This weekend I ran across an interesting blog about cybersecurity that has made me pause and re-think some things. Mainly it has reminded me of the classic story about a number of blind men examining an elephant, each describing the animal solely based upon the one body part that they touched. Just maybe we have been looking at cybersecurity that way.
Russell Thomas has taken a systems approach to looking at cybersecurity that brings a fresh perspective to the issue. I’m not talking about system in just the hardware/software sense; he blends in organizational and personnel concerns, as well as adding adversaries into his system. To give you an idea about how involved this analysis gets, here is his final system diagram representing the various interactions between what he calls the Ten Dimensions of Cyber Security Performance:
[Figure: Russell Thomas’ Ten Dimensions of Cyber Security Performance]
His blog post is a tad bit lengthy (I know, pot calling kettle black) but this is a complex subject. Actually, it is so complex that his post includes links to posts about specific details. For example, here are his 10 dimensions:
Optimize Exposure: attack surface and vulnerabilities, including assets, people, processes, & technologies
Effective Threat Intelligence: understanding the threat agents
Effective Design & Development: security & privacy by design
Effective External Engagement: responsibilities and risk drivers
Effective Learning & Agility: OODA at an organization level
Responsibility & Accountability: including governance and compliance
In some ways his discussions are a little on the academic side, but it is probably time that we started to include some academic rigor in our discussions of this complex topic. Besides, it is obvious that Russell [name corrected, 7-16-13 23:20 CDT] also has significant amounts of practical experience working with computer systems and people. So, every time that you start to think that this is some disconnected academic discussion, he’ll zing you with a real world example that makes eminent sense.
I’m still working on what changes I would make to take this out of the IT side of the house and bring it to the plant floor. I haven’t seen anything that I would take out, but I might want to add some touches specific to control systems.
I highly recommend that anyone connected with control system security should take a look at this blog post. Thinking about how we can tie the entire enterprise into this cybersecurity thing just makes so much sense that it is about time we start to think about how our individual parts fit into the system in which we work. This is an interesting first step.
2 comments:
Thanks for the review and feedback.
One slight correction: You have my name as "Robert" in several places in this post. It should be "Russell".
Mea Culpa. I have made the appropriate correction. My apologies.