Вы находитесь на странице: 1из 8

Risk Management for Critical Infrastructure Protection (CIP)

Challenges, Best Practices & Tools

Eyal Adar Andreas Wuchner

Founder and CEO – iTcon Global IT Security Officer – Novartis
Eyal@itcon-ltd.com Andreas.Wuchner@novartis.com

Abstract elements has made RM an extremely important subject

for organizations. IT infrastructure has become
Risk Management (RM) has become increasingly
increasingly complex and vulnerable, and exposure to
important in dealing with Information and IT security
internal or external security incidents, whether they
over the past several years.
may have been intentional or unintentional, cannot be
This article aims at discussing the major accepted by any organization. Security measures,
challenges facing Critical Infrastructure Protection therefore, need to derive from focused and efficient
(CIP) RM, and outlines several methods and best implementation of RM.
practice guidelines that can be used to cope with it,
Resultantly, the risk management process has
become a major force, driving: creation of information
• Creating a RM framework and RM security strategies, build of security road maps,
measurement criteria prioritization of activities, and selection of safeguards.
• Usage of advanced Risk Analysis (RA) This approach is significantly strengthened by the
methods, and adoption of CIP models that can be used need to integrate new regulatory standards, such as
for RA Sarbanes Oxley and Basel II, which focuses on
• Development and implementation of RM tools reducing business, operational, and IT risks, and in
Use of RM tools can play a major role in this process, treating RM as an enterprise-wide process, rather than
as it can raise the efficiency of RM activities, and as a single isolated activity.
decrease reliance on any individual RA specialist’s RM also assists in overcoming one of the main
knowledge. The contribution of such tools is even limitations of Information Security: The ability to
greater, when dealing with Critical Infrastructures; as justify Return On Investment (ROI) through financial
it is very difficult for a single specialist to cope with profit. The concept of identifying and reducing risks,
the diversity and complexity of CIP Risk Assessment. i.e. preventing potential losses, is the closest we can
come to indirectly substituting the ROI model.
Therefore, the scope of security RM has been
1. Introduction broadened. RM can be viewed through different lenses
and levels within the organization. At the enterprise
level, departmental level, infrastructure levels and
Over the past few years, Risk Management (RM) even by evaluating RM at the level of a single IT
has become increasingly important in dealing with component.
Information and IT security. Additionally, RA is often performed by evaluators
The growing number of IT security threats, who come from different disciplines. This includes:
malicious intentions, and attack capabilities of hostile

Proceedings of the 2005 First IEEE International Workshop on Critical Infrastructure Protection (IWCIP’05)
0-7695-2426-5/05 $20.00 © 2005 IEEE
Information Security, IT Security, Internal Audit, 2. CIP: Risk Management Challenges
Privacy, External Regulations, and so forth.
The limitations inherent in RM as it is currently
being practiced, derive to a large extent from the fact,
that despite the growing need for a solution and
2.1 The Nature of CIP
increasing complexity of the processes involved,
usually, RM activities are still performed in a Critical Infrastructure Protection is a new field,
decentralized manner. Different RM activities within posing a complex set of requirements upon security
large enterprises, are often un-coordinated and only assessment. To protect critical infrastructures, a
partially congruent, and decision processes are comprehensive approach is needed.
predominantly influenced by local knowledge and the The success of RA to a large part depends on
"gut feeling" of the specialist on hand. This "pen and considering the unique aspects of each infrastructure.
paper" effort might sometimes result in the creation of Manufacturing electricity is unlike supplying
a document that its findings may remain unattended, communication, or e-Government services. The key
as often there is no process in place to assure the processes involved in each Critical Infrastructure
completion of all the risk mitigation activities. needs to be studied and their unique vulnerabilities
These limitations become even more critical when identified.
dealing with CIP RM. Here the level of complexity is This approach is very different from most of the
significantly greater and there is a need to deliver a analysis methodologies used today, which focus
comprehensive RM approach that takes into account mainly on Information and IT security. Here they are
all the different Critical Infrastructure aspects, and not by contrast regarded as closed environments detached
just the information layer. from their surroundings.
In this article we discuss the major challenges
facing CIP RM, and we outline several best practice
methods of coping with it. This includes:
2.2 Growth in Organizational Complexity
• Creating an RM framework and establishing
suitable RM measurement criteria
The complexity of organizational structures and
• Usage of advanced Risk Assessment (RA)
information systems within multi-national enterprises
methods, including adoption of appropriate CIP
has progressively been increasing over time.
models that can be used for RA
Key business processes may take place in
• Development and implementation of RM
different countries, and may use very different systems
and technologies. Each component involved in the
Use of RM tools can play a major role in this process may be capable of influencing the entire
process, as it can raise the efficiency of RM activities, process. Risk Management in a distributed
and decrease reliance on any individual RA organization, however, must focus on the entire
specialist’s knowledge. The contribution of such tools sequence of business activities, as well as on every
is even greater, when dealing with Critical individual component along the process chain.
Infrastructures, and could even be critical for
As a result, the RM specialist must be intimately
successful Risk Management. As, it is very unlikely
familiar with numerous environments, systems and
that a single specialist will be able to cope with the
technologies, in order to perform his task well. He
diversity and complexity of information required to
needs to be able to think flexibly and must possess the
properly conduct CIP risk assessment.
ability to correlate findings from diverse knowledge

