RESIST: the ability of organizations to withstand disasters and disruptions from the digital realm

Nowadays, many organizations provide essential digital and information systems-related services that are basic to a country’s strategic operation. Any disruption that may alter these services can have a huge impact on the economy, environment or population. As such, in recent years cybersecurity threats are some of the risks that have seen the most growth and they can critically affect these services. The absence of security measures means a high risk of exposure to leaks, loss or lack of information, inability or difficulty in identifying vulnerabilities and service continuity, increased chances of becoming infected, etc.

Given the importance of these services that all countries need to operate properly, the questions that arise are obvious: could Spanish organizations resist the impact of a cyberthreat and continue to provide their essential service? With what level of service? For how long? These reflections are especially sensitive in organizations in the Administration, Water, Food, Energy, Space, Chemical Industry, Nuclear Industry, Research Facilities, Health, Financial and Taxation System, Information and Communication Technologies (ICT) and Transport sectors, which are the sectors catalogued as critical by the Critical Infrastructure Protection law (PIC Law, in Spanish) 8/2011 of 28 April, which establishes measures for the protection of critical infrastructures.

These issues may be resolved using INCIBE’s Cyberresilience Improvement Indicators (CII) model, a tool to diagnose and measure the capacity of organizations to anticipate, resist, recover and evolve from incidents. The capacity to resist makes it possible to determine whether an organization is capable of continuing to provide its essential services in the event of a cyberattack.

To measure the objectives of this aim, its two functional domains are analyzed: vulnerability management and continuous supervision.

Vulnerability management

The functional domain of vulnerability management within the resist goal measures the ability to identify, analyze and manage vulnerabilities in assets that support the delivery of essential services. Below are 9 actions that allow us to achieve this goal:

• Establish a process for identifying vulnerabilities that allows organizations proactively discover them, consulting available information sources (manufacturers, INCIBE-CERT...). If the essential service belongs to an OT (Operational Technologies) environment, the aim is to investigate those vulnerabilities that may affect its components (PLC, RTU, HMI, SCADA, Controller, etc.).
• Establish and maintain a classification, categorization and prioritization process for vulnerabilities that affect the provision of the essential service so that each vulnerability is assigned a level of criticality. For example, a vulnerability can be prioritized using the CVSS (Common Vulnerability Score System).
• Establish a vulnerability analysis process to obtain an assessment of its impact, relevance and scope in the organization.
• Establish and maintain an updated repository of vulnerabilities that affect the systems, products and software used. This should contain updated information on their life cycle, with specific information on each vulnerability, including the measures required to address them.
• Take actions to manage exposure to identified vulnerabilities in order to identify and review possible strategies to correct vulnerabilities; particularly, for those that the organization considers the highest priority or critical.
• Observe exposure to identified vulnerabilities by regularly monitoring and reporting on unresolved vulnerabilities.
• Estimate the average time from the identification of a vulnerability until the notification to the responsible party. For example, determining the average time that elapses from when a worker identifies an alert on their computer related to the security of the same, until it is communicated to the systems manager.
• Estimate the average time from when a security patch is announced until it is applied to the affected vulnerability. For example, by determining the average time from when a new software update is released until it is applied to all computers and systems in the organization.
• Estimate the average time to resolve identified vulnerabilities that cannot be resolved by updates or patches. For example, by applying different measures, determining the average time spent isolating the system, protecting its perimeter or simply removing it.

The dictionary of indicators, in the section on correlation of these points, can give ideas to further study these actions. Although these actions described are the bare minimum, more actions can be obtained based on different methodologies, such as:

• ISO/IEC 27001:2017
  • National Vulnerability Database.
  • National Security Framework (Spanish Esquema Nacional de Seguridad).
  • Critical Infrastructure Protection: Legislación Nacional y Europea.
• NIS
  • Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union.
  • Royal Decree-Law 12/2018, of 7 September, on security of networks and information systems.

Continuous supervision

The functional domain of continuous supervision within the resist goal measures the capacity to collect, compile and distribute information on the behavior and activities of systems and people, to support the continuous process of identifying and analyzing risks to the organization's assets and essential services that may adversely affect their operation and delivery. For this, the following 4 exercises are recommended:

• Continuous supervision of essential services: This involves planning and implementing continuous supervision (24x7) of the provision of the essential service to detect potential cyberincidents.
• Monitor the existence of unauthorized software and hardware in the systems that support the essential services. For example, by having a permissions policy that does not allow software installation, as well as a physical control that does not permit the modification of and access to the hardware.
• Supervise communication networks to detect unauthorized connections. For example, through an intrusion detection system or a firewall.
• Establish an incident reporting procedure that provides information on the time that passes from the identification of the incident and its arrival to those in charge of resolving it. For example, an estimate of this time can be obtained as a result of testing the continuity plan.

These actions are just one example of the suggested measures within the CII (Cyberresilience Improvement Indicators). However, there are different alternatives and lines of action with which to achieve this goal, such as those described in the aforementioned methodologies (ISO/IEC 27001:2017 and NIS).

By following these measures, companies can address an increase in cyberattacks and data leaks, and come closer to being able to guarantee the recovery of their services with the minimum possible impact after suffering the consequences of a cyberattack.

All organizations are exposed to attacks, but the most important thing is to have the capacity to be prepared to detect them and to proactively anticipate and implement protection measures. Therefore, it is very important for any organization committed to the resilient provision of its service to be goal-oriented, to anticipate, resist, recover and evolve. However, the resist goal, in particular, deserves a special mention as it is related to an organization's ability to continue providing its services despite the successful execution of a cyberattack.