Understanding Holistic Effects of Cyber Events on Critical Infrastructure
Shane Cherry
Infrastructure Analysis and Technology Development, National and Homeland Security Directorate
March 20, 2018
INL/CON-17-42513
Information Technology vs. Operational Technology
- Information Technology: the study or use of systems (especially computers and telecommunications) for storing, retrieving, and sending information (Oxford Dictionary)
- Operational Technology: the hardware and software dedicated to detecting or causing changes in physical processes through direct monitoring and/or control of physical devices such as switches, pumps, valves, etc., such as those used in critical infrastructure systems (International Society of Automation)
Increased IT-OT Connectivity
- Our national critical infrastructure consists of systems of geographically distributed assets, from regional and national networks to micro-scale controllers and sensors
- Increasingly, these assets, across all scales, are connected via IT and OT networks and are thus potential cyber targets
Increased Focus on OT Related Cyber Activity
Increase in Cyber Events Related to Operational Technologies
- In Fiscal Year 2016, DHS ICS-CERT coordinated 305 unique vulnerabilities and responded to 290 incidents associated with industrial control systems (ICS-CERT Year in Review, 2016)
- A large-scale cyberattack on the electrical grid could lead to a $243B - $1T loss to the U.S. economy
- Health and safety impacts would include an increased rate of illness and death in impacted areas
- Impact to DoD (and DHS) missions would significantly affect the security of the United States
(Lloyd's and University of Cambridge Centre for Risk Studies; President's Council of Economic Advisers, February 2018)
Elements of Cyber Physical Interactions
Interdependency Discovery Approach
All-Hazards Analysis Framework (A-HA)
Interdependency Mapping
Developing Multi-Scale Facility Profiles
(Figure: a notional system profiled at three scales)
- Regional Scale Dependencies
- Process Scale Dependencies
- Control System Scale Dependencies
Modeling Functional Impacts
Holistic Cyber-Physical Analysis Process
1. Reported OT Vulnerabilities or Threats
2. Identify Standard OT Components Across Sectors Potentially Affected and Model Functional Impacts
3. Link to Potential Facility Locations
4. Model Potential Cascading Impacts
5. Provide Actionable Information to Decision Makers and Stakeholders
Esri and INL: Partnering for Cyber Resilience
Application of GIS to Cybersecurity
Brian Biesecker, Technical Director, Intelligence Community, Esri
Fundamental Problems that GIS can help you solve
- Identify impacts to your mission, operations, business activities, critical systems, or critical infrastructure from a cyber attack, IT outage or impairment
- Prioritize the work of your IT team or cyber security team in the context of your most important missions, operations, business activities, critical systems, or critical infrastructure
- Provide shared situational awareness across your organization
- Refine your cyber forensics analysis efforts
Cyberspace Re-Considered: It's mappable
(Figure labels: Utility Network; layers: Social / Persona Layer, Device Layer, Logical Network Layer, Physical Network Layer, Geographic Layer)
- Each device in cyberspace is owned by someone (no "global commons")
- Electro-mechanical devices exist in space-time and interact with physical events
- Geography is required to integrate and align cyberspace with other data
Cross Domain Consequence Analysis
(Figure labels: Electric; IT / SCADA; Control System)
Cross Domain Consequence Analysis
(Figure labels: Information Technology; Industrial Control Systems; Critical Infrastructure)
The Cyber Supply Line: a vector of devices and network paths
(Figure: control system data flow between Campus #1 and Campus #2 across LAN, Bldg Net, WAN, Bldg Net, LAN, with the Cyber Supply Line highlighted)
- The Cyber Supply Line (CSL) is a consistent path through the infrastructure
- CSL focuses resources on only the devices that are critical
- Managing data flows is similar to traffic routing, an Esri core competency
Enhancing Cyber Common Operating Pictures: geography provides deeper understanding
(Figure components: Cyber Comms COP; Server w/ GeoEvent Extension; Intrusion Detection System; IP-Geo Lookup Server; Intrusion Data)
Integrating to improve information sharing: Share Situational Awareness
- Executives / Commanders: enterprise-focused
- Operations: process-focused
- IT Infrastructure: device-focused
- Cyber Security: event-focused
(Figure cycle labels: Awareness, Recovery, Prevention, Protection, Response)
ArcGIS Integration with Cyber Security Tools
(Figure: ArcGIS platform components: Desktop, Web, Device, Portal, Server, Online Content and Services, Ops Dashboard)
Integrated sources:
- Executive Dashboards: status reports, trends, brand sentiment, financials
- Cyber Tools & Data: IDS/IPS, HBSS, virus scanning, patch monitoring
- Ops Data: mission activity, status reports, real-time monitoring
- IT Tools & Databases: IT inventory, device locations, health and status monitoring
- HR Database: personnel, orgs, locations, travel
- Facilities Data: CAD & GIS of buildings and campuses, electric, water, HVAC, facilities monitoring, physical security
Data Linkages
- Missions / Operations to Critical Systems / Infrastructure
- Critical Systems to Components
- Components to their location
- Components to their logical network connection
- Logical Network to Physical Network
- Logical / Physical Network to Network Devices
- Cyber Threats to Components
- IT Health and Status to Components
- Impacted Components to Impacted Mission
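As an added illustration (not INL's or Esri's code) of the linkage chain above and of the cascading-impact and facility-linking steps of the Holistic Cyber-Physical Analysis Process: the linkages are held as a dependency graph, an impaired device or a component model named in a reported OT vulnerability is the seed, and the impact is walked upward to locations and missions. All mission, system, component, device and model names are constructed sample data.

```python
from collections import defaultdict, deque
# Constructed sample linkages following the slide's chain; every name here is hypothetical.
# Each node lists what it depends on: mission -> system -> component -> network device.
DEPENDS_ON = {
    "Mission:Water Treatment": ["System:Pumping Control"],
    "Mission:Campus Power":    ["System:Substation SCADA"],
    "Mission:Campus Comms":    ["System:Core Network"],
    "System:Pumping Control":  ["Component:PLC-Pump-1", "Component:HMI-Pump"],
    "System:Substation SCADA": ["Component:RTU-Sub-1", "Component:HMI-Sub"],
    "System:Core Network":     ["Device:core-rtr-01"],
    "Component:PLC-Pump-1":    ["Device:sw-bldg-a-01"],
    "Component:HMI-Pump":      ["Device:sw-bldg-a-01"],
    "Component:RTU-Sub-1":     ["Device:sw-bldg-b-02"],
    "Component:HMI-Sub":       ["Device:sw-bldg-b-02"],
    "Device:sw-bldg-a-01":     ["Device:core-rtr-01"],
    "Device:sw-bldg-b-02":     ["Device:core-rtr-01"],
}
# Component model (what a reported OT vulnerability names) and facility location per component.
COMPONENT_MODEL = {"Component:PLC-Pump-1": "PLC-X100", "Component:RTU-Sub-1": "RTU-R20",
                   "Component:HMI-Pump": "HMI-H5", "Component:HMI-Sub": "HMI-H5"}
LOCATION = {"Component:PLC-Pump-1": "Campus #1, Bldg A", "Component:HMI-Pump": "Campus #1, Bldg A",
            "Component:RTU-Sub-1": "Campus #2, Bldg B", "Component:HMI-Sub": "Campus #2, Bldg B"}

def dependents_index(depends_on):
    # Invert the graph: node -> nodes that depend on it, the direction an impact propagates.
    rev = defaultdict(list)
    for node, deps in depends_on.items():
        for d in deps:
            rev[d].append(node)
    return rev

def cascade(seeds, depends_on=DEPENDS_ON):
    # Breadth-first walk upward from impaired nodes to everything whose function depends on them.
    rev = dependents_index(depends_on)
    seen, queue = set(seeds), deque(seeds)
    while queue:
        for up in rev[queue.popleft()]:
            if up not in seen:
                seen.add(up)
                queue.append(up)
    return seen

def impacted_missions(seeds):
    return sorted(n for n in cascade(seeds) if n.startswith("Mission:"))

def vulnerability_report(model):
    # Link a reported vulnerability for a component model to installed components, locations, missions.
    comps = sorted(c for c, m in COMPONENT_MODEL.items() if m == model)
    return {"components": comps,
            "locations": sorted({LOCATION[c] for c in comps}),
            "missions": impacted_missions(comps)}
```

A seed of `["Device:core-rtr-01"]`, the shared WAN path in this sample, cascades to all three missions, which is the cyber supply line point: a few devices on a consistent path carry most of the mission risk.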
Cyber Summary