Critical Infrastructure in a CyberPhysicalHuman World

Transcription

1 Critical Infrastructure in a CyberPhysicalHuman World December 2015 Approved for Public Release; Distribution Unlimited The MITRE Corporation. All rights reserved.

2 Chris Folk, MBA, Director, National Protection Division- The MITRE Corporation 2 MITRE is: A private, independent, not-for-profit organization, chartered to work in the public interest MITRE manages and operates 7 FFRDCs to include the Homeland Security Systems Engineering and Development Institute (HSSEDI) for DHS Primary contributor to a number of Homeland Security related cybersecurity thought leadership, strategies and publications, including: Enabling Distributed Security in Cyberspace - Building a Healthy and Resilient Cyber Ecosystem with Automated Collective Action, published by DHS in 2011; The PROTeX series; 2012 and 2013 ; The Security Implications of the Internet of Things (AFCEA) 2015; MITRE Blog series on The CyberPhysicalHuman World of Homeland Security MITRE 2015; a Comprehensive and sustained National Education and Awareness Campaign for Cybersecurity (AFCEA) 2015 Advisor to Washington Cyber Roundtable, member AFCEA Cyber Committee; lead for Corporate Critical Infrastructure Security & Resilience (CISR) Strategy, lead for civil cybersecurity programs. Speaks regularly at national and international cyber and homeland security events.

3 Welcome to a Cyberphysicalhuman world! 3

4 Many Definitions Internet-of-things (IOT) NSTAC: An expansion of the global infrastructure through existing and evolving interoperable information and communication technologies. It incorporates the interconnection of physical and virtual systems to enable new and autonomous capabilities. IEEE: The IOT is a selfconfiguring and adaptive system consisting of networks of sensors and smart objects whose purpose is to interconnect all things, including every day and industrial objects, in such a way as to make them intelligent, programmable and more capable of interacting with humans. IETF: The IOT refers to the networked interconnection of everyday objects. An "IoT" means "a world-wide network of interconnected objects uniquely addressable, based on standard communication protocols" Gartner: The IOT is the network of physical objects that contains embedded technology to communicate and sense or interact with the object s internal state or the external environment Industrial Internet (II) GE: New ways of connecting the world s myriad of machines, facilities, fleets and networks with advanced, sensors, controls and software applications; harnessing the power of physics-based analytics, predictive algorithms, automation and deep domain expertise in material science, electrical engineering and other key disciplines required to understand how machines and larger systems operate; and connecting people, whether they be at work in industrial facilities, offices, hospitals or on the move at any time to support more intelligent design, operations, maintenance as well as higher quality service and safety. Internet-of-everything (IOE) CISCO: Brings together people, process, data, and things to make networked connections more relevant and valuable than ever before-turning information into actions that create new capabilities, richer experiences, and unprecedented economic opportunity for businesses, individuals, and countries. Allseen Alliance: The IOE is based on the idea that devices, objects and systems can be connected in simple, transparent ways to enable seamless sharing of information across all of them. Cyber physical systems (CPS) NIST: Cyber-Physical Systems or smart systems are coengineered interacting networks of physical and computational components. These systems will provide the foundation of our critical infrastructure, form the basis of emerging and future smart services, and improve our quality of life in many areas. 4

5 5 Common Themes Smart, connected systems used by people and organizations to operate and manage their lives and business Integration of the physical and computational in order to monitor and control physical processes

6 Why should we care? 6 IDC predicts by 2020 More data and information at risk for compromise Gartner predicts govt. and industry will, fail to protect 75% of sensitive data Cyber attacks can have physical impacts

7 7 What should we do? Resilient Infrastructure Traditional confidentiality, availability and integrity concerns are still important. We must also consider safety and reliability in an integrated, holistic way to develop resilient infrastructure Worry less about definitions, worry more about functions and uses. Are you using your smart phone to order take-out food? Are you using your smart phone to control your home security system? Are you using your smart phone to manage and monitor physical infrastructure? We need more rigorous design, development and assurance regimes for devices that can put human health and safety, national security, and critical infrastructure at risk

8 8 What should we do? Resilient Regions Foundational Precepts Every region should understand its own resilience Resilience includes three main areas: planning, preparedness, and prevention; mitigation during events; and response and recovery. Resilience should be addressed in a comprehensive cyberphysical manner. What Regions are Looking For Stakeholder information sharing opportunities Situational awareness for major incidents Regional Decision Support tools Regional Integrated Cyber- Physical Risk Assessments