Schneier on Security
A blog covering security and security technology.
« Applying Game Theory to Cyberattacks and Defenses |
| Sending Coded Messages with Postage Stamps »
January 2, 2012
Allocating Security Resources to Protect Critical Infrastructure
Alan T. Murray and Tony H. Grubesic, "Critical Infrastructure Protection: The Vulnerability Conundrum," Telematics & Informatics, 29 (February 2012): 5665 (full article behind paywall).
Abstract: Critical infrastructure and key resources (CIKR) refer to a broad array of assets which are essential to the everyday functionality of social, economic, political and cultural systems in the United States. The interruption of CIKR poses significant threats to the continuity of these systems and can result in property damage, human casualties and significant economic losses. In recent years, efforts to both identify and mitigate systemic vulnerabilities through federal, state, local and private infrastructure protection plans have improved the readiness of the United States for disruptive events and terrorist threats. However, strategies that focus on worst-case vulnerability reduction, while potentially effective, do not necessarily ensure the best allocation of protective resources. This vulnerability conundrum presents a significant challenge to advanced disaster planning efforts. The purpose of this paper is to highlight the conundrum in the context of CIKR.
Posted on January 2, 2012 at 12:33 PM
• 9 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
"... strategies that focus on worst-case vulnerability reduction, while potentially effective, do not necessarily ensure the best allocation of protective resources."
In many parts of the world, "critical infrastructure and key resources" are owned and operated by publicly-owned corporations. In such corporations, one must be prepared to show very clear, precise economic returns on resource allocation to executive-level decision-makers.
Sort of like showing me why I should spend my hard-earned $0.99 to rent the article for 24 hours or purchase it for $24.95 .
It's an interesting point though - who pays for this?
If a municipality had a new bridge built and the contractor included a $Bn in the quote for an airforce to protect it from enemy attack they would be laughed at.
Yet they are supposed to pay to protect a water treatment plant from enemy hackers.
While they are paying taxes for an airforce to protect it from much less likely fleets of enemy bombers.
the correct way to protect the water plant from enemy hackers is to not hook it up to the internet.
I have no idea why so many think everything has to be hooked to the internet. What's the benefit here? Those who operate the plant should be inside it, and able to fix problems when something goes wrong. If it needs remote monitoring, there are many ways to do that without the internet (they've been used for decades).
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.