nach oben

Erschienen in:

2017 | OriginalPaper | Buchkapitel

14. Bridging the Gap from Cyber Security to Resilience

verfasst von : Paul E. Roege, Zachary A. Collier, Vladyslav Chevardin, Paul Chouinard, Marie-Valentine Florin, James H. Lambert, Kirstjen Nielsen, Maria Nogal, Branislav Todorovic

Erschienen in: Resilience and Risk

Verlag: Springer Netherlands

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

This chapter describes an evolution of practices in community and business assurance from protective programs based upon risk management to the emerging strategy of resilience. The chapter compares and contrasts these two basic approaches, identifying notable gaps where cyber security lags in the larger transformation. Recommendations address concepts, techniques, and strategies for integration of the cyber world with the physical and human worlds, and opportunities for future research.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Vorheriges Kapitel Realising Critical Infrastructure Resilience

Nächstes Kapitel Cyber-Transportation Resilience. Context and Methodological Framework

Ablong L, Libicki MC, Galay AA (2014) Markets for cybercrime tools and stolen data: hackers’ bazaar. RAND Corporation Report RR-610-JNI. http://www.rand.org/content/dam/rand/pubs/research_reports/RR600/RR610/RAND_RR610.pdf

Abramovici M, Bradley P (2009) Integrated circuit security: new threats and solutions. In: Proceedings of the 5th annual workshop on cyber security and information intelligence research: cyber security and information intelligence challenges and strategies. ACM, p 55

Alberts D (2002) Information age transformation: getting to a 21st century military. DOD Command and Control Research Program, Washington, DC

Bell DE, LaPadula LJ (1973) Secure computer systems: Mathematical foundations (No MTR-2547-VOL-1). MITRE Corporation, Bedford

Bodeau D, Graubart R (2016) Cyber resilience metrics: key observations. Case No. 16–0779. The MITRE Corporation

Branlat M, Morison A, Woods DD (2011) Challenges in managing uncertainty during cyber events: lessons from the staged-world study of a large-scale adversarial cyber security exercise. Human Systems Integration Symposium, Vienna VA, 10–25 to 10–27, 2011

Caralli RA, Allen JH, Curtis PD, White DW, Young LR (2010) CERT resilience management model, Version 1.0: Improving Operational Resilience Processes. http://www.sei.cmu.edu/reports/10tr012.pdf

Cimellaro GP, Reinhorn AM, Bruneauc M (2010) Framework for analytical quantification of disaster resilience. J Eng Struct 32(2010):3639–3649CrossRef

Clark D, Berson T, Lin H (2015) At the Nexus of cybersecurity and public policy, some basic concepts and issues. National Research Council, The National Academies Press, Washington, DC. http://www.nap.edu/catalog/18749/at-the-nexus-of-cybersecurity-and-public-policy-some-basic

Collier ZA, Linkov I, DiMase D, Walters S, Tehranipoor M, Lambert JH (2014) Cybersecurity standards: managing risk and creating resilience. Computer 47(9):70–76CrossRef

Collier ZA, Panwar M, Ganin AA, Kott A, Linkov I (2016) Security metrics in industrial control systems. In: Colbert EJM, Kott A (eds) Cyber-security of SCADA and other industrial control systems. Springer, Cham, pp 167–185CrossRef

Dessavreand DG, Ramirez-Marquez JE (2015) Computational techniques for the approximation of total system resilience. In: Podofillini L, Sudret B, Stojadinovic B, Zio E, Kröger W (eds) Safety and reliability of complex engineered systems. CRC Press, Boca Raton, pp 145–150CrossRef

Diffie W, Hellman M (1976) New directions in cryptography. IEEE Trans Inf Theory 22(6):644–654MathSciNetCrossRefMATH

DiMase D, Collier ZA, Heffner K, Linkov I (2015) Systems engineering framework for cyber physical security and resilience. Environ Syst Decis 35(2):291–300CrossRef

Ernst & Young (2014) The DNA of the CIO: opening the door to the C-suite. http://www.ey.com/Publication/vwLUAssets/ey-the-dna-of-the-cio/$FILE/ey-the-dna-of-the-cio.pdf

