Barry M. Horowitz

A Macro-Economic Framework for Evaluation of Cyber Security Risks Related to Protection of Intellectual Property

The article is based on the premise that, from a macro-economic viewpoint, cyber attacks with long-lasting effects are the most economically significant, and as a result require more attention than attacks with short-lasting effects that have historically been more represented in literature. In particular, the article deals with evaluation of cyber security risks related to one type of attack with long-lasting effects, namely, theft of intellectual property (IP) by foreign perpetrators. An International Consequence Analysis Framework is presented to determine (1) the potential macro-economic consequences of cyber attacks that result in stolen IP from companies in the United States, and (2) the likely sources of such attacks. The framework presented focuses on IP theft that enables foreign companies to make economic gains that would have otherwise benefited the U.S. economy. Initial results are presented.

An architectural systems engineering methodology for addressing cyber security

This paper discusses important shortcomings of current approaches to systems security engineering. The value and limitations of perimeter security designs are examined. An architectural approach to systems security engineering is introduced as a complementary means for strengthening current approaches. Accordingly, this paper outlines a methodology to identify classes of new reusable system security solutions and an architectural framework based on reuse of the patterns of solutions. It also introduces a new methodology for security metrics intended to stimulate critical solution design tradeoff analyses as part of security design reuse considerations. Examples of problems, potential architectural solutions, and corresponding security metrics are provided.

Economic costs of firm‐level information infrastructure failures: Estimates from field studies in manufacturing supply chains

Purpose – This paper presents a method for estimating the macro‐economic cost of a firm‐level information system disruption within a supply chain.Design/methodology/approach – The authors combine field study estimates with a Leontief‐based input‐output model to estimate the macro‐economic costs of a targeted internet outage that disrupts the supply chain.Findings – The authors find that supply chain vulnerability or resiliency to cyber disruptions is not necessarily dependent on the types of technology employed, but rather how the technology is used to enable supply chain processes and the type of attack experienced. The authors find that some supply chains like oil and gas could be significantly impacted by certain cyber disruptions. However, similar to other causes of supply chain disruptions such as labor disputes or natural disasters, the authors find that firms can be very resilient to cyber disruptions.Research limitations/implications – The validity of the approach is limited by the accuracy of par...

A System-Aware Cyber Security architecture

As exemplified in the 2010 Stuxnet attack on an Iranian nuclear facility, attackers have the capabilities to embed infections in equipment that is employed in nuclear power systems. In this paper, a new systems engineering focused approach for mitigating such risks is described. This approach involves the development of a security architectural formulation that integrates a set of reusable security services as an architectural solution that is an embedded component of the system to be protected. The System-Aware architectural approach embeds security components into the system to be protected. The architecture includes services that (1) collect and assess real-time security relevant measurements from the system being protected, (2) perform security analysis on those measurements, and (3) execute system security control actions as required. This architectural formulation results in a defense that is referred to as System-Aware Cyber Security. This includes (1) the integration of a diverse set of dynamically interchangeable redundant subsystems involving hardware and software components provided from multiple vendors to significantly increase the difficulty for adversaries by avoiding a monoculture environment, (2) the development of subsystems that are capable of rapidly changing their attack surface through hardware and software reconfiguration (configuration hopping) in response to perceived threats, (3) data consistency checking services (e.g., intelligent voting mechanisms) for isolating faults and permitting moving surface control actions to avoid operations in a compromised configuration, and (4) forensic analysis techniques for rapid post-attack categorization of whether a given fault is more likely the result of an infected embedded hardware or software component (i.e., cyber attack) or a natural failure. In this paper we present these key elements of the System-Aware Cyber Security architecture and show, including an application example, how they can be integrated to mitigate the risks of insider and supply chain attacks. In addition, this paper outlines an initial vision for a security analysis framework to compare alternative System-Aware security architectures. Finally, we summarize future research that is necessary to facilitate implementation across additional domains critical to the nations interest.

