sandro bologna aiic coordinatore gdl resilienza ......question: resilience of what, to what and for...
TRANSCRIPT
L R ili d ll I f t tt C iti h La Resilienza delle Infrastrutture Critiche Introduzione alle Linee Guida AIIC
Sandro BolognaAIIC Coordinatore GdL Resilienza Infrastrutture Critiche
Membri del GdL: Glauco Bertocchi, Giulio Carducci, Luigi Carrozzi, Simona Cavallini, Alessandro Lazari, Gabriele Oliva, Alberto Traballesi
AIIC ColloquiaProtezione Infrastrutture Critiche – dove guardare & dove investireRoma 30 Marzo 2017Roma 30 Marzo, 2017
1
2http://www.infrastrutturecritiche.it/new/media-files/2016/04/Guidelines_Critical_Infrastructures_Resilience_Evaluation.pdf
Th t d V l biliti f C l I f t t t N t l H dThreats and Vulnerabilities of Complex Infrastructures to Natural Hazards
England August 2004 (Boscastle Village) England August 2004 (Boscastle Village) Gudrun January 2005 (Sweden, Norway, Finland, ........) Kyrill January 2007 /Germany Austria Ceck ) Kyrill January 2007 /Germany, Austria, Ceck, ........) Klaus January 2009 (France, Spain, ....) Japan Earthquake March 2011 (Japan, magnitude 9.0)p q ( p , g ) Sandy Thunderstorm December 2012 (New York) England Floods 2015 (Lancashire, Yorkshire) Central Italy Earthquake and Snowfall January 2017
3
Threats and Vulnerabilities of Complex Infrastructures to Accidental Faults
• Toulouse (France) September 2001• Liege (Belgium) October 2002• Liege (Belgium) October 2002• Priolo (Italy) April 2006• Coryton (UK) October 2007y ( )• Viareggio (Italy) June 2009• Deepwater Horizon oil spill (2010)• Fukushima (Japan) March 2011• West Texas (USA) April 2013• Binhai (PRC) August 2015• Binhai (PRC) August 2015
4
Threats and Vulnerabilities of Complex Infrastructures to Terrorist Attacks
• United States September 2001• Madrid (Spain) March 2004
L d (UK) J l 2005• Londra (UK) July 2005• Mumbai (India) 2008• In Amenas (Algeria) 2013In Amenas (Algeria) 2013
5
Threats and Vulnerabilities of Complex Infrastructures to Cyber Attacks
• US - 2006: Hacker penetrated the Water Filtering Plant’s production system
• Estonia 2007: Including banks, ministries, newspapers and broadcasters organizationsUS 2009 Comp te Spies B each • US – 2009 Computer Spies Breach Fighter-Jet Project
• Iran- 2010: Stuxnet• 2011 Anonymous’ Cyber Attack on • 2011 Anonymous Cyber Attack on
Sony• 2012 Saudi Aramco cyber attack• 2014 Germany Steel Mill2014 Germany Steel Mill• 2015 Ukrainian black out
6
Adopted Infrastructure Resilience definition
“Infrastructure resilience is the ability to reduce the magnitude and/or duration of disruptive events Themagnitude and/or duration of disruptive events. The effectiveness of a resilient infrastructure or enterprise depends upon its ability to anticipate, absorb, adapt to, and/or rapidly recover from a potentially disruptive event.” (NIAC 2009 Critical Infrastructure Resilience: Final Report and Recommendations)Final Report and Recommendations)http://www.dhs.gov/xlibrary/assets/niac/niac_critical_infrastructure_resilience.pdf
7
Graphycal Representation of Resilience A negative event occurres (i.e. a threat exploits the
vulnerability of a given component)
The system detects the occurrency of negative event
The system reacts to the negative event and tries to recoverits state
Source: ANL/DIS-12-1 Resilience: Theory and Applications
8
Question: Resilience of what to what and for whom?9
Question: Resilience of what, to what and for whom?To assess a system’s resilience, one must specify which system configuration and which
disturbances are of interest
Question: Resilience of what, to what and for whom?T t ’ ili t if hi h t fi ti d hi hTo assess a system’s resilience, one must specify which system configuration and which
disturbances are of interest10
Question: Resilience of what to what and for whom?11
Question: Resilience of what, to what and for whom?To assess a system’s resilience, one must specify which system configuration and which
disturbances are of interest
A Critical Infrastructure is not only made of technologies butespecially of people, processes and organizations.R ili t t k i id ti ll th tResilience must take in consideration all these components,plus cultural background, to be complete and successful.
