Diving Below the Cyber Waterline
The Danger of Existential Cyber-Attacks on Critical Systems and Assets
In a previous article entitled “The Cybersecurity Glass Ceiling,” I described the problem of complex systems, uncontrolled and rapidly expanding attack surface, and a lack of emphasis on principled engineering to build systems that are secure by design. In this article, I’d like to take a closer look at why reducing and managing system complexity is not only beneficial but essential to managing risk in hostile cyberspace.
To get an idea of the magnitude and importance of this problem, I highly recommend reading the Executive Summary of the Defense Science Board (DSB) Task Force Report, Resilient Military Systems and the Advanced Cyber Threat, published in January 2013. The report defined an existential cyber-attack as:
“An attack that is capable of causing sufficient wide scale damage for the government potentially to lose control of the country, including loss or damage to significant portions of military and critical infrastructure: power generation, communications, fuel and transportation, emergency services, financial services, etc.”
To describe the capabilities of potential attackers, the Task Force defined a threat hierarchy organized by the level of adversarial skill and the breadth of available resources. The report grouped adversaries into three broad levels of capability and identified three classes of vulnerabilities in systems that those adversaries can exploit. The vulnerability classes are:
Adversaries attempt to exploit known vulnerabilities first, as these typically require the least effort and expenditure of resources on their part (i.e., the low-hanging fruit). With additional resources, adversaries can discover new vulnerabilities in systems that are either known to developers but not yet mitigated or completely unknown (i.e., zero-day vulnerabilities), providing an opportunity to launch “no-notice” destructive attacks that cannot be repulsed. And finally, adversaries can invest significant resources, including money and time, to establish a long-term presence in organizational systems and create new vulnerabilities that previously did not exist [1].
When you analyze the types of cyber threats and vulnerabilities described in the DSB Report with respect to the complexity of today’s systems, a few observations can be made. First, two of the classes of vulnerabilities (i.e., the zero-day and adversary-created vulnerabilities) are either partially or totally “off the radar” of most organizations. Second, organizations are already overwhelmed in dealing with the large number of known vulnerabilities affecting their systems. Third, with the rapidly increasing attack surface in organizations due to the unbridled growth and complexity of systems, there are a growing number of unknown or undetermined vulnerabilities that continue to make organizations susceptible to highly destructive cyber-attacks including the existential cyber-attacks described in the DSB Report.
What’s the immediate action plan?
Bottom line: Vulnerabilities are “assumed” to be present in complex systems and those systems must be “engineered” to assure system function.
To avoid overloading the process and to prioritize the workload, organizations should consider conducting a criticality analysis to “triage” their systems. Focus on those systems that are the most critical first—where the loss of assets from a cyber-attack could be expected to have a severe or catastrophic adverse effect on the organization’s missions or business operations. Next, focus on the systems that are of lesser criticality—where the loss of assets could be expected to have a serious (but not severe or catastrophic) adverse effect on the organization’s missions or business operations. And finally, focus on the remaining systems where the loss of assets could be expected to have a limited or minimal adverse effect on the organization.
So, what is the overarching message to be conveyed?
Today’s systems are too large and too complex to fully understand. The lack of understanding means that it is difficult to trust systems that have not demonstrated their “trustworthiness.” Shatter the “cybersecurity glass ceiling.” Build systems on strong foundations that are guided and informed by principled assured engineering. For critical systems and system components, smaller and simpler is better. Least functionality. Least privilege. Secure by design.
“Everything should be made as simple as possible, but not simpler.” -- Albert Einstein (the first actual systems security engineer)
[1] R. Ross, “The Need for Systems Thinking in Cybersecurity,” ISMG’s CyberEd.io interview.
[2] R. Ross, J. Oren, M. McEvilley, NIST SP 800-160, Volume 1, “Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems.”
A special note of thanks to Mark Winstead, long-time cybersecurity and SSE colleague, who graciously reviewed and provided sage advice for this article.
M.S. Comp Science, BSEE, / Cyber Security, CISSP, RMF, GSLC, CCNA, ICS410, PML3, SE L3, IAM L3, CNSS 4011-4016
2 years
You are so correct, but they do not listen to us. The truth is, as cyber SMEs, our degrees in computer science also give the engineering perspective, not just cyber.
Cyber-Informed Engineer
3 years
Cyber Informed Engineering FTW!
We've known for some decades how to construct secure but complex systems using deliberate layering, information hiding, and established engineering and scientific principles realized in reference monitor designs. Reference monitors encompass all the "goodness" of isolation and separation devoutly desired by devotees of hypervisors and supervisor architectures - but Reference Monitors ALSO include scientific application of thoroughly analyzed and completely understood access controls (Mandatory, or non-discretionary, Access Controls) that permit composition of complex systems based on the global security enforcement provided by the Reference Monitor. Designing and engineering reference monitors, including the analysis of the security policies they enforce for secrecy and integrity, IS rocket science. Using them to compose secure systems is no more rocket science than constructing a 3-story house out of brick and mortar. Composition is possible and straightforward when you can rely on the security properties of the underlying system to remain true and consistent, even in the face of a nation-state adversary's attempts to introduce flaws and weaknesses. To attain this level of confidence requires devotion to assurance measures and techniques too often discarded. Apply the assurance techniques to the lowest layer - a reference monitor that leverages the electrical and physical properties of the hardware, combined with vetted and assured firmware that initializes the hardware and devices that need to be trusted, and that provides a small, thoroughly vetted and trusted security kernel - and it can protect itself from subversion when combined with the life-cycle design, development, delivery, update and disposal procedures that make up Trusted Distribution. AT LEAST critical infrastructure systems need such devotion and protection.
What remains is for risk managers and their organizations to rediscover how reference monitors can deliver security, scalability (through composition) and functionality (also through composition). #TCSEC documented one approach. Is there another?
* Demystifying Identity Security | Passionate for Cognitive Science *
3 years
Well said, Ron Ross. Complexities indirectly create exploit opportunities for adversaries, as the system owner might not have visibility into the entire attack surface and often looks at each attack vector in a silo.