Cybersecurity R&D briefing

Date post: 22-Jan-2015
1. Cybersecurity for CIP: Cybersecurity R&D Needs
Based on GAO Report GAO-04-321, Technology Assessment: Cybersecurity for Critical Infrastructure Protection
Presented by Naba Barkakati, Ph.D., Center for Technology and Engineering, U.S. Government Accountability Office

2. Outline
- Background
- Cybersecurity R&D agendas
- Sampling of current research
- Research areas that need attention
- Longer term research needs
- Discussions

3. Background
GAO's assessment of the use of cybersecurity technologies for CIP addresses the following questions:
1. What are the key cybersecurity requirements in each of the critical infrastructure protection sectors?
2. What cybersecurity technologies can be applied to critical infrastructure protection? What technologies are currently deployed or currently available but not yet widely deployed for critical infrastructure protection? What technologies are currently being researched for cybersecurity? Are there any gaps in cybersecurity technology that should be better researched and developed to address critical infrastructure protection?
3. What are the implementation issues associated with using cybersecurity technologies for critical infrastructure protection, including policy issues such as privacy and information sharing?
GAO Report GAO-04-321, May 2004, http://www.gao.gov/new.items/d04321.pdf, TECHNOLOGY ASSESSMENT: Cybersecurity for Critical Infrastructure Protection

4. Sources of Cybersecurity R&D Agenda
1. Institute for Information Infrastructure Protection (I3P), Cyber Security Research and Development Agenda (Jan. 2003)
2. INFOSEC Research Council, Information Assurance R&D Strategy: National Needs and Research Programs (July 2, 2002)
3. NSF/OSTP, New Vistas in CIP Research and Development: Secure Network Embedded Systems, Report of the NSF/OSTP Workshop on Innovative Information Technologies for Critical Infrastructure Protection (Sept. 19-20, 2002)
4. National Security Telecommunications Advisory Committee (NSTAC), Research and Development Exchange Proceedings: Research and Development Issues to Ensure Trustworthiness in Telecommunications and Information Systems That Directly or Indirectly Impact National Security and Emergency Preparedness (Mar. 13-14, 2003)
5. National Research Council, Trust in Cyberspace (Washington, D.C.: National Academy Press, 1999)

5. Typical Research Areas Identified in Research Agendas (research area: description)
- Building secure systems from insecure components: Biological metaphors (autonomic); Intelligent microsystems.
- Correction of current vulnerabilities: Tools and techniques to help system administrators fix current vulnerabilities; Human factors in security.
- Denial-of-service attacks: Identify and deter denial-of-service and distributed denial-of-service attacks.
- Detection, recovery, and survivability: Prediction of events; Reconstitution of system of systems; Autonomic computing; Global network surveillance and warning (similar to public health surveillance).
- Law, policy, and economic issues: Market issues; Standards; Tradeoffs.
- Security engineering tools and techniques: Tools and methods for building more secure systems; Architecture for improved security; Formal methods; Programming languages that enforce security policy; Generative programming.
- Security metrics: Data to support analysis; Metrics and models for economic analysis, risk analysis, etc.; Technical metrics to measure strength of security.
- Security of foreign and mobile code: Ability to confine and encapsulate code; Tamper-proof software.
- Security of network embedded systems: Security of real-time control systems such as SCADA.
- Security policy management: Maintain a defined risk posture; Protect a defined security perimeter.
- Traceback, forensics, and attribution of attacks: Correct attribution and retribution; Automatic counterattack.
- Trust models for data and distributed applications: Peer-to-Peer (P2P) security; Establishing trust in data.
- Vulnerability identification and analysis: Automated discovery and analysis of vulnerabilities; Code scanning tools; Device scanning.
- Wireless security: Device and protocol level wireless security; Monitoring wireless network; Addressing DDoS attacks in wireless networks.
6. Some Comments on Current Research
- Focus is often on short-term results and rapid transition to products, so high-risk theoretical and experimental investigations are not always encouraged and researchers avoid taking broad, system-wide views.
- Typical complaint: too many research agendas, not enough action.
- Comment: research topics are too often narrowly defined and focus on topics that are most likely to get funded.
- Transition from university research into products can be time-consuming and there is no well-defined approach (SEMATECH model).
- Comment: if cybersecurity is important to national security, it may be appropriate to adopt the DoD R&D model where postulated threat models drive R&D in a progression from basic research through exploratory development, ending in government-funded engineering development of products and systems.

