|
Ana Rodríguez-Hoyos, José Estrada-Jiménez, David Rebollo-Monedero, Jordi Forné, Rubén Trapero Burgos, Antonio Álvarez Romero, et al. (2019). Anonymizing Cybersecurity Data in Critical Infrastructures: The CIPSEC Approach. In Z. Franco, J. J. González, & J. H. Canós (Eds.), Proceedings of the 16th International Conference on Information Systems for Crisis Response And Management. Valencia, Spain: Iscram.
Abstract: Cybersecurity logs are permanently generated by network devices to describe security incidents. With modern
computing technology, such logs can be exploited to counter threats in real time or before they gain a foothold.
To improve these capabilities, logs are usually shared with external entities. However, since cybersecurity logs
might contain sensitive data, serious privacy concerns arise, even more when critical infrastructures (CI), handling
strategic data, are involved.
We propose a tool to protect privacy by anonymizing sensitive data included in cybersecurity logs. We implement
anonymization mechanisms grouped through the definition of a privacy policy. We adapt said approach to the
context of the EU project CIPSEC that builds a unified security framework to orchestrate security products, thus
offering better protection to a group of CIs. Since this framework collects and processes security-related data from
multiple devices of CIs, our work is devoted to protecting privacy by integrating our anonymization approach.
|
|
|
Marie Bartels. (2014). Communicating probability: A challenge for decision support systems. In and P.C. Shih. L. Plotnick M. S. P. S.R. Hiltz (Ed.), ISCRAM 2014 Conference Proceedings – 11th International Conference on Information Systems for Crisis Response and Management (pp. 260–264). University Park, PA: The Pennsylvania State University.
Abstract: This paper presents observations made in the course of two interorganizational crisis management exercises that were conducted in order to identify requirements for a decision support system for critical infrastructure operators. It brings into focus how different actors deal with the uncertainty of information that is relevant for other stakeholders and therefore is to be shared with them. It was analyzed how the participants articulated und comprehended assessments on how probable the reliability of a given data or prognosis was. The recipients of the information had to consider it when making decisions concerning their own network. Therefore they had to evaluate its reliability. Different strategies emerged.
|
|
|
Madhavi M. Chakrabarty, & David Mendonça. (2005). Design considerations for information systems to support critical infrastructure management. In B. C. B. Van de Walle (Ed.), Proceedings of ISCRAM 2005 – 2nd International Conference on Information Systems for Crisis Response and Management (pp. 13–18). Brussels: Royal Flemish Academy of Belgium.
Abstract: This paper develops a set of design considerations for information systems to support the management of interdependent critical infrastructure systems. Constraints on how these systems are managed are oriented along technical, political and organizational dimensions, though objectives along these dimensions may conflict and thus be difficult to satisfy. This paper harnesses methodologies from software engineering and cognitive science in order to specify opportunities for using information systems to support human-centered management of critical infrastructure systems. The particular focus of this work is on developing information systems to support visualization and visual problem solving. Progress to date is discussed in terms of an ongoing research project which uses as a test-bed data associated with lower Manhattan (New York, USA).
|
|
|
Tina Comes, & Bartel A. Van De Walle. (2014). Measuring disaster resilience: The impact of hurricane sandy on critical infrastructure systems. In and P.C. Shih. L. Plotnick M. S. P. S.R. Hiltz (Ed.), ISCRAM 2014 Conference Proceedings – 11th International Conference on Information Systems for Crisis Response and Management (pp. 195–204). University Park, PA: The Pennsylvania State University.
Abstract: Modern critical infrastructure (CI) systems are tightly coupled, resulting in unprecedented complexity and difficulty to predict, limit and control the consequences of disruptions caused by hazards. Therefore, a paradigm shift in disaster risk management is needed: instead of focusing on predicting events, resilience needs to be improved as a basis for adequate response to any event. This paper starts from a definition of CI resilience that provides a basis for quantitative and qualitative decision support. For the quantitative modelling approach, which aims at measuring the resilience of individual CIs, we focus on two CIs of fundamental importance for disaster response: transportation and power supply. The qualitative framework details relations between CIs. The results of this research are illustrated by a case study that analyses the impact of Hurricane Sandy. The findings highlight the need for a framework that combines qualitative and quantitative information from heterogeneous sources to improve disaster resilience.
|
|
|
Tina Comes, Valentin Bertsch, & Simon French. (2013). Designing dynamic stress tests for improved critical infrastructure resilience. In J. Geldermann and T. Müller S. Fortier F. F. T. Comes (Ed.), ISCRAM 2013 Conference Proceedings – 10th International Conference on Information Systems for Crisis Response and Management (pp. 307–311). KIT; Baden-Baden: Karlsruher Institut fur Technologie.
