L R ili d ll I f t tt C iti h La Resilienza delle Infrastrutture Critiche Introduzione alle Linee Guida AIIC

Sandro BolognaAIIC Coordinatore GdL Resilienza Infrastrutture Critiche

Membri del GdL: Glauco Bertocchi, Giulio Carducci, Luigi Carrozzi, Simona Cavallini, Alessandro Lazari, Gabriele Oliva, Alberto Traballesi

AIIC ColloquiaProtezione Infrastrutture Critiche – dove guardare & dove investireRoma 30 Marzo 2017Roma 30 Marzo, 2017

1

2http://www.infrastrutturecritiche.it/new/media-files/2016/04/Guidelines_Critical_Infrastructures_Resilience_Evaluation.pdf

Th t d V l biliti f C l I f t t t N t l H dThreats and Vulnerabilities of Complex Infrastructures to Natural Hazards

England August 2004 (Boscastle Village) England August 2004 (Boscastle Village) Gudrun January 2005 (Sweden, Norway, Finland, ........) Kyrill January 2007 /Germany Austria Ceck ) Kyrill January 2007 /Germany, Austria, Ceck, ........) Klaus January 2009 (France, Spain, ....) Japan Earthquake March 2011 (Japan, magnitude 9.0)p q ( p , g ) Sandy Thunderstorm December 2012 (New York) England Floods 2015 (Lancashire, Yorkshire) Central Italy Earthquake and Snowfall January 2017

3

Threats and Vulnerabilities of Complex Infrastructures to Accidental Faults

• Toulouse (France) September 2001• Liege (Belgium) October 2002• Liege (Belgium) October 2002• Priolo (Italy) April 2006• Coryton (UK) October 2007y ( )• Viareggio (Italy) June 2009• Deepwater Horizon oil spill (2010)• Fukushima (Japan) March 2011• West Texas (USA) April 2013• Binhai (PRC) August 2015• Binhai (PRC) August 2015

4

Threats and Vulnerabilities of Complex Infrastructures to Terrorist Attacks

• United States September 2001• Madrid (Spain) March 2004

L d (UK) J l 2005• Londra (UK) July 2005• Mumbai (India) 2008• In Amenas (Algeria) 2013In Amenas (Algeria) 2013

5

Threats and Vulnerabilities of Complex Infrastructures to Cyber Attacks

• US - 2006: Hacker penetrated the Water Filtering Plant’s production system

• Estonia 2007: Including banks, ministries, newspapers and broadcasters organizationsUS 2009 Comp te Spies B each • US – 2009 Computer Spies Breach Fighter-Jet Project

• Iran- 2010: Stuxnet• 2011 Anonymous’ Cyber Attack on • 2011 Anonymous Cyber Attack on

Sony• 2012 Saudi Aramco cyber attack• 2014 Germany Steel Mill2014 Germany Steel Mill• 2015 Ukrainian black out

6

Adopted Infrastructure Resilience definition

“Infrastructure resilience is the ability to reduce the magnitude and/or duration of disruptive events Themagnitude and/or duration of disruptive events. The effectiveness of a resilient infrastructure or enterprise depends upon its ability to anticipate, absorb, adapt to, and/or rapidly recover from a potentially disruptive event.” (NIAC 2009 Critical Infrastructure Resilience: Final Report and Recommendations)Final Report and Recommendations)http://www.dhs.gov/xlibrary/assets/niac/niac_critical_infrastructure_resilience.pdf

7

Graphycal Representation of Resilience A negative event occurres (i.e. a threat exploits the

vulnerability of a given component)

The system detects the occurrency of negative event

The system reacts to the negative event and tries to recoverits state

Source: ANL/DIS-12-1 Resilience: Theory and Applications

8

Question: Resilience of what to what and for whom?9

Question: Resilience of what, to what and for whom?To assess a system’s resilience, one must specify which system configuration and which

disturbances are of interest

Question: Resilience of what, to what and for whom?T t ’ ili t if hi h t fi ti d hi hTo assess a system’s resilience, one must specify which system configuration and which

disturbances are of interest10

Question: Resilience of what to what and for whom?11

Question: Resilience of what, to what and for whom?To assess a system’s resilience, one must specify which system configuration and which

disturbances are of interest

A Critical Infrastructure is not only made of technologies butespecially of people, processes and organizations.R ili t t k i id ti ll th tResilience must take in consideration all these components,plus cultural background, to be complete and successful.

