Gem: Minimal Viable Delivery Objective
Dale Peterson
ICS Security Catalyst, Founder of S4 Events, Consultant, Speaker, Podcaster, Get my newsletter friday.dale-peterson.com/signup
This week a gem in the deluge of mostly repetitive cyber security information and initiatives coming out of the US Government. The President's Council of Advisors on Science & Technology (PCAST) issued their Strategy For Cyber-Physical Resilience. A lot of it is reshuffling chairs, better information sharing, and other usual suspects. And yet the first item in the document is the gem:
Minimal Viable Delivery Objective
As I wrote in August 2022 in OT Cyber Security Regulation (if I were omnipotent):
The key here is to avoid the temptation to say everything is critical, and this is a more difficult task with political ramifications in a large country. For example, the US has over 140,000 water facilities. It would be difficult to get enough talent to handle this number. What are the 100 or 1,000 that are critical?
2. Determine minimal effective operations required for each company identified in Step 1.
In a perfect world, everything would run at 100% of capacity at all times. We know this doesn’t happen, so there is usually excess capacity. In addition, the community can live in a degraded state without having an unacceptable quality of life, impact to the economy, or environmental damage.
The government and the critical infrastructure entity shall determine the minimal effective operations criteria. How much drinkable water is required? How much product must flow through the pipeline to which locations? How much product must be manufactured in what timeframe? How much power must be produced?
The ability in step 1 to limit the number of regulated critical infrastructure entities and the political will to approve degraded operations are key. Remember though, I’m omnipotent.
3. Determine required recovery time objective (RTO) for minimal effective operations in the event of a cyber incident.
Again, in a perfect world the critical infrastructure never goes down, but in the real world it does go down for a variety of non-cyber reasons. For water, pipelines, refineries, manufacturing, and many other sectors the RTO may be days. The government and the entity need to discuss what the RTO needs to be, with the government regulator making the final decision.
The report is 50 pages long and is not as direct as an earlier PCAST presentation, which gave an example that was spot on: exactly the format the government needs to determine, publish, and regulate around. Pull quote:
Bounded Impact: expressions of minimum delivery goals e.g.: No more than 50,000 people will be without x (e.g., water, food, electricity, communications) for more than 1 week.
An important and related recommendation in the report is to stress test organizations where outages could exceed the bounded impact. The US Government already does this in the financial sector.
Bravo PCAST team and members, although I wish PCAST had issued a two-page report with this item in very plain language.
The danger, dare I say likelihood, is that this will get lost among the flood of guidance documents and initiatives coming out of the US Government. The most important item, the one that would make the biggest difference, can become one of many items that are not wrong but low impact, get little attention, and never get done.
Even in the PCAST report it is one item, albeit the first, which is great, among many. Some of the other items are bureaucratic and easier to check off, like those in the Cyber Solarium and National Cyber Strategy Implementation Plan: start this initiative, explore this idea, stand up this role or task force, and so on. Not bad, and perhaps necessary, but the next step, the output, is what matters, and it is as yet mostly lacking objectives.
Let's hope it gets attention and action.
If this becomes an objective, it will take maturity and political will not to take the easy way out and set the bounded impact so that no one is inconvenienced. For example, Colonial Pipeline was required to get operations running in seven days. They did it in six days. There were lines and panic, and the outage resulted in a loss of efficiency and commerce. Still, it was not catastrophic. Seven days may be the right RTO, the bounded impact. The Aliquippa and Oldsmar water incidents would likely fall below the bounded impact.
I urge those with influence to give this recommendation attention and priority.
Cyber-Physical Resilience and Integrated Risk Management
8 months ago: Good post, Dale Peterson. Understanding the minimal viable service delivery objectives considering one's own needs is important. Understanding the same relating to the impact on other national critical functions is also important. This is at the core of why we at Fusion3 Consulting are supporting the use of the ORF called out in this report within the ServiceNow platform. We can then take advantage of how the ORF aligns with and adds value to each domain and function associated with the #iso27001, #cybersecurityframework and other standards and frameworks enabled by ServiceNow's underpinnings to support this. We need to identify efficiency to reduce this complex effort at every step.
CEO Global Resilience Federation, President BRC, MFG-ISAC, K12 SIX and ProSIX
8 months ago: See below for a good read that gave rise to the Minimum Viable Service Delivery Objective in the PCAST report: the Operational Resilience Framework (ORF). Key tasks in the ORF are to define minimum viable service levels and establish corresponding service delivery objectives. Understanding where a service breaks for customer groups is essential: https://www.grf.org/orf #operationalresilience #bcm #bcdr #ciso #resilience #criticalinfrastructure
Specialist ICS/OT Security Engineer | Network Architect Administrator | Author
8 months ago: The PCAST strategy on critical infrastructure prioritisation signifies an evolution in cyber-physical security, focusing resources on vital areas. This is essential in ICS/OT for operational continuity. Implementation is challenging, requiring strong political will and an understanding of infrastructure complexities. The strategy's nuanced approach, including Bounded Impact and specific Recovery Time Objectives, acknowledges that incident prevention isn't always possible, advocating for preparedness against manageable degradation. Success hinges on actionable guidelines, regular sector stress tests, and practical public-private cooperation. It's about balancing security with operational efficiency, a critical step for national resilience.
Senior Engineer @ SEL -- CISSP, Security+, DoD Expert
9 months ago: Great points, Dale! It is a tough read not having participation from Industry and Utility Owners. This doesn't happen without Public / Private Partnerships and Collaboration! You have to have the people that know the systems from the initial concept. Without their influence or "buy-in" this doesn't get anywhere close to root cause or the ground truth. On the signature pages, I see a lot of National Labs, non-profits, and Universities. The only industry represented is by IT firms such as Microsoft, Google, NVIDIA, 3M, Mastercard, Aerospace Organization, and AMD. I believe we should be seeing customers such as Duke, Southern Co, SG&E, PG&E, Berkshire Hathaway, National Grid, and even the Government Power Authorities from a Utility perspective. “Electric” was mentioned 14 times in the document without even a signature from NERC or FERC? At least the American Water Works Association was represented.