European Commission (2013) Cybersecurity strategy of the European Union: an open, safe and secure cyberspace. https://eeas.europa.eu/policies/eu-cyber-security/cybsec_comm_en.pdf

European Union Agency for Network and Information Security (2014) An evaluation framework for National Cyber Security Strategies. ISBN: 978-92-9204-109-0, DOI: 10.2824/3903

FIRST (2015) Common vulnerability scoring system v3.0: specification document. CVSS v3.0 specification (v1.7). https://www.first.org/cvss/cvss-v30-specification-v1.7.pdf

FORBES (2014) Why cyber security is not enough: you need cyber resilience. http://www.forbes.com/sites/sungardas/2014/01/15/why-cyber-security-is-not-enough-you-need-cyber-resilience/#461e9a695799. Retrieved 7 November, 2016

Ford R, Cavalho M, Mayron L, Bishop M (2012) Toward metrics for cyber resilience. In: 21st EICAR (European Institute for Computer Anti-Virus Research) annual conference proceedings

Garcia A, Horowitz B (2007) The potential for underinvestment in internet security: implications for regulatory policy. J Regul Econ 31(1):37–51CrossRef

Haimes YY (1991) Total risk management. Risk Anal 11(2):169–171CrossRef

Horowitz B, Crawford J (2007) Application of collaborative risk analysis to cyber security investment decisions. Fin Ser Technol Consorti Innov J 2(1):2–5

Husdal J (2010) A conceptual framework for risk and vulnerability in virtual enterprise networks. In: Ponis S (ed) Managing risk in virtual enterprise networks: implementing supply chain principle. IGI Global, Hershey, pp 1–27. doi:10.4018/978-1-61520-607-0.ch001

Identity Theft Resource Center (2016) Data breach reports. May 31, 2016. http://www.idtheftcenter.org/images/breach/DataBreachReports_2016.pdf

IRGC (2010) Emerging risks: sources, drivers, and governance issues. International Risk Governance Council, Geneva. https://www.irgc.org/risk-governance/emerging-risk/irgc-concept-of-contributing-factors-to-risk-emergence/sources-drivers-and-governance-issues/

IRGC (2015a) Comparing methods for terrorism risk assessment with methods in cyber security. Workshop report, International Risk Governance Council, Lausanne. https://www.irgc.org/wp-content/uploads/2016/01/Terrorism-Cyber-Security-28-29-May-2015-Workshop-Report.pdf

IRGC (2015b) Cyber-security risk governance, workshop report, International Risk Governance Council, Lausanne https://www.irgc.org/wp-content/uploads/2016/01/Cyber-Security-Risk-Governance-29-30-October-2015-Workshop-Report.pdf

Kaplan S, Garrick BJ (1981) On the quantitative definition of risk. Risk Anal 1(1):11–27CrossRef

Karvetski CW, Lambert JH (2012) Evaluating deep uncertainties in strategic priority-setting with an application to facility energy investments. Syst Eng 15(4):483–493CrossRef

Kaspersky Lab (2015) Kaspersky security bulletin 2015: overall statistics for 2015. https://securelist.com/analysis/kaspersky-security-bulletin/73038/kaspersky-security-bulletin-2015-overall-statistics-for-2015/

Kelic A, Collier ZA, Brown C, Beyeler WE, Outkin AV, Vargas VN, Ehlen MA, Judson C, Zaidi A, Leung B, Linkov I (2013) Decision framework for evaluating the macroeconomic risks and policy impacts of cyber attacks. Environ Syst Decis 33(4):544–560CrossRef

Lambert JH, Keisler JM, Wheeler WE, Collier ZA, Linkov I (2013a) Multiscale approach to the security of hardware supply chains for energy systems. Environ Syst Decis 33(3):326–334CrossRef

Lambert JH, Parlak AI, Zhou Q, Miller JS, Fontaine MD, Guterbock TM, Clements JL, Thekdi SA (2013b) Understanding and managing disaster evacuation on a transportation network. Accid Anal Prev 50(1):645–659CrossRef

Lambert, J.H., C.W. Karvetski, D.K. Spencer, B.J Sotirin, D.M. Liberi, H.H. Zaghloul, J.B. Koogler, S.L. Hunter, W.D. Goran, R.D. Ditmer, and I. Linkov 2012. Prioritizing infrastructure investments in Afghanistan with multiagency stakeholders and deep uncertainty of emergent conditions. ASCE J Infrastruct Syst 18(2): 155–166.

