http://www.thei3p.org/rss/index.html en-us webmaster@thei3p.org From: ACM TechNews Issue: Apr. 18, 2007 Dartmouth is set to receive more funding from the U.S. Department of Homeland Security that will enable its Cyber Security Collaboration and Information Sharing Project to further study cyber security. The Institute for Information Infrastructure Protection (I3P) will receive $8.7 million to conduct new studies on insider threats, privacy protection, and the economics of cyber security, and the Institute for Security Technology Studies (ISTS) will receive $3 million and continue its research into security and privacy matters. "ISTS is excited to initiate several research projects that will develop cutting-edge technologies, including sensor networking, autonomic computing, video forensics, and public-key infrastructure," says ISTS executive director David Kotz. "Addressing real-world problems related to cyber security and infrastructure requires a multidisciplinary approach," says I3P Chair Martin Wybourne. "The unique character of the consortium enables faculty and students from many disciplines to join forces to further our understanding of the issues." Both institutes will also put some of the funds toward educational programs, seminars, and workshops for students. http://technews.acm.org/archives.cfm?fo=2007-04-apr/apr-18-2007.html#307719 From: ACM TechNews Issue: Apr. 18, 2007 Dartmouth is set to receive more funding from the U.S. Department of Homeland Security that will enable its Cyber Security Collaboration and Information Sharing Project to further study cyber security. The Institute for Information Infrastructure Protection (I3P) will receive $8.7 million to conduct new studies on insider threats, privacy protection, and the economics of cyber security, and the Institute for Security Technology Studies (ISTS) will receive $3 million and continue its research into security and privacy matters. "ISTS is excited to initiate several research projects that will develop cutting-edge technologies, including sensor networking, autonomic computing, video forensics, and public-key infrastructure," says ISTS executive director David Kotz. "Addressing real-world problems related to cyber security and infrastructure requires a multidisciplinary approach," says I3P Chair Martin Wybourne. "The unique character of the consortium enables faculty and students from many disciplines to join forces to further our understanding of the issues." Both institutes will also put some of the funds toward educational programs, seminars, and workshops for students. http://technews.acm.org/archives.cfm?fo=2007-04-apr/apr-18-2007.html#307719 Article in Connecticut Valley Spectator. v. 6, issue 16 (April 19, 2007)p. A7 null The U.S. Department of Homeland Security recently approved an $11.7 million funding increase for Dartmouth's Cyber Security Collaboration and Information Sharing Project. The award, which will be divided between two Dartmouth institutes, will provide $8.7 million to the Institute for Information Infrastructure Protection (I3P) and $3 million to the Institute for Security Technology Studies (ISTS). http://www.dartmouth.edu/~news/releases/2007/04/13.html More than 60 researchers from 12 different countries gathered at Dartmouth for a three-day academic conference on cyber security last week. The brand-new event gave attendees the opportunity to review papers and listen to speakers discuss the need to protect critical computer systems from cyber-terrorism.- article from the The Dartmouth. http://www.thedartmouth.com/article.php?aid=2007032701040#emailarticle This week, the world's leading experts in electronic information are meeting at Dartmouth to discuss the critical infrastructure that keeps these systems working. We talk about how vulnerabilities can affect everything from banking to transportation to oil pipelines, and what researchers say are the new frontiers in protecting the world's information infrastructure. This is an interview with Sy Goodman -I3P Member representative from Georgia Tech, and Charles Palmer- I3P Research Director. http://www.vpr.net/vt_edition/index.shtml On Monday, March 19, more than 60 leading researchers from around the world will convene on Dartmouth's campus for an intense three-day conference to address growing security concerns facing critical infrastructures, notably the electronic communications networks and physical systems on which most nations depend. http://www.dartmouth.edu/~news/releases/2007/03/16.html n early January, Charles C. Palmer, Chief Technology Officer of Security and Privacy at IBM's Thomas J. Watson Research Center, was named Director of Research for Dartmouth's Institute for Information Infrastructure Protection. "Charles brings to Dartmouth and the I3P a balanced perspective on cyber security issues that will benefit the coordination and impact of the I3P's work. Charles is also deeply interested in education and will be a wonderful asset to Dartmouth students. I very much look forward to working with him." said Martin Wybourne, vice provost for research at Dartmouth and chair of the I3P. Palmer will work closely with Wybourne and I3P member institutions to raise awareness of cyber security issues among decision makers and industry leaders and to draw national attention to the consortium's accomplishments. Eventually, he will help develop new avenues of research and also coordinate the activities of the I3P with other national efforts. "The I3P is a diverse, talented resource in the critical realm of cyber security," says Palmer. "With members drawn from universities, non-profit research organizations, and U.S. national laboratories, the institute brings an unparalleled perspective to cyber security. I can't think of a better collection of people