Different approaches have been used for relating cyber resiliency to risk. In this tip, we will take a look at...
14 techniques identified by the National Institute of Standards and Technology, or NIST, for improving cyber resiliency through a system engineering approach.
Earlier this year, NIST published its draft of SP 800-160 Vol. 2, "Systems Security Engineering: Cyber Resiliency Considerations for the Engineering of Trustworthy Secure Systems," a handbook that offers a systems engineering framework intended to help organizations respond to advanced persistent threats (APTs) -- specifically to achieve cyber resiliency that can be used to anticipate, recover from and adapt to attacks or compromises on cybersecurity resources.
Organizations can use some or all of the cyber resiliency constructs, such as goals, objectives, techniques, approaches and design principles, and apply them to the technical, operational and threat environments of the systems to be engineered. The system lifecycle processes and cyber resiliency constructs can be employed at any stage of the lifecycle of new systems, system upgrades or repurposed systems.
In its draft publication, NIST identified 14 cyber resiliency techniques and numerous approaches to building cyber resiliency. Organizations can use risk factors assessed during the systems engineering process to help choose the most relevant techniques and implementation approaches. Selection criteria includes achievement of goals and objectives, risk management strategy, system tailoring, cyber resiliency conflicts and architectural locations.
The cybersecurity resiliency techniques described in the new document are based on the technical processes described in the ISO/IEC 15288 standard for systems engineering. For each technical process, we take a look at some cyber resiliency engineering purposes, outcomes and considerations.
The 14 cyber resiliency techniques identified by NIST include the following:
- Business or mission analysis process. This focuses on analyzing business or mission challenges and prioritizing cyber resiliency goals and objectives, while also listing assumptions on the adversaries' capabilities. The analysis covers constraints or limitations on the cyber resiliency techniques and approaches and design principles depending on the organization's risk management strategy. It also includes methods of measuring the success of carrying out the objectives.
- Stakeholder needs and requirements definition process. This begins with identifying methods for achieving cyber resiliency objectives. Stakeholders' requirements help determine asset susceptibility to APTs and identify strategic cyber resiliency design principles consistent with the organization's risk management strategy.
- System requirements definition process. This identifies system requirements for cyber resiliency based on stakeholder requirements, given cyber resiliency design constraints. It considers the type of system, existing investments in technologies and processes, the intended effects on adversaries and the maturity of technologies. This analysis helps to determine which cyber resiliency techniques and implementation approaches are applicable and defines cyber resiliency performance measures of system requirements.
- Architecture definition process. This addresses stakeholders' concerns regarding an adversary's persistent entry into the system. This process considers the cyber resiliency view of the system architecture alternatives and identifies the outcomes of the exploitation of vulnerabilities. Ensuring architecture is more secure should be part of strategic design principles.
- Design definition process. This considers both cyber resiliency design and security design characteristics, as well as applications of design constraints in the system requirements definition process. It determines the technologies to support the application of cyber resiliency design principles.
- System analysis process. This relates cyber resiliency analysis objectives to security analysis objectives and considers how the adversary may be able to achieve a persistent foothold in the system. It also provides examples of specific threat events. It analyzes alternative design decisions or cyber resiliency solutions on threat events.
- Implementation process. This identifies the security aspects that constrain the ability to achieve cyber resiliency objectives or to meet cyber resiliency needs.
- Integration process. This identifies and defines how the cyber resiliency solutions are integrated, securely, in the organization.
- Verification process. This aims at verifying the cyber resiliency solutions are able to satisfy the previously defined system requirements.
- Transition process. This is used to develop cyber resiliency goals and objectives, while providing threat and APT training for all stakeholders. Threat-informed frameworks and tools are employed to gather data as input into validation of the cyber resiliency of the system.
- Validation process. This ensures that system fulfills its business or mission objectives by satisfying its stakeholder requirements and makes available for systems or services needed to achieve the cyber resiliency aspects of the validation strategy.
- Operation process. This focuses on the cyber resiliency aspects of the operation strategy, while considering how tradeoffs between the execution of business or mission tasks, security, safety, privacy and other aspects of trustworthiness are made in the operational environment under different circumstances.
- Maintenance process. This indicates in its cyber resiliency engineering purpose and outcomes; there are no changes from systems security engineering purpose and outcomes.
- Disposal process. This analyzes how the removal of systems or system elements can decrease cyber resiliency, as well as establishes stakeholder understanding and acceptance of those risks as they relate to other systems, mission, business functions or the organization.
Information security professionals are encouraged to understand the 14 cyber resiliency techniques described in NIST's new handbook from a system engineering perspective, and then tailor them to their organization's risk management strategy. Further discussions of how to use cybersecurity solutions to reduce risk should be ongoing so the organization can adapt and apply cyber resiliency solutions for mitigating risks.