4303 II

qbe89

see attached.

  • 9 months ago
files (2)

ii.docx

From your experience working on either a small or large project, list and categorize three risks from the project. Was the response plan for the project adequate to mitigate these risks? Knowing what you know now, how would you respond to these risks differently?

Course Textbook(s) Lewis, T. G. (2020). Critical infrastructure protection in homeland security: Defending a networked nation (3rd ed.). Wiley. https://online.vitalsource.com/#/books/9781119614562

UnitII.pdf

CYB 4303, Critical Infrastructure Protection in Cybersecurity

UNIT II STUDY GUIDE: Infrastructure Protection: Risks and Threats, Part I

Course Learning Outcomes for Unit II

Upon completion of this unit, students should be able to:

2. Evaluate organization infrastructures for vulnerabilities.
   2.1 Describe different types of risks affecting Critical Infrastructure and Key Resources (CIKR) systems.

Required Unit Resources

Chapter 2: Risk Strategies

In order to access the following resource, click the link below. For the following resource, you are only required to read Chapter 2, pp. 4–17.

National Institute of Standards and Technology. (2012). Guide for conducting risk assessments (NIST Special Publication 800-30, Rev. 1). https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-30r1.pdf

Unit Lesson

Introduction

Managing risk takes many resources, especially when risk management encompasses a nation's large critical infrastructure sectors. Risk management is a shared responsibility among all critical infrastructure agencies and private-sector stakeholders. Furthermore, because incidents can cascade across sector, state, and national boundaries, a comprehensive risk management and mitigation process requires the involvement of federal, state, and local agencies as well as critical infrastructure partners in the private sector.


The Federal Information Security Management Act (FISMA) was enacted in 2002 and amended by the Federal Information Security Modernization Act of 2014. The law put in place standards and guidelines for implementing security in federal information systems, including the systems that support the nation's critical sectors. These standards and guidelines include FIPS 199, FIPS 200, and NIST Special Publications 800-53, 800-59, 800-60, 800-160, 800-137, and 800-18 (National Institute of Standards and Technology [NIST], 2018). Together they form the Risk Management Framework (see Figure 1), a process that integrates security and risk management activities.

Risk Strategies

In order to understand threats, we must first understand risk. According to Lewis (2020), risk is an expected gain or loss given the probability of specific events. The loss from a risk can be financial, human (casualties), or temporal (lost time). Unit I noted that the protection of assets and critical infrastructures had its beginnings in engineering (the Roman aqueducts) and safety (the Great Wall of China). Risk strategy, or risk management, has since extended across many fields and industries in the government, commercial, and industrial sectors.

Given the global economy and the interconnectedness of all critical sectors (see Figure 2), every process and daily operation in which these sectors engage is exposed to risk. Risk and reward go together, and as technology has advanced, the probability that a risk decides the success or failure of protection in a sector has increased significantly. To protect critical infrastructures successfully, we must manage risk through planning and strategy and actively anticipate risks across the landscape. As society evolves, new risks are introduced, and the more interconnected the sectors become, the wider the negative ripple effect of a realized risk grows. The increased reliance on information technology (IT) systems is one of the most significant risks facing the nation today.

Figure 1 Risk Management Framework (NIST, 2018)


Risk Analysis

Risk analysis aids in predicting risk through probability. Lewis (2020) shows that the formula for calculating risk, derived by a famous Swiss mathematician, is R = Pr(c) × C: risk (R) is the product of the probability Pr(c) that a particular event c takes place and its consequence C, measured in financial loss, casualties, or time. Thus, a risk has three elements:

1. an event (c),
2. the probability of occurrence of that event (Pr(c)), and
3. the consequence of that event, i.e., its impact (C).

If we look at the risk function carefully, we can see that, generally, if either the probability of the event or its consequence increases, so does the risk. As an example, the likelihood of a plane falling from the sky is small, but the consequences if it does happen are very high in terms of lives lost and damage to structures on the ground. "The risk of any event is large if the product of likelihood and consequence is large but small if the product is small. Probability and consequence are handmaidens in the estimation of risk" (Lewis, 2020, p. 23). In risk analysis, we also need to consider carefully the cause or source of a risk; this cause is referred to as the hazard. Often, risk is reduced simply by being aware of hazards and taking measures to avoid or overcome them.

Banking & Finance: banking and stock markets. Sector-specific agency: Treasury.

Emergency Law Enforcement Services: Justice/FBI. Sector-specific agency: FBI.

Emergency Services: emergency fire and continuity of government. Sector-specific agency: FEMA.

Energy: electric power, gas and oil production and storage. Sector-specific agency: Energy.

Information & Communications: telecommunications and the Internet. Sector-specific agency: Commerce.

Public Health Services: public health, surveillance, laboratory services, and personal health services. Sector-specific agency: HHS.

Transportation: aviation, highways, mass transit, rail, pipelines, shipping. Sector-specific agency: Transportation.

Water Supply: water and its distribution. Sector-specific agency: Environmental Protection Agency.

Figure 2. Eight critical infrastructure sectors, each with its scope and sector-specific agency (Lewis, 2020; 12019, 2012; Breher, 2015; Muhammad, 2018; LEEROY Agency, 2014; lkaika, 2015; Petra, 2009; Pexels, 2016; skeeze, 2015)


Sources of Risks

Sources of risk can be categorized by their cause as internal or external.

Internal risks

Internal causes of risk include those arising from the organization's own protection design or from human behavior. Examples include security procedures that do not account for new malware threats, or a disgruntled employee who can bypass security from inside the network. Technology and communication failures can also be sources of internal risk. Common underlying causes are the availability of skills, capability, motivation, and performance, among others. These types of risk can be classified as follows:

1. Technical – the wrong or insufficient technology is implemented for a solution.
2. Management – decisions at the management level are made without knowing the facts.
3. Safety – the safety of systems or people is insufficient, or safety is nonexistent.
4. Organizational – business continuity is not implemented, or is simply delegated to the IT function.

External risks

External risks are usually associated with global factors such as political, economic, and regulatory conditions. Generally, external sources of risk are factors beyond the control of a specific sector or country. They may include power shifts in particular regions of the world, economic conditions prompted by conflicts, or regulatory changes that significantly alter the processes of a given sector.

Risk Management

Risk management refers to the process of identifying and managing risk through the development, selection, and management of strategies for controlling or avoiding those risks. A Guide to the Project Management Body of Knowledge (PMBOK® Guide) (Project Management Institute [PMI], 2017) offers three definitions of risk management.

1. Risk management is the formal process by which risk factors are systematically identified, assessed, and provided for.

2. Risk management is a formal, systematic method of management that concentrates on identifying and controlling areas or events that have the potential to cause unwanted change.

3. Risk management is the art and science of identifying, analyzing, and responding to risk factors.

Risk management attempts to predict and control possible future events proactively rather than reactively. Its goal is to reduce not only the likelihood of an event taking place but also the magnitude of its impact. As an example, reacting to a security crisis without a plan wastes precious time that could have been saved by developing contingencies in advance. Thus, risk management operates on the theory that an identified risk is a risk understood and acknowledged. Risk management also quantifies and predicts the impact on assets.
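As an added worked example (not from Lewis, NIST, or the course material), the following Python builds a small risk register on R = Pr(c) × C from the Risk Analysis section, tags each entry with the internal/external categories from Sources of Risks, ranks entries by expected loss, and computes the residual risk left after a control is applied, which is the "respond" step the Risk Management section describes. Every event, probability, dollar figure, and control-effectiveness factor is constructed for illustration.

```python
"""Risk register on R = Pr(c) * C (Lewis, 2020), with the internal/external
categories from the study guide and a residual-risk calculation.

Added example: every event, probability and dollar figure below is
constructed for illustration and is not taken from Lewis or NIST SP 800-30.
"""
from dataclasses import dataclass, replace
from enum import Enum


class Source(Enum):
    """Risk categories named in 'Sources of Risks'."""
    TECHNICAL = "internal: technical"
    MANAGEMENT = "internal: management"
    SAFETY = "internal: safety"
    ORGANIZATIONAL = "internal: organizational"
    EXTERNAL = "external"

    @property
    def is_internal(self):
        return self is not Source.EXTERNAL


@dataclass(frozen=True)
class Risk:
    event: str          # c, the event
    probability: float  # Pr(c), annual probability of the event, 0..1
    consequence: float  # C, loss if it occurs (dollars here; could be lives or hours)
    source: Source

    def __post_init__(self):
        # A probability outside [0, 1] or a negative loss is a data-entry error,
        # not a risk; reject it before it silently distorts the ranking.
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError(f"probability out of range: {self.probability}")
        if self.consequence < 0:
            raise ValueError("consequence must be non-negative")

    @property
    def expected_loss(self):
        """R = Pr(c) * C."""
        return self.probability * self.consequence


def rank(register):
    """Entries ordered by expected loss R, highest first; ties fall back to C."""
    return sorted(register, key=lambda r: (r.expected_loss, r.consequence), reverse=True)


def worst_case(register):
    """Entry with the largest consequence, regardless of how unlikely it is."""
    return max(register, key=lambda r: r.consequence)


def total_expected_loss(register):
    return sum(r.expected_loss for r in register)


def expected_loss_by_source(register):
    """Aggregate R per category, e.g. to see how much of the total is internal."""
    totals = {}
    for r in register:
        totals[r.source] = totals.get(r.source, 0.0) + r.expected_loss
    return totals


def mitigate(risk, probability_factor=1.0, consequence_factor=1.0):
    """Residual risk after a control. A preventive control (patching, MFA,
    training) scales Pr(c) down; a resilience control (backups, redundancy)
    scales C down. Factors are assumed effectiveness values, 1.0 = no effect."""
    if not (0.0 <= probability_factor <= 1.0 and 0.0 <= consequence_factor <= 1.0):
        raise ValueError("mitigation factors must be in [0, 1]")
    return replace(risk,
                   probability=risk.probability * probability_factor,
                   consequence=risk.consequence * consequence_factor)


# Constructed register: the low-probability, high-consequence aircraft entry
# mirrors the study guide's example; all numbers are hypothetical.
REGISTER = [
    Risk("Aircraft crash into facility", 1e-5, 500_000_000, Source.EXTERNAL),
    Risk("Phishing leads to ransomware", 0.25, 2_000_000, Source.TECHNICAL),
    Risk("Insider disables monitoring", 0.05, 4_000_000, Source.MANAGEMENT),
    Risk("Backup generator fails during outage", 0.10, 600_000, Source.SAFETY),
    Risk("Continuity plan never tested", 0.30, 150_000, Source.ORGANIZATIONAL),
]


if __name__ == "__main__":
    for r in rank(REGISTER):
        print(f"{r.expected_loss:>12,.0f}  Pr={r.probability:<8g} C={r.consequence:>13,.0f}  "
              f"{r.source.value:<24} {r.event}")
    print(f"total expected loss: {total_expected_loss(REGISTER):,.0f}")
    print(f"worst case by consequence alone: {worst_case(REGISTER).event}")
    # Control: phishing-resistant MFA assumed to cut Pr(c) for the phishing
    # entry by 80%; the ransomware consequence C is unchanged.
    before = REGISTER[1]
    after = mitigate(before, probability_factor=0.2)
    print(f"residual R for '{before.event}': {before.expected_loss:,.0f} -> {after.expected_loss:,.0f}")
```

The register shows the point the aircraft example makes: the entry with by far the largest consequence ranks last by expected loss because its probability is tiny, while a routine phishing event with a modest consequence ranks first. Splitting a control's effect into a probability factor and a consequence factor also makes visible which of the two elements a given response actually changes; a backup strategy leaves Pr(c) for ransomware untouched and only lowers C.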

Catastrophe Theory

Catastrophe theory refers to unique (discontinuous) events that take place because of continuous change. As an example, in many ways the collapse of the stock market in 2008 was the result of continuous or evolving financial factors and events (Lewis, 2020). Christopher Zeeman advanced catastrophe theory from methods postulated by the French mathematician René Thom (Zeeman, 1974). In essence, catastrophe theory is a method for explaining the evolution of forms in nature. Thus, the theory is applicable where gradual (continuous) change or forces produce unexpected events (effects). Lewis (2020) goes into detail on three major theories: Perrow's normal accident theory (NAT), Bak's theory of punctuated equilibrium, and complex adaptive systems theory.

What catastrophe theory tells us is that we do not know what we do not know. Unlike risk management, catastrophe theory addresses events that we do not know about and for which we cannot calculate probability or impact. As an example, before 9/11 it was logically improbable that suicide terrorists would turn commercial passenger aircraft into missiles. An important distinction needs to be made between a risk and an event (catastrophe). Risks are not tangible; a risk is the anticipation of an event. Beck (2006) noted that the moment a risk becomes real, for example in the form of a denial-of-service attack, it ceases to be a risk and becomes an event.

CORE CONCEPTS

Risk "is not a vulnerability or threat. Generally, vulnerability is a weakness in an asset that may be exploited to cause damage. Threat is typically associated with human attacks – terrorism – while natural disasters are typically associated with a hazard such as an earthquake or hurricane" (Lewis, 2020, p. 24).

Summary

Today's societies face new kinds of risk: the risks of an interconnected global world. The global risks introduced by technology represent a new kind of world order, a technological world in which national boundaries do not exist and the distant threat is no longer remote. Furthermore, this technological interconnectedness and interdependence have created new levels of risk. The potential for an event (catastrophe) to take place has increased sharply because of the complexity of technological systems and the chains of effects that their global interconnectedness makes possible. As an example, a cyberattack on key government systems could simultaneously affect the electric grid sector and the financial sector. Risk management, together with a resilience assessment, is part of the solution for the potential risks faced by CIKR. In most sectors, redundancies have been built to "resist, absorb, and adapt to adversity" (Lewis, 2020, p. 41). Still, we must keep in mind that risks are not only technological in nature. Risks are also present because of environmental conditions such as earthquakes and hurricanes, and because of human error.

References

12019. (2012). Surgery-operation-hospital [Photograph]. Pixabay. https://pixabay.com/en/surgery-operation-hospital-79584/

Beck, U. (2006). Living in the world risk society. Economy and Society, 35(3), 329–345. doi:10.1080/03085140600844902

Breher, T. (2015). Bank note Dollar USD US-dollar money funds bills [Photograph]. Pixabay. https://pixabay.com/en/bank-note-dollar-usd-us-dollar-941246/

Lewis, T. G. (2020). Critical infrastructure protection in homeland security: Defending a networked nation (3rd ed.). Wiley.

LEEROY Agency. (2014). Antenna tower transmission communication [Photograph]. Pixabay. https://pixabay.com/en/antenna-tower-transmission-498438/

lkaika. (2015). Pipe water plumbing industrial construction [Photograph]. Pixabay. https://pixabay.com/en/pipe-water-plumbing-industrial-1159854/

Muhammad, F. (2018). Emergency room hospital ambulance rescue Houston [Photograph]. Pixabay. https://pixabay.com/en/emergency-room-hospital-ambulance-3323451/

National Institute of Standards and Technology. (2018). Risk management. https://csrc.nist.gov/projects/risk-management/risk-management-framework-(RMF)-Overview

Petra. (2009). Mi promotion Sasketchewan prairie oil production [Photograph]. Pixabay. https://pixabay.com/en/mi-promotion-sasketchewan-prairie-1044575/

Pexels. (2016). Train transportation platform railroad metro [Photograph]. Pixabay. https://pixabay.com/en/train-transportation-platform-1285288/

Project Management Institute. (2017). A guide to the Project Management Body of Knowledge (PMBOK® Guide) (6th ed.). Project Management Institute, Inc.

skeeze. (2015). Police highway patrol SWAT team California CHP [Photograph]. Pixabay. https://pixabay.com/en/police-highway-patrol-swat-team-755410/

Zeeman, E. C. (1974). Levels of structure in catastrophe theory illustrated by applications in the social and biological sciences. Proceedings of the International Congress of Mathematicians.