7. Sampling of Current Research Topics (control category: research topics)
- Access controls: Biometric access using facial recognition; Role-based access control.
- System integrity: Storage devices that can detect changes to critical files; Network interfaces that can throttle worm/virus propagations; Software analysis for vulnerability detection; Code integrity verification; Proof-carrying code.
- Cryptography: PKI for communications and computational security; Certification authority with defense against denial-of-service attacks; Quantum cryptography; Quantum key distribution.
- Audit and monitoring: High-speed network monitoring for worm/virus detection; Emergent behavior detection; Honeynets to entice and deceive would-be attackers.
- Configuration management and assurance: Survivable systems; Trusted computing; Evaluation and certification of systems.
8. Cybersecurity Research Areas That Need Continuing Attention (research area: description)
- Vulnerability identification and analysis: Techniques and tools to analyze code, devices, and systems in dynamic and large-scale environments.
- Composing secure systems from insecure components: How to build complex heterogeneous systems that maintain security while recovering from failures.
- Security metrics and evaluation: Metrics that express the costs, benefits, and impacts of security controls from multiple perspectives: economic, organizational, technical, and risk.
- Wireless security: Device and protocol level wireless security, monitoring wireless networks, and responding to distributed denial-of-service attacks in wireless networks.
- Socio-economic impact of security: Legal, policy, and economic implications of cybersecurity technologies and their possible uses, structure and dynamics of the cybersecurity marketplace, role of standards and best practices, implications of policies intended to direct responses to cyber attacks.
- Security for network embedded systems: Detect, understand, and respond to anomalies in large, distributed SCADA networks that are prevalent in electricity, oil, gas, and water sectors.

9. Some Research Areas Already Receiving Attention
- NSF program: cybersecurity research in areas such as trustworthy computing technology, evaluation and certification methods, efforts to prevent denial-of-service attacks, and long-term data-archiving technology; also includes multidisciplinary research that covers the social, legal, ethical, and economic aspects of cybersecurity.
- DHS Science and Technology Directorate: planned/ongoing programs in the following areas: prevention and protection against attacks; monitoring, attack detection and response; mitigation of effects, remediation of damage, and recovery; and forensics and attribution.
- Other DHS research programs: infrastructure security (network protocols and process control systems) and foundations for cyber security (economic assessment activities, large scale data sets for testing).
- Recognize that Federal R&D program managers face tough choices because there are many R&D needs vying for a limited amount of R&D dollars.

10. Need for Longer-term Research
- Anticipate dramatic growth in the use of computing and networks.
- Need options for securing Web Services and other complex, interconnected computing systems, and for ensuring that they will be reliable, highly available, self-managed, and self-repairing after disruption.
- Protect privacy but resolve the quandary that the same technologies that can protect private data may also help criminals and terrorists. Need both technical as well as legal and social advances.
- Many cite the Internet itself as a problem because it was created by a cooperative, mutually trusting research community, and was designed with file transfers as its primary mission.

11. Sampling of Long-Term Research Areas (research area: description)
- Privacy: Better tools for ensuring the privacy of sensitive information; Legal basis of privacy in an era of computer networks; Emergence of new social patterns disruptive of traditional property ownership rules; Technologies to enforce privacy.
- Fault-tolerance: Technologies for embedding fault-tolerance into the major commercial platforms, such as Web services.
- Scalability: Managing systems that may include thousands or tens of thousands of machines. Progress in this area would reduce the cost of operating large systems.
- New monitoring capabilities: New techniques for monitoring distributed applications, for diagnosing problems such as denial-of-service attacks and for reacting when problems occur.
- Self-management: Technology for deployment of large numbers of machines without a great deal of management and control by humans.
- Self-healing: Technology for diagnosing the problem and carrying out an automated repair of systems that are damaged because of mundane problems or cyber attacks. This is a hard problem, because problems build on one another to produce a large number of symptoms that may vary greatly despite their common root cause.
- Rearchitecting the Internet: Revisit the core architecture of the Internet, moving from a single network for all uses model to one in which network connections might be portals to a small number of side-by-side networks, sharing the same hardware infrastructure but offering different properties. Development of such a capability will require many years of research but could ultimately provide better options for cybersecurity and robustness.

12. Discussions, Contact Information
- To download/view the GAO report, visit GAO's Web site (www.gao.gov).
- To order a copy, call 202-512-6000 (first copy is free, additional copies $2 each).
Contact Information: Naba Barkakati, Ph.D., Center for Technology and Engineering, ARM, U.S. Government Accountability Office, 441 G St NW, Room 6K17G, Washington, D.C. 20548. Phone: 202-512-4499. Fax: 202-512-5939. E-mail: [email protected]

