How to Achieve Cyber Resilience
In industry and in government it is not a question of if you will be cyber-attacked and potentially breached, but when. The cyber-attack surface has grown exponentially larger in recent years with the meshing of OT and IT systems, and the greater connectivity brought by the Internet of Things. Also, the threat actors themselves, that include nation states, criminal enterprises, insider threats, and hacktivists, have become more sophisticated and capable. Their activities are increasingly being focused on critical infrastructure, including the energy and utilities industry.
The energy ecosystem includes power plants, utilities, nuclear plants, and the electric grid. Protecting the sector’s critical ICS, OT, and IT systems from cybersecurity threats is complex, as much of the energy critical infrastructure components have unique operational frameworks and access points, and they integrate a variety of legacy systems and technologies.
Because of the changing digital ecosystem, and the consequences of being breached, creating a cybersecurity framework that encompasses resiliency has a top priority for mitigating both current and future threats. There are multiple components to that framework that need to be explored. This is the first blog of a four-part series that will focus on the key elements of a cyber resiliency framework, (1) verification, (2) visibility, and (3) velocity. Another objective with this series is to intersect/combine cyber resiliency and NERC CIP compliance.
What is Cyber Resilience?
A joint DNI, DHS Report sees cyber resilience as “important for mission-essential systems that support our national security, homeland security, essential government services, and the critical infrastructure that supports the nation’s economy. Cyber resiliency is that attribute of a system that assures it continues to perform its mission-essential functions even when under cyber-attack. For services that are mission-essential, or that require high or uninterrupted availability, cyber resiliency should be built into the design of systems that provide or support those services.“
In August of 2021, NIST updated its guide on Cybersecurity Resilience by sharing a new definition: The NIST Draft “turns the traditional perimeter defense strategy on its head and moves organizations toward a cyber resiliency strategy that facilitates defending systems from the inside out instead of from the outside in. This guidance helps organizations anticipate, withstand, recover from, and adapt to adverse conditions, stresses, or compromises on systems – including hostile and increasingly destructive cyber-attacks from nation states, criminal gangs, and disgruntled individuals.” SP 800-160 Vol. 2 Rev. 1 (Draft), Developing Cyber-Resilient Systems: SSE Approach | CSRC (nist.gov)
To initiate a strategy for verification, visibility, and velocity within a cyber resiliency framework for mission-essential systems such as utilities, you also need perspectives to build on the DNI/DHS definition of what constitutes cyber resilience from practitioners in the field. We asked leading experts to share their definition of resilience in the context of a cyber system.
According to George Platsis, Senior Lead Technologist, Proactive Incident Response & Crisis Management at Booz Allen Hamilton, utilities, and individual organizations should have that candid talk and define what “cyber resilience” means to them. He notes that the Lawrence Livermore National Laboratory defines their Cyber and Infrastructure Resilience Program’s mission as the ability to enhance the security and resilience of the nation’s critical infrastructure systems and networks to cyber, physical, and environmental hazards and to enable their reliable and sustainable design and operation now and into the future. George interprets that as “the ability to keep the business going, regardless of hazard.”
Marcus Sachs, Research Director for Auburn University’s McCrary Institute for Cyber and Critical Infrastructure Security, and former Senior Vice President and Chief Security Officer at the North American Electric Reliability Corporation, sees resilience as the “ability to recover, or the ability to endure some sort of pain.” For any organization, and that includes utilities, from small distribution up to transmission and generation. If you’re able to continue to operate in the face of an adversary, or be able to recover very, very quickly, should something bad happen, that’s good resilience. Realistically, we’re going to have interruptions. So, how quickly can you recover from an interruption, is a good gauge of your resiliency.”
Patrick C. Miller, CEO at Ampere Industrial Security and Founder and President Emeritus of the Energy Sector Consortium, states that “by and large, most utilities know that resilience means continuing to operate under negative, degraded or even adversarial operating conditions. They understand this from many perspectives, with a long history of response and recovery after natural disasters and other human/animal-caused outages (car/pole, backhoe, squirrels, etc.). Adding cyber to that, whether through accidental or malicious human action, is nothing outside of their world.”
Benjamin Stirling, Former Manager of Generation Cybersecurity at Vistra, believes that frameworks for classifying Process that you are protecting are integral to cyber resilience. He says that the first step in risk analysis for OT and ICS cybersecurity is understanding and classifying the process. He notes that protecting a water treatment plant at a site versus a burner management system at a site may be two very different things. “Once you have this risk categorization piece done, then you can suggest how you’re going to protect those assets and begin to have a methodology. You can go down a path where you can have a reasonable risk-based approach to resilience.
Paul Ferrillo, Privacy and Cybersecurity Partner at Seyfarth Shaw LLP, perhaps has a description of the topic that many can relate. He defines cyber resilience much as a boxing match, as being able to take a punch right in the face and hitting the canvas and getting back up again. For him, resilience is getting back on the internet, doing your backups, restoring your backup tapes, and getting back into play.
All these cybersecurity experts concur that cyber resilience is generally defined as being able recover and go forward and continue to operate in the event of an incident. Sometimes that is easier said than done, especially with morphing of threats, a dearth of skilled cybersecurity workforce, and the regulatory requirements of maintaining critical infrastructure that is often owned by the private sector and government by the public sector.
Also, there is no one size cyber resilience framework that fits all cases, even in the same industry such as utilities. The ability to be cyber resilient starts with a risk management focus and allocation of resources and training to varying threat scenarios to get to the end goal of being able to recover quickly and remain operational. It also requires a customized strategy augmented by automation tools to keep systems optimally prepared and running.
In further discussions with the SME practitioners, it was clearly surmised that cyber risk management is the nexus for helping best secure cyberspace, especially in OT/ICS operating environments. This will require creating a cyber-resilience framework that will assess situational awareness, adhere to compliance mandates, align policies & training, optimize technology integration, promote information sharing, establish mitigation capabilities, and maintain cyber resilience in event of incidents. This is where the specific elements of verification, visibility, and velocity need to be enabled to achieve cyber resilience.