SECR 5140-FL Critical Infrastructure Protection - PowerPoint PPT Presentation

1
SECR 5140-FL Critical Infrastructure Protection
  • Dr. Barry S. Hess
  • Spring 2 Semester
  • 18 March - 19 May 2006

2
Agenda
  • Introductions
  • Syllabus
  • Research paper
  • Lecture
  • Discussion

3
My Introduction
  • Background
  • PhD, Chemical Engineering
  • Systems engineer
  • Modeling and simulation
  • Operational intelligence analysis
  • Information technology
  • Relevant Experience
  • Developed a methodology and conducted research
    and assessed cyber vulnerabilities for
    Internet-based and Open-Source data without
    hacking
  • Performed open source vulnerability analyses of
    U.S. Government facilities
  • Contact Information
  • barry.hess_at_gmail.com
  • 571.237.3418 (cell)

4
Your Introduction
  • Name
  • Background
  • Why are you taking this class?
  • What are your expectations?

5
Syllabus

6
Course Description
  • This course is an overview and continuing
    analysis of the President's Commission on
    Critical Infrastructure Protection (PCCIP) and
    the efforts to ensure the safety of these vital
    assets. Originally, the commission studied the
    critical infrastructures that constitute the life
    support systems of the United States, determined
    their vulnerabilities, and proposed strategies
    for protecting those infrastructures into the
    future. Students will critically examine the
    Commission's report, critique its
    recommendations, and analyze how effective
    government is in light of past experiences and
    what may be required to ensure the future.

7
Course Objectives
  • Understand the rationale behind and the results
    from the report of the President's Commission on
    Critical Infrastructure Protection.
  • Understand the nation's various critical
    infrastructures (energy, banking and finance,
    transportation, vital human services, and
    telecommunications) and assess how they need to
    be protected in the new context of the
    information age.
  • Understand the multitude of threats impacting
    critical infrastructures and examine the resulting
    vulnerabilities.
  • Compare the various roles of government, the
    military and private industry in providing
    effective critical infrastructure protection and
    the role of the security professional.
  • Conduct graduate-level research and demonstrate
    skills in written and oral communication.

8
Course Schedule
  • Week 1: Introduction and Course Overview. PCCIP
    background discussion and rationale for study
  • Critical Foundations (CF) Report: Read Foreword,
    Executive Summary, and Chapter 1
  • Verton: Read Chapters 1 & 2
  • Week 2: The changes impacting society and
    associated threats and vulnerabilities;
    information and communications sector
  • CF: Read Chapters 2 & 3, A-2 to A-10
  • Verton: Read Chapters 3, 4, App A
  • Week 3: Research Topics Due. PCCIP findings;
    establishing partnerships; physical distribution
    sector
  • CF: Read Chapters 4 & 5, A-11 to A-23
  • Verton: Read Chapter 5 & App B
  • Week 4: Building and structuring the
    partnership; energy sector
  • CF: Read Chapters 6 & 7, A-24 to A-36
  • Verton: Read Chapters 6 & 7
  • Week 5: Awareness and education; need for
    government leadership; banking & finance sector
  • CF: Read Chapters 8 & 9, A-37 to A-43
  • Verton: Read Chapter 8 & App C
  • Week 6: Legal initiatives; research and
    development; vital human services sector
  • CF: Read Chapters 10 & 11, A-44 to A-53
  • Verton: Read Chapter 9 & App D
  • Week 7: Implementation strategy
  • CF: Read Chapter 12
  • Verton: Read Chapters 10 & 11
  • Week 8: Student Presentations; Research Paper
    Due
  • Week 9: Final Exam

9
Course Requirements
  • Class Attendance / Participation: 25%
  • Research Paper: 25%
  • Oral Presentations: 25%
  • Final Examination: 25%

Each requirement is worth 100 points. The grade
scale is: A 94-100; A- 90-94; B+ 87-89;
B 84-86; B- 80-83; C 70-79; F < 70

10
Course Texts
  • Primary texts
  • Critical Foundations: Protecting America's
    Infrastructures, report of PCCIP
  • Black Ice: The Invisible Threat of
    Cyber-Terrorism, by Dan Verton
  • Secondary texts
  • The Clinton Administration's Policy on Critical
    Infrastructure Protection: Presidential Decision
    Directive 63, White House
  • National Strategy For Homeland Security Office
    of Homeland Security, White House Office of
    Homeland Security
  • Physical Protection of Critical Infrastructures
    and Key Assets, White House Office of Homeland
    Security
  • National Strategy to Secure Cyberspace, White
    House Office of Homeland Security
  • National Incident Management System, Department
    of Homeland Security
  • National Response Plan, Department of Homeland
    Security

