Cyber resilience

Cyber resilience refers to an entity's ability to continuously deliver the intended outcome, despite cyber attacks.[1] Resilience to cyber attacks is essential to IT systems, critical infrastructure, business processes, organizations, societies, and nation-states. A related term is cyberworthiness,[2] which is an assessment of the resilience of a system from cyber attacks. It can be applied to a range of software and hardware elements (such as standalone software, code deployed on an internet site, the browser itself, military mission systems, commercial equipment, or IoT devices).

Adverse cyber events are those that negatively impact the availability, integrity, or confidentiality of networked IT systems and associated information and services.[3] These events may be intentional (e.g. cyber attack) or unintentional (e.g. failed software update) and caused by humans, nature, or a combination thereof.

Unlike cyber security, which is designed to protect systems, networks and data from cyber crimes, cyber resilience is designed to prevent systems and networks from being derailed in the event that security is compromised.[4] Cyber security is effective without compromising the usability of systems and there is a robust continuity business plan to resume operations, if the cyber attack is successful.

Cyber resilience helps businesses to recognize that hackers have the advantage of innovative tools, element of surprise, target and can be successful in their attempt. This concept helps business to prepare, prevent, respond and successfully recover to the intended secure state. This is a cultural shift as the organization sees security as a full-time job and embedded security best practices in day-to-day operations.[5] In comparison to cyber security, cyber resilience requires the business to think differently and be more agile on handling attacks.

The objective of cyber resilience is to maintain the entity's ability to deliver the intended outcome continuously at all times.[6] This means doing so even when regular delivery mechanisms have failed, such as during a crisis or after a security breach. The concept also includes the ability to restore or recover regular delivery mechanisms after such events, as well as the ability to continuously change or modify these delivery mechanisms, if needed in the face of new risks. Backups and disaster recovery operations are part of the process of restoring delivery mechanisms.

Frameworks

[edit]

Resilience, as defined by Presidential Policy Directive PPD-21, is the ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions.[7] Cyber resilience focuses on the preventative, detective, and reactive controls in an information technology environment to assess gaps and drive enhancements to the overall security posture of the entity. The Cyber Resilience Review (CRR) is one framework for the assessment of an entity's resiliency created by the Department of Homeland Security. Another framework created by Symantec is based on 5 pillars: Prepare/Identify, Protect, Detect, Respond, and Recover.[8]

The National Institute of Standards and Technology's Special Publication 800-160 Volume 2 Rev. 1[9] offers a framework for engineering secure and reliable systems—treating adverse cyber events as both resiliency and security issues. In particular 800-160 identifies fourteen techniques that can be used to improve resiliency:

Cyber Resiliency Techniques[10]
Technique Purpose
Adaptive Response Optimize the ability to respond in a timely and appropriate manner.
Analytic Monitoring Monitor and detect adverse actions and conditions in a timely and actionable manner.
Coordinated Protection Implement a defense-in-depth strategy, so that adversaries have to overcome multiple obstacles.
Deception Mislead, confuse, hide critical assets from, or expose covertly tainted assets to, the adversary.
Diversity Use heterogeneity to minimize common mode failures, particularly attacks exploiting common vulnerabilities.
Dynamic Positioning Increase the ability to rapidly recover from a non-adversarial incident (e.g., acts of nature) by distributing and diversifying the network distribution.
Dynamic Representation Keep representation of the network current. Enhance understanding of dependencies among cyber and non-cyber resources. Reveal patterns or trends in adversary behavior.
Non-Persistence Generate and retain resources as needed or for a limited time. Reduce exposure to corruption, modification, or compromise.
Privilege Restriction Restrict privileges based on attributes of users and system elements as well as on environmental factors.
Realignment Minimize the connections between mission-critical and noncritical services, thus reducing the likelihood that a failure of noncritical services will impact mission-critical services.
Redundancy Provide multiple protected instances of critical resources.
Segmentation Define and separate system elements based on criticality and trustworthiness.
Substantiated Integrity Ascertain whether critical system elements have been corrupted.
Unpredictability Make changes randomly and unexpectedly. Increase an adversary's uncertainty regarding the system protections which they may encounter, thus making it more difficult for them to ascertain the appropriate course of action.

See also

[edit]

References

[edit]
  1. ^ Björck, Fredrik; Henkel, Martin; Stirna, Janis; Zdravkovic, Jelena (2015). Cyber Resilience - Fundamentals for a Definition. Advances in Intelligent Systems and Computing. Vol. 353. Stockholm University. pp. 311–316. doi:10.1007/978-3-319-16486-1_31. ISBN 978-3-319-16485-4.
  2. ^ Roland L. Trope (March 2004). "A Warranty of Cyberworthiness". 2 (2, pp. 73-76). IEEE Security and Privacy. doi:10.1109/MSECP.2004.1281252. {{cite journal}}: Cite journal requires |journal= (help)
  3. ^ Ross, Ron (2021). "Developing Cyber-Resilient Systems: A Systems Security Engineering Approach" (PDF). NIST Special Publication. 2 – via NIST.
  4. ^ "Cyber Resilience". www.itgovernance.co.uk. Retrieved 2017-07-28.
  5. ^ Council, Editors, Forbes Technology. "Cybersecurity Is Dead". Forbes. Retrieved 2017-07-28. {{cite news}}: |first= has generic name (help)CS1 maint: multiple names: authors list (link)
  6. ^ Hausken, Kjell (2020-09-01). "Cyber resilience in firms, organizations and societies". Internet of Things. 11: 100204. doi:10.1016/j.iot.2020.100204. hdl:11250/2729453. ISSN 2542-6605.
  7. ^ "What Is Security and Resilience? | Homeland Security". www.dhs.gov. 2012-12-19. Retrieved 2016-02-29.
  8. ^ "The Cyber Resilience Blueprint: A New Perspective on Security" (PDF).
  9. ^ (NIST), Ron Ross; (MITRE), Richard Graubart; (MITRE), Deborah Bodeau; (MITRE), Rosalie McQuaid (December 2021). "SP 800-160 Vol. 2 Rev 1., Developing Cyber-Resilient Systems: A Systems Security Engineering Approach". csrc.nist.gov. Retrieved 2022-08-11.
  10. ^ (NIST), Ron Ross; (MITRE), Richard Graubart; (MITRE), Deborah Bodeau; (MITRE), Rosalie McQuaid (December 2021). "SP 800-160 Vol. 2 Rev 1., Developing Cyber-Resilient Systems: A Systems Security Engineering Approach". csrc.nist.gov. Retrieved 2022-08-11.