Cascading Effects of Cyber Security on Ohio Patrick Sheehan, Plans Branch Chief (Interim) Ohio Emergency Management Agency September 19, 2012 Today’s Cyber Threat • Cyber threats to critical infrastructure continue to evolve: – Foreign nationalists – Criminals – Hackers – Disgruntled employees • Attacks on government have increased 680% over the past five years – Cyber incidents happen every day – Negative impact to both economic and national security – Loss of classified information and intellectual property worth millions The “cyber threat is one of the most serious economic and national security challenges we face as a nation…America’s economic prosperity in the 21st century will depend on cyber security.” – President Barack Obama Planning Efforts • Cyber response requires a rapid response, which is highly dependent upon the development of trusted relationships between the public and private sector • May 2009 – Federal Cyberspace Policy Review document recommends development of cyber security incident response plans, but agencies have been slow to react • September 2010 – National Cyber Incident Response Plan (NCIRP) is developed by DHS, providing a federal strategy for coordinating operational response activities among all forms of government; however… • 85% of infrastructure is owned by the private sector No single agency has authority over cyberspace. Critical Infrastructure Sectors • 17 sectors federally identified by Homeland Security Presidential Directive-7 (HSPD-7) in 2003 – An 18th sector, Critical Manufacturing, was added in 2008 • Similar to Emergency Support Functions within EMA, each sector is managed by a lead or Sector-Specific Agency (SSA) • In accordance with the National Infrastructure Protection Plan (NIPP), each SSA is responsible for: – Developing and implementing a Sector-Specific Plan (SSP) – Encouraging the development of appropriate informationsharing and analysis mechanisms throughout the sector Critical Infrastructure Sectors • • • • • • • • • • Food and Agriculture Banking and Finance Chemical Facilities Commercial Facilities Communications Critical Manufacturing Dams Defense Industrial Base Emergency Services Energy • Government Facilities • Healthcare and Public Health • Information Technology • National Monuments and Icons* • Nuclear Reactors, Materials, and Waste • Postal and Shipping • Transportation Systems • Water *Not applicable to Ohio Interdependencies and Cascading Effects Food and Agriculture • Critical interdependencies with Water, Transportation, Energy, Banking and Finance, Chemical, Dams • Sector accounts for 1/5th of the nation's economic activity • 75,000 mostly privately owned farms in Ohio • Contributes $93 billion to state’s economy and 33.5K jobs • Ohio’s diagnostic labs play a vital role in health and human safety: – Reducing food-borne illness by 10% would keep about 5 million Americans from getting sick each year – Preventing a single fatal case of E. coli O157 infection saves an estimated $7 million • More farms with automated systems “on-line” Banking and Finance • Critical interdependencies with Energy, Information Technology, Transportation Systems, and Communications Sectors • Especially vulnerable to large-scale power outages, echoing effects of natural disasters, and cyber attacks demonstrate the wide range of potential risks facing the sector • SSA – Ohio Department of Commerce • More than 4.5K Ohio-based financial institutions move money throughout and beyond the state and country • Public-private partnerships already in place – Financial Services-Information Sharing and Analysis Center (FS-ISAC • Highly-automated industry Chemical Facilities • Dependent on, depended upon by, and interdependent with Communications, Critical Manufacturing, Emergency Services, Energy, Food and Agriculture, Healthcare and Public Health, Information Technology, Transportation Systems, and Water Sectors • Majority of industry is privately owned • Employs nearly 46K Ohioans; contributes $20 billion to state • Products are used in thousands of applications, including medical devices, food processing, construction materials, paints, paper, plastics, pharmaceuticals, electronics, water treatment, and clothing. • Highly-regulated and increasingly web-based processes Commercial Facilities • Further sub-divided into: – Public assembly, sports league, gaming, lodging, outdoor events, entertainment and media, real estate, and retail venues • More vulnerable to cyber attacks because the general public can move freely throughout venues without the deterrent of highly visible security barriers • Majority of facilities are privately owned and operated, with minimal interaction with the Federal government and other regulatory entities. • Work closely with local law enforcement Communications • Critical interdependencies with: – Energy, Information Technology, Banking and Finance, Emergency Services, and Postal and Shipping Sectors • Underlying backbone for all day-to-day operations – public sector, private sector, and non-profit • Providers routinely share facilities and technology to ensure