11
Relevant Websites
  • Department of Homeland Security
  • http://www.dhs.gov/dhspublic/
  • DHS/IAIP Daily Open Source Infrastructure Report
  • http://www.dhs.gov/dhspublic/display?theme31content4252
  • dhsdailyadmin_at_mail.dhs.osis.gov
  • CERT Coordination Center
  • http://www.cert.org/
  • IWS - The Information Warfare Site
  • http://www.iwar.org.uk/cip/
  • Critical Infrastructure Protection Project
  • http://techcenter.gmu.edu/programs/cipp.html
  • Memorial Institute for the Prevention of
    Terrorism
  • http://www.mipt.org/Critical-Infrastructure-Protection.asp
  • Revolution in Military Affairs (RMA) Debate
    (sponsored by Project on Defense Alternatives)
  • http://www.comw.org/rma/fulltext/homeland.html7
  • Institute for Security Technology Studies
  • http://www.ists.dartmouth.edu/

12
Research Paper

13
Three Questions
  • Would you want your employer to use your paper in
    your annual review?
  • Would you give the paper to a prospective
    employer?
  • Is your paper ready for publication?

14
Research Paper and Oral Presentation Requirements
  • A 10-12 page (double-spaced) typewritten paper by
    week 8 of class
  • Paper may be on any topic within the scope of
    class
  • You must identify and prove your topic to the
    instructor (in writing, one typewritten page) by
    week 3 of the class
  • Must cite at least three relevant sources
  • Student papers will use the style guidance in A
    Manual for Writers of Term Papers, Theses and
    Dissertations, 6th edition, by Kate L. Turabian
  • Each student will deliver a 10-15 minute oral
    presentation of the research paper to the class
    during week 8

15
Why Do Research?
  • Joy of discovery
  • Thrill of investigation
  • Develop critical thinking
  • Advance logical processes
  • Cultivate argument basics

16
What is a Research Paper?
  • It is an exposition of the results of your
    investigations on a topic
  • It should be your own thoughts and ideas based on
    the facts that you have examined from a variety
    of sources
  • A research paper is not a collection of quotations
    that demonstrate that you can report what others
    have said
  • The research paper shows off your ability to
    analyze, evaluate and synthesize the issues and
    document the discussion

17
Mechanics
  • Grammar and spelling matter
  • Use a 12 point standard font, e.g., Times,
    Geneva, Bookman, Helvetica, etc.
  • Double spaced text on 8 1/2" x 11" paper with 1
    inch margins, single sided
  • Number pages consecutively
  • Minimize number of figures, tables, and
    illustrations
  • Bibliography is not part of page count

18
Structure of Paper
  • Brief presentation of your primary thesis, your
    research problem, three major sections of your
    investigation, and the solution / findings /
    recommendations that you will be making
  • Definition of key terms and concepts. Cite
    references.
  • The research problem, further described. An
    in-depth look at the research problem, which
    describes what it is, with an illustrative
    scenario or example. This is a synthesis and should
    be original work, therefore it may not be
    necessary to cite sources here. If there are
    controversial elements, mention them briefly.
  • History of research on this topic. Explain why
    your research is unique and needed. Give a brief
    chronology of research, and the history of ideas.
    Provenance, antecedents, etc. Cite sources.
  • "Evidence" section. Supporting statistics,
    examples, case studies, citations, supporting
    passages from key texts. Explain why statistics
    you cite are valid. Present counter-arguments /
    opposing viewpoints. Cite carefully.
  • Further case studies or examples. Minimum of
    three supporting your thesis statement, one
    that takes thesis statement in new direction or
    explores subtopics, and one that makes one think
    of new aspects of thesis and research problem.
    Use citations and intersperse your thoughts
    and analysis throughout.
  • Debate points / controversial aspects. Discuss
    issues and present new ways of looking at primary
    thesis, and 3 or 4 primary sub-categories. This
    is your original work. Begin to question
    underlying assumptions that may problematize your
    investigation, and your conclusion, approaches,
    solution.
  • A concluding summary that is more than a
    conclusion. Insights, recommendations, probable
    issues vis-a-vis the future. This can include a
    vision of the future, an illustrative scenario.

