370 likes | 596 Vues
International Conference on Critical Infrastructure Protection. A Computational Asset Vulnerability Model for Strategic Protection of Critical Infrastructure Richard White, Terrance Boult, and C. Edward Chow A Decision Support Tool for a Computational Unified Homeland Security Strategy
E N D
International Conference on Critical Infrastructure Protection A Computational Asset Vulnerability Model for Strategic Protection of Critical Infrastructure Richard White, Terrance Boult, and C. Edward Chow A Decision Support Tool for a Computational Unified Homeland Security Strategy Richard White, Aaron M. Burkhart, C. Edward Chow, and Logan L. Maynard Presented by C. Edward Chow International Federation for Information Processing Eighth Annual Working Group SRI International Arlington, VA March 17-19, 2014
Presentation Outline • Asset Vulnerability Model • AVM Analysis of Alternative Critical Infrastructure Protection Investment Strategies • AVM Decision Support Tool
Motivations 2001, Attacks on World Trade Center and Pentagon Exposed vulnerability of critical infrastructure. 2002, Homeland Security Act Made critical infrastructure protection Department of Homeland Security mission 2010, National Research Council Report “did not find any DHS risk analysis capabilities and methods that are yet adequate for supporting DHS decision making” 2002 HSA 2005 INIPP (I & II) 2006 NIPP 2009 NIPP 2013 NIPP
Risk Management Framework Step 2: Identify Infrastructure. The DHS database has “many unusual or out-of-place assets whose criticality is not readily apparent...”2007 DHS Inspector General Step 3: Assess Risks. Less than 11 percent of DHS’ assessments were conducted on high-priority assets. 2012 GAO Report Step 3: Analyze Risks. Unable to differentiate vulnerability across areas or states, DHS assigned constant value of “1” to “V” in R=T*V*C risk formulation. 2007 CRS Report Step 4: Implement Measures. Poor coordination between RMF working “inside the fence” and National Preparedness System working “outside the fence”. 2011 CRS Report 1 2 3 4 5
2010 National Research Council Report “DHS’s operationalization of that framework—it’s assessment of individual components of risk and their integration into a measure of risk—is in many cases seriously deficient and is in need of major revision.” Summary Challenges: • Dearth of Data • Transparency & Repeatability • Qualified Results • Comprehensive Scope • National Impact • Applicable Results
Infrastructure Risk Models 250 reported infrastructure risk models 41 (listed above) identified in two summary reports 22 (highlighted) offered information to draw some inferences 12 (identified with *) employed a threat-driven risk methodology 7 (identified with +) were described as “complicated” 14 (identified with ^) did not address “resiliency” 2 (identified with -) did not capture broader impacts of disaster 0 overcame challenges cited by National Research Council report
Asset Vulnerability Model • Baseline Analysis Θ = P(dis)*P(def)*P(den)*P(dim)*%(dam) • Cost-Benefit Analysis ΔΘ = P(Δdis)*P(Δdef)*P(Δden)*P(Δdim)*%(dam) • Decision Support Tools
Choice of Metric • 1988 Sandler & Lapan research used game theory to examine attacker’s choice of target. • Findings: • A coordinated defense is more efficient than an uncoordinated one. • The optimum defense strategy is to protect all targets equally, not necessarily maximally, • Attacker’s choice depended on perceived probability of failure, S&L designated as θ. Sandler & Lapan Attack Model
Θ Risk Formulation Θ = P(dis)*P(def)*P(den)*P(dim)*%(dam) Θ represents attacker probability of failure based on known defender data P(dis) = Probability an attack can be detected/disrupted # thwarted attacks / # known planned & executed attacks P(def) = Probability an attack can be defeated derived from Protective Measure Index (PMI) calculated by Argonne Nat’l Labs P(den) = Probability a worst case disaster can be averted derived from Resiliency Index also calculated by ANL P(dim) = Probability 100% survivors can be saved derived from DHS collected THIRA data %(dam) = % decrease in economic output* % increase in mortality rate change in GDP * change in national mortality from loss of asset
Comprehensive Scope Θ = P(dis)*P(def)*P(den)*P(dim)*%(dam) Prevent Protect Mitigate Respond Recover Right of “Boom” Left of “Boom”
National Impact Θ = P(dis)*P(def)*P(den)*P(dim)*%(dam) • 9/11 registered a 47% decrease in GDP and 20% increase in national homicide rates • Quantifying the magnitude component in terms of trending data: • Captures effects of both destructive and disruptive incidents • Expresses effects over time, beyond immediate consequences • Avoids difficulty of comparing lost lives and damaged property
Qualified Results Sensitivity Analysis • Interval Risk Reduction Worth • Ratio Risk Reduction Worth • F-V Measure of Importance • Fractional Risk Reduction Stable Formulation
Threat Localization • Asset-Driven Approach • Do Not Estimate Probability of Attack • Localize Threat • Chemical Plants • Dams • Energy • Financial Services • Food & Agriculture • Information Networks • Nuclear Reactors, Materials, & Waste • Transportation Systems • Water & Wastewater Systems
