Critical infrastructure, interconnected risks, and resiliency. Why - - PowerPoint PPT Presentation

SLIDE 1

Critical infrastructure, interconnected risks, and resiliency.

Why wo(men) should care?

SLIDE 2

A little bit about me ☺

  • Many years later in 2016, I went back to one of my dream schools – Harvard University, and through their continuing education department as an experienced adult who wanted to work on her life’s purpose, decided to get a degree in Economics with Government and International Security specialisation.
  • Here I worked on all the ideas that had been brewing in my head for all these years!!
  • Towards the end of my study in 2020, I founded “Women in Crisis Response” on the core principles of UNSCR 1325 and Human Security, to fulfill my purpose of helping women and girls achieve safety and security in life by helping them break the barriers that hold them back from development, both in career and in personal lives, so that other girls who dream of becoming who they want to become have the support to help them fulfill their potential.

Critical infrastructure, interconnected risks, and resiliency: Why women should care? - By Godha Bapuji

  • I identify as a South-Asian woman from Mumbai, India. I started off in my computer career as a data entry operator for a brief period right out of my vocational college where I got a diploma in Computer Science and Engineering in 1995.
  • Later working as lab programmer, software engineer, analyst, subject matter expert, consultant, etc., slowly progressed through various roles within IT and IS whilst pursuing a Masters in Computer Applications back then.
  • I wanted to become an Aeronautical Engineer, study astrophysics and work for NASA; well but that never happened, as evident! ☺ I became an IT/IS expert instead and consulted on security risks for applications and systems and I really enjoyed my job and work as a cybersecurity subject matter expert – am now just a different type of engineer!!
  • I had to drop out of my master's program due to socioeconomic conditions that made it impossible to work and study or bear the cost of my education anymore, and the educational loan system was not accessible to me at that time.

Me in 2011 ;) Me in 2020 :) Me as a kid!! ;) Life happens and it's tough! :)

SLIDE 3

Presentation layout

  • Critical Infrastructure, Industry 4.0, Cybersecurity – Understanding the terms and interrelationships
  • Understanding interconnected threats and vulnerabilities
  • Cognitive and other socio-structural limitations
  • Building resilience through preparedness and capacity planning
  • Understanding Gaps
  • Addressing barriers to entering and thriving in the industry – Gender perspective
  • Appendix

SLIDE 4

What is Critical Infrastructure?

  • Critical infrastructure comprises essential public services such as hospitals, banking, schools, electricity grids, water treatment plants, etc.

Why talk about this?

  • Traditionally, these public and civil services have existed in our physical world for hundreds of years but are now increasingly being interconnected via the internet and automated. This forms the core of what we now call Industry 4.0.

SLIDE 5

Here’s a very good definition from the UK Centre for Protection of National Infrastructure

  • National Infrastructure are those facilities, systems, sites, information, people, networks and processes, necessary for a country to function and upon which daily life depends.
  • It also includes some functions, sites and organisations which are not critical to the maintenance of essential services, but which need protection due to the potential danger to the public (civil nuclear and chemical sites for example).

https://www.cpni.gov.uk/critical-national-infrastructure-0

SLIDE 6

Industry 4.0

https://pattiengineering.com/blog/faqs-on-iiot/

SLIDE 7

Industrial Control Systems (ICS)

  • Industrial control systems are a set of components, devices, and systems that together control, administer, and manage the critical infrastructure. A typical ICS consists of the following systems:

  • Process Control System (PCS)
  • Distributed Control Systems (DCS)
  • Programmable Logic Controllers (PLC)
  • Supervisory Control and Data Acquisition (SCADA)
  • Safety Instrumented Systems (SIS)
  • Human Machine Interface (HMI)
  • Remote Terminal Unit (RTU)

https://www.msec.be/verboten/seminaries/ICS_archs_and_sec_essentials/ICS_Overview.pdf

SLIDE 8

NIST Guide to Industrial Control Systems (ICS) Security

ICS Security, is it not the same as IT Security?