to work with on such complex, pressing issues." An internationally recognized expert in the areas of cyber security and privacy-related technology, Palmer brings impressive technical skills to the I3P. For the past six years, he has managed the security, networking, and privacy departments at IBM Research and coordinated the company's security efforts worldwide. Palmer is also a sought-after public speaker who lectures frequently on network security around the world. "One of my passions," he says "is education. Dartmouth, with its reputation for incredible teaching and for hiring faculty and staff who really care about students, is a great place to be." The new director is also passionate about respecting privacy concerns while working to improve cyber security. "In the rush toward improving security," he says, "we have to be careful to respect the privacy of individuals. Maintaining a reasonable balance between security and privacy is not only possible but necessary." When asked what else drew him to the I3P, he adds, "I was impressed by the quality of the research and by the group's commitment to problem solving. The researchers not only have a sense of real-world issues, which I admire, but they bring a multi-disciplinary approach to their work. As a result, they have a raft of impressive security tools and best practices under development. Active in the broader cyber community, Palmer is a member of the Institute of Electrical and Electronics Engineers' Security and Privacy Magazine editorial board and also serves on the U.S. Department of Homeland Security's Data Privacy and Integrity Advisory Board. He has a bachelor's degree from Oklahoma State University, a master's degree in computer science from Tulane University and a Ph.D. from Polytechnic University in Brooklyn, New York. http://www.dartmouth.edu/~news/releases/2007/01/29.html Somewhere in the world, a cyber terrorist punches keys on a laptop, his attention focused on a pipeline thousands of miles away. Operating via public computer networks, the stealth terrorist successfully hacks into the network of a petroleum transport company, gaining control of a set of flow valves. Hazardous material is released that forces the evacuation of a nearby town and results in an expensive cleanup. To specifically address the urgent need for security technologies in the oil and gas industry, the I3P announced today that it will hold a two-day workshop in Houston, Texas on February 15 and 16, 2007. A multidisciplinary team of experts will present an overview of hypothetical cyber attacks on critical infrastructures and also demonstrate new tools that can prevent, detect and respond to future cyber intrusions. The workshop is intended for a broad audience of control systems engineers, operators, information and security officers and vendors, as well as security experts from government, industry associations and academia. Participants are expected to walk away with a greater understanding of potential risks to process control systems, system interdependencies, and the tools and technologies for ensuring secure systems. http://www.thei3p.org/repository/pcspressrel012207.pdf null http://www.thei3p.org/about/i3pcybersecforum.html Joost R. Santos, Yacov Y. Haimes, Chenyang Lian have recently submitted an article to the I3P. Abstract: Critical infrastructures (e.g., transportation, telecommunications, power, banking, etc.) are highly complex and interconnected. These interconnections take the form of flows of information, shared security, and physical flows of commodities, among others. In recent years, economic and infrastructure sectors have become increasingly dependent on networked information systems for efficient operations and timely delivery of products and services. In order to ensure the stability, sustainability, and operability of our critical economic and infrastructure sectors, it is imperative to understand their inherent physical and economic linkages, in addition to their cyber interdependencies. The inoperability input-output model (IIM) is a transformation of the classic Leontief model used for modeling: (1) the steady-state economic effects triggered by a consumption shift in a given sector (or set of sectors); and (2) the resulting ripple effects to other sectors. In the IIM, the inoperability metric is calculated for each sector; this is achieved by converting the economic impact (typically in monetary units) into a percentage value relative to the size of the sector. Disruptive events such as terrorist attacks, natural disasters, and large-scale accidents have historically shown cascading effects on both consumption and production. Hence, a dynamic I-O model extends the current IIM to demonstrate the interplay between combined demand and supply impacts. The result is a foundational framework for modeling cybersecurity scenarios for the oil and gas sector. A hypothetical case study examines a cyber attack that causes a 5-week shortfall in the crude oil supply in the Gulf Coast area. https://www.thei3p.org/repository/uvametricspaper1106.pdf Dates: January 2007 – December 2007 PI: D. McGrath. Project Description: Natural and man-made catastrophes overwhelm the emergency response resources of the communities where they strike. Whether the result of industrial accidents, terrorist attacks, or natural disasters, large numbers of casualties may result. An effective response to catastrophic events requires that personnel at all levels of command, including community first responders, hospital personnel, state, federal, and private-sector participants, must be appropriately prepared. Simulations with responders in-the-loop provides a safe environment for rehearsing response plans and evaluating new technologies for incident command. This project