Proceedings of the 2005 First IEEE International Workshop on Critical Infrastructure Protection (IWCIP’05)
0-7695-2426-5/05 $20.00 © 2005 IEEE
Information Security, IT Security, Internal Audit, Privacy, External Regulations, and so forth.

The limitations inherent in RM as it is currently being practiced derive to a large extent from the fact that, despite the growing need for a solution and the increasing complexity of the processes involved, RM activities are usually still performed in a decentralized manner. Different RM activities within large enterprises are often uncoordinated and only partially congruent, and decision processes are predominantly influenced by local knowledge and the "gut feeling" of the specialist on hand. This "pen and paper" effort might sometimes result in the creation of a document whose findings may remain unattended, as often there is no process in place to assure the completion of all the risk mitigation activities.

These limitations become even more critical when dealing with CIP RM. Here the level of complexity is significantly greater and there is a need to deliver a comprehensive RM approach that takes into account all the different Critical Infrastructure aspects, and not just the information layer.

In this article we discuss the major challenges facing CIP RM, and we outline several best practice methods of coping with them. This includes:
• Creating an RM framework and establishing suitable RM measurement criteria
• Usage of advanced Risk Assessment (RA) methods, including adoption of appropriate CIP models that can be used for RA
• Development and implementation of RM tools

Use of RM tools can play a major role in this process, as it can raise the efficiency of RM activities and decrease reliance on any individual RA specialist’s knowledge. The contribution of such tools is even greater when dealing with Critical Infrastructures, and could even be critical for successful Risk Management, as it is very unlikely that a single specialist will be able to cope with the diversity and complexity of information required to properly conduct CIP risk assessment.

2. CIP: Risk Management Challenges

2.1 The Nature of CIP

Critical Infrastructure Protection is a new field, posing a complex set of requirements upon security assessment. To protect critical infrastructures, a comprehensive approach is needed.

The success of RA to a large part depends on considering the unique aspects of each infrastructure. Manufacturing electricity is unlike supplying communication, or e-Government services. The key processes involved in each Critical Infrastructure need to be studied and their unique vulnerabilities identified.

This approach is very different from most of the analysis methodologies used today, which focus mainly on Information and IT security. Here they are by contrast regarded as closed environments detached from their surroundings.

2.2 Growth in Organizational Complexity

The complexity of organizational structures and information systems within multi-national enterprises has progressively been increasing over time.

Key business processes may take place in different countries, and may use very different systems and technologies. Each component involved in the process may be capable of influencing the entire process. Risk Management in a distributed organization, however, must focus on the entire sequence of business activities, as well as on every individual component along the process chain.

As a result, the RM specialist must be intimately familiar with numerous environments, systems and technologies, in order to perform his task well. He needs to be able to think flexibly and must possess the ability to correlate findings from diverse knowledge areas.
one’s only guarantee is ‘guaranteed business change’. With this principle in mind, it becomes self-evident that RM cannot be static. Properly managed RM is an ongoing activity that facilitates and allows the business process owner to control and manage his exposures.

Not every existing risk can be prevented. However, prior knowledge will allow the owner of the business process to make informed decisions. With preventive measures in place the owner may be able to avoid or reduce exposure to existing risks. It may even be possible to transfer the risk burden to an insurance company. Some potential risks may just not be critical enough, while others may just be too expensive to cover, when they are put against the impact of the possible losses involved.

2.4 Need for Compliance

Organizations use various types of media (such as computers, computer networks, tapes, disks, paper, etc.) to store their information. This information can be divulged via fax, mail or even simply verbally. RM with regard to information is a very old discipline, and most organizations are well aware of the processes needed to maintain their CIA (Confidentiality, Integrity and Availability) classification.

Compliance with existing regulations is a key requirement in organizations supervised by governmental agencies, such as the FDA (Food and Drug Administration). Following the Enron and MCI cases, government agencies are continuously issuing new laws and directives (e.g., Sarbanes Oxley) that additional industries must comply with. In the past, CIA was the basis of business impact analysis, with an emphasis on confidentiality. New laws and regulations, however, added a fourth dimension, Compliance. The serious implications that may result from non-compliance, including imposition of heavy penalties, pose a heavy potential burden on organizations.

The main challenge facing the information security arena is how to achieve more for less. Many organizations view information security simply as "extensive expenditure", rather than as a business enabler. Consequently, despite increasing levels of complexity within environments requiring protection, and the increasing number of threats being posed, there hasn't been a comparable increase in information security budgets.

Information security needs to be more efficient, but not at the expense of reduced protection levels. It needs to provide an optimal and cost-effective security solution through appropriate use of RM.

2.6 Human Factors

The major RM challenges facing organizations described earlier, combined with the fact that at present RM processes to a large extent depend on the experience of the individual RM specialist, lead to the conclusion that there is a need for highly skilled specialists meeting industry benchmarks and objective criteria to perform this task. Those individuals must have a broad understanding of a diverse range of subjects (e.g., information security, security standards and government regulations, organizational processes, systems’ architecture, plus other technologies), in order to carry out a thorough RA.

The main problem is that specialists in a field such as this are either very costly to hire, or extremely difficult to find. As a result, performing a comprehensive RA is a serious financial burden even for medium to large sized organizations.

Furthermore, it is highly risky for organizations that sensitive RA processes are to a large extent dependent on the personal judgment, knowledge, and gut feeling of the individual specialist. Therefore, there is a need to offset subjective evaluations by standardizing some of the more complex decision making processes.

3. Adopting Best Practices to Defeat Chaos

Building a global RM framework, and efficiently measuring its accomplishments, is one of the key ingredients in successful RM.

The framework should centralize all RM activities within the organization. This centralized approach is
important for achieving gapless risk coverage, and for preventing an overlap of activities. Central coordination and prioritization of RA objectives will lead towards cost effectiveness and efficiency.

For example, creating a central RM know-how center will also significantly assist RM specialists in their work.

The RM framework should cover all the RM lifecycle phases, and clearly define responsibilities for each phase. A vague definition of responsibilities is likely to result in a vicious cycle, whereby a document waits on the shelf, and the next document joins it, a few months later.
procurement of commercial products and systems. The CC addresses neither the evaluation methodology nor the administrative and legal framework; however, it could be used for such evaluation purposes.

• Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE®)²: The OCTAVE approach is a systematic way for an organization to address its information security risks, sorting through the complex web of organizational and technological issues. The OCTAVE approach includes a set of criteria that defines the requirements for a comprehensive, self-directed information security risk evaluation, and a set of methods consistent with the criteria. OCTAVE was developed by the Software Engineering Institute at Carnegie Mellon University.

dimensional vector of an incident’s impact. These models are described in the paper entitled “Summary of the Cross Connections Between WP6 Deliverables”, published in the ACIP project, by Mr. Walter Schmitz, IABG,⁵ which dealt with the creation of the European roadmap for CIP analysis and assessment research.

3.4 Critical Infrastructure Layers

Understanding the various risks associated with Critical Infrastructures requires an understanding of the four basic infrastructure layers. This includes:

² http://www.cert.org/octave/
³ http://www.riskworld.net/
⁴ http://www.iabg.de/acip/doc/ergebnisse_workshop_2002_12_bruessel/EESA-basics.pdf
⁵ http://www.iabg.de/acip/doc/wp6/D61_summary.pdf
Figure 2. Dependency Between CIP Layers
3.7 Development and Implementation of RM Tools

Tools for RA and RM are a developing field. Over the next few years, as risk analysis activity is increasingly centralized, the use of tools to automate this process will undoubtedly also increase.

Some potential benefits of RM tools are:
• Optimization of resource management and budgeting by automating processes. This includes the usage of predefined templates and report generators.
• Optimization of IT security spending through efficient identification of risk areas.
• Providing a computerized methodology that increases the ability of handling large, complex systems that a "one-man" approach would have difficulty coping with.
• Providing centralized management and measurement capabilities for the RM processes within the entire organization.
• Improving policy and regulation compliance processes by creating compliance workflows throughout the organization.
• Allowing some RA tasks to be delegated to non-security experts, thus covering more security areas with fewer professional resources.
• Providing a comprehensive computerized methodology that reduces the need to rely on subjective knowledge and gut feelings.

At present, the first generation of tools is very limited. They focus mainly on RA, and provide only basic RM capabilities. However, this might change.

Existing tools are to a large extent questionnaire-based and only aid in the process of risk management within large organizations. They use asset mapping, whereby a range of values is assigned to the organization’s assets, and each of these is evaluated for compliance with different industry standards. For example, financial services are evaluated for compliance with the Sarbanes Oxley Act, data services in the Health industry with HIPAA compliance, etc.

By automating and formalizing the risk management process, the organization can benefit in terms of efficiency, but with tool capabilities as they exist today, they are unable to provide an accurate appraisal of the inherent cross boundary security risks within organizations or across disciplines which decision makers can effectively make use of.

Some tools try to calculate risk probabilities and risk rates by using a variety of risk analysis formulas such as ALE (Annual Loss Expectancy), and financial metrics. Their scope is however limited, since there is little ability within the organizations to actually provide the data necessary to quantify these metrics.

Other products also maintain databases that store large amounts of information concerning threats, vulnerabilities and countermeasures. Although this reduces the amount of time (and of expert personnel) required to research the information for the risk assessment process, the tools that implement this still focus on the single IT component and not on all the CIP processes.

Developing the next generation of Risk Management tools will probably change the Risk Management environment in medium to large sized organizations. Each security officer will have an RM tool on his desk, to assist him in dealing with the full range of RM activities within the organization. An interesting example of such a tool under development is the White Cyber Knight™⁶, which will provide a comprehensive approach towards risk management in large organizations.

⁶ http://www.whitecyberknight.com

White Cyber Knight™ is an expert RM system. The tool is designed for CIP, with an emphasis on Critical Information Infrastructure Protection (CIIP). The tool is based on an advanced RA engine. It is capable of providing a comprehensive Risk Map that is driven by a wide variety of aspects affecting an organization’s security. This includes: human behavior, policies and regulations, critical business processes, architecture of IT systems, and technical vulnerabilities, among others. The tool is designed to meet RM needs in large organizations, but can effectively be used by medium-sized organizations as well. It provides the ability to manage security risks in distributed environments, to follow up risk mitigation activities, and finally, allows the Chief Security Officer (CSO) and the IT manager to measure their success over time.

Use of RM tools such as this can play a major role in the RM process, since it can raise the efficiency of RM activities, and decrease reliance on any individual risk analyst’s knowledge. The contribution of such tools is even greater when dealing with Complex Critical Infrastructures, as it is highly unlikely any
single specialist is able to cope with the diversity and complexity of CIP risk assessment requirements.

However, use of RM tools cannot exist in a vacuum. They will be possible only within a strong global RM framework and suitable measurement criteria on which to be based. It would furthermore require use of advanced RA methods, plus CIP models that can be used for RA.

These elements are interdependent, and only by selectively combining their best features can a successful RM campaign be instituted, and to adequately face the challenges of an ever changing and ever demanding security risk environment.
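
Section 3.7 notes that tools relying on ALE (Annual Loss Expectancy) are limited because organizations can rarely supply the data the formula needs. The following Python example is an added illustration, not part of the original paper or of any tool it names: it uses the standard definition ALE = SLE × ARO with low/high bounds on each input, and goes one step beyond the text by reporting which risk rankings the resulting ranges cannot decide. The risk names and all figures are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: tuple  # (low, high) estimate of the asset's value
    exposure: tuple     # (low, high) fraction of that value lost per incident
    aro: tuple          # (low, high) annual rate of occurrence

    def ale_range(self):
        """ALE = SLE * ARO, where SLE = asset value * exposure factor.
        Inputs are non-negative, so the product's bounds are the products
        of the lower bounds and of the upper bounds."""
        low = self.asset_value[0] * self.exposure[0] * self.aro[0]
        high = self.asset_value[1] * self.exposure[1] * self.aro[1]
        return low, high


def rank_risks(risks):
    """Sort risks by ALE midpoint and list the pairs whose ALE ranges
    overlap, i.e. where the available data cannot say which is worse."""
    ranges = {r.name: r.ale_range() for r in risks}
    ordered = sorted(ranges, key=lambda n: sum(ranges[n]) / 2, reverse=True)
    ambiguous = [
        (a, b)
        for i, a in enumerate(ordered)
        for b in ordered[i + 1:]
        if ranges[b][1] >= ranges[a][0]  # lower-ranked range reaches into a's
    ]
    return ordered, ambiguous


# Constructed sample estimates, not taken from the paper.
RISKS = [
    Risk("control-centre outage", (4_000_000, 6_000_000), (0.2, 0.5), (0.05, 0.5)),
    Risk("billing database breach", (1_000_000, 1_500_000), (0.3, 0.4), (0.2, 0.4)),
    Risk("office laptop theft", (2_000, 3_000), (1.0, 1.0), (5, 10)),
]

if __name__ == "__main__":
    ordered, ambiguous = rank_risks(RISKS)
    for r in RISKS:
        low, high = r.ale_range()
        print(f"{r.name:26s} ALE {low:>12,.0f} .. {high:>12,.0f}")
    print("midpoint order:", ordered)
    print("undecidable pairs:", ambiguous)
```

With these inputs the outage ranks first by midpoint, yet its range overlaps the breach's, so the top priority depends on data the organization does not have.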