Loading...

CSR CRE

2022 IEEE CSR Workshop on Cyber Resilience and Economics (CRE)

July 28, 2022


A combination of cyber technological feasibility and economic viability drives many of the decisions related to cybersecurity and cyber resiliency by both the defenders and attackers. In this context, technological feasibility is defined as any cyber resiliency technology that has the potential to be developed, fielded, and operationally controlled. In the case of economic viability, the resources required to defend, or attack must be available. We define resources in its broadest sense to include but not limited to the people, equipment, training, required funding, and asset value. On the defensive side, these technological and economic factors determine the cyber security and resiliency policies, procedures and technologies implemented to prevent and respond to cyber- attacks. On the offensive side, they not only determine the type of attack but also the effort expended to ensure its success. In short, these and other factors determine the asymmetric balance between the attackers and defenders.

The CRE 2022 Workshop, focusing on Cyber Resiliency: Strategies, Technologies, and Economics, will continue the exploration of foundational and applied advances in cyber resiliency strategies, policies, and technologies to shift the asymmetric balance in favour of the defender and identify and quantify the effect economic realities have on the decision processes. At the top level, national and organizational strategies and policies are required to understand what is to be achieved and the resources to be made available to protect critical resources and infrastructures. These strategies and policies must be supported by security and resiliency technologies. As a result, in addition to exploring various strategies, the workshop will seek to understand the capabilities, strengths/weaknesses, and benefits of various resiliency technologies whether existing or in research. The workshop will examine the parameters needed to accurately quantify asymmetric imbalance from both the offensive and defensive perspective; examine technical and non-technical approaches to shifting that balance, including the full range of costs/benefits of each approach; and explore and evaluate a range of options for defining and achieving optimality. It will bring together a diverse group of experts from multiple fields to advance the above concepts.

The CRE Workshop directly complements the conference’s objectives by serving to accelerate the recognition, adoption and application of cyber resilience of critical resources and infrastructures within industry, government and academia by addressing the key concerns of how these techniques and technologies can be realized within the practical constraints of cost, risk, and benefit.

Topics of Interest

Prospective authors are encouraged to submit previously unpublished contributions from a broad range of topics, which include but are not limited to the following:

› National and organizational cyber resiliency strategies and policies related to the development, deployment and use of cyber resiliency technologies.
› Existing IT/OT (and their interfaces) to achieve cyber resilience of CPS environments.
› Research activities in cyber resilience focused on IT and OT solutions, alignment of technical and mission resiliency, and preemptive resilience.
› Benefits and weaknesses of cyber resiliency technologies in CPS environments.
› Metrics, measurements, and economics of cyber resiliency & asymmetry.

› Technical and Economic barriers to the implementation of cyber resiliency technologies.
› Defining practical cyber resiliency and potential use cases and case studies.
› Relationship between resiliency and security in protecting CPS environments.
› Adversary and defender economics: assessing the impact of defender capabilities and actions to the attacker and vice versa.
› Frameworks for ROI analysis (cost, risk, benefit) to guide technology investment (research, development, and utilization).

Important Dates

Paper submission deadline: April 22 May 27, 2022 AoE
Authors’ notification: May 13 June 23, 2022 AoE
Camera-ready submission: May 27 June 30, 2022 AoE
Early registration deadline: June 24 June 30, 2022 AoE
Workshop date: July 28, 2022

Submission Guidelines

The workshop’s proceedings will be published by IEEE and will be included in IEEE Xplore. The guidelines for authors, manuscript preparation guidelines, and policies of the IEEE CSR conference are applicable to CRE 2022 workshop. Please visit the authors’ instructions page for more details. When submitting your manuscript via the conference management system, please make sure that the workshop’s track 2T3 CRE is selected in the Topic Areas drop down list.

Workshop Committees

Workshop chairs

Nicholas J. Multari, Pacific Northwest National Lab (US)
Rosalie McQuaid, MITRE Corporation (US)

Organizing committee

Nicholas J. Multari, Pacific Northwest National Lab (US)
Rosalie McQuaid, MITRE Corporation (US)
George Sharkov, European Software Inst CEE; Cybersecurity Lab (BG)
Volkmar Lotz, SAP Labs (FR)
Elena Peterson, Pacific Northwest National Lab (US)
Jeffrey Picciotto, MITRE Corporation (US)

Publicity chairs

Elena Peterson, Pacific Northwest National Lab (US)
Paul Rowe, MITRE Corporation (US)