2.3 Dynamic Aspects of Risk

A risk can be defined as any event that may result

in a missed business objective. In today’s economy,

Proceedings of the 2005 First IEEE International Workshop on Critical Infrastructure Protection (IWCIP’05)
0-7695-2426-5/05 $20.00 © 2005 IEEE
one’s only guarantee is ‘guaranteed business change’. complexity within environments requiring protection,
With this principle in mind, it becomes self evident and the number of increasing threats being posed,
that RM cannot be static. Properly managed RM is an there hasn't been a comparable increase in information
ongoing activity that facilitates and allows the security budgets.
business process owner to control and manage his Information security needs to be more efficient,
exposures. but not at the expense of reduced protection levels. It
Every existing risk cannot be prevented. needs to provide an optimal and cost-effective security
However, prior knowledge will allow the owner of the solution through appropriate use of RM.
business process to make informed decisions. With
preventive measures in place the owner may be able to
avoid or reduce exposure to existing risks. It may even
be possible to transfer the risk burden to an insurance 2.6 Human Factors
company. Some potential risks may just not be critical
enough, while others may just be too expensive to The major RM challenges facing organizations
cover, when they are put against the impact of the described earlier, combined with the fact that at
possible losses involved. present RM processes to a large extent depend on the
experience of the individual RM specialist, leads to the
conclusion that there is a need for highly skilled
2.4 Need for Compliance specialists meeting industry benchmarks and objective
criteria, to perform this task. Those individuals must
have a broad understanding of a diverse range of
Organizations use various types of media (such subjects (e.g., information security, security standards
as: computers, computer networks, tapes, disks, paper, and government regulations, organizational processes,
etc.), to store their information. This information can systems’ architecture, plus other technologies), in
be divulged via fax, mail or even simply verbally. RM order to carry out a thorough RA.
with regard to information is a very old discipline, and
most organizations are well aware of the processes The main problem is that specialists in a field
needed to maintain their CIA (Confidentiality, such as this are either very costly to hire, or extremely
Integrity and Availability) classification. difficult to find. Resultantly, performing a
Compliance with existing regulations is a key comprehensive RA is a serious financial burden even
requirement in organizations supervised by for medium to large sized organizations.
governmental agencies, such as the FDA (Food and Furthermore, it is highly risky for organizations,
Drug Administration). Following the Enron and MCI that sensitive RA processes, are to a large extent
cases, government agencies are continuously issuing dependent on the personal judgment, knowledge, and
new laws and directives (e.g., Sarbanes Oxley) that gut feeling of the individual specialist. Therefore,
additional industries must comply with. In the past, there is a need to offset subjective evaluations by
CIA was the basis of business impact analysis, with an standardizing some of the more complex decision
emphasis on confidentiality. New laws and making processes.
regulations, however, added a fourth dimension,
Compliance. The serious implication that may result
from non-compliance, including imposition of heavy
penalties, poses a heavy potential burden on 3. Adopting Best Practices to Defeat
organizations. Chaos

