
• The (IC)3 Advisory Board, in consultation with the Director of
(IC)3, will determine the research focus areas for each year.
• The (IC)3 faculty working with full-time MIT research staff and
graduate students, often in cooperation with Sponsor
organizations, will conduct the research.
• (IC)3 will organize and conduct two research topic-specific
workshops each year.
• (IC)3 will organize and conduct its Annual Conference, covering
the wide range of its research topics, each year.
DRAFT, Copyright (IC)3, 2014
24
Types of Sponsors
and Benefits *
• Patrons: $450,000 per year – commitment for 3 years (can be 1
year for first year) Includes all items below plus:
– Ability to help specify research projects, possibly in conjunction with patron’s
organization
– A dedicated faculty contact, with monthly consultations
– One on-site faculty presentation to the organizations governing board
• Partners: $120,00 per year – commitment for 3 years (can be 1 year
for first year) Includes all items below plus:
– Ability to influence research projects
– Ability to re-distribute research to their own clients and customers
– Ability to contact designated faculty via telephone
• Members: $35,000 if three year commitment or $45,000 if
one year commitment
– Send 2 people to annual conference and 2 workshops per year
– Access to all research in the MIT-(IC)3 research database.
* Details on additional benefits contained in the Sponsorship Agreement
DRAFT, Copyright (IC)3, 2014
25