Linkov I, Eisenberg DA, Plourde K, Seager TP, Allen J, Kott A (2013) Resilience metrics for cyber systems. Environ Syst Decis 33(4):471–476CrossRef

Linkov I, Bridges T, Creutzig F, Decker J, Fox-Lent C, Kröger W et al (2014) Changing the resilience paradigm. Nat Clim Chang 4(6):407–409CrossRef

Lowrance WW (1976) Of acceptable risk: science and the determination of safety. William Kaufman Inc.

Maitra AK (2015) Offensive cyber-weapons: technical, legal, and strategic aspects. Environ Syst Decis 35(1):169–182CrossRef

McIntyre A, Becker B, Halbgewachs R (2007) Security metrics for process control systems. SAND2007-2070P. Sandia National Laboratories, U.S. Department of Energy, Albuquerque

National Infrastructure Advisory Council (2013) Strengthening regional resilience through national, regional, and sector partnerships: DRAFT report and recommendations. November 21, 2013. http://www.dhs.gov/sites/default/files/publications/niac-rrwg-report-final-review-draft-for-qbm.pdf

NIST (2011) Managing information security risk: organization, mission, and information system view. NIST Special Publication 800–39. National Institute of Standards and Technology, US Department of Commerce, Gaithersburg

NIST (2014) Framework for improving critical infrastructure cybersecurity, version 1.0. National Institute of Standards and Technology, US Department of Commerce, Gaithersburg

Panda Security (2010) The cyber-crime black market: uncovered. http://www.pandasecurity.com/mediacenter/src/uploads/2014/07/The-Cyber-Crime-Black-Market.pdf

Parlak A, Lambert JH, Guterbock T, Clements J (2012) Population behavioral scenarios influencing radiological disaster preparedness and planning. Accid Anal Prev 48:353–362CrossRef

Pfleeger SL, Cunningham RK (2010) Why measuring security is hard. IEEE Secur Privacy 8(4):46–54CrossRef

Pollet, J. (2002, November 19–21) Developing a solid SCADA strategy. Sicon/02 – sensors for industry conference. Houston, Texas, USA

Ponemon Institute (2016) 2016 cost of data breach study: global analysis. Ponemon Institute Research Report, Published June 2016

PwC (2016) Global economic crime survey 2016. http://www.pwc.com/gx/en/economic-crime-survey/pdf/GlobalEconomicCrimeSurvey2016.pdf. Accessed 29 June 2016

Rinaldi S, Peerenboom J, Kelly T (2001) Identifying, understanding, and analyzing critical infrastructure interdependencies. IEEE Control Syst Mag 21(6):11–25CrossRef

Roege P, Hope T, Delaney P (2014) Resilience: modeling for conditions of uncertainty and change. MODSIM World 2014, Newport News, VA, 15–17 April 2014, paper no. MS1476. http://daviescon.com/wp-content/uploads/2012/08/Final-Energy-Resilience-MODSIM-2014-Paper_14-Mar-14.pdf

Savage K, Coogan P, Lau H (2015) The evolution of ransomware. Symantec. http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-evolution-of-ransomware.pdf

Shannon CE (1948). A mathematical theory of communication. Bell Syst Tech J 27(3):379–423

Shannon CE (1949) Communication theory of secrecy systems. Bell Syst Tech J 28(4):656–715MathSciNetCrossRefMATH

Shakarian P, Lei H, Lindelauf R (2014) Power grid defense against malicious cascading failure. Presented at 13th international conference of autonomous agnets and multiagent systems, Paris, France, 5–9 May 2014, arXiv:1401.1086

Simmons GJ (1985, April). The practice of authentication. In: Workshop on the theory and application of of cryptographic techniques (pp. 261–272). Springer, Berlin/Heidelberg