seeks to develop synthetic environments that approximate the effects of catastrophic events (biological, nuclear, chemical), as well as the resources that emergency responders at all levels would apply in response to these events. The research will build on previous work in synthetic environment research for emergency response at ISTS. Models, data, and simulation frameworks (including game engines) will be employed to build multi-resolution simulations of catastrophic scenarios. By working with local and regional emergency response organizations, we will create data driven simulations that realistically represent the capabilities and limitations of catastrophic event responders. null Project Name: ARTEMIS Automated Remote Triage and Emergency Information Management System Dates: January 2007 – December 2007 PIs: S. McGrath, G. Blike, J. Buckey. Project Description: Mass casualty events, such as Hurricane Katrina, demonstrate the critical need for improved medical monitoring, assessment and tracking technologies. The Automated Remote Triage and Emergency Management Information System (ARTEMIS) project seeks to address this need through research, development and field-testing of critical path technologies to enhance situational awareness of medical decision makers (EMTs, scene commanders, definitive care sites, etc.). The ARTEMIS project focuses on protecting responders and improving patient care by providing relevant and timely information regarding the physiological state and location of monitored individuals. ARTEMIS research efforts to date have produced a personal monitoring hardware platform, automated triage and sensor data processing approaches and algorithms, handheld-based applications for field medical personnel, and a prototype command and control system for event management. The proposed work will leverage prior results to address the following outstanding critical path challenges: real-time physiological sensor data processing, classification and fusion; medical models for automated complex injury and resource constrained triage protocols; and multi-tier situational awareness approaches for high-pace environments. null Dates: July 2006 – August 2007 PI: Ray Balkom. Project Description: Robotic platforms offer the potential for increasing situational awareness through rapid emergency deployment of distributed remote sensors; augmenting navigation in urban environments; reducing hazards for human emergency responders; information gathering; and victim rescue or relief. One can envision corps of robots that are ubiquitous in emergency response assistance and management, expanding the capability of response coordinators and first responders to enhance situational awareness, while keeping people out of harm’s way. The proposed research advances the use of semi-autonomous and autonomous mobile robots towards this end by enabling such robots to perform automated terrain diagnostics and assess mobility. Such robots could be sent ahead of manned vehicles to map “trafficability” of terrain, plan routes, and relay information back to a convoy. This information will in turn enhance the on-board robot intelligence and ultimately will enable both manned and unmanned vehicles to avoid immobilization and safely negotiate off-road terrain and paved roads that may have been damaged by landslides, mudslides, and flooding. null Project Title: MetroSense: scalable secure sensor systems Dates: September 2006 – September 2007 PIs:Andrew Campbell, David Kotz, George Cybenko. Project Description: Sensor networks will provide a foundation to protect and monitor our national infrastructure, including economically important businesses with global reach (e.g., stock markets), critical transport and industrial facilities, the enterprise, and the border. These tiny, low-cost wireless devices embed on-board sensing, are fully programmable, and can spontaneously form large sensor webs with thousands of distributed sensor devices. In this project, we will study, analyze, propose, deploy, and evaluate MetroSense, a radically different scalable secure sensor architecture and system capable of reliable real-time monitoring and data fusion for large-scale critical infrastructure, resources, and assets. MetroSense opportunistically leverages mobile sensors when available to deal with sparse coverage and communications when sensing. We plan to develop a campus-area sensing architecture based on three integrated components (sensing and communications, sensor security, and sensor fusion) and deploy the system incrementally across campus with the goal of using static and mobile sensors for reliable monitoring and data fusion of campus plant, spaces, and people flow. Results from this project will serve as a foundation for building secure sensor networks capable of monitoring large-scale critical infrastructure. null SPECIAL REPORT: Workshops identify threats to process control systems Recent industry workshops have identified the issues of cyber and physical security risks to process control systems (PCS). This article was published in Oil & Gas Journal- Vol. 104, Issue 38 (Oct. 9, 2006), Please note: You must be a subscriber to read the full article. http://www.ogj.com/currentissue/index.cfm?p=7&v=104&i=38 The I3P has announced a preliminary call for I3P 2007 Post-Doc Fellowship applications. http://www.thei3p.org/fellowships/2007postdoccallprelim.html With the opening of the I3P's new website, the public may order specific I3P publications online. http://www.thei3p.org/publications/order.html ISTS researchers set up an exercise at the recent GOVSEC conference. This article was published in Wired Magazine http://www.wired.com/wired/archive/14.10/posts.html?pg=2 he Georgia Tech Information Security Center (GTISC) today announced