Integrated peer-to-peer applications for advanced emergency response systems. Part I. Concept of operations

The catastrophes of September 11, 2001 put Arlington Countys emergency response system to the test. They revealed capabilities and limitations otherwise overlooked during previous standard emergency response assessments. There were three key issues in the response to 9/11 that are recurring in jurisdictions across the nation: 1) reliance on voice-oriented communications; 2) limited situational awareness; and 3) lack of interoperability. A concept of operations integrating current commercially available technology in a system designed for the emergency response coordinator addresses these issues. To visualize this concept, a graphical user interface that displays the required functionalities described in the concept of operations is presented. High-ranking emergency response personnel from Arlington County, Virginia have conveyed that this solution is, indeed, feasible. The next step towards implementation includes exploring peer-to-peer networks in integrating the technologies described.

Adaptive Two-Player Hierarchical Holographic Modeling Game for Counterterrorism Intelligence Analysis

Intelligence gathering and analysis for countering terrorism is a vital and costly venture; therefore approaches need to be explored that can help determine the scope of collection and improve the efficacy of analysis efforts. The Adaptive Two-Player Hierarchical Holographic Modeling (HHM) Game introduced in this paper is a repeatable, adaptive, and systemic process for tracking terrorism scenarios. It builds on fundamental principles of systems engineering, systems modeling, and risk analysis. The game creates two opposing views of terrorism: one developed by a Blue Team defending against acts of terrorism, and the other by a Red Team planning to carry out a terrorist act. The HHM process identifies the vulnerabilities of potential targets that could be exploited in attack plans. These vulnerabilities can be used by the Blue Team to identify corresponding surveillance capabilities that can help to provide warning of a possible attack. Vulnerability-based scenario structuring, comprehensive risk identification and the identification of surveillance capabilities that can support preemption are all achieved through the deployment of HHM.State variables, which represent the essence of the system, play a pivotal role in the Adaptive Two-Player HHM Game, providing an enabling roadmap to intelligence analysts. Indeed, vulnerabilities are defined in terms of the systems state variables: Vulnerability is the manifestation of the inherent states of a system (e.g., physical, technical, organizational, cultural) that can be exploited by an adversary to cause harm or damage. Threat is a potential adversarial intent to cause harm or damage by adversely changing the states of the system. Threat to a vulnerable system may lead to risk, which is a measure of the probability and severity of adverse effects.Each player in the Adaptive Two-Player HHM Game deploys the same modeling tools. This ensures that the results from different models can be compared and integrated. If the membership of different teams is drawn from groups with different value systems, skills, and experience, it can be expected that modeling results will differ. This should help to identify the appropriate mix of skills for a modeling team to develop a robust model. In addition, Bayesian analysis is central to the adaptive characteristics of the proposed methodology. Not only do new samples of evidence serve as likelihood functions to generate additional probabilities for given scenarios, but the probabilities associated with one scenario can be used as likelihood functions for other scenarios. This cross-updating process is further exploited by the construction of multiple decompositions, each representing a different perspective, e.g., geographical, functional, temporal. A food-poisoning scenario with Red and Blue Teams was developed to demonstrate the approach.

Assembling off-the-shelf components: "Learn as you Go" systems engineering

The process of developing new information systems has evolved from custom software development to assembly of off-the-shelf components. The change has significantly reduced both the costs and time to develop new capabilities, and as a notable result, e-business systems have been implemented at a very rapid pace. An assembly sequence (components to be assembled, corresponding dates and costs) has several risks including: 1) technical risk: successful (or not) function of assembled components by planned schedule milestones; 2) operational risk: achieving (or not) the desired business value by using the new system of assembled components; and 3) programmatic (schedule and cost) risks: accomplishing the assembly within time and budget constraints. As assembly proceeds, estimates of technical performance and operational value at the time of system completion can be adjusted, and one should consider what early milestones of component assembly suggest about later milestones. The technical community can be both hesitant to reveal and ascertain the results of combining off-the-shelf products into a working system, and it is typical to have significant cost and schedule overruns due to technical problems that are discovered late in system assembly. The operational community can be surprised by the results achieved in applying new capabilities, causing significant changes to what was originally desired from a new system. This paper presents a framework for planning and adjusting milestone sequences in assembling off-the-shelf software components. The framework balances technical and operational risks within established cost and time constraints.

