Frameworks for Cyber Security: From IT, OT and Sustainability Perspectives
Source: https://iebmedia.com

I recently advised an organisation in the internal audit and cyber-risk management for their critical infrastructure attached to the cloud. This article shares knowledge and perspectives on cyber security frameworks and gaining maturity. If you need any support, please reach out to me via [email protected]

In the modern world, cyber resilience is crucial beyond IT (information technology), ensuring the sustainability and continuity of critical infrastructures (i.e., operational technologies). With the increasing reliance on information technologies, critical infrastructures have become more vulnerable to cyber-attacks, posing significant risks to public safety, economic welfare, and national security. Therefore, adopting a holistic approach that covers technical, policy, human, and behavioural aspects of cyber security is imperative.

Following a cyber security framework gives a holistic view and a structured approach to identifying, assessing, and managing cyber risks. It helps organisations establish effective controls to protect their data and systems against cyber threats, which improves their cyber security posture and resilience and mitigates the impact of incidents. Further, frameworks help organisations comply with relevant regulations and standards (e.g., the General Data Protection Regulation (GDPR), the Payment Card Industry Data Security Standard (PCI DSS)). This article explores some popular frameworks that can be readily adopted to build cyber resilience and increase maturity.

We start by defining a cyber attack process. The Lockheed Martin Kill Chain framework describes the phases of a cyber attack, from the initial reconnaissance to the exfiltration of data. It helps organisations to better understand and defend against advanced persistent threats (APTs) and other sophisticated cyber attacks. The Kill Chain framework is composed of seven phases:

  1. Reconnaissance: Attackers gather information about their target and identify potential vulnerabilities.
  2. Weaponisation: Attackers develop and create the tools to exploit the identified vulnerabilities.
  3. Delivery: Attackers deliver the weaponised payload to the target, often through spear-phishing emails or other social engineering tactics.
  4. Exploitation: Attackers execute the weaponised payload to exploit the identified vulnerabilities.
  5. Installation: Attackers install backdoors or other malware to establish a foothold in the target's network.
  6. Command and Control: Attackers establish a channel to the infected system and use it to control the system remotely.
  7. Actions on Objectives: Attackers achieve their goals, including stealing data, causing damage, or disrupting operations.

This describes the lifecycle, tactics and techniques of a cyber attack and helps to develop defensive strategies to detect, prevent, and respond at each phase of the chain.
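As an added example (not code from the article), the Python below shows the defensive use of the phases: constructed log lines are mapped to Kill Chain phases by hypothetical detection rules, and hosts are then ranked by how far the intrusion has progressed, which is the ordering a responder would triage in. The log format, the rules, the host names and the addresses are all assumptions made for this example; Weaponisation happens on the attacker's side and leaves nothing in defender logs, so no rule maps to it.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# The seven Kill Chain phases in order; the list index is the degree of progression.
PHASES = [
    "Reconnaissance", "Weaponisation", "Delivery", "Exploitation",
    "Installation", "Command and Control", "Actions on Objectives",
]
PHASE_INDEX = {name: i for i, name in enumerate(PHASES)}

# Hypothetical detection rules: a pattern over the log message and the phase it indicates.
# Weaponisation is attacker-side and unobservable here, so it has no rule.
RULES = [
    (re.compile(r"port scan from", re.I), "Reconnaissance"),
    (re.compile(r"attachment \S+\.docm", re.I), "Delivery"),
    (re.compile(r"winword\.exe spawned powershell\.exe", re.I), "Exploitation"),
    (re.compile(r"scheduled task created", re.I), "Installation"),
    (re.compile(r"periodic outbound connection .* \(beacon\)", re.I), "Command and Control"),
    (re.compile(r"large outbound transfer", re.I), "Actions on Objectives"),
]

# Constructed log format for this example: ISO timestamp, host=..., msg="...".
LOG_RE = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) msg="(?P<msg>[^"]*)"$')


@dataclass(frozen=True)
class Event:
    ts: str
    host: str
    msg: str


def parse_line(line: str) -> Optional[Event]:
    """Parse one constructed log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    return Event(m["ts"], m["host"], m["msg"]) if m else None


def classify(msg: str) -> Optional[str]:
    """Map a message to a Kill Chain phase via the first matching rule, or None if benign/unknown."""
    for pattern, phase in RULES:
        if pattern.search(msg):
            return phase
    return None


def phases_by_host(lines: List[str]) -> Dict[str, List[str]]:
    """Return {host: [phases observed, in Kill Chain order]} from raw log lines."""
    seen: Dict[str, set] = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        phase = classify(ev.msg)
        if phase is not None:
            seen.setdefault(ev.host, set()).add(phase)
    return {h: sorted(p, key=PHASE_INDEX.__getitem__) for h, p in seen.items()}


def furthest_phase(lines: List[str]) -> Dict[str, str]:
    """Return {host: furthest Kill Chain phase reached}."""
    return {h: p[-1] for h, p in phases_by_host(lines).items()}


def response_priority(lines: List[str]) -> List[str]:
    """Hosts ordered for response: the host where the attack progressed furthest comes first."""
    fp = furthest_phase(lines)
    return sorted(fp, key=lambda h: PHASE_INDEX[fp[h]], reverse=True)


# Constructed sample log lines (documentation-range addresses, fictitious hosts).
LOG_LINES = [
    '2024-05-01T08:02:10Z host=fw-edge msg="port scan from 203.0.113.5 against 198.51.100.0/24"',
    '2024-05-01T09:14:03Z host=ws-17 msg="mail from invoice@example.net with attachment invoice.docm"',
    '2024-05-01T09:16:44Z host=ws-17 msg="winword.exe spawned powershell.exe"',
    '2024-05-01T09:17:01Z host=ws-17 msg="scheduled task created: Updater"',
    '2024-05-01T09:20:00Z host=ws-17 msg="periodic outbound connection to 203.0.113.9:443 every 60s (beacon)"',
    '2024-05-01T11:40:12Z host=ws-22 msg="mail from hr@example.net with attachment policy.docm"',
    '2024-05-01T12:00:00Z host=ws-22 msg="user logged in"',
]

if __name__ == "__main__":
    reached = furthest_phase(LOG_LINES)
    for host in response_priority(LOG_LINES):
        print(f"{host}: furthest phase = {reached[host]}, observed = {phases_by_host(LOG_LINES)[host]}")
```

The ranking shows why the phase model matters for response: ws-17 has reached Command and Control and needs containment now, ws-22 has only seen Delivery (the attachment arrived but nothing executed), and the perimeter scan on fw-edge is early-phase noise to watch rather than act on.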

To identify and act on those risk phases efficiently and proactively, NIST (National Institute of Standards and Technology) introduced a voluntary, high-level framework of standards, guidelines and best practices for managing cyber security risk.

The NIST cybersecurity framework. Source: https://www.nist.gov/cyberframework

The NIST cyber security framework (CSF) provides a foundation for developing cyber resilience models, such as Cyber Training and Technology Platforms (CTTP). The CTTP model adopts AI, IoT, and machine learning to simulate, identify, detect/predict, evaluate and respond to threats proactively. Using emulation, simulation, and gamification tools, virtual labs and digital twins can be created which resemble the organisation's existing systems, procedures and policies. These virtual environments provide a sandbox in which to test and evaluate new technologies and policies, restore the default state, and start over without affecting the production system. Organisations can therefore become aware of their own cyber resilience strategies and capabilities and build a proactive cyber risk management culture.

The THREAT-ARREST lifecycle. Source: https://link.springer.com/chapter/10.1007/978-3-030-42051-2_14

The THREAT-ARREST cyber-range platform (above) is an instance of a CTTP model that provides a simulated environment for cyber security training and testing. It offers a hands-on, experiential learning environment in which to practise cyber security skills realistically and safely. The platform can simulate a range of cyber threats and attacks that could impact critical infrastructure, such as denial of service attacks, ransomware attacks, and network intrusions. Personnel can practise responding to these threats, identifying vulnerabilities, and developing effective mitigation strategies.

The STRIDE threat model. Source: https://community.arm.com

As part of the learning process, the STRIDE threat modelling framework (above) helps identify and mitigate threats as process maturity grows. STRIDE stands for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. Each category represents a different type of threat that could be used to exploit vulnerabilities in a system. Awareness of such threats helps organisations implement strong authentication and access controls, deploy intrusion detection and prevention systems, or establish redundancy and backup systems to ensure continuity of operations in the event of a cyber attack.
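As an added example (not the article's own material), the Python below applies STRIDE in the per-element form used in threat modelling practice: each element of a small data-flow model gets the STRIDE categories that apply to its type, data flows that cross a trust boundary are flagged high priority, and each threat is paired with a starting-point control of the kind the text names. The OT model (operator workstation, HMI, PLC, historian), the zone names, the per-element mapping and the mitigation list are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The six STRIDE categories named in the text.
STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information Disclosure",
    "D": "Denial of Service",
    "E": "Elevation of Privilege",
}

# STRIDE-per-element: which categories apply to each data-flow-diagram element type
# (the usual SDL-style convention; repudiation on a data store matters where it holds logs).
APPLICABLE = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}

# Starting-point controls per category. Authentication/access control, intrusion
# detection/prevention and redundancy/backups come from the article; integrity checks,
# audit logging and encryption are added here as an assumption for the example.
MITIGATIONS = {
    "S": "strong authentication",
    "T": "integrity checks and intrusion detection/prevention",
    "R": "tamper-evident audit logging",
    "I": "encryption and access controls",
    "D": "redundancy and backup systems",
    "E": "least-privilege access controls",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str                        # one of the keys of APPLICABLE
    zone: str                        # trust zone the element lives in
    endpoints: Tuple[str, ...] = ()  # data flows only: (source, destination) element names


@dataclass(frozen=True)
class Threat:
    element: str
    category: str
    mitigation: str
    priority: str                    # "high" when the element spans a trust boundary


def crosses_trust_boundary(el: Element, by_name: Dict[str, Element]) -> bool:
    """A data flow whose source and destination sit in different zones crosses a boundary."""
    if el.kind != "data_flow":
        return False
    src, dst = (by_name[n] for n in el.endpoints)
    return src.zone != dst.zone


def enumerate_threats(elements: List[Element]) -> List[Threat]:
    """Apply STRIDE-per-element to every element and flag boundary-crossing flows as high priority."""
    by_name = {e.name: e for e in elements}
    threats: List[Threat] = []
    for el in elements:
        prio = "high" if crosses_trust_boundary(el, by_name) else "normal"
        for code in APPLICABLE[el.kind]:
            threats.append(Threat(el.name, STRIDE[code], MITIGATIONS[code], prio))
    return threats


def high_priority(elements: List[Element]) -> List[Threat]:
    """The threats to review first: those on flows that cross a trust boundary."""
    return [t for t in enumerate_threats(elements) if t.priority == "high"]


# Constructed model of a small OT system: an operator workstation in the corporate zone
# talks to an HMI in the OT zone, which drives a PLC and feeds a historian database.
MODEL = [
    Element("operator_workstation", "external_entity", "corporate"),
    Element("hmi", "process", "ot"),
    Element("plc", "process", "ot"),
    Element("historian_db", "data_store", "ot"),
    Element("ws_to_hmi", "data_flow", "corporate", ("operator_workstation", "hmi")),
    Element("hmi_to_plc", "data_flow", "ot", ("hmi", "plc")),
]

if __name__ == "__main__":
    for t in enumerate_threats(MODEL):
        print(f"[{t.priority:6}] {t.element}: {t.category} -> {t.mitigation}")
```

The output is a threat register, not a finished model: the next step in practice is to walk each row with the system owners, strike the ones that do not apply, and record the actual control (or the accepted risk) against the rest. The boundary flag is what makes the register actionable, since the corporate-to-OT flow is where authentication, integrity and availability controls pay off most.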

The Essential Eight Maturity Model, developed by the Australian Cyber Security Centre (ACSC), provides a framework for assessing an organisation's cyber security maturity level by prioritising the implementation of eight mitigation strategies. The Essential Eight principles primarily centre on cloud services and enterprise mobility, key success factors for today's businesses. The model is based on the ACSC's experience in producing cyber threat intelligence, responding to cyber security incidents, conducting penetration testing, and assisting organisations in implementing the Essential Eight. The model emphasises the complementary nature of the mitigation strategies and their focus on various cyber threats, requiring organisations to reach a given maturity level across all eight strategies before moving to a higher one.

Leading organisations and authorities have recently combined different data, privacy and cyber security frameworks to support organisations in broader cyber-resilience strategies and higher maturity levels. For instance, ENISA (European Union Agency for Cybersecurity) mapped the main security objectives between the NISD (Network and Information Systems Directive) and GDPR. Further, ISO issued the ISO/IEC 27701 standard to establish a privacy information management system by combining the ISMS (Information Security Management System) requirements with ISO/IEC 29100 principles. Moreover, NIST published the Privacy Framework, which follows the structure of the Framework for Improving Critical Infrastructure Cybersecurity. These efforts highlight the importance of combining different cyber security frameworks to address the complex and evolving threats faced by organisations. The following diagram shows various compliance regimes, standards and frameworks that emerged in various parts of the world for cyber resilience.

Consolidation of the Cyber Security Compliance Frameworks. Source: https://logrhythm.com/solutions/compliance/

The breadth and depth of such a converged strategy are reflected in the following Australian Defence Force (ADF) cyberspace professional framework.

Australian Defence Force (ADF) Cyberspace Professional Framework. Source: https://www.cyber.gov.au

The framework encompasses defensive and offensive cyber security measures to enhance resilience, and covers perspectives such as education, governance, audit, regulations, and policies. To adopt this framework, the workforce needs to possess a wide range of skills, which requires a short-, medium- and long-term vision for achieving cyber resilience. For example, the ADF framework complements the NICE (National Initiative for Cybersecurity Education) framework, which addresses cyber skills development.

UN SDGs for Cyber Resilience. Source: https://europa.eu/capacity4dev/results-and-indicators/cybersecurity

From the sustainability perspective, cyber security is critical to achieving the UN's Sustainable Development Goals (SDGs), as it is viewed as a transversal issue in development cooperation and partnerships (impacting SDG 17). This is reflected in the EU's Digital4Development policy framework. The ultimate objective of cyber security is to provide citizens with a secure, resilient, and peaceful cyberspace free from malicious activities. This objective is essential to realising SDG 9, which aims to build resilient infrastructure, promote sustainable industrialisation and foster innovation, and SDG 4, which emphasises providing quality education. Further, SDG 8 promotes decent work and economic growth, while SDG 16 focuses on building peace, justice, and strong institutions; all of these recognise the significance of cyber security in achieving sustainable development. By prioritising cyber security, countries can ensure the safety and security of their digital and critical infrastructures, enabling them to participate fully in the global economy and achieve long-term development goals.

Conclusion

The significance of cyber security frameworks cannot be overstressed, especially when it comes to governance, sustainability, and national security. With the ever-increasing threat of cyber-attacks and data breaches, governments and organisations must prioritise risk management strategies to safeguard their digital and physical assets. Implementing robust cyber security frameworks in line with strategic goals provides a mature and structured approach to auditing, identifying, assessing, and mitigating cyber risks, ensuring the protection of critical infrastructure and information systems.