it is creating a partnership with BellSouth (NYSE: BLS - News) and Internet Security Systems (Nasdaq: ISSX - News) to explore security surrounding the emerging Voice over Internet Protocol (VoIP) technology. As communication services migrate to Internet-based platforms, it is important that the security and dependability users expect in the current public switched networks be maintained with these new converged technologies. At the GTISC VoIP Security Summit held in April 2005, GTISC initiated a dialogue with security and telecommunications industry leaders, including ISS and BellSouth, to proactively address security associated with this emerging technology. http://biz.yahoo.com/prnews/060927/clw029.html?.v=62 he Georgia Tech Information Security Center (GTISC) today announced it is creating a partnership with BellSouth (NYSE: BLS - News) and Internet Security Systems (Nasdaq: ISSX - News) to explore security surrounding the emerging Voice over Internet Protocol (VoIP) technology. As communication services migrate to Internet-based platforms, it is important that the security and dependability users expect in the current public switched networks be maintained with these new converged technologies. At the GTISC VoIP Security Summit held in April 2005, GTISC initiated a dialogue with security and telecommunications industry leaders, including ISS and BellSouth, to proactively address security associated with this emerging technology. http://biz.yahoo.com/prnews/060927/clw029.html?.v=62 February 15, 2007 - Houston, TX If you want to learn about cutting-edge findings and solutions for securing oil and gas control systems against cyber attacks, then you need to put this event on your calendar. Don't miss this new opportunity to hear about the latest research results from the I3P team! The previous I3P workshop held in June 2006 in California attracted great attendance and interest from oil and gas companies and their control system vendors and security providers. At this follow-up event in Houston on February 15, 2007, the I3P team will present and demonstrate their latest results and tools. This time the I3P is coming to the home of America 's oil and gas industry to further reach out to and support this critical infrastructure industry. The workshop will be held at the Sheraton Houston Brookhollow Hotel. More details about the event, including on-line registration, will become available here by November 15, 2006. We are looking forward to seeing you in Houston in February! For questions or more information, please contact: Eric Goetz, I3P Assistant Director for Research and Analysis (603) 646 0692 https://www.thei3p.org/research/scada/cscworkshop.html Submitted to Risk Analysis. This paper demonstrates the capability of the Inoperability Input-Output Model (IIM) to illuminate risk management tradeoffs through an example strategic preparedness process that requires the decomposition of regions and economic sectors and the integration of vulnerability analyses. Strategic preparedness in this paper connotes a decision process and its associated actions, implemented in advance of a natural or man-made disaster, aimed at reducing disaster consequences (e.g., recovery time and cost) and/or their likelihood to a level considered acceptable (through the decisionmakers’ implicit and explicit acceptance of various risks and tradeoffs). The result of the method enables regions to valuate various strategic preparedness options and to appreciate the inherent tradeoffs among those options. The methodology, which was inspired by Hurricanes Katrina and Rita and the lessons learned there from, is demonstrated through the use of the available databases collected by various agencies and groups. We account for some of the major impacts of these two hurricanes and illustrate hypothetical, reduced impacts resulting from various strategic preparedness decisions. Our analysis indicates the power of using the IIM--a well-defined modeling structure--to guide the decisionmaking processes involved in developing a preparedness strategy. null null http://www.thei3p.org/about/siedsconfpaper0606.pdf I3P Task 5 addresses crossdomain information sharing among the oil and gas sectors. A visible industry consensus illustrates a recognized need to share information at various levels and among various stakeholders of the industry. Crossdomain information sharing (CDIS) provides a means to securely share information among industry asset owners and vendors. Any information that can be used to prevent, recognize, and mitigate an attack on infrastructure systems proves valuable. A comprehensive CDIS design will best identify and address coordinated attacks on the oil and gas sector, and contribute to the identification of coordinated attacks on the national critical infrastructure. Knowledge gathered from industry at the I3P workshop in June, 2005 and in subsequent forums and surveys has provided the Task 5 team with the following set of requirements for information sharing in this industry. User anonymity with authentication Sharing of various types of data (best practices data, incident information, system status, surveillance data, and reference information) Alerting Controlled access to shared information Analysis capabilities Gaps identified in current information sharing solutions include the ability to provide anonymous yet authenticated communication, an automated and interactive analysis capability, controlled access to shared information, and a searchable database of incident information with forensic data and attack details. A CDIS design was developed by the Task 5 team to bridge the existing gaps in capabilities and technology and enable the sharing of information across various sectors of a user community. A CDIS proof of