interoperability, leading to shared cyber vulnerabilities • Again, the private sector are owners and operators of the majority of communications infrastructure • Public safety HIGHLY dependent upon this sector! Critical Manufacturing • Added as a critical sector in 2008 • Critical interdependencies with all other sectors • Subdivided into Metal, Machinery, Electrical, and Transportation Manufacturing • Highly-automated, computerized manufacturing processes – More than $12.5 million recently approved for innovation in manufacturing technology through “Third Frontier Initiative” • Home to one of two “centroid” cities in the country (Dayton) – Within a one-day drive of 50% of North America’s population and near 70% of manufacturing capacity – Numerous seaports along Lake Erie Dams • Critical interdependencies with Emergency Services, Energy, Food and Agriculture, Transportation Systems, and Water • More than 1550 dams in Ohio, from temporary to Class 4 (small to large) • More than half (65%) are privately owned; 85% regulated • Increasingly computerized systems provide economic, environmental, and social benefits including: – Hydroelectric power, river navigation, water supply, wildlife habitat, waste management, flood control, and recreation Defense Industrial Base • Critical interdependencies with all other Sectors – Government is highly dependent upon this sector • Especially vulnerable to cyber attack due to nature of sector (military weapons manufacturing, research, & development) • Ohio is home to many bases, manufacturers, and research and development companies – GE Aviation, Joint Systems Manufacturing Center, Timken, Goodrich, Boeing, Honeywell, L3 Communications, Lockheed Martin, Armor Holdings • Dayton is designated as a national aerospace hub, ranking 5th in U.S. in production – Aircraft engine manufacturing accounts for nearly 75% – Wright-Patterson Air Force Base contributes $5.1 million to economy Emergency Services • Critical interdependencies with Communications, Information Technology, and Transportation Systems • All other sectors depend upon the ESS for protection – Presents unique challenges in protecting the ESS itself • SSA – Ohio Department of Public Safety • Broken down into subcategories of: – Law Enforcement, Fire and Emergency Services, Emergency Management, Emergency Medical Services, and Public Works • Complex and dispersed nature of the sector makes it difficult to disable the entire nationwide system; HOWEVER, this presents challenges in coordinating emergency responses across disciplines, regions, and levels of government Energy • Critical interdependencies with Transportation Systems – Highlighted by heavy reliance on pipelines to distribute products – All other sectors dependent upon Energy Sector for power and fuel • 80% privately owned • Many owners and operators have extensive experience abroad with infrastructure protection and have more recently focused their attention on strengthening industry cyber security • Ohio, or “The Solar Valley, is #2 in solar manufacturing • Home to Columbia Gas, Marathon, and AEP • 5th largest consumer of electricity in U.S. • “Shale Rush” (frocking) in last two years Government Facilities • SSA – Ohio Department of Administrative Services • More vulnerable to cyber attacks because many facilities are open to the public for business activities, commercial transactions, or recreational activities; while others contain highly sensitive information, materials, processes, and equipment • In addition to physical structures, the sector includes cyber elements that contribute to the protection of assets • Education Facilities Subsector – pre-K through 12th grade schools, higher education, business and trade schools – Recent rise in “cyber charter” schools presenting their own set of concerns Healthcare and Public Health • Critical interdependencies with Communications, Emergency Services, Energy, Food and Agriculture, Information Technology, Transportation Systems, and Water Sectors • SSA – Ohio Department of Health • Protects all sectors from hazards such as terrorism, infectious disease outbreaks, and other natural disasters • Collaboration and information sharing between the public and private sectors is essential to increasing resilience of the nation's HPH critical infrastructure. • Plays significant role in response and recovery across all other sectors in the event of disaster • Many medical manufacturers, pharmaceutical companies, and universities Information Technology • Critical interdependencies with the Communications Sector, first and foremost (the internet); although all other sectors, and even the general public, are highly dependent upon the sector itself • SSA – Ohio Department of Administrative Services, OIT • Complex and dynamic environment makes identifying threats and assessing vulnerabilities difficult and requires that tasks be addressed in a collaborative and creative fashion • Operated by a combination of owners, operators, and associations that maintain and reconstitute networks • Ohio Supercomputer Center in Columbus is largest in