Critical Infrastructure Security Vulnerability Assessment. A New Approach. Norman Bird - Senior Technical Lead - Nuclear Security

Similar documents
A New Approach For Assessing Operational Nuclear Security Performance. An Overview

Principles for a National Space Industry Policy

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO

Why you should adopt the NIST Cybersecurity Framework

The NIS Directive and Cybersecurity in

Drinking Water Emergency Management Ministry of the Environment 2012 Drinking Water Leadership Summit October 25, 2012

CYBER SECURITY AIR TRANSPORT IT SUMMIT

The Office of Infrastructure Protection

National Policy and Guiding Principles

The NIST Cybersecurity Framework

Cyber Security Strategy

Certified Information Security Manager (CISM) Course Overview

Department of Defense. Installation Energy Resilience

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com

Solutions Technology, Inc. (STI) Corporate Capability Brief

COUNTERING IMPROVISED EXPLOSIVE DEVICES

NATIONAL CYBER SECURITY STRATEGY. - Version 2.0 -

Accelerate Your Enterprise Private Cloud Initiative

National Policing Community Security Policy

Emergency Support Function #12 Energy Annex. ESF Coordinator: Support Agencies:

Integrated C4isr and Cyber Solutions

Securing strategic advantage

How to Underpin Security Transformation With Complete Visibility of Your Attack Surface

Industrial control systems

Boundary Security. Innovative Planning Solutions. Analysis Planning Design. criterra Technology

PREPARE FOR TAKE OFF. Accelerate your organisation s journey to the Cloud.

Overview of NIPP 2013: Partnering for Critical Infrastructure Security and Resilience October 2013

Defence services. Independent systems and technology advice that delivers real value. Systems and Engineering Technology

cybersecurity in Europe Rossella Mattioli Secure Infrastructures and Services

SYMANTEC: SECURITY ADVISORY SERVICES. Symantec Security Advisory Services The World Leader in Information Security

Paul Shillcock Transport for London, UK

Industry role moving forward

Strategic Transport Research and Innovation Agenda - STRIA

Approaches and Tools to Quantifying Facility Security Risk. Steve Fogarty, CSO

Cybersecurity & Digital Privacy in the Energy sector

Securing Your Digital Transformation

DHS Cybersecurity: Services for State and Local Officials. February 2017

DISASTER RISK MANAGEMENT (DRM/DRR) TEAM

Business Continuity Management

Cybersecurity. Securely enabling transformation and change

Cesium Co. Ltd., Company Profile. Certification. Laboratory. Metrology Standards. When Performance Matters. Testing Quality

TEL2813/IS2820 Security Management

CONE 2019 Project Proposal on Cybersecurity

Version: V2.0. Integrated Building. Architecture. 19 April dimension data advanced infrastructure

THE ISSUE. TITLE: The East Midlands Business link. Author: Andrew Groom

The Perfect Storm Cyber RDT&E

CORPORATE PRESENTATION

Security Awareness Training Courses

Manchester Metropolitan University Information Security Strategy

Securing Europe's Information Society

DEVELOP YOUR TAILORED CYBERSECURITY ROADMAP

Challenges 3. HAWK Introduction 4. Key Benefits 6. About Gavin Technologies 7. Our Security Practice 8. Security Services Approach 9

SRM Service Guide. Smart Security. Smart Compliance. Service Guide

Business Continuity Planning

Developing an integrated approach to the analysis of MOD cyber-related risks

THE ISACA CURACAO CHAPTER IS ORGANIZING FOLLOWING INFORMATION SECURITY AND TECHNOLOGY SESSIONS ON MAY 15-MAY :

THE WHITE HOUSE. Office of the Press Secretary. EMBARGOED UNTIL DELIVERY OF THE PRESIDENT'S February 12, 2013 STATE OF THE UNION ADDRESS

Executive Order on Coordinating National Resilience to Electromagnetic Pulses

Directive on Security of Network and Information Systems

DHS Cybersecurity. Election Infrastructure as Critical Infrastructure. June 2017

Presented by Ingrid Fredeen and Pamela Passman. Copyright 2017NAVEXGlobal,Inc. AllRightsReserved. Page 0

Bradford J. Willke. 19 September 2007

PIPELINE SECURITY An Overview of TSA Programs

AADMER Work Programme

Internet of Things. Internet of Everything. Presented By: Louis McNeil Tom Costin

NATIONAL DEFENSE INDUSTRIAL ASSOCIATION Homeland Security Symposium

Action Plan to enhance preparedness against CBRN security risks

External Supplier Control Obligations. Cyber Security

ISAO SO Product Outline

ENISA EU Threat Landscape

Cyber Security Technologies

The Office of Infrastructure Protection

Port Facility Cyber Security

The Office of Infrastructure Protection

Alternative Fuel Vehicles in State Energy Assurance Planning

Cities, Infrastructure & Industrial Solutions

Improving the Resilience of Critical Infrastructure from Natural Hazards

THE POWER OF TECH-SAVVY BOARDS:

CIPMA CRITICAL INFRASTRUCTURE PROTECTION MODELLING & ANALYSIS. Overview of CIP in Australia

Canada Highlights. Cybersecurity: Do you know which protective measures will make your company cyber resilient?

