46 metrics to improve cyber resilience in an essential service

Posted date 23/11/2017
Juan Delfín Peláez Álvarez (INCIBE)

The protection of critical and strategic infrastructures in our country is a task that must be tackled by all the agents involved in a public-private cooperation framework. The Security and Industry CERT has been working since 2015 on different pilot projects with Operators of Critical and Strategic Infrastructures in order to complete a Report on the Status of Cyber-Resilience in Spanish Critical Infrastructures, as addressed in the article How do you know if a company is prepared to resist cyber-attacks?

Attacks against the IT systems of nuclear plants, the electrical supply of a region, the functioning of the operating rooms in a hospital, the transport network of a big city or the electoral system of a country are just some examples of cases we have seen in the media that have affected other countries. In Spain we are not immune to these events: the INCIBE-CERT has gone from managing 134 incidents in critical operators in 2015 to 479 in 2016, and during 2017 these figures have continued to rise.

What is cyber-resilience?

Cyber-resilience, as defined in the article Is your business safe? Assessment is the first step to success, is the ability to anticipate, resist, recover and evolve to overcome adverse conditions, such as attacks on information or technology resources; it's the strategy that any organization must follow to tackle the growth in their operating and information systems and the increase in cyber-attacks around the world.

Indicators for cyber-resilience improvement

The Security and Industry CERT is implementing, as a follow-up of the pilot measuring projects developed in 2015 and 2016, a new project aimed at helping critical and strategic infrastructures measure their cyber-resilience, called Indicadores para la Mejora de la Ciberresiliencia (Indicators for Cyber-Resilience Improvement, IMC). This project, developed within the framework of the National Scheme on Industrial Security (ENSI), provides 46 metrics ordered hierarchically by the different technological environments to be protected, differentiating between Information Technology (IT) and Operating Technology (OT) environments, also known as industrial technology, SCADA or ICS.

These 46 metrics measure four objectives and goals to be achieved and nine cyber-resilience categories or functional areas to be implemented, thus providing organizations with a precise x-ray of their security status that facilitates decision-making and leads to the improvement of their security systems.

Anticipate (10 metrics): Cybersecurity policy (4), Risk management (4), Cybersecurity training (2)
Resist (13 metrics): Vulnerability management (9), Continuous supervision (4)
Recover (21 metrics): Incident management (9), Continuity of service management (12)
Evolve (4 metrics): Configuration and change management (1), Communication (3)

Picture 1 Goals and Functional Areas of Cyber-resilience

Benefits of measuring cyber-resilience

Organizations in the critical or strategic infrastructure sectors can obtain a self-assessed diagnostic that makes it easy to measure, in a homogeneous and standardised way, their ability and strength to face and overcome attacks against their IT systems.

The main benefits of measuring cyber-resilience are the following:

Knowing the strength level: the organization's ability in cyber-resilience to face and resist attacks against its information or operating systems.

Improving cyber-resilience: identifying the functional security areas that may be improved within the organization through an appropriate action plan.

Continuous review: having a review framework that allows for regular self-assessment in order to improve the organization's security system.

Comparison of results: facilitating the comparison of results against other organizations in the same sector and technological environment.

Picture 2 Benefits of Measuring Cyber-Resilience

Which opportunities for improvement can you benefit from with these 46 metrics?

Based on our experience measuring cyber-resilience over the last two years, we can point out some of the metrics where the biggest opportunities for improvement have been found, and which critical and strategic infrastructures must take into consideration through their highest governing bodies:

Cybersecurity policy

Organizations must include in their cybersecurity policies mechanisms that allow the signing of agreements for mutual cooperation and exchange of information on cyber-resilience with public bodies, in order to improve the early management of incidents, the management of vulnerabilities and the continuity of basic services.

Risk management

Risk analysis, management and treatment must include objective criteria based on the establishment of recovery time and recovery point objectives (RTOs and RPOs) that allow appropriate management of risk and its elimination, mitigation, transfer or acceptance.

Continuity of service management

Identification, analysis and correction of vulnerabilities in the organization's technological systems must be a continuous process that allows time limits to be set for the correction of identified vulnerabilities, minimising the exposure time of the organization's vulnerable assets according to their impact.

Communication

In order for basic services to be re-established in a reasonable period of time in the event of an incident, the time required to restore systems after the different types of attack the organization may suffer must be measured.

Vulnerability management

In the event of an incident, the organization must establish and define efficient mechanisms of external communication in terms of cyber-resilience with the main affected and interested parties: clients, suppliers, media, State security forces, emergency services, etc.
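As an added example (not part of the original article or of the IMC form), the following Python computes the two measurements the preceding paragraphs call for: the exposure time of each vulnerable asset against an impact-based correction deadline, and the share of incidents whose measured restore time stayed within the service RTO. The deadline values, asset names and incident records are constructed assumptions, not data from any operator.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical impact-based correction deadlines; the IMC form does not prescribe these values.
CORRECTION_DEADLINE = {"high": timedelta(days=7), "medium": timedelta(days=30), "low": timedelta(days=90)}

@dataclass
class Vulnerability:
    asset: str
    impact: str                    # key of CORRECTION_DEADLINE
    detected: datetime
    corrected: datetime | None     # None means still open

@dataclass
class Incident:
    service: str
    rto: timedelta                 # recovery time objective agreed for the service
    started: datetime
    restored: datetime

def exposure_report(vulns: list[Vulnerability], now: datetime) -> list[dict]:
    """Exposure time per asset (until correction, or until 'now' if still open) and
    whether it exceeded the correction deadline for its impact level."""
    rows = []
    for v in vulns:
        exposure = (v.corrected or now) - v.detected
        rows.append({"asset": v.asset, "impact": v.impact, "exposure_days": exposure.days,
                     "open": v.corrected is None,
                     "overdue": exposure > CORRECTION_DEADLINE[v.impact]})
    return rows

def rto_compliance(incidents: list[Incident]) -> float:
    """Fraction of incidents whose measured restore time stayed within the service RTO."""
    return sum(1 for i in incidents if i.restored - i.started <= i.rto) / len(incidents) if incidents else 1.0

# Constructed sample records, not data from any real operator.
NOW = datetime(2017, 11, 23)
SAMPLE_VULNS = [
    Vulnerability("scada-hmi-01", "high", datetime(2017, 11, 1), datetime(2017, 11, 5)),
    Vulnerability("historian-db", "high", datetime(2017, 11, 10), None),
    Vulnerability("office-files", "medium", datetime(2017, 10, 1), datetime(2017, 11, 20)),
    Vulnerability("print-server", "low", datetime(2017, 9, 1), None),
]
SAMPLE_INCIDENTS = [
    Incident("power-distribution", timedelta(hours=4), datetime(2017, 11, 2, 8), datetime(2017, 11, 2, 11, 30)),
    Incident("billing", timedelta(hours=8), datetime(2017, 11, 15, 22), datetime(2017, 11, 16, 10)),
    Incident("telemetry", timedelta(hours=2), datetime(2017, 11, 20, 3), datetime(2017, 11, 20, 5)),
]
```

Open, overdue high-impact items in the exposure report are the ones a governing body should see first; the RTO compliance ratio is the restore-time measurement the continuity metrics ask for.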

Form for measuring cyber-resilience

The form used to self-assess the Indicators for cyber-resilience improvement includes questions for the 9 functional areas of cyber-resilience, which must be answered by the security officer(s) within the company in order to cover all the areas affected by a possible lack of resilience in the organization, whether in Information Technology (IT) or in Operating Technology (OT) security systems.

This form must be completed for one basic service provided by the organization, chosen on the principle of criticality: the service with the highest level of criticality, i.e. the one whose disruption in an incident would have the greatest economic, material or reputational impact on the organization.