1,179 research outputs found

    Emerging Technologies, Law Enforcement Responses, and National Security


    A vulnerability-driven cyber security maturity model for measuring national critical infrastructure protection preparedness

    Critical infrastructures are vital assets for the public safety, economic welfare and national security of countries. Cyber systems are used extensively to monitor and control critical infrastructures. A number of infrastructures are connected to the Internet via corporate networks. Cyber security is, therefore, an important item of the national security agenda of a country. The intense interest in cyber security has initiated research focusing on national cyber security maturity assessments. However, little, if any, research is dedicated to maturity assessments of national critical infrastructure protection efforts. Instead, the vast majority of studies merely examine diverse national-level security best practices ranging from cyber crime response to privacy protection. This paper proposes a maturity model for measuring the readiness levels of national critical infrastructure protection efforts. The development of the model involves two steps. The first step analyzes data pertaining to national cyber security projects using grounded theory to extract the root causes of the susceptibility of critical infrastructures to cyber threats. The second step determines the maturity criteria by introducing the root causes to subject-matter experts polled in a Delphi survey. The resulting survey-based maturity model is applied to assess the critical infrastructure protection efforts in Turkey. The results are realistic and intuitively appealing, demonstrating that the maturity model is useful for evaluating the national critical infrastructure protection preparedness of developing countries such as Turkey

    Best Practices for Critical Information Infrastructure Protection (CIIP): Experiences from Latin America and the Caribbean and Selected Countries

    Over the past few decades, Latin America and the Caribbean (LAC) has witnessed numerous changes in its development, with most being beneficial. Positive changes relate to sizable growth and expansion of the region's network infrastructure sectors, such as transport, energy, and information and communications technologies (ICT), among others. In many cases, ICT interconnects these critical infrastructures, creating substructures referred to as critical information infrastructures (CIIs). This publication is written to provide insights to the strategic thinking behind the creation of the national critical information infrastructure protection (CIIP) frameworks. It also builds its recommendations on in-depth analysis of the best CIIP practices around the world, with consideration of the region-specific landscape to originate a base line from which further development can be delineated

    How to Think About Resilient Infrastructure Systems

    Resilience is emerging as the preferred way to improve the protection of infrastructure systems beyond established risk management practices. Massive damages experienced during tragedies like Hurricane Katrina showed that risk analysis is incapable of preventing unforeseen infrastructure failures and shifted expert focus towards resilience to absorb and recover from adverse events. Recent, exponential growth in research is now producing consensus on how to think about infrastructure resilience centered on definitions and models from influential organizations like the US National Academy of Sciences. Despite widespread efforts, massive infrastructure failures in 2017 demonstrate that resilience is still not working, raising the question: Are the ways people think about resilience producing resilient infrastructure systems? This dissertation argues that established thinking harbors misconceptions about infrastructure systems that diminish attempts to improve their resilience. Widespread efforts based on the current canon focus on improving data analytics, establishing resilience goals, reducing failure probabilities, and measuring cascading losses. Unfortunately, none of these pursuits change the resilience of an infrastructure system, because none of them result in knowledge about how data is used, goals are set, or failures occur. Through the examination of each misconception, this dissertation results in practical, new approaches for infrastructure systems to respond to unforeseen failures via sensing, adapting, and anticipating processes. Specifically, infrastructure resilience is improved by sensing when data analytics include the modeler-in-the-loop, adapting to stress contexts by switching between multiple resilience strategies, and anticipating crisis coordination activities prior to experiencing a failure. Overall, results demonstrate that current resilience thinking needs to change because it does not differentiate resilience from risk. The majority of research thinks resilience is a property that a system has, like a noun, when resilience is really an action a system does, like a verb. Treating resilience as a noun only strengthens commitment to risk-based practices that do not protect infrastructure from unknown events. Instead, switching to thinking about resilience as a verb overcomes prevalent misconceptions about data, goals, systems, and failures, and may bring a necessary, radical change to the way infrastructure is protected in the future. Dissertation/Thesis. Doctoral Dissertation, Civil, Environmental and Sustainable Engineering 201

    A Guide for Homeland Security Instructors Preparing Physical Critical Infrastructure Protection Courses