Security Management Models And Practices Feb 5, 2008

Address C-level Cybersecurity issues to enable and secure Digital transformation

Plan of action for Implementation of the Sendai Framework for Disaster Risk Reduction in Central Asia and South Caucasus Region

locuz.com SOC Services

*** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS ***

Leveraging ITIL to improve Business Continuity and Availability. itsmf Conference 2009

The Australian Government s Approach to Critical Infrastructure Resilience

Optimizing wind farms

SDLC Maturity Models

Provisional Translation

Updates to the NIST Cybersecurity Framework

Security Secure Information Sharing

CYBER INCIDENT REPORTING GUIDANCE. Industry Reporting Arrangements for Incident Response

STATE ENERGY RISK ASSESSMENT INITIATIVE ENERGY INFRASTRUCTURE MODELING AND ANALYSIS. National Association of State Energy Of ficials

Science & Technology Directorate: R&D Overview

the steps that IS Services should take to ensure that this document is aligned with the SNH s KIMS and SNH s Change Requirement;

Office of Infrastructure Protection Overview

DEFENSE LOGISTICS AGENCY AMERICA S COMBAT LOGISTICS SUPPORT AGENCY. Cyber Security. Safeguarding Covered Defense Information.

Seagate Supply Chain Standards and Operational Systems

Disaster Recovery and Business Continuity Planning (Mile2)

Transcription:

Critical Infrastructure Security Vulnerability Assessment A New Approach Norman Bird - Senior Technical Lead - Nuclear Security Critical Infrastructure Protection and Resilience Europe (CIPRE) Securing Europe s Critical Infrastructure 12 th 13 th February 2014 London -UK

Overview Based on work undertaken by NNL Technology delivery in partnership with ARES Security As this case study involves a real nuclear facility I cannot discuss specific results

Background - Critical Infrastructure Desire: Steady-state operations No incidents (man-made, natural or malicious) Mitigation: Appropriate regulation Appropriate threat / risk mitigation Good design (incorporating appropriate resilience) Good operation (incl. effective security at all times) Effective maintenance and guarding Human aspects - best practices, reliability, awareness Financial: Justify expenditure and investment decisions, (CapEx, OpEx, etc.) Optimise return on investment (ROI) CapEx Capital Expenditure, OpEx Operational Expenditure, ROI Return On Investment

Background -(Nuclear)Critical Infrastructure? Desire: Steady-state operations No incidents (man-made, natural or malicious) Mitigation: Appropriate regulation Appropriate threat mitigation Good design (resilience) Good operation (effective security at all times) Effective maintenance and guarding Human aspects - Best practices, reliability, awareness Financial: Justify expenditure and investment decisions, (CapEx, OpEx, etc.) Optimise return on investment

Background NNL At a glance Strategic: International nuclear R&D centre of excellence Support new build and clean up Safeguard nuclear expertise, facilities and skills Trusted advisor Collaborations/Partnerships/Links Socio-economic focus Operational: Nuclear infrastructure operator Do our own threat assessments Operate nuclear facilities requiring outcome-based security compliance

Background Infrastructure information Imagery from Bing Maps

Background Modelling / Simulation Not new Often confused with CAD etc. Extensively used in civil nuclear sector to date (safety, process, design, etc.) An emerging technique (for security) Modelling of infrastructure is now an international, open source and leisure timeactivity Imagery from Google Earth and Google Streetview

Background Information and the Threat Source: http://www.fas.org/irp/dni/osc/osc071906.pdf

Case Study M and S Approach Established and matured in US for over a decade Proven and endorsed technology for significant government programmes Accredited in US: DHS (Certified) DoD (Accredited) DoE (Accreditation in Progress) Used by NNL in their national early adopter role for nuclear industry and critical national infrastructure DHS US Dept of Homeland Security, DoD US Department of Defense, DoE US Department of Energy

Case Study -Aims Evaluate against a (complex) UK nuclear infrastructure asset Evaluate if there are substantial benefits over existing techniques Illustrate possible wider UK national infrastructure use in future Provide independent reach back, technical / software support / assessment services and training

