This weekend I ran across an interesting blog about cybersecurity that has made me pause and re-think some things. Mainly it has reminded me of the classic story about a number of blind men examining an elephant; each describing the animal solely based upon the one body part that they touched. Just maybe we have been looking at cybersecurity that way.
Russell Thomas has taken a systems approach to cybersecurity that brings a fresh perspective to the issue. I’m not talking about systems in just the hardware/software sense; he blends in organizational and personnel concerns and adds the adversaries themselves into his system. To give you an idea of how involved this analysis gets, here is his final system diagram representing the various interactions between what he calls the Ten Dimensions of Cyber Security Performance.
Russell Thomas’ Ten Dimensions of Cyber Security Performance
His blog post is a tad lengthy (I know, pot calling the kettle black), but this is a complex subject. Actually, it is so complex that his post includes links to separate posts about specific details. For example, here are his 10 dimensions:
Optimize Exposure: attack surface and vulnerabilities, including assets, people, processes, & technologies
Effective Threat Intelligence: understanding the threat agents
Effective Design & Development: security & privacy by design
Effective External Engagement: responsibilities and risk drivers
Effective Learning & Agility: OODA at an organization level
Responsibility & Accountability: including governance and compliance
In some ways his discussions are a little on the academic side, but it is probably time that we started to include some academic rigor in our discussions of this complex topic. Besides, it is obvious that Russell [name corrected, 7-16-13 23:20 CDT] also has significant practical experience working with computer systems and people. So, every time you start to think that this is some disconnected academic discussion, he’ll zing you with a real-world example that makes eminent sense.
I’m still working on what changes I would make to take this out of the IT side of the house and bring it to the plant floor. I haven’t seen anything that I would take out, but I might want to add some touches specific to control systems.
I highly recommend that anyone connected with control system security take a look at this blog post. Tying the entire enterprise into the cybersecurity effort makes so much sense that it is about time we started thinking about how our individual parts fit into the larger system in which we work. This is an interesting first step.