VII
see attached.
vii.docx
Cybersecurity Policies Without Borders
This assignment measures your mastery of ULOs 2.1, 2.2, 2.3, 5.3, and 6.2.
Unlike countries, the Internet is not confined to specific national borders or geopolitical boundaries, defying traditional governance. Perform research in the CSU Online Library and the Internet, and answer the following questions:
1. Who can make the laws applicable to cyberspace and cybersecurity?
2. What laws apply once cybercrime crosses national and international boundaries? Why are they important?
3. Who creates policy and enforces these laws?
Provide examples within your paper. Your paper should be three to five pages in length and in APA format. You may use your textbook as source material for your assignment. You must also use three outside sources, which can come from the CSU Online Library or the Internet. All sources used, including the textbook, must be referenced; paraphrased and quoted material must have accompanying citations.
Course Textbook(s) Lewis, T. G. (2020). Critical infrastructure protection in homeland security: Defending a networked nation (3rd ed.). Wiley. https://online.vitalsource.com/#/books/9781119614562
UnitVII.pdf
CYB 4303, Critical Infrastructure Protection in Cybersecurity 1
Course Learning Outcomes for Unit VII
Upon completion of this unit, students should be able to:
2. Evaluate organization infrastructures for vulnerabilities.
2.1 Describe different types of risks affecting Critical Information and Key Resources (CIKR) systems.
2.2 Explain the current state of critical infrastructure protection efforts.
2.3 Describe the importance of information security policies.
5. Analyze vulnerabilities of critical information and key resources (CIKR).
5.3 Identify current threats to the information technology sector.
6. Create components of a cybersecurity strategy in alignment with current national policies.
6.2 Illustrate the criteria behind security policies.
Required Unit Resources
Chapter 10: Supervisory Control and Data Acquisition
In order to access the following resources, click the links below.
Barack Obama signed a directive on February 12, 2013, to advance critical infrastructure security. Click the link below to access the Presidential Policy Directive on Critical Infrastructure Security and Resilience (PPD 21).
The White House, Office of the Press Secretary. (2013, Feb 12). Presidential policy directive – critical infrastructure security and resilience [Press Release]. https://www.whitehouse.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil
For the following resource, you are required to read only Chapter 2.
National Institute of Standards and Technology. (2011). NIST special publication 800-39. Managing information security risk Chapter 2. https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-39.pdf
For the following resource, you are required to read only Chapter 2.
National Institute of Standards and Technology. (2018). NIST special publication (SP) 800-37. Risk management framework for information systems and Organizations – Chapter 2. https://csrc.nist.gov/CSRC/media/Publications/sp/800-37/rev-2/draft/documents/sp800-37r2-draft-ipd.pdf
UNIT VII STUDY GUIDE
Threat, Risk, Control, and Prevention
Unit Lesson
Supervisory Control and Data Acquisition (SCADA) Networks
As technology and global networks become more prevalent, the manner in which computer systems and applications communicate and function is changing as well. SCADA networks are large-scale distributed networks used to monitor, collect, and control processes in energy, gas, chemical, and water supply systems, among others (see Figure 1). According to Lewis (2020), SCADA systems usually have three elements.
• A remote terminal unit (RTU) connected to the SCADA network that collects data, converting discrete measurements into digital information for transmission.
• A master station and human-machine interface, which are comprised of servers and software connected to the field equipment or RTUs.
• A communication infrastructure connecting the various elements to the SCADA network directly via fiber or satellite networks or through the Internet.
Many sectors such as the energy sector, which has numerous private entities, use SCADA remote terminal units (RTUs) to communicate to centralized information systems. The information gathered by these remote terminals must travel through enterprise networks then through lines connected to the Internet (see Figure 2 in the next section of this unit) to report pertinent information. The connectivity of enterprise networks to the SCADA network gives pause to many security analysts as attackers can penetrate the SCADA network by exploiting vulnerabilities on corporate networks (Lewis, 2020). Additional security concerns exist regarding the physical infrastructure of these networks. As an example, the electric utility systems have thousands of RTUs controlling infrastructure across vast geographical areas; these RTUs can be spread across miles, and, in many instances, these RTUs are not physically secured, or passwords are sent in clear text across the networks.
