Cyber-resilience: the key to overcoming incidents

The digitization of societies, global markets and the increasing dependence on technology carry an increased number of cybersecurity incidents. Such unwanted events threaten individuals, organizations and even nations. When they are deliberate, attackers take advantage of the pervasiveness, flexibility, and immediacy that technology offers in order to execute their actions. If these attacks affect a country's infrastructure or digital service providers, the daily activities of institutions and citizens could be affected.

In March of this year, the Norwegian metallurgy company Norsk Hydro logged a ransomware attack called LockerGoga and, as a result, both the corporate network and production processes at various facilities in Norway, Qatar, Brazil and other countries were affected.  Also in 2019, the aviation company Airbus suffered a security incident in the information systems of their commercial aircraft division, where there was unauthorized access to a series of data. Tribune Publishing, a company in charge of producing the main newspapers in the United States, fell victim to a cyberattack by a ransomware from the Ryuk family. As a result, this attack paralyzed the printing and delivery of several of the country's major newspapers.

In 2018, INCIBE-CERT managed 111,519 cybersecurity incidents, 722 of which affected strategic operators. These figures show the need to improve the cybersecurity capabilities of infrastructures (facilities, networks, systems and physical and ICT equipment) that support essential services, and those serving as the basis for some digital service providers in our country.

• The essential services, according to Law 8/2011, of 28 April, which establishes measures for the protection of critical infrastructure (hereinafter the PIC Law), are "those necessary for the maintenance of the basic social functions, health, security, social and economic well-being of citizens, or the effective operation of State Institutions and Public Administrations".
• The digital services are those information society services determined by  (transposition of the NIS Directive) which also regulates the security obligations to be met by the providers of these services.

Anticipate, resist, recover and evolve.

In a global, digitized world, it no longer makes sense to build impregnable fortresses; instead, the ability to anticipate threats, absorb the impact of attacks, and respond quickly and flexibly must be developed to ensure that key systems can continue with normal activity. Cyber-resilience is defined as the capacity for a process, business, organization, or nation to anticipate, resist, recover, and evolve to improve its capacity to overcome adverse conditions, stress or attacks on the cyber resources that it needs in order to function.

"The security and resilience of public sector information and communications networks and systems and essential services" is the first objective of the Spanish National Cybersecurity Strategy 2019. In the face of the digital incident and threat landscape, cyber-resilience is emerging as an essential feature for organizations, particularly digital service providers or those that provide essential services.

Organizations need to develop the capacity to respond to crises, initiated in systems and networks, without their activity being affected. This quality is vital when it comes to those organizations involved in providing some essential service or certain digital services. It's not just about protection but also learning about and adapting to incidents. Therefore, these operators and service providers’ proactivity and active commitment is crucial.

The PIC Law defines strategic sector as "each of the differentiated areas within the employment, economic and productive activity, which provides an essential service or which guarantees the exercise of the authority of the State or the security of the country". In its appendix, it identifies the following strategic sectors: administration, water, food, energy, space, chemical industry, nuclear industry, research facilities, health, financial and tax system, information and communication technologies (ICT) and transportation. Moreover, according to RD-L 12/2018, the digital services that normal development of economic and social activities depend on belong to one of these three groups: online markets, search engines and cloud computing services.

The goal of cyber-resilience for an organization, whether or not it belongs to a strategic sector, whether or not it provides one of these digital services, is to maintain its primary purpose and integrity in the face of a cybersecurity threat or attack to an ideal level. Continuous detection processes must be established given that total prevention will never be guaranteed.

How to implement cyber-resilience?

