
DEVELOPING CYBER-RESILIENT SYSTEMS - Abstract & Introduction

by 네버고나스탑, 9 December 2023

DEVELOPING CYBER-RESILIENT SYSTEMS

ABSTRACT

NIST Special Publication (SP) 800-160, Volume 2, focuses on cyber resiliency engineering, an emerging specialty systems engineering discipline applied in conjunction with systems security engineering and resilience engineering to develop survivable, trustworthy secure systems. Cyber resiliency engineering intends to architect, design, develop, implement, maintain, and sustain the trustworthiness of systems with the capability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises that use or are enabled by cyber resources. From a risk management perspective, cyber resiliency is intended to help reduce the mission, business, organizational, enterprise, or sector risk of depending on cyber resources.

INTRODUCTION
THE NEED FOR CYBER-RESILIENT SYSTEMS
The need for trustworthy secure systems stems from a variety of stakeholder needs that are driven by mission, business, and other objectives and concerns. The principles, concepts, and practices for engineering trustworthy secure systems can be expressed in various ways, depending on which aspect of trustworthiness is of concern to stakeholders. NIST Special Publication (SP) 800-160, Volume 1 [SP 800-160 v1], provides guidance on systems security engineering with an emphasis on protection against asset loss. In addition to security, other aspects of trustworthiness include reliability, safety, and resilience. Specialty engineering disciplines address different aspects of trustworthiness. While each discipline frames the problem domain and the potential solution space for its aspect of trustworthiness somewhat differently, [SP 800-160 v1] includes systems engineering processes to align the concepts, frameworks, and analytic processes from multiple disciplines to make trade-offs within and between the various aspects of trustworthiness applicable to a system of interest.

NIST SP 800-160, Volume 2, focuses on the property of cyber resiliency, which has a strong relationship to security and resilience but provides a distinctive framework for its identified problem domain and solution space. Cyber resiliency is the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.


Cyber resiliency can be sought at multiple levels, including for system elements, systems, missions or business functions and the system-of-systems that support those functions, organizations, sectors, regions, the Nation, or transnational missions/business functions. From an engineering perspective, cyber resiliency is an emergent quality property of an engineered system, where an “engineered system” can be a system element made up of constituent components, a system, or a system-of-systems. Cyber-resilient systems are systems that have security measures or safeguards “built in” as a foundational part of the architecture and design and that display a high level of resiliency. Thus, cyber-resilient systems can withstand cyber-attacks, faults, and failures and continue to operate in a degraded or debilitated state to carry out the mission-essential functions of the organization. From an enterprise risk management perspective, cyber resiliency is intended to reduce the mission, business, organizational, or sector risk of potentially compromised cyber resources.

Cyber resiliency supports mission assurance in a contested environment for missions that depend on systems that include cyber resources. A cyber resource is an information resource that creates, stores, processes, manages, transmits, or disposes of information in electronic form and that can be accessed via a network or using networking methods. However, some information resources are specifically designed to be accessed using a networking method only intermittently (e.g., via a low-power connection to check the status of an insulin pump, via a wired connection to upgrade software in an embedded avionic device). These cyber resources are characterized as operating primarily in a disconnected or non-networked mode.

CYBER-RESILIENT SYSTEMS
Cyber-resilient systems operate like the human body. The human body has an effective immune system that can readily absorb a continuous barrage of environmental hazards and provides the necessary defense mechanisms to maintain a healthy state. The body also has self-repair systems to recover from illnesses and injuries when defenses are breached. But cyber-resilient systems, like the human body, cannot defend against all hazards at all times. While the body cannot always recover to the same state of health as before an injury or illness, it can adapt. Similarly, cyber-resilient systems can recover minimal essential functionality (e.g., functionality to meet critical mission needs). Understanding the limitations of individuals, organizations, and systems is fundamental to managing risk.

Systems incorporate cyber resources as system elements and may be susceptible to harm resulting from the effects of adversity on those resources and particularly to harm resulting from cyber-attacks. In some cases, susceptibility to harm may exist even with the employment of traditional cybersecurity safeguards and countermeasures intended to protect systems from adversity. The cyber resiliency problem is defined as how to achieve adequate mission resilience by providing (1) adequate system resilience and (2) adequate mission/business function and operational/organizational resilience in the presence of possible adversities that affect cyber resources. The cyber resiliency problem domain overlaps with the security problem domain since a system should be securely resilient.

The cyber resiliency problem domain is informed by an understanding of the threat landscape and, in particular, the advanced persistent threat (APT). The APT stems from an adversary that possesses significant levels of expertise and resources that allow it to create opportunities to achieve its objectives by using multiple attack vectors, including cyber, physical, and deception. These objectives include establishing and extending footholds within the systems of targeted organizations for the express purposes of exfiltrating information; undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future. The APT pursues its objectives repeatedly over an extended period, adapts to defenders’ efforts to resist it, and is determined to maintain the level of interaction needed to execute its objectives [SP 800-39] [CNSSI 4009]. In addition, the APT can take advantage of human errors (e.g., lapses in basic cybersecurity), exploit other stresses on systems (e.g., increased or unusual system use in response to a natural disaster or other event), and execute sophisticated supply chain attacks.

All discussions of cyber resiliency focus on assuring mission or business functions and are predicated on the assumption that the adversary will breach defenses and establish a long-term presence in organizational systems. A cyber-resilient system is a system that provides a degree of cyber resiliency commensurate with the system’s criticality.