Business Continuity for Critical Infrastructure Operators

Critical infrastructures often lack resilience and easily lose critical functionalities if hit by adverse events. Continuity management strategies for critical infrastructure operators and the networks that they form, rely also on the functionality of other interrelated networks. Disruptions in operations may affect society and for this reason, securing the operations of critical infrastructure operators is important. The technological impacts of CPS become evident to the resilience of all fields of critical infrastructure, but there is also human elements to take into account. The research question of this study is: How to enhance business continuity of critical infrastructure? This case study research uses qualitative methods collected by conducting interviews of resilience and continuity professionals who work with Finnish critical infrastructure. Resilience and continuity management are key for critical infrastructure operators. Important factors identified were identifying risks, critical activities, key personnel, creating guidelines and procedures, and open communication, which themes were recognised as important to improve resilience and manage continuity.</p

How to Think About Resilient Infrastructure Systems

abstract: Resilience is emerging as the preferred way to improve the protection of infrastructure systems beyond established risk management practices. Massive damages experienced during tragedies like Hurricane Katrina showed that risk analysis is incapable to prevent unforeseen infrastructure failures and shifted expert focus towards resilience to absorb and recover from adverse events. Recent, exponential growth in research is now producing consensus on how to think about infrastructure resilience centered on definitions and models from influential organizations like the US National Academy of Sciences. Despite widespread efforts, massive infrastructure failures in 2017 demonstrate that resilience is still not working, raising the question: Are the ways people think about resilience producing resilient infrastructure systems? This dissertation argues that established thinking harbors misconceptions about infrastructure systems that diminish attempts to improve their resilience. Widespread efforts based on the current canon focus on improving data analytics, establishing resilience goals, reducing failure probabilities, and measuring cascading losses. Unfortunately, none of these pursuits change the resilience of an infrastructure system, because none of them result in knowledge about how data is used, goals are set, or failures occur. Through the examination of each misconception, this dissertation results in practical, new approaches for infrastructure systems to respond to unforeseen failures via sensing, adapting, and anticipating processes. Specifically, infrastructure resilience is improved by sensing when data analytics include the modeler-in-the-loop, adapting to stress contexts by switching between multiple resilience strategies, and anticipating crisis coordination activities prior to experiencing a failure. Overall, results demonstrate that current resilience thinking needs to change because it does not differentiate resilience from risk. The majority of research thinks resilience is a property that a system has, like a noun, when resilience is really an action a system does, like a verb. Treating resilience as a noun only strengthens commitment to risk-based practices that do not protect infrastructure from unknown events. Instead, switching to thinking about resilience as a verb overcomes prevalent misconceptions about data, goals, systems, and failures, and may bring a necessary, radical change to the way infrastructure is protected in the future.Dissertation/ThesisDoctoral Dissertation Civil, Environmental and Sustainable Engineering 201

ENHANCING THE OPERATIONAL RESILIENCE OF CYBER- MANUFACTURING SYSTEMS (CMS) AGAINST CYBER-ATTACKS

Cyber-manufacturing systems (CMS) are interconnected production environments comprised of complex and networked cyber-physical systems (CPS) that can be instantiated across one or many locations. However, this vision of manufacturing environments ushers in the challenge of addressing new security threats to production systems that still contain traditional closed legacy elements. The widespread adoption of CMS has come with a dramatic increase in successful cyber-attacks. With a myriad of new targets and vulnerabilities, hackers have been able to cause significant economic losses by disrupting manufacturing operations, reducing outgoing product quality, and altering product designs. This research aims to contribute to the design of more resilient cyber-manufacturing systems. Traditional cybersecurity mechanisms focus on preventing the occurrence of cyber-attacks, improving the accuracy of detection, and increasing the speed of recovery. More often neglected is addressing how to respond to a successful attack during the time from the attack onset until the system recovery. We propose a novel approach that correlates the state of production and the timing of the attack to predict the effect on the manufacturing key performance indicators. Then a real-time decision strategy is deployed to select the appropriate response to maintain availability, utilization efficiency, and a quality ratio above degradation thresholds until recovery. Our goal is to demonstrate that the operational resilience of CMS can be enhanced such that the system will be able to withstand the advent of cyber-attacks while remaining operationally resilient. This research presents a novel framework to enhance the operational resilience of cyber-manufacturing systems against cyber-attacks. In contrast to other CPS where the general goal of operational resilience is to maintain a certain target level of availability, we propose a manufacturing-centric approach in which we utilize production key performance indicators as targets. This way we adopt a decision-making process for security in a way that is aligned with the operational strategy and bound to the socio-economic constraints inherent to manufacturing. Our proposed framework consists of four steps: 1) Identify: map CMS production goals, vulnerabilities, and resilience-enhancing mechanisms; 2) Establish: set targets of performance in production output, scrap rate, and downtime at different states; 3) Select: determine which mechanisms are needed and their triggering strategy, and 4) Deploy: integrate into the operation of the CMS the selected mechanisms, threat severity evaluation, and activation strategy. Lastly, we demonstrate via experimentation on a CMS testbed that this framework can effectively enhance the operational resilience of a CMS against a known cyber-attack

