A Hybrid Hierarchical Framework Toward Security Effectiveness for Critical Infrastructure Protection and Resiliency: A Hospital Case Study
-
Latechia White
,
Timothy Eveleigh
Abstract
A successful Denial of Service attack on a CI can indirectly have devastating and irreversible effects to those that depend on its services. Furthermore, recent disruptions have raised concerns regarding the resiliency, security effectiveness and emergency preparedness of CIs and dependent resources. To address the persistent challenge of protecting CIs and maintaining the essential services they provide, this research offers emergency management personnel a conceptual framework to evaluate security effectiveness and estimate the cascading effects that may result from inadequate security measures. We combine the philosophy of multi-dimensional modeling, with the statistical engine of Bayesian Belief Networks to provide proactive, scenario-based interdependency analysis for CI protection and resiliency. The findings of this research resulted in a multi-dimensional approach that enables a heightened awareness of one’s risk-posture by highlighting the existence (strength) or absence (weakness) of relevant security factors. Through stakeholder risk-assessment, preemptive implementation of threat mitigation plans for dependent resources are permissible. Specifically, we provide this proof of concept, “what-if” analysis tool to assist in the reduction of vulnerabilities. To illustrate the conceptual framework, we provide a Healthcare and Public Health sector case study that evaluates the impact to a hospital patient given a successful DoS attack on a CI.
References
Ayyub, Bilal M., Peter G. Prassinos, and John Etherton. 2010. “Risk-Informed Decision Making.” Mechanical Engineering 132 (1): 28–33.10.1115/1.2010-Jan-2Search in Google Scholar
Bayuk, Jennifer, and Ali Mostashari. 2013. “Measuring systems security.” Systems Engineering 16: 1–14.10.1002/sys.21211Search in Google Scholar
Bloomfield, R., N. Chozos, and P. Nobles. 2009. Infrastructure interdependency analysis: introductory research review. Adelard LLP.Search in Google Scholar
Borum, R., J. Felker, S. Kern, K. Dennesen, and T. Feyes. 2015. “Strategic Cyber Intelligence.” Information and Computer Security 23 (3): 317–332.10.1108/ICS-09-2014-0064Search in Google Scholar
Department of Homeland Security. 2016. http://www.dhs.gov/healthcare-and-public-health-sector.Search in Google Scholar
Di Giorgio, Alessandro, and Francesco Liberati. (2011). “Interdependency Modeling and Analysis of Critical Infrastructures Based on Dynamic Bayesian Networks.” In 2011 19th Mediterranean Conference on Control & Automation (MED), Corfu, Greece. 791–797, IEEE10.1109/MED.2011.5983016Search in Google Scholar
Dimase, D., Z. A. Collier, K. Heffner, and I. Linkov. 2015. “Systems Engineering Framework for Cyber Physical Security and Resilience.” Environment Systems & Decisions 35 (2): 291–300.10.1007/s10669-015-9540-ySearch in Google Scholar
Eusgeld, I., C. Nan, and S. Dietz. 2011. “‘System-of-Systems’ Approach for Interdependent Critical Infrastructures.” Reliability Engineering & System Safety 96: 679–686.10.1016/j.ress.2010.12.010Search in Google Scholar
Frigault, Marcel. 2010. Measuring network security using Bayesian network-based attack graphs. Ph.D. diss., Concordia University (Canada).Search in Google Scholar
Gass, Saul I. 2005. “Model World: The Great Debate-MAUT versus AHP.” Interfaces 35 (4): 308–312. Accessed February 27, 2015. http://search.proquest.com/docview/217112431?accountid=11243.10.1287/inte.1050.0152Search in Google Scholar
Ghorbani, A. A., and E. Bagheri. 2013. “The State of the Art in Critical Infrastructure Protection: A Framework for Convergence.” International Journal of Critical Infrastructures 4 (3): 215–244.10.1504/IJCIS.2008.017438Search in Google Scholar
Haimes, Yacov Y. 1981. “Hierarchical Holographic Modeling.” IEEE Transactions On Systems, Man, and Cybernetics 11 (9): 606–617.10.1109/TSMC.1981.4308759Search in Google Scholar