concept is being developed by the I3P team, demonstrating a subset of overall requirements and addressing specific, identified gaps. This proof of concept will facilitate anonymous reporting of critical incident information by authenticated members of the asset owner and vendor community, analysis and storage of that information, and communication of analysis output back to the user community. Information will be shared based on releasability rules and protected from unauthorized access or disclosure. https://www.thei3p.org/about/researchreport8.pdf Cybersecurity in the Extended Enterprise Over a period extending from December 2004 to August 2005 we interviewed 13 information security (“InfoSec”) and supply chain executives at a Fortune 500 manufacturing firm (“Host”) with plants and sales worldwide, members from its electrical and auto BUs, and 14 similar executives and directors at seven of its suppliers. The field study was designed to understand how firms assess and manage information security risk, and the risks the host firm faced as a result of using the IT infrastructure to integrate its supply chain. Below we break out the learnings by theme; here we note the key takeaways (current as of the time of the interviews): The host is adopting information security measures that are effective with coping with present threats such as worms/virii, web site hacking, and break-ins. As of the time of the interviews, the host was not considering the InfoSec implications of every new IT-enabled business initiative. The host has few critical IT integrations with business partners, leading us to conclude that the host’s internal IT infrastructure is at low risk due to the compromise of an extended enterprise partner. We believe there is a good chance that this situation is different today, due to the outsourcing of many core logistics functions in the Auto BUs. None of the supply chains of the interviewed suppliers were at risk from internet disruptions. This includes very large to very small suppliers by size. The most noticeable effect from the supplier’s point of view would be an impact on customer service due to the unavailability of email. With one exception, suppliers had an appropriate level of information security as judged by their cyber-hygiene record (i.e., no virii, break-ins, or website defacements in the past year). Cyberevents at the exception did not The host has considerable power to drive increased InfoSec capability in its supply chain by directly asking for capabilities, or merely suggesting by making an InfoSec practices and capabilities questionnaire part of the contract process. In comparison with firms interviewed as part of this and similar studies in other sectors, the host is above average in its organizational commitment to and achievement with regard to information security. While larger firms tend to have more structured means for managing information security, they are not necessarily “better” at information security as measured by the number of successful attacks. Of the InfoSec management paradigms seen during this field study, a “systemic” paradigm used at supplier D was the best at identifying and managing the risk to business continuity from an InfoSec event. https://www.thei3p.org/about/cdscasestudy0606.pdf A June 2006 update on the I3P sponsored PCSS research project is now available. http://www.thei3p.org/about/scadaonepagedesc0606.pdf The I3P has selected Kenneth Crowther (University of Virginia), Ruy DeOliveria (Purdue University), and Sean Peisert (University of California, Davis) as the 2007-2008 I3P Post-Doctoral Fellows. To learn more about the Fellows and their projects, please follow the link provided. http://www.thei3p.org/education/participants.html This is a 2 page update on the I3P Cyber Security Economics Project. http://www.thei3p.org/research/economics/econ1pager0606.pdf In March, the I3P launched a major SCADA Security research project involving 10 organizations, 6 goals, and $8.5 million over a two year period. This is one of the largest and most exciting efforts to date. Speakers on August 11 included Robert Cunningham (MIT Lincoln Laboratory) and George Cybenko (Thayer School of Engineering, Dartmouth College). null The need for simple tools to measure the benefits of cyber security enhancements was ranked as the number one imperative among security leaders at Fortune 500 firms, according to a report published by the Institute for Information Infrastructure Protection (I3P) and the Tuck School of Business's Center for Digital Strategies (CDS) The report, entitled "Embedding Information Security Risk Management into the Extended Enterprise," summarizes the findings from a workshop co-hosted by CDS and I3P in March 2006. In the workshop, chief information security officers (CISOs) from Fortune 500 firms—including 3M, Align Technology, Bank of America, Bose, BP, Cisco Systems, Colgate, Dell, Dow Chemical, Eastman Chemical, Eaton, Hewlett-Packard, IBM, Lowe's, Medtronic, Staples, Time Warner Cable, and the U.S. Army—debated the challenges of organizing for security. Executives discussed how to embed security into the organization, touching on issues of organizational structure and culture; measurement; and investment. The objective was to develop an action plan for the next 12-18 months. http://www.dartmouth.edu/~news/releases/2006/06/07.html Workshop to focus on infrastructure protection for oil & gas industry I3P to showcase initial results of $8.5 million research and technology development initiative LA JOLLA, CALIF.