Figure 1. Sectors using SCADA systems (Cockrill & Kirk, n.d., p. 9; Gaida, 2016; Haiyin, n.d.; Augusto, 2016; PublicDomainPictures, 2011; Free-Photos, 2016; Hill, 2018; McElroy, 2015; Muhammad, 2017)
Securing SCADA Networks
Supervisory control and data acquisition (SCADA) networks are part of the nation’s critical infrastructure key resources (CIKRs). These networks perform key functions across all 18 sectors providing essential services. SCADA’s collection, analysis, and control of data from equipment and devices such as power stations, pumps, and valves at remote locations make it potentially vulnerable to disruption of services and data manipulation that could result in national and public safety concerns. According to Lewis (2020), SCADA networks are vulnerable to denial-of-service attacks on sensors, as sensors can be jammed, resulting in premature power exhaustion; integrity attacks, as sensors can be used to transmit misleading information; and phishing attacks that allow the attacker access to critical and protected information. There are different steps that can be implemented to secure SCADA systems, establishing an effective cybersecurity protection program. According to Lewis (2020), some of the steps include the following:
• definition of clear cybersecurity roles and responsibilities for security administrators and end users,
• definition and documentation of systems serving critical functions and those containing sensitive data requiring additional levels of protection,
• establishment of a rigorous and continuing risk management program,
• establishment of cybersecurity protection based on defense-in-depth principles,
• implementation of routine self-audits and assessments,
• implementation of a Business Continuity Plan (BCP) including a Disaster Recovery Plan (DRP), and
• establishment of security policies and training programs to minimize the disclosure of sensitive information.
Figure 2: SCADA Network Architecture
CIKRs’ Security Implications
There are numerous cyber and physical security implications across all CIKRs. Lewis (2020) alluded to the fact that security is freedom from undesirable risks. As we covered in Unit VII, standardization has contributed to a best practices approach to implementing and managing security. Uotila, Keil, and Maula (2017) underscored the fact that standards outline the interoperability and accountability of technology practices. Standards help in identifying inferior practices and adhering to methods and guidelines for security. Standards play a critical part in the implementation of risk mitigation from physical or cyberattacks. Standards organizations such as the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO) are constantly working on new proven methods and procedures relevant to information technology security. These organizations, through standards, facilitate a uniform approach to protocols and procedures across governmental agencies and the private sector as well.
Risk Management and Resilience
Organizations and agencies across all different sectors must strive to provide a safe environment in which information, processes, and procedures can function, an environment that can maintain privacy and confidentiality ensuring the integrity, reliability, and availability of information and protection of its systems. The integrity of systems and information needs to adhere to proven risk management principles and risk mitigation strategies. Sancenito (2018) found that organizations must have a fundamental understanding of their business models to fully evaluate the organization’s exposure to risks. Table 1 lists examples of mitigation plans. Hajmohammad and Vachon (2016) outlined four strategies to control risks:
• avoidance—implementing safeguards to reduce or eliminate uncontrolled risks,
• transference—shifting risks or vulnerabilities to third parties or outside entities,
• mitigation—reducing the potential impact of vulnerabilities, and
• acceptance—understanding the cost and consequences of the risk if left without control or mitigation.
Incident Response Plan (IRP)
Description: Activities and actions organizations take during an incident (attack)
Examples:
• A list of steps taken during a disaster
• Intelligence gathering
• Information analysis
When to deploy: As incidents or disaster unfolds
Timeframe: Immediate and real-time reaction

Disaster Recovery Plan (DRP)
Description:
• Preparation for recovery should a disaster take place
• Strategies limiting losses before and during a disaster
• Step-by-step instructions to regain normalcy
Examples:
• Procedures for the recovery of lost information or services
• Shutdown procedures to protect systems and data
When to deploy: Immediately after an incident is labeled a disaster
Timeframe: Short-term recovery

Business Continuity Plan (BCP)
Description: Steps to ensure continuation of the systems, information, and overall business when the incident exceeds the DRP’s ability to restore operations
Examples:
• Preparation steps for activation of secondary data centers
• Establishment of a hot site in a remote location
When to deploy: Immediately after the disaster is determined to affect the continued operations of the organization
Timeframe: Long-term operation

Table 1 – Mitigation plans scenarios (Wallace & Webber, 2010)
CORE CONCEPT
Information technology security is a combination of science, engineering, and human factors. Secure systems are only as strong as the weakest link: each factor must be secured using multiple layers to provide defense-in-depth.
Risk management and resilience are achieved through proper protection. The Department of Homeland Security (DHS) (2010) defined protection as “a coordinated plan of action to prevent, deter, and mitigate all-hazards incidents on CIKR, and to respond to and recover from such natural disasters, terrorist attacks, or other incidents as quickly and effectively as possible” (p. 4). Protection takes different forms depending on the context. As an example, information technology network protection entails a security strategy that emphasizes the use of software and procedures to reduce or eliminate vulnerabilities to existing threats on computer systems and physical protection to transmission lines and data centers. Thus, protection against potential threats comes from being prepared. According to DHS (2010), preparedness is defined as:
Activities necessary to build, sustain, and improve readiness capabilities to prevent, protect against, respond to, and recover from natural or manmade incidents. Preparedness is a continuous process involving efforts at all levels of government and between government and the private sector and nongovernmental organizations to identify threats, determine vulnerabilities, and identify required resources to prevent, respond to, and recover from major incidents. (p. 54)
To be successful, risk mitigation relies on preparedness, while recoverability relies on the resilience of organizations and agencies across all sectors. Resilience is “the ability to resist, absorb, recover from, or successfully adapt to adversity or a change in conditions” (Lewis, 2020, p. 413).