Contact us

nick.multari@pnnl.gov
rmcquaid@mitre.org

Program committee

Michael Atighetchi, Raytheon (US)
Thomas Carroll, Pacific Northwest National Laboratory (US)
Yung Ryn Choe, Sandia National Laboratory (US)
Sabrina De Capitani di Vimercati, Universita degli Studi di Milano (IT)
Fabio De Gaspari, Sapienza University of Rome (IT)
Erich Devendorf, Air Force Research Laboratory (US)
Craig Jackson, Indiana University (US)
Doug Jacobson, Iowa State University (US)
Volkmar Lotz, SAP Labs (FR)
Rosalie McQuaid, MITRE Corporation (US)
Nicholas J. Multari, Pacific Northwest National Lab (US)
Takashi Nanya, University of Tokyo (JP)
Elena Peterson, Pacific Northwest National Lab (US)
Jeffrey Picciotto, MITRE Corporation (US)
Mohammad Rahman, Florida International University (US)
Indrajit Ray, Colorado State University (US)
Craig Rieger, Idaho National Laboratory (US)
Paul Rowe, MITRE Corporation (US)
Meghan Sahakian, Sandia National Laboratory (US)
O Sami Saydjari, Cyber Defense Agency (US)
George Sharkov, European Software Inst CEE; Cybersecurity Lab (BG)
Neeraj Suri, Univeristy of Lancaster (UK)
Reginald Sawilla, Government of Canada (CA)
Marco Vieira, University of Coimbra (PT)
Chris Walter, WW Technology Group (US)

Program Information

Thursday, July 28


10:00–11:40 CET

Technical session WS-CRE-1

Chair: N. J. Multari, Pacific Northwest National Lab (US)
Room: Nafsika

10:00–10:20

Welcome by the CRE Chairs

N. J. Multari and R. McQuaid

10:20–10:40

Policy-based profiles for intrusion response systems

K. Hughes

10:40–11:20

Invited talk: Towards trustworthy AI: The European human-centered approach

George Sharkov, European Software Institute (BG)

Abstract. In recent years, ethical issues across all technological fields, including artificial intelligence, have become a prominent topic for public discussion. The European Union, with its industry and academia at the forefront, is now viewed as a pioneer on the world stage for the implementation of an ethical approach toward an ethically driven, data-empowered society. Thanks to measures such as the General Data Protection Regulation, the European High-Level Expert Group on AI, the recently proposed AI Act, ensuring and providing access to trustworthy AI is no longer only a competitive advantage, but a basic necessity for the sector’s healthy growth.

Making the initial steps toward regulating AI has been a topic of interest in Europe, especially within recent years. While AI systems have many benefits, they also carry many risks that need to be addressed carefully and appropriately. Topics, such as compliance, lawful, ethical, and technologically robust AI have been developed to support an ethical approach to Artificial Intelligence and promote a sense of responsibility among organizations, governments, institutions, and companies of all sizes.

The EU risk-based approach towards requirements and recommendations for regulating Artificial Intelligence and ensuring the development of ethical and human-centered AI solutions, has become a fundamental approach towards the evolution of the potential of AI solutions. Certifying artificial intelligence systems based on their lawfulness, reliability, and human-centricity, however, is not a task easy to achieve. We will discuss some challenges, related to AI governance and certification as an important opportunity to shape the future and well-being of Europe.

Biography. Dr. George Sharkov is CEO of the European Software Institute CEE and a head of Cyber Security and Resilience Lab since 2003. He was an adviser to the Bulgarian Minister of Defense (2014-2021) and the National Cybersecurity Coordinator, leading the development of the national Cyber Resilience strategy. Member of the EU AI High Level Expert Group, SMEs voice at ETSI technical committees (TC CYBER and ISG “Securing AI”), ENISA Ad-Hoc Group on AI, ENISA Stakeholders Cybersecurity Certification Group. He holds PhD in AI and lecturing at 4 leading universities (software quality, cybersecurity and resilience, active security).