AVM Cost-Benefit Analysis ΔΘ = P(Δdis)*P(Δdef)*P(Δden)*P(Δdim)*%(dam) P(Δdis) = Increased prob. attack can be detected/disrupted P(Δdef) = Increased prob. an attack can be defeated P(Δden) = Increased prob. Worst Case Disaster can be averted P(Δdim) = Increased prob. 100% survivors can be saved %(dam) = % decrease in economic output* %increase in mortality rate D(ΔΘ) = D(Δdis)+D(Δdef)+D(Δden)+D(Δdim)
AVM & RMF Step 2: Identify Infrastructure. Focus on infrastructure that may be subverted to precipitate domestic catastrophic attack (i.e., “localization”) Step 3: Assess & Analyze Risks. Use results from DHS security surveys and vulnerability analysis to calculate Θ on each asset and produce Baseline Analysis. Step 4: Implement Measures. Perform Cost-Benefit Analysis to identify optimum combination of protective improvement measures that provide highest protective gain ΔΘ for the least cost D(ΔΘ). 1 2 3 4 5
2AVM Analysis of Alternative Critical Infrastructure Protection Investment Strategies
Alternative Investment Strategies • Least Cost (LC) • Least Protected (LP) • Region Protection (RP) • Sector Protection (SP) • Highest DTheta (HD) • Highest Consequence (HC) • Random Purchases (RAN)
Strategy Simulation • Applied simulated investment strategy against 100 assets over 10-year period • Calculated probability of attack and tabulated annual damages • Collected results over 100 simulations • Performed simulations under three different conditions: • AVM18 varied probabilities of attack (0%-100%) • AVM19 varied attacker perceptions of Θ (0%-100%) • AVM20 used different attack model
Attack Models Target Selection • Sandler & Lapan. Attackers target asset with lowest Θ value. • Willie Sutton. Attackers target asset with highest Θ value. Attack Algorithm • Set Annual Attack Expectancy (AAE) = varied 0%-100% • Calculate Probability of Attack (POA) = random uniform value 0%-100% • If POA < AAE then proceed to calculate attack outcome • Select target based on above chosen criteria • Calculate Probability of Success (POS) = random uniform value 0%-100% • Calculate Probability of Failure (POF) = P(dis)*P(def)*P(den) • If POS > POF then proceed to calculate attack damages • Damages = P(dim)*%(dam)
Attack Profiles AVM18 • S&L Attack Model • Varying probability of attack • Constant Θ (20%) AVM19 • S&L Attack Model • Varying attacker perception of Θ • Constant probability of attack (32%) AVM20 • WS Attack Model • Varying probability of attack • Constant Θ (20%)
Investment Profiles AVM18 • S&L Attack Model • Varying probability of attack • Constant Θ (20%) AVM19 • S&L Attack Model • Varying attacker perception of Θ • Constant probability of attack (32%) AVM20 • WS Attack Model • Varying probability of attack • Constant Θ (20%)
Protective Purchase Profiles AVM18 • S&L Attack Model • Varying probability of attack • Constant Θ (20%) AVM19 • S&L Attack Model • Varying attacker perception of Θ • Constant probability of attack (32%) AVM20 • WS Attack Model • Varying probability of attack • Constant Θ (20%)
Damage Profiles AVM18 • S&L Attack Model • Varying probability of attack • Constant Θ (20%) AVM19 • S&L Attack Model • Varying attacker perception of Θ • Constant probability of attack (32%) AVM20 • WS Attack Model • Varying probability of attack • Constant Θ (20%)
Statistical Analysis • Which investment strategy results in the least damages over time? • Pairwise comparison using modified Tukey Honestly Significant Difference (HSD) method indicates Highest Consequence (HC) strategy best • Do attacker’s perception of Θ affect damage results? • Kruskal-Wallis test inconclusive • Do attacker’s method of selecting target affect damage results? • Kruskal-Wallis test indicates attacker’s method of target selection is significant factor • WS model resulted in higher damages than S&L model
Applicable Results National Research Council attributes of a good risk analysis: • Convey current risk levels • Support cost-benefit analysis • Demonstrate risk reduction effects across multiple assets at different levels of management • Measure and track investments and improvement in overall system resiliency over time
AVM Decision Support Tool • Web-based application • Provides interactive graphical display of AVM cost-benefit analysis • Facilitates selection and analysis of protective improvement measures
Protective Improvement Selection • Select by investment strategy: LC, LP, RP, SP, HD, HC, or RAN • Select individually • Edit selections
Analyze Protective Improvement Selections • Run simulated attacks using varying probability of attack over specified period • Graph projected damages
AVM-DST Lessons Learned • Stand-alone client model exceptionally fast because no network delays • Canvas JS renders charts significantly faster than Ext JS • Optimized sorting algorithm keeps browser from becoming unresponsive
Future Research AVM-DST • Expansion • Fidelity • Performance Enhancements AVM • Validation • Refinement • Further Analysis
Contributions • Risk model for strategic protection of critical infrastructure. • Overcomes challenges with current models • Compatible with DHS Risk Management Framework • Clarifies identification of critical infrastructure • Unifies efforts “inside” and “outside” the perimeter • Strategy analysis support • Demonstrated advantage of Highest Consequence investment strategy • Decision support for all levels of management • Convey current risk levels • Support cost-benefit-analysis • Demonstrate risk reduction across multiple assets • Measure and track improvement over time
AVM & AVM-DST Questions?