THANK YOU FOR SUBSCRIBING
Gov CIO Outlook Weekly Brief
Be first to read the latest tech news, Industry Leader's Insights, and CIO interviews of medium and large enterprises exclusively from Gov CIO Outlook
Ollie Gagnon, Chief Strategist, Infrastructure Assurance and Analysis at Idaho National LaboratoryOperational risk captures “the uncertainties and hazards a company faces when it attempts to do its day-to-day activities,” results from “breakdowns in internal procedures, people, and systems,” and focuses on “how things are accomplished within an organization.” At a basic level, the operational risk to any public or private sector entity can be determined by analyzing the consequences, vulnerabilities, and threats within its procedures, workforce, and systems. Consequences is listed first for a reason. Before an organization can consider vulnerabilities within and threats to its operations, it must first have a solid understanding of the consequences existing inside its infrastructure landscape. If an asset is not consequential, then why would an organization spend often limited resources on protecting it by examining and addressing vulnerabilities, and considering threats?
The endeavor of tackling risk-informing pursuits focused on consequences is hard. Conducting in-depth dependency analysis and accounting for the rise in cyber-physical convergence has proven elusive for even the most well-resourced and internally connected operation. This is because organizational infrastructure landscapes are like fingerprints. No two are the same. This is also true for organizations that are part of the same critical infrastructure (CI) Sector, Sub-sector, and Segment. For example, members of the Government Sector, Personnel-Orientated Government Facility sub-sector, and Building or Structure (Agency Headquarters) segment on the surface may appear to have the same risks. However, there are differences in physical environment, suppliers, geographic footprint, organizational structure, workforce size and skill, and utility services among other things. No two entities within a single element of the greater 16 CI-sector taxonomy are exactly alike when it comes to risk.
While this may seem like a manageable endeavor for an organization to tackle, risk-informing pursuits such as in-depth dependency analysis and accounting for the rise in cyber-physical convergence have proven to be elusive for even the most well-resourced and internally connected operation. So where can an entity focus their efforts to gain a foundational understanding of the infrastructure environment to better understand risk with a focus on Consequence? This can be advanced through identification, binning, and prioritizing the infrastructure environment. Binning is where components are grouped together based on their similar category. The approach starts with documentation and binning both the cyber and physical components.
Documenting and Binning Cyber and Physical Components
The process of understanding an infrastructure landscape starts with bringing internal and external stakeholders and subject matter experts together to identify Information Technology (IT) and Operational Technology (OT) components, both cyber and physical. The National Institute of Standards and Technology (NIST) offers definitions of both IT and OT. IT is “any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the executive agency.” OT is “programmable systems or devices that interact with the physical environment (or manage devices that interact with the physical environment).” Some examples include building automation systems, physical access control systems, and fire control systems. Once placed in similar categories, or binning, then determining how these components are connected is the next phase.
“If the organization has the right people (internal/external) identified either by name or position to include alternates as part of that soft or hard copy then you are an infrastructure landscape unicorn.”
Analyzing Dependencies
Once IT and OT components are identified and binned, the next step is to analyze the dependencies associated with these components, with a particular focus on those that involve core mission operations/processes and those that provide critical support such as utilities and safety/security. Both cyber and physical dependencies (internal/external) should be identified. The Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) provides distinct definitions of dependencies. Cyber dependencies are those that “rely on information and data produced or managed by others.” This reliance not only includes reliance outside the organization but also within the organization. A cyber dependency example would be an internet service provider (external) as opposed to enterprise system (internal) supporting physical protection systems or building climate control system. Physical dependencies are where “operations rely on other infrastructure and supply chains to provide services and/or commodities as an input.”Again, the focus should also include reliance on internal elements. A physical dependency example would be commercial power (external) versus on site generator (internal) providing back up power providing full-load, partial, or life-safety support. As dependencies are identified, it is also important to identify points of IT/OT convergence.