Organization
Govern
Processes
People TechnologyUsesPeople Technology
Source: Adapted from the USC Marshall School of Business Institute for Critical Information Infrastructure Protection
Resilience Dimensions
Thecnical Resilience Capacities
Personal
Resilience Capacities
P di ti
Organizational
Predictive
AbsorbtiveResilience Features
Cooperation
Reactive
Restorative
Redundancy Robustness Segregation
Hierarchical Representation of the Infrastructure Resilience Model13
Four Dimensions of Resilience
Cooperative Resilience
Four Dimensions of Resilience
Organizational Resilienceg
Personal Resilience
Technical (Logical & Physical) Resilience
RTU SCADA BIOMETRIC ID
LANPLC
I b ildi d l ti ili th t ib ti d b h f th f
DATABASECCTV TOUCH ID
In building and evaluating resilience the contribution made by each of these four dimensions needs to be considered
i
Monitoring
i i
RePreventive Training
Alarms
Robustness
esil
Technical Absorptive Redundancy
Segregation
ien
R ili
Adaptive ………….
Restorative ………….
ce
IResilience Personal …………… ……………………
Organisation ……………… ……………….
Preventive Reorganization
Indi
Partnership
Absorptive Rerouting
SubstitutionAdaptive
icat
Restorative
Networking
Organization
ors
Governance
Resilience Tree representing the resilience components that contribute to the system resilience 15
ResilienceIndicatorNAME
Description Description of the specific Resilience Indicator of the component subject to assessment
Sub‐system/system Dimension/capacity
To which sub‐system/system and dimension/capacity it applies: component/feature subject to assessment
Sector ApplicabilityRelevance
Relevance for the specific CI sector under evaluation
Evaluation method(s) Method used for ranking the specific resilienceEvaluation method(s) Method used for ranking the specific resilience indicator
Sources / References For more details and information
Template for Resilience Indicators Description16
Lo3‐ DATABASESCANNING
Description Database Scanners are a specialized tool usedDescription Database Scanners are a specialized tool usedspecifically to identify vulnerabilities in databaseapplications. In addition to performing someexternal functions like password cracking, the toolsl i h i l fi i f halso examine the internal configuration of thedatabase for possible exploitable vulnerabilities.
Dimension(s) TechnicallogicalSectorApplicabilityRelevance
Very important for CI sectors with large DB,e.g.financial sector
Evaluationmethod(s) DatabasevulnerabilitiesSources/References http://samate.nist.gov/index.php/Database_Scanni
ng_Tools.htmlhttp://www.mcafee.com/us/products/security‐
f d t bscanner‐for‐databases.aspx
Example for Resilience Indicator description for Technical-Logical dimension17
Roberto BaldoniRoberto Baldoni@robertobaldoni
18
Ph4‐ PERIMETERORLOCATIONSURVEILLANCESYSTEMS
Description The latest generation of computer vision technology isrevolutionizing concepts, applications, and products in videosurveillance and CCTV. This is of prime relevance to security forlarge outdoor facilities such as commercial airfields, refineries,power plants, and office/industrial campuses. Most airfields, forexample, have open (unfenced) perimeters, high volumeheterogeneous traffic, are easily accessed on foot or by water, andexist in areas where regulations providing a safety buffer aredifficult to legislate or enforce. And all airfields require 24x7outdoor monitoring – snow, fog, rain or shine. Likewise, mosthigh‐value facilities appealing to criminals and terrorists are inclose proximity to public areas (roads, residences, city, etc.).