Abstract: This paper outlines an approach to support decision-makers in designing resilient critical infrastructure (CI) networks. As CIs have become increasingly interdependent disruptions can have far-reaching impacts. We focus on the vulnerability of CIs and the socio-economic systems, in which they are embedded, independent from any initial risk event. To determine which disruptions are the most severe and must be avoided, quantitative and qualitative assessments of a disruption's consequences and the perspectives of multiple stakeholders need to be integrated. To this end, we combine the results of consequence models and expert assessments into stress test scenarios, which are evaluated using multi-criteria decision analysis techniques. This approach enables dynamic adaption of the stress tests in the face of a fast changing environment and to take account of better information about interdependencies or changing preferences. This approach helps make trade-offs between costs for resilient CIs and potential losses of disruptions clearly apparent.
|
|
|
Elisa Canzani. (2016). Modeling Dynamics of Disruptive Events for Impact Analysis in Networked Critical Infrastructures. In A. Tapia, P. Antunes, V.A. Bañuls, K. Moore, & J. Porto (Eds.), ISCRAM 2016 Conference Proceedings ? 13th International Conference on Information Systems for Crisis Response and Management. Rio de Janeiro, Brasil: Federal University of Rio de Janeiro.
Abstract: Governments have strongly recognized that the proper functioning of critical infrastructures (CIs) highly determines the societal welfare. If a failed infrastructure is unable to deliver services and products to the others, disruptive effects can cascade into the larger system of CIs. In turn, decision-makers need to understand causal interdependencies and nonlinear feedback behaviors underlying the entire CIs network toward more effective crisis response plans. This paper proposes a novel block building modeling approach based on System Dynamics (SD) to capture complex dynamics of CIs disruptions. We develop a SD model and apply it to hypothetical scenarios for simulation-based impact analysis of single and multiple disruptive events. With a special focus on temporal aspects of system resilience, we also demonstrate how the model can be used for dynamic resilience assessment. The model supports crisis managers in understanding scenarios of disruptions and forecasting their impacts to improve strategic planning in Critical Infrastructure Protection (CIP).
|
|
|
Franclin Foping, & Ioannis M. Dokas. (2013). A saas-based early warning information fusion system for critical infrastructure safety. In J. Geldermann and T. Müller S. Fortier F. F. T. Comes (Ed.), ISCRAM 2013 Conference Proceedings – 10th International Conference on Information Systems for Crisis Response and Management (pp. 156–165). KIT; Baden-Baden: Karlsruher Institut fur Technologie.
Abstract: Maintaining the critical infrastructures, such as Drinking Water Treatment Plants (DWTP), transportation, power generation and communications systems, in a safe state is a complex problem. The effective collaboration, as well as the collection aggregation and dissemination of early warning information among the stakeholders of the Safety Management System (SMS) responsible for the safety of these critical infrastructures are some of the challenges that need to be addressed. This paper argues that the Software as a Service (SaaS) deployment model can offer new ways of enhancing the fusion of early warning information during the operation phase of critical infrastructures. It presents the requirements, the architecture and a number of features of a working prototype SaaS-based early warning information fusion system for DWTP safety issues in the Republic of Ireland. It is the first time that a SaaSbased working prototype system is reported of providing early warning information fusion services in the literature.
|
|
|
Joaquín López-Silva, Victor A. Bañuls, & Murray Turoff. (2015). Scenario Based Approach for Risks Analysis in Critical Infrastructures. In L. Palen, M. Buscher, T. Comes, & A. Hughes (Eds.), ISCRAM 2015 Conference Proceedings ? 12th International Conference on Information Systems for Crisis Response and Management. Kristiansand, Norway: University of Agder (UiA).