Source: Susan Smith Nash, Ph.D., The University
of Oklahoma, Research Paper Roadmap,
http://www.beyondutopia.net/research/

19
Plagiarism
  • Webster University Graduate School Policy
  • Plagiarism: Using the works (i.e. words, images,
    other materials) of another person as one's own
    words without proper citation in any academic
    assignment. This includes submission (in whole or
    in part) of any work purchased or downloaded from
    a Web site or an Internet paper clearinghouse.
  • If you knowingly use sources created by others,
    then it is incumbent upon you to give credit to
    those sources
  • This is not only fair but it is also moral,
    ethical, legal, and an academic requirement
  • Not giving credit is plagiarism, which basically
    means stealing information from someone else
  • If you get caught plagiarizing, you will fail the
    course

20
Sourcing
  • Primary sources are original, uninterpreted
    information
  • Novels, speeches, eyewitness accounts,
    interviews, letters, autobiographies, or the
    results of original research
  • State of the Union Address
  • Secondary sources interpret, analyze or summarize
  • Writings about the primary sources, about an
    author or about somebody's accomplishments
  • Newspaper report on the State of the Union speech

21
Bibliography and Footnotes
  • List all your sources and be thorough
  • Follow the proper citation style
  • Bibliography
  • Sources are listed alphabetically, by author's
    last name
  • Sources without authors are listed alphabetically
    by either the editor's last name or by the
    complete title of the work
  • First line of each bibliographical entry starts
    flush at the left hand margin
  • Second and subsequent lines are indented five
    spaces
  • Titles should be capitalized correctly in each
    entry
  • All entries are single-spaced
  • Footnotes
  • Turabian reference note format requires that the
    basic information about the source in footnotes
    is at the bottom of each page, beneath the text
  • Within the text, above the list of footnotes, the
    place where a reference is introduced is shown by
    an Arabic numeral raised slightly above the line
    of text
  • These reference numbers are placed just after the
    quoted or paraphrased material, and they appear
    in numerical order throughout the text
  • Footnotes for all of the references which appear
    in a page of text must be placed at the bottom of
    the same page, divided from the text by an eight
    spaced line

22
Lecture

23
A Good Definition
  • Critical infrastructures are systems and assets,
    whether physical or virtual, so vital to the
    United States that the incapacity or destruction
    of such systems and assets would have a
    debilitating impact on security, national
    economic security, national public health or
    safety, or any combination of those matters.
    (USA Patriot Act)

24
Executive Order 13010 of July 15, 1996: Critical
Infrastructure Protection
  • Certain national infrastructures are so vital
    that their incapacity or destruction would have a
    debilitating impact on the defense or economic
    security of the United States. These critical
    infrastructures include telecommunications,
    electrical power systems, gas and oil storage and
    transportation, banking and finance,
    transportation, water supply systems, emergency
    services (including medical, police, fire, and
    rescue), and continuity of government. Threats
    to these critical infrastructures fall into two
    categories: physical threats to tangible property
    (physical threats), and threats of
    electronic, radio-frequency, or computer-based
    attacks on the information or communications
    components that control critical infrastructures
    (cyber threats). Because many of these
    critical infrastructures are owned and operated
    by the private sector, it is essential that the
    government and private sector work together to
    develop a strategy for protecting them and
    assuring their continued operation.

25
Executive Order 13010 of July 15, 1996: Critical
Infrastructure Protection
  • Mission
  • The Commission shall
  • (b) identify and consult with: (i) elements of
    the public and private sectors that conduct,
    support, or contribute to infrastructure
    assurance; (ii) owners and operators of the
    critical infrastructures; and (iii) other
    elements of the public and private sectors,
    including the Congress, that have an interest in
    critical infrastructure assurance issues and that
    may have differing perspectives on these issues
  • (c) assess the scope and nature of the
    vulnerabilities of, and threats to, critical
    infrastructures
  • (d) determine what legal and policy issues are
    raised by efforts to protect critical
    infrastructures and assess how these issues
    should be addressed
  • (e) recommend a comprehensive national policy and
    implementation strategy for protecting critical
    infrastructures from physical and cyber threats
    and assuring their continued operation

26
What is the Critical Infrastructure?
  • By infrastructure we mean more than just a
    collection of individual companies engaged in
    related activities; we mean a network of
    independent, mostly privately-owned, manmade
    systems and processes that function
    collaboratively and synergistically to produce
    and distribute a continuous flow of essential
    goods and services. (EO 13010)
  • Critical infrastructure sectors
  • Agriculture and Food
  • Water
  • Public Health
  • Emergency Services
  • Defense Industrial Base
  • Telecommunications
  • Energy
  • Transportation
  • Banking and Finance
  • Chemicals and Hazardous Materials
  • Postal and Shipping

