Designing for ResilienceJuly 24, 2017
MITRE just concluded another Secure and Resilient Cyber Architectures Invitational, the seventh. Discussions at this year’s event explored the ways design principles could be used, identified concerns for metrics to assess operational gaps and compare alternatives, and spoke to the on-going need to keep critical processes going despite disruptions, such as those resulting from cyber attacks.
As organizations look to assure operations in the face of adversary activities, such as the increasing ransomware threat, they need to consider addressing how networks are designed and operated. But, consider this paradox: heterogeneity within an organization can potentially minimize the propagation of malware, yet homogeneous services can greatly enable a stricken organization to continue operating by bringing in knowledge workers from other locations. Understanding the effectiveness and costs of resiliency is key to solving these contradictions.
Cyber resiliency is about anticipating, withstanding, recovering, and evolving operations in the face of advanced cyber threats. Or put more simply, it’s about conducting mission or business functions, possibly at a reduced but effective level, despite ongoing and often undetected cyber attacks. It’s also about living with—and working with—change, as technologies and their business uses continue to evolve.
Cyber resiliency, like other aspects of trustworthiness—security, privacy, safety, and reliability—must be addressed in the design of systems and operational processes. This year’s Invitational offered Cyber Resiliency Design Principles, based on the Cyber Resiliency Engineering Framework (CREF).
With business—and potentially human life—on the line, we must continue to look at cyber resiliency as a necessary consideration in designing systems and business processes.