Critical Infrastructure Resilience Institute (CIRI)
The Critical Infrastructure Resilience Institute (CIRI), led and managed by the University of Illinois at Urbana-Champaign, will conduct research and education to enhance the resiliency of the Nation's critical infrastructures and the businesses and public entities that own and operate those assets and systems. The Institute will explore the organizational, policy, business, and technical dimensions of critical infrastructure's dependence on cyber assets. CIRI will examine how computer hardware and software both contribute to and threaten resiliency and how industry makes decisions about cyber assets which contribute to resilience.
Jeff Binder, Director
Randall Sandone, Assistant Director
David Nicol, Principal Investigator/Chief Scientist
CIRI’s Research Areas:
Understanding Resilient Critical Infrastructure Systems
Application of Critical Infrastructure in the Real World
The Business Case for Infrastructure Resiliency
Future of Resilience
Education and Workforce Development
Theme 1: Understanding Resilient Critical Infrastructure Systems
Regulatory Options for Managing Systemic Risks Project
PI: Rebecca Slayton, Cornell, Co-PI: Herb Lin, Stanford University
Risk management is foundational to critical infrastructure resilience, including one of the most essential infrastructures: the electrical power grid. However, regulations currently assess risk at the level of individual organizations, and thus may be neglecting systemic risks posed by cyber weapons. Such weapons may be able to propagate across and compromise a large number of low risk assets, causing a catastrophic failure without compromising any high risk assets. This project will help to identify specific sources of systemic risk across organizations, and will develop a method for evaluating the potential effectiveness of regulatory strategies to protect critical infrastructure from systemic cybersecurity risks.
Supply Chain Cybersecurity Assurance For Critical Infrastructure Project
PI: John Villasenor, University of California at Los Angeles
The need for ensuring the security of the nation’s critical infrastructure is well recognized. However, the infrastructure today is far from secure. This is due to a combination of interrelated factors. First, the systems involved are already extremely complex, and are rapidly becoming more so as the number of devices, connections, and linkages constituting these systems continues to increase. Second, critical infrastructure involves a complex mix of legacy systems and new technologies, resulting in interactions and dependencies that the original designers of the legacy systems could not have envisioned. Third, with the growth of the “Internet of Things,” the number of devices that are part of critical infrastructure systems is rapidly growing. In addition, the potential cyberattackers of today are far more sophisticated and have access to far more powerful tools than in the past. Against this backdrop, this project is focused on the supply chain, which constitutes an underappreciated and critically important security exposure for critical infrastructure. While significant progress has been made in quality assurance for software and components used to build critical infrastructure systems, there has been much less attention and progress in making the supply chain robust against intentionally compromised hardware and/or software that might be designed specifically to remain undetected in tests formulated to detect accidental design flaws. Cyberattacks on critical infrastructure launched using built-in hardware and/or software vulnerabilities could have a devastating impact. To address this threat, this project will focus on the challenges posed by cyberattacks based in the critical infrastructure supply chain, and will produce new critical infrastructure assessment methods that will increase the ability to pre-emptively detect intentionally compromised hardware and software, and also provide the ability to respond rapidly and effectively to mitigate attacks after they are launched. More specifically, under this project, we will develop, test, and disseminate to the U.S. critical infrastructure community a set of methodologies and associated solutions (including, for example, simulation software modules and frameworks) that will enable that community to much more effectively 1) identify systemic supply chain-related vulnerabilities, 2) preemptively mitigate at least some of those vulnerabilities, 3) and quickly and effectively respond to attacks launched from DHS-14-ST-061-COE-CIRC 12 FY2015 CIRI Management and Workplan the supply chain that might exploit the subset of those vulnerabilities that escape advanced mitigation.
Evaluation of Potential Vulnerability Assessment Methodologies and Tools
PI: Santanu Chaudhuri, University of Illinois at Urbana-Champaign
Co-PI: Maria Jaromin, University of Illinois at Urbana-Champaign
There are many different methodologies used in specific critical infrastructure sectors to collect and analyze information to deliver a vulnerability assessment. The two vulnerability assessment mechanisms primarily used by the Office of Infrastructure Protection (IP) are the Infrastructure Survey Tool and the since-retired Site Assistance Visit. The University of Illinois proposes to conduct a comparative study evaluating different vulnerability assessment methodologies and tools applicable to a range of critical infrastructures. The project will consist of three tasks. The initial task will focus on the literature review leading to identification and evaluation of different vulnerability assessments used by DHS for specific critical infrastructure sectors. The second task will provide evaluation and comparison of available tools, especially the Infrastructure Survey Tool, assessment of the applied models and suggestions for improvements as well as a gap analysis. The third task will focus on preparing a study and developing recommendations for addressing the near and long-term needs of DHS and the critical infrastructure community.