Haimes, Yacov Y. 2004. Risk Modeling, Assessment, and Management. Hoboken, NJ: Wiley-Interscience.10.1002/0471723908Search in Google Scholar
Haimes, Y. Y., J. Lambert, Duan Li, R. Schooff, and V. Tulsiani. 1995. “Hierarchical Holographic Modeling for Risk Identification in Complex Systems.” 1995 IEEE International Conference on Systems, Man and Cybernetics. Intelligent Systems for the 21st Century.Search in Google Scholar
Hubbard, Douglas W. 2010. How to measure anything finding the value of “intangibles” in business. 2nd ed. Hoboken, NJ: Wiley.10.1002/9781118983836Search in Google Scholar
Jaquith, Andrew. 2007. Security Metrics: Replacing Fear, Uncertainty, and Doubt. Upper Saddle River, NJ: Addison-Wesley.Search in Google Scholar
Kozik, Rafał, Michał Choraś, and Witold Hołubowicz. 2010. “Fusion of Bayesian and Ontology Approach Applied to Decision Support System for Critical Infrastructures Protection.” In Mobile Lightweight Wireless Systems. Springer Berlin Heidelberg.10.1007/978-3-642-16644-0_39Search in Google Scholar
Lewis, T. G. (2015). Critical infrastructure protection in homeland security: Defending a networked nation. Hoboken, New Jersey: Wiley.Search in Google Scholar
National Association of County and City Health Officials (NACCHO). 2014. Cyber Attack on U.S. Hospital Group Highlights Vulnerability of Critical Infrastructure. Accessed February 19, 2019. http://nacchopreparedness.org/cyber-attack-on-u-s-hospital-group-highlights-vulnerability-of-sector/.Search in Google Scholar
National Association of County and City Health Officials (NACCHO). 2015. The Role of Local Public Health in Healthcare Critical Infrastructure Protection. Accessed February 19, 2019. http://nacchopreparedness.org/the-role-of-local-public-health-in-healthcare-critical-infrastructure-protection/.Search in Google Scholar
National Association of County and City Health Officials (NACCHO). 2016. The Public Health Emergency Preparedness Landscape: Findings from the 2016 Preparedness Profile Assessment. Accessed February 19, 2019. https://nacchopreparedness.org/the-public-health-emergency-preparedness-landscape-findings-from-the-2016-preparedness-profile-assessment/.Search in Google Scholar
National Institute of Standards and Technologies (NIST). 2014. Framework for Improving Critical Infrastructure Cybersecurity.Search in Google Scholar
Ouyang, M. 2014. “Review on Modeling and Simulation of Interdependent Critical Infrastructure Systems.” Reliability Engineering & System Safety 121: 43–60.10.1016/j.ress.2013.06.040Search in Google Scholar
Pearl, Judea. 1988. Probabilistic Reasoning in Intelligent Systems: Networks of Plausible Inference. San Mateo, Calif.: Morgan Kaufmann Publishers.10.1016/B978-0-08-051489-5.50008-4Search in Google Scholar
Pederson, P., D. Dudenhoeffer, S. Hartley, and M. Permann. 2006. “Critical Infrastructure Interdependency Modeling: A Survey of US and International Research.”Search in Google Scholar
Pettigrew, J., J. Ryan, K. Salous, T. Mazzuchi, and W. Dc. 2009. Decision-Making by Effective Information Security Managers.Search in Google Scholar
Rinaldi, S. M., J. P. Peerenboom, and T. K. Kelly. 2001. “Identifying, Understanding, and Analyzing Critical Infrastructure Interdependencies.” IEEE Control Systems Magazine 21 (6): 11–25.10.1109/37.969131Search in Google Scholar
Roberts, Steven 2004. “Tips and Trends for Homeland Security and Critical Infrastructure Protection.” Journal of Homeland Security and Emergency Management 1 (4): Article 405.10.2202/1547-7355.1080Search in Google Scholar
Ryan, J. J. C. 2004. “Information Security Tools and Practices: What Works?” IEEE Transactions on Computers 53 (8): 1060–1063.10.1109/TC.2004.45Search in Google Scholar
Sanders, W. 2014. “Quantitative Security Metrics: Unattainable Holy Grail or a Vital Breakthrough Within Our Reach.” Security & Privacy, IEEE 12 (2): 67–69.10.1109/MSP.2014.31Search in Google Scholar