Organization

Govern

Processes

People TechnologyUsesPeople Technology

Source: Adapted from the USC Marshall School of Business Institute for Critical Information Infrastructure Protection

Resilience Dimensions

Thecnical Resilience Capacities

Personal

Resilience Capacities

P di ti

Organizational

Predictive

AbsorbtiveResilience Features

Cooperation

Reactive

Restorative

Redundancy Robustness Segregation

Hierarchical Representation of the Infrastructure Resilience Model13

Four Dimensions of Resilience

Cooperative Resilience

Four Dimensions of Resilience

Organizational Resilienceg

Personal Resilience

Technical (Logical & Physical) Resilience

RTU SCADA BIOMETRIC ID

LANPLC

I b ildi d l ti ili th t ib ti d b h f th f

DATABASECCTV TOUCH ID

In building and evaluating resilience the contribution made by each of these four dimensions needs to be considered

i

Monitoring

i i

RePreventive Training

Alarms

Robustness

esil

Technical Absorptive Redundancy

Segregation

ien

R ili

Adaptive ………….

Restorative ………….

ce

IResilience Personal …………… ……………………

Organisation ……………… ……………….

Preventive Reorganization

Indi

Partnership

Absorptive Rerouting

SubstitutionAdaptive

icat

Restorative

Networking

Organization

ors

Governance

Resilience Tree representing the resilience components that contribute to the system resilience 15

ResilienceIndicatorNAME

Description  Description of the specific Resilience Indicator of the component subject to assessment 

Sub‐system/system Dimension/capacity 

To which sub‐system/system and dimension/capacity it applies: component/feature subject to assessment 

Sector ApplicabilityRelevance

Relevance for the specific CI sector  under evaluation 

Evaluation method(s) Method used for ranking the specific resilienceEvaluation method(s) Method used for ranking the specific resilience indicator

Sources / References  For more details and information 

Template for Resilience Indicators Description16

Lo3‐ DATABASESCANNING

Description Database Scanners are a specialized tool usedDescription Database Scanners are a specialized tool usedspecifically to identify vulnerabilities in databaseapplications. In addition to performing someexternal functions like password cracking, the toolsl i h i l fi i f halso examine the internal configuration of thedatabase for possible exploitable vulnerabilities.

Dimension(s) TechnicallogicalSectorApplicabilityRelevance

Very important for CI sectors with large DB,e.g.financial sector

Evaluationmethod(s) DatabasevulnerabilitiesSources/References http://samate.nist.gov/index.php/Database_Scanni

ng_Tools.htmlhttp://www.mcafee.com/us/products/security‐

f d t bscanner‐for‐databases.aspx

Example for Resilience Indicator description for Technical-Logical dimension17

Roberto BaldoniRoberto Baldoni@robertobaldoni

18

Ph4‐ PERIMETERORLOCATIONSURVEILLANCESYSTEMS

Description The latest generation of computer vision technology isrevolutionizing concepts, applications, and products in videosurveillance and CCTV. This is of prime relevance to security forlarge outdoor facilities such as commercial airfields, refineries,power plants, and office/industrial campuses. Most airfields, forexample, have open (unfenced) perimeters, high volumeheterogeneous traffic, are easily accessed on foot or by water, andexist in areas where regulations providing a safety buffer aredifficult to legislate or enforce. And all airfields require 24x7outdoor monitoring – snow, fog, rain or shine. Likewise, mosthigh‐value facilities appealing to criminals and terrorists are inclose proximity to public areas (roads, residences, city, etc.).

