A Better Approach to Assessing Operational Cybersecurity Threat Readiness
Operational cyber technology systems such as industrial control systems are no longer simple or isolated. They are now complex, highly integrated, increasingly automated and connected to distributed cloud networks. While this greatly enhances the ways these systems can be operated safely and efficiently, it also expands the ways they can be used to cause damage and harm. Cyber technology performance verification and assurance must therefore be expanded to cover the cybersecurity challenges presented by these new, integrated and highly distributed industrial control architectures.
Traditional cybersecurity verification methods that use techniques such as network scanning, penetration testing (white hat hacking), or social engineering (email phishing, for example) can be useful and effective. However, they do not provide sufficient coverage to fully evaluate and verify cybersecurity. These types of functional tests are by their nature limited to protection against known threats at a particular point in time.
The set of known threats that can cause the cyber technology to be used to damage the cyber technology itself and the vessel, or to harm people and the environment, is not fixed. New threats are continually developed, deployed, and discovered. These new threats include both malicious, intentional ones, such as new malware, and non-malicious, unintentional ones, such as system upgrades or operator errors.
The evaluation of cybersecurity should be based on the specific organizational and technology maturity with respect to the management and use of operational cyber technology. The evaluation methods themselves must continually evolve and improve as the maturity changes. Organizational and technology maturity models have proven to be an effective way to provide this enhanced evaluation capability.
Cybersecurity maturity models measure an organizational or technology-based system’s ability to provide five critical functions:
- Identification of both known and unknown threats,
- Protection against them gaining access to the system,
- Detection when they do gain access,
- Response to them when they trigger, and
- Recovery from the damage or harm they cause.
These five functions are part of the National Institute of Standards and Technology (NIST) framework for improving critical infrastructure cybersecurity.
A maturity model-based evaluation of cybersecurity performance is a two-step process. First, both the known and unknown threats to the system must be profiled. This profile identifies what the known and unknown (potential) threats are and defines protection methods for each threat. “Identify” and “protect” are the two highest priority functions in the NIST model.
Athens Group Services has developed a unique threat profiling method known as Threat Mode Effects Criticality Analysis (TMECA®). The TMECA® combines a real-time qualitative analysis of threat modes with a quantitative process for ranking and evaluating the impact of those threats. TMECA® is particularly well suited for cybersecurity risk assessment on industrial control systems, as it can be performed at any time in the asset lifecycle, on “as-designed” as well as “as-delivered” systems.
The threat mode profile defines the threat characteristics (nature, source, access, transport, target, and trigger), determines the threat effects, the threat criticality (severity x likelihood), and ranks the threats for mitigation purposes.
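To make the profiling step concrete, the following added example (illustrative code written for this page, not the TMECA® method or any Athens Group Services tool) models a threat mode profile as a record with the six characteristics named above plus its effects, computes criticality as severity × likelihood, and ranks the profiles for mitigation. The 1 to 5 scales, the sample threats and the tier thresholds in `mitigation_tier` are constructed assumptions chosen for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class ThreatProfile:
    """One threat mode: the characteristics a profile records, plus its scored impact."""
    name: str
    nature: str       # e.g. malicious malware vs. unintentional change or error
    source: str       # where the threat originates
    access: str       # how it reaches the system boundary
    transport: str    # how it moves inside the system
    target: str       # the asset or function it acts on
    trigger: str      # what causes it to take effect
    effects: list = field(default_factory=list)
    severity: int = 1    # assumed scale: 1 (negligible) .. 5 (catastrophic)
    likelihood: int = 1  # assumed scale: 1 (rare) .. 5 (almost certain)

    def __post_init__(self):
        # Reject scores outside the assumed 1..5 scales so rankings stay comparable.
        for label, value in (("severity", self.severity), ("likelihood", self.likelihood)):
            if not 1 <= value <= 5:
                raise ValueError(f"{label} must be in 1..5, got {value}")

    @property
    def criticality(self) -> int:
        # Criticality = severity x likelihood, as the profile definition states.
        return self.severity * self.likelihood


def mitigation_tier(criticality: int) -> str:
    """Map a criticality score to a mitigation priority (thresholds are an assumption)."""
    if criticality >= 15:
        return "immediate"
    if criticality >= 8:
        return "planned"
    return "monitor"


def rank_threats(threats):
    """Highest criticality first; ties go to the worse consequence, then name for determinism."""
    return sorted(threats, key=lambda t: (-t.criticality, -t.severity, t.name))


# Constructed sample profiles drawn from the threat types the text mentions
# (malware, unintended upgrades, operator error, phishing). Values are illustrative.
SAMPLE_THREATS = [
    ThreatProfile("Malware via removable media", "malicious", "external", "USB port",
                  "engineering workstation", "PLC logic", "file execution",
                  ["corrupted control logic", "loss of view"], severity=5, likelihood=3),
    ThreatProfile("Unsigned vendor upgrade", "unintentional", "vendor", "remote support link",
                  "update server", "controller firmware", "scheduled upgrade",
                  ["controller reboot", "changed behaviour"], severity=4, likelihood=4),
    ThreatProfile("Operator setpoint error", "unintentional", "internal", "HMI",
                  "control network", "process setpoint", "manual entry",
                  ["out-of-range process state"], severity=3, likelihood=5),
    ThreatProfile("Phishing of remote-access credentials", "malicious", "external", "email",
                  "VPN", "remote access gateway", "credential reuse",
                  ["unauthorised remote session"], severity=4, likelihood=3),
]


def ranked_register(threats=SAMPLE_THREATS):
    """Return (name, criticality, tier) tuples in mitigation order."""
    return [(t.name, t.criticality, mitigation_tier(t.criticality))
            for t in rank_threats(threats)]


if __name__ == "__main__":
    for name, score, tier in ranked_register():
        print(f"{score:>3}  {tier:<9}  {name}")
```

Note that the tie-break matters: two profiles with the same criticality are ordered by severity, so a rare but catastrophic threat is not outranked by a frequent, low-impact one with the same score. The thresholds in `mitigation_tier` should be set by the organization's own risk appetite; the values here are placeholders.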
Following the threat profiling, an organizational and technology maturity evaluation against the threat profiles is executed. Athens Group Services uses its own model, which combines the NIST Framework for cybersecurity, the DoE Cybersecurity Capability Maturity Model (C2M2), and the Athens Group Services software systems quality maturity model into a single comprehensive measure of both the cyber technology system and cybersecurity maturity.
Upon completion of the threat profiling and the organizational and technology maturity evaluation, it is highly recommended that an application- and maturity-specific cybersecurity verification test plan be designed and executed to evaluate and verify the actual cybersecurity capability against the threat profile. This evaluation should include all of the traditional methods: network penetration testing, scanning, and social engineering.
The result of this approach is an evaluation and verification that your people, processes, and technology are capable of continually managing and improving cybersecurity in a manner that continually reduces the risk of a cyber threat impacting your operations.
As operational technology systems become increasingly automated and connected to distributed cloud networks, we stand uniquely qualified to understand how cyber technology verification and assurance must be improved to protect against evolving cyber threats. Contact us for more information about how we can help your organization protect itself in an increasingly risky environment.
To see the latest Athens Group Services developments, please follow us on LinkedIn and Twitter.