2.5 Efficiency and Cost Effectiveness 3.1 Framework and Measurements

The main challenge facing the information Building a global RM framework, and efficiently
security arena is how to achieve more for less. Many measuring its accomplishments, is one of the key
organizations view information security simply as ingredients in successful RM.
"extensive expenditure", rather than as a business The framework should centralize all RM activities
enabler. Consequently, despite increasing levels of within the organization. This centralized approach is

Proceedings of the 2005 First IEEE International Workshop on Critical Infrastructure Protection (IWCIP’05)
0-7695-2426-5/05 $20.00 © 2005 IEEE
important for achieving gapless risk coverage, and for The RM framework should cover all the RM
preventing an overlap of activities. Central lifecycle phases, and clearly define responsibilities for
coordination and prioritization of RA objectives, will each phase. A vague definition of responsibilities is
lead towards cost effectiveness and efficiency. likely to result in a vicious cycle, whereby a document
For example, creating a central RM know-how waits on the shelf, and the next document joins it, a
center will also significantly assist RM specialists in few months later.
their work.

Figure 1. An Example Depicting Typical RM Lifecycle

3.2 Advanced RA Methods

Success of the framework will largely depend on
measurement criteria being used, and its effectiveness
in measuring the contribution of the framework to the RA methods designed for complex organization
organization. and systems must be integrated within the RM
Primary objectives of measurement criteria are: frameworks of large Critical Infrastructures.
• Clearly defining business driven objectives Since the RA field is not yet fully standardized,
and different RA methods cover different RA aspects,
• Creating a roadmap and activity plans
it is important to pre-select the RA method that is
• Integrating management expectations suitable for the specific needs of the organization.
• Assimilating RM activities within the Following are some examples of several leading
organization RA methods:
• Risk identification and mitigation • Common Criteria for Information
• Compliance with regulations and standards Technology Security Evaluation (CC 2.1)1: This
method is based on the International Standard
• Reporting and escalating process
ISO/IEC 15408:1999. It is meant to be used for
• Periodic "current status" evaluations security evaluation of IT products and systems. The
• Means of analysis of efficiency and cost- CC is useful for development of products and for

Proceedings of the 2005 First IEEE International Workshop on Critical Infrastructure Protection (IWCIP’05)
0-7695-2426-5/05 $20.00 © 2005 IEEE
procurement of commercial products and systems. The dimensional vector of an incident’s impact. These
CC addresses neither the evaluation methodology nor models are described in the paper entitled “Summary
the administrative and legal framework, however, it of the Cross Connections Between WP6
could be used for such evaluation purposes. Deliverables”, published in the ACIP project, by Mr.
• Operationally Critical Threat, Asset, and Walter Scmitz, IABG,5 which dealt with the creation
Vulnerability Evaluation (OCTAVE®)2: The of the European roadmap for CIP analysis and
Octave approach is a systematic way for an assessment research.
organization to address its information security risks,
sorting through the complex web of organizational and
technological issues. The OCTAVE approach includes 3.4 Critical Infrastructure Layers
a set of criteria that defines the requirements for a
comprehensive, self-directed information security risk
evaluation, and a set of methods consistent with the Understanding the various risks associated with
criteria. Octave was developed by Software Critical Infrastructures requires an understanding of
Engineering Institute at Carnegie Mellon University. the four basic infrastructure layers. This includes:

• Consultative, Objective and Bi-functional • Business/Strategic Layer: This involves