  • No. ICS security differs from IT security because the attack vectors and the impact surface bleed into civilian lives and threaten many aspects of Human Security as defined by UNHRC.
  • ICS basically works in two main types of scenarios:
  • Process-based industries
  • Discrete-based industries
  • The convergence of Electrical and Mechanical opens new types of vectors previously thought impenetrable.
  • Perceive a pivoted attack in a process-based industry? Too many operational processes that make defense-in-depth difficult if not impossible.
  • Safety matters most, then comes Reliability of processes. The CIA triad comes next.
  • Golden Rule: “MUST NOT HARM PEOPLE”

SLIDE 9

Process vs Discrete based industry

https://www.batchmaster.co.in/blog/difference-between-discrete-and-process-manufacturing/

SLIDE 10

Cybersecurity permeates many aspects of our lives

SLIDE 11

And why should we as civilians care?

  • Internet of Things blurs the line between Electrical and Mechanical
  • What was secure through obscurity is now deemed insecure for the very same reasons
  • Engineering, Operational, Architecture, and Design professionals can no longer detach themselves from matters of security
  • As they embark on designing infrastructure for cities and industrial systems, thinking about safety, security, and privacy becomes essential


And we depend on these services on a daily basis

SLIDE 12

So what?

  • And what are the risks of connecting these devices to the internet after all?

Internet of Things?

  • IoT and IIoT – Do we really need our personal coffee maker, our toaster, our refrigerator, or our TV on the internet?

SLIDE 13

Understanding Risks

Risk, Threat, Vulnerability, Impact, Likelihood

SLIDE 14

Source: http://www3.weforum.org/docs/WEF_Global_Risk_Report_2020.pdf p5

Understanding interconnected risks

SLIDE 15

Is the civilian world ready for the impact from new generation warfare?

Defense and military organisations like NATO have formally recognized Cyberspace* as a new frontier in defense, along with land, air and sea, meaning battles could henceforth be waged on computer networks.

This means that the alliance could use cyber weapons to manage global threats to systems and infrastructure used by NATO allies (North America and European countries).

So what about other countries? Are they prepared?

* Source: https://www.nato.int/cps/en/natohq/topics_78170.htm

SLIDE 16

This Is Not A Map Of Coronavirus Infections – This Is A Computer Virus!

Mirai Botnet Infections Around The World In 2016

Source: https://www.imperva.com/blog/malware-analysis-mirai-ddos-botnet/ and https://www.vice.com/en_us/article/9a3zy8/heres-a-live-map-of-the-mirai-malware-infecting-the-world


CCTV Cameras, DVRs, Routers

SLIDE 17

IFRC Types of Disasters

Geophysical, biological, climatological, meteorological, hydrological

https://www.ifrc.org/en/what-we-do/disaster-management/about-disasters/definition-of-hazard/

Accelerate, increase frequency, complexity, and severity of the disasters

+ + Man-made complex emergencies, famines, wars & conflicts, displaced populations, industrial and other accidents

SLIDE 18

Cyber Vulnerabilities

https://www.us-cert.gov/ics/content/overview-cyber-vulnerabilities

  • Sending commands directly
  • Exporting HMI Screen
  • Changing the database
  • Man-in-the-middle

SLIDE 19

Mobile Phones have their own problems!

https://www.owasp.org/index.php/Mobile_Top_10_2016-Top_10

SLIDE 20
  • Networking protocols have limitations
  • Backward compatibility and forward compatibility are bigger issues
  • Software maintenance brings additional complexity in highly interconnected systems, especially if they are coupled with ICS systems

SLIDE 21

Fact: Humans have cognitive limitations

AI code can also have these biases and limitations built in as a result.

SLIDE 22

Humans are fallible!

SLIDE 23

But we also work under many limitations

SLIDE 24

Preparedness and Capacity Planning

Confidentiality, Integrity, Privacy, Availability, Authentication, Authorisation, Access Control

slide-25
SLIDE 25

Understanding the value of what we want to protect

https://www.us-cert.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf

SLIDE 26

Can I help to protect our ICS?

Of Course! You must join in the workforce for the future!

Skills required to defend our ICS

  • Understanding Network Protocols and how they might differ in Industrial systems
  • Understanding Policies and Safety Regulations in Industrial zones
  • Understanding how Electrical, Electronics and Mechanical devices work together in Industrial systems
  • Understanding Risks, Vulnerabilities, threats, and impact on communities due to an industrial system failure
  • Understanding defenses, Business Continuity and Resilience Needs of each system
  • Understanding Cultures and Geopolitics of the world

SLIDE 27

Learn the relevant Cloud services

https://aws.amazon.com/iot/solutions/industrial-iot/

SLIDE 28
  • Learn MITRE’s threat modeling: a good intro is here: https://digitalguardian.com/blog/what-mitre-attck-framework
  • Learn about Kill Chains – there are various – start here: https://www.varonis.com/blog/mitre-attck-framework-complete-guide/ and here: https://medium.com/datadriveninvestor/att-ck-model-c40a113aab4

