Diving Below the Cyber Waterline

The Danger of Existential Cyber-Attacks on Critical Systems and Assets

In a previous article entitled “The Cybersecurity Glass Ceiling,” I described the problem of complex systems, uncontrolled and rapidly expanding attack surface, and a lack of emphasis on principled engineering to build systems that are secure by design. In this article, I’d like to take a closer look at why reducing and managing system complexity is not only beneficial but essential to managing risk in hostile cyberspace.

To get an idea of the magnitude and importance of this problem, I highly recommend reading the Executive Summary of the Defense Science Board (DSB) Task Force Report, Resilient Military Systems and the Advanced Cyber Threat, published in January 2013. The report defined an existential cyber-attack as:

“An attack that is capable of causing sufficient wide scale damage for the government potentially to lose control of the country, including loss or damage to significant portions of military and critical infrastructure: power generation, communications, fuel and transportation, emergency services, financial services, etc.”

To describe the capabilities of potential attackers, the Task Force defined a threat hierarchy organized by the level of adversarial skills and breadth of available resources. The report described three tiers of adversarial capabilities and three classes of vulnerabilities in systems that can be exploited. The vulnerability classes include:

  • Known vulnerabilities
  • New or zero-day vulnerabilities
  • Adversary-created vulnerabilities

Adversaries attempt to exploit known vulnerabilities first, as these vulnerabilities typically require the least amount of effort or expenditure of resources on their part (i.e., the low-hanging fruit). With additional resources, adversaries can discover new vulnerabilities in systems that may either be known to developers and not yet mitigated or completely unknown, providing an opportunity to launch “no-notice” destructive attacks that cannot be repulsed (i.e., zero-day exploits). And finally, adversaries can invest significant levels of resources, including money and time, to establish a long-term presence in organizational systems and create new vulnerabilities that previously did not exist [1].

When you analyze the types of cyber threats and vulnerabilities described in the DSB Report with respect to the complexity of today’s systems, a few observations can be made. First, two of the classes of vulnerabilities (i.e., the zero-day and adversary-created vulnerabilities) are either partially or totally “off the radar” of most organizations. Second, organizations are already overwhelmed in dealing with the large number of known vulnerabilities affecting their systems. Third, with the rapidly increasing attack surface in organizations due to the unbridled growth and complexity of systems, there are a growing number of unknown or undetermined vulnerabilities that continue to make organizations susceptible to highly destructive cyber-attacks including the existential cyber-attacks described in the DSB Report.

What’s the immediate action plan?

  1. Determine the intended behaviors and outcomes of systems—that is, each system’s desired capability.
  2. Determine the value of the organization’s assets. Assets may be tangible (a physical item such as hardware, software, firmware, computing platform, network device, or other technology component) or intangible (information, data, trademark, patent, copyright, intellectual property, image, or reputation).
  3. Decide how much loss the organization is willing to sustain for each type of asset. For example, when unintended outcomes of loss occur, what loss is not tolerable?
  4. Employ a principled, assured systems engineering process to develop, deploy, and sustain systems that help organizations withstand adversity—that is, the conditions that can cause a loss of assets (e.g., threats, attacks, vulnerabilities, hazards, disruptions, and exposures) [2].
  5. Avoid creating “high-value targets” and “single points of failure.”

Bottom line: Vulnerabilities are “assumed” to be present in complex systems and those systems must be “engineered” to assure system function.

To avoid overloading the process and to prioritize the workload, organizations should consider conducting a criticality analysis to “triage” their systems. Focus on those systems that are the most critical first—where the loss of assets from a cyber-attack could be expected to have a severe or catastrophic adverse effect on the organization’s missions or business operations. Next, focus on the systems that are of lesser criticality—where the loss of assets could be expected to have a serious (but not severe or catastrophic) adverse effect on the organization’s missions or business operations. And finally, focus on the remaining systems where the loss of assets could be expected to have a limited or minimal adverse effect on the organization.
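As an added illustration of the action plan and the criticality triage above (example code written for this page, not from the article or the DSB report): each mission carries the adverse-effect tier it would cause if lost, systems inherit the worst tier of the missions that depend on them, and systems with no redundant alternative, or shared by several missions, are flagged as the single points of failure and high-value targets the plan says to avoid. The missions, system names and tiers are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass
from enum import IntEnum
# Adverse-effect tiers from the triage paragraph; higher value is handled first.
class Impact(IntEnum):
    LIMITED = 1   # limited or minimal adverse effect
    SERIOUS = 2   # serious, but not severe or catastrophic
    SEVERE = 3    # severe or catastrophic

@dataclass(frozen=True)
class Mission:
    name: str
    loss_impact: Impact  # adverse effect on the organization if the mission is lost
    needs: tuple  # groups of redundant systems; the mission stops when a whole group is lost

def dependents(missions):
    """Map each system to the missions that rely on it in any dependency group."""
    out = defaultdict(list)
    for m in missions:
        for group in m.needs:
            for system in group:
                out[system].append(m)
    return out

def criticality(missions):
    """A system inherits the worst loss impact of any mission that depends on it."""
    return {s: max(m.loss_impact for m in ms) for s, ms in dependents(missions).items()}

def single_points_of_failure(missions, at_least=Impact.SEVERE):
    """Systems with no redundant alternative for a mission at or above the given tier."""
    spof = set()
    for m in missions:
        if m.loss_impact >= at_least:
            spof.update(s for g in m.needs if len(g) == 1 for s in g)
    return sorted(spof)

def high_value_targets(missions, min_missions=2):
    """Shared systems whose loss would cascade into several missions at once."""
    return sorted(s for s, ms in dependents(missions).items() if len(ms) >= min_missions)

def triage_order(missions):
    """Most critical first; ties broken by how many missions depend on the system."""
    crit, deps = criticality(missions), dependents(missions)
    return sorted(crit, key=lambda s: (-crit[s], -len(deps[s]), s))

# Constructed sample inventory for illustration, not data from the article.
MISSIONS = (
    Mission("power generation", Impact.SEVERE, (frozenset({"scada-hmi"}),
            frozenset({"historian-a", "historian-b"}), frozenset({"ad-domain"}))),
    Mission("customer billing", Impact.SERIOUS, (frozenset({"erp"}), frozenset({"ad-domain"}))),
    Mission("cafeteria menu site", Impact.LIMITED, (frozenset({"web-kiosk"}), frozenset({"ad-domain"}))),
)
```

In the sample, the shared directory service comes out first in the triage order because every mission depends on it without redundancy, which is exactly the "high-value target" and "single point of failure" pattern the action plan warns against.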

So, what is the overarching message to be conveyed?

Today’s systems are too large and too complex to fully understand. The lack of understanding means that it is difficult to trust systems that have not demonstrated their “trustworthiness.” Shatter the “cybersecurity glass ceiling.” Build systems on strong foundations that are guided and informed by principled assured engineering. For critical systems and system components, smaller and simpler is better. Least functionality. Least privilege. Secure by design.

“Everything should be made as simple as possible - but not simpler.” -- Albert Einstein (the first actual systems security engineer)

[1] R. Ross, “The Need for Systems Thinking in Cybersecurity,” ISMG CyberEd.io interview.

[2] R. Ross, J. Oren, M. McEvilley, NIST SP 800-160, Volume 1, “Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems.”

A special note of thanks to Mark Winstead, long-time cybersecurity and SSE colleague, who graciously reviewed and provided sage advice for this article.

Daniel Krawczyk

M.S. Comp Science, BSEE, / Cyber Security, CISSP, RMF, GSLC, CCNA, ICS410, PML3, SE L3, IAM L3, CNSS 4011-4016

3y

You are so correct, but they do not listen to us. The truth is, as cyber SMEs, our degrees in computer science give the engineering perspective also, not just cyber.

Marcus H. Sachs, P.E.

SVP and Chief Engineer, Center for Internet Security | Cyber-Informed Engineer | Board Director

3y

Cyber Informed Engineering FTW!

We've known for some decades how to construct secure but complex systems using deliberate layering, information hiding, and established engineering and scientific principles realized in reference monitor designs. Reference monitors encompass all the "goodness" of isolation and separation devoutly desired by devotees of hypervisors and supervisor architectures - but Reference Monitors ALSO include scientific application of thoroughly analyzed and completely understood access controls (Mandatory, or non-discretionary, Access Controls) that permit composition of complex systems based on the global security enforcement provided by the Reference Monitor. Designing and engineering reference monitors, including the analysis of the security policies they enforce for secrecy and integrity, IS rocket science. Using them to compose secure systems is no more rocket science than constructing a 3-story house out of brick and mortar. Composition is possible and straightforward when you can rely on the security properties of the underlying system to remain true and consistent, even in the face of a nation-state adversary's attempts to introduce flaws and weaknesses. To attain this level of confidence requires devotion to assurance measures and techniques too often discarded. Apply the assurance techniques to the lowest layer - a reference monitor that leverages the electrical and physical properties of the hardware, combined with vetted and assured firmware that initializes the hardware and devices that need to be trusted, and that provides a small, thoroughly vetted and trusted security kernel that can protect itself from subversion when combined with the life-cycle design, development, delivery, update and disposal procedures that make up Trusted Distribution. AT LEAST critical infrastructure systems need such devotion and protection.
What remains is for risk managers and their organizations to rediscover how reference monitors can deliver security, scalability (through composition) and functionality (also through composition). #TCSEC documented one approach. Is there another?

Pons Mudivai Arun

* Demystifying Identity Security | Passionate for Cognitive Science *

3y

Well said, Ron Ross. Complexities indirectly create an exploit opportunity for the adversaries, as the system owner might not have visibility into the entire attack surface and often looks at each attack vector in a silo.