    Over 350 academic programs in the United States currently offer instruction in the field of homeland defense and security. In spite of this growth at the program level over the past ten years, there still exists a shortage of instructors and coursework in critical infrastructure protection (CIP). Traditional instructor preparation (which is accomplished through the attainment of an advanced degree coupled with research and professional experience) does not currently produce enough instructors qualified in CIP because of the extremely limited number of CIP-related educational opportunities. Therefore, an alternate venue for instructor preparation must be provided. This article addresses that need by providing a guide for educators who desire to engage in a deliberate self-study program to develop sufficient expertise to teach a first course in physical CIP at the undergraduate or master's degree level. This information is also useful for professionals who have had to assume CIP-related duties and functions without the benefit of supporting coursework. This article introduces a five-part framework for understanding CIP (policy, networks, level of hazard, level of protection, and system design) and provides resources for understanding each part of the framework. Each element of the framework is introduced and briefly explained and then resources are presented which will allow the reader to explore this particular topic in detail. Where possible, resources are presented as Web links to allow the reader to directly access the learning resource, free of charge. The article concludes with guidance for adapting the five-part framework and the materials presented in designing a CIP course tailored to the needs of a specific instructor and institution

    Impact Assessment of Hypothesized Cyberattacks on Interconnected Bulk Power Systems

    The first-ever Ukraine cyberattack on the power grid has proven its devastation by hacking into their critical cyber assets. With administrative privileges accessing substation networks/local control centers, one intelligent way of coordinated cyberattacks is to execute a series of disruptive switching executions on multiple substations using compromised supervisory control and data acquisition (SCADA) systems. These actions can cause significant impacts to an interconnected power grid. Unlike the previous power blackouts, such high-impact initiating events can aggravate operating conditions, initiating instability that may lead to system-wide cascading failure. A systemic evaluation of "nightmare" scenarios is highly desirable for asset owners to manage and prioritize the maintenance and investment in protecting their cyberinfrastructure. This survey paper is a conceptual expansion of the real-time monitoring, anomaly detection, impact analyses, and mitigation (RAIM) framework that emphasizes the resulting impacts, both on steady-state and dynamic aspects of power system stability. Hypothetically, we associate the combinatorial analyses of steady state on substations/components outages and dynamics of the sequential switching orders as part of the permutation. The expanded framework includes (1) critical/noncritical combination verification, (2) cascade confirmation, and (3) combination re-evaluation. This paper ends with a discussion of the open issues for metrics and future design pertaining to the impact quantification of cyber-related contingencies

    Cyber defensive capacity and capability: A perspective from the financial sector of a small state

    This thesis explores ways in which the financial sectors of small states are able to defend themselves against ever-growing cyber threats, as well as ways these states can improve their cyber defense capability in order to withstand current and future attacks. To date, the context of small states in general is understudied. This study presents the challenges faced by financial sectors in small states with regard to withstanding cyberattacks. This study applies a mixed method approach through the use of various surveys, brainstorming sessions with financial sector focus groups, interviews with critical infrastructure stakeholders, a literature review, a comparative analysis of secondary data and a theoretical narrative review. The findings suggest that, for the Aruban financial sector, compliance is important, as with minimal drivers, precautionary behavior is significant. Countermeasures of formal, informal, and technical controls need to be in place. This study indicates the view that defending a small state such as Aruba is challenging, yet enough economic indicators indicate it not being outside the realm of possibility. On a theoretical level, this thesis proposes a conceptual "whole-of-cyber" model inspired by military science and the VSM (Viable Systems Model). The concept of fighting power components and governance S4 function form cyber defensive capacity's shield and capability. The "whole-of-cyber" approach may be a good way to compensate for the lack of resources of small states. Collaboration may be an only out, as the fastest-growing need will be for advanced IT skillsets

    The Cybercrime Triangle

    Information technology can increase the convergence of three dimensions of the crime triangle due to the spatial and temporal confluence in the virtual world. In other words, its advancement can lead to facilitating criminals with more chances to commit a crime against suitable targets living in different real-world time zones without temporal and spatial orders. However, within this mechanism, cybercrime can be discouraged "...if the cyber-adversary is handled, the target/victim is guarded, or the place is effectively managed" (Wilcox & Cullen, 2018, p. 134). In fact, Madensen and Eck (2013) assert that only one effective controller is enough to prevent a crime. Given this condition of the crime triangle, it must be noted that each of these components (the offender, the target, and the place) or controllers (i.e., handler, guardian, and manager) can play a pivotal role in reducing cybercrime. To date, scholars and professionals have analyzed the phenomenon of cybercrime and developed cybercrime prevention strategies relying predominantly on cybercrime victimization (suitable targets) but have yet to utilize the broader framework of the crime triangle commonly used in the analysis and prevention of crime. More specifically, the dimensions of cybercrime offenders, places, or controllers have been absent in prior scientific research and in guiding the establishment and examination of cybercrime prevention strategies. Given this gap, much remains to be known as to how these conceptual entities operate in the virtual realm and whether they share similarities with what we know about other crimes in the physical world. Thus, the purpose of this study is to extend the application of the "Crime Triangle," a derivative of Routine Activity Theory, to crime events in the digital realm to provide scholars, practitioners, and policy makers a more complete lens to improve understanding and prevention of cybercrime incidents. In other words, this dissertation will endeavor to devise a comprehensive framework for our society to use to form cybersecurity policies to implement a secure and stable digital environment that supports continued economic growth as well as national security. The findings of this study suggest that both criminological and technical perspectives are crucial in comprehending cybercrime incidents. This dissertation attempts to independently explore these three components in order to portray the characteristics of cybercriminals, cybercrime victims, and place management. Specifically, this study first explores the characteristics of cybercriminals via a criminal profiling method primarily using court criminal record documents (indictments/complaints) provided by the FIU law library website. Second, the associations between cybercrime victims, digital capable guardianship, perceived risks of cybercrime, and online activity are examined using Eurobarometer survey data. Third, the associations between place management activities and cybercrime prevention are examined using "Phishing Campaign" and "Cybersecurity Awareness Training Program" data derived from FIU's Division of Information Technology

