From Vulnerability to Immunity (Cyber Resilience) — Part 1

Cyber Resilience (In straightforward definition) refers to an organisation’s or system’s ability to withstand cyber incidents. It encompasses a holistic approach to managing cyber risks, minimising the impact of cyber threats and maintaining essential functions and operations before, during and after a cyber attack.

I want to illustrate the Cyber Resilience by our human body. It is exceptionally resilient when confronted with thousands of viruses (i.e. known and unknown vulnerabilities) or sudden injuries (i.e. security incidents). Our body has different defence layers to detect, prevent, and respond (to thousands of pathogens) and recover damaged cells using basic to advanced mechanisms (i.e. cyber security capabilities).

However, no human body can be resilient forever. There is a limit to our body’s resiliency (ageing effect) which varies from someone to another (i.e. each enterprise has different capabilities & maturity levels). Cyber Resilience involves a combination of detection, preventive measures, incident response, and the ability to quickly restore or recover systems and operations to normalcy following a security incident, similar to our body’s immune system.

Resilience is like an umbrella in a thunderstorm, heavy rainy, snowy and windy weather (worst case scenario). You need it, but without proper gears, such as a waterproof coat, anti-slipping boot and other protective items, you will likely slip down, get injured or get sick. It would help if you carried out all the gears needed to sudden change in the weather. Although, there are better solutions for unforeseen and unpredictable weather.

It’s time now to embrace the complexity of critical infrastructures through scenario planning and simulation to help identify the level of resilience needed to survive cyber catastrophes by modeling and simulation analysis.

The resilience capacities are outlined below (absorptive, adaptive, and recovery and restorative). These three pillar capacities are needed to strengthen the system’s flexibility for cascading, escalating and common-cause failures.

There’re different models, frameworks and regulations for Cyber Resilience, such as:

• CERT Resilience Management Model (CERT-RMM) by SEI
• Resiliency Maturity Model (RMM) by SMI
• Resiliency Maturity Model (RMM) by SMR
• Resiliency Framework for Electric Energy by INL
• Cyber Resiliency Engineering Framework (CREF) by MITRE
• Developing Cyber-Resilient Systems by NIST
• EU Cyber Resilience Act (CRA) by the European Commission
• UK Cyber Resilience Act (CRA) by the UK Government

It’s important to remember to set a clear resilience goal and objectives as it will help you to identify needed techniques. It’s challenging and expensive to consider all the systems to be resilient, so the following principles/guidance would help to start your cyber resilience journey:

1. Always systems compromised
2. Focus on the crown jewel’s assets
3. Reduce your exposure to the attack surfaces
4. Support agility and adaptability everywhere
5. Adversary’s capabilities advancing overtime

Risk vs Resilience Assessment:

Risk assessment methods determine the negative consequences of potential undesired events and mitigate the organisation’s exposure to those undesirable outcomes. In contrast, resilience assessment evaluates the system’s flexibility to withstand potential shocks without irreversible or unacceptable performance, structure and function declines.

Part 2 will cover the following:

• Cyber Resilience Assessment (CRA)
• Cyber Resilience Maturity Model (RMM)
• Cyber Resilience Matrix (CRM)