SLIDE 29

International Relations & International Security

  • Take courses in International Relations
  • Study how various nations perceive cybersecurity
  • Take courses in International Security
  • Study what international laws apply to the field of cyber security
  • A good place to start would be the NATO website
  • The Tallinn 2.0 manual is a great resource to understand cyber laws and other international laws that apply in a cyberspace conflict

SLIDE 30

A Learning Map

  • Understanding Key Terms
  • Establishing Priorities
  • Understanding Threat Landscape
  • Risk Preferences and Decision-making
  • Continuous Improvement
  • The People Factor
  • Communicating
  • The Technology Factor
  • Learning
  • Applying Theory to Practice
  • Recording Lessons from the field
  • Taking practice back into classroom

SLIDE 31

Understanding Gaps

SLIDE 32

How do Cybersecurity Gaps lead to Security issues?

  • Digital technologies increasingly feature in asymmetric warfare, enabling attacks by smaller countries and non-state actors on larger states – Global Risks Report 2020, World Economic Forum*
  • War zones no longer limited to a distinct geographic area
  • So what? Think interconnected risks…

* Source: http://www3.weforum.org/docs/WEF_Global_Risk_Report_2020.pdf p5
** https://ihl-databases.icrc.org/ihl/385ec082b509e76c41256739003e636d/6756482d86146898c125641e004aa3c5

SLIDE 33

The 2019 ISC2 Cybersecurity Workforce Report shows there aren’t enough people to monitor, prevent, deter, and defend in cyberspace

And attacks are growing…

See Cybersecurity Workforce Gap on p7, 8 https://www.isc2.org/-/media/ISC2/Research/2019-Cybersecurity-Workforce-Study/ISC2-Cybersecurity-Workforce-Study-2019.ashx?la=en&hash=D087F6468B4991E0BEFFC017BC1ADF59CD5A2EF7

SLIDE 34

Global Cybersecurity Ranking 2018

https://www.itu.int/dms_pub/itu-d/opb/str/D-STR-GCI.01-2018-PDF-E.pdf

SLIDE 35

Potential Labour Force: Women vs. Men

  • Female potential labour force is greater across all income groups compared to men despite barriers to entry and work; there are more qualified or underutilized women in the workforce.
  • We must match potential to the workforce gap, particularly in Technology and Cybersecurity

See World Employment and Social Outlook Trends 2020 Report by International Labour Organisation https://www.ilo.org/wcmsp5/groups/public/---dgreports/---dcomm/---publ/documents/publication/wcms_734455.pdf p30

SLIDE 36

But there are barriers

SLIDE 37

Women in STEM?

  • Without Women in STEM we will not be able to close the highly skilled workforce gaps today and in the future.
  • Without Women in STEM we will not be able to mentor women for future Cybersecurity-based positions.

See https://www.weforum.org/agenda/2018/02/does-gender-equality-result-in-fewer-female-stem-grads

SLIDE 38

The Cybersecurity Workforce Current State… improving… but very slowly

Source: https://cybersecurityventures.com/women-in-cybersecurity/

SLIDE 39

Male vs female cybersecurity workforce composition

2017 Global Information Security Workforce Study: Women in Cybersecurity see pages 7 and 13

SLIDE 40
  • Only 2 of the 8 groups show a greater women-to-men ratio – People and Culture and Content Production.

See World Economic Forum Gender Gap Report 2020 p37: http://www3.weforum.org/docs/WEF_GGGR_2020.pdf

SLIDE 41

Disproportional sharing of roles

  • Many job roles can be shared more evenly with women but are not!
  • With more cyber security positions filled by women, we can backfill the cybersecurity workforce gap

But there are challenges such as discrimination…

see pages 7 and 13

SLIDE 42

The Cybersecurity Workforce Gender Issues: Forms of discrimination

2017 Global Information Security Workforce Study: Women in Cybersecurity see pages 7 and 13

SLIDE 43

  • Women can help tackle this growing challenge of attacks on our societies.
  • The women's workforce today is either underutilized or unemployed due to many socio-cultural barriers.
  • Growing attacks and comparatively fewer defenses is under-preparation and is a threat to national and international security.