Theme 2: Application of Critical Infrastructure in the Real World
Resilience Governance Project
PIs: Stephen Flynn, Northeastern University, Matthias Ruth, Northeastern University
Co-PIs: Sean Burke, Northeastern University, Noah Dormady, Ohio State University
This project will provide an analysis of the governance challenges to advancing greater awareness and management of the risks arising from regional lifeline infrastructure interdependencies, to include current disincentives for greater cross-sector, multi-jurisdictional collaboration. This effort will include an extended case study of resilience governance challenges and innovative management approaches in the metro-Boston area that will inform national education and training programs. It will also develop a decision matrix to support the formation of a regional action plan that can inform public and private sector decision makers on how they should prioritize their efforts for addressing lifeline infrastructure interdependencies.
Changing Flood Risk - Extreme Precipitation, Sea Level Rise, and Inundation Project
PI: Eric P Salathé, University of Washington Bothell
Climate change is a major driver of changing flood risk due to impacts on sea level rise, heavy rainfall events, and the accumulation and persistence of snow. In particular, relatively little is known about the future changes of extreme precipitation at the regional level. The goals of this project are to link models and approaches, spanning from global-scale to regional climate models, to hydrologic models and ultimately to reach-scale hydrodynamic modeling. The analysis is developing pilot studies using river basins in the Pacific Northwest that are subject to both rain and snowmelt driven floods. Results will be generalized for application to other regions. This work will directly integrate with the companion project on Scenario-based Flood Risk Mapping, which will translate the geophysical flood scenarios to develop non-stationary risk projections.
Scenario-based Flood Risk Mapping Project
PI: Bob Freitag, University of Washington Himanshu Grover, University of Washington
New techniques in predicting flood levels will incorporate information about variability in possible flood levels, variability that captures changes in climate conditions and uncertainty in the climate model variables used to make the predictions. This project explores how to present new kinds of predictive information to community life-line infrastructure stakeholders, and how to get data from those stakeholders that allows them to integrate predictions of potential flood levels with the corresponding impacts on infrastructure.
Theme 3: The Business Case for Infrastructure Resiliency
Analyzing and Supporting the Development of the Cyber-insurance Market as a Market-Based Solution for Cyber Resiliency Project
PI: Jay Kesan, University of Illinois at Urbana-Champaign
Co-PIs: David Nicol, University of Illinois at Urbana-Champaign, Sachin Shetty, Tennessee State University
This project applies methodologies for assessing cyber-risk to the area of cyberinsurance, to understand the business case for offering insurance for cyber events. It will define a resulting set of initiatives and prescriptions to facilitate expansion of a cyber-insurance market. It will develop a database of court cases involving cyber-insurance.
Measuring and Rewarding Resilience Project
PIs: Howard Kunreuther, PI, University of Pennsylvania, Erwann Michel-Kerjan, University of Pennsylvania, Stephen Flynn, Northeastern University
Co-PI: Sean Burke, Northeastern University
This project supports the development of market-based incentives for advancing critical infrastructure resilience. It does this by identifying the barriers and opportunities for the insurance industry and financial sector to reward investments in measures that mitigate risk and speed recovery from disruptions to regional lifeline infrastructures. The project will determine, in a systematic, quantifiable and holistic way, why it is that lifeline critical infrastructure sectors are currently uninsured or underinsured. It will evaluate possible metrics for resilience that are likely to generate flexible resilience investments. In so doing, it will provide a roadmap for creating an important source of demand for the critical infrastructure resilience solutions developed by science and engineering researchers.
Measuring Business and Economic Resilience in Disasters
PI: Adam Rose, University of Southern California
Co-PIs: Noah Dormady, Ohio State University, Kathleen Tierney, University of Colorodo Boulder
This project is advancing the theory and measurement of economic resilience – how businesses utilize remaining resources as efficiently as possible in the aftermath of a disaster to maintain functionality. The work will also provide new insights and transition products that can be utilized by DHS and other agencies to strengthen the resilience of our critical infrastructure and provide more efficient planning for disaster and risk management.
