Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Interdisciplinary Consortium
for Improving Critical
Infrastructure Cybersecurity
(IC)
3
(IC)3 Mission
Research & Development of Strategies, Models,
and Tools that will enable critical infrastructure
organizations to more effectively address their
Cybersecurity needs
by applying interdisciplinary approaches to
common problems that affect all Critical
Infrastructure Sectors, and
building on, and aligning for multi-nationals, existing
government, and industry initiatives including:
White House / NIST Framework for Improving Critical
Infrastructure Cybersecurity
ISA/IEC-62443, ISO 27001/2, NIST SP 800, and other
guidelines/standards
NERC-CIP, HIPAA, Gramm-Leach-Bliley
Act, Homeland
DRAFT, Copyright (IC)3, 2014
Security Act and other government regulations
Technolo
gy
Resourc
es for
Security
Financial
Resourc
es for
Security
Confidentiality
Business
Strategy
for
Security
Security
Policy &
Procedure
s
Security
Culture
Example:
Mapping the NIST Cybersecurity
Framework to the MIT House of
Security
Confidentiality
Availability
Integrity
The Cybersecurity
Framework Core:
Identify
Protect
Detect
Recover
Restore
Risk Management
Lens
The traditional
Cyber security
Triangle:
Interdisciplinary Approach
(IC)3 will apply expertise from multiple disciplines in its
research on Cybersecurity issues of Critical
Infrastructure.
Faculty from MIT Sloan School of Management, MIT
School of Engineering, and MIT School of Humanities
(Political Science)
(IC)3 will address complex Cybersecurity issues using
techniques such as:
Multi-dimensional data aggregation & quality
System Dynamics, Modeling and Simulation
Internet, Network, and Communication Architecture
Applying Accident and Safety Theory to Cybersecurity
Cross border and international policy & implications
Control point analysis
Risk analysis and liability modeling
People and process modeling:
Copyright
(IC) , 2014
Users and operators DRAFT,
as well
as Cyber
criminals
3
10
(IC)3
TM
11
Applicable Past
Research
MIT House of Security: MIT has developed techniques to
measure perceptions of security in an organization
Accident and Safety research: MIT can extend its
research on accident prevention to preventing cyber events.
Control Points: MIT has studied best choke points to
interrupt a criminal enterprise.
Improving CERTs: MIT has studied and suggested ways to
improve and better coordinate the CERTs.
Bug Bounty: MIT has studied crowd source methods of bug
detection, such as bug bounty programs.
Tipping Point Analysis: MIT has used System Dynamics to
understand what will make complex systems unstable.
Simulation of Systems: MIT has a rich history in simulation
of complex systems under a wide variety of circumstances.
DRAFT, Copyright (IC)3, 2014
12
13
14
Improving CERTs
Improve CERTs (Computer Emergency
Response Teams).
MIT has talked with and studied the CERTs
around the world both national and
regional CERTs and corporate CERTs.
(CERTs are the FEMAs for computer catastrophes.)
The activities, business models, and datasharing activities are diverse and of varying
quality.
MIT (IC)3 can suggest ways to improve and
better coordinate
the CERTS and the clients15
DRAFT, Copyright (IC) , 2014
3
Vulnerability
Detection
Improving Vulnerability Discovery and
Detection:
MIT has studied crowd source methods of bug
detection, such as bug bounty programs.
Using techniques such as System Dynamics
modeling
16
Cyber-Hardening
& Patch Management
Patch distribution and management is
complex in general and even more so for
critical infrastructure situations
Computer components are embedded within
machinery (which cannot be easily shut down)
and involve multiple manufacturers
e.g., the equipment/system may be made by
Siemens, but controlled by computers running
Windows software.
Tipping Point
Analysis
MIT has used System Dynamics models and
simulations to analyze the stability of
countries by understanding the capacity of the
system to withstand disruptions and the range
of loads that could be applied to the system.
This can be applied to complex critical
infrastructure cyber systems (eg: smart grid,
refinery, emergency services, telecom,
financial systems, etc.) to determine the
tipping points that would render such a
system unstable.
Monitoring and Alerts measuring how close
DRAFT, Copyright (IC) , 2014
18
an organization, or interconnected
3
Multivariate
Simulation
Simulation of system performance and
resilience under different conditions.
We can model systems under various
circumstances, such as when one or more
subsystems have failed or are under attack.
We can assess how the systems mission is
affected by multiple simultaneous attacks.
Such simulations can be used to create
strategies and plans to mitigate the effects.
DRAFT, Copyright (IC)3, 2014
19
Metrics
Organizations today have no effective way
of measuring the quality of their Cyber
Security efforts.
21
(IC)3
TM
22
Operation of (IC)3
The day-to-day operation of (IC)3 is managed by the
Director of (IC)3 with the support of the (IC)3 Associate
Director.
The (IC)3 Advisory Board, in consultation with the Director
of (IC)3, will determine the research focus areas for each
year.
The (IC)3 faculty working with full-time MIT research staff
and graduate students, often in cooperation with Sponsor
organizations, will conduct the research.
(IC)3 will organize and conduct two research topic-specific
workshops each year.
(IC)3 will organize and conduct its Annual Conference,
covering the wide range of its research topics, each year.
DRAFT, Copyright (IC)3, 2014
24
Types of Sponsors
and Benefits *
Patrons: $450,000 per year commitment for 3 years (can be 1 year for
first year) Includes all items below plus:
Partners: $120,00 per year commitment for 3 years (can be 1 year for
first year) Includes all items below plus:
25