International cyberresilience frameworks for critical infrastructures
Digitalization and hyperconnectivity in the industrial sphere have driven the revolution known as Industry 4.0, amplifying the innovation and economic development of Spanish industries. But this integration and development are exposed to cybersecurity risks and threats, which must be addressed in a coordinated manner in order to give effective responses that guarantee confidence in the services organizations offer to society, especially when those services are of an essential nature.
National cybersecurity strategies, standard models of cybersecurity and cyberresilience, and recognized measurement models oriented to the evaluation of cybersecurity and cyberresilience in organizations are vital instruments that help organizations evaluate, develop, and improve their strategies, methodologies, and procedures for protection against cyberthreats.
This article covers some of the most representative cybersecurity and cyberresilience frameworks currently available in Spain, Europe, the US and the UK, whose adoption can help organizations continue to improve their cybersecurity protection capabilities.
SPAIN - INCIBE: Model of Cyberresilience Improvement Indicators (CII)
The Cyberresilience Improvement Indicators (CII) model, created by INCIBE-CERT, is an instrument for diagnosing and measuring the capacity of organizations to withstand and overcome disasters and shocks from the digital sphere.
The CII model allows organizations to measure their ability to anticipate, resist, recover and evolve in the face of incidents that may affect the delivery of their services. The model defines 4 goals, which correspond to those four resilience capabilities, and 9 functional domains: cybersecurity policy; risk management; training; vulnerability management; continuous monitoring; incident management; continuity management; configuration and change management; and communication.
CII model cyberresilience goals
The CII model consists of three documents: the methodology, the dictionary of Indicators, and the form.
- The methodology contains the conceptual framework. Its objective is to help all stakeholders measure their cyberresilience capabilities and to give them a procedure for determining the degree of maturity of their cyberresilience controls. The model is intended to be used either as a survey that can be issued to organizations in any essential sector, or as a self-assessment tool with which those organizations evaluate their own cyberresilience capabilities.
- The indicator dictionary describes the metrics that support the CII model: the Cyberresilience Improvement Indicators (CII) for organizations and companies in industrial sectors and industrial critical infrastructures, covering both IT (Information Technology) and OT (Operational Technology) environments. Each indicator is evaluated on a six-level scale, L0 to L5, on which the organization identifies its current status for that indicator.
- The form is a template with which organizations can analyze their cyberresilience following the procedure described in the methodology.
The CII model, based among others on MITRE's cyberresilience indicators framework, selects 46 indicators to represent the different aspects of cyberresilience. These indicators are assessed according to maturity levels.
CII maturity levels, based on the Capability Maturity Model (CMM)
EU - ENISA: Resilience Metrics and Measurements: Technical Report
In February 2011, the European Network and Information Security Agency (ENISA) published a study on a measurement framework for the resilience of networks and services. Its objectives were to clarify the key concepts related to the resilience of networks and services, and to metrics and measurement frameworks in this context, and to present a set of reference practices for measuring the effectiveness of efforts related to the resilience of communications networks and services, based on existing analysis techniques, methods and measurement frameworks.
ENISA's approach to resilience metrics is based on a two-dimensional taxonomy:
- Time dimension of the security incident, which can be in one of the following phases:
  - Preparedness: metrics in this phase measure how well systems and services are prepared to deal with security incidents.
  - Service delivery: metrics in this phase measure the difference in service level before, during, and after the incident.
  - Recovery: metrics in this phase measure how quickly a service or network can recover from the incident.
- Reliability dimension, which includes:
  - Trust, or the property of a system that guarantees the service it offers. It typically includes measures of availability (the ability to use a system or service) and reliability (continuous operation of a system or service), as well as integrity and maintainability.
  - Security, or the property of a system of being protected from unauthorized access or change. It includes aspects such as authenticity, confidentiality, and non-repudiation.
  - Operability, or the property of a system of delivering the performance required by the service specification, as described in the QoS (Quality of Service) requirements.
ENISA’s approach to resilience metrics
In addition, ENISA proposes a template for defining resilience metrics, a form that contains the following fields:
ENISA metrics definition form model
USA - NIST: Framework for Improving Critical Infrastructure Cybersecurity
The framework proposed by the National Institute of Standards and Technology (NIST) of the USA to improve the cybersecurity of critical infrastructures was first published in 2014. The most recent version is v1.1, which dates from 2018. The Framework for Improving Critical Infrastructure Cybersecurity provides a common language for understanding, managing, and expressing cybersecurity risk to the internal and external stakeholders of a critical infrastructure. It can be used to help identify and prioritize actions to reduce cybersecurity risk, and it is a tool for aligning policy, business, and technology approaches to managing that risk. It can be applied to manage cybersecurity risk across organizations, or it can focus on the delivery of critical services within a single organization. Different types of entities, including industry coordination structures, associations, and organizations, may use the framework for different purposes, including the creation of common profiles.
The framework consists of 5 basic cybersecurity functions, which are divided into 23 categories and 108 subcategories. It can also be used to compare an organization's current cybersecurity activities with those described in the core of the framework. By creating a current profile, organizations can examine the extent to which they are achieving the outcomes described in the categories and subcategories, aligned with the five high-level functions: identify, protect, detect, respond, and recover.
Structure of the NIST resilience measurement framework
In turn, each category is composed of subcategories, each with references (equivalences) to other cybersecurity frameworks and standards.
Excerpt from the ‘identify’ tab of the NIST resilience measurement framework
United Kingdom - NCSC: Cyber Assessment Framework 3.0
The Cyber Assessment Framework (CAF) was originally part of the National Cyber Security Centre's (NCSC) support for the UK's implementation of the EU NIS Directive in 2018. Today, the UK's main operators of essential services use the CAF to improve their cybersecurity. The CAF provides a systematic and comprehensive approach to assessing the extent to which the responsible organization correctly manages the cybersecurity risks to its essential functions. It is intended to be used by the responsible organization itself (self-assessment) or by an independent external body, possibly a regulator or a suitably qualified organization acting on behalf of a regulator.
The NCSC's cybersecurity and resilience principles provide the foundation for the CAF. The 14 principles, classified under the 4 objectives of the NIS Directive, are written in terms of outcomes: they specify what should be achieved rather than providing a checklist of what should be done.
Classification of CAF objectives and principles, finally adopted by the NIS directive
The CAF adds further levels of detail beneath the top-level principles, including a collection of structured sets of indicators of good practice (IGP). Applying the CAF results in 39 individual good-practice assessments, each of which can be likened to a control.
National cybersecurity agencies are increasingly working on initiatives that bring good cybersecurity practices closer to organizations and key operators; the frameworks presented here are an example. However, the onus remains on organizations, which must prepare to face serious threats that may affect the integrity of their data, information, applications, and infrastructure, minimizing exposure time and impact on the service, especially in the areas where their most valuable assets reside. Is your organization ready for the challenge?