Dimensions TechnicalphysicalSectorApplicabilityRelevance
Tobeestimatedbythesectorspecificexperts
Evaluationmethods DegreeofimplementationSources/References http://www.sitepitalia.it/products/security/surveillance‐and‐
perimeter‐monitoring‐systemhttp://www.objectvideo.com/rad‐services/publications.html
19
Example for Resilience Indicator description for Technical-Physical dimension
PE1 ‐ Employees are trained andmade aware of resilience requirementsPE1‐ Employeesaretrainedandmadeawareofresiliencerequirements
Description Employeesreceivestandardtrainingand,furthertothat,areintroducedtothebasicconceptsofresilience.
Dimensions PersonalandorganizationalSectorA li bilit
Tobeestimatedbythesectorspecificexperts.HumanResourcesD t t h ld h i ifi t l i thi l tiApplicability
RelevanceDepartmentshouldhaveasignificantroleinthisevaluation
Evaluationmethods
Presence/absencemethodsSources/References
M.Mullen“OnTotalForceFitnessinWarandPeace”– MILITARYMEDECINE,175,8:1,2010CarlinLeslie,AirForcePublicAffairsAgencyOL‐P“ComprehensiveAirmanFitness:ALifestyleandCulture”,August19,2014.
Example for Resilience Indicator description for Personal dimension
20
Example for Resilience Indicator description for Personal dimension
Or5– GovernanceFramework‐ RoleandresponsibilitiesdefinitionforResilience
Description Provide the organizational model to enable the resilience coordination, command and controlwithin organizations such as the roles and responsibilities assumed by institutions and otherbusiness or governmental entities to face national interest incidents. For example withinorganizations role and responsibilities of designated personnel responsible for managing crisisprocedures performing risk management process or responding security threats andprocedures, performing risk management process or responding security threats andemergencies are to be identified and explained. At national level for the US Department ofHomeland Security manages a bottom‐up network of entities from local first responders tonationwide threat analysis and emergency response centers like the National Cybersecurity andCommunications Integration Center (NCCIC).
Dimensions OrganizationalSectorApplicabilityRelevance
Tobeestimatedbythesectorspecificexperts
Evaluationmethods
Presence&MaturitylevelofAdoptionbytheOrganization
Sources/References
www.cosla.gov.uk/system/files/private/cw130219item12annex.pdf
https://wwwhsdl org/?view&did=733614https://www.hsdl.org/?view&did 733614
http://www.cio.ca.gov/ois/government/documents/pdf/iso_roles_respon_guide.pdf
E l f R ili I di t d i ti f O i ti l di i
21
Example for Resilience Indicator description for Organizational dimension
Co1‐ Organization’srelationshipwithbusinesspartners
Description A partnership is where two or more people need to work together to accomplish a goal while building trust and a mutually benefiial relationship This meaish a goal while building trust and a mutually benefiial relationship. This means the partnership is voluntarily agreed upon, built on the desire to have trust, and based on agreed‐upon mutual benefits.Relationships impact every aspect of business operations. Collaboration may occuras individual one‐to‐one partnerships or it may involve multiple parties workingas individual one to one partnerships or it may involve multiple parties workingtogether such as external alliance partners, suppliers, internal divisions andcustomers. An organization must therefore take a structured approach topartnering and be confident that the relationship will complement and enhanceexisting business activitiesexisting business activities.