Process -Overview -(5 Steps) DATA PHASE MODELLING PHASE SIMULATION PHASE OUTPUT PHASE VERIFICATION PHASE

Process -(Data) Step 1 DATA PHASE 2D CAD information 3D CAD information GIS information Aerial Photography Satellite Imagery Facility Record Drawings Facility Security Measures Security Performance Data Physical Systems / Sensors Guard Force Adversary Performance Data Environmental Criteria Plant Operational Criteria Threat Scenario Criteria Vulnerability of Facility

Process -(Modelling) Step 2 DATA PHASE MODELLING PHASE 2D CAD information 3D CAD information GIS information Aerial Photography Satellite Imagery Facility Record Drawings Facility Security Measures Security Performance Data Physical Systems / Sensors Guard Force Adversary Performance Data Environmental Criteria Plant Operational Criteria Threat Scenario Criteria Vulnerability of Facility

Process -(Simulation) Step 3 DATA PHASE MODELLING PHASE SIMULATION PHASE 2D CAD information 3D CAD information GIS information Aerial Photography Satellite Imagery Facility Record Drawings Facility Security Measures Security Performance Data Physical Systems / Sensors Guard Force Adversary Performance Data Environmental Criteria Plant Operational Criteria Threat Scenario Criteria Vulnerability of Facility

Process -(Output) Step 4 DATA PHASE 2D CAD information 3D CAD information GIS information Aerial Photography Satellite Imagery Facility Record Drawings Facility Security Measures Security Performance Data Physical Systems / Sensors Guard Force Adversary Performance Data Environmental Criteria Plant Operational Criteria Threat Scenario Criteria Vulnerability of Facility MODELLING PHASE SIMULATION PHASE OUTPUT PHASE

Process -(Verification) Step 5 DATA PHASE MODELLING PHASE SIMULATION PHASE OUTPUT PHASE 2D CAD information 3D CAD information GIS information Aerial Photography Satellite Imagery Facility Record Drawings Facility Security Measures Security Performance Data Physical Systems / Sensors Guard Force Adversary Performance Data Environmental Criteria Plant Operational Criteria Threat Scenario Criteria Vulnerability of Facility VERIFICATION PHASE (Future) Exercises Update data libraries and results based on real performance outcomes

Early results (Typical)

Early learning Accurate model information Early risk review mechanism Alignment with site visits (both site & model verification) Model simplification (don t need to model everything) Access to timely technical support / SMEs Early pooling of expert opinion around a centric model Early operational appreciation SME = Subject Matter Expert

Early challenges Inaccuracy in as built records Obtaining as built knowledge Obtaining verified performance data Managing sensitive data and results Managing the what if syndrome (and preventing scope creep) These challenges were all overcome in the case study

Typical examples of results output

Performance-basedinfrastructure assurance Quantitative performance assessment (Graded RAG approach) Challengeable and demonstrable threat mitigation Threat scenario is capable of being rehearsed / exercised Model can be re-verified from further exercises Managing output expectations: Practical Cost effective Operationally achievable Acceptable RAG = Red, Amber, Green. Note: The % threshold levels defined on this slide are also being used as a methodology to assess nuclear security effectiveness / threat mitigation at US nuclear infrastructure sites.

Case study M and S benefits Improved quantitative infrastructure assessment Enhanced security appreciation / optimisation Core model for determining minimum performance standards Reproducible / repeatable demonstration of assurances Efficient re-assessment of DBT impact Auditable platform(for further exercising, testing and improved consistency of approach for cost benefit analysis) DBT Design Basis Threat Outcome Modelled / measured security effectiveness

Conclusions Facilitates improved decision making Demonstrates operational effectiveness Helps to manage / mitigate the threat to infrastructure Helps to optimise security standards, costs, performance, compliance and expectations Future?

Future -(Dynamic) threat assessment National (and Public) Expectation (I.e. Design Basis) ALL THREATS STATUS VIEW Infrastructure Operation (I.e. Outcome-based) THREAT SCENARIO Strategic aim being closer parity between expectation (design) and infrastructure operation (delivery) using M and S

Summary Wider infrastructure uses: Transport Hubs Airports, Ports etc. Transport networks and movements Utilities, Telecomms Chemicals, Oil and Gas Key national infrastructure points Energy Defence, Borders and Emergency Services Commerce National and international risk governance / agencies Foreign embassies Temporary hardened assets (Events etc.) Contingency planning and resilience Where risk reduction and resilience are essential to continuity

Acknowledgements NNL Modelling and Simulation Team NNL Site Security Management ARES Security Civil Nuclear Constabulary (CNC) University of Central Lancashire (UCLan) (Joint authors of the case study summary Norman Bird NNL and Prof. Laurence Williams - UCLan)

Thank you for listening Questions? For further information contact: Norman Bird norman.bird@nnl.co.uk or visit www.nnl.co.uk/commercial-services/security.aspx

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback