
DRAFT PROSPECTUS V12.5
For discussion purposes only
(IC)3 TM
DRAFT, Copyright (IC)3, 2014

Interdisciplinary Consortium for Improving Critical Infrastructure Cybersecurity (IC)3

Filling a Critical Need for Critical Infrastructure

Security of conventional information systems is recognized as important, but still not fully effective (e.g., Target, Heartbleed, etc.)
Security of our Cyber-Physical Infrastructure (e.g., computer-controlled utilities, oil & gas sites, chemical, water, financial services, telecom, infrastructure, etc.) is even more important, but much less research has been done.
Critical needs for Critical Infrastructure:
(1) Justify top management attention & adoption

Who is this important to? (Just about Everyone!)

White House Executive Order (2014): "cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront ..."
SEC Commissioner Luis A. Aguilar warned that "boards that choose to ignore, or minimize the importance of cybersecurity oversight responsibility, do so at their own peril"
U.S. Secretary of Energy Ernest Moniz: "... From producing wells to tank batteries to pipelines, computer networks are playing an increasingly important role in the operations of the nation's oil and gas industry ... cyber threats continue to increase in frequency and sophistication"

(IC)3 Mission

Research & Development of Strategies, Models, and Tools that will enable critical infrastructure organizations to more effectively address their Cybersecurity needs
by applying interdisciplinary approaches to common problems that affect all Critical Infrastructure Sectors, and
building on, and aligning for multi-nationals, existing government and industry initiatives including:
White House / NIST Framework for Improving Critical Infrastructure Cybersecurity
ISA/IEC-62443, ISO 27001/2, NIST SP 800, and other guidelines/standards
NERC-CIP, HIPAA, Gramm-Leach-Bliley Act, Homeland Security Act and other government regulations

Initial Research Project Areas

1. Determining the Barriers to, and Incentives for, adoption of the Cybersecurity Framework.
2. Developing strategies to increase adoption by the C-Suite, in each Critical Infrastructure sector.
3. Models linking Cyber-Risk to: delivering goods and services, & financial & reputational costs.
4. Atomic Models & Network Architectures for interconnected Control Systems survivability, and Supply Chain resiliency.
5. Determining the Barriers to, and strategies for, creating a Cybersecurity Culture.

MIT House of Security
A Fundamental Model for Measuring Cybersecurity Effectiveness

[Diagram: the House of Security, with eight elements: Integrity, Accessibility, Confidentiality, Technology Resources for Security, Financial Resources for Security, Business Strategy for Security, Security Policy & Procedures, Security Culture.]

The House of Security has been shown to be able to provide measurements of perceptions, awareness, profile, tier, maturity, and gaps in Cybersecurity.
It will be further developed to provide economic measurements of cyber-risk and the value of

Example Results from Prior Research Proof of Concept

Using survey questions we assessed both perception of the current state of security in the organization and the desired state.
The delta is the measurable gap between desired and actual.

[Figure: Current State Assessments; Gap Analysis by Three Companies: Big Differences]

Example: Mapping the NIST Cybersecurity Framework to the MIT House of Security

[Diagram, read through a Risk Management Lens:]
The traditional Cyber security Triangle: Confidentiality, Availability, Integrity
The Cybersecurity Framework Core: Identify, Protect, Detect, Respond, Recover
The MIT House of Security mapping: Confidentiality, Accessibility, Integrity, Technology Resources, Financial Resources, Business Strategy, Policy & Procedure, Security Culture

Proposed Initial Interdisciplinary MIT Team Members

Stuart Madnick, Professor of Information Technologies, MIT Sloan School of Management & Professor of Engineering Systems, MIT School of Engineering
Nazli Choucri, Professor of Political Science, MIT School of Humanities and Social Sciences
David Clark, Senior Research Scientist in Computer Science and Artificial Intelligence Laboratory (CSAIL)
Michael Coden, Research Affiliate (former member of White House cyber study)
Jerrold Grochow, Research Affiliate (former MIT CIO and member of MITei cyber study)
Nancy Leveson, Professor of Aeronautics and Engineering Systems, MIT School of Engineering
Andrew Lo, Professor of Financial Engineering, MIT Sloan School of Management
Allen Moulton, Research Scientist, MIT School of Engineering
Michael Siegel, Principal Research Scientist, MIT Sloan School of Management

Interdisciplinary Approach

(IC)3 will apply expertise from multiple disciplines in its research on Cybersecurity issues of Critical Infrastructure.
Faculty from MIT Sloan School of Management, MIT School of Engineering, and MIT School of Humanities (Political Science)
(IC)3 will address complex Cybersecurity issues using techniques such as:
Multi-dimensional data aggregation & quality
System Dynamics, Modeling and Simulation
Internet, Network, and Communication Architecture
Applying Accident and Safety Theory to Cybersecurity
Cross border and international policy & implications
Control point analysis
Risk analysis and liability modeling
People and process modeling: Users and operators as well as Cyber criminals

(IC)3 TM
Applying Past and On-going MIT Research to Improving Cybersecurity of Critical Infrastructure

Applicable Past Research

MIT House of Security: MIT has developed techniques to measure perceptions of security in an organization
Accident and Safety research: MIT can extend its research on accident prevention to preventing cyber events.
Control Points: MIT has studied best choke points to interrupt a criminal enterprise.
Improving CERTs: MIT has studied and suggested ways to improve and better coordinate the CERTs.
Bug Bounty: MIT has studied crowd-source methods of bug detection, such as bug bounty programs.
Tipping Point Analysis: MIT has used System Dynamics to understand what will make complex systems unstable.
Simulation of Systems: MIT has a rich history in simulation of complex systems under a wide variety of circumstances.

