Systemic Cyber Risk Reduction

In today's system of systems world, cybersecurity can no longer be treated as a "too-hard-to-measure" problem. For the nation's critical infrastructure, underpinned by a dependent web of hardware, software, services, and other connected componentry, the consequences of a cyber incident in this community possibly impacting National Critical Functions is very real. Reducing cyber risk is imperative for the national security and economic resilience. 

Working with government and industry partners, CISA's National Risk Management Center is adding analytic rigor to the ability for organizations to quantify cyber risk impact for cybersecurity measures they have in place in order to develop actionable metrics, and use this information to reduce shared risk to the Nation's security and economic security.

Overview

The convergence of information technology (IT) and operational technology (OT) platforms have brought about a digital transformation, allowing organizations to improve operations by increasingly linking operations and infrastructure to digital architecture. Real-time insights, game-changing efficiencies, better customer service are a few benefits. However, with the hyper-connected environment of IT and OT and its usage becoming more complex, especially with the advent of 5G and Internet of Things, so are the prevalence of cyber risks.

Recent events such as the SolarWinds Orion cyber campaign, ransomware impacting schools, or data exfiltration compromising Americans' sensitive information emphasize the cascading impact of cyber risks on our daily lives and to National Critical Functions. Cyber risks cannot be managed in silos, fragmented among specific individuals or departments (e.g., IT department, finance team, legal, etc.) responsible for a piece of an organization's risks with little or no in-between interaction. By leveraging data from entities within and outside their circle, organizations can fully realize the possible extent of their vulnerabilities (if exploited), such as to other sectors or industries; identify clusters of common vulnerabilities and drivers of risk; and evaluate investments in cyber controls to holistically and collectively manage these risks.

Importance of Cyber Risk Data from Multiple Sources

For the nation's critical infrastructure - mainly owned and operated by the private sector - the consequences of a cyber incident can extend beyond the initially targeted organization to its larger ecosystem of vendors, supplies, and customers and ultimately impact national security and economic resilience. This is why information sharing is essential to furthering cybersecurity for the Nation. Data from multiple sources allows for a more holistic understanding of the crosscutting and shared risks that may have cascading impacts within and across organizations, sectors, and NCFs.

In a world when your risk can be my risk and vice versa, sharing data provides valuable insight into how cyber risk manifests itself in an interconnected world and the possible collateral damage it can do. This information can be used to identify, prioritize, and analyze where concentrated pockets of risks exists. Rather than simply having a list of security-related elements to check off, organizations can use this data to develop metrics that assess the effectiveness of security controls in place, conduct cost-benefit analysis to avoid a risk, and calculate the costs if it were to occur with more accuracy and reliability.

Through this data, we can also understand the relationship between threat, vulnerability, and consequence on critical functions with more precision than before.

CISA's Role in Reducing Systemic Cyber Risk

Simply put, what gets measured can be managed. CISA's goal to reduce systemic cyber risk is centered around finding concentrated sources of risk that, if mitigated, not only provide the organizations cost benefits for heightened risk management but also manage critical risks to the Nation's security and economic security. To achieve this, CISA has established three lines of effort: building the underlying architecture for cyber risk analysis to critical infrastructure, developing cyber risk metric, and promoting tools to address concentrated sources of cyber risk.

Build the Underlying Architecture for Cyber Risk Analysis to Critical Infrastructure

Technologies and software are constantly changing or being updated. As such, security measures must keep us. CISA will leverage the National Critical Function's (NCF) Risk Architecture - a dynamic engine that captures multiple data layers to understand how entities come together to produce critical functions, and what assets, systems, networks, and technologies underpin those functions. By having a granular understanding of the provisioning of an NCF will allow CISA to measure cyber risk at a national level in terms of functional consequence to critical infrastructure.

For example, "supply water" is an NCF composed of multiple sub-functions (e.g., Treat Contamination), entities (e.g., municipal water utility), assets (e.g., specific reservoir operated by the water utility), and enabling componentry (e.g., internet-connected valves at the reservoir), that interact and depend on one another for provisioning. The connectedness and dependencies of these elements means that a component-level vulnerability, such as an exploitable industrial control system flaw within the valve, can impact the entire NCF as well as other dependent NCFs.

The NCF Risk Architecture will capture all these data layers in a dynamic analytic tool that will allow us to answer questions such as: what is the likelihood that a cyber incident can degrade a system in such a way that a function cannot be delivered? And, if that function is down, what is the impact in terms of core priorities such as safety, security, and economic competitiveness? How do we ensure that cyber incidents cannot cause national security impacts?

Ultimately, this architecture will bring greater insight into potential cyber risk impacts across the critical infrastructure community and enable more targeted, prioritized, and strategic risk mitigation efforts.

Cyber Risk Metric Development

Organizations are constantly investing in security measures and some are attempting to quantify the cost benefit of certain security controls (e.g., Domain Name System Security Extensions (DNSSEC)). CISA will bring these stakeholders as well as others together to discuss how to use these existing efforts to connect the relationship between threat, vulnerabilities, and consequence on critical functions to develop metrics that quantify cyber risk in terms of functional loss with more precision than before.

• Threat: natural or man-made occurrence, individual, entity, or action that has or indicates the potential to harm life, information, operations, the environment, and/or (e.g., a DoS attack)
• Vulnerabilities: physical feature or operational attribute that renders an entity, asset, system, or network, open to exploitation or susceptible to a given hazard (e.g., a software flaw that lets hackers into a network)
• Consequence: effect of an event, incident, or occurrence (e.g., stolen data leading to damaged reputation and financial loss)

Promoting Tools to Address Concentrated Sources of Cyber Risk

Central to CISA's venture to reduce systemic cyber risk is finding concentrated sources of risk that, if mitigated, provide heightened risk management and cost benefits. In the critical infrastructure community (underpinned by a dependent web of hardware, software, services, and other connected componentry) cyber risk creates an opportunity for cascading or correlated impact to NCFs.

Additionally, cybersecurity threat actors are not constrained by geographic boundaries. For example, the ubiquity of coding flaws across connected systems can open up millions of IoT devices across numerous sectors and industries to remotely exploited.

Over the last two years, we've worked through a public-private Information and Communications Technology (ICT) Supply Chain Risk Management Task Force to identify supply chain threats, including those derived from software and develop guidance and tools to help ICT companies and their customers, including the Federal government, reduce risk from software supply chains.

CISA aims to transition our Task Force work for use across the critical infrastructure community in the year ahead, working closely with other federal partners who have been active in the software assurance and software bill of materials (SBOM) space. We'll explore other ways to reduce software risk as well, including development of innovative solutions we are funding from the National Laboratories.