Sunday, November 5, 2017

Cyber Resilience- what I've found (Part 1)

A year or so ago I came upon the idea of "cyber resilience", which is a general concept of 'hardening', toughening, or making more resilient, our IT/cyber systems.  I started seeing the term used a lot, and many of the times I've seen it, it has been in support of the idea that we need to focus MORE on resilience than on cybersecurity, or that cyber resilience is the next step beyond cybersecurity.

Here are some of the articles I read:  one, two, three.

I have a lot of problems with this idea.  This led me to do research on the topic, and I developed a presentation which I've given twice, most recently at the 2017 ISSA International Conference.  Below you'll find my research.

Now, this is not to say I'm not in agreement with the idea of cyber resilience.  What I have a problem with is the idea that it is separate from, or a next step beyond, cybersecurity.  If people think this, I think they don't understand what cybersecurity SHOULD be.
I see cybersecurity as a subset of information security, more about systems that are internet-connected.  But we should NOT be ignoring the rest of information security.

So if we look at the 5 core elements of information security (taking a cue from the NIST CSF: Identify, Protect, Detect, Respond, Recover), we need ALL of these.  I think too often cybersecurity is focused ONLY on protect, detect, and a little on respond.  That doesn't work.  Resilience is included (IMO) in the rest of this (identify, respond and recover).

OR, if we look at the CIA triad: Confidentiality, Integrity, and Availability, resilience IS availability.  Heck, that's what I knew it as years ago when I was working as a sysadmin for a large global company.  We worked to make our systems more available.  You know, 5 Nines and all that?  (99.999% uptime, etc.)  That's now called resilience.

Or, to put it another way (an analogy I used in my recent presentation), take a look at how power companies prepare for upcoming hurricanes, something I see living in Florida.  Just before the hurricane hits, they have teams ready to go in to restore power, which are deployed once things are clear.  These teams, depending on the area, can be working for weeks to restore power: replacing or fixing cables, poles, transformers, etc.

But another thing they do is prepare before a hurricane hits to minimize the impact, to lessen the chance of losing power.  In my area, they have been doing this by replacing old wooden poles with new, stronger concrete poles, burying power lines from the poles to the houses, trimming trees, etc.

So the teams prepared to go into action after the hurricane are the equivalent of your traditional disaster recovery plan.  But all the work to strengthen the power grid is making it resilient.  It's an investment that often has to be sold to management.

Ok.  So here are the frameworks, models, organizations and resources I found in my research:

Software Engineering Institute (SEI)
The Software Engineering Institute at Carnegie Mellon University is probably best known for creating the Capability Maturity Model (CMM), and also for the CERT Division.  Within the CERT Division is the Cyber Risk and Resilience Management work area.

A big part of their work is the CERT Resilience Management Model, which is a maturity model for "Operational Resilience", in the same way that the (original) CMM is a maturity model for software and system management.

V1.1 of the CERT-RMM was published as a book from Addison-Wesley, but v1.2 is available as a free download from the site.

They have other materials for cybersecurity you should check out.

Cyber Resilience Review (CRR)

Provided by the DHS's US-CERT, the CRR was actually created by SEI's CERT Division and is based on their CERT-RMM.  The review can be done either as a self-assessment or as an on-site assessment facilitated by DHS personnel.

Full info on the CRR is found HERE, where you can also download all of the materials.

The CRR is built around 10 domains:
  1. Asset Management
  2. Controls Management
  3. Configuration and Change Management
  4. Vulnerability Management
  5. Incident Management
  6. Service Continuity Management
  7. Risk Management
  8. External Dependency Management
  9. Training and Awareness
  10. Situational Awareness

There are other resources for the CRR, such as crosswalks to the NIST Cybersecurity Framework, the FFIEC CAT, etc.

I recommend that you check out the US-CERT site, as they have a lot of other cybersecurity resources.

World Economic Forum

The World Economic Forum, established in 1971, is a global organization that engages in public-private partnerships to help improve the world.  They have several initiatives, and under their Digital Economy initiative they have had a project focused on cyber resilience for several years.

They have a variety of reports and materials, all available for download:

As part of their work, they worked with xxx, whose people put out a book: Beyond Cybersecurity.

Their most recent work in this area is a blog posting: Why being a responsible leader means being cyber-resilient.

MITRE

MITRE is a not-for-profit organization that operates federally funded research and development centers (FFRDCs) sponsored by the federal government.  One of these is focused on cybersecurity.

They have produced quite a bit of material on cyber resilience.  They have held seven annual Secure and Resilient Cyber Architectures Invitational & Training Events, the most recent in May of 2017.

They've created a Cyber Resilience Engineering Framework (CREF).  They have Cyber Resilience Metrics, and even a good FAQ.

National Forum for Public Private Collaboration

First established as the Global Forum for Advanced Cyber Resilience, it was meeting the CEO of this group that spurred me on to do this research.

They have worked up a common lexicon, and the current projects appear to be developing business use cases for cyber resilience for several sectors.  They also held a collaboration event in September of 2017.

It will be interesting to see where this group goes with what it's doing.

Resilia

Resilia is a best practice program from Axelos, which manages the ITIL certification program.  It includes a couple of certifications, Foundation and Practitioner.  I'm not sure of the value of this program, as I don't see much mention of it in the marketplace.

But do check it out.