Summary
Today’s business environment is referred to as the information age, which is an understatement. Unlike 50 to 100 years ago, today’s business transactions and communications rely on global communication networks generating vast amounts of information. Since communication and transactions take place on information systems through interconnected networks reaching almost every corner of CIKRs, it is imperative that those resources be protected. No network or system is an isolated entity anymore. The security implications are many, from increased attack surfaces to amplified complexities. Because of this interconnectedness, cyber systems process information, control devices, and are essential to the operation of many sectors’ infrastructures (e.g., SCADA networks); thus cybersecurity is a multifaceted field requiring skilled personnel working on specialized areas. The relationship between sectors should not be underestimated, as the potential disruption of one sector will quickly create a ripple effect reaching into other sectors. The area of critical infrastructure protection is in a constant state of change as new threats and vulnerabilities surface every day, and changes in social, political, and geographical landscapes redefine existing threats. The most important aspect enabling CIKR protection is the proper coordination and cooperation between the public and private sectors. As the world continues to change, we must not forget that the infrastructure protection field is also in a constant emergent state and that we must adapt accordingly.
References
Augusto, F. (2016). Water resources irrigation pipes pumping [Photograph]. Pixabay. https://pixabay.com/en/water-resources-irrigation-2251633/
Cockrill, M., & Kirk, A. (n.d.). Critical Infrastructure Overview. http://app.leg.wa.gov/committeeschedules/Home/Document/172346
Department of Homeland Security (2010). Critical Manufacturing Sector-Specific Plan - An annex to the National Infrastructure Protection Plan. https://www.dhs.gov/sites/default/files/publications/nipp-ssp-critical-manufacturing-2010-508.pdf
Free-Photos. (2016). Wheat fields crops wheat field agriculture yellow [Photograph]. Pixabay. https://pixabay.com/en/wheat-fields-crops-wheat-field-1149885/
Gaida, M. (2016). Industry factory industrial plant metal neuss [Photograph]. Pixabay. https://pixabay.com/en/industry-factory-industrial-plant-1140760/
Haiyin. (n.d.). Energy efficient house cutaway image for smart home automation concept. (ID 73397918). [Illustration]. Dreamstime. www.dreamstime.com
Hajmohammad, S., & Vachon, S. (2015). Mitigation, avoidance, or acceptance? Managing supplier sustainability risk. Journal of Supply Chain Management, 52(2), 48–65. https://doi-org.libraryresources.columbiasouthern.edu/10.1111/jscm.12099
Hill, T. (2018). Ladybower reservoir Upper Derwent Valley Derbyshire [Photograph]. Pixabay. https://pixabay.com/en/ladybower-reservoir-3130007/
Lewis, T. G. (2020). Critical infrastructure protection in homeland security: Defending a networked nation (3rd ed.). Wiley.
McElroy, R. (2015). Dam river water landscape power hydroelectric [Photograph]. Pixabay. https://pixabay.com/en/dam-river-water-landscape-power-929406/
Muhammad, F. (2017). Cooling system air conditioner technology roof [Photograph]. Pixabay. https://pixabay.com/en/cooling-system-air-conditioner-2864859/
PublicDomainPictures. (2011). Storage tanks vats metal tanks barrels pastel tanks [Photograph]. Pixabay. https://pixabay.com/en/storage-tanks-vats-metal-tanks-20959/
Sancenito, J. (2018). Corporate risk from extremist groups. Journal of Business Continuity & Emergency Planning, 12(1), 17–26. https://libraryresources.columbiasouthern.edu/login?url=http://search.ebscohost.com/login.aspx?direct=true&db=bcr&AN=131863434&site=ehost-live&scope=site
Uotila, J., Keil, T., & Maula, M. (2017). Supply-side network effects and the development of information technology standards. MIS Quarterly, 41(4), 1207-9-A19. https://libraryresources.columbiasouthern.edu/login?url=http://search.ebscohost.com/login.aspx?direct=true&db=bsu&AN=125996711&site=ehost-live&scope=site
Wallace, M., & Webber, L. (2010). The disaster recovery handbook: A step-by-step plan to ensure business continuity and protect vital operations, facilities, and assets (2nd ed.). American Management Association.