-- Process control systems security for the oil and gas industry is the topic of a workshop to be conducted by the Institute for Information Infrastructure Protection Thursday, June 8, in conjunction with the spring meeting of the Process Controls System Forum June 6-7 in La Jolla, Calif. Known as I3P, the institute is offering the workshop as part of an $8.5-million research initiative to help protect process control systems for the oil and gas industry and other critical infrastructure sectors. The program will demonstrate the initiative's initial results and will demonstrate new tools and technologies that industry can use to help secure their process control systems. The workshop also will provide a forum for practitioners to define industry requirements, help guide future research efforts and develop opportunities for technology transfer. Attendance is free with registration to the PCSF meeting. One-day registration for June 8 is $100. See the I3P web site http://www.thei3p.org/scada/workshop2/ for details. The workshop is designed for control systems engineers, operators and managers, including chief information, security, and information security officers; control systems security experts from government, industry associations and academia; and vendors of control systems, security systems and services, information technology and communications for the oil and gas sector. The research initiative began in spring 2005 and is being conducted by a team of 10 I3P member institutions. There are several objectives: understand and characterize vulnerabilities and threats affecting process control systems; develop metrics and models for the assessment and management of control systems security; and develop tools and technologies to enable next-generation control systems with built-in security. The I3P is a consortium of academic institutions, federally funded laboratories and non-profit organizations that brings together experts to identify and help mitigate threats aimed at the U.S. information infrastructure. The consortium is managed by Dartmouth College and funded by the Department of Homeland Security and the National Institute of Standards and Technology. The research team includes security specialists from Dartmouth College, the University of Illinois Urbana-Champaign, MIT Lincoln Laboratory, the MITRE Corporation, New York University, Pacific Northwest National Laboratory, Sandia National Laboratory, SRI International, the University of Tulsa and the University of Virginia. Release date: May 9, 2006 CONTACTS Judith Graybeal Media Relations Pacific Northwest National Laboratory (509) 375-4351 graybeal@pnl.gov Susan Knapp Public Affairs Dartmouth College (603) 646-3661 Susan.E.Knapp@Dartmouth.edu https://www.thei3p.org/scada/workshop2/ Eva Andrijcic and Barry Horowitz will have an article entitled "A Macro-Economic Framework for Evaluation of Cyber Security Risks Related to Protection of Intellectual Property" published in a upcoming issue of Risk Analysis. ABSTRACT: The paper is based on the premise that, from a macro economic viewpoint, cyber attacks with long lasting effects are the most economically significant, and as result require more attention than attacks with short lasting effects that have historically been more represented in literature. In particular, the paper deals with evaluation of cyber security risks related to one type of attack with long lasting effects, namely, theft of intellectual property by foreign perpetrators. An International Consequence Analysis Framework (ICAF) is presented to determine 1) the potential macro-economic consequences of cyber attacks that result in stolen intellectual property (IP) from companies in the United States (US), and 2) likely sources of such attacks. The framework presented focuses on IP theft that enables foreign companies to make economic gains that would have otherwise benefited the US economy. Initial results are presented. null I3P Research Report no. 6 - " I3P Preliminary Risk Characterization Report" is now available. Developed under Institute for Information Infrastructure Protection (I3P) Risk Characterization Effort, this white paper discusses risk characterization for SCADA operations in the oil and gas industry and summarizes major concerns voiced at the I3P Workshop held in June, 2005. The purpose of this risk characterization effort is to combine experience and viewpoints from industry asset owners, vendors, and government, with known technical threat and vulnerability data in an effort to develop a more comprehensive picture of the risks associated with cyber-threats against SCADA systems in critical infrastructure sectors. In this paper, risk is characterized in terms of identifying threats, recognizing common vulnerabilities in SCADA systems, consequences, and identifying measures effective in protecting these architectures. Impacts on business created by cyber security incidents are recognized, providing a realistic view of effects on operations, personnel, the organization, and the national critical infrastructure. Data utilized in characterizing risks to SCADA systems include technical knowledge from SCADA researchers, stakeholder perspectives from the workshop, and gap analyses performed by I3P activities. Understanding and characterizing this risk enables the development of strategies for preventing, detecting, mitigating, and recovering from cyber-security incidents with focused and defined objectives. This characterization can be used by industry as a starting point to assess major areas of concern in their own operations, the possible consequences of an attack, and the return on investment of implementing defenses, thereby aiding in protection of the national critical infrastructure. http://www.thei3p.org/about/researchreport6.pdf Guanling Chen and Robert S. Gray recently published a paper as part of the proceedings of InfoScale to be held in May 2006. Guanling Chen is a former I3P Fellow now at the University of Massachusetts Lowell. http://www.thei3p.org/about/chengray306.pdf