Research and Development for Critical Infrastructure Protection
John Davis, Commissioner

R&D Issue for Critical Infrastructure Protection
- What should be done?
- What investment is needed?
- Who should do it?
- What is the proper balance between the public and private sector for R&D investment?

The Goal of R&D Is to Develop Technologies that Would Meet Assurance Objectives
- Protect infrastructure, detect intrusions
- Lessen (mitigate) the effects of incidents if they occur
- Assist in the management of incidents
- Facilitate recovery from incidents
(Diagram labels: Technology R&D; Threats)

R&D Is Only One Piece of the Overall Infrastructure Assurance Puzzle
Education and Training Awareness Technology R&D Policy Standards, Personnel, Incentives, etc.

Observations
- New technologies are needed to effectively deal with the current and future vulnerabilities
- Research is sponsored by multiple agencies of the government
- Annual funding range for information assurance R&D is $150M (government): $120M - 355M (industry)
- Research investment is inadequate, and progress is too slow

Observations (cont'd)
- Private sector will not invest significant resources in long-term research for sound business reasons
- Private sector develops technology (i.e., the tools, techniques, methods, and equipment used in building the various infrastructures)
- Private sector develops technology for in-house application & perceived markets
- Next Generation Internet (NGI) provides an opportunity to rebuild the Internet with high assurance

Process for Developing Integrated R&D Recommendations
- NSA Study: INFOSEC research in the DoD and Intelligence Community
- NRC Interim Report: Information Systems Trustworthiness
- DARPA Information Survivability
- NAS, DSB, DoD, and other Studies
- Integrated R&D Recommendations
- DOE National Lab R&D Studies; Surveys and Interviews
  - Information and Communications
  - Electric Power
  - Oil & Gas Transportation & Storage
  - Transportation
  - Banking & Finance
  - Water
  - Emergency Services
  - Government Services
  - Crosscutting/Interdependencies
- Bellcore R&D for Network Assurance in 2010
- IDA Study: Private sector research in information assurance
- Stakeholder Input (e.g. Council on Competitiveness)

Electric Power System R&D Study
R&D Team: Argonne National Lab (lead); Brookhaven National Lab; Lawrence Berkeley National Lab; Los Alamos National Lab; Oak Ridge National Lab; Pacific Northwest National Lab; Sandia National Lab
Threat and Vulnerability Issues: Restructuring; Transmission system reliability; Physical threats to transmission facilities; Cyber threats to SCADA systems; Disgruntled employees
Stakeholders Contacted: Bonneville Power Administration (BPA); Commonwealth Edison; Edison Electric Institute (EEI); Electric Power Research Institute (EPRI); North American Electric Reliability Council (NERC); Wisconsin Public Service Commission; Others
R&D Program Topics: On-line security assessment; Real-time control mechanisms; Transmission and distribution technology; Evaluation of current and future electric power systems; Information security

Water Supply R&D Study
R&D Team: Argonne National Lab; Oak Ridge National Lab; Pacific Northwest National Lab (lead)
Threat and Vulnerability Issues: Chemical threats; Biological threats; Physical; Natural hazards; Cyber; Aging infrastructure
Stakeholders Contacted:
- City and state government offices
  - departments of public works
  - environmental protection
  - emergency management/response
- Environmental Protection Agency
- Bureau of Reclamation
- National Center for Public Health
- Others
R&D Program Topics: Automated detection and analysis; Integrated system status monitoring technology; Remote sensing and GIS; Improved methods of water purification; Protocols for on-line SCADA systems

Information Security Research and Technology

INFOSEC Research and Technology Program
- INFOSEC Research Council, http://doe-is.llnl.gov
- INFOSEC Science and Technology Study Group
- Academic capability development
- University research program

Technical Workshops National Technical Baseline for INFOSEC Technology Forecasting Civilian Universities DoD Universities Faculty, Staff, Students Security Solutions National Security Needs U.S. Government Sponsors INFOSEC Research Council NIST DARPA DISA NSA Warfighter needs MILITARY DOE CIA SERVICES Security Solutions Industry and Academia INFOSEC Science & Technology Study Group Leading Experts Research Institutes FFRDCS & Industry Research Staff Members

Information Systems Trustworthiness
Interim Briefing: April 16, 1997
Stephen D. Crocker & Fred B. Schneider, Co-chairs
Marjory S. Blumenthal, Director
Computer Science and Telecommunications Board

Trustworthiness is...
- A set of attributes to justify dependence: Users must get right outputs, unaffected by environmental realities including:
  - Hardware failures
  - Acts of malice by users and intruders
- A holistic property:
  - Property of a system, not only of components.
  - Involves many interacting sub-properties.

Evolving a National Information Assurance Research Agenda: Issues and Opinions From Commercial Information Technology Providers
William T. Mayfield, Ron S. Ross

21 Technology Providers Interviewed
Large Companies: IBM; Hewlett-Packard; Sun Microsystems; Novell; 3COM; CISCO; Lucent Technologies; AT&T; Intel; Motorola; Oracle; Sybase; Microsoft
Niche Companies: Gemini Computing; Secure Computing Corp.; Trusted Information Systems; Raptor; Security Dynamics; Spyrus; Haystack Computing; WheelGroup

IDA Study Findings
Finding 1. The information needed to definitively quantify commercial IA research funding was not available.
Finding 2. All the companies interviewed indicated that their R&D investments in IA technology were increasing and that for most companies, this trend should continue for the next few years.
Finding 3. A gross estimate of commercial IA R&D funding ranges between $120 million to $355 million per year.
Finding 4. The U.S. commercial IA R&D activity is fairly robust.