SA Climate Ready: A Pathway for Climate Action & Adaptation

San Antonio is one of the fasted growing cities in the nation. Every day, we are working to plan for and accommodate the estimated one million additional residents that will arrive in San Antonio by 2040. In much the same way, it’s our collective responsibility to prepare for a future that is projected to have hotter temperatures, longer droughts and more intense rain events, as a result of our changing climate. That is why working with the City Council, one of my first acts as your Mayor was to sign the Paris Climate Agreement. Throughout the SA Climate Ready process, people from across the community have helped craft a sustainable community approach by examining best practices and policies around how we build; how we power our homes, cars and businesses; how we travel; how we conserve water and green space; how we reduce air pollution; and, perhaps most importantly, how we take care of our most vulnerable neighbors. When it comes to climate action and adaptation, our borders do not stop at the city limits or county line. Working with stakeholders across jurisdictional lines will continue to be the way we achieve progress. San Antonio is a warm, welcoming and culturally diverse community where we cherish tradition and heritage while nurturing forward-looking policies that keep our home healthy and vibrant. Protecting our community’s quality of life, economy, military and historic treasures is a leading priority

Cybersecurity for Manufacturers: Securing the Digitized and Connected Factory

As manufacturing becomes increasingly digitized and data-driven, manufacturers will find themselves at serious risk. Although there has yet to be a major successful cyberattack on a U.S. manufacturing operation, threats continue to rise. The complexities of multi-organizational dependencies and data-management in modern supply chains mean that vulnerabilities are multiplying. There is widespread agreement among manufacturers, government agencies, cybersecurity firms, and leading academic computer science departments that U.S. industrial firms are doing too little to address these looming challenges. Unfortunately, manufacturers in general do not see themselves to be at particular risk. This lack of recognition of the threat may represent the greatest risk of cybersecurity failure for manufacturers. Public and private stakeholders must act before a significant attack on U.S. manufacturers provides a wake-up call. Cybersecurity for the manufacturing supply chain is a particularly serious need. Manufacturing supply chains are connected, integrated, and interdependent; security of the entire supply chain depends on security at the local factory level. Increasing digitization in manufacturing— especially with the rise of Digital Manufacturing, Smart Manufacturing, the Smart Factory, and Industry 4.0, combined with broader market trends such as the Internet of Things (IoT)— exponentially increases connectedness. At the same time, the diversity of manufacturers—from large, sophisticated corporations to small job shops—creates weakest-link vulnerabilities that can be addressed most effectively by public-private partnerships. Experts consulted in the development of this report called for more holistic thinking in industrial cybersecurity: improvements to technologies, management practices, workforce training, and learning processes that span units and supply chains. Solving the emerging security challenges will require commitment to continuous improvement, as well as investments in research and development (R&D) and threat-awareness initiatives. This holistic thinking should be applied across interoperating units and supply chains.National Science Foundation, Grant No. 1552534https://deepblue.lib.umich.edu/bitstream/2027.42/145442/1/MForesight_CybersecurityReport_Web.pd