Dimensions CooperativeSectorApplicabilityRelevance
Tobeestimatedbythesectorspecificexperts
RelevanceEvaluationmethods
Degreeofimplementation
Sources/ http://www.bsigroup.com/LocalFiles/en‐GB/bs‐11000/resources/BSI‐BS‐11000‐References implementation‐guide‐UK‐EN.pdf
Example for Resilience Indicator description for Cooperational dimensionExample for Resilience Indicator description for Cooperational dimension
22
40Lo1
102030
Lo2Lo5
010
Lo3Lo4
Radar Chart is suggested to represent ALL Indicators for the same DIMENSION(Technical Physical, Technical Logical, Personel, Organizational, Cooperation)
23
ChiefKEY ROLES IN THE ORGANISATION
First challenge: Different Responsibles for the CIs Key Roles
Chief Executive Officer
Chief Information
Officer
Chief Security Officer
Chief Information and Security
Officer
Human Resources Director
Security Liason Officer
Business continuity manager
Supply chain manager
Other
CEO CIO CSO CISO HR Director SLO BCM SCM ….
RESILIENCE INDICATORS
Lo01Lo02Lo03….
Ph01Ph02Ph03….
Pe01Pe02Pe03…..Or01Or01Or02Or03…
Co01Co01Co02Co03…
The general matrix with resilience indicators by row and possible key role in the
24
The general matrix with resilience indicators by row and possible key role in the organisation by column that should be customized for each specific CI
operator/owner
Second challenge: how to estimate a numerical value for the CI Resilience
RESILIENCE: How to Construct Composite Resilience Indexat different levels of abstraction
RSYSTEM = f(RTECH, RPERS, RORG, RPART)
The Challenge
Data emanating from the four dimensions have to be correlated and a composed value of resilience for the overall CI inferred using tailored aggregation algorithm account for the dependency level between theaggregation algorithm account for the dependency level between the resilience of the different dimensions and layers.
25
From the INCOSE Systems Engineering Handbook, fourth edition, 2015:
“Resilience is an emergent and nondeterministic property of a
From Resilience Engineering to Resilience Evaluation
Resilience is an emergent and nondeterministic property of a system” It is emergent because it cannot be determined by the examination of It is emergent because it cannot be determined by the examination of
It is nondeterministic because the wide variety of possible system It is nondeterministic because the wide variety of possible system y
individual elements of the system. The entire system and the interaction among the elements must be examined.
yindividual elements of the system. The entire system and the interaction among the elements must be examined.
y p ystates at the time of the disruption cannot be characterized either deterministically or probabilistically.
y p ystates at the time of the disruption cannot be characterized either deterministically or probabilistically.
“The purpose of engineering a resilient system is to determine the architecture and/or other system
14 “Resilience Principles” are defined, supporting 6 “System Attributes” that will enhance resilience:architecture and/or other system
characteristics that will anticipate, survive, and recover from a disruption or multiple disruptions”
enhance resilience: Resilience of Engineered Systems
Capacity
• Absorption• Absorption
Buffering
• Layered defense• Layered defense
Adaptability
• Drift correction• Drift correctiondisruption or multiple disruptions p• Physical
redundancy• Functional
redundancy
p• Physical
redundancy• Functional
redundancy
y• Reduce
complexity• Reduce hidden
interactions
y• Reduce
complexity• Reduce hidden
interactions
• Neutral state• Human in the
loop• Loose coupling
• Neutral state• Human in the
loop• Loose coupling
Flexibility
• Reorganization• Repairability• Reorganization• Repairability
Tolerance
• Localized capacity• Localized capacity
Cohesion
• Internode interaction
• Internode interaction
Adapted from: Jackson, S., & Ferris, T. (2013). Systems Engineering, 16(2), 152-164, Figure 2: Resilience Taxonomy. Available at:https://www.researchgate.net/publication/277141735_Resilience_Principles_for_Engineered_SystemsAccessed on August 23, 2016.
Thank you for your attentiony y
for any further information
Sandro Bologna
for any further information
gAIIC Coordinatore GdL Resilienza Infrastrutture [email protected]
http://www.infrastrutturecritiche.it/new/
27