Location: National Science Foundation (Stafford I Building)

4201 Wilson Boulevard, Arlington, VA 22230

Room 375

Thursday, October 22, 2015 (8:00 a.m.- 6:00 p.m.)

Friday, October 23, 2015 (8:00 a.m.- 3:00 p.m.)

The NWRR Workshop will be transmitted via Webex. To join the Workshop in this way, please register at: https://nsf.webex.com/mw0401lsp13/mywebex/default.do?siteurl=nsf&service=6. Please note that the registration needs to be done separately for each of the two days of the Workshop.

Objectives

Hurricane Sandy bluntly reminded us both how dependent we are and how much we take for granted the complex systems that provide energy, transportation, water, medical care, emergency response, and security at levels considered luxurious just a generation ago. Stuxnet, earnest bear and other cyber exploits targeted at operational technologies (OT) highlight the potential risk to these systems resulting from a malicious action, and the associated cascading effects. Presidential Policy Directive 21 (PPD-21), "Critical Infrastructure Security and Resilience" recognized the need to advance research and development (R&D) for resilient critical infrastructure. The National Workshop on Resilience Research (NWRR) will gather leading researchers from academic, government and private institutions to advance a research and development (R&D) strategy to accelerate integrated efforts for developing near-ready-for-proof-of-concept technologies and applications. The workshop will also identify policy and economic incentives that can overcome current barriers to early and widespread adoption of these technologies and applications. An integrated resilience strategy is inherently multi-disciplinary by nature, and will lead to holistically addressing resilience challenges that stand in the way of rapid transition of deployments by government and industry. The key objectives of the workshop are as follows:

1. Highlight the latest multidisciplinary concepts, processes and models for advancing critical infrastructure resilience
2. Develop a unified science of resilience to provide computational and system frameworks for analyzing and designing resilient mechanism.
3. Identify the market, legal and policy barriers to advancing critical infrastructure resilience measures
4. Correlate issues and needs associated with advancing resilience science and engineering into a common vocabulary and uniform understanding
5. Prioritize R&D needs and gap analysis to identify research needs for near and long term solutions
6. Identify simulation and analysis capabilities for validating resilience and testing interdependencies for notional critical infrastructure

Needs Statement

At the core of critical infrastructure operation are control systems and other OT. However, unlike the highly autonomous characterizations of OT believed by many to be at the heart of efficient, effective and resilient critical infrastructure systems, modern OT are effectively digital versions of the analog systems they replaced. While these networked platforms have provided a means to establish central monitoring and ease integration of feedback controls, the algorithms used for automation are primarily the same as those invented prior to the year 1950. Unfortunately, the ability to network distributed components has established a framework for additional cyber, cognitive and human complex interdependencies and a resulting system rigidity or brittleness, establishing the potential for cascading failures. Current OT lack the ability to anticipate and manage the risk of failures of the critical infrastructure system controlled, or even sensors and field devices, and require the operator/dispatcher to be the analyst and root cause expert mining the large volume of data received. Ultimately, modern OT lack the framework needed to achieve global production efficiencies, let alone the ability to recognize and optimize a response to a natural or manmade malicious or benign, unintended event, and therefore is a fundamental gap to establishing resilient critical infrastructure systems. Without a significant investment by the federal government to address this national gap in technology, policies and regulations, modern OT will remain the soft underbelly for cyber-attacks, a major impediment to implementing national Smart Grid, and the limiting technology to optimizing response to the next national-scale emergency like Hurricane Sandy.

Development of a national innovation strategy to advance R&D for critical infrastructure resilience involves collaborative effort across the federal agencies, universities, and industry owners and operators, as critical infrastructure resilience involves energy production and distribution, transportation, manufacturing and many other sectors, that are key elements to national security and the economy. While fundamental research in some of the national working groups could provide some scientific underpinnings, there is a critical need to build national consensus and collaboration across different stakeholders to meet the unique interdisciplinary, resilience challenges of control systems, including the cyber, cognitive and human complex interdependencies of dynamic, real-time systems. This is particularly important as, by their very nature, OT are inherently different than information technologies (IT) as OT are fundamentally necessary for every critical infrastructure to operate. Therefore, a national R&D strategy and an accompanying economic case for focusing on rapid transition and deployment of resilient next generation architectures is needed to prevent and/or deliver appropriate response to reoccurring major events that impact control systems in various economic sectors.

This R&D investment in OT has the potential to revolutionize current designs that to date have been left to evolve organically in the private sector, providing very reliable systems for routine day-to-day operation and minor disturbances, but lacking resilience in the face of human-made threats and major naturally-occurring disasters that our infrastructure currently needs. The development of such technologies and applications will underpin next generation designs for critical infrastructure, providing a common, resilient architecture for chemical and natural gas plants, power generation, transmission and distribution, oil production and distribution, refineries, nuclear facilities and defense systems, the failure of which can lead to loss of lives and major national disasters.

To align the focus of the breakout sessions, presentations over spanning broad topical areas are planned for this workshop:

1. Integrating and holistically evaluating degradation within cyber-physical architectures and then mitigation, which is a fundamental first step to advancing more autonomous architectures that achieve greater efficiencies of operation while also being threat-resilient.
2. Optimizing the benign human interaction within OT to achieve reproducibility of response, regardless of experience, achieving greater human resilience in response to threats
3. Enabling the need for a spectrum of cyber security technologies, including physical indicators for OT, and setting the basis for adapting the response of OT to threats and place defenders on a equal footing
4. Establishing distributed architectures that enable an adaptive and agile framework to recognize and respond to threats, stabilizing disturbances at the local level while maintaining a global optimum in performance
5. Understanding fundamental methods to advance resilience technologies and applications, including the current status of resilience science and engineering vis-a-vis the real world demand
6. Identifying policy-based and market-based incentives that advance the value proposition for investment and measurement of run-performance when these technologies and applications are implemented
7. Establishing metrics for assessing resilience including impact of cross-coupled critical infrastructures.
8. Creating scalable test-bed environments for metrics-based experimentation, including testing and validation of resilience R&D in sector-specific and multi-sector community contexts, where the survival of critical utilities is an underlying element to preserving the health and livelihood of individuals

Department of Homeland Security (DHS) has recognized certain "lifeline" sectors the have regional and national interdependencies. These include energy, water, transportation and telecommunications. These sectors will bracket the critical infrastructure of focus in this workshop, noting that these also affect defense systems.