Maria Cristina BRUGNOLI – Roma - March 29-th MOTIA FINAL CONFERENCE ''Project Presentation” Project Impact assessment and qualitative evaluation Maria

Maria Cristina BRUGNOLI – Roma - March 29-th

MOTIA FINAL CONFERENCE ''Project Presentation”

Project Impact assessment and qualitative evaluation

Maria Cristina Brugnoli Maria Cristina Brugnoli

CASPUR, Università di Tor VergataCASPUR, Università di Tor [email protected]

Rome “Piazza di Spagna - 29 Marzo 2012


Outline

• Overview and main objectives

• Interview schedule

• Description of the field

• General feedback

• Highlights on major items

• Specific feedback from the end users

• Application of SNA methodology to CI analysis and modelling


Overview

Investigation of CI in Italy and proposed metrics for the

qualitative evaluation and modelling of CI


Outline of the activity

• Qualitative investigation and definition of agencies characteristics in relation to CI

• Case study: organizations and agencies in Italy

• Focus: qualitative characterization of ICT CI chain, relation btw organizations and ICT infrastructures, and within the ICT infrastructures as a whole

• Field (organisations having an extensive us of the ICT Infrastructure):• Public services and administration

• Service providers

• Civil security and emergency services


Objectives

• to gauge initial responses to the MOTIA concept and MOTIA specific R&D objectives;

• to gauge initial reactions in relation to the metrics and methodology proposed by the project and get suggestions for further improvements also in order to shape the overall characteristics of the inter-dependences ICT infrastructures;

• to identify other actors that make an extensive use of the telecommunication infrastructure and that could be interested in the project results;

• to support and provide insights for the project dissemination and overall assessment activities.


Interview schedule

• Warm-up

• Field

• Investigation of ICT and TLC technologies (used in the organizational)

• Focus on Critical infrastructures

• Presentation of MOTIA Concept

• Collection of feedback on MOTIA interest and impact

• Plus and minus, suggestions and sum up


PUBLIC SERVICES (field characteristics)

Public administration:

• ICT networks used by the administrations are very heterogeneous

• In general personnel know-how is quite low

• Awareness of SEC and Critical Infrastructure is low

• There is a strong will to be involved in the IT adoption/improvement activities

• There is a strong will on creating the path for a PA as services enabling also business continuity

• Still more focussed on the ICT internal service rather than the external ones (…very low pressure from the customers

Public emergency services:

• ICT networks and services used by the administrations are very heterogeneous

• There is very high interest in web-based and mobile based apps

• The personnel know-how is high and competent in technologies

• Willingness to pay for more expensive services if needed

• Awareness of SEC and Critical Infrastructure is relevant but has low impact the decision making

• Quite high constrains (security in particular)

• Relation with the operator is quite satisfying

• Disaster recovery services has not been evaluated yet


General reactions and suggestions

High level of impact at EU and national level

Interest in the project although is less clear is…:

the methodology that MOTIA is willing to implement

concrete results of the project

potential impact in the “daily activities” of the end users

New “simplified” concept (for non-technical audience) Technical characterization of user needs and impact assessment

(CASPUR/ENEA internal meeting) Definition of practical and concrete tools to be easily adopted by

the end users List of EU/national action items and recommendations (to be

disseminated also through lobbying activities) MOTIA white paper…? (e.g. linking the impact ass. results with

other data, also considering the specific characteristics of the Italian case study)


Field: characteristics of the end users

ABI Lab (2):

+ 150 banks

4 areas (SEC, IT, organization, and commercial)

participate to several EU and IT boards (high connection with the EU)

produces reports and surveys

are in charge of many communication and dissemination activities

ICT networks for banks are very heterogeneous

ENAV (1):

manages all Italian air traffic

4 control centres, 35 airports, and 34 radars

participate to several EU and IT boards, is under the regulation of Eurocontrol (very high connection with the EU)

moving all the communication on IP (currently 3 different networks + video surveillance net)

Poste Italiane (1):

one of the backbones of the Italian economy (loss in case of disaster: 60 M Euros per day!)

complex offer with variety of services (postal, commercial, bank,…)

are on the market, but still many characteristic of the public company

participate to the most important IT boards (low connection with the EU, high with the IT)

ad hoc service networks with TI and Fastweb


General reaction on the MOTIA project

Positive: • Strong interest and expectations• The topic and the objectives are clear• Availability in supporting and participating to

the project (also in providing representation at EU level)

• Not shy in presenting their needs and remarks• Willingness to pay for more expensive services if

needed• SEC and Critical Infrastructure have enormous

impact on the BID…• Awareness of SEC and Critical Infrastructure

relevant is high but has not impact the decision making

• Nowadays there is more attention on SEC that on Critical Infrastructure, MOTIA is welcome!