Identifying Points of Convergence
In the simplest form, IT/OT convergence is the connection between two systems in some degree to drive efficiency, productivity, innovation, or some other entity-defined value. In the same context when describing how CI entities on the surface can seem very similar, IT/OT convergence at the entity level may seem similar for like CI environments but is also as unique as a fingerprint. Just as IT and OT systems can vary in their individual degree of complexity, the level of convergence can also be equally complicated. For the identification, binning, and dependencies mapping approach described here, it is important to recognize the points of convergence within systems and the degree of convergence, or how interrelated the systems are. Points of convergence are essential in defining potential consequences and ultimately informing operational risk. This is not only relevant to the current state of convergence within the organization’s core operational processes, but also in understanding where IT/OT convergence is going in the future within the organization’s CI Sector, Subsector, and Segment, and inside the individual organization’s operational environment. Understanding operational risks is also being informed through advances in technology; this growth, to include the level of adaption, also needs to be considered as part of the binning and dependency mapping approach.
Technology Advancements and Adaption
The explosive growth of the Internet of Things (IoT) and Industrial Internet of Things (IIoT), including potential attack surfaces, pose different challenges for each individual organization depending on their unique infrastructure landscape supporting core mission operations. This is further complicated by the evolution of wireless technology such as 5G over the next several years and eventually 6G in the future. As DHS CISA noted in July 2019, while the integration of 5G technology will bring significant benefits to CI stakeholders, there are potential vulnerabilities in the 5G Network in the areas of supply chain, network security, loss of competition and choice, and deployment. As each organization considers where they stand in understanding the infrastructure landscape described here, the potential consequences posed by identified points of convergence as part of risk will certainly be influenced by all these technology advancements and adaption factors now and foreseeable future. So how does an organization assess where they are at in relation to the binning and dependency mapping approach?
Assembling a Core Critical Operations Risk Team
The quickest litmus test to gauge how evolved your operation is on understanding the infrastructure landscape is for the organization to bring together the core team focused on critical operations. Once assembled, ask the team to list three critical systems, including their priorities, cyber and physical dependencies (internal/external), degree of IT/OT convergence, key stakeholders (internal/external), and incident response plans. If the response from the team is blank stares or requests for follow up, all the right people may not be in the room. If the right people are in the room and partial and conflicting responses on everything from priorities to expected incident consequences is the feedback, then spending some time on the infrastructure landscape to include binning and dependency (internal/external) mapping may be in order.
Public and private sector experience with conducting infrastructure assessments across the 16 CI sectors reveals that most entities know all the components to be binned, how they are connected, their complexities, and their potential consequences. The issue tends to be that the knowledge is fractured into operational silos within the entity and/or that all the right people needed to contribute to understanding the infrastructure landscape are not part of the process. In the binning and dependency mapping approach, the Facility Engineer/Maintenance and Security Manager have as much to contribute to understanding the cyber and physical infrastructure landscape as the Operations Manager/Director and Chief Information Officer. The people (internal/external) involved in directing, operating, maintaining, and supporting the cyber and physical infrastructure landscape are essential to understanding and ultimately enhancing security and resilience. Single Points of Failure (SPOF), sometimes referred to as critical nodes or Significant Areas/Assets (SAAs), within systems are an important consideration when assessing infrastructure. What is not equally recognized is people are often the SPOF from a process and operations knowledge perspective. The approach described here relies on the organization workforce, external suppliers, and other process stakeholders to be effective.
Final Thoughts
If an organization today can point to the soft or hard copy of the cyber and physical systems to include the dependency mapping, well-done! They are most likely at the very top of their CI Sector, Subsector, and Segment in understanding the first consideration of risk, Consequence. If the organization has the right people (internal/external) identified either by name or position to include alternates as part of that soft or hard copy then you are an infrastructure landscape unicorn. Unfortunately, there are very few unicorns out there! Experience has shown this is not easy stuff to accomplish or resource light, but the binning and dependencies mapping process outlined here is a simplified way to gain foundational understanding on prioritizing, addressing risks, future planning, and enhancing your incident response efforts. At the very least the collective team will be in sync in the pursuit to understand operational risk. Who knows, improved team dynamics may be an added benefit along the way!
Read Also