Dimensions TechnicalphysicalSectorApplicabilityRelevance

Tobeestimatedbythesectorspecificexperts

Evaluationmethods DegreeofimplementationSources/References http://www.sitepitalia.it/products/security/surveillance‐and‐

perimeter‐monitoring‐systemhttp://www.objectvideo.com/rad‐services/publications.html

19

Example for Resilience Indicator description for Technical-Physical dimension

PE1 ‐ Employees are trained andmade aware of resilience requirementsPE1‐ Employeesaretrainedandmadeawareofresiliencerequirements

Description Employeesreceivestandardtrainingand,furthertothat,areintroducedtothebasicconceptsofresilience.

Dimensions PersonalandorganizationalSectorA li bilit

Tobeestimatedbythesectorspecificexperts.HumanResourcesD t t h ld h i ifi t l i thi l tiApplicability

RelevanceDepartmentshouldhaveasignificantroleinthisevaluation

Evaluationmethods

Presence/absencemethodsSources/References

M.Mullen“OnTotalForceFitnessinWarandPeace”– MILITARYMEDECINE,175,8:1,2010CarlinLeslie,AirForcePublicAffairsAgencyOL‐P“ComprehensiveAirmanFitness:ALifestyleandCulture”,August19,2014.

Example for Resilience Indicator description for Personal dimension

20

Example for Resilience Indicator description for Personal dimension

Or5– GovernanceFramework‐ RoleandresponsibilitiesdefinitionforResilience

Description Provide the organizational model to enable the resilience coordination, command and controlwithin organizations such as the roles and responsibilities assumed by institutions and otherbusiness or governmental entities to face national interest incidents. For example withinorganizations role and responsibilities of designated personnel responsible for managing crisisprocedures performing risk management process or responding security threats andprocedures, performing risk management process or responding security threats andemergencies are to be identified and explained. At national level for the US Department ofHomeland Security manages a bottom‐up network of entities from local first responders tonationwide threat analysis and emergency response centers like the National Cybersecurity andCommunications Integration Center (NCCIC).

Dimensions OrganizationalSectorApplicabilityRelevance

Tobeestimatedbythesectorspecificexperts

Evaluationmethods

Presence&MaturitylevelofAdoptionbytheOrganization

Sources/References

www.cosla.gov.uk/system/files/private/cw130219item12annex.pdf

https://wwwhsdl org/?view&did=733614https://www.hsdl.org/?view&did 733614

http://www.cio.ca.gov/ois/government/documents/pdf/iso_roles_respon_guide.pdf

E l f R ili I di t d i ti f O i ti l di i

21

Example for Resilience Indicator description for Organizational dimension

Co1‐ Organization’srelationshipwithbusinesspartners

Description A partnership is where two or more people need to work together to accomplish a goal while building trust and a mutually benefiial relationship This meaish a goal while building trust and a mutually benefiial relationship. This means the partnership is voluntarily agreed upon, built on the desire to have trust, and based on agreed‐upon mutual benefits.Relationships impact every aspect of business operations. Collaboration may occuras individual one‐to‐one partnerships or it may involve multiple parties workingas individual one to one partnerships or it may involve multiple parties workingtogether such as external alliance partners, suppliers, internal divisions andcustomers. An organization must therefore take a structured approach topartnering and be confident that the relationship will complement and enhanceexisting business activitiesexisting business activities.

