Cyber Resilience by design is much more than cyber security by design
Despite US$100B annual investments in cyber security, the investments are failing and costs are unsustainable. Cyber security by design is a proactive approach focusing on the prevention of cybercrime. The UK’s NCSC provides 5 principles for being cyber secure by design:
- Establish the context before designing a system
- Make compromise difficult
- Make disruption difficult
- Make compromise detection easier
- Reduce the impact of compromise
Cyber resilience, on the other hand, refers to an entity's ability to deliver the intended outcome on a continuous basis despite adverse cyber events. It is not just about managing cyber security risks to ensure continuity of services; it is also about doing so in an agile manner to anticipate the dynamically changing risk landscape. Resilience by design is the intentional design to protect from possible vulnerabilities, to reduce the risks from possible threats, to recover quickly from an attack, and to continue the business services while limiting the impact of a successful attack. This requires a cultural shift across all layers to adopt security and resilience best practices into daily operations.
Cyber Resilience of smart services
Advanced technologies, wider use of digital connectivity, increasing population, rapid urbanization, innovation, natural disasters and the use of internet-of-everything are not just redesigning the service offerings but also changing the way we consume these services. An example is the shift from office to home working due to Covid-19. The planned installation of digital infrastructure by smart city authorities focuses on building cyber-physical environments that connect a single environmental unit to multiple components of a city. A Europol report describes how the increasingly connected services and adaptation by criminals during Covid-19 point to the changing criminal landscape and possible emerging threats. These threats do not have a historical precedent, making it tougher to be prepared.
The impact of a cyber-attack is naturally much higher for a static service compared to a dynamic service. For example, a static service such as smart garbage collection can be associated with predictable cyber risks of data manipulation and theft, whereas a cyber-attack on a smart transport service can cause harm to human life and result in a national security issue. Additionally, a cyber-attack on one automated vehicle can have localised impacts, but a cyber-attack on fleets of automated vehicles can cause large-scale global incidents, particularly when focussed on specific global manufacturers. Control centres such as traffic management centres tend to have legacy equipment, which makes achieving operational resilience a challenge.
There is a lack of a common approach and of expertise to implement standards and guidelines for cyber resilience of connected services. The operators and consumers of a service need to understand its cyber resilience capability and the associated risks/liabilities. Another key issue is accountability. There is no CEO of a smart city. Hence, to be able to investigate an incident and ascertain liabilities with legally admissible evidence, the cyber-resilient service design needs to include digital forensics by design. An agile, adaptable and forward-looking cyber resilience by design strategy going hand-in-hand with smart city developments is clearly the need of the hour.
Service Resilience Capability Assessment
Our research team at University College London is working on a Service Resilience Capability Assessment software tool (SR-CAT) that embeds a risk-based assurance framework mapped to NCSC, NIST, DCMS, BSI and ENISA security guidelines. SR-CAT aims to help a) procure and claim resilient urban IoT services and b) assure operational/liability risks. SR-CAT can reduce effort, cost and complexity in applying changing standards to protect investments in smart city transformations. We welcome collaborations from the industry.
Accenture Report 2020: https://www.accenture.com/gb-en/insights/security/invest-cyber-resilience