
Cyber Resiliency Engineering Framework

by 네버고나스탑 2023. 12. 9.

Deborah J. Bodeau & Richard Graubart
September 2011

by MITRE

Executive Summary
Missions, business functions, organizations, critical infrastructures, and nations are increasingly dependent on cyberspace. The need for cyber resiliency – for information and communications systems and those who depend on them to be resilient in the face of persistent, stealthy, and sophisticated attacks focused on cyber resources – is increasingly recognized. The relatively new discipline of cyber resiliency engineering has been defined to meet the challenge of how to evolve architectures, cyber resources, and operational processes to provide cost-effective cyber resiliency.
Cyber resiliency engineering is a part of mission assurance engineering, and is informed by a variety of disciplines, including information system security engineering, resilience engineering, survivability, dependability, fault tolerance, and business continuity and contingency planning. Cyber resiliency engineering considers (i) the ways in which an evolving set of architectural resilience practices contribute to the resilience of a set of cyber resources in light of the cyber threat, and (ii) the engineering trade-offs associated with those practices. Examples of sets of cyber resources include mission or business segments, common infrastructures, shared services, systems-of-systems, networks, systems, and data repositories.
This paper presents an initial framework for cyber resiliency engineering. The framework identifies cyber resiliency goals, objectives, and practices; the threat model for cyber resiliency; architectural layers or domains to which cyber resiliency practices could be applied; and aspects of cost to consider as part of the trade-off analysis for alternative strategies and implementations. The framework is intended to evolve as the discipline of cyber resiliency engineering matures.

 

Cyber resiliency goals are
 Anticipate: maintain a state of informed preparedness in order to forestall compromises of mission/business functions from adversary attacks,
 Withstand: continue essential mission/business functions despite successful execution of an attack by an adversary,
 Recover: restore mission/business functions to the maximum extent possible subsequent to successful execution of an attack by an adversary, and
 Evolve: to change missions/business functions and/or the supporting cyber capabilities, so as to minimize adverse impacts from actual or predicted adversary attacks.
Reaching these goals requires achieving cyber resiliency objectives: understand, prepare, prevent, constrain, continue, reconstitute, transform, and re-architect. Cyber resiliency objectives are applied to systems, architectures, and mission/business functions synergistically to improve resiliency. These in turn are supported by a set of cyber resiliency practices. The set of resilience practices considered by cyber resiliency engineering is evolving, as research and investigation provide possible solutions and as experience applying the practices to architectures, systems, and operational processes is gained. The set of resilience practices considered in this framework are adaptive response, privilege restriction, deception, diversity, substantiated integrity, coordinated defense, analytic monitoring, non-persistence, dynamic positioning, redundancy, segmentation, unpredictability, dynamic representation, and realignment. Each practice has operational as well as technical aspects.

 

Cyber resiliency engineering supports a wide range of stakeholders, including
 Mission commanders (or business function heads), who need to know how well they can perform their missions (or business functions).
 Cyber defenders (e.g., Computer Network Defense staff; staff in a Security Operations Center or a Cyber Security Operations Center), who need to achieve cyber resiliency goals in their operational environments.
 Providers and operators of information and communications technologies and services (e.g., the manager of a fixed-site facility that provides computing resources to multiple missions or users, the provider of a common infrastructure or set of shared services), who need to ensure adequate cyber resiliency for their offerings.
 Program managers (as informed by systems engineers and architects), who need to make decisions related to cost-benefit trade-offs of cyber resiliency investments and decisions related to programmatic risk management.
 Architects and systems engineers, who need to decide which cyber resiliency practices to apply, where, how, and in what timeframe.
 Test and exercise planners, who need to decide how to represent threats to cyber resiliency in their efforts.
The framework presented in this paper provides a way to structure discussions and analyses of cyber resiliency goals, objectives, practices, and costs. It also serves to motivate and characterize cyber resiliency metrics. The framework is intended to evolve as the discipline of cyber resiliency engineering matures.

 


Missions, business functions, organizations, critical infrastructures, and nations are increasingly dependent on cyberspace. The need for cyber resiliency, so that information and communications systems and those who depend on them can be resilient in the face of persistent, stealthy, and sophisticated attacks focused on cyber resources, is increasingly recognized. The relatively new discipline of cyber resiliency engineering has been defined to meet the challenge of how to evolve architectures, cyber resources, and operational processes to provide cost-effective cyber resiliency.
Cyber resiliency engineering is a part of mission assurance engineering and draws on a variety of disciplines, including information system security engineering, resilience engineering, survivability, dependability, fault tolerance, and business continuity and contingency planning. Cyber resiliency engineering considers (i) the ways in which an evolving set of architectural resilience practices contributes to the resilience of a set of cyber resources in light of the cyber threat, and (ii) the engineering trade-offs associated with those practices. Examples of sets of cyber resources include mission or business segments, common infrastructures, shared services, systems-of-systems, networks, systems, and data repositories.
This paper presents an initial framework for cyber resiliency engineering. The framework identifies cyber resiliency goals, objectives, and practices; the threat model for cyber resiliency; the architectural layers or domains to which cyber resiliency practices can be applied; and the aspects of cost to consider as part of the trade-off analysis for alternative strategies and implementations. The framework is intended to evolve as the discipline of cyber resiliency engineering matures.

Cyber resiliency goals are
 Anticipate: maintain a state of informed preparedness in order to forestall compromises of mission/business functions from adversary attacks,
 Withstand: continue essential mission/business functions despite an adversary's successful execution of an attack,
 Recover: restore mission/business functions to the maximum extent possible after the successful execution of an attack, and
 Evolve: change mission/business functions and/or the supporting cyber capabilities so as to minimize adverse impacts from actual or predicted adversary attacks.
Reaching these goals requires achieving the cyber resiliency objectives: understand, prepare, prevent, constrain, continue, reconstitute, transform, and re-architect. Cyber resiliency objectives are applied to systems, architectures, and mission/business functions synergistically to improve resiliency. These in turn are supported by a set of cyber resiliency practices.

The set of resilience practices considered by cyber resiliency engineering is evolving as research and investigation provide possible solutions and as experience applying those practices to architectures, systems, and operational processes accumulates. The set of resilience practices considered in this framework is adaptive response, privilege restriction, deception, diversity, substantiated integrity, coordinated defense, analytic monitoring, non-persistence, dynamic positioning, redundancy, segmentation, unpredictability, dynamic representation, and realignment. Each practice has technical as well as operational aspects.

Cyber resiliency engineering supports a wide range of stakeholders, including
 Mission commanders (or business function heads), who need to know how well they can perform their missions.
 Cyber defenders (e.g., Computer Network Defense staff, or staff in a Security Operations Center or a Cyber Security Operations Center), who need to achieve cyber resiliency goals in their operational environments.
 Providers and operators of information and communications technologies and services (e.g., the manager of a fixed-site facility that provides computing resources to multiple missions or users, or the provider of a common infrastructure or set of shared services), who need to ensure adequate cyber resiliency for their offerings.
 Program managers (as informed by systems engineers and architects), who need to make decisions related to cost-benefit trade-offs of cyber resiliency investments and decisions related to programmatic risk management.
 Architects and systems engineers, who need to decide which cyber resiliency practices to apply, and where, how, and in what timeframe.
 Test and exercise planners, who need to decide how to represent threats to cyber resiliency in their efforts.
The framework presented in this paper provides a way to structure discussions and analyses of cyber resiliency goals, objectives, practices, and costs. It also serves to motivate and characterize cyber resiliency metrics. The framework is intended to evolve as the discipline of cyber resiliency engineering matures.

 