Satumtira, G., and L. Dueñas-Osorio. 2010. “Synthesis of modeling and simulation methods on critical infrastructure interdependencies research.” In: Sustainable infrastructure systems: simulation, imaging, and intelligent engineering, edited by K. Gopalakrishnan, S. Peeta. New York: Springer-Verlag.10.1007/978-3-642-11405-2_1Search in Google Scholar
Sikula, Nicole R., James W. Mancillas, Igor Linkov, and John A. McDonagh. 2015. “Risk management is not Enough: A Conceptual Model for Resilience and Adaptation-Based Vulnerability Assessments.” Environment Systems & Decisions 35 (2): 219.10.1007/s10669-015-9552-7Search in Google Scholar
Symantec. 2010. Critical Infrastructure Protection Study (Global Results) (October 2010) .Search in Google Scholar
The White House. 2013. Executive Order 13636 – Improving Critical Infrastructure Cybersecurity. https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity.Search in Google Scholar
U.S. Government Accountability Office. 2011. “Cybersecurity: Continued Attention Needed to Protect Our Nation’s Critical Infrastructure and Federal Information Systems.” GAO-11-463T.Search in Google Scholar
U.S. Government Accountability Office. 2012a. Critical Infrastructure Protection: Cybersecurity Guidance Is Available, but More Can Be Done to Promote Its Use. GAO-12-92. Washington, D.C. December 9, 2011.Search in Google Scholar
U.S. Government Accountability Office. 2012b. Cybersecurity: Threats Impacting the Nation. GAO-12-666T. Washington, D.C. April 24, 2012.Search in Google Scholar
U.S. Government Accountability Office. 2013. Cybersecurity: A Better Defined and Implemented National Strategy Is Needed to Address Persistent Challenges. GAO-13-462T. Washington, D.C. March 7, 2013.Search in Google Scholar
U.S. Government Accountability Office. 2015a. Critical Infrastructure Protection: Measures Needed to Assess Agencies’ Promotion of the Cybersecurity Framework. GAO-16-152. Washington, D.C. December 17, 2015.Search in Google Scholar
U.S. Government Accountability Office. 2015b. Cybersecurity: Actions Needed to Address Challenges Facing Federal Systems. GAO-15-573T. Washington, D.C. April 22, 2015.Search in Google Scholar
U.S. Government Accountability Office. 2017. Information Security: DHS Needs to Continue to Advance Initiatives to Protect Federal Systems. GAO-17-518T. Washington, D.C. March 28, 2017.Search in Google Scholar
Vugrin, E., D. Warren, Mark A. Ehlen, and R. Chris Camphouse. 2010. A Framework for Assessing the Resilience of Infrastructure and Economic Systems. Sustainable and Resilient Critical Infrastructure Systems. K. Gopalakrishnan and S. Peeta, Berlin Heidelberg: Springer; 77–116.10.1007/978-3-642-11405-2_3Search in Google Scholar
Zio, Enrico. 2016. “Challenges in the vulnerability and risk analysis of critical infrastructures.” Reliability Engineering & System Safety 152: 137–150. ISSN 0951-8320.10.1016/j.ress.2016.02.009Search in Google Scholar
©2019 Walter de Gruyter GmbH, Berlin/Boston
Articles in the same Issue
- Opinions
- Grid Collapse Security, Stability and Vulnerability Issues: Impactful Issues Affecting Nuclear Power Plants, Chemical Plants and Natural Gas Supply Systems
- The Expanding Domestic Role of Western Armed Forces and its Implications
- Research Article
- Disaster Risk Analysis Part 2: The Systemic Underestimation of Risk
- Article
- A Hybrid Hierarchical Framework Toward Security Effectiveness for Critical Infrastructure Protection and Resiliency: A Hospital Case Study
Articles in the same Issue
- Opinions
- Grid Collapse Security, Stability and Vulnerability Issues: Impactful Issues Affecting Nuclear Power Plants, Chemical Plants and Natural Gas Supply Systems
- The Expanding Domestic Role of Western Armed Forces and its Implications
- Research Article
- Disaster Risk Analysis Part 2: The Systemic Underestimation of Risk
- Article
- A Hybrid Hierarchical Framework Toward Security Effectiveness for Critical Infrastructure Protection and Resiliency: A Hospital Case Study