country • Blurring of the lines between communications & IT providers National Monuments & Icons • Not particularly applicable to Ohio, as our state has no nationally-recognized national monuments or icons located in or near it • Of more importance to national identity, as the sector is essentially composed of physical structures which are of greater vulnerability to intentional attacks. • While the public nature of the sector limits the range of protective measures available, there are minimal cyber issues associated with national monuments due to the nature of the mainly federally-owned assets Nuclear Reactors, Materials, and Wastes • Critical interdependencies with Chemical, Energy, Healthcare and Public Health, and Transportation Systems Sectors • Highly regulated sector – Cyber security of sector is of utmost importance due to the nature of the sector – Cyber Systems Security Roadmap • Two nuclear power plants, both located along Lake Erie and owned by FirstEnergy: – Davis-Besse Nuclear Power Plant in Oak Harbor, pressurized water reactor, license expiring in 2017 – Perry Nuclear Power Plant in North Perry, one of largest boiling water plants in the country, license expiring in 2026 Postal and Shipping • Critical interdependencies with all sectors, in particular: – Banking and Finance, Commercial Facilities, Government Facilities, Healthcare and Public Health, Communications, Energy, Information Technology, and Transportation Systems Sectors • Highly regulated and concentrated sector, with only a handful of providers holding 90% of the market share • Assets include over 400 high-volume automated processing facilities, 40K local delivery units, 50K transport vehicles, and dedicated information and communications networks • Vulnerable to cyber attacks because the sector delivers to virtually all state, national, and international ports Transportation Systems • Critical interdependencies with all sectors • Six key subsectors, or modes: – Aviation, Highway Infrastructure and Motor Carrier, Maritime Transportation Systems, Mass Transit and Passenger Rail, Pipeline Systems, Freight Rail • Many national transportation companies and 99 airports • Increasing cyber concerns, as automated public transit has seen a 4%-10% increase (depending upon metro area) in recent years, due to rising fuel costs Water • Critical interdependencies with all sectors, specifically: – Energy, Food and Agriculture, Transportation Systems, Emergency Services, Healthcare and Public Health • Includes both drinking water and wastewater utilities • Approximately 84% of the U.S. population receives their potable water from drinking water systems; 75% have their sanitary sewerage treated by wastewater systems – Roughly 5,000 facilities service 10.8 million Ohioans • Vulnerable to cyber attacks due to high automation. Disruptions could result in illness, casualties, or denial of service that would impact public health and economic vitality. Implications on Infrastructure • Increased Online Control = Greater Vulnerability – Electrical power grids – Water and transportation systems – Oil pipelines – Refineries – Power-generation plants – Water/Wastewater plants • Aging infrastructure is more vulnerable to sophisticated cyber crime Implications on Infrastructure “When transformers fail, so too will water distribution, waste management, transportation, communications, and many emergency and government services…Given the average of twelve month lead that is require to replace a damaged transformer today with a new one the economic and society disruption would be enormous.” –Dr. Stephen Flynn, Northeastern University Connecting Ohio’s Infrastructure • Strengthening our cyber security is imperative because of the delicate balance between critical infrastructure sectors. A cyber attack on one sector can have cascading effects across all 18 infrastructure sectors. • More public-private partnerships in the following sectors: – – – – – – – Banking and Finance Commercial Facilities Critical Manufacturing Defense Industrial Base Energy Information Technology Postal and Shipping • Interdependencies among the critical sectors have been identified; however, a means to strengthen them must be developed Moving Forward • Cyber security will play a greater role on emergency in the foreseeable future as cyber attacks continue to grow in numbers and sophistication • Consider societal, technological, and environmental changes in planning • Understand the impacts of new technology and how best to implement it • Incorporate cyber security into governance and response plans • Seek technologically-savvy employees who can model data, run analytics, and track mission effectiveness to enhance decision-making • Build interdependent information technology capabilities with redundancies • Incorporate technologies based on simulation into exercises It is imperative that we all work together – government, private sector, nonprofit, and the public Questions? Patrick Sheehan, Plans Branch Chief (Interim) Ohio Emergency Management Agency (614) 799-3693 Office pcsheehan@dps.state.oh.us Thank You