
1 I See Cube: (IC)3 TM
Interdisciplinary Consortium for Improving Critical Infrastructure Cybersecurity
DRAFT, Copyright (IC)3, 2015 (v13)

2 Filling a Critical Need for Critical Infrastructure
Security of conventional information systems is recognized as important …
– But still not fully effective (e.g., Target, Heartbleed, etc.)
Security of our Cyber-Physical Infrastructure and IoT …
– E.g., computer controlled utilities, home sensors, oil & gas sites, chemical, water, financial services, telecom, infrastructure, etc.
… is even more important, but much less research has been done.
Critical needs for Critical Infrastructure:
– (1) Justify top management attention & adoption
– (2) Define actions that can be effective & measured
– (3) Define a culture of Cyber-Safety
– (4) Create a forum for CSO/CISOs to advance Cybersecurity

3 Who is this important to? (Just about Everyone!)
White House Executive Order (2014): “… cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront...”
U.S. Secretary of Energy Ernest Moniz … “From producing wells to tank batteries to pipelines, computer networks are playing an increasingly important role in the operations of the nation's oil and gas industry … cyber threats continue to increase in frequency and sophistication …”
SEC Commissioner Luis A. Aguilar … warned that “boards that choose to ignore, or minimize the importance of cybersecurity oversight responsibility, do so at their own peril …”

4 Initial Interdisciplinary MIT Team Members
Director: Stuart Madnick – Professor of Information Technologies, MIT Sloan School of Management & Professor of Engineering Systems, MIT School of Engineering
Associate Directors: Michael Coden – Research Affiliate (former member of White House cyber study), MIT Sloan School of Management & Michael Siegel – Principal Research Scientist, MIT Sloan School of Management
Administration: Jocelyn Climent
Nazli Choucri – Professor of Political Science, MIT School of Humanities and Social Sciences
David Clark – Senior Research Scientist in Computer Science and Artificial Intelligence Laboratory (CSAIL), MIT School of Engineering
Jerrold Grochow – Research Affiliate (former MIT CIO and member of MITei cyber study), MIT Sloan School of Management
Qi Hommes – Lecturer, MIT Engineering Systems Division, MIT School of Engineering
Nancy Leveson – Professor of Aeronautics and Engineering Systems, MIT School of Engineering
Andrew Lo – Professor of Financial Engineering, MIT Sloan School of Management
Allen Moulton – Research Scientist, MIT School of Engineering
Richard Wang – Principal Research Scientist, MIT School of Engineering
John Williams – Professor of Civil and Environment Engineering and Engineering Systems, MIT School of Engineering
Raphael Yahalom – Research Affiliate (formerly co-founder of Onaro and cybersecurity researcher at Cambridge University and Hebrew University of Jerusalem), MIT Sloan School of Management

5 Examples of (IC)3 Research
MIT House of Security: (IC)3 has developed techniques to measure perceptions of security in an organization.
Accident and Safety research: (IC)3 can extend its research on accident prevention to preventing cyber events.
Control Points: (IC)3 has studied best “choke points” to interrupt a criminal enterprise.
Information Sharing & Improving CERTs: (IC)3 has studied ways to improve and better coordinate the CERTs.
Bug Bounty: (IC)3 has studied crowd source methods of bug detection, such as “bug bounty” programs.
Tipping Point Analysis: (IC)3 has used System Dynamics to understand what will make complex systems unstable.
Simulation of Systems: (IC)3 has a rich history in simulation of complex systems under a wide variety of circumstances.

6 Example: MIT House of Security
A Fundamental Model for Measuring Cybersecurity Effectiveness
[Figure: House of Security diagram. Labels: Technology Resources for Security; Financial Resources for Security; Business Strategy for Security; Security Policy & Procedures; Security Culture; Accessibility; Confidentiality; Integrity]
– The House of Security has been shown to be able to provide measurements of perceptions, awareness, profile, tier, maturity, and gaps in Cybersecurity.
– It will be further developed to provide economic measurements of cyber-risk and the value of Cybersecurity activities allowing a calculation of Cyber-ROI.

7 Example Results from Using the MIT House of Security
Using survey questions we assessed both perception of the current state of security in the organization and the desired state. The delta is the measurable gap between desired and actual.
[Figures: Gap Analysis; Current State Assessments by Three Companies: Big Differences]

8 Use Accident Research on Cyber Incidents
Apply “accident” and safety research to “cyber security” failures.
MIT has researched accidents and how to prevent them (including studying NASA problems) for many years.
We are now treating a cyber incident/event as a type of “accident” and using prior research to identify, understand, and mitigate possible “cyber-hazards.”
– Examples, such as Stuxnet and TJX, have been analyzed.
– Uncovered vulnerabilities not in previous reports

9 Control Points Analysis to Disrupt Cybercrime Ecosystem
Analyze complex cybercrime ecosystem.
We are taking a “control points” approach to determine the best “choke-point” to interrupt the overall cyber-criminal enterprise (somewhat like “follow the money.”)
Sometimes that choke point is the Internet service providers, sometimes it is the credit card companies, sometimes it is the banks.
We also study markets for malware and ways to disrupt and discredit those markets.

