Grand Challenges - OR: Catalyst for Grand Challenges
Opportunities in security
By David P. Morton and Suvrajeet Sen
This is the third in a series of articles based on a report to the National Science Foundation titled, “O.R. as a Catalyst for Engineering Grand Challenges.”
The infrastructure of the United States, and the world, is increasingly interconnected. The ongoing integration of systems – including transportation, energy, water, communications, finance and more – has been central to their growth in scale and reach and has facilitated increases in their functional efficiency. At the same time, these interdependencies make systems more vulnerable to both intentional threats and unintentional hazards. Operations researchers and O.R. practitioners build operational models of such systems precisely because the system’s performance can depend, often in surprising and subtle ways, on how various subsystems interact. As interconnected systems grow in complexity, having a trusted operational model is ever more essential for assessing system vulnerabilities and, in turn, addressing the challenge of how to secure that system. O.R. is ideally positioned to address the challenges of: formulating operational models of suitable fidelity; understanding vulnerabilities using appropriate models for chance hazards and malicious attacks; and, allocating scarce resources to best secure the system.
In 2008, the U.S. National Academy of Engineering (NAE) unveiled its Engineering Grand Challenges. Here, we discuss how operations research can contribute to three of these challenges that involve security: 1) restore and improve urban infrastructure, 2) prevent nuclear terror, and 3) secure cyberspace.
Restore and Improve Urban Infrastructure
The U.S. Department of Homeland Security (DHS) identifies the nation’s critical infrastructure as involving the following sectors:
- Critical Manufacturing
- Food and Agriculture
- Banking and Finance
- Information Technology
- Healthcare and Public Health
- Chemical Industry
- Emergency Services
- Defense Industrial Base
- Nuclear Reactors, Material and Waste
- Commercial Facilities
- Transportation Systems
- Government Facilities
- Postal and Shipping
- National Monuments and Icons
For decades, O.R. has helped plan, design, construct, monitor and maintain critical infrastructure. The O.R. community has pioneered advances in planning, operating and securing electric power systems and markets; in pricing financial instruments and optimizing financial portfolios; in recommending policy and improving operations for healthcare systems, public health systems and emergency services; in designing and operating manufacturing systems and supply chains; in routing and flow control in communications and transportation networks; in planning, operating and securing water-supply networks; and much more. That said, with an aging but increasingly interconnected infrastructure, and evolving threats arising from changes in geopolitics, we need more research to secure our critical infrastructure.
A principled O.R. approach to securing such systems consists of three steps. First, we must understand how a system operates. We must have a working model, not only of how the system operates under nominal conditions, but also of how it will operate if any subset of its components is degraded or disabled. We cannot enumerate a handful of threat scenarios of how a system might be disrupted and expect it to span what we must consider. Rather, we require an operational model that we can systematically query.
The second step to secure infrastructure requires that we understand its vulnerabilities. To do so, we must distinguish unintentional hazards (e.g., natural disasters, malfunctions and human errors) and intentional threats (e.g., threats from vandals, criminals, saboteurs and terrorists). The O.R. literature is replete with probabilistic models to represent the former, and the O.R. tools of game theory and adversarial models can capture the capabilities of an intelligent, informed and determined attacker.
Given a model, or family of models, from the first two steps, the third step involves allocating scarce resources to best enhance system security. O.R. is particularly well suited for formulating models to guide such choices.
Key to securing critical infrastructure is recognizing that components in our systems will fail and our infrastructure will be attacked. We cannot enhance component reliability – and deter determined adversaries – to the point where failures and attacks disappear. The foremost goal in securing infrastructure is that our systems be resilient; i.e., after degradation, operation of a system should adapt to its new configuration with minimal loss of capability.
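The three steps above can be made concrete on a small network. The following is an added example, not code from the article or from the report it summarizes: the five-arc network, its capacities and every function name are constructed for illustration. Step 1 is a max-flow model that can be queried for any set of lost arcs, step 2 contrasts a random single-arc failure with an informed adversary, and step 3 enumerates which arcs to harden under a budget.

```python
from collections import deque
from itertools import combinations

# Constructed toy network (arc -> capacity); not data from the article.
ARCS = {("s", "h"): 12, ("h", "t"): 7, ("h", "a"): 6, ("a", "t"): 6, ("s", "a"): 3}

def max_flow(arcs, src="s", dst="t"):
    """Step 1, operational model: deliverable flow on whatever arcs survive."""
    res = {src: {}, dst: {}}
    for (u, v), cap in arcs.items():
        res.setdefault(u, {}).setdefault(v, 0)
        res.setdefault(v, {}).setdefault(u, 0)
        res[u][v] += cap
    total = 0
    while True:  # Edmonds-Karp: augment along shortest residual paths
        parent, queue = {src: None}, deque([src])
        while queue and dst not in parent:
            u = queue.popleft()
            for v, cap in res[u].items():
                if cap > 0 and v not in parent:
                    parent[v] = u
                    queue.append(v)
        if dst not in parent:
            return total
        path, v = [], dst
        while parent[v] is not None:
            path.append((parent[v], v))
            v = parent[v]
        push = min(res[u][v] for u, v in path)
        for u, v in path:
            res[u][v] -= push
            res[v][u] += push
        total += push

def surviving(arcs, lost):
    return {a: c for a, c in arcs.items() if a not in lost}

def random_hazard(arcs):
    """Step 2a, chance hazard: one arc fails uniformly at random; mean flow."""
    flows = [max_flow(surviving(arcs, {a})) for a in arcs]
    return sum(flows) / len(flows)

def worst_attack(arcs, hardened=frozenset(), k=1):
    """Step 2b, informed adversary: removes the k unhardened arcs that hurt most."""
    best = (max_flow(arcs), ())
    targets = [a for a in arcs if a not in hardened]
    for hit in combinations(targets, min(k, len(targets))):
        flow = max_flow(surviving(arcs, hit))
        if flow < best[0]:
            best = (flow, hit)
    return best

def best_defense(arcs, budget=1, k=1):
    """Step 3, allocation: harden `budget` arcs to maximize worst-case flow."""
    best = (-1, (), ())
    for guard in combinations(arcs, budget):
        flow, hit = worst_attack(arcs, frozenset(guard), k)
        if flow > best[0]:
            best = (flow, guard, hit)
    return best

if __name__ == "__main__":
    print("nominal", max_flow(ARCS), "random", random_hazard(ARCS))
    print("attack", worst_attack(ARCS))
    for b in (1, 2):
        print("budget", b, best_defense(ARCS, budget=b))
```

On this network the expected flow under a random single failure is well above the worst case under attack, and the second hardened arc buys much less than the first, which is the resource-allocation question the third step is meant to answer.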
The notion of taking a system-level view and of aspiring to resilience in the face of inevitable hazards and threats is well recognized by the U.S. National Security Strategy [1]: “…the increasing interdependence of the global economy and rapid pace of technological change are linking individuals, groups, and governments in unprecedented ways. This enables and incentivizes new forms of cooperation to establish dynamic security networks... It also creates shared vulnerabilities, as interconnected systems and sectors are susceptible to the threats of climate change, malicious cyber activity, pandemic diseases, and transnational terrorism and crime.”
The O.R. literature includes significant work for securing infrastructure, with a seminal paper by Brown et al. [2] describing the modeling framework we have just sketched and applying that framework to improving the security of our border, petroleum reserve and electric power grid. See, for example, [3, 4] for related work on securing air travel, [5] for work on securing municipal water systems and [6] for a recent overview.
Despite the success of this research, our foremost challenges in securing infrastructure remain. Modeling interdependencies in systems of vast physical scale and detail and of disparate time scales is truly challenging. Populating such models with appropriate data can be challenging because most of the U.S. critical infrastructure is privately owned and operated. Success with such challenges helps build a trusted model through the first step above. However, an all-inclusive operational model typically does not have enough structure to lend itself to rigorous application of the second step to assess system vulnerabilities, let alone to application of the third step to optimize system security. Understanding and communicating to the stakeholders which differences in levels of detail in an operational model make a difference when it comes to understanding system vulnerabilities remains a deep challenge.
Prevent Nuclear Terror
The efforts of terrorist organizations and rogue nations to obtain nuclear material and technology to produce a nuclear weapon are well documented. The United Nations’ International Atomic Energy Agency (IAEA) maintains an Illicit Trafficking Database. From 1993 to 2011, more than 2,000 incidents of unauthorized possession of nuclear and other radioactive material were reported. Sixteen of these incidents involved highly enriched uranium or plutonium (i.e., weapons-grade material). The IAEA reports that in cases where such information is available, the majority of these incidents involved traffickers attempting to sell illicit material. That said, motives of nuclear smugglers will likely change as the material changes hands from its origin to its intended destination.
The Domestic Nuclear Detection Office (DNDO) is part of the U.S. Department of Homeland Security. DNDO is charged with developing the Global Nuclear Detection Architecture (GNDA). Doing so requires coordination across multiple federal agencies including the U.S. Departments of Energy, Defense, State and the Nuclear Regulatory Commission. As part of the GNDA, the National Nuclear Security Administration (NNSA) works with other countries to: “Deter, detect, and interdict illicit trafficking in nuclear and other radioactive materials across international borders and through the global maritime shipping system. The goal is to reduce the probability of these materials being fashioned into a weapon of mass destruction or a radiological dispersal device (‘dirty bomb’) to be used against the United States or its key allies and international partners.”
Concern with this threat predates Sept. 11, 2001. The NNSA program has its origins in 1998, when the United States, with the Russian State Customs Committee, launched a program that included placing radiation portal monitors (RPMs) at Russian customs checkpoints to deter smuggling of nuclear material out of Russia. That program has since expanded to border crossings and sea ports across the globe.
Much of the work associated with deploying the GNDA has involved NNSA and DNDO installing RPMs at international and domestic seaports, airports, rail and road border crossings. Customs and border protection officers are equipped with mobile radiation detectors. DNDO is developing other mobile detectors that can be deployed in so-called surge operations informed by intelligence reports. Further initiatives aim to secure cities and address challenges of detecting smuggling attempts between authorized ports of entry including smuggling attempts via small maritime craft and general aviation.
Conventional wisdom seems to be that obtaining weapons-grade material may be the most serious hurdle faced by a would-be nuclear terrorist:
“It should not be assumed that terrorists or other groups wishing to make nuclear weapons cannot read.”
– Richard Garwin and Georges Charpak
“With modern weapons-grade uranium … terrorists, if they have such material, would have a good chance of setting off a high-yield explosion simply by dropping one half of the material onto the other half … even a high school kid could make a bomb in short order.”
– Luis Alvarez
For this reason, the NAE report has chosen to focus on nuclear material, outlining the challenges as follows:
- How to secure nuclear material: Securing nuclear material requires a model of the supply chain. The IAEA inspects state nuclear programs in an attempt to ensure material is not being misused or diverted; O.R. models should play a role in the timing and nature of these inspections. If a rogue nation has developed an illicit nuclear program, the international community has at its disposal various options including diplomacy, embargoes, poaching, sabotage and military strikes. Understanding how to best interdict such a program relies heavily on O.R. [7].
- How to detect material, especially at a distance: Much work in improving detection capability requires technological breakthroughs for better detectors. However, there are important opportunities for better detection algorithms; for deploying systems of detectors in multi-layered defense around cities and at border checkpoints; and, in developing inspection protocols at ports. O.R. has contributed in these areas; see, e.g., [8, 9, 10]. Further challenges exist in securing borders between ports of entry.
- How to render a potential device harmless: The U.S. nuclear arsenal has an elaborate system of safety technology designed to prevent accidental, and intentional but unauthorized, detonations. The U.S. has worked to down-blend, or secure, weapons-grade nuclear material at storage sites in former Soviet States, and O.R. tools could inform how to prioritize such activities. O.R. played a role in scheduling the dismantling process for U.S. nuclear weapons at the Pantex site [11].
- Emergency response, cleanup and public communication after explosion. This challenge has much in common with the discussion above on resilience of critical infrastructure. Here, we require modeling of interconnected systems of critical infrastructure having incurred a massive disruption. This challenge is ideally suited for O.R. tools for precisely the reasons sketched in the infrastructure section.
- Determining responsibility for an attack. The foremost challenge in attribution concerns nuclear forensics, which identify the source of the nuclear material. O.R. tools can enable “systems-based forensics,” e.g., given limited information regarding a captured nuclear smuggler, we may be able to infer via an “inverse problem” his origin and intended destination.
The O.R. community has already made significant contributions, but the challenge of preventing nuclear terror has engaged a small number of O.R. researchers, and there are significant opportunities to have greater impact. Moreover, in addition to nuclear and radiological threats, analogous challenges exist regarding chemical and biological attacks.
Secure Cyberspace
Information and control systems are deeply embedded in our critical infrastructure. These systems have been designed for efficiency, with security typically included as an afterthought. We literally “patch” security holes as they are exposed in our daily computing devices.
O.R. is in an ideal position to balance efficient operation of infrastructure systems and the ability of these systems to thwart, and be resilient to, cyber-attacks. Cybersecurity threats range from individual criminal hackers to organized criminal groups to terrorists to nation states. Adversaries can disrupt our critical infrastructure on a massive scale. China and Russia have probed the U.S. electric power grid. Traditional “perimeter” defenses, like firewalls, are eventually penetrated or otherwise bypassed. They do not deal with denial-of-service attacks, and they fail to deal with adversaries already inside the perimeter. Improving intelligence is key in protecting infrastructure, including cyberspace.
O.R.’s wide reach positions our community to provide the kind of understanding of system complexity identified in the Networking and Information Technology Research (NITR) strategic plan [12], which calls for a “new system science … to provide unified foundations, models, tools, system capabilities and architectures that enable innovation in highly dependable cyber-enabled engineered and natural systems.” The new science that the report promotes appears to be at the intersection of three perspectives: 1) O.R. models and algorithms; 2) systems and controls; and 3) computer science. This multi-disciplinary approach has already started to take root, and we anticipate that this convergence will provide the foundations for cybersecurity.
Given the inherent vulnerabilities of cyber defenses, increased attention has been given to robust design. While a centralized electric power grid has enormous economies of scale, this architecture can be vulnerable to cyberattacks and unintentional hazards. Distributed generation allows micro- and regional grids to remain up and running as the larger grid recovers from a disruption. The proper design of a distributed generation network is precisely the type of network design problem long addressed by the O.R. community.
While software reliability has been studied in the O.R. community for decades, designing systems to handle cyber-threats is relatively uncharted territory. We expect that collaboration between O.R. groups and practitioners of cybersecurity will guide the manner in which security is designed into cybersystems. We draw attention to the following from the U.S. strategy for R&D to secure cyberspace [13]:
“To operate effectively as a moving target in cyberspace, we must understand our system’s state, be aware of our surroundings, know the soundness of the structures on which we rely, and know what is happening around us ... Ultimately, we must provide knowledge-driven systems that remove the human from the loop in many system decisions. But for those decisions that do require human decision-making, the combination of high complexity and short processing time strains human cognitive processes, so we must provide novel methods of presenting information, directing attention, and navigating between analytics at different scales.”
The analytics cited highlight the interplay between data and decisions, calling for greater infusion of O.R. into cybersecurity. The challenges of cybersecurity rely on the ability to bring a variety of processes and resources together in a timely manner to enhance our ability to thwart adversaries, even as they are intent on continual barrages of attacks. Current statistical approaches for intrusion and anomaly detection often focus on attacks at a network node. However, denial-of-service attacks often cascade through a network, and so network-wide, i.e., higher dimensional, models become necessary. The O.R. community, especially the military O.R. community, has been a source of many ideas behind such cascading threats. This experience, together with O.R.’s close ties to computer science, should provide fertile ground for collaboration to face this important security challenge.
Contributors to the Report
“O.R. as a Catalyst for Engineering Grand Challenges,” a report to the National Science Foundation, was compiled by a team of contributors led by Suvrajeet Sen of the University of Southern California:
- Cynthia Barnhart, Massachusetts Institute of Technology
- John R. Birge, University of Chicago
- E. Andrew Boyd, PROS
- Michael C. Fu, University of Maryland
- Dorit S. Hochbaum, University of California-Berkeley
- David P. Morton, Northwestern University
- George L. Nemhauser, Georgia Institute of Technology
- Barry L. Nelson, Northwestern University
- Warren B. Powell, Princeton University
- Christine A. Shoemaker, National University of Singapore
- David D. Yao, Columbia University
- Stefanos A. Zenios, Stanford University
References
1. U.S. White House, 2015, National Security Strategy.
2. Brown, G.G., Carlyle, W.M., Salmerón, J., Wood, R.K., 2006, “Defending critical infrastructure,” Interfaces, Vol. 36, pp. 530-544.
3. Pita, J., Jain, M., Western, C., Paruchuri, P., Marecki, J., Tambe, M., Ordonez, F., Kraus, S., 2008, “Security via randomization: A game-theoretic model and its application to the Los Angeles International Airport,” Proceedings of IEEE Conference on Technologies for Homeland Security.
4. McLay, L.A., Jacobson, S.H., Lee, A.J., 2010, “Risk-based policies for aviation security checkpoint screening,” Transportation Science, Vol. 44, pp. 333-349.
5. Murray, R., Haxton, T., Janke, R., Hart, W.E., Berry, J., Phillips, C., 2010, “Sensor network design for drinking water contamination warning systems: A compendium of research results and case studies using the TEVA-SPOT software,” (Technical Report EPA/600/R-09/141), National Homeland Security Research Center, Office of Research and Development, U.S. Environmental Protection Agency.
6. Alderson, D.L., Brown, G., and Carlyle, W.M., 2015, “Operational models of infrastructure resilience,” Risk Analysis, Vol. 35, pp. 562-586.
7. Brown, G.G., Carlyle, W.M., Harney, R., Skroch, E., Wood, R.K., 2009, “Interdicting a nuclear weapons project,” Operations Research, Vol. 57, pp. 866-877.
8. Atkinson, M.P., Cao, Z., Wein, L.M., 2008, “Optimal stopping analysis of a radiation detection system to protect cities from a nuclear terrorist attack,” Risk Analysis, Vol. 28, pp. 353-371.
9. Dimitrov, N.B., Michalopoulos, D., Morton, D.P., Nehme, M.V., Pan, F., Popova, E., Schneider, E.A., Thoreson, G.G., 2011, “Network deployment of radiation detectors with physics-based detection probability calculations,” Annals of Operations Research, Vol. 187, pp. 207-228.
10. Wein, L.M., Wilkins, A.H., Baveja, M., Flynn, S.E., 2006, “Preventing the importation of illicit nuclear materials in shipping containers,” Risk Analysis, Vol. 26, pp. 1377-1393.
11. Asgeirsson, E., Berry, J., Phillips, C.A., Phillips, D.J., Stein, C., Wein, J., 2004, “Scheduling an industrial production facility,” Proceedings of IPCO X, pp. 116-131.
12. National Science and Technology Council, 2012, “The Networking and Information Technology Research (NITR) and Development Program Strategic Plan.”
13. Executive Office of the President, National Science and Technology Council, 2011, “Trustworthy Cyberspace: Strategic Plan for the Federal Cybersecurity Research and Development Plan.”