
Dependability Initiative – Working Group on Interdependencies and Vulnerabilities
Marcelo Masera

Brussels, June 6th, 2001

Joint Research Centre
European Commission

Contents
• Cyber-security @ JRC
• The Dependability Initiative
– Site DEPPY
• Working Group on Interdependencies and
Vulnerabilities
– Objectives
– Membership
– Tasks
– Mechanisms

DDSI meeting - June 6 2


Our focus areas
[Diagram: JRC cyber-security focus areas. Labels: Citizen empowerment; On-line dispute resolution / e-confidence; Protection against cyber-abuse; Incident analysis, cyber-crime; Cyber-crime forum; Privacy; Testing criteria for PETs; Transactions; Contents; ISP; Observatory on Information Attacks; Information infrastructure security assurance; Critical infrastructures (vulnerabilities, interdependencies and CERTs)]



5th Framework Programme
• Trust and dependability: horizontal concerns
• Dependability Initiative:
– IST 2000/1 CPA4: Towards dependable and survivable
systems and infrastructures
• dependability and survivability of the global information
infrastructure
– IST 1999 CPA2: Dependability in services and
technologies
– On-line Forum: http://deppy.jrc.it
• Preparation for 6th FwP:
– Workshop “Interdependencies and vulnerabilities in
Information Infrastructures” – 27/28 March



The Dependability Initiative
JRC supports the operation of the DEPPY site
http://deppy.jrc.it



Archive of documents



Archive of events



Deppy folders



Deppy calendar



Deppy discussion groups



Workshop
• “Interdependencies and Vulnerabilities in
Information Infrastructures”
– 27-28 March, Brussels
– Sessions:
• Telecommunications
• Information assets
• Health care
• Energy and utilities
• Finance
– Result:
• Report (available at deppy)
• Working Group



Workshop conclusions
1. Short-term actions (2001-2002)
• European Working Group on Interdependencies and
Vulnerabilities
• Information collection and exchange
• Scenario exercises
• Elicitation of R&D challenges
2. Medium-term actions (2003-2007)
• R&D challenges (Dependability Initiative in 6th Framework
Programme)
• Interdisciplinary & complexity
• Dependency loops & non-linearity
• Modelling and simulation, risk models
• Migration to new technologies
• Benchmarking
• Prevention, tolerance, removal, prediction



WG objectives
Purpose
• European constituency
• Partnership for collaboration and information exchange
• Channel for forwarding policy concerns

Three main goals:

• Information exchange scheme
• Promotion of scenario exercises
• Collaboration in awareness raising activities



WG membership
• As wide as possible
– all EU member states,
– associated to the R&D Framework Programme (candidates
for EU membership, EFTA-EEA, Switzerland, Israel)
– all relevant business sectors (i.e. telecommunications,
finance, health-care, energy, transport, etc.)

Self-coordination among first participants



WG tasks
– Task a. Information Exchange
• threats, vulnerabilities, interdependencies and risk assessment
methods, possibly giving rise to a common information
system.
• collaboration with any existing sectoral or national initiative
• consideration of sector-related issues (energy, electric power,
health-care, finance, emergency planning and civil protection,
logistics-transport, security-emergency, defence)



WG tasks /2
– Task b. Scenario Exercises
• Purpose
1. common comprehension of the problem
2. supporting state-of-the-art practice

• Unequal experience at EU level:
– lessons learned and best/good practices from existing
exercises.
– identification of technical challenges that could benefit from
collaborative international R&D projects



WG tasks /3
– Task c. Awareness Raising Actions
• collaborative initiatives, tapping into existing experience
(national, sectorial)
• different audiences: authorities (national, European), business
decision-makers, general public
• focus on the cross-European and international dimensions of
the problem



JRC’s role
• Operation and maintenance of the site
– Deppy + mailing list
• Hosting of meetings
• Reporting on progress



IA attributes
• IA Attributes:
– Access control
– Authorisation
– Availability
– Identification
– Authentication
– Confidentiality
– Integrity
– Non-repudiation
– Timeliness
– Privacy (!)

[Diagram, © ISTPA. Labels: Interfacing; Security; Control; Life-cycle; Integrity; Exception processing]



Interdependencies
[Diagram: Information Infrastructure A; Infrastructure; Information asset Z (t); Information asset Z (t+d); Energy / material / organisational dependency]

• Interdependencies:
– Likelihoods are not independent
– Difficulties in analysing time evolutions (simulation?)
• Need to consider ”Mission”



Mission & Survivability
Security
• Traditionally: barrier to isolate application from intentional (&
accidental) threats that could harm information assets

• Now: Tolerance of application/information to the presence of
intentional (& accidental) threats
• Threats to the application/information
• Threats to the communications system

Survivability
• Ability to provide essential services in the presence of
attacks and failures, and recover full services in a timely
manner

Security: information assets
Survivability: mission



Concluding remarks
• Need to understand dependencies on the
Information Infrastructure as it plays a central role
• Need for clear concepts (risks, assets, threats,
vulnerabilities, dependencies) before methodologies
• Need to understand the role and characteristics of
information assets as links among infrastructures
• Need for evidence on actual facts (information
exchange, cross-sectorial, international)
