
Fundamental Concepts of Cyber Resilience: Introduction and Overview

네버고나 2024. 1. 20. 11:43

Linkov, I., & Kott, A. (2019). Fundamental concepts of cyber resilience: Introduction and overview. Cyber resilience of systems and networks, 1-25.

 

Motivation: Why Cyber Resilience? Society is increasingly reliant upon complex and interconnected cyber systems to conduct daily life activities. From personal finance to managing defense capabilities to controlling a vast web of aircraft traffic, digitized information systems and software packages have become integrated at virtually all levels of individual and collective activity. While such integration has been met with immense increases in the efficiency of service delivery, it has also been subject to a diverse body of threats from nefarious hackers, groups, and even state government bodies. Such cyber threats have shifted over time to affect various cyber functionalities, such as Distributed Denial of Service (DDoS), data theft, changes to data and code, infection via computer virus, and many others. Attack targets have become equally diverse, ranging from individuals to international companies and national government agencies. At the individual level, thousands of personal data records, including credit card information and government identification, are stolen on a daily basis, disrupting the lives of many persons and generating billions of dollars in fraud or other losses. At the corporate level, hacking attempts targeted at the Sony Corporation, Equifax, and other similarly sized organizations demonstrate the potential for hackers to gain entry to sensitive information stored in company databases, and potentially impact the security of millions of users. Lastly, state-based cyber threats arise from individual hackers and other large states alike, such as with the daily intrusion attempts that occur within the Department of Defense. While many cyber threats are thwarted, many are able to exact lasting and widespread damage in terms of security, financial losses, social disorder, and other concerns. In warfare, cyber threats may soon become one of the main factors that decide whether a war is won or lost (Kott et al. 2015).
Whereas traditional risk assessment comprises a calculation of the product of threats, vulnerabilities, and consequences for hazards and their subsequent exposures, risk assessment becomes limited in the cybersecurity field because approaches are needed to address threats and vulnerabilities that are integrated within a wide variety of interdependent computing systems and accompanying architecture (DiMase et al. 2015; Ganin et al. 2017). For highly complex and interconnected systems, it becomes prohibitively difficult to conduct a risk assessment that adequately accounts for the potential cascading effects that could occur through an outage or loss spilling over into other systems. Given the rapid evolution of threats to cyber systems, new management approaches are needed that address risk across all interdependent domains (i.e., physical, information, cognitive, and social) of cyber systems (Linkov et al. 2013a, b). Further, the unpredictability, extreme uncertainty, and rapid evolution of potential cyber threats leave risk assessment efforts all the more unable to adequately address cybersecurity concerns for critical infrastructure systems. For this reason, the traditional approach of hardening cyber systems against identified threats has proven to be impossible. The only true defense that cybersecurity professionals could take to harden systems against the multitude of potential cyber threats would be to disallow cyber systems from accessing the internet. Therefore, in the same way that biological systems develop immunity as a way to respond to infections and other attacks, so too must cyber systems adapt to ever-changing threats that continue to attack vital system functions, and bounce back from the effects of the attacks (Linkov et al. 2014). For these reasons, cyber resilience refers to the ability of the system to prepare for, absorb, recover from, and adapt to adverse effects, especially those associated with cyber-attacks. (We will discuss the exact definitions later.) Here, depending on the context, we use the term cyber resilience to refer mainly to the resilience property of a system or network; sometimes we also use the term as referring to the features or components of the system that enable cyber resilience.

 

Resilience and Systems

Cyber resilience should be considered in the context of complex systems that comprise not only physical and information but also cognitive and social domains (Smith, 2005). Cyber resilience ensures that system recovery occurs by considering the interconnected hardware, software and sensing components of cyber infrastructure (Fig. 1). It thus constitutes a bridge between sustaining the operations of the system and ensuring mission execution.

Resilience has roots in many disciplines and integrates ecological, social, psychological, organizational, and engineering perspectives and definitions. Resilience engineering, for example, has been defined as “the ability of systems to anticipate and adapt to the potential for surprise and failure,” and has been associated with a shift in the safety paradigm acknowledging that system coping is important when prevention is impossible (Hollnagel, Woods, & Leveson, 2006). Ecological resilience, on the other hand, refers to the ability of the system to absorb and withstand shocks, with an emphasis on persistence (Holling, 1996). Resilience is used as a metaphor to describe how systems react to stressors; to bridge the gap in understanding between fields, resilience needs to be discussed less abstractly, separating the metaphor from the science. Across the many diverse lines of inquiry, there are weak linkages between concepts and methods for resilience. Useful ideas and results accumulate and partially overlap, but it is often difficult to find the common areas. In addition, the different technical languages hamper communication of ideas about resilience across the different contributing disciplines and application problems. Despite the multidisciplinary nature of resilience and its multiple definitions, there are common themes and resilience features across these disciplines (Connelly et al., 2017). Resilience as defined by the National Academies of Science (NAS), “the ability to prepare and plan for, absorb, recover from, and more successfully adapt to adverse events,” is emerging as one of the definitions most widely used by various organizations and governance agencies (Larkin et al., 2015). The common resilience features include critical functions (services), thresholds, cross-scale (both space and time) interactions, and memory and adaptive management.
The concept of critical functionality is important to understanding and planning for resilience to some shock or disturbance. Thresholds play a role in whether a system is able to absorb a shock, and in whether recovery time or alternative stable states are most salient. Recovery time is essential in assessing system resilience after a disturbance where a threshold is not exceeded. Finally, the concept of memory describes the degree of self-organization in the system, and adaptive management provides an approach to managing and learning about a system’s resilience opportunities and limits in a safe-to-fail manner. Connelly et al. (2017) related these features to the National Academy of Sciences definition of resilience (Table 1), including the temporal phases of the NAS definition to emphasize the importance of time in all conceptualizations of resilience.
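To make the three quantitative features just named (critical functionality, threshold, recovery time) concrete, here is an added Python example that is not part of the chapter or of this post. It takes a time series of one critical function of a service (here a constructed, hourly "fraction of transactions completed" recorded during a DDoS), checks whether functionality ever crossed the critical threshold (the shock was absorbed or the system fell into a degraded state), measures the recovery time back to baseline, and reports an area-under-the-curve resilience index. The 95% "recovered" level, the trapezoidal index and the sample data are assumptions made for this example, not definitions from the chapter.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence


@dataclass
class ResilienceSummary:
    absorbed: bool                   # functionality never fell below the critical threshold
    recovery_time: Optional[float]   # time from the disturbance until back near baseline; None = not recovered
    resilience_index: float          # mean of functionality/baseline over the window (1.0 = no loss at all)
    minimum_functionality: float     # lowest functionality observed at or after the disturbance


def assess_resilience(
    times: Sequence[float],
    functionality: Sequence[float],
    disturbance_time: float,
    threshold: float,
    baseline: float = 1.0,
    recovered_fraction: float = 0.95,
) -> ResilienceSummary:
    """Summarise one critical-functionality series around a single disturbance.

    Assumed conventions (chosen for this example, not taken from the chapter):
    the shock is "absorbed" if functionality never drops below `threshold`;
    the system has "recovered" once functionality is back to at least
    `recovered_fraction * baseline`; the resilience index is the trapezoidal
    area under functionality/baseline divided by the window length.
    """
    if len(times) != len(functionality) or len(times) < 2:
        raise ValueError("need two equally long series with at least two samples")
    if any(b <= a for a, b in zip(times, times[1:])):
        raise ValueError("times must be strictly increasing")

    # Threshold check: only samples at or after the disturbance matter.
    post = [f for t, f in zip(times, functionality) if t >= disturbance_time]
    minimum = min(post) if post else float(baseline)
    absorbed = minimum >= threshold

    # Recovery time: first return to the recovered level after the first drop below it.
    recovered_level = recovered_fraction * baseline
    recovery_time: Optional[float] = 0.0   # stays 0.0 if functionality never degraded
    drop_seen = False
    for t, f in zip(times, functionality):
        if t < disturbance_time:
            continue
        if not drop_seen:
            if f < recovered_level:
                drop_seen = True
                recovery_time = None       # degraded and not (yet) recovered
        elif f >= recovered_level:
            recovery_time = t - disturbance_time
            break

    # Resilience index: area under the normalised curve per unit time.
    area = 0.0
    for (t0, f0), (t1, f1) in zip(zip(times, functionality), zip(times[1:], functionality[1:])):
        area += (f0 + f1) / 2.0 * (t1 - t0)
    index = area / baseline / (times[-1] - times[0])

    return ResilienceSummary(absorbed, recovery_time, index, minimum)


# Constructed sample data: hourly fraction of transactions completed; the flood starts at hour 2.
SAMPLE_TIMES: List[float] = [float(h) for h in range(11)]
SAMPLE_ABSORBED: List[float] = [1.0, 1.0, 0.4, 0.3, 0.5, 0.7, 0.9, 1.0, 1.0, 1.0, 1.0]
SAMPLE_COLLAPSED: List[float] = [1.0, 1.0, 0.1, 0.1, 0.1, 0.1, 0.1, 0.1, 0.1, 0.1, 0.1]
DISTURBANCE_HOUR = 2.0
CRITICAL_THRESHOLD = 0.25   # assumed: below this the service is considered to have lost its critical function


if __name__ == "__main__":
    for label, series in (("absorbed", SAMPLE_ABSORBED), ("collapsed", SAMPLE_COLLAPSED)):
        print(label, assess_resilience(SAMPLE_TIMES, series, DISTURBANCE_HOUR, CRITICAL_THRESHOLD))
```

For the first series the shock is absorbed (minimum 0.3 stays above the 0.25 threshold), recovery takes 5 hours and the index is 0.78; for the second the threshold is crossed and no recovery is observed, so the recovery time is reported as unknown rather than as a number, which is the case the text describes as an alternative stable state being the salient feature.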

 

Motivation: Why Cyber Resilience? Society increasingly depends on complex and interconnected cyber systems to carry out the activities of daily life. From personal finance to managing defense capabilities to controlling the vast traffic of aircraft, digitized information systems and software packages have been integrated into virtually every level of individual and collective activity. While this integration has brought enormous gains in the efficiency of service delivery, it has also made those systems the target of diverse threats from illicit hackers, groups, and even state government bodies. Over time these cyber threats have shifted to affect a variety of cyber functions, such as Distributed Denial of Service (DDoS), data theft, alteration of data and code, infection by computer viruses, and many others. Attack targets have become equally diverse, ranging from individuals to international companies and national government agencies. At the individual level, thousands of personal data records, including credit card information and government identification, are stolen every day, disrupting the lives of many people and generating billions of dollars in fraud or other losses. At the corporate level, hacking attempts against Sony, Equifax, and other organizations of similar size show how hackers can gain access to sensitive information stored in company databases and potentially affect the security of millions of users. Finally, state-based cyber threats come from individual hackers and other large states alike, as with the intrusion attempts that occur daily within the Department of Defense. Although many cyber threats are blocked, many others can cause lasting and widespread damage in terms of security, financial losses, social disruption, and other concerns. In warfare, cyber threats may soon become one of the main factors deciding whether a war is won or lost (Kott et al. 2015). Whereas traditional risk assessment consists of the product of threats, vulnerabilities, and consequences for hazards and the resulting exposures, in the cybersecurity field risk assessment becomes limited because approaches are needed that address threats and vulnerabilities embedded within a wide variety of interdependent computing systems and their accompanying architecture (DiMase et al. 2015; Ganin et al. 2017). For highly complex and interconnected systems, it becomes extremely difficult to carry out a risk assessment that adequately accounts for the potential cascading effects that an outage or loss spilling over into other systems could produce. Given the rapid evolution of threats to cyber systems, new management approaches are needed that address risk across all of the interdependent domains of cyber systems (that is, the physical, information, cognitive, and social domains) (Linkov et al. 2013a, b).

Moreover, the unpredictability, extreme uncertainty, and rapid evolution of potential cyber threats leave risk-assessment efforts even less able to adequately address cybersecurity concerns for critical infrastructure systems. For this reason, the traditional approach of hardening cyber systems against identified threats has proven impossible. The only true defense that cybersecurity professionals could take to harden systems against the multitude of potential cyber threats would be to deny cyber systems access to the internet. Therefore, just as biological systems develop immunity as a way of responding to infections and other attacks, cyber systems too must adapt to ever-changing threats that keep attacking vital system functions, and must recover from the effects of those attacks (Linkov et al. 2014). For these reasons, cyber resilience refers to the ability of a system to prepare for, absorb, recover from, and adapt to adverse effects, especially those associated with cyber attacks. (The exact definitions are discussed later.) Here, depending on the context, we use the term cyber resilience mainly to refer to the resilience property of a system or network; sometimes we also use it to refer to the features or components of a system that enable cyber resilience.



Resilience and Systems

Cyber resilience should be considered in the context of complex systems that encompass not only the physical and information domains but also the cognitive and social domains (Smith, 2005). Cyber resilience ensures that system recovery takes place by taking into account the interconnected hardware, software, and sensing components of the cyber infrastructure (Fig. 1). It thus constitutes a bridge between sustaining the system's operations and ensuring mission execution.

Resilience has roots in many fields and integrates ecological, sociological, psychological, organizational, and engineering perspectives and definitions. Resilience engineering, for example, has been defined as "the ability of systems to anticipate and adapt to the potential for surprise and failure," and is associated with a shift in the safety paradigm that recognizes that system coping matters when prevention is impossible (Hollnagel, Woods, & Leveson, 2006). Ecological resilience, by contrast, is the ability of a system to absorb and withstand shocks, with an emphasis on persistence (Holling, 1996). Resilience is used as a metaphor to describe how systems react to stressors; to close the gaps in understanding between fields, it needs to be discussed less abstractly, separating the science from the metaphor. Across the many diverse lines of inquiry, the concepts and methods for resilience are only weakly linked. Useful ideas and results accumulate and partly overlap, but it is often hard to find the common ground. In addition, the differing technical languages hinder the transfer of ideas about resilience across the contributing disciplines and application problems. Despite the multidisciplinary nature of resilience and its multiple definitions, there are themes and resilience features common to these disciplines (Connelly et al., 2017). Resilience as defined by the U.S. National Academies of Science (NAS), "the ability to prepare and plan for, absorb, recover from, and more successfully adapt to adverse events," is emerging as one of the definitions most widely used by various organizations and governance agencies (Larkin et al., 2015). The common resilience features include critical functions (services), thresholds, cross-scale (both spatial and temporal) interactions, and memory and adaptive management.

The concept of critical functionality is important for understanding and planning for resilience to a given shock or disturbance. Thresholds play a role in whether a system can absorb a shock, and in whether recovery time or an alternative stable state is the more salient feature. Recovery time is essential for assessing system resilience after a disturbance in which the threshold is not exceeded. Finally, the concept of memory describes the degree of self-organization in the system, and adaptive management provides an approach for managing and learning about a system's resilience opportunities and limits in a safe-to-fail manner. Connelly et al. (2017) related these features to the U.S. National Academy of Sciences definition of resilience (Table 1), including the temporal phases of the NAS definition in order to emphasize the importance of time in every conceptualization of resilience.