Risk Analysis (COBRA)3: The COBRA approach central business processes and the implications of their
consists of a range of risk analysis, consultative and protection.
security review tools. These were developed largely in • Organizational Layer: The organization, its
recognition of the changing nature of IT and security, structure, procedures, and human behavior aspects.
and the demands placed by business upon these areas. • Cyber Layer: Data, communication and
It is BS7799 compatible. information systems, including management systems
• End to End Security Assessment for the physical layer. For example, Supervisory
(EESA™)4: EESA deals with Critical Information Control and Data Acquisition (SCADA).
Infrastructure Protection (CIIP). It analyzes the • Physical Layer: Physical devices (e.g., in the
“Security Quality of Service” (SQOS) along the path electricity infrastructure: the generators, breakers, and
of critical processes within a business environment or cables).
system and evaluates whether the security mechanisms
along it, are adequate for protecting against likely
threats. The uniqueness of EESA lies in the fact that
the analysis covers both strategic issues as well as very 3.5 Dependency Between Layers
detailed technical security design issues. Ranging from
business layer to IT layers, it provides an In order to evaluate Critical Infrastructures, each
interdisciplinary, business oriented assessment layer needs to be evaluated, and the impact security
method. incidents may have upon it, analyzed. The underlying
mechanisms affecting security between layers, and the
implications resulting from an incident occurring in
3.3 CIP Models That Can be Used for RA one layer and affecting other layers (intra-
dependency), should be analyzed as well. Finally,
there is a need to involve understanding the manner in
Today, most RA methods mainly focus on which an incident taking place in one infrastructure,
information systems, which they treat as isolated may impact upon other infrastructures (inter-
entities. dependency).
Integration of some of the leading CIP models
within RA methodologies is critical if specific CIP
needs are to be met. This includes CIP models, such
as: CIP layers, implications resulting from
dependencies between layers, and the multi-

ssel/EESA-basics.pdf http://www.iabg.de/acip/doc/wp6/D61_summary.pdf

Proceedings of the 2005 First IEEE International Workshop on Critical Infrastructure Protection (IWCIP’05)
0-7695-2426-5/05 $20.00 © 2005 IEEE
Figure 2. Dependency Between CIP Layers

However, the impact of an incident within a

3.6 Multi-Dimensional Impact Vectors complex infrastructure might have several dimensions.
Figure 3 illustrates the effect of a multi-dimensional
impact upon critical infrastructures. This should also
Another important aspect is the need to examine be incorporated within analysis processes.
the various implications of an incident. Most RA
methods relate to the effect of an incident as having
either a ‘0’ (negative) or a ‘1’ (positive) value.

Figure 3. Multi-Dimensional Security Incident Impact Vectors

Proceedings of the 2005 First IEEE International Workshop on Critical Infrastructure Protection (IWCIP’05)
0-7695-2426-5/05 $20.00 © 2005 IEEE
3.7 Development and Implementation of RM Some tools, try to calculate risk probabilities and
Tools risk rates by using a variety of risk analysis formulas
such as ALE (Annual Loss Expectancy), and financial
metrics. Their scope is however limited, since there is
Tools for RA and RM are a developing field. little ability within the organizations to actually
Over the next few years, as risk analysis activity is provide the data necessary to quantify these metrics.
increasingly centralized, the use of tools to automate
this process will undoubtedly also increase. Other products also maintain databases that store
Some potential benefits of RM tools are: large amounts of information concerning threats,
• Optimization of resource management and vulnerabilities and countermeasures. Although, this
budgeting by automating processes. This includes the reduces the amount of time (and of expert personnel)
usage of predefined templates and report generators. required to research the information for the risk
assessment process, the tools that implement this still
• Optimization of IT security spending through focus on the single IT component and not on all the
efficient identification of risk areas. CIP processes.
• Providing a computerized methodology that
increases the ability of handling large, complex Developing the next generation of Risk
systems – that a "one-man" approach would have Management tools will probably change the Risk
difficulty coping with. Management environment in medium to large sized
• Providing centralized management and organizations. Each security officer will have an RM
measurement capabilities, for the RM processes within tool on his desk, to assist him in dealing with the full
the entire organization. range of RM activities within the organization. An
• Improve policy and regulation compliance interesting example of such tool under development is
processes, by creating compliance workflows, the White Cyber Knight™6, which will provide a
throughout the organization. comprehensive approach towards risk management in
large organizations.
• Allow some RA tasks to be delegated to non-
security experts, thus covering more security areas
White Cyber Knight™ is an expert RM system.
with fewer professional resources.
The tool is designed for CIP, with an emphasis on
• Provide a comprehensive computerized Critical Information Infrastructure Protection (CIIP).
methodology that reduces the need to rely on The tool is based on an advanced RA engine. It is
subjective knowledge and gut feelings. capable of providing a comprehensive Risk Map, that
At present, the first generation of tools is very is driven by a wide variety of aspects, affecting
limited. They focus mainly on RA, and provide only organizations security. This includes: human behavior,
basic RM capabilities. However, this might change. policies and regulations, critical business processes,
Existing tools are to a large extent questionnaire- architecture of IT systems, and technical
based and only aid in the process of risk management vulnerabilities, among others. The tool it designed to
within large organizations. They use asset mapping, meet RM needs in large organizations, but can
whereby a range of values is assigned to the effectively be used by medium-sized organizations as
organization’s assets, and each of these is evaluated well. It provides the ability to manage security risks in
for compliance with different industry standards. For distributed environments, to follow-up risk mitigation
example, financial services are evaluated for activities, and finally, allows the Chief Security
compliance with the Sarbanes Oxley Act, data services Officer (CSO ) and the IT manager to measure their
in the Health industry with HIPAA compliance, etc. success over time.

