1
Categorizing and Assessing the Severity of Disruptive Cyber Incidents
Dr. Charles Harry, Maryland Global Initiative on Cybersecurity, Center for International and Security Studies at Maryland
2
The Problem for Policy Makers
Policymakers, security experts, and journalists frequently cite alarming statistics: “U.S. hit by 77,000 Cyber Attacks in 2015 – a 10 Percent Jump.” (Newsweek). But federal reporting requirements define “cyber incidents” broadly, as “a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard computer security practices.” Under that definition some events are significant (e.g. the OPM breach) while others are a nuisance (e.g. a lone phishing attempt), yet both count as one incident.
3
PPD 41-Attempting to Define Significant Cyber Events
Presidential Policy Directive 41 (PPD-41) released in July 2016 laid out the Obama administration’s principles for executive branch responses to significant cyber incidents. It represented an important step towards clarifying when the federal government should get involved, which agency should take the lead, and how it should work with other public and private actors, depending on the nature, severity, and target of a cyber attack. Yet, it failed to draw important distinctions between different types of cyber events or to provide a standard method of ranking a particular incident on its 0-5 point severity scale. The lack of shared terminology and assessment methodology creates other serious problems. It leaves public officials, industry leaders, media sources, and private individuals unable to differentiate between cyber incidents that are a nuisance versus those that could seriously disrupt critical operations for an extended period of time.
4
Categorize the Cyber Threat
Two types of events:
- Exploitive Cyber Events (e.g. data is stolen)
- Disruptive Cyber Events (e.g. systems don’t work)

Exploitive:
- Exploitation of Sensors
- Exploitation of End Hosts
- Exploitation of Network Appliances
- Exploitation of Network Infrastructure
- Exploitation of Data in Transit

Disruptive:
- Message Manipulation
- External Service Disruption
- Internal Communication Disruption
- Data Deletion or Encryption Attack
- Equipment Attack
5
Categories of Disruption
Representative examples of cyber events in each category:
- Message Manipulation: Turkish hackers replaced the homepage of a Russian bank with messages boasting about the shooting down of a Russian jet over the Turkey-Syria border.
- External Denial of Service: Two South African organizations had their websites overwhelmed with traffic by DDoS attacks conducted in response to alleged anti-white policies espoused by the groups.
- Internal Communication Interference: A Newport Beach, California, cybersecurity firm was the victim of hackers who accessed and reset a core router. That created a cascading failure across the entire internal network, making most of the firm’s IT systems unavailable.
- Data Attack: The Lansing Board of Water and Light had its system and internal network rendered inoperable by the propagation of a ransomware attack.
- Equipment Attack: A Ukrainian power company experienced several different cyber events, including the disconnection of breakers, thereby denying power to thousands of customers.
6
Counting Disruptive Attacks
Sample: 2,030 cyber events evaluated from media sources, January through August 2016. Because only media-reported events are included, the sample is not representative of the true population.
7
Measuring the Effect of Disruptive Cyber Events
Disruptive events are scored with the Cyber Disruption Index (CDI), built from three factors:
- Scope: number and importance of the nodes in the network that are disrupted
- Magnitude: effect on the productivity of the affected nodes
- Duration: how long the disrupted nodes are affected
8
Cyber Disruption Index
Cyber Disruption Index (CDI), scaled between 0 and 1:
CDI = Scope x Magnitude x Duration
Each factor is rated on a five-level scale; since every factor is at least 0.2, the product ranges from 0.008 to 1.0.

Rating of the Scope of the Event (number and/or importance of devices):
0.2 Insignificant number and/or importance of devices
0.4 Minimal number and/or importance of devices
0.6 Significant number and/or importance of devices
0.8 Massive number and/or importance of devices
1.0 All devices in a network

Rating of the Magnitude of the Event (impact on productive capacity of devices):
0.2 Insignificant impact on productive capacity
0.4 Minimal impact on productive capacity
0.6 Significant impact on productive capacity
0.8 Massive impact on productive capacity
1.0 Complete loss of productive capacity

Rating of the Duration of the Event (system down time):
0.2 Insignificant (minutes)
0.4 Minimal (minutes to hours)
0.6 Significant (hours to days)
0.8 Massive (days to weeks)
1.0 Total (weeks to indefinite)
9
Applying the CDI
Survey data from Kaspersky customers, April 2013 through May 2014: 18% of the 3,900 respondents (small, medium, and large organizations) had experienced a DDoS event. A DDoS event is categorized as an External Service Disruption Event in this framework.
10
Applying the CDI to DDoS Events
Number of surveyed DDoS events by Magnitude (columns) and Duration (rows):

Magnitude ratings:
0.2 Slight page viewing delays
0.6 Significant page viewing delays
1.0 Transaction failures or complete disruption

Duration                                   | Magnitude 0.2 | Magnitude 0.6 | Magnitude 1.0
Less than 10 minutes to an hour (0.2)      |      96       |      14       |       4
Several hours (0.6)                        |      77       |      24       |       5
Full day to several weeks (1.0)            |      89       |      20       | (not shown on slide)

Scope is fixed at 0.4 for all DDoS events because they impact only a single, albeit important, node in the targeted network (e.g. the web server).
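The following is an added worked example, not code from the presentation: it encodes the five-level rating rubric from the "Cyber Disruption Index" slide, scores an incident from its three ratings, and then applies the fixed-scope rule to the DDoS survey table above to get the distribution of CDI values the surveyed events would receive. The counts are the slide's figures; the blank bottom-right cell is kept as missing rather than guessed. Function and label names are the example's own.

```python
"""Cyber Disruption Index (CDI) = Scope x Magnitude x Duration.

Rating scales are the five-level rubric from the "Cyber Disruption Index" slide.
The DDoS counts reproduce the 3x3 table on the "Applying the CDI to DDoS Events"
slide; the cell the slide leaves blank is stored as None and skipped.
"""
from collections import Counter

# Each factor is an ordinal rating mapped to a score in {0.2, 0.4, 0.6, 0.8, 1.0}.
SCOPE = {          # number and/or importance of affected devices
    "insignificant": 0.2, "minimal": 0.4, "significant": 0.6, "massive": 0.8, "all": 1.0,
}
MAGNITUDE = {      # loss of productive capacity of those devices
    "insignificant": 0.2, "minimal": 0.4, "significant": 0.6, "massive": 0.8, "complete": 1.0,
}
DURATION = {       # system down time
    "minutes": 0.2, "minutes_to_hours": 0.4, "hours_to_days": 0.6,
    "days_to_weeks": 0.8, "weeks_to_indefinite": 1.0,
}


def cdi(scope: float, magnitude: float, duration: float) -> float:
    """Product of the three factor scores, rounded so equal products compare equal."""
    for name, value in (("scope", scope), ("magnitude", magnitude), ("duration", duration)):
        if not 0.0 < value <= 1.0:
            raise ValueError(f"{name} rating {value} is outside (0, 1]")
    return round(scope * magnitude * duration, 4)


def cdi_from_labels(scope: str, magnitude: str, duration: str) -> float:
    """Score an incident from rubric labels, e.g. ('minimal', 'complete', 'hours_to_days')."""
    return cdi(SCOPE[scope], MAGNITUDE[magnitude], DURATION[duration])


# --- DDoS survey table from the slide (constructed copy of the slide's counts) ----
DDOS_SCOPE = 0.4                    # slide fixes scope: a single, important node (web server)
DDOS_MAGNITUDE = (0.2, 0.6, 1.0)    # slight delays / significant delays / transaction failures
DDOS_DURATION = (0.2, 0.6, 1.0)     # under an hour / several hours / a day to several weeks
DDOS_COUNTS = (                     # rows = duration, columns = magnitude
    (96, 14, 4),
    (77, 24, 5),
    (89, 20, None),                 # bottom-right cell is blank on the slide
)


def ddos_cdi_distribution() -> dict:
    """Map each CDI value to the number of surveyed DDoS events that scored it."""
    dist = Counter()
    for d_idx, duration in enumerate(DDOS_DURATION):
        for m_idx, magnitude in enumerate(DDOS_MAGNITUDE):
            n = DDOS_COUNTS[d_idx][m_idx]
            if n is None:
                continue
            # Different (magnitude, duration) pairs can give the same CDI; Counter merges them.
            dist[cdi(DDOS_SCOPE, magnitude, duration)] += n
    return dict(dist)


def weighted_mean_cdi(dist: dict) -> float:
    """Count-weighted average CDI over the surveyed events."""
    total = sum(dist.values())
    return round(sum(score * n for score, n in dist.items()) / total, 4)


def share_at_or_above(dist: dict, threshold: float) -> float:
    """Fraction of events whose CDI reaches the threshold."""
    total = sum(dist.values())
    return round(sum(n for score, n in dist.items() if score >= threshold) / total, 4)


if __name__ == "__main__":
    dist = ddos_cdi_distribution()
    for score in sorted(dist):
        print(f"CDI {score:.3f}: {dist[score]:3d} events")
    print("events scored:", sum(dist.values()))
    print("weighted mean CDI:", weighted_mean_cdi(dist))
    print("share with CDI >= 0.1:", share_at_or_above(dist, 0.1))
```

Two things the table alone does not make obvious fall out of the computation: with scope pinned at 0.4, no DDoS event can score above 0.4 regardless of how long it lasts, and cells with different magnitude/duration pairs collapse onto the same CDI (0.6 x 0.2 and 0.2 x 0.6 both give 0.048), so the index ranks a short severe outage and a long mild one identically.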
11
Possible Scenarios, Risk, and Critical Infrastructure
Service: Power Distribution Control (Industrial Control System). For each scenario the slide gives a CDI, a probability band, and the expected value EV = CDI x Prob.

Message Manipulation
- Change security guidance and recommendations through manipulation of trusted guides/policies. CDI .08; Prob. Medium (.50); EV .04

External Denial-of-Service
- Disrupt network communications between control stations and power distribution centers. CDI .60; Prob. High (.75); EV .45
- Use large-scale DDoS to attack any externally hosted corporate application. CDI .50; Prob. High (.75); EV .38

Internal Denial-of-Service
- Access internal routers and reset to factory settings to drop all network communications.
- Filter or malform specific application protocols to prevent or induce errors between systems.
  CDI .30; Prob. Low (.25); EV .15

Data Attack
- Use the ransomware HDD Cryptor to encrypt data on the ICS workstations.
- Use the KillDisk malware to delete data on the workstations in the ICS network.
  CDI .80; Prob. (not shown on slide); EV .40

Physical Attack
- Ghost the HMI to flip breakers.
- Modify the HMI to turn breakers on and off randomly.
- Change code in the PLCs to modify specific breakers.
  CDI .70; Prob. Medium (.50); EV .20, .35
12
Reducing Risk Against a Key Service
What technology can I use to prevent a specific attack? What changes in architecture can I use to reduce the probability of attack? What recovery systems or process can I implement to reduce down-time? What investments do I need to make in awareness training or security to reduce the probability of attack?
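An added example (not code from the presentation) that puts the scenario table and the four "Reducing Risk" questions together: it takes the slide's CDI and probability figures for the power distribution ICS (only the rows where the slide gives both numbers), computes EV = CDI x Prob, and then compares candidate investments by how much expected disruption each removes. A control that lowers the probability band answers the "architecture" and "awareness" questions; one that shortens down time answers the "recovery" question and, because CDI is a product, scales the CDI by the change in the duration rating. The controls, the categories they apply to, and the assumed current duration rating are constructed for illustration and are not from the slides.

```python
"""Expected value (EV) of disruptive scenarios: EV = CDI x Probability.

CDI and probability figures are those on the "Possible Scenarios, Risk, and
Critical Infrastructure" slide for the power distribution control ICS, restricted
to the rows where the slide gives both numbers. The controls and their effects
are assumed for illustration; they are not figures from the presentation.
"""
from dataclasses import dataclass

PROBABILITY = {"low": 0.25, "medium": 0.50, "high": 0.75}   # bands used on the slide
BANDS = ["low", "medium", "high"]


@dataclass(frozen=True)
class Scenario:
    category: str
    description: str
    cdi: float          # Scope x Magnitude x Duration, as scored on the slide
    likelihood: str     # "low" | "medium" | "high"

    @property
    def ev(self) -> float:
        return round(self.cdi * PROBABILITY[self.likelihood], 4)


SCENARIOS = [
    Scenario("Message Manipulation",
             "manipulate trusted security guides/policies", 0.08, "medium"),
    Scenario("External Denial-of-Service",
             "disrupt comms between control stations and distribution centers", 0.60, "high"),
    Scenario("External Denial-of-Service",
             "large-scale DDoS on an externally hosted corporate application", 0.50, "high"),
    Scenario("Physical Attack",
             "modify the HMI or PLC code to flip breakers", 0.70, "medium"),
]


@dataclass(frozen=True)
class Control:
    """A candidate investment, expressed in the terms of the 'Reducing Risk' questions."""
    name: str
    applies_to: tuple                 # scenario categories the control touches
    likelihood_steps_down: int = 0    # architecture/awareness: drop the probability band
    duration_factor: float = 1.0      # recovery: new/old duration rating; CDI scales linearly


def apply_control(s: Scenario, c: Control) -> Scenario:
    """Return the scenario as re-scored after the control is in place."""
    if s.category not in c.applies_to:
        return s
    band = BANDS[max(0, BANDS.index(s.likelihood) - c.likelihood_steps_down)]
    # CDI = Scope x Magnitude x Duration, so shrinking the duration rating by a factor
    # shrinks the CDI by the same factor without re-rating scope or magnitude.
    return Scenario(s.category, s.description, round(s.cdi * c.duration_factor, 4), band)


def portfolio_ev(scenarios) -> float:
    """Sum of EVs: the total expected disruption across the listed scenarios."""
    return round(sum(s.ev for s in scenarios), 4)


def ev_reduction(scenarios, control: Control) -> float:
    """Expected disruption removed by one control, applied across all scenarios."""
    after = [apply_control(s, control) for s in scenarios]
    return round(portfolio_ev(scenarios) - portfolio_ev(after), 4)


def rank_controls(scenarios, controls):
    """Controls ordered by how much expected disruption they remove."""
    return sorted(controls, key=lambda c: ev_reduction(scenarios, c), reverse=True)


# Assumed controls (constructed for this example, not from the slides).
CONTROLS = [
    Control("Upstream DDoS scrubbing for Internet-facing services",
            applies_to=("External Denial-of-Service",), likelihood_steps_down=1),
    # Assumes the breaker scenario currently rates duration 0.8 (days to weeks)
    # and a tested restore playbook brings it to 0.4 (minutes to hours).
    Control("Tested ICS restore playbook",
            applies_to=("Physical Attack",), duration_factor=0.4 / 0.8),
    Control("Signed, verified distribution of security policy documents",
            applies_to=("Message Manipulation",), likelihood_steps_down=1),
]

if __name__ == "__main__":
    print("portfolio EV before:", portfolio_ev(SCENARIOS))
    for c in rank_controls(SCENARIOS, CONTROLS):
        print(f"{ev_reduction(SCENARIOS, c):.3f}  {c.name}")
```

With these assumptions the DDoS scrubbing comes out ahead (it moves two High-probability scenarios down a band) even though the breaker scenario carries the largest single CDI; halving its recovery time removes less expected disruption than the probability reduction does. The ranking is only as good as the band values, so the same comparison should be rerun with the organization's own probability estimates rather than the slide's Low/Medium/High defaults.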
14
Managing Risk Across Critical Infrastructure
Power Generation Power Transmission Power Distribution Customer Locations
15
Managing Risk Across Critical Infrastructure
Power Generation
16
Managing Risk Across Critical Infrastructure
Power Transmission
17
Managing Risk Across Critical Infrastructure
Power Distribution
18
Managing Risk Across Critical Infrastructure
Customer Locations
19
Mapping Critical Infrastructure
20
Questions?