In our previouspost we discussed the benefits that cyber resilience brings to organisations. These benefits highlight the importance of resiliency, especially if we consider the impact of orchestrated, sophisticated cyber-attacks to national critical infrastructures, such as energy, water, transportation, healthcare and financial.
The importance of cyber resiliency is captured in the NIST SP 800-160 Vol.2, Cyber Resiliency Considerations for the Engineering of Trustworthy Secure Systems, where it is mentioned that:
For the nation to survive and flourish in the 21st century where hostile actors in cyberspace are assumed and IT will continue to dominate every aspect of our lives, we must develop trustworthy, secure IT components, services, and systems that are cyber resilient.
The question that arises is how organisations can achieve cyber resiliency. NIST, MITRE and the US Department of Homeland Security (DHS) have defined and elaborated on the techniques to achieve cyber resiliency. These techniques are the tools for organisations to meet the goals and the objectives of cyber resilience.
Cyber resiliency goals and objectives
The foundations of cyber resiliency are conventional security, cybersecurity, and continuity of operations. However, cyber resiliency assumes that a stealthy, persistent, and sophisticated adversary has already compromised corporate networks and system components and established a foothold within an organization.
Based on this assumption, MITRE defines the goals of cyber resiliency as:
AnticipateMaintain situational awareness for adversity
Withstand Continue essential business functions despite adversity
Recover Restore business functions during and after adversity
Evolve Adapt business functions to changes in the technical, operational, or threat environments
While goals are at the strategic level, objectives are closer to the tactical level and serve as a bridge between techniques and goals. Objectives enable different stakeholders to assert their different resiliency priorities based on mission or business functions. The cyber resiliency objectives are described briefly in the table below.
Cyber resiliency techniques
Cyber resiliency techniques are approaches to achieving one or more cyber resiliency objectives that can be applied to the architecture of business functions and the cyber resources that support them. Applying these resiliency techniques and design principles to critical infrastructures is particularly important not only to prevent the disruption of vital lifeline services, but also to prevent long-term damage to the physical infrastructure itself.
According to NIST SP 800-160 Vol.2, engineering cyber resilient systems involves the following characteristics that should be considered when designing new systems or enhancing existing ones.
Focus on the mission and business objectives
Focus on the effects of stealthy and continuous computer hacking processes, often orchestrated by a well-resourced criminal group or state actor that targets a specific entity.
Assume that the adversary will compromise or breach the organization
Assume that the adversary will maintain a prolonged presence in the organization
Considering the cyber resiliency goals, objectives and characteristics described above, the following table provides an overview of the techniques that organisations can use to meet these requirements.
The definitions of cyber resiliency techniques are intentionally broad to insulate the definitions from changing technologies and threats, thus limiting the need for frequent changes to the set of techniques.
The cyber resiliency techniques should be applied selectively to the architecture design based on the business mission and their supporting system resources. Trade-offs will need to be made as these techniques have natural synergies as well as conflicts when used together.
To assist organisations to apply the cyber resiliency techniques, NIST has identified different technical approaches. However, applying a cyber resiliency technique will not require the use of all approaches which are representative of it, and not all techniques will be applied to a given system-of-interest. Cyber resiliency techniques should be mapped to the specific peculiarities of each industry or organisation.
The topic of cyber resiliency techniques cannot be exhausted or covered in full extend in a single post. Interested parties and organisations are encouraged to read the following publications:
ADACOM has a well-established approach toinformation resilience, supported by a robust implementation framework. We follow a holistic approach towards protecting all types of sensitive information, in all phases of the information lifecycle throughout all business verticals, regardless of the underlying business and technology ecosystem. Our aim is to maximize the resilience of critical business information and keep information trustworthy even when the organization is under stress.
ADACOM’s Digital Resilience Readiness Service, undertakes an assessment of the Digital Resilience controls effectiveness & maturity, and provides Organizations with a Roadmap and a Strategy for Digital Resilience enhancement.
Digital Resilience Readiness Service includes the following:
Assessment of the level of effectiveness and maturity of of the security controls related to cyber resiliense