Theme 4: Future of Resilience
Enabling Resilient Manufacturing via Trustworthy Digital Threads Project
PI/Co-PIs: William P. King, University of Illinois at Urbana-Champaign, Marianne Winslett, University of Illinois at Urbana-Champaign
The digital thread for a manufactured product consists of all the data generated during its lifecycle, including the information captured during design, fabrication, supply chain, customer delivery, and in-service usage and maintenance. The ability to access this information in highly granular detail offers significant advantages to manufacturing organizations, including business metrics such as manufacturing cost and time to market. Digital thread also offers new vulnerabilities for manufacturing organizations. The purpose of this five-year project is to conceive, design, develop, test, and transition to the field a production-grade architecture for trustworthy digital threads that satisfies the needs of the critical manufacturing sector, enhances manufacturing productivity, and significantly improves the robustness and resilience of the manufacturing sector. The project team’s industrial partners, connections to the digital thread research underway at DMDII, and access to the cybersecurity modeling and specification work at NIST will help ensure that trust, data provenance, and data integrity are integrated into digital thread industry standards as they evolve and coalesce.
First Responder Cybersecurity: Responsive Connectivity in Critical Infrastructure and the Internet of Things Project
PI: David Manz, Pacific Northwest National Laboratories
Current emergency response notification of events is often slow and disconnected. A small structure fire or commercial natural gas leak usually requires a human witness who would then use 9-1-1 emergency response or directly contact an emergency management authority. Even if there is automated detection, it is often not tied directly into all the relevant emergency response stakeholders. The ubiquitous Internet of Things (IoT) will provide an avenue for this information to be either detected or passed on to the appropriate authorities. If some part of the IoT was onsite, perhaps through a household Intelligent Electronic Device (IED) or a Smart Grid Advanced Metering Infrastructure (AMI) component, the automated information logged could be used to detect and promulgate the emergency event information more quickly. The “Security Attributes of Smart Grid Systems” report to Congress explicitly addresses emergency response communication in question 3. The proposed research directly addresses the issues raised in the congressional report. How do first responders communicate in concert with the critical infrastructure and the IoT? Furthermore, this proposal fulfills the DHS Long Range Broad Agency Announcement (BAA) Topical Areas of Command, Control, & Interoperability and Infrastructure and Geophysical – technologies. Specifically addressed are the areas of “Integrated incident management components and systems to improve public and first responder safety,” and “Concepts, methodologies, and/or technologies to improve protection of or enhance performance of responders as they carry out life-saving tasks.” The DHS highlights the key role emergency response and disaster preparedness plays in securing our communities and protecting critical infrastructure. The ability to symbiotically benefit both elements will leverage greater responsiveness and effectiveness for first responders and provide enhanced availability and resiliency for national critical infrastructure.
Theme 5: Education and Workforce Development
Advancing Resiliency in Critical Power and Industrial Control Infrastructure through Workforce Education and Real-World Testing Project
PI/Co-PIs: Danny Reible, Annette Sobel, Texas Tech University, Mark Harral, Group Nire and Susan Williams, Angelo State University
A team comprised of Texas Tech University (TTU), Angelo State University (ASU) and Group NIRE have created a work force development program for CIRI. The project will develop and train homeland security professionals for the current and future workforce through a combination of university programs at TTU and ASU, and a unique demonstration and test bed facility that provides both data and training for electric grid-microgrid, distributed generation assets, and real-time weather forecast. It must be able to take advantage of the inherent capabilities of distributed power and control systems and to continually recognize and update security and capabilities of these systems. It is toward building such a workforce, particularly in rural and small urban communities and in the underserved Hispanic population, that this program is directed. The initial efforts will focus on the development of seminars/CEU modules that will serve as training tools in critical infrastructure resilience for both TTU and ASU students and outside professionals. Two of the seminars will include bringing in industry experts as well as Group NIRE staff to show specific examples of issues faced by critical infrastructure entities. The issues covered will be extreme weather and extreme mechanical failure/post event analysis. One of the seminars will include potential cyber security attacks and a trip to Group NIRE’s field site to trouble shoot a loss of communication issue and detail how to restore communications utilizing radio networks/troubleshooting. Funding provided by DHS will establish a simple way to create more CEU/education modules to be added in future years and also start the development of aggregator software to train students remotely via a hands-on simulator approach.
For current publications visit ciri.illinois.edu.
Student Opportunities at CIRI
CIRI is looking for enthusiastic, qualified students to work on a wide variety of projects that address critical infrastructure resilience. We can be reached by submitting a resume and areas of interest via the University of Illinois Applied Research Institute website here.
For information on current technology under development, visit ciri.illinois.edu
Angelo State University
Ohio State University
Pacific Northwest National Laboratories
Tennessee State University
Texas Tech University
University of California at Los Angeles
University of Colorodo Boulder
University of Illinois at Urbana-Champaign
University of Pennsylvania Wharton School
University of Washington
For Current Resources, please visit ciri.illinois.edu