Toward Agile and Resilient Large-Scale Systems: Adaptive Robust National/International Infrastructures

How to manage or control a heterogeneous, widely dispersed, yet globally interconnected system is a serious technological problem in any case. It is even more complex and difficult to control it for optimal efficiency and maximum benefit to the ultimate consumers while still allowing all its business components to compete fairly and freely.This paper briefly describes our on-going work in our holistic approach to analysis of the national and global infrastructure development that builds on advances in the mathematics of complexity, methods of probabilistic risk assessment and techniques for fast computation and interactive simulation with the goal of increased agility and resilience for large-scale systems.As an example, a model and simulation of the “Electric Enterprise” (taken in the broadest possible sense and connected to telecom, water, oil/gas and financial networks) have been developed. The model uses autonomous, adaptive agents to represent both the possible industrial components, and the corporate entities that own these components. Objectives are: 1) To develop a high-fidelity scenario-free modelling and optimization tool to use for gaining strategic insight into the operation of the deregulated power industry; 2) to show how networks of communicating and cooperating intelligent software agents can be used to adaptively manage complex distributed systems; 3) to investigate how collections of agents (agencies) can be used to buy and sell electricity and participate in the electronic marketplace; and ultimately to create self-optimizing and self-healing capabilities for the electric power grid and the interconnected critical infrastructures.From a broader view, we have integrated these into a composite analysis technique, these advances raise an unprecedented new possibility for projecting the future implications—social, economic, environmental, human health, political, and technical—of major societal development activities and technology programs for nations individually and the world as a whole. Taken together, they promise both a real-time outlook and a future perspective on the spectrum of outcomes that might result from alternative national decision pathways. Such projection capability could reveal the development options, results, and implications for any strategy for any type of nation, whether primitive, underdeveloped, developing, or industrial. Forcing functions, critical junctures, and pinch points could be identified so that scarce development resources can be allocated to maximize benefit and minimize unintended consequences. The full realization of this next step in analysis of technology will require several years of dedicated international effort, but the need is urgent and the potential payoff great. The technical—and organizational—underpinnings for such a holistic analysis approach have been demonstrated. It remains for us to build from them a global tool for a better future.

System-Aware Cyber Security

In this paper we outline the need for a new systems engineering architecturally focused approach for addressing the growing threats of debilitating cyber attacks: System-Aware Security. This novel security architecture resides at the application layer and is based on smart reusable system security services. We layout an initial vision for this architectural formulation and show how it can potentially enhance the security of systems by complementing the traditional perimeter security model. In addition, we outline an ongoing research activity involving the development of an initial application for a specific System-Aware Security architecture embedded in a command and control system. The architecture includes three interactive situational adapting smart reusable security services: data continuity checking, configuration hopping, and honey pots. Finally, we describe how these services could be converted into reusable design patterns to stimulate reuse in additional systems.

The integration of diversely redundant designs, dynamic system models, and state estimation technology to the cyber security of physical systems

As exemplified in the 2010 Stuxnet attack on Iranian nuclear facilities, cyber attackers have capabilities to embed disruptive infections into equipment that is employed within physical systems. This paper presents a cyber security design approach that addresses cyber attacks that include modification of operator displays used for support in managing software controlled automated systems. This class of problems is especially important because our nations critical infrastructures include such systems. In addition, many other systems, such as surveillance systems, navigation systems, and communications systems, are candidates for such solutions as they continue to become more and more automated. The suggested design approach builds upon fault–tolerant and automatic control system techniques that, with important and necessary modifications, are the basis for providing improved cyber security. In particular, the appropriate combination of diversely redundant security designs coupled with system dynamics models and state estimation techniques provide a potential means for detecting purposeful adjustments to operator displays. This paper provides a theoretical approach for designing such solutions and a corresponding set of examples with simulation–based results. In addition, the paper includes a discussion of important implementation requirements for greater assurance of such physical system security solutions.