It’s not if we’re breached, but when… In cyber security, the fortress mentality is the view that all threats can be kept outside of the organisation’s networks, with defensive measures in place making the network impenetrable. This ignores the threat posed by insiders, both accidental and malicious, and also rests on the (often misguided) assumption that all systems within the network can be made completely secure in a cost-effective way.
Warnings against following a fortress mentality in cyber security have been around for years. One example is Franz-Stefan Gady, writing in 2010 for the Foreign Policy Journal (‘The Cyber Fortress Mentality’), where he stated that ‘any fortress wall is vulnerable’, referring to the use of fortresses during several conflicts in North America. The most determined attacker will identify a way to penetrate a network.
I take the view that we should adopt an approach that offers layered security, or defence-in-depth; acknowledging that although this may not be successful at preventing every single attack, we can act to contain that attack and continue our business-critical functions, which brings me nicely to cyber resilience.
Let’s start thinking about cyber resilience
NIST SP800-160 defines cyber resiliency as: ‘the ability to anticipate, withstand, recover from and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.’ Cyber security and cyber resilience have traditionally been considered together as part of a holistic approach towards managing risks and countering threats. As the concepts of security and resilience have matured, it has become apparent that considering them separately does, in some instances, allow deeper consideration of the factors that influence the overall defensive posture employed for any given system or capability.
Effective cyber resilience requires a holistic approach that considers cyber-related security at multiple levels; encompassing information, technology and facilities, as well as the people and processes. I want to move this on a stage and start talking about cyber mission assurance (CMA). The Department of Homeland Security helps me by stating in their Cyber Resilience and Response Document: ‘Cyber resiliency is that attribute of a system that assures it continues to perform its mission-essential functions even when under cyber-attack. For services that are mission-essential, or that require high or uninterrupted availability, cyber resiliency should be built into the design of systems that provide or support those services.’
So, what is cyber mission assurance?
The MITRE Corporation defines mission assurance as ‘a process to ensure that assigned tasks or duties can be performed in accordance with the intended purpose or plan... to sustain... operations throughout the continuum of operations.’
Mission assurance was being discussed long before cyber was considered to be the fifth operating domain by the North Atlantic Treaty Organisation (NATO). It is a cause-agnostic process that seeks to continue mission-essential functions during a time of degraded performance and very much aligns with the thinking behind cyber resilience.
Extending this to cyber, the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) states that ‘a military operation with a strong level of cyber mission assurance is one capable of continuing its mission-essential functions even in the presence of cyber-attacks, not one that simply aims to prevent these attacks.’
This concept behind CMA is vitally important and can be applied beyond that of the military.
Cyber mission assurance isn’t just for the military
The CCDCOE definition is all well and good for the military, but how can that be related to a private sector organisation? The line I take is that there should actually be no difference. Every organisation, regardless of the sector it operates in, will have specific ‘missions’ which it needs to conduct.
In the case of a maritime port, this may be the protection of the scheduling system, which details when and where each ship will be berthed and off-loaded. In the case of an airport, it’s protecting the ability to provide air traffic control to all inbound and outbound aircraft.
Every organisation should be in the position to identify their mission-essential, or business-critical functions and to ensure that these are appropriately protected with up-to-date incident response and business continuity plans.
Cyber mission assurance should be through-life, not an after-thought
Achieving an appropriate level of CMA should be the sum of the successful integration of a number of cyber security or cyber resilience activities throughout the system’s lifecycle. CMA must be considered at the system conception stage, allowing the system to be designed in line with the mantra of ‘secure by design’ and cyber resiliency.
There are a number of frameworks that can assist with the systems engineering aspects, such as the MITRE Cyber Resiliency Engineering Framework and the National Institute of Standards and Technology (NIST) Special Publication 800-160. The most important thing is that these requirements and designs are reviewed on a regular basis to confirm that they meet the needs of the organisation and the changing threat landscape.
The role that supporting elements, such as the security operations centre, play should also be determined and integrated into the CMA policy of the organisation.
Governance is key!
Given that we can describe most systems as socio-technical, we must take into consideration not just the technical solution, but also the processes that support it, including how humans interact with the system. To that end, the security of any technical solution is not the only dimension that we need to consider. In fact, people (and organisations) have a huge contribution to make with regards to cyber resilience and CMA and are central to the success of any activity.
The recent National Cyber Security Centre (NCSC) Board Toolkit is a really useful resource aimed at the C-suite (executive-level managers).
The key governance structures should be put in place to ensure that:
- Senior management are playing an active role and are supportive of the CMA approach. The benefits that such an approach would offer the organisation should be tangible and clearly articulated.
- A suitable security individual, i.e. a security assurance coordinator, is appointed to oversee all CMA activities, including endorsing plans and empowering security working groups.
- A suitable training and awareness plan is created for all employees, and training and awareness is provided to senior management. The whole of the organisation must be part of any strategy to ensure that a CMA approach is effective. Individuals must understand how their actions and behaviours support the cyber security objectives and the culture of the organisation.
What if we are breached?
Regardless of whether we have conducted a threat-led or impact-led risk assessment and have introduced suitable mitigations and controls into our enterprise, we simply cannot prevent every single attack. The mantra remains true: we have to be successful every time, whereas the attacker just has to be successful once.
Organisations must have an effective incident response and continuity management plan in place to ensure that:
- The cyber incident can be contained; appropriate response measures are taken and the system is returned to a known good state.
- The organisation can continue its business-critical functions throughout the compromise. This business continuity plan should be clearly defined and, at a very minimum, be table-topped to refine and develop it. As a side note, I have often been told that exercising the business continuity plan would be too disruptive, so I have offered comments along the lines of ‘so how do you expect it to be successful?’
- Lessons from the compromise and recovery procedures are documented and the plans updated accordingly.
Every organisation is different
Every organisation is different. Some will be small businesses that just operate traditional IT, whereas others will be multi-national companies with a mix of IT and operational technology, possibly including industrial control systems. It is for each organisation to work out exactly what approach works for them, but my message is simple: Have a plan!