13:20–14:20 CET

Lunch break

16:20–18:00 CET

Technical session WS-CRE-2

Chair: N. J. Multari, Pacific Northwest National Lab (US)
Room: Nafsika

16:20–16:40

Recap by the CRE Chairs

N. J. Multari and R. McQuaid

16:40–17:00

Using potential effects on threat events (PETE) to assess mitigation effectiveness and return on investment (ROI)

D. Bodeau, R. Graubart, and R. Mcquaid

17:00–17:40

Invited talk: The top 10 challenges (Ty’s and Cy’s) on the road to cyber resiliency

Scott Foote, Phenomenati Consulting (US)
Steve Foote, Phenomenati Consulting (US)

Abstract. This talk will examine the common challenges and “market forces” which organizations will encounter on their road to building resilient systems, as well as dive into concrete remediation strategies and tactics that enable those systems to operate more Resiliently in today’s contested domain of Cyber. The first half of the discussion will focus on emergent aspects of the Cyber environment and fundamental concerns/shortcomings with contemporary system architectures. Useful techniques to counter these detrimental trends will be enumerated and deliberated. The latter half of the session will directly address the predominant pressures in today’s acquisition environment of Cyber-related systems. These forces often work diametrically against achieving improvements in Resiliency. Approaches for successfully dealing with these pressures will be examined and reviewed.

Biography. Scott is a senior executive and entrepreneur, with more than 35 years of technology experience in cybersecurity and the broader software industry. He has an acute ability to understand and map business needs to models, architectures, solutions, and technologies. An influential communicator skilled at “making the Complex, Simple” and “the Abstract, Concrete”, Scott has authored several thought leading pieces on cybersecurity from the original “Risk Formula” (in the 90s), to “Risk-Based Access Control” and the Cyber SA model of “Network, Mission, and Threat” (in the 00s), to the recent “SOC Taxonomy” and “5 What Imperatives” of security awareness.

Driven to bring “Order to Chaos”, his leadership experience includes building and leading growth-dominated products and services teams, organizations, and startups from 10s to 1000; and spans the solution lifecycle, with a specific focus on complex systems engineering and solution roadmap planning.

Scott is also a frequent speaker at industry events, is a member of several industry consortia, sits on a number of advisory boards and has been a member of the board of directors for enswers, Inc., Axixa Corporation, Realocity, Inc., Protinuum, LLC, and the Boston Affiliate of the Susan G. Komen Breast Cancer Foundation.

Biography. Steve is an accomplished software engineering executive, designing and implementing impactful enterprise applications and development teams which provide a competitive advantage for his clients. While leading software development organizations ranging from 4 to 600+ engineers, he has successfully applied his extensive knowledge of advanced software engineering, computer architecture, cyber security, mobile technologies, and enterprise applications to a variety of clients including finance, healthcare, pharmaceutical, commerce, law enforcement, intelligence, military, judicial, and treasury applications. Presently, Steve is leading the instantiation of software factories for a number of clients. These factories apply state-of-the-art, secured engineering practices (agile, cloud, mobile computing, DevSecOps) to produce advanced capabilities.

Steve’s own interest in agile software development stems from his years of experience in the commercial software market. While working in industry for companies including Oracle Corporation, Steve applied agile methodologies to the design of financial applications and industrial control systems, using advanced AI techniques and distributed processing capabilities that were the precursor to today’s Industrial IoT devices. Recognizing the need to better manage all of these distributed computing devices, Steve co-founded a company to deliver distributed systems management into the commercial marketplace. During that time, Steve patented a technique for implementing software agents on the early IoT devices for the purposes of securing them and managing them remotely.

Over the course of his career, Steve has published approximately 1,000 articles, reports, and white papers on topics including application development, advanced database applications, enterprise business applications (ERP), and cyber security (including the cover article for Information Security magazine in 1999 – 11/98). In recognition for his expertise in enterprise technologies, Steve was asked to serve as the lead judge for 3 consecutive years at the Best Practices in Enterprise Management Awards, an event covered by FORTUNE Magazine. In addition, Steve is the co-inventor of a patent regarding “Event management systems for distributed computing environments”. And Steve has served as an expert witness for multiple technology-related intellectual property lawsuits, at the U.S. state and federal level. He has also been a member of the board of directors for several companies including: the Hurwitz Group; enswers, Inc.; and Realocity, Inc.