10 Improving Information Sharing & The Role of CERTs
Improve CERTs (Computer Emergency Response Teams).
MIT (IC)3 has talked with and studied the CERTs around the world, both national and regional CERTs and corporate CERTs.
The activities, business models, and data-sharing activities are diverse and of varying quality.
MIT (IC)3 can suggest ways to improve and better coordinate the CERTs and the clients they serve.

11 Vulnerability Detection
Improving Vulnerability Discovery and Detection: MIT has studied crowd source methods of bug detection, such as “bug bounty” programs.
– Using techniques such as System Dynamics modeling, MIT (IC)3 can determine which types of vulnerability discovery and detection techniques provide the results with the greatest value, including “bug bounty,” open source, and other approaches.

12 Cyber-Hardening & Patch Management
Patch distribution and management is complex in general and even more so for critical infrastructure situations
– Computer components are embedded within machinery (which cannot be easily shut down)
– Involve multiple manufacturers, e.g., the equipment/system may be made by Siemens, but controlled by computers running Windows software.
– MIT models, using System Dynamics, explore differing strategies and incentive systems to make patch distribution and management more effective.

13 Dynamics of Threats and Resilience (using System Dynamics modeling)
How did breaches (threats) occur? *
– 67% were aided by significant errors (of the victim)
– 64% resulted from hacking
– 38% utilized Malware
How are security and threat processes (resilience) managed? *
– Over 80% of the breaches had patches available for more than 1 year
– 75% of cases go undiscovered or uncontained for weeks or months
* Verizon Data Breach Report

14 Tipping Point Analysis
MIT has used System Dynamics models and simulations to analyze the stability of countries by understanding
– the capacity of the system to withstand disruptions
– the range of loads that could be applied to the system.
A similar analysis can be applied to complex critical infrastructure cyber systems (e.g., smart grid, refinery, emergency services, telecom, financial systems, etc.) to determine the “tipping points” that would render the system unstable.
Monitoring and Alerts – measuring how close an organization, or interconnected organizations, is coming to a “tipping point.”

15 Metrics
Organizations today have no effective way of measuring the quality of their Cyber Security efforts.
– The old adage “if you can’t measure it, you can’t manage it” applies to Cyber Security as much as any other function in a modern organization.
MIT (IC)3 is developing metrics that organizations can use to Quantify and Qualify their Cyber Security capabilities, and the organization’s ability to withstand cyber attacks and carry out its mission.
– A measurable Cybersecurity Maturity Model for describing the Quality of the Cybersecurity at an organization and the ROI of the Cybersecurity.

16 Holistic Cyber-Risk Model
Holistic Risk Analysis Model is needed to address:
– Multi-vendor environment
– Multi-purpose use of equipment/systems
– Multi-national & multi-cultural considerations
– Cross-sector validity and usability
– Multi-level system dependencies and vulnerabilities
– People, process and accident/safety considerations
Allowing simulation, including all of the above factors, of taking different actions – to predict what the benefits and costs will be.

17 (IC)3 TM Patrons, Partners, and Members

18 Why Join (IC)3?
Existing organizations are trying to address today’s threat and plan for future threats, but:
– “The CSO/CISO is too busy bailing water to plug the holes in the boat”
(IC)3 is focusing MIT’s uniquely qualified interdisciplinary faculty and researchers on the fundamental principles of cyber space, cyber crime, & cybersecurity applied to Critical Infrastructure:
– “Enabling the CSO/CISO to plug the holes in the boat”
– Creating tools to strategically develop measurable, cost effective, Cybersecurity strategies – getting ahead of the curve
Implement Cyber-safety awareness and culture change
A confidential academic forum in which to benefit from the experiences of CSO/CISOs from multiple sectors

19 Operation of (IC)3
The day-to-day operation of (IC)3 is managed by the Director of (IC)3 with the support of the (IC)3 Associate Director.
The (IC)3 Advisory Board, in consultation with the Director of (IC)3, will determine the research focus areas for each year.
The (IC)3 faculty working with full-time MIT research staff and graduate students, often in cooperation with Sponsor organizations, will conduct the research.
(IC)3 will organize and conduct two research topic-specific workshops each year.
(IC)3 will organize and conduct its Annual Conference, covering the wide range of its research topics, each year.

20 Types of Sponsors and Benefits *
Patrons: $450,000 per year – commitment for 3 years (can be 1 year for first year)
Includes all items below plus:
– Ability to suggest research projects and refinements, be considered for inclusion
– A dedicated faculty contact, with monthly consultations
– One on-site faculty presentation to the organization’s governing board
Partners: $120,00 per year – commitment for 3 years (can be 1 year for first year)
Includes all items below plus:
– Ability to suggest research areas
– Ability to re-distribute select research content to existing clients and customers [1]
– Ability to contact designated faculty via telephone
Members: $35,000 if three year commitment or $45,000 if one year commitment
– Send 2 people to annual conference and 2 workshops per year
– Access to research in the MIT-(IC)3 research database [1]
* Details on additional benefits contained in the Sponsorship Agreement
[1] Subject to 3rd party rights and bearing appropriate legends
For more information, go to