    Critical Information Infrastructure

    Master's thesis, Seoul National University Graduate School, Graduate School of International Studies, Department of International Studies (International Commerce major), 2019. 8. 신성호.
    Korea's national cybersecurity governance system is characterized by high levels of fragmentation and instability, unable to form a coherent national-level response to increasingly sophisticated and devastating cyber attacks, with the public, private and military sector each struggling to provide for its own cybersecurity. The purpose of this paper is to analyze the contemporary situation and underlying problems of South Korea's national cybersecurity in the area of critical information infrastructure from the governance perspective, then suggest relevant policy measures to bolster cybersecurity of critical information infrastructure. In order to fulfill the objective, this paper first examines the theories pertinent to the concept and emergence of the governance perspective in the disciplines of social science. Then, the components of governance and the requirements for successful governance are explored in order to establish the dimensions of analysis. Subsequently, the paper undertakes a case study of the U.S. cybersecurity governance system to draw relevant policy implications. The following chapter examines the contemporary situation and underlying problems of South Korea's cybersecurity governance, in accordance with the five dimensions of the governance system. This paper concludes with policy suggestions to consolidate a stable and sustainable cybersecurity governance system in Korea.
    Contents:
    CHAPTER I. Introduction: 1.1 Research Background; 1.2 Research Purpose and Research Questions.
    CHAPTER II. Theoretical Underpinning and Research Design: 2.1 Theoretical Underpinning: 1) Cybersecurity, 2) Critical Infrastructure or Critical National Infrastructure, 3) Critical Information Infrastructure, 4) Emergence of Governance Perspective, 5) Conceptualizing Governance, 6) Governance Capacity and Good Governance, 7) Conditions for Governance Formation, 8) Requirements for Successful Governance; 2.2 Literature Review: 1) Literatures on Regional and Global Cybersecurity Governance, 2) Literatures on Cybersecurity Governance in South Korea, 3) Common Limitations of Precedent Studies; 2.3 Research Method: Document Research and Case Study; 2.4 Rationale for U.S. Cybersecurity Governance as Case Study; 2.5 Dimensions of Analysis.
    CHAPTER III. The Cybersecurity Governance System of the United States: 3.1 An Overview of Cybersecurity Legislation and Policies in the U.S.; 3.2 Legal and Institutional Systems: Roles and Responsibilities; 3.3 Federal Cybersecurity Budget; 3.4 Public-Private Partnership: Critical Infrastructure Sector Partnership; 3.5 Federal Cybersecurity Monitoring and Evaluation Systems.
    CHAPTER IV. An Analysis of South Korea's National Cybersecurity Governance System on Critical Information Infrastructure: 4.1 An Overview of South Korea's National Cybersecurity Challenges; 4.2 An Analysis of the Cybersecurity Governance System of South Korea: 1) Legal and Institutional Systems, 2) Administrative System for Critical Information Infrastructure, 3) Finance and Budget Systems, 4) Public-Private Partnership, 5) Monitoring and Evaluation Systems.
    CHAPTER V. Policy Measures to Consolidate the National Cybersecurity Governance System in South Korea: 5.1 Policy Suggestions to Consolidate the Cybersecurity Governance System: 1) Legal and Institutional Systems, 2) Administrative System, 3) Finance and Budget Systems, 4) Public-Private Partnership, 5) Monitoring and Evaluation Systems; 5.2 Engineering Cyber Resilient Governance.
    CHAPTER VI. Conclusion: 6.1 Conclusion and Implications; 6.2 Future Avenues of Research.
    Bibliography. Maste