The Infrastructure Mapping Project's goal is to provide meaningful analysis of critical infrastructure and its interdependencies with vital sectors of the US and global economy. In this pursuit we map a wide variety of networks and phenomena ranging from the Internet the power grid and spam. The approaches to mapping cover a wide variety of methodologies both spatial and topologic. Of the work thus far three project three have become cohesive products physical infrastructure mapping, cybersecurity simulation and diversity as defense (aka predator prey).
The physical infrastructure mapping work is the most developed of the three. The research has produced sophisticated vulnerability heat mapping tools, criticality ranking tools, and system failure simulations. Some of the most difficult problems in critical infrastructure protection are determining what is truly critical in the infrastructure, quantifying what the effects of failure are, and sorting out methods of mitigation. The tools developed as part of this project have made good progress at providing answers for the above questions in regards to information infrastructure and its interdependency with other critical assets.
Once vulnerabilities have been identified another difficult hurdle is deciding what policy response will be most effective in solving the problem. Our second project approaches this problem by developing simulations to determine the costs and benefits of implementing cybersecurity policies. The tool can test current cybersecurity policy initiatives such as federal government RFP requirements and the proposed Corporate Information Security Accountability Act. At a more granular level the tool can test the cost and benefits of a wide variety of cybersecurity defense strategies for various network configurations.
Often times malicious attacks on networks cannot be predicted or defended against ahead of time - for instance the recent SQL worm diffused globally in less than 10 minutes. When indefensible attacks exist it is useful to develop strategies to mitigate such scenarios. Along these lines we have developed a predator prey simulation, where predators are malicious attacks like viruses, worms, DDOS, etc. and prey are operating systems, servers, routers etc. One of the unique aspects of Internet attacks (predators) is that they only affect one particular type of hardware or software (prey). A worm that exploits Microsoft will not also work against Unix. The predator prey simulation examines what diversity of prey population is needed to ensure any one predator does not cause a catastrophic failure to the network. Diversity as defense has applications at many levels ranging from competition policy to procurement regulations.
In addition to the three existing projects new research is underway examining the interdependencies in critical infrastructure. A working paper examining the spatial interdependencies of the electric power grid and telecommunications will be up shortly and some of the preliminary visualizations can be seen in the gallery.
We believe IMP's research projects formulate some important problems in critical infrastructure protection going forward. The projects have also provided first steps towards building a framework to help solve problems and put forth effective public policy recommendations.