Presentation is loading. Please wait.

Presentation is loading. Please wait.

100111010101110100010100101010101010101001001010101001010000010111011 100111010101110100000110101010111010101010111101111000110111010011101 101101010111111000010101110100110011011111000011010011101001000101110.

Similar presentations

Presentation on theme: "100111010101110100010100101010101010101001001010101001010000010111011 100111010101110100000110101010111010101010111101111000110111010011101 101101010111111000010101110100110011011111000011010011101001000101110."— Presentation transcript:

1 I See Cube (IC) I See Cube (IC) (IC) 3 DRAFT, Copyright (IC) 3, 2014 TM TM

2 Security of conventional information systems is recognized as important … – But still not fully effective (e.g., Target, Heartbleed, etc.) Security of our Cyber-Physical Infrastructure … – E.g., computer controlled utilities, oil & gas sites, chemical, water, financial services, telecom, infrastructure, etc. … is even more important, but much less research has been done. Critical needs for Critical Infrastructure: – (1) Justify top management attention & adoption – (2) Define actions that can be effective & measured – (3) Define a culture of Cyber-Safety – (4) Create a forum for CSO/CISO’s to advance Cybersecurity 2 DRAFT, Copyright (IC) 3, 2014

3 White House Executive Order (2014): “… cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront...” SEC Commissioner Luis A. Aguilar … warned that “boards that choose to ignore, or minimize the importance of cybersecurity oversight responsibility, do so at their own peril …” U.S. Secretary of Energy Ernest Moniz.. “ From producing wells to tank batteries to pipelines, computer networks are playing an increasingly important role in the operations of the nation's oil and gas industry … cyber threats continue to increase in frequency and sophistication …” 3 DRAFT, Copyright (IC) 3, 2014

4 Research & Development of Strategies, Models, and Tools that will enable critical infrastructure organizations to more effectively address their Cybersecurity needs – by applying interdisciplinary approaches to common problems that affect all Critical Infrastructure Sectors, and – building on, and aligning for multi-nationals, existing government, and industry initiatives including: White House / NIST “Framework for Improving Critical Infrastructure Cybersecurity” ISA/IEC-62443, ISO 27001/2, NIST SP 800, and other guidelines/standards NERC-CIP, HIPAA, Gramm-Leach-Bliley Act, Homeland Security Act and other government regulations Cybersecurity Frameworks, Strategies, and regulations of other countries 4 DRAFT, Copyright (IC)3, 2014

5 1.Determining the Barriers to, and Incentives for, adoption of the Cybersecurity Framework. 2.Developing strategies to increase adoption by the C- Suite, in each Critical Infrastructure sector. 3.Models linking Cyber-Risk to: delivering goods and services, & financial & reputational costs. 4.Atomic Models & Network Architectures for interconnected Control Systems’ survivability, and Supply Chain resiliency. 5.Determining the Barriers to, and strategies for creating a Cybersecurity Culture. 5 DRAFT, Copyright (IC) 3, 2014

6 6 Technology Resources for Security Financial Resources for Security Business Strategy for Security Security Policy & Procedures Security Culture Accessibility Confidentiality Integrity A Fundamental Model for Measuring Cybersecurity Effectiveness  The House of Security has been shown to be able to provide measurements of perceptions, awareness, profile, tier, maturity, and gaps in Cybersecurity.  It will be further developed to provide economic measurements of cyber-risk and the value of Cybersecurity activities allowing a calculation of Cyber-ROI. DRAFT, Copyright (IC) 3, 2014

7 Using survey questions we assessed both perception of the current state of security in the organization and the desired state. The delta is the measureable gap between desired and actual. 7 Gap Analysis DRAFT, Copyright (IC) 3, 2014 Current State Assessments by Three Companies: Big Differences

8 The traditional Cyber security Triangle: – Confidentiality – Availability – Integrity The Cybersecurity Framework Core: – Identify – Protect – Detect – Recover – Restore 8 The MIT House of Security mapping: – Confidentiality – Accessibility – Integrity – Technology Resources – Financial Resources – Business Strategy – Policy & Procedure – Security Culture DRAFT, Copyright (IC) 3, 2014