This is a new publication written by Andy Ozment, Stuart E. Schechter, and Rachna Dhamiji, researchers at MIT Lincoln Laboratory, and produced in conjunction with the the I3P sponsored Economics Project. https://www.thei3p.org/research/scada/Ozmentpaper22106.pdf The I3P recently released three new reports as part of their Research Report series. The reports are Research Report no. 3 "Process Control System Security Technical Risk Assessment : Analysis of Problem Domain"; Research Report no. 4 "Requirements for Cross Domain Information Sharing Within SCADA Environments (Including Use Cases)"; and Research Report no. 5 "I3P Economics Project Workshop Report". Links to these reports are available on the I3P Publications page. https://www.thei3p.org/about/publications.html The I3P SCADA Project was described on page 6 of the January 9, 2006 issue of Natural Gas Week. This article is "pay-for-view" and may be accessed by searching 'I3P' at the Energy Intelligence site. http://www.energyintel.com Program Description - The Institute for Information Infrastructure Protection (I3P) seeks to advance its national research agenda through a research fellowship program. The I3P fellowship program helps to build a nationwide cadre of investigators focused on critical research challenges and provides expanded research opportunities at I3P Consortium member institutions. http://www.thei3p.org/fellowships/index.html Indiana plans to launch its Northwest Indiana Computation Grid in January 2006, linking research facilities at Purdue University, University of Notre Dame, Argonne National Laboratory in Chicago, and other government facilities. The grid hooks into Notre Dame's plans for a research computing center and Purdue's Cyber Center. The grid gained support from Senator Richard Lugar (R-IN) and Representative Visclosky (D-IN) for $6.5 million in Energy Department funding as a tool for homeland security research. http://www.fcw.com/article91840-01-03-06-Web&RSS=yes This report has been published as number 2 in the I3P Research Report series. Written by Rae Zimmerman, Jeffrey S. Simonoff, and Carlos E. Restrepo (Institute for Civil Infrastructure Systems, New York University) - This report analyzes international terrorist attacks using a database from the National Memorial Institute for the Prevention of Terrorism (MIPT) which includes information about terrorist attacks from all over the world affecting all sectors, including oil and gas. The report looks at annual data for the period 1990-2005 with a special emphasis on attacks occurring in countries with the highest number of attacks during this period. Section 1 provides an introduction to the report. Section 2 looks at the number of incidents, including total incidents over time, attacks on the oil and gas sector as a percentage of total terrorist attacks, and incidents over time by geographical region. In Section 3 the number of fatalities associated with the attacks is examined, along with the fatalities associated with attacks on the oil and gas sector as a percentage of all fatalities associated with terrorist attacks. Section 4 looks at injuries associated with the attacks, and the injuries associated with attacks on the oil and gas sector as a percentage of all injuries associated with terrorist attacks. Section 5 provides a brief discussion about the association between injuries and fatalities. Section 6 contains a discussion of the kinds of components attacked. Finally, Section 7 ends with some concluding remarks. http://www.thei3p.org/research/scada/i3presrep2.pdf Dartmouth's Public Key Infrastructure (PKI) Laboratory and Sun Microsystems have launched a collaboration pairing "Dartmouth's expertise in secure and trusted computing with Sun's OpenSolaris Project, an open source operating system that is being enhanced through community input and dialogue." Sun has also named Dartmouth's PKI Lab a Sun Center of Excellence in recognition of its contribution to "computing, research, and education." Dartmouth's team will be basing their work on Bear/Enforcer, the world's first Trusted Platform Module-based computing platform, which was originally developed at the PKI lab. http://www.dartmouth.edu/~news/releases/2005/11/18.html An interview with Marcus Sachs (SRI International)is the cover story in the November 2005 issue of SC Magazine. http://mag1.olivesoftware.com/am/welcome/SCM/SCM-2005-11.asp Ulf Lindqvist (SRI International) was the speaker at a recent University of California, Berkeley-Team for Research in Ubiquitous Secure Technology (TRUST) seminar. His presentation identified some cyber security concerns for the industry, provided an overview of the I3P research program and how it relates to other efforts in this area, and highlighted some specific tools and technologies under development by the I3P SCADA research team. http://trust.eecs.berkeley.edu/pubs/11.html Professor Rae Zimmerman (Institute for Civil Infrastructure Systems. NYU) presented at the U.S. Climate Change Science Program Workshop: Climate Science in Support of Decisionmaking. November 14-16, 2005, Washington, DC https://www.thei3p.org/research/scada/zimmerman1105.pdf The Information Trust Institute at the University of Illinois Urbana-Champaign has won a $1 million grant from the US Small Business Administration (SBA) to develop and design validation tools for security, privacy, correctness, dependability, safety, and survivability on critical information systems. ITI will focus its research in three areas: electric power, enterprise systems, and defense systems. http://www.engr.uiuc.edu/news/?xId=067607840756 DHS invited ER3C (Emergency Readiness and Response Research Center) to exhibit in the federal demonstration area at the 7th Annual Technologies for