Given how diverse organizations are, their internal complexity and the interdependencies among them, a way to implement cyber-resilience cannot be generalized. In any case, it is essential to start an adaptation process and consider that it should be extended to our entire ecosystem (partners, suppliers, customers...). The next steps should be established:

• Prioritize services according to the impact (economic, environmental, public and social, people affected) their loss or impairment may cause.
• Understand the threats affecting the services and prioritize according to their criticality.
• Implement preventive actions against current and future threats.
• Develop remediation processes to minimize the damage that can be caused by incidents.
• Continuously detect vulnerabilities and correct them in order to reduce the attack surface.
• Develop and maintain communication processes within the company.
• Regularly implement improvement actions to minimize risks, and repeat the cycle of steps for continuous improvement.

Measure cyber-resilience

Knowing its cyber-resilience status enables an organization to be ready to improve the aspects that protect and maintain the service. For example, this knowledge will help to implement processes for detecting incidents before they happen, and responding to them as soon as possible. Similarly, measuring its cyber-resilience will allow the organization to acquire a level of maturity to restore, in a minimum set time, the provision of the essential service to normal in the event of an incident. Finally, this knowledge will promote strengthening cyber-resilience and the continuous improvement of these processes.

One way to measure and improve an organization's cyber-resilience status is to follow a maturity model. In other words, a model that defines the levels established for good practices to be followed. INCIBE’s model for Cyber-resilience Improvement Indicators(CII) adopts the following maturity levels from the standards:

• NON-EXISTENT: this measure or measures are not being applied at this time.
• INITIAL / AD-HOC: when the organization does not provide a stable environment to apply these measures. These measures’ success or failure depends on the competence and good will of the people, although it is difficult to predict their reaction to an emergency situation. Despite its chaotic nature, it’s better than nothing.
• REPEATABLE, but INTUITIVE: when there is a minimum of planning that, accompanied by people's goodwill, provides a guideline for when the same circumstances are repeated. Under new circumstances the outcome is unpredictable.
• DEFINED PROCESS: a catalogue of processes is available, and kept up to date, to address this aspect of cyber-resilience. These guarantee the consistency of the actions between the different parts of the organization, which adapt their particular processes to the general one.
• MANAGED AND MEASURED: when you have a system of measures and metrics to know the processes’ performance (effectiveness and efficiency) to address this aspect of cyber-resilience. Management is able to set qualitative objectives and has the means to assess whether and to what extent they have been met.  
• OPTIMIZED: at this level the organization is able to improve system performance through continuous process improvement in order to address this aspect of measurement and indicator result based cyber-resilience.

To evaluate its situation, the organization must measure a series of process parameters regarding these levels and execute the necessary actions to bridge the gap between its level and the optimum level. The measures to be adopted are designed within four cyber-resilience goals: anticipate, resist, recover and evolve. For example, for the metric of a goal, to anticipate (knowing if the cyber-resilience requirements have been established), the following graph indicates how each level is reached.

The CII model, based on the cyber-resilience indicators framework from MITRE,  among others, selects 46 indicators to represent different aspects of cyber-resilience. These will serve to gain insight into the four cyber-resilience goals. They are organized into nine general objectives:

The IMC Model includes a Dictionary with explanations of each indicator, its correlation with standards (ISO27001, NIST SP800-53, ENS, the NIS Directive and its transposition in  Royal Decree-Law 12/2018, of 7 September, among others) and a Form for organizations to periodically assess their cyber-resilience.

To promote cyber-resilience we need to measure it in the infrastructures supporting essential services and in the digital service providers, because if they are affected by an incident, they can seriously damage the economy, society and national security. Using the CII model, INCIBE and CNPIC (National Centre for the Protection of Infrastructure and Cybersecurity) periodically carry out cyber-resilience measurements in these organizations to promote the improvement of cyber-resilience in those tasked with offering these services to the whole population.

A cyber-resilient company is one that can anticipate, detect, resist, recover from, and evolve in the face of serious threats that affect the integrity of data, information, applications, and infrastructure, minimizing exposure time and service impact. Above all, in the areas where their most valuable assets reside. Are you in a cyber-resilient organization? Do you want to know how your cyber-resilience evolves over time?