9 Stuart Madnick – Professor of Information Technologies, MIT Sloan School of Management & Professor of Engineering Systems, MIT School of Engineering Nazli Choucri – Professor of Political Science, MIT School of Humanities and Social Sciences David Clark – Senior Research Scientist in Computer Science and Artificial Intelligence Laboratory (CSAIL) Michael Coden – Research Affiliate (former member of White House cyber study) Jerrold Grochow – Research Affiliate (former MIT CIO and member of MITei cyber study) Nancy Leveson – Professor of Aeronautics and Engineering Systems, MIT School of Engineering Andrew Lo – Professor of Financial Engineering, MIT Sloan School of Management Allen Moulton – Research Scientist, MIT School of Engineering Michael Siegel – Principal Research Scientist, MIT Sloan School of Management Richard Wang – Principal Research Scientist, MIT School of Engineering John Williams – Professor of Civil and Environment Engineering and Engineering Systems, MIT School of Engineering 9 DRAFT, Copyright (IC) 3, 2014

10 (IC) 3 will apply expertise from multiple disciplines in its research on Cybersecurity issues of Critical Infrastructure. Faculty from MIT Sloan School of Management, MIT School of Engineering, and MIT School of Humanities (Political Science) (IC) 3 will address complex Cybersecurity issues using techniques such as: – Multi-dimensional data aggregation & quality – System Dynamics, Modeling and Simulation – Internet, Network, and Communication Architecture – Applying Accident and Safety Theory to Cybersecurity – Cross border and international policy & implications – Control point analysis – Risk analysis and liability modeling – People and process modeling: Users and operators as well as Cyber criminals 10 DRAFT, Copyright (IC) 3, 2014

11 11 DRAFT, Copyright (IC) 3, 2014

12 MIT House of Security: MIT has developed techniques to measure perceptions of security in an organization Accident and Safety research: MIT can extend its research on accident prevention to preventing cyber events. Control Points: MIT has studied best “choke points” to interrupt a criminal enterprise. Improving CERTs: MIT has studied and suggested ways to improve and better coordinate the CERTs. Bug Bounty: MIT has studied crowd source methods of bug detection, such as “bug bounty” programs. Tipping Point Analysis: MIT has used System Dynamics to understand what will make complex systems unstable. Simulation of Systems: MIT has a rich history in simulation of complex systems under a wide variety of circumstances. 12 DRAFT, Copyright (IC) 3, 2014

13 Apply “accident” and safety research to “cyber security” failures. MIT has researched accidents and how to prevent them (including studying NASA problems) for many years. We are now treating a cyber incident/event as a type of “accident” and using prior research to identify, understand, and mitigate possible “cyber-hazards.” – Examples, such as TJX and Stuxnet, have been analyzed. 13 DRAFT, Copyright (IC) 3, 2014

14 Analyze complex cybercrime ecosystem. We are taking a “control points” approach to determine the best “choke-point” to interrupt the overall cyber-criminal enterprise (somewhat like “follow the money.”) Sometimes that choke point is the Internet service providers, sometimes it is the credit card companies, sometimes it is the banks. We will also study markets for malware and ways to disrupt and discredit those markets 14 DRAFT, Copyright (IC) 3, 2014

15 Improve CERTs (Computer Emergency Response Teams). MIT has talked with and studied the CERTs around the world — both national and regional CERTs and corporate CERTs. (CERTs are the FEMAs for computer catastrophes.) The activities, business models, and data-sharing activities are diverse and of varying quality. MIT (IC) 3 can suggest ways to improve and better coordinate the CERTS and the clients they serve. 15 DRAFT, Copyright (IC) 3, 2014

16 Improving Vulnerability Discovery and Detection: MIT has studied crowd source methods of bug detection, such as “bug bounty” programs. – Using techniques such as System Dynamics modeling MIT (IC) 3 can determine which types of vulnerability discovery and detection techniques provide the results with the greatest value, including “bug bounty,” open source, and other approaches. 16 DRAFT, Copyright (IC) 3, 2014

17 Patch distribution and management is complex in general and even more so for critical infrastructure situations – Computer components are embedded within machinery (which cannot be easily shut down) and involve multiple manufacturers e.g., the equipment/system may be made by Siemens, but controlled by computers running Windows software. – MIT has developed models to explore differing strategies and incentive systems to make patch distribution and management more effective. 17 DRAFT, Copyright (IC) 3, 2014