Critical Incident Preparedness Conference in San Diego. Hundreds of visitors from DHS, DOD, academia, industry and city and state emergency response agencies stopped by the booth to see what they have produced and to tell their own stories. Dennis McGrath, Mark Stanovich, Rebecca Segal, and Doug Hill were there for ER3C to keep the demos rolling and to clarify the capabilities ISTS brings to Domestic Preparedness. Dennis McGrath participated in a panel discussion on simulation and training. McGrath spoke about his SEERS research, in particular about how ER3C has used game engines to create low cost simulations for training, exercises, and testing prototypes; and the need to integrate simulations with real emergency response information systems. null Ben Cook (Sandia National Lab) and Ulf Lindqvist (SRI International) gave a presentation at the recent NPRA Conference- Process Control Session. https://www.thei3p.org/research/scada/npra2005.pdf "The Economist" cites a book by Ashish Arora, professor of economics and public policy, which argues that technology patents fosters innovation by making technologies easier to trade. Arora co-wrote "Markets for Technology, the Economics of Innovation and Corporate Strategy" with Andrea Fosfuri and Alfonso Gambardella exploring how patent law creates technology markets. Arora is Research Director of the Software Industry Center at Carnegie Mellon. http://www.heinz.cmu.edu/whatsnew/2005/arora-patents.html As part of its "Critical Conversations on Infrastructure Protection" series, George Mason University's Critical Infrastructure Protection Program will hold a panel discussion on homeland security, preparedness, and response. Called "After the Storms: Repairing the Damage", the talk will feature former FEMA (Federal Emergency Management Agency) director James Lee Witt, homeland security experts and representatives from private industry. The panel has yet to be announced. http://cipp.gmu.edu/news/afterTheStorm.php National Cyber Infrastructure Bulletin; no. 1 (Oct. 2005) A June 2005 I3P workshop examined the security of process control systems in the oil and gas industry. Participants included representatives from leading oil and gas companies, Supervisory Control and Data Acquisition (SCADA) and IT vendors, and government experts and researchers. The bulletin covers the major findings from the workshop. https://www.thei3p.org/about/i3pbulleting1.pdf I3P Research Report No. 1.This report presents the initial findings of the first phase of security metrics research. The study examines existing security metrics and their potential usefulness to PCS stakeholders: industry, PCS vendors and integrators, and government. This document is an initial report that lays the foundation for the team’ planned collaborative development of security metrics with PCS stakeholders. https://www.thei3p.org/about/researchreport1.pdf E-mail security company CipherTrust will sponsor the Georgia Tech Information Security Center (GTISC) Distinguished Lecture Series for 2005 and 2006. The Distinguished Lecture Series is free and open to the public and designed to educate the public about security issues while bringing together members of the information security community in Atlanta. The first lecture in the series was given by Anthony Michael Rutkowski, Vice President for Regulatory Affairs in the Communication Services Division at VeriSign. http://www.forbes.com/businesswire/feeds/businesswire/2005/09/15/businesswire20050915005440r1.html Eugene Spafford, executive director of CERIAS at Purdue, in IEEE-sponsored briefing with members of Congress, warned that without increased funding for cybersecurity, growth in organized crime and identity theft could drain the economy. Spafford argued that it would take a major failure of critical computers nationwide to raise public support for better security. The event and Spafford's remarks were reported by both IEEE and the magazine Red Herring. http://www.cerias.purdue.edu/news_and_events/news/view_story.php?id=190 On September 18, 2005, several members of the Emergency Readiness & Response Research Center (ER3C) team joined in an exercise scenario which simulated an act of terrorism at the Mount Sunapee Resort. ISTS played multiple roles which included data collection and the use of the remote triage technology (ARTEMIS). The ARTEMIS team attached their sensor systems to three casualties and one firefighter and collected excellent pulse-oximetry data. The team learned that the ARTEMIS system was not obtrusive to the firefighters work and discovered design and operational issues that can be addressed in the future. null Purdue University in Lafayette, Indiana, has launched the Cyber Center, a cyber infrastructure linking computer resources to enhance research. According to James Bottum, Purdue, vice president for IT, the Center will leverage the interdisciplinary nature of modern research with information technology. One key area of research at the Center will be sensor and wireless networks for homeland security and other purposes. A quarter of a $10 million grant from the Lilly Endowment will fund the center for the first three years, while administrators hope to raise $25 million from other sources. http://www.fcw.com/article90140-08-18-05-Web&RSS=yes The National Science Foundation (NSF) expects to make 36 new awards totaling $36 million through its 2005 Cyber Trust program. The awards, ranging from $200,000 to $7.5 million, include two new centers--one focused on the design and technology for trustworthy voting systems and the other on securing electric power grids. Recipients of the awards include I3P Consortium members Johns Hopkins University, Dartmouth College, and the University of Illinois. http://www.nsf.gov/news/news_summ.jsp?cntn_id=104352