27
What is Out There?
  • Agriculture and Food
  • 1,912,000 farms
  • 87,000 food-processing plants
  • Water
  • 1,800 federal reservoirs
  • 1,600 municipal wastewater facilities
  • Public Health
  • 5,800 registered hospitals
  • Emergency Services
  • 87,000 U.S. localities
  • Defense Industrial Base
  • 250,000 firms in 215 distinct industries
  • Transportation
  • Aviation
  • 5,000 public airports
  • Passenger Rail and Railroads
  • 120,000 miles of major railroads
  • Highways, Trucking, and Busing
  • 590,000 highway bridges
  • Telecommunications
  • 2 billion miles of cable
  • Energy
  • Electricity
  • 2,800 power plants
  • Oil and Natural Gas
  • 300,000 producing sites
  • Banking and Finance
  • 26,600 FDIC insured institutions
  • Chemical Industry and Hazardous Materials
  • 66,000 chemical plants
  • Postal and Shipping
  • 137 million delivery sites
  • Key Assets
  • National Monuments and Icons
  • 5,800 historic buildings
  • Nuclear Power Plants
  • 104 commercial nuclear power plants
  • Dams

Source: The National Strategy for The Physical
Protection of Critical Infrastructures and Key
Assets, Office of Homeland Security, February 2003.
These are approximate figures.

28
Discussion Question
  • Why the seemingly sudden concern about protecting
    our infrastructure in the mid-90s?
  • Did any thing(s) precipitate this increased level
    of concern?

29
Why the Concern?
  • World Trade Center
  • 26 February 1993
  • Six dead; 1,042 injured; nearly $300 million in
    property damage
  • Ramzi Yousef, Abdul Rahman, et al.
  • Sarin Poisoning on Tokyo Subway
  • 20 March 1995 (morning rush hour)
  • 12 dead and over 5,500 were injured in the attack
  • AUM Shinrikyo (a Japanese millenarian cult)
  • Oklahoma City (Murrah Federal Building)
  • 19 April 1995 (after child care drop off)
  • 500 injured and 168 dead
  • Timothy McVeigh, Terry Nichols, others?
  • "Ping of Death"
  • 1996-97
  • Malicious packets sent over the Internet with the
    intention of "crashing" servers
  • Hacker community involved

30
The Nature of Possible Attacks
  • Terrorists' pursuit of their long-term strategic
    objectives includes attacks on critical
    infrastructures and key assets. Terrorists target
    critical infrastructures to achieve three general
    types of effects:
  • Direct infrastructure effects: Cascading
    disruption or arrest of the functions of critical
    infrastructures or key assets through direct
    attacks on a critical node, system, or function.
  • Indirect infrastructure effects: Cascading
    disruption and financial consequences for
    government, society, and economy through public-
    and private-sector reactions to an attack.
  • Exploitation of infrastructure: Exploitation of
    elements of a particular infrastructure to
    disrupt or destroy another target.

Source: The National Strategy for The Physical
Protection of Critical Infrastructures and Key
Assets, Office of Homeland Security, February 2003

31
Physical Threats
  • Truck bomb
  • Oklahoma City
  • Khobar Towers
  • World Trade Center (1993)
  • Small boat bomb
  • USS Cole
  • Airplane
  • World Trade Center (2001)
  • Pentagon

32
Cyber Threats
  • Denial of Service
  • Amazon.com, Buy.com, CNN.com, eBay, E*Trade and
    ZDNet (February 2000)
  • Virus or Worm
  • Melissa (1999)
  • Code Red (2001)
  • Trojan Horse
  • Multiple variants (1999-2005)
  • Spyware
  • Defacement
  • Changed web content

33
Lessons Learned
  • Difficult to distinguish between attack and
    accident
  • WTC (2001)
  • Power outage (2003)
  • Legal/law enforcement/military issues and
    boundaries still undefined
  • Cuckoo's Egg
  • Kosovo
  • Coordination between government (Federal, State,
    and Local) and private sector is key

34
Discussion

35
Discussion Question
  • Can you give some examples of incidents that
    affected the critical infrastructure?

36
List of Incidents
  • Wilson Bridge Jumper
  • 4 Nov 1998
  • Five-hour delay; 20-mile back-up
  • North America Blackout
  • 14 Aug 2003
  • US (Virginia to Maine to Michigan) and Ontario,
    Canada
  • Average duration 18.2 hours; 61,800 MW demand
    affected
  • Hurricane Isabel
  • North Carolina to New York
  • Power, water, transportation affected
  • About $1,000,000,000 damage

37
Discussion Question
  • How do you tell the difference between ordinary
    crime and cyber terrorism?

38
Assignment for Week 2

39
Briefing Assignment
  • Prepare and present a ten minute discussion on
    the threat and vulnerabilities in your chosen
    infrastructure sector
  • Cite sources

40
Additional Readings for Week 2
  • Cyber Attacks During the War on Terrorism: A
    Predictive Analysis
  • Institute for Security Technology Studies
  • http://www.ists.dartmouth.edu/library/analysis/cyber_a1.pdf
  • Cyberterrorism and the Home User
  • Symantec Security Response
  • http://securityresponse.symantec.com/avcenter/reference/cyberterrorism.and.home.user.pdf