Analyzing Adversarial Attacks on Key Infrastructure Assets

Select ONE of the attack types from the syllabus… (physical or cyber)

UK Govt. Office of Science, Foresight project.

2/27 Physical Security
- Perimeter Defense
- Defense in Depth
- Monitoring
Readings:
- Anderson, R. Physical Protection. Security Engineering. V.2.
- Office of Technology Assessment. (1992) Appendix E. Physical Protection Systems.
Suggested:
- Marine Corps. Physical Security Security Administration. Career Road Map.

3/1 Cybersecurity
- Castle Model
- Assumption of Breach
- Cyber-Physical Systems and Operational Risk
Readings:
- Leuprecht et al. (2016) Beyond the Castle Model of cyber-risk and cybersecurity. Govt. Information Quarterly.
- Carr. The Classification of Valuable Data in an Assumption of Breach Paradigm. Georgetown Journal of International Affairs.
- Langner, R. (2013) Bound to Fail: Why Cybersecurity Risk Cannot be Managed Away. Brookings.
Suggested:
- Lewis Chapters 6-10

3/6 Robustness, Resilience, Recovery
- Resilience
- Redundancy
- Recovery Curves
Readings:
- Clark-Ginsberg, A. (Undated) What’s the Difference between Reliability and Resilience? ICS CERT.
- Moteff, J. (2012) Critical Infrastructure Resilience: The Evolution of Policy and Programs and Issues for Congress. CRS.
- Volpe National Transportation Systems Center. (2013) Infrastructure Resiliency: A Risk-Based Framework.
Suggested:
- GMU CIP Report. January 2014. Resilience.

Select ONE of the sectors from the syllabus… (or a subsector)

3/8 Risk Transfer
- Insurance
- Cloud Computing
- Can You Transfer Vulnerabilities and Consequences?
PAPER 2 DUE
Readings:
- DoE. (2013) Insurance as a Risk Management Instrument for Energy Infrastructure Security and Resilience.
- NYS 2100 Commission. Recommendations to Improve the Strength and Resilience of the Empire State’s Infrastructure. Pgs 145-158.
Suggested:
- DHS. (2014) Insurance for Cyber-Related Critical Infrastructure Loss: Key Issues.
- Czajkowski et al. (2017) Identifying and Reducing Barriers to Infrastructure Catastrophic Risk Insurance – Transportation Infrastructure Systems. Wharton.
3/13 SPRING BREAK

3/15 SPRING BREAK

3/20 Hurricane Sandy
- New York City
- Urban and Complex Infrastructure
- Coastal Infrastructure
Readings:
- FEMA. (2013) Hurricane Sandy AAR
- New York City. (2013) Hurricane Sandy AAR
- Stockton, P. (2016) Superstorm Sandy: Implications for Designing a Post-Cyber Attack Power Restoration System. JHUAPL.

3/22 Electrical Sector
- Dependencies of Other Sectors on Grid
- Creation and Governance of Grid
- Smart Grid
Readings:
- Lewis Chapter 13
- NYS 2100 Commission. Recommendations to Improve the Strength and Resilience of the Empire State’s Infrastructure. Pgs 79-110.

3/27 Water Sector
- Water and Waste Water
- Ownership and Management
Readings:
- Lewis Chapter 11
- GMU CIP Report. August 2014. Water.

3/29 Transportation Sector
- Differences in subsector ownership and regulation (Aviation v. Roads)
PAPER 3 DUE
Readings:
- Lewis Chapters 15-16
- NYS 2100 Commission. Recommendations to Improve the Strength and Resilience of the Empire State’s Infrastructure. Pgs 43-78.
Suggested:
- GMU CIP Report. July 2012. Surface Transportation.
- GMU CIP Report. April 2015. Transportation.

4/3 IT and Communications Sectors
- Critical Information Infrastructure Protection (CIIP) approach
- Concentration and “Natural” Monopolies
- From Wire to Wireless to Fiber
Readings:
- Lewis Chapter 5
- BSI. (2004) Critical Infrastructure Protection: Survey of World-Wide Activities.
Suggested:
- GMU CIP Report. November 2012. Communications.

4/5 Financial Sector
- Replacement of Physical Infrastructure With Virtual Infrastructure
- Global Interdependencies
Readings:
- Lewis Chapter 17
- DHS NIPP. (2015) Healthcare and Public Health Sector Specific Plan.
Suggested:
- GMU CIP Report. October 2013. Financial Services.
- DHS NIPP. (2007) Healthcare and Public Health Sector Specific Plan.

4/10 Health/Public Health
- Health Sector Landscape
EXERCISE 2
Readings:
- Lewis Chapter 14
- DHS NIPP. (2016) Healthcare and Public Health Sector Specific Plan.
Suggested:
- GMU CIP Report. March 2015. Healthcare.
4/12 Government and Emergency Services
- Gov’t facilities
- DIB
- Emergency Services
- Elections?
Readings:
- DHS. (2012) Emergency Services Sector Cyber Risk Assessment.
Suggested:

Find a real example of that kind of attack on that kind of target…
• i.e. Google “terrorist attack” and “court house” (physical attack and govt facilities) or “cyber attack” and “hospital” (cyber attack and health/public health)… be creative
• Find a good – WELL DOCUMENTED – incident that you’d be interested in becoming expert on:
  • Make sure you find an incident you can document well (if you can only find 1-2 articles about it, your paper will NOT be good – 3-5 real articles is the minimum to do this well)
  • Incidents in the US are often covered well in the news, but feel free to use international incidents if they’re well documented (these problems happen everywhere)
• Do not use any of the incidents from writing assignment 2!

WRITING ASSIGNMENT 2 INCIDENTS DO NOT USE!!!!
Physical Security Measur

For your incident: 2 pages:
• Establish who the key stakeholders were
  • Threat: Who were the attackers?
  • Vulnerability: Who owned and operated the infrastructure?
  • Consequence: Who bore the impact of the attack/had to deal with the consequences? (including response and recovery)
• Defending the asset
  • Who did/should’ve defended the asset?
  • Did they do a good job?
  • Could others have helped or improved security?
    • Govt – Law Enforcement/Security
    • Govt – Regulators
    • Industry Partners/Industry Groups

For your incident 1.5-2 pages:
• Apply 3 of the following concepts from the class to your incident
  • Robustness
  • Recovery
  • Risk Transfer
  • Interdependence
  • Public vs. Private Sector Incentives and Risk Management Approaches
  • Criticality
  • Adversary Risks – Targeting
  • Adversary Risks – Strategic Actors/Strategic Decision Making
  • Physical Security – Perimeter Security
  • Physical Security – Defense in Depth
  • Cybersecurity – Castle Model
  • Cybersecurity – Assumption of Breach