Abstract: This paper proposes a Cross Impact Analysis for supporting critical infrastructures risk analysis. This methodology contributes to decision-makers and planners with analytical tools for modeling complex situations. These features are generally useful in emergency management and particularly within the critical infrastructures scope, where complex scenarios for risk analysis and emergency plans design have to be analyzed. This paper will show by an example how CIA methodology can be applied for risks and identification analysis with an application to a Data Centre of a Critical Infrastructure.
|
|
|
Joeri van Laere, Peter Berggren, Per Gustavsson, Osama Ibrahim, Björn Johansson, Aron Larsson, et al. (2017). Challenges for critical infrastructure resilience: cascading effects of payment system disruptions. In eds Aurélie Montarnal Matthieu Lauras Chihab Hanachi F. B. Tina Comes (Ed.), Proceedings of the 14th International Conference on Information Systems for Crisis Response And Management (pp. 281–292). Albi, France: Iscram.
Abstract: Critical infrastructures become more and more entangled and rely extensively on information technology. A deeper insight into the relationships between critical infrastructures enables the actors involved to more quickly understand the severity of information technology disruptions and to identify robust cross-functional mitigating actions. This study illustrates how and why disruptions in the payment system in Sweden could create cascading effects in other critical infrastructures with potentially severe consequences for many citizens, government institutions and companies. Data from document studies, interviews and workshops with field experts reveal seven challenges for collective cross-functional critical infrastructure resilience that need to be dealt with: 1) Shortage of food, fuel, cash, medicine; 2) Limited capacity of alternative payment solutions; 3) Cities are more vulnerable than the countryside; 4) Economically vulnerable groups in society are more severely affected; 5) Trust maintenance needs; 6) Crisis communication needs; 7) Fragmentation of responsibility for critical infrastructures across many actors.
|
|
|
Philippe Kruchten, Carson Woo, Kafui Monu, & Mandana Sotoodeh. (2007). A human-centered conceptual model of disasters affecting critical infrastructures. In K. Nieuwenhuis P. B. B. Van de Walle (Ed.), Intelligent Human Computer Systems for Crisis Response and Management, ISCRAM 2007 Academic Proceedings Papers (pp. 327–344). Delft: Information Systems for Crisis Response and Management, ISCRAM.
Abstract: Understanding the interdependencies of critical infrastructures (power, transport, communication, etc.) is essential in emergency preparedness and response in the face of disasters. Unfortunately, many factors (e.g., unwillingness to disclose or share critical data) prohibited the complete development of such an understanding. As an alternative solution, this paper presents a conceptual model-an ontology-of disasters affecting critical infrastructures. We bring humans into the loop and distinguish between the physical and social interdependencies between infrastructures, where the social layer deals with communication and coordination among representatives (either humans or intelligent agents) from the various critical infrastructures. We validated our conceptual model with people from several different critical infrastructures responsible for disasters management. We expect that this conceptual model can later be used by them as a common language to communicate, analyze, and simulate their interdependencies without having to disclose all critical and confidential data. We also derived tools from it.
|
|
|
Leire Labaka, Josune Hernantes, Tina Comes, & Jose Mari Sarriegi. (2014). Defining policies to improve critical infrastructure resilience. In and P.C. Shih. L. Plotnick M. S. P. S.R. Hiltz (Ed.), ISCRAM 2014 Conference Proceedings – 11th International Conference on Information Systems for Crisis Response and Management (pp. 429–438). University Park, PA: The Pennsylvania State University.