General reaction on the MOTIA project

Less clear is…:

• the methodology that MOTIA is willing to implement

• concrete results of the project

• potential impact in the “daily activities” of the end users


Major items identified

• Technical aspects and ICT implementation

• Provisioning of ICT services

• Regulatory and political aspects

• Organizational issues


ICT implementation

• Redundancy (civil security), prevention (banks), and early warning (postal services), services differentiation (service providers), as strategies to avoid failure

• Very high constrains (customers, national provisioning of services, security and safety)

• System do not support traceability of events

• “…the ICT system is a “black box” in the house of the operator…”

• Testing and verification are crucial (and to be realized each time a changes is implemented)

• Strong need of high level guidelines and methodology


Provisioning of ICT services

Relation with the operators• Collaboration • Exchange of information • Post- services consultancy • More transparency and collaboration • More exchange of information • Operators are seen as “Critical Operators”Other expectations and needs• Customization and personalization of

services • More post-services• Availability in supporting during the

testing and during the other crucial/critical activities

• Disaster recovery as a not satisfied issues


Regulatory and political aspects

• National and European legislation, need of clear directive at IT and EU level

• Relation and lobbying at EU level

• Each sector should have its own regulation

• Specific regulation in regard to the operators and ICT providers obligations


Organizational issues

• Lack of transparency and collaboration

• No clear information on the actual services provided

• Low level knowledge of the “failure chain” and its evolution

• Strong need of collaboration at all level of personnel


Specific user feedback: Banks and postal services

Characteristics

• low level of ICT knowledge

• strong pressure from the customers

• strong push from the customers

• regulation and policies is a benefit

Needs

• creation of an unique infrastructure for the bank-system

• more support after technology deployment (“what we have is just an email contact!”)

• creation of a Map of “Critical operators” and ICT services providers

• creation of standard (basic) agreements, based on a “minimum set” of assured services


Specific user feedback

Characteristics

Needs• Improvement and introduction of a ad hoc alerting

system is strongly suggested• Disaster recovery at the moment is too expensive• Recovery timeframe (+ABI)• Business continuity (+ABI) • More collaboration on decision making at high

level management • Need to analysis the CI at physical, IP and

management level • Operation should work closely with the end users


Specific user feedback (Civil security)

Characteristics• Regulation and policies are a benefit for us• No constrains from costs (ENAV)

Needs• EU guidelines and cooperation with the other

countries• Exchange of best practices and know-how• high quality of ICT providers and operators (high

competence)• Support in the transition/evolution towards IP • Understanding of how ATM can be properly places

into IP-based communications • New methodologies for moving from complexity to

synergy


Level of satisfaction


Knowledge and awareness


Needs and expectations


CIs qualitative vs quantitative analysis and modeling

• Literature review on CI qualitative evaluation and modeling (none of them were exhaustive…)

• High-level view Socio-technical system (Little, 2004) and CI vulnerabilities model (McEntire, 2001)

• In depth analysis: Network Analysis approach, where the CI can be analysed using SNA

• Current work: transforming qualitative R&D results into data for the construction of the CI network


SNA approach for CI

• SNA is a mature methodology used to to understand and visualize social groups characteristics

• Usually SNA is used to map and measure relationships and flows between people, groups, and organizations

• In MOTIA use SNA in a broad sense mapping not only social relations but also relations (as interdependencies) between machines, IT services and other tangible and intangible entities and mixed groups

• The social-driven analysis of the CI will provide insights for the definition and evaluation of the CI vulnerability attitude (also on the basis of CI liabilities and capacities)

• As an outcome for each of the organisational case studies we will be able to define the observed CI network graph and its characterization


Related work

The paper proposed the analysis of CI vulnerability. An example (the case of Canada Province-A) is given to illustrate the ideas and results presented in the paper. The analysis is conducted on the interdependencies of the main infrastructures of the area.

Chai C., Liu X., Zhang W . J., Deters R., Liu D, “Social Network analysis of the vulnerability of interdependent critical infrastructures”, International

Journal of Critical Infrastructures, Vol 4, No. 3 – 2008.


Civil security and emergency services

OperatorOperator

Primary agency (1)

Primary agency (1)

Telco operators

Telco operators

AgencyoperatorsAgency

operatorsEquip.Equip.

OP (2) OP (2) OP (3)OP (3)

LobbyingLobbying

TestingTestingTrainingTraining

ServicesServices

Legal and tech

Legal and tech


Postal services

OperatorOperator

Primary agency (1)

Primary agency (1)

Telco operators

Telco operators

Equip.Equip.

OP (2) OP (2) OP (3)OP (3)

LobbyingLobbying

ServicesServices


Analysis

• identification of different layers (social, legal, know-how,…)

• identification of different actors in the chain

• in-degree/out-degree

• number and type of lines/links

• number of nodes

• density

• proximity

Documents

Maria Cristina BRUGNOLI – Roma - March 29-th MOTIA FINAL CONFERENCE ''Project Presentation” Project Impact assessment and qualitative evaluation Maria