SLIDE 44

Appendix

SLIDE 45

Five terms to know well

https://electrical-engineering-portal.com/scada-dcs-plc-rtu-smart-instrument

  • SCADA
  • Distributed control system (DCS)
  • Programmable logic controller (PLC)

  • Remote terminal unit (RTU) and
  • Smart instrument

SLIDE 46

SCADA (Supervisory Control and Data Acquisition)

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf

These systems are used in distribution systems such as water distribution and wastewater collection systems, oil and natural gas pipelines, electrical utility transmission and distribution systems, and rail and other public transportation systems. SCADA systems integrate data acquisition systems with data transmission systems and HMI software to provide a centralized monitoring and control system for numerous process inputs and outputs.

SCADA systems are designed to collect field information, transfer it to a central computer facility, and display the information to the operator graphically or textually, thereby allowing the operator to monitor or control an entire system from a central location in near real time. Based on the sophistication and setup of the individual system, control of any individual system, operation, or task can be automatic, or it can be performed by operator commands.

SLIDE 47

Distributed Control Systems (DCS)

  • DCS are used to control production systems within the same geographic location for industries such as oil refineries, water and wastewater treatment, electric power generation plants, chemical manufacturing plants, automotive production, and pharmaceutical processing facilities.
  • Typical control devices include a Programmable Logic Controller, a process controller, a loop controller, and a machine controller.

Stouffer, Keith & Falco, Joseph & Kent, Karen. (2006). Guide to Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems Security.

SLIDE 48

A great intro deck

https://www.msec.be/verboten/seminaries/ICS_archs_and_sec_essentials/ICS_Overview.pdf

SLIDE 49

  • Cyber-Physical: NIST defines this as: “Cyber-Physical Systems (CPS) comprise interacting digital, analog, physical, and human components engineered for function through integrated physics and logic.” See NIST Special Publication 1500-201 for more details on CPS.*
  • Internet of Things: Cloud-enabled electromechanical components can now beam continuous data not just about their status and wellbeing but also about the various parameters of inputs and output data.

* https://www.nist.gov/el/cyber-physical-systems

What is the 4th Industrial Revolution and how does it matter?

SLIDE 50

Measuring Risk

https://www.carmelowalsh.com/wp-content/uploads/2014/03/Irisk_full_web.png

SLIDE 51

Some well-known cyber attacks on industrial systems

https://www.techrepublic.com/article/infographic-charts-history-and-potential-risks-of-the-industrial-internet-of-things/

SLIDE 52
  • Robotics extend beyond traditional tasks of assembling and disassembling parts to more nuanced cognitive functions with computing approaches such as Machine Learning and Artificial Intelligence
  • Automation will replace certain types of roles, refine many processes, and reduce inefficiency, thereby leading to better outcomes for owners of capital
  • Connected electromechanical components will drive businesses forward by collecting and relaying descriptive, diagnostic, and predictive analytics in real-time
  • Opportunities to interact in real-time and keeping pace with the changing market demands now become less costly due to this interconnectedness.

Understanding how a modern connected world changes the future of industries

SLIDE 53
  • Manufacturers, Corporations, and institutions that produce goods will now find themselves interconnected to the vast network within their own organizations and beyond, with other suppliers, vendors, and manufacturers
  • Impact from lack of raw materials or inputs into next stages of production is minimized due to efficient continuous data sharing through predictive analytics
  • The need to interconnect brings new players into the field of vendors and suppliers of components and services, e.g., new types of software programs will be required to ensure advanced robots can communicate to an industrial sensor or manage an actuator
  • New IT software and hardware leads to several known and unknown vulnerabilities surfacing in previously physically safe industrial processes

Understanding how a modern connected world changes the future of industries

SLIDE 54
  • Given the tight coupling with computing and networking systems, it also suffers from susceptibility to several new and radical forms of threats not previously anticipated when these systems were initially invented between the 18th and 20th centuries.
  • These threats are applicable to various components within the entire environment and the impact of an industrial system breaking down could potentially threaten civilian lives in a widespread disaster – for example breakdown of an actuator at a wastewater treatment plant could pollute an entire ecosystem of water bodies in an area
  • It is therefore crucial to conduct a thorough risk analysis of the environment in question so that appropriate resilience systems could be built in

Industry 4.0 Threats and Opportunities

SLIDE 55

Smart Grid Threat Landscape

https://www.enisa.europa.eu/publications/smart-grid-threat-landscape-and-good-practice-guide
