Timing and Resilience in Cyber Conflict: A Theoretical Framework

Cited by: 0
Author
Connett, Brian [1]
Affiliation
[1] US Naval Postgrad Sch, Monterey, CA 93943 USA
Keywords
critical infrastructure; cyber physical systems; modeling; cyber threat;
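DOI
Not available
Chinese Library Classification number
TP [Automation technology, computer technology];
Discipline classification code
0812;
Abstract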
The critical infrastructure is a cyber physical system (CPS) of the global economy, transportation, health and quality of life systems that is poised to fail under precisely, or even loosely, coordinated attacks. Since inception, systems assets within critical infrastructures were seemingly safe from the exploitation or attack by nefarious cyberspace actors. Now, critical infrastructure is a target because the resources to exploit the cyber physical systems exist. The fragility of critical infrastructure networks is a product of poor planning and an aging technology-dependent distributed system. That fragility is amplified with a decreasing learning curve associated with the growing population of cyber-actors. To compound this aggregated problem, the immeasurable scale of connected and complex networked cyber physical systems limits the resources with which the system, itself, can adequately monitor the entirety of its ongoing processes. A lack of ability to effectively monitor complex systems, and correctly identify when an anomaly is present, motivates the research this work uses to build its position. System owners are obligated to maintain a high level of protection measures against exploitation resources, characterized in terms of patience, stealth, replication-ability and extraordinary robustness. The difficulty lies in knowing when, how and where to fortify a critical infrastructure against an impending attack. Models currently exist that theorize the value of knowing the attacker's capabilities in the cyber realm, taking into consideration the strength of the target, but they are not designed to respond to the inherent fast timing of an attack, an impetus that can be derived based on open-source reporting, common knowledge of exploits and the physical architecture of the infrastructure.
This dissertation seeks to build a framework and architecture with a useful model that will inform systems owners how to align infrastructure architecture in a manner that is responsive to the capability, willingness and timing of the attacker. This research group will use existing theoretical models for estimating the functional parameters, and through analysis, develop a decision tool for would-be target owners. System owners require a decision system that can be scalable across temporal and physical boundaries and is capable of detecting an anomaly, and then informing the system owner of an attack's potential dispersion. The complement to this capability need is a system which demonstrates a triad of availability, namely in the terms of resilience, adaptability and predictability. An architecture is introduced to ensure that the observed anomaly, if allowed to persist, will only do so at the thresholds within the triad set by the system owner. While not static through time iterations, the thresholds provide a situationally aware decision to allow an overall availability, consistent with the need and utility of a critical infrastructure service.
Pages: 415 - 418
Page count: 4
Related papers
50 in total
  • [41] A Cyber Resilience Framework for NG-IoT Healthcare Using Machine Learning and Blockchain
    Kelli, Vasiliki
    Sarigiannidis, Panagiotis
    Argyriou, Vasileios
    Lagkas, Thomas
    Vitsas, Vasileios
    IEEE INTERNATIONAL CONFERENCE ON COMMUNICATIONS (ICC 2021), 2021,
  • [42] MTC2: A Command and Control Framework for Moving Target Defense and Cyber Resilience
    Carvalho, Marco
    Eskridge, Thomas C.
    Bunch, Larry
    Dalton, Adam
    Hoffman, Robert
    Kidwell, Daniel
    Shanklin, Teresa
    2013 6TH INTERNATIONAL SYMPOSIUM ON RESILIENT CONTROL SYSTEMS (ISRCS), 2013, : 175 - 180
  • [43] Resilience Framework for Power Electronic Systems Against Cyber-Physical Attacks: A Review
    Liu, Chang
    Ye, Jin
    Fang, Gaoliang
    Wang, Di
    Zhou, Linke
    Emadi, Ali
    IEEE OPEN JOURNAL OF POWER ELECTRONICS, 2025, 6 : 28 - 55
  • [44] Combining Cybersecurity and Cyber Defense to achieve Cyber Resilience
    Galinec, Darko
    Steingartner, William
    2017 IEEE 14TH INTERNATIONAL SCIENTIFIC CONFERENCE ON INFORMATICS, 2017, : 87 - 93
  • [45] Cyber war versus cyber realities: cyber conflict in the international system
    Nocetti, Julien
    INTERNATIONAL AFFAIRS, 2016, 92 (02) : 463 - 465
  • [46] Cyber Resilience: by Design or by Intervention?
    Kott, Alexander
    Golan, Maureen S.
    Trump, Benjamin D.
    Linkov, Igor
    COMPUTER, 2021, 54 (08) : 112 - 117
  • [47] Cyber War versus Cyber Realities: Cyber Conflict in the International System
    O'Connor, Courteney J.
    POLITICAL STUDIES REVIEW, 2017, 15 (02) : 288 - 289
  • [48] CYBER WAR VERSUS CYBER REALITIES: CYBER CONFLICT IN THE INTERNATIONAL SYSTEM
    Domingo, Francis C.
    JOURNAL OF INFORMATION TECHNOLOGY & POLITICS, 2015, 12 (04) : 399 - 401
  • [49] To Improve Cyber Resilience, Measure It
    Kott, Alexander
    Linkov, Igor
    COMPUTER, 2021, 54 (02) : 80 - 85
  • [50] Cyber Resilience Progression Model
    Carias, Juan F.
    Arrizabalaga, Saioa
    Labaka, Leire
    Hernantes, Josune
    APPLIED SCIENCES-BASEL, 2020, 10 (21) : 1 - 32