A Methodology Towards Security Effectiveness for Critical Infrastructure and Dependent Resources Open Access
Downloadable ContentDownload PDF
A successful Denial of Service (DoS) attack on a Critical Infrastructure (CI) can indirectly have devastating and irreversible effects to those that depend on its services. The mere possibility that physical destruction or loss of human life can result (indirectly) from a successful attack on a CI gives reason to re-assess the effectiveness of security measures in place to protect and provide resiliency. Although existing literature describe numerous approaches to CI interdependency analyses, it does not sufficiently identify or address a method to dynamically (through scenario analysis) and proactively evaluate and quantify the relative effectiveness of implemented and/or proposed security measures against multi-order cascading effects given a CI disruption. To address the persistent challenge of protecting CIs and maintaining the essential services that they provide, a method to evaluate security effectiveness with an operational framework is offered to assist proactive, scenario-based interdependency analysis of CI Protection and Resiliency (CIP/R). This methodology is provided for CI owners and stakeholders to evaluate their posture and ultimately make provisions for a more proactive response before potential disaster. The Bayesian Approach to Security Effectiveness through metrics, modeling and decision-making (BASE m2d) conceptual framework was developed by this research to address this pervasive problem. Specifically, this research illustrates the framework by examining multi-order effects on hospital operations, thereby assessing the likelihood of impact to a patient’s health given a successful cyber or physical (natural or man-made) attack on a dependent CI. A survey was provided to medical professionals at 10 different hospitals to help identify current risk management processes used by the medical professionals to understand, assess, and validate patient impact given DoS to a dependent CI (Power, Water, and Communications). The probabilistic Bayesian module allowed for a scenario-based, what-if impact analysis, given limited available data. This research revealed, despite the known dependence on CIs, no standardized metrics or processes are used to assess patient impact for risk mitigation given a DoS. Also noted was a lack of general preparedness, training, and methods of sharing information in the event of a DoS on a dependent CI. Consequently, the findings of this research resulted in a hybrid, hierarchical, multi-dimensional approach grounded in systems engineering principles.