Use Accident Research on Cyber Incidents

Apply accident and safety research to cyber security failures.
MIT has researched accidents and how to prevent them (including studying NASA problems) for many years.
We are now treating a cyber incident/event as a type of accident and using prior research to identify, understand, and mitigate possible cyber-hazards.
Examples, such as TJX and Stuxnet, have been analyzed.

Control Points Analysis to Disrupt Cybercrime Ecosystem

Analyze complex cybercrime ecosystem.
We are taking a control points approach to determine the best choke-point to interrupt the overall cyber-criminal enterprise (somewhat like "follow the money").
Sometimes that choke point is the Internet service providers, sometimes it is the credit card companies, sometimes it is the banks.
We will also study markets for malware and ways to disrupt and discredit those markets.

Improving CERTs

Improve CERTs (Computer Emergency Response Teams).
MIT has talked with and studied the CERTs around the world: both national and regional CERTs and corporate CERTs.
(CERTs are the FEMAs for computer catastrophes.)
The activities, business models, and data-sharing activities are diverse and of varying quality.
MIT (IC)3 can suggest ways to improve and better coordinate the CERTs and the clients.

Vulnerability Detection

Improving Vulnerability Discovery and Detection:
MIT has studied crowd-source methods of bug detection, such as bug bounty programs.
Using techniques such as System Dynamics modeling, MIT (IC)3 can determine which types of vulnerability discovery and detection techniques provide the results with the greatest value, including bug bounty, open source, and other approaches.

Cyber-Hardening & Patch Management

Patch distribution and management is complex in general and even more so for critical infrastructure situations.
Computer components are embedded within machinery (which cannot be easily shut down) and involve multiple manufacturers, e.g., the equipment/system may be made by Siemens, but controlled by computers running Windows software.
MIT has developed models to explore differing strategies and incentive systems to make patch distribution and management more effective.

Tipping Point Analysis

MIT has used System Dynamics models and simulations to analyze the stability of countries by understanding the capacity of the system to withstand disruptions and the range of loads that could be applied to the system.
This can be applied to complex critical infrastructure cyber systems (e.g., smart grid, refinery, emergency services, telecom, financial systems, etc.) to determine the tipping points that would render such a system unstable.
Monitoring and Alerts measuring how close an organization, or interconnected

Multivariate Simulation

Simulation of system performance and resilience under different conditions.
We can model systems under various circumstances, such as when one or more subsystems have failed or are under attack.
We can assess how the system's mission is affected by multiple simultaneous attacks.
Such simulations can be used to create strategies and plans to mitigate the effects.

Metrics

Organizations today have no effective way of measuring the quality of their Cyber Security efforts.
The old adage "if you can't measure it, you can't manage it" applies to Cybersecurity.
MIT (IC)3 can develop metrics which organizations can use to Quantify and Qualify their Cyber Security capabilities, and the organization's ability to withstand cyber attacks and carry out its mission.
A measurable Cybersecurity Maturity Model for describing the Quality of the Cybersecurity at an organization and the ROI of the Cybersecurity.

Holistic Cyber-Risk Model

Holistic Risk Analysis Model is needed to address:
Multi-vendor environment
Multi-purpose use of equipment/systems
Multi-national & multi-cultural considerations
Cross-sector validity and usability
Multi-level system dependencies and vulnerabilities
People, process and accident/safety considerations
Allowing simulation, including all of the above factors, of taking different actions to predict what the benefits and costs will be.

(IC)3 TM
Patrons, Partners, and Members

Why Join (IC)3?

Existing organizations are trying to address today's threat and how to stop attacks in progress, but:
The CSO/CISO is too busy bailing water to plug the holes in the boat.
(IC)3 is focusing MIT's uniquely qualified interdisciplinary researchers on the fundamental principles of cyber space, cyber crime, & cybersecurity applied to Critical Infrastructure:
Enabling the CSO/CISO to plug the holes in the boat
Giving CSO/CISOs tools to strategically develop measurable, cost-effective Cybersecurity strategies getting

Operation of (IC)3

The day-to-day operation of (IC)3 is managed by the Director of (IC)3 with the support of the (IC)3 Associate Director.
The (IC)3 Advisory Board, in consultation with the Director of (IC)3, will determine the research focus areas for each year.
The (IC)3 faculty working with full-time MIT research staff and graduate students, often in cooperation with Sponsor organizations, will conduct the research.
(IC)3 will organize and conduct two research topic-specific workshops each year.
(IC)3 will organize and conduct its Annual Conference, covering the wide range of its research topics, each year.

Types of Sponsors and Benefits *

Patrons: $450,000 per year commitment for 3 years (can be 1 year for first year). Includes all items below plus:
Ability to suggest research projects and refinements, be considered for inclusion
A dedicated faculty contact, with monthly consultations
One on-site faculty presentation to the organization's governing board

Partners: $120,000 per year commitment for 3 years (can be 1 year for first year). Includes all items below plus:
Ability to suggest research areas
Ability to re-distribute select research content to existing clients and customers [1]
Ability to contact designated faculty via telephone

Members: $35,000 if three year commitment or $45,000 if one year commitment
Send 2 people to annual conference and 2 workshops per year
Access to research in the MIT-(IC)3 research database [1]

* Details on additional benefits contained in the Sponsorship Agreement
[1] Subject to 3rd party rights and bearing appropriate legends