Dimensions CooperativeSectorApplicabilityRelevance

Tobeestimatedbythesectorspecificexperts

RelevanceEvaluationmethods

Degreeofimplementation

Sources/ http://www.bsigroup.com/LocalFiles/en‐GB/bs‐11000/resources/BSI‐BS‐11000‐References implementation‐guide‐UK‐EN.pdf

Example for Resilience Indicator description for Cooperational dimensionExample for Resilience Indicator description for Cooperational dimension

22

40Lo1

102030

Lo2Lo5

010

Lo3Lo4

Radar Chart is suggested to represent ALL Indicators for the same DIMENSION(Technical Physical, Technical Logical, Personel, Organizational, Cooperation)

23

ChiefKEY ROLES IN THE ORGANISATION

First challenge: Different Responsibles for the CIs Key Roles

Chief Executive Officer

Chief Information 

Officer

Chief Security Officer

Chief Information and Security 

Officer

Human Resources Director

Security Liason Officer

Business continuity manager

Supply chain manager

Other

CEO CIO CSO CISO HR Director SLO BCM SCM ….

RESILIENCE INDICATORS

Lo01Lo02Lo03….

Ph01Ph02Ph03….

Pe01Pe02Pe03…..Or01Or01Or02Or03…

Co01Co01Co02Co03…

The general matrix with resilience indicators by row and possible key role in the

24

The general matrix with resilience indicators by row and possible key role in the organisation by column that should be customized for each specific CI

operator/owner

Second challenge: how to estimate a numerical value for the CI Resilience

RESILIENCE: How to Construct Composite Resilience Indexat different levels of abstraction

RSYSTEM = f(RTECH, RPERS, RORG, RPART)

The Challenge

Data emanating from the four dimensions have to be correlated and a composed value of resilience for the overall CI inferred using tailored aggregation algorithm account for the dependency level between theaggregation algorithm account for the dependency level between the resilience of the different dimensions and layers.

25

From the INCOSE Systems Engineering Handbook, fourth edition, 2015:

“Resilience is an emergent and nondeterministic property of a

From Resilience Engineering to Resilience Evaluation

Resilience is an emergent and nondeterministic property of a system” It is emergent because it cannot be determined by the examination of It is emergent because it cannot be determined by the examination of

It is nondeterministic because the wide variety of possible system It is nondeterministic because the wide variety of possible system y

individual elements of the system. The entire system and the interaction among the elements must be examined.

yindividual elements of the system. The entire system and the interaction among the elements must be examined.

y p ystates at the time of the disruption cannot be characterized either deterministically or probabilistically.

y p ystates at the time of the disruption cannot be characterized either deterministically or probabilistically.

“The purpose of engineering a resilient system is to determine the architecture and/or other system

14 “Resilience Principles” are defined, supporting 6 “System Attributes” that will enhance resilience:architecture and/or other system

characteristics that will anticipate, survive, and recover from a disruption or multiple disruptions”

enhance resilience: Resilience of Engineered Systems

Capacity

• Absorption• Absorption

Buffering

• Layered defense• Layered defense

Adaptability

• Drift correction• Drift correctiondisruption or multiple disruptions p• Physical 

redundancy• Functional 

redundancy

p• Physical 

redundancy• Functional 

redundancy

y• Reduce 

complexity• Reduce hidden 

interactions

y• Reduce 

complexity• Reduce hidden 

interactions

• Neutral state• Human in the 

loop• Loose coupling

• Neutral state• Human in the 

loop• Loose coupling

Flexibility

• Reorganization• Repairability• Reorganization• Repairability

Tolerance

• Localized capacity• Localized capacity

Cohesion

• Internode interaction

• Internode interaction

Adapted from: Jackson, S., & Ferris, T. (2013). Systems Engineering, 16(2), 152-164, Figure 2: Resilience Taxonomy. Available at:https://www.researchgate.net/publication/277141735_Resilience_Principles_for_Engineered_SystemsAccessed on August 23, 2016.

Thank you for your attentiony y

for any further information

Sandro Bologna

for any further information

gAIIC Coordinatore GdL Resilienza Infrastrutture Critiches.bologna@infrastrutturecritiche.it

http://www.infrastrutturecritiche.it/new/

27