18 MIT has used System Dynamics models and simulations to analyze the stability of countries by understanding the capacity of the system to withstand disruptions and the range of loads that could be applied to the system. This can be applied to complex critical infrastructure cyber systems (eg: smart grid, refinery, emergency services, telecom, financial systems, etc.) to determine the “tipping points” that would render such a system unstable. Monitoring and Alerts – measuring how close an organization, or interconnected organizations, is coming to a “tipping point.” 18 DRAFT, Copyright (IC) 3, 2014

19 Simulation of system performance and resilience under different conditions. We can model systems under various circumstances, such as when one or more subsystems have failed or are under attack. We can assess how the system’s mission is affected by multiple simultaneous attacks. Such simulations can be used to create strategies and plans to mitigate the effects. 19 DRAFT, Copyright (IC) 3, 2014

20 Organizations today have no effective way of measuring the quality of their Cyber Security efforts. – The old adage “if you can’t measure it, you can’t manage it” applies to Cybersecurity. MIT (IC) 3 can develop metrics which organizations can use to Quantify and Qualify their Cyber Security capabilities, and the organizations ability to withstand cyber attacks and carry out its mission. – A measureable Cybersecurity Maturity Model for describing the Quality of the Cybersecurity at an organization and the ROI of the Cybersecurity. 20 DRAFT, Copyright (IC) 3, 2014

21 Holistic Risk Analysis Model is needed to address: – Multi-vendor environment – Multi-purpose use of equipment/systems – Multi-national & multi-cultural considerations – Cross-sector validity and usability – Multi-level system dependencies and vulnerabilities – People, process and accident/safety considerations Allowing simulation, including all of the above factors, of taking different actions – to predict what the benefits and costs will be. 21 DRAFT, Copyright (IC) 3, 2014

22 22 DRAFT, Copyright (IC) 3, 2014

23 Existing organizations are trying to address today’s threat and how to stop attacks in progress, but: – “The CSO/CISO is too busy bailing water to plug the holes in the boat” (IC) 3 is focusing MIT’s uniquely qualified interdisciplinary researchers on the fundamental principles of cyber space, cyber crime, & cybersecurity applied to Critical Infrastructure: – “Enabling the CSO/CISO to plug the holes in the boat” – Giving CSO/CISOs tools to Strategically develop measureable, cost effective, Cybersecurity strategies – getting ahead of the curve Implement Cyber-safety awareness and culture change A confidential academic forum in which to benefit from the experiences of CSO/CISOs from multiple sectors 23 DRAFT, Copyright (IC) 3, 2014

24 The day-to-day operation of (IC) 3 is managed by the Director of (IC) 3 with the support of the (IC) 3 Associate Director. The (IC) 3 Advisory Board, in consultation with the Director of (IC) 3, will determine the research focus areas for each year. The (IC) 3 faculty working with full-time MIT research staff and graduate students, often in cooperation with Sponsor organizations, will conduct the research. (IC) 3 will organize and conduct two research topic-specific workshops each year. (IC) 3 will organize and conduct its Annual Conference, covering the wide range of its research topics, each year. 24 DRAFT, Copyright (IC) 3, 2014

25 Patrons: $450,000 per year – commitment for 3 years (can be 1 year for first year) Includes all items below plus: – Ability to suggest research projects and refinements, be considered for inclusion – A dedicated faculty contact, with monthly consultations – One on-site faculty presentation to the organization’s governing board Partners: $120,00 per year – commitment for 3 years (can be 1 year for first year) Includes all items below plus: – Ability to suggest research areas – Ability to re-distribute select research content to existing clients and customers 1 Ability to contact designated faculty via telephone Members: $35,000 if three year commitment or $45,000 if one year commitment – Send 2 people to annual conference and 2 workshops per year – Access to research in the MIT-(IC) 3 research database 1 * Details on additional benefits contained in the Sponsorship Agreement 1 Subject to 3 rd party rights and bearing appropriate legends 25 DRAFT, Copyright (IC) 3, 2014

Download ppt "100111010101110100010100101010101010101001001010101001010000010111011 100111010101110100000110101010111010101010111101111000110111010011101 101101010111111000010101110100110011011111000011010011101001000101110."

Similar presentations

Ads by Google