Similar literature
Found 20 similar documents; search took 140 ms
1.
In the context of homeland security, critical infrastructures are "those physical and information technology facilities, networks, services and assets which, if disrupted or destroyed, would have a serious impact on the health, safety, security, or economic well-being of citizens or the effective functioning of governments." Transportation infrastructures are a key component of a nation's critical infrastructures, covering physical assets such as airports, ports, and railway and mass transit networks as well as software systems such as traffic control systems. In effect, among various critical infrastructures spanning a range of economic sectors and government operations, transportation is widely viewed as one of the most significant and impactful. A 2002 study concerning the significance of infrastructure components and the consequences of a destructive event rated transportation as "extremely significant." Other components at this highest level of significance were communications, power, emergency response personnel and assets, and national security resources.

2.
ABSTRACT

Information technology organizations within most corporations are spending significant time and resources securing IT infrastructure. This increased need for security is driven by a number of factors. These factors include increased dependency on the Internet, financial and legal liability, protection of personal identity information and sensitive corporate data, increased numbers and age of legacy systems with limited vendor support, deploying complex systems, and new regulations governing corporate transactions. There are a number of technologies on the market today that can mitigate most of these security factors. However, managers in IT organizations need to identify potential future threats and security technologies to assess and potentially mitigate risk through the deployment of those technologies. This article investigates three areas critical to the successful deployment and securing of information technology.

3.
For various IT systems, security is considered a key quality factor. In particular, it might be crucial for video surveillance systems, as their goal is to provide continuous protection of critical infrastructure and other facilities. Risk assessment is an important activity in security management; it aims at identifying assets, threats and vulnerabilities, analysis of implemented countermeasures and their effectiveness in mitigating risks. This paper discusses an application of a new risk assessment method, in which risk calculation is based on Fuzzy Cognitive Maps (FCMs) to a complex automated video surveillance system. FCMs are used to capture dependencies between assets and FCM based reasoning is applied to aggregate risks assigned to lower-level assets (e.g. cameras, hardware, software modules, communications, people) to such high level assets as services, maintained data and processes. Lessons learned indicate that the proposed method is an efficient and low-cost approach, giving instantaneous feedback and enabling reasoning on effectiveness of security system.

4.
Abstract

Over an extremely short period of our history, computer systems and the Internet have become a critical element in our social and economic infrastructure. Most would agree that information systems and, dare I say, information security, have evolved into the most critical elements of our economic infrastructure. Security has been charged with a simple task: to plan, implement, and manage an integrated, heterogeneous security environment across hardware, operating systems, middleware, network protocols, applications, and databases. There is just one small problem. Security technology is relatively immature. Security tools are weak or lacking. The tools that are available are product based — not enterprisewide, which leads to many uncommon and unworkable solutions.

5.
Critical, or national, information infrastructure protection, referred to as either CIIP or NIIP, has been highlighted as a critical factor in overall national security by the United States, the United Kingdom, India and the European Community. As nations move inexorably towards so-called ‘digital economies’, critical infrastructure depends on information systems to process, transfer, store and exchange information through the Internet. Electronic attacks such as denial of service attacks on critical information infrastructures challenge the law and raise concerns. A myriad of issues potentially plague the protection of critical information infrastructures owing to the lack of legal regulation aimed at ensuring the protection of critical information infrastructures. This paper will highlight the legal concerns that relate to the denial of service attacks on critical information infrastructures and provide an introductory overview of the law as it relates to CIIP in Australia.

6.
Abstract

Web technology has enabled many organizations to form an E-enterprise for effective communicating, collaborating, and information sharing. To gain competitive advantages, E-enterprises must integrate entire lines of business operations and critical business data with external organizations or individuals over the Web, which may introduce significant security risks to the organizations' critical assets and infrastructures. This article provides systems professionals with a multidimensional E-enterprise security view. The view puts forward practical steps and sustainable solutions for tackling the unique security challenges arising in an E-enterprise environment.

7.
Abstract

Security auditing methods have not changed markedly from those first developed for the stand-alone computer environments of the 1960s. These methods were adequate for their time, but modern information system technology has made auditing computer security a much more imposing problem. There are numerous reasons for this. Personal computers have placed powerful tools for exploration and hacking onto everyone's desk. Networks have revolutionized the exchange of information, but they have also provided a direct path for hackers to attack and compromise critical computer assets. Even more threatening, employees and contractors can often readily gain unrestricted access to even the most sensitive information simply because standards for protection have not been designed or implemented. In this environment, bookkeeping-based auditing methods not only fall short, but can create a misleading impression that security is under control.

8.
ABSTRACT

Adversary threats to critical infrastructures have always existed during times of conflict, but threat scenarios now include peacetime attacks from anonymous computer hackers. Current events, including examples from Israel and Estonia, prove that a certain level of real-world disorder can be achieved from hostile data packets alone. The astonishing achievements of cyber crime and cyber espionage – to which law enforcement and counterintelligence have found little answer – hint that more serious cyber attacks on critical infrastructures are only a matter of time. Still, national security planners should address all threats with method and objectivity. As dependence on IT and the Internet grows, governments should make proportional investments in network security, incident response, technical training, and international collaboration.

9.
ABSTRACT

Information security can be viewed as the efficient control of uncertainty arising from malicious acts intended to exploit valuable assets and in the context of information systems the valuable assets under consideration are data. A large part of information security approaches is technical in nature with less consideration on people and organizational issues. The research presented in this paper adopts a broader perspective and presents an understanding of information security in terms of a socio-organizational perspective. In doing so, it uses the goal-setting approach to identify any possible weaknesses in security management procedures in relation to trust among the members of information technology groups in communicating efficiently security risk messages. Data for the research were collected through in-depth interviews within three case studies. Interview results suggest that goal setting and trust are interrelated in managing information security. The research contributes to interpretive information systems with the study of goal setting and trust in a security management context.

10.
The protection of critical infrastructure systems is a hotly debated topic. The very label "critical infrastructure" implies that these systems are important, and they are: they support our everyday lives, from the water and food in our homes to our physical and financial welfare. This article explores the recent evolution of programmable logic controllers (PCSs) and their environments, explains the need for improved security in these systems, and describes some of the emerging research areas that offer promise in PCS security.

11.
The events of 11 September 2001 brought an increased focus on security in the United States and specifically the protection of critical infrastructure. Critical infrastructure encompasses a wide array of physical assets such as the electric power grid, telecommunications, oil and gas pipelines, transportation networks and computer data networks. This paper will focus on computer data networks and the spatial implications of their susceptibility to targeted attacks. Utilising a database of national data carriers, simulations will be run to determine the repercussions of targeted attacks and what the relative merits of different methods of identifying critical nodes are. This analysis will include comparison of current methods employed in vulnerability analysis with spatially constructed methods incorporating regional and distance variables. In addition to vulnerability analysis a method will be proposed to analyse the fusion of physical and logical networks, and will discuss what new avenues this approach reveals. The analysis concludes that spatial information networks are vulnerable to targeted attacks and algorithms based on distance metrics do a better job of identifying critical nodes than classic accessibility indexes. The results of the analysis are placed in the context of public policy posing the question do private infrastructure owners have sufficient incentives to remedy vulnerabilities in critical networks.

12.
ABSTRACT

Cloud computing is a new IT delivery paradigm that offers computing resources as on-demand services over the Internet. Like all forms of outsourcing, cloud computing raises serious concerns about the security of the data assets that are outsourced to providers of cloud services. To address these security concerns, we show how today's generation of information security management systems (ISMSs), as specified in the ISO/IEC 27001:2005, must be extended to address the transfer of security controls into cloud environments. The resulting virtual ISMS is a standards-compliant management approach for developing a sound control environment while supporting the various modalities of cloud computing.

This article addresses chief security and/or information officers of cloud client and cloud provider organizations. Cloud clients will benefit from our exposition of how to manage risk when corporate assets are outsourced to cloud providers. Providers of cloud services will learn what processes and controls they can offer in order to provide superior security that differentiates their offerings in the market.

13.
It very often happens while setting up or renovating company IT infrastructure that most of the investment goes into purchasing new products. In particular, this may occur in the area of security, which is often not given the attention it deserves. The worst error one can commit is that of spending hundreds of thousands of dollars on perimeter protection products (firewalls, content filtering, etc.) and rearguard products (intrusion detection systems) without having assessed vulnerabilities and assets, and developed a post-implementation security management program.

14.
The information security train has been running at 100 miles per hour for a few years now - unfortunately, though, we're going in reverse. The security market first focused on the perimeter, firewalls, and antivirus technologies, determined to keep the bad stuff from entering the infrastructure, only to then consider the network, with the logical sequence thus leading to protecting applications. However, the sole reason that information technology exists is to lever the critical asset - data. Security, as we define it, is data and network integrity - the protection of and access to the data. Ideally, security should have started with placing the protection as close to the assets (data) as possible, not the opposite. Folks, we got it backwards.

15.
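In Australia, the organization and management of information security is the responsibility of the federal government, with its Attorney-General's Department playing a very important role. In recent years, the Australian government has gradually built a fairly complete information security assurance system by continuously improving information security laws, regulations and standards, promoting cooperation among government departments, emphasizing the protection of critical infrastructure information, raising public awareness of information security protection, establishing a training system for security specialists, and improving the evaluation and certification system for information products.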

16.
In the twenty-first century, globalisation made corporate boundaries invisible and difficult to manage. This new macroeconomic transformation caused by globalisation introduced new challenges for critical infrastructure management. By replacing manual tasks with automated decision making and sophisticated technology, no doubt we feel much more secure than half a century ago. As the technological advancement takes root, so does the maturity of security threats. It is common that today’s critical infrastructures are operated by non-computer experts, e.g. nurses in health care, soldiers in military or firefighters in emergency services. In such challenging applications, protecting against insider attacks is often neither feasible nor economically possible, but these threats can be managed using suitable risk management strategies. Security technologies, e.g. firewalls, help protect data assets and computer systems against unauthorised entry. However, one area which is often largely ignored is the human factor of system security. Through social engineering techniques, malicious attackers are able to breach organisational security via people interactions. This paper presents a security awareness training framework, which can be used to train operators of critical infrastructure, on various social engineering security threats such as spear phishing, baiting, pretexting, among others.

17.
[This paper was given at Compsec 2002, in London, on 30 October 2002]. Global or continental critical infrastructures — including electric power, telecommunications, and the Internet — are now the control plane for advanced economies. The occasional failures of these key infrastructures illustrate not only our dependence, but also the unanticipated interdependencies between systems. For example, the 1998 failure of a single telecommunications satellite, Galaxy 4, led to an outage of nearly 90% of all pagers in the United States, while also causing a number of unanticipated failures: many banking and financial services (credit card purchases, automated teller machines) were interrupted, as was communications with doctors and emergency workers [1]. With awareness of economic and social dependence on these distributed infrastructures has come a growing concern about their reliability and security. Defense against deliberate attack — critical infrastructure protection — emerged as part of the US national security posture in the mid-1990s with the work of the President’s Commission on Critical Infrastructure, and was codified by Presidential Decision Directive 63 in 1998. Other nations are also beginning to develop national strategies for infrastructure protection. Reliability is more than protection against deliberate attack. An accidental cut of a fiber optic trunk shut down air traffic control along the east coast of the US for a day. A cascading series of events, starting with a tree limb falling, caused much of the western US to lose electricity. The challenge of improving the reliability of global networked infrastructures presents us with significant analytical and decision-making complexities, with both technical and policy relevant dimensions [2]. This paper — using principally examples from the Internet and other distributed IT systems — presents two perspectives on these complexities.
First is to present critical global infrastructures as complex adaptive systems, which share certain characteristics that policy makers and managers need to account for. Secondly, the balance of the paper outlines five major dimensions of the analytical and decision-making complexity, and presents the research and policy-making agendas that need to be addressed if we are to significantly improve the reliability of global infrastructures. Neither of these perspectives is purely technical or engineering based. Success in increasing the reliability of global infrastructures will require much more analytically sophisticated research in, among other topics, the issue areas identified here — in addition to ongoing technology-based research.

18.
Next generation collaborative systems will offer mobile users seamless and natural collaboration amongst a diversity of agents, within distributed, knowledge-rich and virtualized working environments. This ambitious goal faces numerous challenges from the underlying communication infrastructure to the high level application services, with the aim to provide services with the appropriate quality (such as persistence, synchronization, and security). Most currently available tools supporting collaboration address either rather traditional and rigid intra-organizational collaboration scenarios or, at the opposite, completely free and unstructured open communities’ interactions. Emerging dynamic, flexible and ad hoc collaboration schemes are hardly or not supported at all. The POPEYE framework offers collaborative services for applications that aim to enable spontaneous collaboration over P2P wireless ad hoc groups, where fixed infrastructure is not a prerequisite, where virtual communities can emerge spontaneously and share data with the appropriate quality of service for business applications (persistence, synchronization, security, etc.).

19.
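In recent years, as critical infrastructure control systems have become standardized, intelligent and networked, cyber attacks against critical infrastructure have been increasing. Once critical infrastructure that bears on the national economy and people's livelihood, such as electric power, petrochemicals and rail transit, is attacked, the consequences may well be catastrophic. Critical infrastructure information security has become a sword of Damocles hanging over the governments of all countries, and taking measures to strengthen its information security assurance capability is imperative. This paper first introduces the basic concepts of critical infrastructure and the typical industrial control systems used in critical infrastructure, analyzes the characteristics of critical infrastructure information security incidents, describes the information security challenges facing industrial control systems, and proposes corresponding measures and recommendations to address these challenges.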

20.
At the US Military Academy at West Point, New York, we approach the topic of protecting and defending information systems as a matter of national security. The time has long passed where we could consider cyberattacks as merely a nuisance; the threat from a cyberattack is very real. Our national information infrastructure is not just essential to the USA economy; it is a life-critical system. Presidential Decision Directive 63 (which called for a national effort to assure vulnerable and interconnected infrastructure security, such as telecommunications, finance, energy, transportation, and essential government services) officially recognizes this, and numerous reports have validated it. As military academy educators, our duty is to provide an education that empowers our graduates with the skills needed to protect the many critical information systems that the military uses.
