Surviving under attack: cyber resilience

06/07/21

As repeatedly recalled on these pages, and reiterated a few days ago by the Delegated Authority of the Information System for the Security of the Republic, Italy lags behind many European countries in adopting a national structure for information security.

Although the vastness of the impact of a cyber attack, caused by the strong interconnection of systems and applications that mirrors the interaction between people, companies and organizations, is plain for everyone to see, the impression is that many still consider a cyber attack an event whose effects are limited and whose responsibilities are easily attributable. It is enough to recall how a ransomware attack, not excessively sophisticated, forced the shutdown of one of the most important pipelines in the US, with repercussions on thousands of companies and millions of people.

The lack of awareness of the consequences of a cyber attack is the cause of the inertia with which this matter is dealt with. And it is precisely on this awareness that an authoritative exponent of our Security Information Department recently declared - with good reason - that we need to rethink the way we organize and manage the security of the cyber domain: a qualitative leap is needed that no longer targets only the security of systems and networks analyzed as autonomous entities, but which, in combination with this, aims to ensure their resilience in the event of a successful attack. We add that in the Italian context it is necessary, even before that, to harden all systems and networks so as to eliminate every vulnerability and weakness for which a remedy exists and which, if not eliminated, constitutes the Achilles heel that can render even sophisticated defense measures ineffective.

Let's try to define resilience in the cyber domain in the light of the typical constructs of the academic world and the evidence of business risk management.

Information and industrial control systems, like the defense and security systems of nations, have shown clear susceptibility to advanced cyber threats. The numerous incidents have in fact demonstrated that it cannot be assumed that the IT resources of organizations, even when designed and maintained according to the best security standards, will keep working under attack by sophisticated, well-resourced adversaries who employ combinations of cyber, military and intelligence capabilities.

The future challenge must therefore be faced starting from the assumption that, in using - or depending on - network resources, there is a high risk that someone will breach the perimeter defenses and establish themselves, in a more or less evident and more or less lasting way, within the security perimeter, like a cancer growing inside a living being.

From this derives the consideration that it is not at all enough to limit oneself to securing the assets individually, since sooner or later - it is only a matter of time - they will be "punctured"; it is instead necessary to go further and create resilient networks, information systems and IT services, that is, ones capable of anticipating, withstanding, recovering and adapting under adverse conditions, stress, attacks and compromises. A bit like the human body does: it does have an immune system capable of absorbing environmental hazards and providing defense mechanisms to stay healthy, but it also has, when necessary, self-repair systems to recover from diseases and injuries; and when it fails to recover its pre-illness state of health, it is able to adapt to the new condition.

For some time, the academic world has proposed a conceptual model that allows the development of resilient cyber systems on the aforementioned "human body" model and that builds resilience capabilities in from the earliest stages of the development life cycle: the so-called resilience by design.

The National Institute of Standards and Technology has in fact defined an engineering framework starting from the definition of four fundamental capabilities, namely: Anticipate, that is, the ability to foresee problems; Withstand, that is, to resist stress, ensuring the missions or functions deemed essential; Recover, that is, the restoration of the latter if impacted during or after the incident; and finally Adapt, the ability to change mission or functions as technical or operational aspects change or the threat evolves.

For each of these capabilities, a range of objectives to be pursued is proposed: Prevent, that is, prevention of attacks, to preclude their execution; Prepare, that is, to hypothesize and test a series of courses of action to face adversity; Continue, that is, to maximize the duration and viability of a system's critical mission during the incident; Constrain, that is, to limit the damage; Reconstitute, that is, to restore essential functions; Understand, that is, to understand what is happening, having a clear picture, during the incident, of the status of the impacted resources and of the dependencies that exist with other resources; Transform, that is, to modify the critical mission or function to adapt it to the changed operational, technical or threat context; and finally Re-Architect, that is, to modify architectures to manage adversity and deal with environmental changes more effectively.

But if the four capabilities and the eight proposed objectives represent the "what" to do to obtain resilient systems on the network, the "how" is determined by the definition of specific cyber resilience techniques, to be implemented with different implementation approaches and according to defined design principles, many of which are the subject of research and development in collaborative activities between academia, companies and public administration.

The techniques are numerous. Only a few are cited here as examples, leaving the necessary in-depth analysis to the references.

They range from Analytic Monitoring, which ensures the monitoring and analysis of system properties or user behavior, to Contextual Awareness, with which the effectiveness of the system's critical resources is monitored in light of the threats in progress and the response actions.

Other techniques are instead deliberately aimed at countering the adversary's actions, such as Deception - methods with which one intends to mislead and confuse the adversary, for example by hiding critical resources from them or exposing deliberately tainted resources - or Unpredictability, with which changes are made to the system in a random or unpredictable way.

Other methods allow the protection mechanisms to operate in a coordinated and efficient way - Coordinated Protection - or they favor heterogeneity to minimize the impact of different threats that exploit common vulnerabilities, as in the case of the techniques called Diversity.

Preventive techniques such as Dynamic Positioning allow functionality or system resources to be dynamically distributed or relocated so as to remove them from the attacker's attention; and those of Substantiated Integrity allow one to ascertain whether critical elements of the system have been compromised.

Finally, others provide redundancy or segmentation.
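As an added illustration of what a Substantiated Integrity technique looks like in practice (this is example code written for this page, not code from the article or from the NIST publication), the script below takes a sealed baseline of a directory tree and later reports which files were modified, added or removed. The baseline is sealed with an HMAC so that an adversary who alters files and then rewrites the baseline to match is still detected. The key, the directory contents and the simulated changes are all constructed for the demonstration; in a real deployment the key and the baseline would live on a separate monitoring host.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Hypothetical key for the example. In practice it is kept off the monitored
# system, so that tampering with files and baseline together remains detectable.
BASELINE_KEY = b"example-baseline-key-not-for-production"


def file_digest(path: Path) -> str:
    """SHA-256 of a file's contents, streamed so large files are not loaded at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, key: bytes = BASELINE_KEY) -> dict:
    """Record the digest of every file under root and seal the record with an HMAC."""
    files = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            files[p.relative_to(root).as_posix()] = file_digest(p)
    body = json.dumps(files, sort_keys=True).encode()
    return {"files": files, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify(root: Path, baseline: dict, key: bytes = BASELINE_KEY) -> dict:
    """Compare the current tree with the baseline and report every difference."""
    body = json.dumps(baseline["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, baseline["mac"]):
        # The record itself was altered: none of its entries can be trusted.
        return {"baseline_tampered": True, "modified": [], "added": [], "missing": []}
    old = baseline["files"]
    new = build_baseline(root, key)["files"]
    return {
        "baseline_tampered": False,
        "modified": sorted(k for k in old if k in new and old[k] != new[k]),
        "added": sorted(k for k in new if k not in old),
        "missing": sorted(k for k in old if k not in new),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small config tree, then alter it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("listen=127.0.0.1\n")
        (root / "etc" / "users.db").write_text("alice\nbob\n")
        baseline = build_baseline(root)
        # Simulated changes after the baseline was taken (constructed, not real events)
        (root / "etc" / "app.conf").write_text("listen=0.0.0.0\n")
        (root / "etc" / "users.db").unlink()
        (root / "etc" / "cron.sh").write_text("echo hello\n")
        return verify(root, baseline)


def demo_tampered_baseline() -> bool:
    """Constructed scenario: the baseline is edited to hide a change; the MAC exposes it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "a.txt").write_text("original\n")
        baseline = build_baseline(root)
        (root / "a.txt").write_text("changed\n")
        baseline["files"]["a.txt"] = file_digest(root / "a.txt")  # forged entry
        return verify(root, baseline)["baseline_tampered"]


if __name__ == "__main__":
    print(demo())
    print("baseline tampered:", demo_tampered_baseline())
```

The report distinguishes three cases that an Understand objective needs to tell apart: a file whose content changed, a file that appeared, and a file that disappeared. Checking the MAC before trusting any entry is the part that makes the integrity claim substantiated rather than merely asserted.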

In short, once again the technical solutions, conceptual approaches and quality standards exist and are well covered by the academic and regulatory world. An impulse to their contextualization in the various local areas will also come from the establishment of the network of European Digital Innovation Hubs which, through regional consortia between universities, research centers, companies and public administration, will provide direct support to small and medium-sized enterprises, the most exposed to risk and whose fragility can become a source of weakness for the entire country system.

It is up to the governance capacity of public and private organizations to understand the new threats; to be clear about the assets of interest and the related security and resilience needs; to understand the growing complexity of the fifth domain in order to manage effectively the uncertainty associated with it; to integrate security requirements, functions and services into management and technical processes within the systems development life cycle; and finally to prioritize the design and implementation of secure and resilient systems capable of protecting the activities of the interested parties.

Orazio Danilo Russo and Giorgio Giacinto

To learn more:

https://formiche.net/2021/06/agenzia-cyber-tempo-scaduto-lallarme-di-gabrielli/

https://www.agi.it/economia/news/2021-05-11/colonial-pipeline-ransomware-12504743/

https://www.cybersecitalia.it/cybersecurity-roberto-baldoni-bisogna-passare-alla-resilience-by-design/12483/

https://ec.europa.eu/commission/presscorner/detail/en/ip_20_2391

https://digital-strategy.ec.europa.eu/en/activities/edihs

https://nsarchive2.gwu.edu/NSAEBB/NSAEBB424/docs/Cyber-081.pdf

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-160v2.pdf

Photo: US Army / US Air Force / web