Abstract: Industrial accidents increasingly threaten society and economy; the increasing exposure and vulnerability of our modern interlaced societies contributes to intensifying their impact. Critical Infrastructures (CIs) have a prominent role, since they are vital for the welfare of the population and essential for the economic growth. As hazards are hard to predict, decision-makers need to implement adequate adaptation and mitigation strategies to improve CI resilience. Although CI resilience has attracted increasing attention, empirical studies are rare. Research on the implementation of policies aiming at identifying a clear sequence of measures to improve CI resilience is lacking. Therefore, we present a framework to identify resilience policies across four dimensions (technical, organizational, economic and social) and to define the temporal order in which the policies should be implemented. This research provides a framework grounded in our empirical work. Future work will aim at developing quantitative approaches to complement our results.
|
|
|
Sandra König, & Stefan Schauer. (2019). Cascading Threats in Critical Infrastructures with Control Systems. In Z. Franco, J. J. González, & J. H. Canós (Eds.), Proceedings of the 16th International Conference on Information Systems for Crisis Response And Management. Valencia, Spain: Iscram.
Abstract: Critical infrastructures (CIs) increase in complexity due to numerous dependencies on other CIs but also due to the ongoing digitalization in the industry sector. This yields an increased risk of failure of a single CI as the overall systems gets very fragile and sensitive to errors Failure of a single component may affect large parts of an infrastructure due to cascading effects. One way to support functionality of a CI is the use of Industrial Control Systems (ICS) that allow monitoring remote sites and controlling processes. However, this is an additional source for threats as recent cyber-attacks have shown. Further, the additional information for such cyber systems is often not efficiently combined with existing information on the physical infrastructure. We here propose a method to combine these two sources of information in order to estimate the impact of a security incident on CIs, taking into account cascading effects of threats. An implementation of the model allows simulation of the dynamics inside a CI and yields a record of the status of each asset of the CI. The way the assets change their states illustrates the consequences of an incident on the entire CI. Visualization of the results provides an overview on the situation of the entire CI at a certain point of time and a sequence of such visualization over an entire period of time illustrates the changes over time. The results from this analysis may be used to support security officers in analyzing the current (hybrid) state of their CI in case of an incident and thus increase the hybrid situational awareness.
|
|
|
Stefan Schauer, Stefan Rass, & Sandra König. (2021). Simulation-driven Risk Model for Interdependent Critical Infrastructures. In Anouck Adrot, Rob Grace, Kathleen Moore, & Christopher W. Zobel (Eds.), ISCRAM 2021 Conference Proceedings – 18th International Conference on Information Systems for Crisis Response and Management (pp. 404–415). Blacksburg, VA (USA): Virginia Tech.
Abstract: Critical infrastructures (CIs) in urban areas or municipalities have evolved into strongly interdependent and highly complex networks. To assess risks in this sophisticated environment, classical risk management approaches require extensions to reflect those interdependencies and include the consequences of cascading effects into the assessment. In this paper, we present a concept for a risk model specifically tailored to those requirements of interdependent CIs. We will show how the interdependencies can be reflected in the risk model in a generic way such that the dependencies among CIs on different levels of abstraction can be described. Furthermore, we will highlight how the simulation of cascading effects can be directly integrated to consistently represent the assessment of those effects in the risk model. In this way, the model supports municipalities' decision makers in improving their risk and resilience management of the CIs under their administration.
|
|
|
Stefan Schauer, Stefan Rass, Sandra König, Klaus Steinnocher, Thomas Schaberreiter, & Gerald Quirchmayr. (2020). Cross-Domain Risk Analysis to Strengthen City Resilience: the ODYSSEUS Approach. In Amanda Hughes, Fiona McNeill, & Christopher W. Zobel (Eds.), ISCRAM 2020 Conference Proceedings – 17th International Conference on Information Systems for Crisis Response and Management (pp. 652–662). Blacksburg, VA (USA): Virginia Tech.
Abstract: In this article, we want to present the concept for a risk management approach to assess the condition of critical infrastructure networks within metropolitan areas, their interdependencies among each other and the potential cascading effects. In contrast to existing solutions, this concept aims at providing a holistic view on the variety of interconnected networks within a city and the complex dependencies among them. Therefore, stochastic models and simulations are integrated into risk management to improve the assessment of cascading effects and support decision makers in crisis situations. This holistic view will allow risk managers at the city administration as well as emergency organizations to understand the full consequences of an incident and plan mitigation actions accordingly. Additionally, the approach will help to further strengthen the resilience of the entire city as well as the individual critical infrastructures in crisis situations.
|
|
|
Stefan Schauer, Stefan Rass, Sandra König, Thomas Grafenauer, & Martin Latzenhofer. (2018). Analyzing Cascading Effects among Critical Infrastructures. In Kees Boersma, & Brian Tomaszeski (Eds.), ISCRAM 2018 Conference Proceedings – 15th International Conference on Information Systems for Crisis Response and Management (pp. 428–437). Rochester, NY (USA): Rochester Institute of Technology.