By automating and formalizing the risk Use of RM tools such as this can play a major role
management process, the organization can benefit in in the RM process, since it can raise the efficiency of
terms of efficiency, but with tool capabilities as they RM activities, and decrease reliance on any individual
exist today, they are unable to provide an accurate risk analyst’s knowledge. The contribution of such
appraisal of the inherent cross boundary security risks tools is even greater, when dealing with Complex
within organizations or across disciplines which Critical Infrastructures, as it is highly unlikely any
decision makers can effectively make use of.

Proceedings of the 2005 First IEEE International Workshop on Critical Infrastructure Protection (IWCIP’05)
0-7695-2426-5/05 $20.00 © 2005 IEEE
single specialist is able to cope with the diversity and [2[Anthony H. Cordseman, “Cyber-Threats, Information
complexity of CIP risk assessment requirements. Warfare, and Critical Infrastructure Protection,” Library of
Congress, 2002
However, use of RM tools, cannot exist in a [3] Professor Heinz Thielmann, Eyal Adar, "End to End
Security Assessment Für CIP", Digma magazine June 2004.
vacuum. They will be possible only within a strong
See: http://www.digma.info
global RM framework and suitable measurement
criteria on which to be based. It would furthermore [4] Bernhard M. Hämmerli, Eric Luiijf, Willi Stein, Eyal
Adar, "ECN, European CIIP Newsletter".
require use of advanced RA methods, plus CIP models
that can be used for RA. See: http://www.ci2rco.org/
[5] Dunn Myriam, Isabelle Wigert,
"The International CIIP Handbook 2004"
These elements are interdependent, and only by See: http://www.isn.ethz.ch/crn/
selectively combining their best features can a
[6] EU-US collaboration team for CIP. See:
successful RM campaign be instituted, and to
adequately face the challenges of an ever changing
and ever demanding security risk environment. [7] Sandro Bologna, Ruaridh Macdonald,,
"Advanced Modeling and Simulation Methods and
Tools for Critical infrastructure Protection", ACIP project,
References: See: http://www.iabg.de/acip/doc/wp4/D4_5_v0_1_RM.pdf

[1] Greg Miles, Russ Rogers, Ed Fuller, Matthew Paul

Hoagberg and Ted Dykstra, "Security Assessment, Case
Studies for Implementing the NSA IAM",Syngress
Publishing, ISBN: 1-932266-96-8

Proceedings of the 2005 First IEEE International Workshop on Critical Infrastructure Protection (IWCIP’05)
0-7695-2426-5/05 $20.00 © 2005 IEEE