18:00–18:20 CET

Coffee break

18:20–20:00 CET

Technical session WS-CRE-3

Chair: N. J. Multari, Pacific Northwest National Lab (US)
Room: Nafsika

18:20–18:40

Process mining for asymmetric cybersecurity audit

R. Turner

18:40–19:40

Panel discussion: Potential support and obstructions to cyber resilience

— Paul Nielsen, Carnegie Mellon University/Software Engineering Institute (US)

Paul D. Nielsen is Director and Chief Executive Officer of the Carnegie Mellon University Software Engineering Institute (SEI), a leader and key innovator in areas central to U.S. Department of Defense including software quality, artificial intelligence engineering, mission assurance, network and system resilience, and the increasing overlap of software and systems engineering. Nielsen is a member of the U.S. National Academy of Engineering (NAE); a Fellow of the American Institute of Aeronautics and Astronautics (AIAA); the Institute for Electrical and Electronics Engineers (IEEE); and the International Council on Systems Engineering (INCOSE); and a frequent speaker and panelist at conferences, workshops, and symposia. He serves on the Defense Science Board and several other advisory boards. Prior to joining the SEI in 2004, Nielsen served in the U.S. Air Force, retiring as a major general and commander of Air Force research after 32 years of distinguished service. Nielsen holds PhD and MS degrees in Applied Science from the University of California (Davis).

 

— George Sharkov, European Software Institute (BG)

Dr. George Sharkov is CEO of the European Software Institute CEE and a head of Cyber Security and Resilience Lab since 2003. He was an adviser to the Bulgarian Minister of Defense (2014-2021) and the National Cybersecurity Coordinator, leading the development of the national Cyber Resilience strategy. Member of the EU AI High Level Expert Group, SMEs voice at ETSI technical committees (TC CYBER and ISG “Securing AI”), ENISA Ad-Hoc Group on AI, ENISA Stakeholders Cybersecurity Certification Group. He holds PhD in AI and lecturing at 4 leading universities (software quality, cybersecurity and resilience, active security).

Scott Foote, Phenomenati Consulting (US)

Scott is a senior executive and entrepreneur, with more than 35 years of technology experience in cybersecurity and the broader software industry. He has an acute ability to understand and map business needs to models, architectures, solutions, and technologies. An influential communicator skilled at “making the Complex, Simple” and “the Abstract, Concrete”, Scott has authored several thought leading pieces on cybersecurity from the original “Risk Formula” (in the 90s), to “Risk-Based Access Control” and the Cyber SA model of “Network, Mission, and Threat” (in the 00s), to the recent “SOC Taxonomy” and “5 What Imperatives” of security awareness.

Driven to bring “Order to Chaos”, his leadership experience includes building and leading growth-dominated products and services teams, organizations, and startups from 10s to 1000; and spans the solution lifecycle, with a specific focus on complex systems engineering and solution roadmap planning.

Scott is also a frequent speaker at industry events, is a member of several industry consortia, sits on a number of advisory boards and has been a member of the board of directors for enswers, Inc., Axixa Corporation, Realocity, Inc., Protinuum, LLC, and the Boston Affiliate of the Susan G. Komen Breast Cancer Foundation.

Steve Foote, Phenomenati Consulting (US)

Steve is an accomplished software engineering executive, designing and implementing impactful enterprise applications and development teams which provide a competitive advantage for his clients. While leading software development organizations ranging from 4 to 600+ engineers, he has successfully applied his extensive knowledge of advanced software engineering, computer architecture, cyber security, mobile technologies, and enterprise applications to a variety of clients including finance, healthcare, pharmaceutical, commerce, law enforcement, intelligence, military, judicial, and treasury applications. Presently, Steve is leading the instantiation of software factories for a number of clients. These factories apply state-of-the-art, secured engineering practices (agile, cloud, mobile computing, DevSecOps) to produce advanced capabilities.

Steve’s own interest in agile software development stems from his years of experience in the commercial software market. While working in industry for companies including Oracle Corporation, Steve applied agile methodologies to the design of financial applications and industrial control systems, using advanced AI techniques and distributed processing capabilities that were the precursor to today’s Industrial IoT devices. Recognizing the need to better manage all of these distributed computing devices, Steve co-founded a company to deliver distributed systems management into the commercial marketplace. During that time, Steve patented a technique for implementing software agents on the early IoT devices for the purposes of securing them and managing them remotely.

Over the course of his career, Steve has published approximately 1,000 articles, reports, and white papers on topics including application development, advanced database applications, enterprise business applications (ERP), and cyber security (including the cover article for Information Security magazine in 1999 – 11/98). In recognition for his expertise in enterprise technologies, Steve was asked to serve as the lead judge for 3 consecutive years at the Best Practices in Enterprise Management Awards, an event covered by FORTUNE Magazine. In addition, Steve is the co-inventor of a patent regarding “Event management systems for distributed computing environments”. And Steve has served as an expert witness for multiple technology-related intellectual property lawsuits, at the U.S. state and federal level. He has also been a member of the board of directors for several companies including: the Hurwitz Group; enswers, Inc.; and Realocity, Inc.