Abstract: In this article, we present a novel approach, which allows not only to identify potential cascading effects within a network of interrelated critical infrastructures but also supports the assessment of these cascading effects. Based on percolation theory and Markov chains, our method models the interdependencies among various infrastructures and evaluates the possible consequences if an infrastructure has to reduce its capacity or is failing completely, by simulating the effects over time. Additionally, our approach is designed to take the intrinsic uncertainty into account, which resides in the description of potential consequences a failing critical infrastructure might cause, by using probabilistic state transitions. In this way, not only the critical infrastructure's risk and security managers are able to evaluate the consequences of an incident anywhere in the network but also the emergency services can use this information to improve their operation in case of a crisis and anticipate potential trouble spots.
|
|
|
Murray Turoff, Victor A. Bañuls, Linda Plotnick, & Starr Roxanne Hiltz. (2014). Development of a dynamic scenario model for the interaction of critical infrastructures. In and P.C. Shih. L. Plotnick M. S. P. S.R. Hiltz (Ed.), ISCRAM 2014 Conference Proceedings – 11th International Conference on Information Systems for Crisis Response and Management (pp. 414–423). University Park, PA: The Pennsylvania State University.
Abstract: This paper summarizes the development of a Cross Impact and Interpretive Structural Model of the interactions of 16 critical infrastructures during disasters. It is based on the estimates of seven professionals in Emergency Management areas and was conducted as an online survey and Delphi Process. We describe the process used and the current results, indicating some of the disagreements in the estimates. The initial results indicate some very interesting impacts of events on one another, resulting in the clustering of events into mini-scenarios.
|
|
|
Sarp Yeletaysi, Frank Fiedrich, & John R. Harrald. (2008). A framework for integrating GIS and systems simulation to analyze operational continuity of the petroleum supply chain. In B. V. de W. F. Fiedrich (Ed.), Proceedings of ISCRAM 2008 – 5th International Conference on Information Systems for Crisis Response and Management (pp. 586–595). Washington, DC: Information Systems for Crisis Response and Management, ISCRAM.
Abstract: Crisis and disaster management is a field that requires the understanding and application of tools and knowledge from multiple disciplines. Hurricanes Katrina and Rita in 2005 have proven that U.S. petroleum infrastructure is vulnerable to major supply disruptions as a direct result of disasters. Due to the structure of U.S. oil supply chain, primary oil production centers (i.e. PADD* 3) are geographically separated from primary demand centers (i.e. PADD 1), which creates a natural dependency between those districts. To better understand the extent of those dependencies and downstream impacts of supply disruptions, a multi-disciplinary research approach is necessary. The cross-disciplines in this research include disaster management, critical infrastructure and oil supply chain management, and the utilization of geographic information systems (GIS) and systems simulation. This paper specifically focuses on the framework for integrating GIS and systems simulation as analysis tools in this research.
|
|
|
Rae Zimmerman, & Carlos E. Restrepo. (2006). Information technology (IT) and critical infrastructure interdependencies for emergency response. In M. T. B. Van de Walle (Ed.), Proceedings of ISCRAM 2006 – 3rd International Conference on Information Systems for Crisis Response and Management (pp. 382–385). Newark, NJ: Royal Flemish Academy of Belgium.
Abstract: Information technologies and other critical infrastructures are interconnected in ways that can lead to vulnerabilities in the ability of these infrastructures to perform during natural disasters and acts of terrorism either to reduce adverse consequences or provide needed emergency response services. This research applies and adapts a number of indicators of infrastructure interdependency based on the authors' earlier research to determine where weak points and strengths occur in the interconnections between infrastructure technology and other infrastructure support services such as electric power and transportation, and where weak points create vulnerability that can be improved for more effective response in emergencies.
|
|