Bellcore Key Recommendations on R&D
The key recommendations of this study are that the government should maintain at least its current level of R&D funding and take steps to promote R&D in critical areas that directly impact network assurance:
- Security (OS security, software integrity, cryptography, intrusion detection, and firewalls)
- Distributed control (middleware - OAM, services)
- Network assurance measurement infrastructure (metrics, criteria, techniques, and tools)
- Interprovider policy routing/architecture
- Advance services (QoS, multicast)
- Stability of dynamic IP and ATM routing protocols
- New technologies, services, and applications

Research Is Needed to:
- Secure information while stored, in transit, and in process
- Monitor and detect active threats, and notify in real time
- Assess vulnerability of both elements and entire infrastructures
- Manage risk and support decision making
- Protect infrastructures physically and mitigate damage
- Plan for contingencies and emergency response and recovery

R&D Needs Were Grouped into Six Topical Categories
- Information assurance
- Monitoring and threat detection
- Vulnerability assessment and systems analysis
- Risk management and decision support
- Protection and mitigation
- Contingency planning, incident response, and recovery

Information Assurance is a Key Component to the Functioning of Our Interdependent Infrastructures
Objectives:
- Protect communications infrastructure
- Protect information while stored, processed, and transmitted
Specific R&D needs:
- Security architectures
- Advanced concepts and theory
- Management of information protection
- Encryption technologies
- System characterization
- Human/social

Monitoring and Threat Detection Would Provide Early Threat Warning
Objectives:
- Identify attacks with reliable, automated monitoring and detection technologies
- Characterize attacks using data reduction and analysis tools
Specific R&D needs:
- Automated monitoring and detection
- Intelligence/information collection
- Data reduction and analysis
- Infrastructure information system

Vulnerability Assessment & Systems Analysis Tools Identify Weaknesses in Systems & Components
Objectives:
- Identify critical nodes, examine interdependencies, and understand complex systems
- Address physical and cyber security issues in an integrated mode
Specific R&D needs:
- Vulnerability assessment tools
- Infrastructure and nodal analysis tools
- Complex system modeling
- Test beds
- Verification technologies

Risk Management and Decision Support Tools Aid in the Allocation of Limited Resources and Reduce Risk
Objectives:
- Evaluate risks from historical, current, and future threats
- Support real-time decision making
Specific R&D needs:
- Risk management tools
- Consequence modeling and analysis
- Decision analysis
- Real-time predictive models
- Lessons learned systems

Protection and Mitigation Measures Protect Infrastructures From a Wide Spectrum of Threats
Objectives:
- Protect and improve the effectiveness of existing infrastructures
- Mitigate potentially large disruptions
Specific R&D needs:
- Real-time system control
- Infrastructure hardening
- Isolation & containment technologies

Contingency Planning, Incident Response, & Recovery Technologies Are Needed to Minimize Impacts
Objectives:
- Support effective crisis and consequence management
- Aid in rapid recovery and restoration of services
Specific R&D needs:
- Contingency, response, and recovery planning tools
- Response technologies (e.g., to support emergency responders)
- Recovery technologies (e.g., decontamination, information recovery technologies)

Increased R&D Is Needed Now
R: Research sponsored mostly by the government; long term, new concepts, national scale
D: Development sponsored mostly by industry; tools, techniques, methods, and equipment created and offered for sale by the private sector, and installed to upgrade existing infrastructures

A Joint R&D Effort Involving Government, Industry, & Academia Should Be Established
- Risks cut across the public and private sectors
- Much of the relevant technical and empirical data on infrastructure operations, interdependencies, and vulnerabilities are held by the private sector
- Training, education, and awareness programs are needed to develop a cadre of knowledgeable people ("infrastructure assurance practitioners")
- Successful implementation will require closer cooperation between government, academia, and the private sector

Recommendations
- Conduct a detailed analysis of infrastructure R&D needs and priorities prior to establishing a final National R&D Program for Infrastructure Assurance
- Designate appropriate government departments and agencies to manage infrastructure-specific R&D efforts
- Promote the science of complex, interdependent systems and conduct in-depth research that addresses national infrastructure issues

Recommendations (cont'd)
- Establish a national repository of validated infrastructure-related models & data (e.g., test beds)
- Create forums that bring together researchers, infrastructure owners and operators, & government to discuss common problems, requirements, & solutions
- Promote education, training, & certification programs to ensure proper implementation & utilization of new technologies, methods, & tools

R&D Structure
Private Sector R&D Organizations Infrastructure owners and operators
Partnerships
PCCIP Follow-on Entity for R&D
Government (e.g., OSTP, NCS)
Coordination
Advisory and Working Groups (e.g., NSTAC, TSWG)
Requirements and Priorities
Information & Communications; Electric, Oil, Gas; Transportation; Banking & Finance; Water; Emergency Services; Government Services; Interdependencies
NSA/ DARP/ DOC; DOE; DOT; Treasury; EPA; FEMA; FEMA/GSA; DoD/NSF
Centers of Excellence (e.g., Universities, National Laboratories, R&D Institutes)

Recommended Government Infrastructure Assurance R&D Investments
Investment ($ Millions)

R&D Investment Category                    FY98   FY99   FY00   FY01   FY02   FY03   FY04
Information Assurance                       150    300    360    420    480    540    600
Other Areas of Infrastructure Assurance     100    200    240    280    320    360    400
Total                                       250    500    600    700    800    900  1,000

National Research Council study to validate or adjust investment