Smirnov A, Kashevnik A, Shilov N, Makklya A, Gusikhin O (2013, November) Context-aware service composition in cyber physical human system for transportation safety. In: ITS Telecommunications (ITST), 2013 13th international conference on (pp 139–144). IEEE

Sridhar S, Hahn A, Govindarasu M (2012) Cyber–physical system security for the electric power grid. Proc IEEE 100(1):210–224CrossRef

Stouffer K, Falco J, Scarfone K (2011) Guide to Industrial Control Systems (ICS) security. Special Publication 800–82. National Institute of Standards, Gaithersburg. http://csrc.nist.gov/publications/nistpubs/800-82/SP800-82-final.pdf

Teng K, Thekdi SA, Lambert JH (2012) Identification and evaluation of priorities in the business process of a risk or safety organization. Reliab Eng Syst Saf 99:74–86CrossRef

Teng K, Thekdi SA, Lambert JH (2013) Risk and safety program performance evaluation and business process modeling. IEEE Transac Syst Man Cybernetics Part A 42(6):1504–1513CrossRef

Thorisson H, Lambert JH, Cardenas JJ, Linkov I (2016) Resilience analytics for power grid capacity expansion in a developing region. To appear in Risk Analysis

Tierney K, Bruneau M (2007) Conceptualizing and measuring resilience: A key to disaster loss reduction. TR News 250:14–17

Tversky A, Kahneman D (1973) Availability: a heuristic for judging frequency and probability. Cogn Psychol 5(2):207–232

US Department of Energy (2002) 21 steps to improve cyber security of SCADA networks. US Department of Energy, Washington, DC. http://energy.gov/sites/prod/files/oeprod/DocumentsandMedia/21_Steps_-_SCADA.pdf

US Department of Energy (2014) Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2). Version 1.1. http://energy.gov/sites/prod/files/2014/02/f7/ES-C2M2-v1-1-Feb2014.pdf

US Department of Homeland Security (2016a) National Planning Frameworks web site: http://www.fema.gov/national-planning-frameworks

US Department of Homeland Security (2016b) Cyber Resilience Review (CRR): method description and self-assessment user guide. US Department of Homeland Security. https://www.us-cert.gov/sites/default/files/c3vp/csc-crr-method-description-and-user-guide.pdf

US White House (2013) Presidential Policy Directive 21 – critical infrastructure security and resilience. https://www.whitehouse.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil

US White House (2016) Presidential Policy Direction 41 – United States cyber incident coordination. https://www.whitehouse.gov/the-press-office/2016/07/26/presidential-policy-directive-united-states-cyber-incident

Veitch CK, Henry JM, Richardson BT, Hart DH (2013) Microgrid cyber security reference architecture, Version 1.0. SAND2013-5472. Sandia National Laboratories, Albuquerque, New Mexico

Woods DD (2012) Chapter 9: Resilience and the ability to anticipate. In: Pariès MJ, Wreathall MJ, Woods DD, Hollnagel E (eds) Resilience engineering in practice: a guidebook. Ashgate Publishing Ltd, Farnham

World Economic Forum (2015) Partnering for cyber resilience: towards the quantification of cyber threats. http://www3.weforum.org/docs/WEFUSA_QuantificationofCyberThreats_Report2015.pdf

Xiong G, Zhu F, Liu X, Dong X, Huang W, Chen S, Zhao K (2015) Cyber-physical-social system in intelligent transportation. IEEE/CAA J Automat Sin 2(3):320–333MathSciNetCrossRef

Young W, Leveson NG (2014) An integrated approach to safety and security based on systems theory. Commun ACM 57(2):31–35CrossRef

Titel: Bridging the Gap from Cyber Security to Resilience
verfasst von: Paul E. Roege
Zachary A. Collier
Vladyslav Chevardin
Paul Chouinard
Marie-Valentine Florin
James H. Lambert
Kirstjen Nielsen
Maria Nogal
Branislav Todorovic
Verlag: Springer Netherlands
Buch: Resilience and Risk
Print ISBN: 978-94-024-1122-5

Electronic ISBN: 978-94-024-1123-2

Copyright-Jahr: 2017
DOI: https://doi.org/10.1007/978-94-024-1123-2_14

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"