
WILLIAM J. PERRY CENTER FOR HEMISPHERIC DEFENSE STUDIES INSTRUCTIONS FOR THE ONLINE APPLICATION FORM

CYBER POLICY DEVELOPMENT (INTENSIVE)

(CYBERi 2020)

Application Period: 25 October – 01 December, 2019 Online Phase: 04 – 15 May, 2020 Residential Phase: 01 – 05 June, 2020

NOTE: The CYBERi course is an intensive, specialized variant of the CYBER course. Because of the overlap of topics, graduates of the Perry Center’s CYBER course are not eligible to apply.


WHO CAN USE THIS FORM TO APPLY

• Civilians (government and non-government)
• Retired military
• Non-military police
• Active duty military who live in the Washington, DC metropolitan area.

WE WILL NOT ACCEPT APPLICATIONS DIRECTLY FROM ACTIVE DUTY MILITARY PERSONNEL WHO LIVE OUTSIDE OF WASHINGTON, DC. THOSE INDIVIDUALS MUST CONTACT THE OFFICE OF MILITARY COOPERATION (MILGROUP) AT THE UNITED STATES EMBASSY IN THEIR COUNTRY TO APPLY. For specific information, please contact our registrar’s office at [email protected]

• Please follow all of the instructions on these pages, as well as those located online on our web page at http://williamjperrycenter.org/academics, which contains additional information not found here, including the Academic Integrity and Non-Attribution statement, which you agree to abide by if selected for the course.

• Once you begin filling out the online application form, you will have to submit it in the same session. You will not be able to save your progress and return to it later. The application process includes answering some essay questions, located on the online form. The questions specific to this course are listed in section 6. Before loading the application form, you might wish to review the essay questions beforehand and write your responses separately. The online application form will let you copy and paste text into the appropriate text boxes.

• The application form is located at the following URL:

https://www.dscarc.org/default?regcenterid=11&eventid=55369&reltype=12479

Please keep in mind that the Perry Center shares this application system with other regional centers; therefore the form is initially presented to you in English. In the upper left-hand side of the page, there is a drop-down menu for automatic translation into various languages. This is designed to help you better understand the application form, but please keep in mind that machine translation is not perfect.


After you complete the online application form and have received your confirmation number, please send the following documents to [email protected] within five business days after having completed the application:

• Curriculum Vitae / résumé (4 page max)
• Two letters of recommendation, one of which must come from your supervisor. If you do not have a supervisor because you work independently, that letter may come from a third party.

When you send your documents via e-mail, the subject line must contain your last name, country, and the confirmation code provided to you by the system. Example: SMITH – JAMAICA – QPLFHNJ1234. Acceptable file formats for your attachments are: DOC, DOCX, PDF, JPG, GIF, BMP, TIFF, and TXT. Please ensure that the combined total file size of your attachments does not exceed 8 MB. We will not grant deadline extensions due to messages being rejected by our e-mail server. Applications will not be considered complete until the Perry Center receives all of the required documents (application form, CV, letters of recommendation).

Upon submitting an application, you certify that you:

• Have read the general course description, candidate profile, and the application instructions on this document and web site.

• Understand that this includes an online phase of approximately four weeks before the residential phase begins in Washington, DC. You will actively participate in all of the online sessions and promptly complete assigned homework. Successful completion of the online phase is required to attend the residential portion of this course.

• Understand these instructions and agree to abide by the National Defense University’s Academic Integrity Policy.

• Understand that all courses are subject to availability of funds.

• Meet the language requirements for this course, and (if selected to participate or placed on the waiting list) will go to the US Embassy in your country to take an English reading comprehension exam if asked.

• Affirm that all information you have provided is accurate.

All applicants will receive notification via e-mail approximately ten weeks before the start of the residential phase stating whether they have 1) been selected, 2) been placed on the waiting list, or 3) not been selected.

ESSAY QUESTIONS

1. Describe (with specifics) your current job duties and work activities in relation to themes of critical infrastructure protection at policy and strategy level. (200 word max)

2. Describe your organization's mission (at the policy/strategy level) in relation to themes of critical infrastructure. (200 word max)

3. Describe how this course will help you personally (now or in the future), or your organization, to develop a policy (and/or strategy) for critical infrastructure in cybersecurity. (200 word max)

4. Based on the attached reading please answer the following question: What is your opinion on a multi-dimensional approach that enables a heightened awareness of risk-posture by highlighting the existence (strength) or absence (weakness) of relevant security factors? (250 word max)

In accordance with Department of Defense policy, citizens of countries with designated income levels established by the World Bank are not eligible for scholarships. At this time, this restriction applies to the following Western Hemisphere nations: Antigua and Barbuda, Bahamas, Barbados, Canada, Chile, Panama, St. Kitts and Nevis, Trinidad and Tobago, and Uruguay. Citizens of these countries may still apply to courses, but in a self-funded status. Self-funded candidates must meet all eligibility standards and comply with all application requirements, including application deadlines, as well as being able to cover the expenses of their own travel, lodging, meals, and incidentals.


DE GRUYTER Journal of Homeland Security and Emergency Management. 2019; 20140111

Latechia White (1) / Timothy Eveleigh (2) / Tanju Bereket (2)

A Hybrid Hierarchical Framework Toward Security Effectiveness for Critical Infrastructure Protection and Resiliency: A Hospital Case Study

(1) GWU, EMSE, 2121 Eye St, NW, Washington, DC, USA, E-mail: [email protected]
(2) George Washington University, EMSE, Washington, DC, USA

Abstract: A successful Denial of Service attack on a CI can indirectly have devastating and irreversible effects on those that depend on its services. Furthermore, recent disruptions have raised concerns regarding the resiliency, security effectiveness and emergency preparedness of CIs and dependent resources. To address the persistent challenge of protecting CIs and maintaining the essential services they provide, this research offers emergency management personnel a conceptual framework to evaluate security effectiveness and estimate the cascading effects that may result from inadequate security measures. We combine the philosophy of multi-dimensional modeling with the statistical engine of Bayesian Belief Networks to provide proactive, scenario-based interdependency analysis for CI protection and resiliency. The findings of this research resulted in a multi-dimensional approach that enables a heightened awareness of one’s risk posture by highlighting the existence (strength) or absence (weakness) of relevant security factors. Through stakeholder risk assessment, preemptive implementation of threat mitigation plans for dependent resources becomes possible. Specifically, we provide this proof-of-concept, “what-if” analysis tool to assist in the reduction of vulnerabilities. To illustrate the conceptual framework, we provide a Healthcare and Public Health sector case study that evaluates the impact to a hospital patient given a successful DoS attack on a CI.

Keywords: Bayesian networks, CI interdependency analysis, critical infrastructure protection, healthcare and public health, HHM, hierarchical framework, HPH, resiliency, security effectiveness

DOI: 10.1515/jhsem-2014-0111

1 Introduction

Critical Infrastructures (CIs), as defined by the Department of Homeland Security (DHS), are the assets, systems and networks, whether physical or virtual, so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof (http://www.dhs.gov/xlibrary/assets/NIPP_Overview.pdf). CIs are large, complex, adaptive and highly interconnected; rife with potential areas where system knowledge can easily go unexamined and thus undiscovered. Implementing security measures without considering the multi-dimensional aspect of interdependencies that are both internal and external to CIs can lead to undesirable consequences. This can ultimately imperil efforts to achieve CI protection goals. Moreover, goals can be negatively impacted by providing an illusion of acceptable security where there are actually areas of unacceptable and intolerable risk, in spite of operators having employed every available tool, policy and standard. Within the multi-dimensional regions of CIs there are cyber-based, temporal, geo-spatial, legislative, societal, economic and stakeholder attributes that can be explored and considered to uncover unknown insight into a CI’s true security posture.

According to Government Accountability Office (GAO) reports, over the past decade there has been a sustained increase in malicious penetrations of government information systems (GAO-11-463T 2011; GAO-12-92 2012; GAO-16-152 2015a; GAO-12-666T 2012b; GAO-15-573T 2015b; DHS 2016; http://ics-cert.us-cert.gov/sites/default/files/Monitors/ICS-CERT_Monitor_Oct-Dec2012.pdf). In 2012 alone, America’s power, water, financial institutions, nuclear systems and other key resources experienced a 52 percent increase in targeted attacks by cyber criminals seeking to gain (or deny) access to the nation’s CI (http://ics-cert.us-cert.gov/sites/default/files/Monitors/ICS-CERT_Monitor_Oct-Dec2012.pdf). According to new research, parties aligned with the Russian government have developed a cyberweapon (CrashOverride) specifically designed to destroy the industrial control systems of CIs. Considered a Stuxnet 2.0, CrashOverride was used by hackers to briefly shut down one-fifth of the electric power generated in Kiev (https://www.washingtonpost.com/world/national-security/russia-has-developed-a-cyber-weapon-that-can-disrupt-power-grids-according-to-new-research/2017/06/11/b91b773e-4eed-11e7-91eb-9611861a988f_story.html?utm_term=.89e606950738, accessed February 19, 2019). Recent ransomware cyber-attacks such as WannaCry and Petya have affected more than 200,000 computers, causing chaos and disruption for CI/DR, including major hospitals, a nuclear disaster site, and electrical grids (https://www.cnet.com/news/petya-goldeneye-wannacry-ransomware-global-epidemic-just-started/, accessed February 19, 2019). It was noted by Healthcare Informatics: “this attack (WannaCry) shows that interconnected devices and systems are vulnerable to attack by nations, non-state actors and just plain crooks. An attack of this scope points to the potential for an entirely different type of damage: shutting down entire businesses, hospital systems, banks, and critical infrastructure” (https://www.hcinnovationgroup.com/cybersecurity/article/13028537/exclusive-report-what-can-us-healthcare-it-leaders-learn-in-the-wake-of-wanna-cry, accessed February 19, 2019). Cyber criminals are demonstrating their ability to access sensitive information, disturb the integrity of personal data and block the availability of information systems. However, their ability to manifest the physical destruction traditionally associated with kinetic warfare has yet to be fully realized. As noted by both the GAO and US adversaries, the nation’s CIs and Key Resources remain vulnerable to the potential devastation of cyber-attacks. As indicated in Presidential Policy Directive 21 (PPD 21), US CIs remain a high value target (PPD 21 2013). According to these recent reports (EO, PPD and GAO), implementations of existing standards, policy, legislation, methodology and tools have not provided sufficient confidence, guidance or rigor toward effective protection against these increasingly frequent and potentially destructive attacks (GAO-13-462T 2013; GAO-17-518T 2017; The White House 2013).

Latechia White is the corresponding author. © 2019 Walter de Gruyter GmbH, Berlin/Boston.

Brought to you by | NDU Library & Learning Center. Authenticated. Download Date | 10/21/19 6:53 PM

Current methodologies used to address the complex problem of improving the cyber/physical security protection of the enterprise, or specifically in this case the nation’s CIs, must expand beyond existing traditional approaches. Most security methods used today are considered from a single dimension. This is normally accomplished by protecting virtual or physical access to architectural elements or components (networks of routers, switches, servers, SCADA) from cyber-attacks, e.g. by configuring firewalls, implementing policies, limiting access to data servers, and training users. Current tools may measure direct threats but not cascading impacts beyond the first order. For example, a medical center that experienced a power loss soon discovered that its on-campus sewage pumping station was not on the emergency power grid. Identifying these indirect risks would be of great value.

Although existing techniques and tools demonstrate a noble effort, they have proved to be neither sufficient nor effective. Further, organizations, CI owners and operators must have a method to assess the effectiveness of the security program they put in place. A serious gap exists in the tools available to assess the effectiveness of security measures which are designed to mitigate disruptions to essential CI services (NIST 2014; GAO-16-152; GAO-17-518T 2017). Also lacking are strategic methods to evaluate the subsequent impacts resulting from interruptions to those services. Furthermore, a framework that empowers emergency management personnel to reduce the negative impacts of a CI DoS by strategically improving implemented security measures does not readily exist today (NACCHO 2016). Existing literature describes numerous approaches to CI interdependency analyses (Bloomfield, Chozos, and Nobles 2009; Borum et al. 2015; Di Giorgio and Liberati 2011; Dimase et al. 2015; Eusgeld, Nan, and Dietz 2011; Haimes 1981; Kozik, Choraś, and Hołubowicz 2010; Ouyang 2014; Rinaldi, Peerenboom, and Kelly 2001; Sikula et al. 2015; Zio 2016). However, there is limited research on estimating the likelihood of negative impacts from those interdependencies or understanding the effectiveness of security measures designed for their protection. This research fills a gap by providing a framework that allows emergency management personnel to estimate the likelihood of impacts using a construct that dynamically (through scenario analysis) and proactively addresses and evaluates the relative effectiveness of implemented and/or proposed security measures designed to help minimize or negate the undesirable effects of CI service disruptions. We expand on knowledge, experience, and recommendations offered by previously documented research of noted scholars.

The objective of this paper is to provide emergency management personnel a conceptual framework and methodology to evaluate security effectiveness and the effects of cascading risk that may result from inadequate security measures. The following sections describe the study layout. Section 2 details the methodology used and data collected for this research. Section 3 examines alternative methods for evaluating security effectiveness for CIs. Section 4 provides background for the hospital case study. In Sections 5 and 6, we outline key definitions and apply our methodology to the hospital case study, respectively. Section 7 discusses potential areas for future research. Finally, the paper closes with conclusions and implications of our research.


2 Method and Data

This study utilized a focused cross-sectional survey to collect data from medical professionals employed at 10 distinct hospitals. The survey was used to capture the knowledge and experience of medical professionals regarding the use of metrics implemented by their respective hospital facility to measure effectiveness and/or emergency preparedness. Data was also collected to understand various impacts to a critically ill hospital patient (dependent resource) given a CI failure or Denial of Service (DoS). Survey responses were collected via a web-based, electronic tool (Survey Monkey). Using the expert elicitation method, the data was further used to validate the BBN model and expected results. Elicitation of specific data from medical experts was limited due to the acknowledged vulnerability of hospitals and the potential insight it may provide to adversaries. Thus, we use a combination of real and notional data and present this research as a proof of concept.

The specific CI categories and hierarchical relationships used in this study were extracted from the Department of Homeland Security (DHS) National Infrastructure Protection Plan (NIPP) and its associated Sector Specific Plans (SSP). Historical data was used as prior probabilities for the BBN analysis, drawn from sources such as the DHS, the Verizon 2013, 2014 and 2015 Breach Reports, the Symantec Annual Security Threat Report (2010) and Verisign. Specific data for each CI was collected from government sources such as DHS in collaboration with the Department of Energy (DOE), Water Waste and Sewage (Environmental Protection Agency) and the Communications sector (National Communications Systems). Previous research performed by the DHS identified relevant variables for CI protection and resiliency (CIP/R). We expanded that research by using those variables as dimensional categories within this methodology.

3 Comparative Analysis of Alternative Methods

Review of literature from noted scholars (Ayyub, Prassinos, and Etherton 2010; Bayuk and Mostashari 2013; Borum et al. 2015; Di Giorgio and Liberati 2011; Dimase et al. 2015; Ghorbani and Bagheri 2013; Haimes 2004; Pettigrew et al. 2009; Rinaldi, Peerenboom, and Kelly 2001; Roberts 2004; Ryan 2004; Sanders 2014; Satumtira and Dueñas-Osorio 2010; Sikula et al. 2015) identified relevant attributes/criteria for effectively achieving the goal of generating a comprehensive framework for complex adaptive systems such as CIs:

1. Align/trace to security goals

2. Strategic/systems engineering approach

3. Performance based metrics

4. Quantitative and qualitative assessment

5. Scenario or what-if analysis for decision making

6. Accommodates uncertainty

7. Allows for limited data

8. Assess security effectiveness of security measures

9. Extensible application

10. Assess indirect consequences/Interdependency analysis

Although these scholars have acknowledged these attributes as imperative components for modeling, providing or improving effective security, current models, methods and techniques at most incorporate only two or three of them. Thus, the ability to assess the effectiveness of security implementations on a holistic level has been limited.

Over 35 models, techniques and approaches were reviewed, with data sourced from Ouyang (2014), Eusgeld, Nan, and Dietz (2011), Idaho National Labs (Pederson et al. 2006), Satumtira and Dueñas-Osorio (2010) and Vugrin et al. (2010), to assess how each technique synergized the multi-dimensional, multi-objective, qualitative, stochastic, and hierarchical nature of CIs and dependent resources (CI/DR). Although each model was in a different stage of maturity (R&D, internal-only, operational), they were each designed for the purpose of analyzing CI interdependencies. Many were designed for a specific CI (internal dependencies); others were intended to manage cross-sector dependencies. It was unclear which tools were designed to evaluate multi-order effects (indirect consequences of negative events), which is of great interest to this study. In the models reviewed, resiliency was handled, at most, from the perspective of redundancy. Many of the tools had the ability to perform sensitivity analysis and to determine the various “strengths” of dependencies (i.e. which dependency had the greatest impact on another CI). Various decision analysis techniques were built in to determine or indicate priority and relative importance; however, very few of the models illustrated the ability to assess dimensional interdependencies (legislative, societal, economic, stakeholder, etc.). At most, a few models had the ability to incorporate temporal, spatial, and geographic data. Five models were highly regarded by the DHS: Athena, CARVER, Critical Infrastructure Modeling System (CIMS), Knowledge Display and Aggregation System (KDAS), and Maritime Security Risk Analysis Model (MSRAM). Each of the five models is considered a Model-Based Risk Analysis (MBRA) tool, known for the ability to aid in risk-informed decisions (Lewis 2015). CARVER, Athena, KDAS and MSRAM were each designed specifically for military and government entities, while CIMS targeted emergency planners and responders as end users. Of all the models evaluated, no tool clearly articulated how or if effectiveness was assessed, and the extent to which resiliency was addressed was limited to identifying redundant components/measures. No tool addressed resiliency as it is defined by the NIPP (Ouyang 2014). The ability to handle minimal data and account for uncertainty was only managed by tools with a stochastic engine; however, even those tools did not address effectiveness from the perspective of both protection and resiliency, nor from the various dimensions previously described.

Although we were unable to physically manipulate the models evaluated for this research, the data available served well in filtering the various capabilities and limitations of each tool. While each tool appeared to serve a valuable fit for its purpose, it did not appear evident that they lent themselves to trivial modification for extensibility to incorporate additional or lacking features. A tool is most valuable and effective when designed from its core to allow for modular growth that enhances or provides additional capability, rather than adding on to a tool that was not built to be dynamically modified. Consequently, we sought to establish the Bayesian Approach to Security Effectiveness with metrics, modeling, and decision-support (BASE m2d) conceptual framework, a tool that asserts to provide what existing tools lack: a comprehensive approach to assess the security effectiveness of measures proposed or implemented for CI protection and resiliency, while also providing modularity for improvements and/or additional functionality.

To address the complex, multi-attribute, multi-dimensional, and categorical/hierarchical perspectives of the problem, we chose the Hierarchical Holographic Modeling (HHM) philosophy. Haimes originally designed HHM to identify sources of risk (Haimes et al. 1995). Although modified in this study from its original design, we maintain and leverage the integrity of the HHM philosophy and concept for its ability not only to identify sources of risk but to assist in the identification of relevant variables hierarchically, in various categories and from multiple dimensions. Approaches such as the Analytical Hierarchy Process (AHP), Multi-Attribute Utility Theory (MAUT) or Multi-Criteria Decision Analysis were evaluated as comparable frameworks; and although each of these methods also assists in decision-making and allows for a structured way of framing the problem, the need to assign relevant weights to each criterion to show importance was not necessary to meet the objectives of this conceptual study (Gass 2005). Instead, to demonstrate our preliminary concept, variables were elicited from existing research previously collected from experts at the DHS and documented in the NIPP. CI experts determined that the variables identified within the NIPP held equal weight at the highest level of evaluation. To scope the individual components of our framework we leverage (extend) vetted research and focus this research on demonstrating the comprehensive framework. We acknowledge that criterion weights are a reality and that weights may vary depending on budget constraints and available resources; they should be re-evaluated and re-weighted on a case by case basis, which would suggest the use of decision analysis models such as AHP and others. We recommend this as a future enhancement to our preliminary framework. The HHM component of this tool is a modular component which can be modified or replaced as the user desires.

Additionally, graphical probabilistic models such as Markov Random Fields (Markov Networks) and Bayesian Belief Networks (BBNs) were explored to address the uncertainty of complex system interdependencies and the very real occurrence of limited data; preferably, a probabilistic model that allows for scenario/what-if analysis, with a user-friendly interface, and one that does not require great statistical knowledge. Markov Networks are known for their power and flexibility (undirected, allowing cycles); BBNs are restricted by comparison (directed, acyclic). We discovered that both Markov Networks and BBNs would suffice for our purposes; however, we chose BBNs simply based on our familiarity and their ease of use.

As a result, the findings of this research resulted in a hybrid of two hierarchical techniques that encompasses each of the ten (10) aforementioned attributes. We implement this conceptual framework, BASE m2d, using a risk assessment via scenario or what-if analysis to inform decision-makers on where best to allocate resources in order to maintain a specific and appropriate level of service, preserve human life and assess emergency preparedness in the event of a CI failure.


4 Case Study Background

Public trust depends upon the sustainability, resilience, integrity and availability of national Healthcare and Public Health (HPH) critical infrastructure (NACCHO 2014). Continuity of healthcare and public health services is critical to response and recovery following a disaster or emergency (NACCHO 2015). Results from this research reveal that hospital engineers have performed due diligence to ensure that if power is disrupted or water supplies have been tainted or halted, backup generators and alternate water supplies are available to maintain critical services. However, this research further revealed that most hospitals have not performed additional risk assessments of their implemented security measures that would allow them to understand, evaluate and reduce the potential impact of a CI DoS (e.g. water, power) on a patient or medical device.

Understanding how and where to properly address and allocate security measures in a budget-constrained environment will prove invaluable to ensure these critical resources/services are uninterrupted (or have minimal or acceptable impact). This case study models a critically ill patient in the ICU who depends on medical equipment (dialysis, defibrillator, etc.) for survival. Given a DoS to a CI (power, water, etc.), the hospital could be subsequently impacted if the proper back-up resources are not engaged or available in a timely manner.

Multi-order, cascading effects are important to understand given that they can occur as a result of a direct or indirect attack or occurrence. A CI failure or DoS (resulting in a partial shutdown or complete shutdown) can be due to a successful attack, whether virtual or physical, intentional or unintentional, potentially having a 2nd, 3rd or 4th order effect (Figure 1). The case study modeled here examines the 4th order effect on a patient that is depending on CI services to sustain life.

Figure 1: CI Interdependency Multi-Order Effects.

5 Key Definitions

5.1 Security Effectiveness for the Operational Environment

Relative effectiveness is best defined in its operational environment. In this study, the operational environment is bounded by the components’ internal and external interfaces to the CIs and dependent resources in question. The following definitions are important to note:

Security – the extent to which security measures provide protections that detect, deter, neutralize and mitigate potential threats, while also providing resiliency measures to resist, respond, recover, absorb and adapt to prevailing threats.

Security Effectiveness – the degree to which security implementations provide adequate protective and resilient measures, allowing business operations to be maintained at an agreed upon level of service per the enterprise security goal.

Risk Management Effectiveness – determined by “whether and how much risk was actually reduced or whether risk was acceptable…” (Hubbard 2010)


Security effectiveness, as defined above, implies that implemented security measures should not impede, interrupt or disturb critical operations of the enterprise, unless by design in order to protect systems or persons from active attack.

Effective protection for one organization or CI may not apply to another organization or CI. Measures applied for a specific threat may not be as effective for a different threat. The same paradigm applies when measuring in different operational environments and for different security goals. A more targeted solution considers what is relative or relational to the problem and the specific influences on the overall system. As a result, this research addresses security effectiveness more appropriately as relative security effectiveness. Specifically, this research asserts that relative security effectiveness is best achieved by first defining the operational environment, understanding associated dependencies, identifying the goal or target to be protected, and evaluating the problem with a specific threat in mind.

6 Applying BASE m2d to a Hospital Case Study

The Bayesian Approach to Security Effectiveness with metrics, modeling and decision-support (BASE m2d) framework uses a hospital case study to demonstrate the overall methodology. Described herein are the steps to perform a self-assessment using the CI/DR-HHM, calculate the SSEI and perform “what-if” analyses to determine the potential impact to a dependent resource (hospital or patient) given a successful DoS to one or more CIs (water, power, communications). Figure 2 represents the general flow of the BASE m2d framework.

Figure 2: General Flow of BASE m2d Framework.

The following sections describe the ten-step methodology of the BASE m2d framework. The first three steps define the problem-solution space; Steps 4–7 assess the current security posture using metrics, the operational environment from multiple stakeholder perspectives using HHM, the overall relative effectiveness using SSEI, and the likelihood of impact using BBN; while Steps 8–10 estimate the relative risk and describe the iterative decision analysis process.

6.1 Steps 1 and 2: Define Operational Environment and Security Goals

The strategic implementation of this framework begins by establishing security goals within the operational environment. The Department of Homeland Security National Infrastructure Protection Plan (NIPP) has developed value propositions and/or security goals for each CI identified in the plan. Establishing security goals includes documenting what is important to the organization and considers the perspectives of all stakeholders, to include CI owners/operators, dependent CI owners/operators, vendors, consumers/customers, etc. Many decision-makers focus resources in areas that have little to no impact on what they value, and without full consideration of the operational impact, thus leading to security compliance with little security effectiveness. Once goals are established within the operational environment, measures can be directly implemented to monitor progress toward achieving those goals in accordance with the value proposition.

HPH Security Goal: For the HPH sector or hospitals, it is crucial that they maintain (resilience) a certain level of business continuity to preserve human life and to protect the confidentiality of information for their patients and personnel.

The HPH security goal identified above can be divided into two separate targets to protect: human life and patient information. This case study focuses on preserving human life to demonstrate the capabilities of the model; however, the model is extensible to include an analysis of the impact of a successful attack on patients’ personal information as well. That case is excluded here based on the threat (DoS) in question, which is often employed for purposes other than to exploit personal data.

6.2 Step 3: Identify Dependencies

Internal and external dependencies (also known as potential attack paths) to the protection target or security goal (hospital, patient) within the operational environment can indicate vulnerabilities. Specifically, if there is a penetrable entry or exit point (link) to/from the target, strategic consideration should be given to applying appropriate measures of protection or resiliency to prevent undesired effects in the event of an attack or natural disaster. Links/dependencies may be identified as having virtual and/or physical access and should be prioritized, especially in a budget-constrained environment. Identifying dependencies between CIs (water, power, communications) and dependent resources (hospital, medical devices, patient) provides the topology to construct the general Bayesian Belief Network.

7 The Metrics

7.1 Step 4: Assess/Measure the Security Posture

Relevant metrics should be identified and implemented to assess the current security posture of the organization, particularly metrics that acknowledge and indicate internal/external degradation of the infrastructure. Metrics chosen should pass the “so-what” test and should be selected in relation to the security goal within its operational environment. They should be identified and defined around the problem space. Without metrics, organizations will find it difficult to accurately gauge effectiveness and articulate improvement. When metrics can be quantified as a number or percentage, are contextually relevant, and are measured consistently, they confer credibility on the overall assessment (Jaquith 2007). Jaquith goes on to state that good metrics should facilitate discussion, insight, and analysis.

Security metrics are the servants of risk management, and risk management is about making decisions. Therefore, the only security metrics we are interested in are those that support decision making about risk for the purpose of managing that risk (Jaquith 2007)

Getting the right metrics requires asking the right questions. Cyber-attacks may cause a temporary disruption (minutes to hours), while natural disasters such as tornadoes or hurricanes may cause long-term outages (weeks to months). A question such as “are failover settings for the backup generator sufficient to not have a negative effect on the patient, in the event that power is disrupted at the hospital’s main plant?” should lead to identifying the appropriate metrics that ensure the ability to proactively monitor status and plan accordingly. Medical devices dependent on CI services would benefit from metrics such as mean time between failures (MTBF), for monitoring or alarming if a failover system (power, water) exceeds a certain value. Asking how long a backup generator can support a critically ill patient surviving on a ventilator before asphyxiation or brain damage occurs should also result in relevant metrics. Although the answer to this question may depend on the severity of the patient’s illness, the reliability and sustainability of the medical equipment should be measured, understood and baselined accordingly, to assist in proper planning.

Penetration testing should also be performed and its results included in the overall assessment to continuously monitor and capture anomalies due to unsolicited or unintentional physical or cyber access. These combined techniques provide an understanding of the current security posture and insight into the strength or weakness of the enterprise.

The BBN model developed for this research is structured such that if current measures indicate an unacceptable impact to the patient, additional or alternative security measures should be implemented and assessed. Threshold and objective parameters should be considered for each metric (there may be cases where threshold parameters alone are sufficient). Identifying these parameters and monitoring for trends or outliers will allow emergency personnel to take appropriate actions prior to an undesirable event. Such metrics would be useful to ensure resiliency. Step 4 results in the identification and assessment of relevant performance metrics by stakeholders that further assist in understanding and monitoring the health of the enterprise.

An example set of performance metrics to be used for the protection and resilience of CIs or dependent resources is provided in Table 1 and Table 2.

Table 1: Reference Metrics for Critical Infrastructure Protection.

Critical Infrastructure Protection

Factor | Definition | Effectiveness Metric
Detect | The measures implemented that determine if an unauthorized action has occurred or is occurring. | time to detect unauthorized access
Deter | The measures implemented that are perceived by the adversary as too difficult to defeat | # of (internally/externally) advertised security measures in place compared to actual occurrences
Neutralize | The measures implemented that prevent damage/disruption/exfiltration after an unauthorized action has occurred or is occurring. | # of unauthorized accesses or attacks contained (DMZ) / total unauthorized accesses or attacks
Reduce | The measures implemented that reduce the potential impact of an attack or unauthorized access | % reduction in attack surface

Table 2: Reference Metrics for Critical Infrastructure Resilience.

Critical Infrastructure Resilience

Factor | Definition | Effectiveness Metric
Resist | The measures implemented that withstand unauthorized actions or attacks | % of failed attempts (external)
Respond | The measures implemented that are enabled upon detection of unauthorized access | time to shut down services, access, or alter path upon detection of unauthorized access
Recover | The measures implemented that enable re-instatement of services after unauthorized attack | time to reinstate services after attack or disruption
Absorb | The measures implemented that contain or minimize the impact of an attack | % of detected attacks contained or quarantined
Adapt | The measures implemented that activate alternative services upon attack or detection of attack | % of service availability after attack; # of redundant systems for critical services
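To show how the Table 1 and Table 2 reference metrics, together with the threshold and objective parameters that Step 4 calls for, can be computed from incident records, here is an added Python example. It is not code from the paper or from the BASE m2d framework; the `Incident` record layout, the five sample incidents and the threshold/objective values are all constructed for illustration.

```python
"""Compute Table 1/Table 2 style effectiveness metrics from incident records and
classify each against a threshold (must not be breached) and an objective (target).
Added example: the incidents and the parameter values are constructed, not data
from the paper."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional


@dataclass
class Incident:
    started: datetime             # when the unauthorized action began (post-incident forensics)
    detected: Optional[datetime]  # when monitoring raised it; None if never detected
    blocked: bool                 # attempt failed outright at the perimeter (Resist)
    contained: bool               # stopped before damage/disruption/exfiltration (Neutralize, Absorb)
    restored: Optional[datetime]  # when normal service was reinstated; None if never disrupted
    availability_after: float     # fraction of critical services still available (Adapt)


T0 = datetime(2019, 10, 1)
H = timedelta(hours=1)

# Constructed sample: five incidents over five days.
INCIDENTS = [
    Incident(T0,          T0 + 1 * H,     False, True,  T0 + 3 * H,    0.9),
    Incident(T0 + 24 * H, T0 + 30 * H,    False, False, T0 + 54 * H,   0.5),
    Incident(T0 + 48 * H, T0 + 50 * H,    False, True,  T0 + 50.5 * H, 1.0),
    Incident(T0 + 72 * H, None,           False, False, None,          0.7),  # never detected
    Incident(T0 + 96 * H, T0 + 96.25 * H, True,  True,  None,          1.0),  # blocked, no outage
]


def hours(delta: timedelta) -> float:
    return delta.total_seconds() / 3600.0


def detection_ratio(incidents):
    """Detect: fraction of incidents that monitoring caught at all."""
    return sum(i.detected is not None for i in incidents) / len(incidents)


def mean_time_to_detect_hours(incidents):
    """Detect: mean hours from start of the unauthorized action to detection (detected incidents only)."""
    lags = [hours(i.detected - i.started) for i in incidents if i.detected is not None]
    return mean(lags) if lags else None


def resist_ratio(incidents):
    """Resist: fraction of attempts that failed outright (Table 2, '% of failed attempts')."""
    return sum(i.blocked for i in incidents) / len(incidents)


def containment_ratio(incidents):
    """Neutralize/Absorb: incidents contained divided by all incidents (Tables 1 and 2)."""
    return sum(i.contained for i in incidents) / len(incidents)


def mean_time_to_recover_hours(incidents):
    """Recover: mean hours from detection to reinstatement of service, for incidents that caused an outage."""
    lags = [hours(i.restored - i.detected) for i in incidents
            if i.detected is not None and i.restored is not None]
    return mean(lags) if lags else None


def service_availability(incidents):
    """Adapt: mean fraction of critical services available after an attack."""
    return mean(i.availability_after for i in incidents)


# (threshold, objective) per metric; constructed values. Where objective < threshold the
# metric is lower-is-better (times), otherwise higher-is-better (ratios).
PARAMETERS = {
    "detection_ratio": (0.90, 1.00),
    "mean_time_to_detect_hours": (24.0, 4.0),
    "resist_ratio": (0.10, 0.50),
    "containment_ratio": (0.50, 0.90),
    "mean_time_to_recover_hours": (8.0, 2.0),
    "service_availability": (0.80, 0.95),
}
METRICS = {
    "detection_ratio": detection_ratio,
    "mean_time_to_detect_hours": mean_time_to_detect_hours,
    "resist_ratio": resist_ratio,
    "containment_ratio": containment_ratio,
    "mean_time_to_recover_hours": mean_time_to_recover_hours,
    "service_availability": service_availability,
}


def status(value, threshold, objective):
    """Classify a metric value against its threshold/objective pair."""
    if value is None:
        return "no data"
    lower_is_better = objective < threshold
    meets = value <= objective if lower_is_better else value >= objective
    within = value <= threshold if lower_is_better else value >= threshold
    return "meets objective" if meets else "within threshold" if within else "breaches threshold"


def evaluate(incidents):
    """Return {metric: (value, status)} so a decision-maker sees where action is needed."""
    return {name: (fn(incidents), status(fn(incidents), *PARAMETERS[name]))
            for name, fn in METRICS.items()}


if __name__ == "__main__":
    for name, (value, verdict) in evaluate(INCIDENTS).items():
        print(f"{name:28s} {value} -> {verdict}")
```

With the constructed records, time to detect meets its objective while time to recover and the detection ratio breach their thresholds, which is the kind of outlier Step 4 wants surfaced before an undesirable event rather than after it.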

7.2 Step 5: Assess Multiple Dimensions/Perspectives (CI-HHM)

[Steps 5 and 6 are closely linked. Step 5 details the self-assessment process using HHM, which is required to calculate the Systems Security Effectiveness Index (SSEI), discussed in Step 6.]

Hierarchical Holographic Modeling (HHM) is one approach to multi-dimensional modeling (modeling from various, multiple perspectives). The philosophy of HHM is grounded in the fundamental principle that complex, large-scale systems such as CIs cannot be sufficiently appreciated or modeled in a planar or singular context. Haimes (1981) states:

“The HHM approach (philosophy) recognizes that no single vision or perspective of a system is adequate to represent a system and its component parts. Instead, the HHM approach identifies and coordinates multiple, complementary decompositions of a complex system.”

HHM was chosen for this study to incorporate societal, legislative, environmental, spatial and other relevant dimensional perspectives that may contribute to the strength or weakness of security posture. A CI/DR-HHM, developed for this research, is defined here as the HHM generated specifically for the purposes of evaluating CIs or dependent resources. The HHM categories and variables were extracted from a multitude of sources, to include the Department of Homeland Security NIPP.

The HHM philosophy provides comprehensive, multi-dimensional insight into an otherwise hidden problem/solution space to measure security effectiveness. This extensible CI/DR-HHM is provided with hierarchical and dimensional categories to allow the CI/DR owner/operator to perform a self-assessment of his/her infrastructure. Each category (threats, vulnerability, protection, resiliency and interdependency) is used by the stakeholders to assess the security measures currently in place or proposed. Each stakeholder responds to a series of the same questions from the perspective of their own discipline (e.g. engineer, IT specialist, doctor/nurse, hospital administrator, etc.). This includes a combined stakeholder threat and vulnerability analysis, for example, to determine the extent to which each discipline effectively implements measures to reduce vulnerabilities, employs threat modeling, plans for protection and resiliency, and considers interdependencies of other CIs and relevant resources. The strength (or weakness) of security measures employed by an organization is calculated based on a combined stakeholder self-assessment of each CI/DR-HHM category. The quantified results identify areas of deficiency, thus implying areas where improvements can be made. The CI owner or dependent resource facilitator should evaluate (weight and prioritize) each CI/DR-HHM category per their risk tolerance and goals.

Figure 3 illustrates the third order (hierarchical) graphical representation of the CI/DR-HHM, with general weights uniformly distributed among its five categories. Adjacent to each sub-category is the maximum weight at which a CI/DR owner/operator would self-assess the effectiveness of the security measures they have in place. The decision-maker combines the results of the self-assessment completed by multiple stakeholders (internal and external), such as risk managers, engineering, IT and medical professionals, to calculate the SSEI, described in Step 6.

Figure 3: HHM for Critical Infrastructure or Dependent Resources (CI/DR-HHM).

Using the CI/DR-HHM categories provided in Figure 3, relevant questions should be devised by the organization, and each question should have a measurable component for monitoring and improvement. Qualitative responses are elicited to questions such as “do we have measures in place to protect (blank)?” (yes/no) and “if so, what are they and are they sufficient?” Table 3 provides a general CI/DR-HHM scale to score the self-assessments for each category. A general SSEI scale was developed for this study to illustrate the concept (Table 3 and Table 4).

Table 3: CI/DR-HHM SSEI Scoring Scale (by Category).

SSEI | Threshold | Objective
Excellent | 0.17 | 0.20
Good | 0.13 | 0.16
Fair | 0.09 | 0.12
Poor | 0.05 | 0.08
Non-Existent | 0 | 0.04

Categories are identified as the main variables within the CI-HHM (threats, vulnerabilities, protections, resilience and interdependencies). Each of the five CI subset categories can have a maximum value of 20 percent (0.20).

Table 4: CI/DR-HHM SSEI Scoring Scale (Total).

SSEI | Threshold | Objective
Excellent | 0.80 | 0.100
Good | 0.60 | 0.79
Fair | 0.40 | 0.59
Poor | 0.20 | 0.39
Non-Existent | 0 | 0.19

The individual scores of the five categories are calculated from Figure 2 and Table 4, then combined for the overall CI-HHM score. This total will be used to select the current effectiveness level of the SSEI in Table 5.

A CI or enterprise can have a strength/weakness value per category in the range from 0 – 20 percent (0 – 0.20), as shown in Table 3. This weight or value implies that the enterprise has implemented security measures (for that category) to a certain level of effectiveness in accordance with their value proposition or goals. The results from the CI/DR-HHM category assessment ultimately contribute to the overall SSEI “score” (Table 4), or level of strength/weakness of an organization’s security posture. Subsequently, the SSEI is used within the BBN analysis to estimate impact. This step results in an understanding of specific areas of strength and weakness of the enterprise and facilitates the ability to better allocate resources to security measures identified as deficient, so as to reduce negative consequences.

7.3 Step 6: Assess Strength/Weakness (Calculate the SSEI)

The Systems Security Effectiveness Index (SSEI) is a calculated value, resulting from Steps 4 and 5, to understand (quantify) the relative security effectiveness and posture of CIs and/or dependent resources. This index is designed to allow owners/operators the ability to assess and communicate the strength and weakness of implemented and/or proposed security measures. The SSEI serves as an evaluation of the risk mitigation steps a CI or dependent resource has taken to protect against service disruptions. The BASE m2d framework is the vehicle developed to apply the index. We show how an organization can use its self-evaluation of security effectiveness to estimate the multi-order impact(s) of a CI service disruption.

The SSEI value is based on the risk management steps taken to reduce the probability of a successful attack. Emergency management personnel or decision-makers are to assess their effectiveness index based on the degree to which they implement measures and reduce risk identified in the CI/DR-HHM categories (Figure 3). Security measures should include people, process and technology, e.g. “what, if any, security measures do we have in place, in the form of people, processes and technology, to detect, deter, neutralize and reduce cyber/physical attacks?”

Table 5: Area of Improvement/Deficiency (Calculated SSEI).

Category | CI-HHM SSEI (overall) Effectiveness Score | Area for Improvement <difference>
Threat (max 0.20) | 0.155 | 0.045
  Accidental/Internal | 0.040 | 0.010
  Accidental/External | 0.035 | 0.015
  Intentional/Internal | 0.040 | 0.010
  Intentional/External | 0.040 | 0.010
Vulnerability (max 0.20) | 0.120 | 0.080
  Personnel | 0.025 | 0.025
  Physical | 0.030 | 0.020
  Operational | 0.040 | 0.010
  Info-Security | 0.025 | 0.025
Protection (max 0.20) | 0.178 | 0.022
  Detect | 0.048 | 0.002
  Deter | 0.050 | 0.000
  Neutralize | 0.045 | 0.005
  Reduce | 0.035 | 0.015
Resilience (max 0.20) | 0.156 | 0.044
  Resist | 0.028 | 0.012
  Respond | 0.037 | 0.003
  Recover | 0.021 | 0.019
  Absorb | 0.030 | 0.010
  Adapt | 0.040 | 0.000
Interdependency (max 0.20) | 0.136 | 0.064
  Internal | 0.095 | 0.005
  External | 0.041 | 0.059
Total | 0.745 | 0.255

Table 5 illustrates scores elicited from a Department of Energy (power) engineering expert. The CI/DR-HHM self-assessment scores resulted in an overall SSEI score of 0.745 (75%) out of a total possible score of 1.0 (100%). This particular CI owner, with appropriate stakeholders, assessed their category relative effectiveness scores as follows: Threat (0.155 of max possible 0.20), Vulnerability (0.120 of max 0.20), Protection (0.178 of max 0.20), Resilience (0.156 of max 0.20) and Interdependency (0.136 of max 0.20). Table 4 denotes that a score of 0.745 falls in the range of “good security posture.”

Table 6 also identifies a difference score (column 3), which denotes the area or room for improvement. Given the overall score of 0.745, there is a total area of improvement of 0.255. Specific areas can be identified to improve as the results are incorporated into the BBN model, e.g. the Vulnerability category self-assessment resulted in a difference score of 0.080 (the highest difference score). With an overall SSEI of 0.745, the BBN evaluation infers a “degraded” impact to the patient. To improve this potentially unacceptable impact, the CI operator would use the difference scores to take appropriate measures to increase overall security effectiveness, ultimately improving their protection and resiliency. Further explanation is provided in the BBN section to follow (Step 7).
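The Step 5 and Step 6 procedure, from sub-category self-assessment scores through category totals, rating against the Table 3 and Table 4 scales, and the difference column, is small enough to work through in code. The following is an added Python example, not code from the paper: the scores are the Table 5 values, the scale bands are Tables 3 and 4, and the function names, the validation check and the reading of the Table 4 Excellent objective as 1.00 are this example's own assumptions.

```python
"""SSEI from a CI/DR-HHM self-assessment: per-category totals, area for improvement,
and rating against the Table 3 (category) and Table 4 (total) scales.
Added example: scores are the paper's Table 5 values; function names are this example's own."""

CATEGORY_MAX = 0.20   # each of the five categories carries at most 0.20 (Table 3 note)

# (label, threshold, objective) bands, highest first. Table 4 prints the Excellent
# objective as "0.100"; it is taken here as 1.00, the total possible score (assumption).
CATEGORY_SCALE = [("Excellent", 0.17, 0.20), ("Good", 0.13, 0.16), ("Fair", 0.09, 0.12),
                  ("Poor", 0.05, 0.08), ("Non-Existent", 0.00, 0.04)]
TOTAL_SCALE = [("Excellent", 0.80, 1.00), ("Good", 0.60, 0.79), ("Fair", 0.40, 0.59),
               ("Poor", 0.20, 0.39), ("Non-Existent", 0.00, 0.19)]

# Table 5 sub-category scores (elicited from a Department of Energy power engineering expert).
TABLE5 = {
    "Threat": {"Accidental/Internal": 0.040, "Accidental/External": 0.035,
               "Intentional/Internal": 0.040, "Intentional/External": 0.040},
    "Vulnerability": {"Personnel": 0.025, "Physical": 0.030, "Operational": 0.040, "Info-Security": 0.025},
    "Protection": {"Detect": 0.048, "Deter": 0.050, "Neutralize": 0.045, "Reduce": 0.035},
    "Resilience": {"Resist": 0.028, "Respond": 0.037, "Recover": 0.021, "Absorb": 0.030, "Adapt": 0.040},
    "Interdependency": {"Internal": 0.095, "External": 0.041},
}


def subcategory_max(category_scores):
    """Category weight split evenly over its sub-categories (0.05 for four, 0.04 for five, 0.10 for two)."""
    return CATEGORY_MAX / len(category_scores)


def validate(assessment):
    """Reject a self-assessment score that exceeds its sub-category maximum or is negative."""
    for category, subs in assessment.items():
        limit = subcategory_max(subs)
        for name, score in subs.items():
            if not 0.0 <= score <= limit + 1e-9:
                raise ValueError(f"{category}/{name}: score {score} outside [0, {limit:.3f}]")


def category_totals(assessment):
    """Sum of sub-category scores per category (Table 5 bold rows)."""
    validate(assessment)
    return {cat: round(sum(subs.values()), 3) for cat, subs in assessment.items()}


def ssei(assessment):
    """Overall SSEI: sum of the five category totals (max 1.0)."""
    return round(sum(category_totals(assessment).values()), 3)


def rate(score, scale):
    """Map a score to the first band whose threshold it reaches (bands listed highest first)."""
    for label, threshold, _objective in scale:
        if score >= threshold:
            return label
    return scale[-1][0]


def area_for_improvement(assessment):
    """Table 5 'difference' column: distance of each category from its 0.20 maximum, largest first."""
    gaps = {cat: round(CATEGORY_MAX - total, 3) for cat, total in category_totals(assessment).items()}
    return sorted(gaps.items(), key=lambda kv: kv[1], reverse=True)


def subcategory_gaps(assessment):
    """The same difference at sub-category level, so a deficiency can be traced to a specific measure."""
    gaps = []
    for cat, subs in assessment.items():
        limit = subcategory_max(subs)
        gaps.extend(((cat, name), round(limit - score, 3)) for name, score in subs.items())
    return sorted(gaps, key=lambda kv: kv[1], reverse=True)


def report(assessment):
    total = ssei(assessment)
    lines = [f"Overall SSEI {total:.3f} -> {rate(total, TOTAL_SCALE)}"]
    for cat, gap in area_for_improvement(assessment):
        score = CATEGORY_MAX - gap
        lines.append(f"  {cat:16s} {score:.3f} ({rate(score, CATEGORY_SCALE)}), room {gap:.3f}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(TABLE5))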

Table 6: SSEI Assessment.

Given our implemented security measures, were our penetration methods able to assess the following (in regards to cyber or physical (natural or manmade) attacks)?

Protection | Resiliency
Detect | Resist
Deter | Respond
Neutralize | Recover
Reduce | Absorb
– | Adapt

The examination of dimensional (category) elements of the CI/DR-HHM is critical to the overall comprehensive security effectiveness evaluation. This research reveals that societal, environmental, legislative and stakeholder perspectives and actions contribute to either strengthening or weakening protection and/or resiliency measures. An example of assessing security measures from a dimensional (stakeholder) perspective follows.

Example: HHM-Stakeholder Dimension: The questions in Table 6 should be asked from the perspective of each stakeholder (engineer, IT professional, CI owner/operator, physical security, etc.).

A complete self-assessment would follow the same logic and questioning from the perspective of other dimensions, e.g. for the legislation/governance/policy dimension, “are there laws/standards/policies in place (in the form of people, processes or technology) that enable or prevent our ability to detect, deter, neutralize or reduce cyber/physical threats?” If so, what are they and are they strategically employed to protect our security goal(s)? This step exits with an SSEI score to be incorporated next into the BBN analysis.

8 The Model

8.1 Step 7: Assess Impact Likelihood (Construct the BBN)

In this study, a Bayesian Belief Network (BBN) is generated illustrating the dependencies and potential impacts of successful penetrations originating from CIs. The BBN is used here for its ability to account for uncertainty and the limited available data on CI probability of attacks and interdependency/impact data. In general, BBNs can be used as visual representations of physical and/or logical access into and within an enterprise, information system network, CI, or dependent resource. They are graphical illustrations of probabilistic dependencies (links) between variables (nodes). Similarly, an attack graph illustrates all paths that an attacker may exploit, both virtually and physically, to access the target, which, as discussed in Frigault’s work (2010), can be represented as a Directed Acyclic Graph (DAG). The DAG and the dependencies are such that any node, given its parents within the graph, is independent of its non-descendants (Pearl 1988).

BBNs employ the fundamental premise of the Bayes Theorem:

$$P(A \mid B) = \frac{P(B \mid A)\,P(A)}{P(B)}$$

$$P(\text{hypothesis} \mid \text{evidence}) = \frac{P(\text{evidence} \mid \text{hypothesis})\,P(\text{hypothesis})}{P(\text{evidence})}$$

The stated probability of an event or hypothesis is conditional on the available/known evidence in the relevant context. This condition is made explicit by the notation P(A|B), which reads as “the probability of event A given the evidence B.” BBN is a method for understanding evidence in the context of previous knowledge or experience (Pearl 1988). The utility of BBNs has become increasingly popular over the past decade in various fields of study to demonstrate reliability, predictions, diagnosis, and decision analysis, among other uses.

A BBN attack graph is provided at its highest level of nodal hierarchy, mapping the CI interdependencies of a Healthcare and Public Health (HPH) CI sector element (e.g. hospital). Figure 4 is offered as a simplified example to help understand and elucidate this research’s use of BBN. The fundamental question for analysis is “what is the probability of a hospital patient’s degraded health (with the possibility of death) given an attack on the power plant and/or the water facility on which the patient ultimately depends?” This is determined by identifying, through expert judgment or historical data, the marginal probability of an attack on nodes B, C and D, and subsequently calculating the joint probability to determine the potential impact to node E (using Bayes Theorem). Upon calculating the probability of an attack on the hospital, that assessment is propagated toward computing the probability of its associated links (F and G). The joint probability of nodes F and G is then calculated to assess the vulnerability of H, the hospital patient’s degraded health or death.

Figure 4: Simplified BBN.

The assessment of each node is iteratively improved given updated data/knowledge for that node, thus continuously reducing the uncertainty and adding more information fidelity for decision making. Although this study considers each CI as a black box, it should be noted that one will increase the fidelity of a node by examining the hierarchy within each node. Internal to each node one would consider an aggregate of factors such as security measures currently in place, historical attack data that may be available for that node, etc., ultimately providing additional insight into the “strength” weight or security effectiveness level for that node, assessing it to be less/more vulnerable to penetration.

For this study, the proof of concept is demonstrated by using historical and relative notional data (prior probabilities), while the unknown values are calculated through the Bayesian software simulation tool Netica v5.15 (http://www.norsys.com/index.html) to infer the CI interdependency impacts to dependent resources.

The case is considered where the essential interdependent CIs of the hospital have performed their self-assessment of security effectiveness per the CI-HHM provided and have scored themselves accordingly. To demonstrate the model’s functionality, a reduced structure of the BBN is illustrated (Figure 4) after performing a sensitivity analysis using the nine total CIs that a hospital depends on for services according to the NIPP. The model structure and preliminary results were vetted by medical professionals to confirm that the model and various scenarios correctly represented their expectations.

The Conditional Probability Tables (CPT) and prior probabilities used in the hospital patient healthcare BBN model were generated using data obtained from combined sources: medical professionals, NIPP, DoE, DHS, Verisign, SSP, Verizon Breach Reports, Symantec, and EPA, along with best estimates and theoretical data from scenario analysis. Illustrated in the Figure 4 BBN are various security effectiveness states of the CIs, given a successful DoS Attack or No_Attack (on the Power CI), resulting in either No_Effect, Partial_Shutdown, or Complete_Shutdown. The following definitions provide further understanding of the “what-if” scenario analysis model: No_Effect is defined as an event/attack having no significant impact/disruption, while a Partial_Shutdown indicates that the main source has been impacted and services are only being provided by the backup or a temporary alternate source. A Complete_Shutdown indicates that both the main source and the backup are no longer providing service.

In Figure 5, the basic structure of the BBN with links is illustrated from the interdependent CIs and their association to the hospital, subsequently noting the links from the hospital to the medical devices on which a patient may be dependent to sustain life. Also noted are the network nodes that indicate a successful Attack or No_Attack on a CI, highlighted in red.


Figure 5: Representation of BASE m2d Model of DoS Attack on CIs (w/o SSEI).

The CI_DoS Attack nodes are shown in red. Upon compilation, the dependent nodes are then calculated to assess the potential impact to the hospital and subsequently to the patient. The patient is assumed to be in the ICU and totally dependent on the medical device (dialysis, ventilator, etc.). This model structure allows one to assess the impact to either the hospital or the patient target node of interest. Additional nodes can be added, ultimately adding to the complexity of the interdependent nature of the CI, enterprise or organization.

The estimated self-assessment from each CI is now folded into the SSEI nodes, indicating the CI’s strength or weakness. Until the SSEI rating/score is entered, the BBN model assumes a uniform distribution, essentially stating that the score is unknown at the time of compilation. Upon knowing/evaluating the respective CI’s SSEI or posture, that value is inserted as a Finding or Evidence in the model. The other CIs will be estimated or varied to perform an appropriate “what-if” scenario analysis. As more evidence or data is known or observed, the results of the model are improved. This step results in estimating the likelihood of impact to a patient given a cascading failure from a DoS attack on a CI.

BASE m2d allows the decision-maker to assess from either the CI or the dependent resource, i.e. “illustrate how the CI’s SSEI strength/weakness potentially impacts the hospital or the patient.” An operator could go further to assess or determine “what is the minimum SSEI one could have so as to not have a critical impact?” The scenarios to be evaluated are numerous, each potentially enabling the decision-maker to make more informed and proactive improvements for better protections.

Figure 6 illustrates how SSEI HHM (blue nodes) assessments can be used to make decisions that ultimately improve a CI element’s security posture. Upon determining the SSEI score from the self-assessment, the CI-HHM BBN model was used to evaluate impacts to a CI facility, dependent hospital or patient given a successful DoS. Figure 6 also illustrates how the Water CI and Communication CI have experienced a successful penetration, which yields a “Poor” relative effectiveness index. The model indicates that given a “Poor” index, the probability of Complete_Shutdown on Water and Communications is 43.2% and 31.3%, respectively, given a successful DoS attack on Power (due to their interdependence). Additionally, the impact to the hospital is noted as having a 45.5% probability of providing “No_Service” to dependent resources given the CI vulnerabilities. Subsequent actions by the hospital to improve the index should result in a lower likelihood of the hospital providing “No_Service”.


Figure 6: Representation of SSEI Analysis given DoS Attack on Power CI.

Further analysis revealed a 43% probability of potential “critical” impact to the patient. A “critical” impact score to the patient indicates a life-threatening result due to the grave nature of the patient’s condition and their total dependence on the medical device that is providing services. Given an unsatisfactory score of potential patient impact, the SSEI self-assessment (difference scores) that was previously performed is re-assessed. This re-assessment specifically seeks to target/improve security measures that would strengthen protection or reduce the impact to the target goal (patient). This evaluation is an iterative process with the goal of continual, targeted security effectiveness improvement.

Decisions can be made given various trades from the scenario analysis, taking into account the security goal, risk priorities and budget constraints. The “difference scores” indicated in the SSEI table allow the CI operator to strategically target specific areas of improvement for better protections.

8.2 Steps 8–10: Decision Analysis

The decision-maker has now examined, based on his security goals, “What can go wrong and its impact?” (Steps 1–6), “How likely is it to go wrong?” (Step 7), and “What are the possible outcomes?” (Steps 1–7). From Step 7, we have learned the likelihood of impact to the patient in the event of a CI DoS attack. Steps 8–10 use this information to make strategic decisions based on relevant goals. Upon estimating the risk to the patient, as categorized in the model (Step 8), the decision-maker proceeds to Step 9 to determine if the risk is acceptable to sustain life until alternative protective or resilient measures take effect. Step 10 responds to the respective answer: if “Yes,” re-assess periodically for new threats or assessments; if “No,” implement new/additional measures based on the self-assessment risk analysis (difference scores).
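A toy version of the Figure 5–6 “what-if” chain (DoS on Power, dependent Water and Communications CIs with SSEI nodes, hospital, ICU patient) together with the Step 9 acceptability check, written here as an added example; it is not the paper’s BASE m2d model, every prior and CPT value is constructed, and the node names, the three-level SSEI rating and the function names are assumptions.

```python
"""Toy BASE m2d-style BBN: DoS on Power -> dependent CIs (Water, Comms) -> hospital -> patient.
Every prior and CPT below is constructed for illustration; the paper's tables are not reproduced."""
from itertools import product
CI_STATES = ["No_Effect", "Partial_Shutdown", "Complete_Shutdown"]
SSEI_STATES = ["Poor", "Fair", "Good"]          # ordered weakest -> strongest
HOSP_STATES = ["Full_Service", "Reduced_Service", "No_Service"]
# P(CI state | Power_DoS, the CI's own SSEI rating): constructed rows over CI_STATES.
CI_CPT = {
    ("No_Attack", "Poor"): [0.90, 0.08, 0.02], ("Attack", "Poor"): [0.25, 0.35, 0.40],
    ("No_Attack", "Fair"): [0.95, 0.04, 0.01], ("Attack", "Fair"): [0.50, 0.35, 0.15],
    ("No_Attack", "Good"): [0.98, 0.015, 0.005], ("Attack", "Good"): [0.75, 0.20, 0.05],
}
# P(Hospital | Water, Comms): constructed rows over HOSP_STATES, worse as either CI degrades.
HOSPITAL_CPT = {
    ("No_Effect", "No_Effect"): [0.95, 0.04, 0.01],
    ("No_Effect", "Partial_Shutdown"): [0.80, 0.17, 0.03],
    ("No_Effect", "Complete_Shutdown"): [0.60, 0.30, 0.10],
    ("Partial_Shutdown", "No_Effect"): [0.70, 0.25, 0.05],
    ("Partial_Shutdown", "Partial_Shutdown"): [0.50, 0.35, 0.15],
    ("Partial_Shutdown", "Complete_Shutdown"): [0.30, 0.40, 0.30],
    ("Complete_Shutdown", "No_Effect"): [0.30, 0.40, 0.30],
    ("Complete_Shutdown", "Partial_Shutdown"): [0.15, 0.40, 0.45],
    ("Complete_Shutdown", "Complete_Shutdown"): [0.05, 0.25, 0.70],
}
# P(Patient | Hospital) for an ICU patient totally dependent on a medical device: (Stable, Critical).
PATIENT_CPT = {("Full_Service",): [0.97, 0.03], ("Reduced_Service",): [0.70, 0.30],
               ("No_Service",): [0.20, 0.80]}
# (node, parents, states, cpt). SSEI nodes stay uniform until a Finding is entered as evidence.
NETWORK = [
    ("Power_DoS", (), ["No_Attack", "Attack"], {(): [0.5, 0.5]}),
    ("SSEI_Water", (), SSEI_STATES, {(): [1 / 3] * 3}),
    ("SSEI_Comms", (), SSEI_STATES, {(): [1 / 3] * 3}),
    ("Water", ("Power_DoS", "SSEI_Water"), CI_STATES, CI_CPT),
    ("Comms", ("Power_DoS", "SSEI_Comms"), CI_STATES, CI_CPT),
    ("Hospital", ("Water", "Comms"), HOSP_STATES, HOSPITAL_CPT),
    ("Patient", ("Hospital",), ["Stable", "Critical"], PATIENT_CPT),
]

def joint(assign):
    """Probability of one full assignment: product of each node's CPT entry given its parents."""
    p = 1.0
    for name, parents, states, cpt in NETWORK:
        p *= cpt[tuple(assign[q] for q in parents)][states.index(assign[name])]
    return p

def query(target, evidence):
    """P(target | evidence) by exact enumeration; evidence is a dict of Findings (node -> state)."""
    names = [n[0] for n in NETWORK]
    dist = {}
    for combo in product(*[n[2] for n in NETWORK]):
        assign = dict(zip(names, combo))
        if all(assign[k] == v for k, v in evidence.items()):
            dist[assign[target]] = dist.get(assign[target], 0.0) + joint(assign)
    total = sum(dist.values())
    return {s: v / total for s, v in dist.items()}

def min_ssei_for_patient(max_critical, evidence=None):
    """Step 9: weakest Water SSEI keeping P(Critical | DoS on Power) <= max_critical; None = Step 10 'No'."""
    for rating in SSEI_STATES:
        ev = dict(evidence or {}, Power_DoS="Attack", SSEI_Water=rating)
        if query("Patient", ev)["Critical"] <= max_critical:
            return rating
    return None
if __name__ == "__main__":
    print(query("Patient", {"Power_DoS": "Attack", "SSEI_Water": "Poor"}), min_ssei_for_patient(0.25))
```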

The BASE m2d methodology seeks to empower emergency management personnel with the ability to make risk-informed decisions given the realities of the world we live in today: uncertainty; sophisticated adversaries; limited data; adaptive, complex, interdependent infrastructure. With the insight gained from using the multi-dimensional approach, we have potentially uncovered otherwise hidden areas of risk. Coupled with BBN, the user can operationalize the stakeholder information to make strategic decisions.

9 Future Research

The SSEI scale can be improved, verified and validated by CI owners/operators and further assessed against previous cases of enterprises or CIs that have experienced DoS attacks to test predictability and reliability.

This research also recommends that for a complex, interdependent system of CIs to effectively provide critical services to dependent resources, more effective and efficient standards need to be implemented: standards that mandate that CIs communicate (share information) across CIs and to those that depend on their services, in accordance with a security effectiveness taxonomy understood by the impacted community of stakeholders. The SSEI concept introduced in this research, if further developed, would allow CIs to communicate in a common language, at a confidential or sensitive information level if necessary. This would allow appropriate security measures to be considered from the perspective of a CI’s own internal security effectiveness evaluation, as well as the security effectiveness levels/evaluations of the external interdependent sources. As an example, during the individual self-assessment, knowing the SSEI of other CIs as well as your own SSEI would more accurately aid decision-makers in a more efficient allocation of resources to effectively maintain their security goal/target at an acceptable level of protection with the appropriate resiliency, given a successful penetration or attack. For example, if a CI that is providing critical services has an SSEI of 0.65, a dependent resource may want to ensure that its own internal/individual SSEI compensates for the weakness of that CI, potentially with a more immediate failover system for power, or by maintaining a larger back-up water source or a more robust filtration system.

10 Conclusion & Implications of Research for Health and Emergency Preparedness

Strategic and proactive solutions that mitigate CI service interruptions and evaluate potential impacts if a disruption does occur are invaluable for disaster prevention. BASE m2d gives CI owners/operators the capability to proactively assess their situational awareness or security posture through scenario analysis, strategically based on the organization’s security goals. The ability to quantify the potential impacts to a critically-ill hospital patient using numeric and qualitative data is instrumental for decision-makers seeking to preemptively execute necessary security measures to demonstrate emergency preparedness in the event of a DoS. For hospitals, maintaining public health by providing continuity of services and ultimately preserving human life is of the highest priority; this is followed closely by the goal of maintaining the confidentiality and integrity of patient records and billing information. This framework provides CI owners and dependent resources with a tool to assess the external and internal nth-order dependencies and impacts to ensure emergency preparedness through various scenarios or what-if analysis [e.g. assess how the degradation in power and/or water services may impact the ability of a hospital to provide necessary services to a patient to sustain life]. The approach also allows for an analysis of impact(s) between the CIs [e.g. how degradation in power may impact water resources and/or communications]. Further, the source of these impacts can easily go undetermined without multi-order interdependency risk analyses.

Probabilistic modeling has been proven beneficial in evaluating complex environments or systems (Di Giorgio and Liberati 2011). The implementation of a BBN allows for realistic situations where there is uncertainty or limited data available, which is often the case when designing/modeling predictive scenarios to understand the cascading effects of potential natural disasters or various cyber threat events. The fusion of a qualitative component (HHM) with BBN modeling further contributes to the realism of the overall system assessment, adding more fidelity from the observations/evidence. BBNs assist in identifying the most critical components of a system and the most probable hazardous scenarios. Joined with the SSEI, decision-makers can identify the most vulnerable components of the system they hope to protect, thus understanding where security measures may need to be strengthened.

Although this framework is demonstrated using a specific threat (DoS) to assess a specific purpose (impact to public health) given various possible vulnerabilities (people, processes, tools, networks or physical assets), the applications of this approach extend beyond what is demonstrated here.

References

Ayyub, Bilal M., Peter G. Prassinos, and John Etherton. 2010. “Risk-Informed Decision Making.” Mechanical Engineering 132 (1): 28–33.
Bayuk, Jennifer, and Ali Mostashari. 2013. “Measuring Systems Security.” Systems Engineering 16: 1–14.
Bloomfield, R., N. Chozos, and P. Nobles. 2009. Infrastructure Interdependency Analysis: Introductory Research Review. Adelard LLP.
Borum, R., J. Felker, S. Kern, K. Dennesen, and T. Feyes. 2015. “Strategic Cyber Intelligence.” Information and Computer Security 23 (3): 317–332.
Department of Homeland Security. 2016. http://www.dhs.gov/healthcare-and-public-health-sector.
Di Giorgio, Alessandro, and Francesco Liberati. 2011. “Interdependency Modeling and Analysis of Critical Infrastructures Based on Dynamic Bayesian Networks.” In 2011 19th Mediterranean Conference on Control & Automation (MED), Corfu, Greece, 791–797. IEEE.
Dimase, D., Z. A. Collier, K. Heffner, and I. Linkov. 2015. “Systems Engineering Framework for Cyber Physical Security and Resilience.” Environment Systems & Decisions 35 (2): 291–300.
Eusgeld, I., C. Nan, and S. Dietz. 2011. “‘System-of-Systems’ Approach for Interdependent Critical Infrastructures.” Reliability Engineering & System Safety 96: 679–686.
Frigault, Marcel. 2010. Measuring Network Security Using Bayesian Network-Based Attack Graphs. Ph.D. diss., Concordia University (Canada).
Gass, Saul I. 2005. “Model World: The Great Debate-MAUT versus AHP.” Interfaces 35 (4): 308–312. Accessed February 27, 2015. http://search.proquest.com/docview/217112431?accountid=11243.
Ghorbani, A. A., and E. Bagheri. 2013. “The State of the Art in Critical Infrastructure Protection: A Framework for Convergence.” International Journal of Critical Infrastructures 4 (3): 215–244.
Haimes, Yacov Y. 1981. “Hierarchical Holographic Modeling.” IEEE Transactions on Systems, Man, and Cybernetics 11 (9): 606–617.
Haimes, Yacov Y. 2004. Risk Modeling, Assessment, and Management. Hoboken, NJ: Wiley-Interscience.
Haimes, Y. Y., J. Lambert, Duan Li, R. Schooff, and V. Tulsiani. 1995. “Hierarchical Holographic Modeling for Risk Identification in Complex Systems.” In 1995 IEEE International Conference on Systems, Man and Cybernetics. Intelligent Systems for the 21st Century.
Hubbard, Douglas W. 2010. How to Measure Anything: Finding the Value of “Intangibles” in Business. 2nd ed. Hoboken, NJ: Wiley.
Jaquith, Andrew. 2007. Security Metrics: Replacing Fear, Uncertainty, and Doubt. Upper Saddle River, NJ: Addison-Wesley.
Kozik, Rafał, Michał Choraś, and Witold Hołubowicz. 2010. “Fusion of Bayesian and Ontology Approach Applied to Decision Support System for Critical Infrastructures Protection.” In Mobile Lightweight Wireless Systems. Springer Berlin Heidelberg.
Lewis, T. G. 2015. Critical Infrastructure Protection in Homeland Security: Defending a Networked Nation. Hoboken, NJ: Wiley.
National Association of County and City Health Officials (NACCHO). 2014. Cyber Attack on U.S. Hospital Group Highlights Vulnerability of Critical Infrastructure. Accessed February 19, 2019. http://nacchopreparedness.org/cyber-attack-on-u-s-hospital-group-highlights-vulnerability-of-sector/.
National Association of County and City Health Officials (NACCHO). 2015. The Role of Local Public Health in Healthcare Critical Infrastructure Protection. Accessed February 19, 2019. http://nacchopreparedness.org/the-role-of-local-public-health-in-healthcare-critical-infrastructure-protection/.
National Association of County and City Health Officials (NACCHO). 2016. The Public Health Emergency Preparedness Landscape: Findings from the 2016 Preparedness Profile Assessment. Accessed February 19, 2019. https://nacchopreparedness.org/the-public-health-emergency-preparedness-landscape-findings-from-the-2016-preparedness-profile-assessment/.
National Institute of Standards and Technology (NIST). 2014. Framework for Improving Critical Infrastructure Cybersecurity.
Ouyang, M. 2014. “Review on Modeling and Simulation of Interdependent Critical Infrastructure Systems.” Reliability Engineering & System Safety 121: 43–60.
Pearl, Judea. 1988. Probabilistic Reasoning in Intelligent Systems: Networks of Plausible Inference. San Mateo, Calif.: Morgan Kaufmann Publishers.
Pederson, P., D. Dudenhoeffer, S. Hartley, and M. Permann. 2006. “Critical Infrastructure Interdependency Modeling: A Survey of US and International Research.”
Pettigrew, J., J. Ryan, K. Salous, T. Mazzuchi, and W. Dc. 2009. Decision-Making by Effective Information Security Managers.
Rinaldi, S. M., J. P. Peerenboom, and T. K. Kelly. 2001. “Identifying, Understanding, and Analyzing Critical Infrastructure Interdependencies.” IEEE Control Systems Magazine 21 (6): 11–25.
Roberts, Steven. 2004. “Tips and Trends for Homeland Security and Critical Infrastructure Protection.” Journal of Homeland Security and Emergency Management 1 (4): Article 405.
Ryan, J. J. C. 2004. “Information Security Tools and Practices: What Works?” IEEE Transactions on Computers 53 (8): 1060–1063.
Sanders, W. 2014. “Quantitative Security Metrics: Unattainable Holy Grail or a Vital Breakthrough Within Our Reach.” IEEE Security & Privacy 12 (2): 67–69.
Satumtira, G., and L. Dueñas-Osorio. 2010. “Synthesis of Modeling and Simulation Methods on Critical Infrastructure Interdependencies Research.” In Sustainable Infrastructure Systems: Simulation, Imaging, and Intelligent Engineering, edited by K. Gopalakrishnan and S. Peeta. New York: Springer-Verlag.
Sikula, Nicole R., James W. Mancillas, Igor Linkov, and John A. McDonagh. 2015. “Risk Management is not Enough: A Conceptual Model for Resilience and Adaptation-Based Vulnerability Assessments.” Environment Systems & Decisions 35 (2): 219.
Symantec. 2010. Critical Infrastructure Protection Study (Global Results), October 2010.
The White House. 2013. Executive Order 13636 – Improving Critical Infrastructure Cybersecurity. https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity.
U.S. Government Accountability Office. 2011. “Cybersecurity: Continued Attention Needed to Protect Our Nation’s Critical Infrastructure and Federal Information Systems.” GAO-11-463T.
U.S. Government Accountability Office. 2012a. Critical Infrastructure Protection: Cybersecurity Guidance Is Available, but More Can Be Done to Promote Its Use. GAO-12-92. Washington, D.C., December 9, 2011.
U.S. Government Accountability Office. 2012b. Cybersecurity: Threats Impacting the Nation. GAO-12-666T. Washington, D.C., April 24, 2012.
U.S. Government Accountability Office. 2013. Cybersecurity: A Better Defined and Implemented National Strategy Is Needed to Address Persistent Challenges. GAO-13-462T. Washington, D.C., March 7, 2013.
U.S. Government Accountability Office. 2015a. Critical Infrastructure Protection: Measures Needed to Assess Agencies’ Promotion of the Cybersecurity Framework. GAO-16-152. Washington, D.C., December 17, 2015.
U.S. Government Accountability Office. 2015b. Cybersecurity: Actions Needed to Address Challenges Facing Federal Systems. GAO-15-573T. Washington, D.C., April 22, 2015.
U.S. Government Accountability Office. 2017. Information Security: DHS Needs to Continue to Advance Initiatives to Protect Federal Systems. GAO-17-518T. Washington, D.C., March 28, 2017.
Vugrin, E., D. Warren, Mark A. Ehlen, and R. Chris Camphouse. 2010. “A Framework for Assessing the Resilience of Infrastructure and Economic Systems.” In Sustainable and Resilient Critical Infrastructure Systems, edited by K. Gopalakrishnan and S. Peeta, 77–116. Berlin Heidelberg: Springer.
Zio, Enrico. 2016. “Challenges in the Vulnerability and Risk Analysis of Critical Infrastructures.” Reliability Engineering & System Safety 152: 137–150. ISSN 0951-8320.
