Abstract
Cyber resilience is an active research area offering a novel approach to Cyber Security. The term appeared due to the concerning number of cyber-attacks on critical infrastructure. The National Institute of Standards and Technology (NIST) developed a framework to assist organisations with techniques and approaches to improving cyber resilience. However, there are a sparsity of case studies that speak to the adoption or measurement of these novel approaches within a complex industrial control environment. This paper presents a case study analysis of a manufacturing plant assessment drawing on key themes from the NIST literature. The paper presents how well NIST constructs can be adopted to find cyber-resilient enhancement opportunities and to decide if an evaluation of the results could supply a quantitative baseline measure of an organisation’s overall resilience. Conclusions drawn show that although the framework did partially aid with the analysis process, the frameworks ease of adoption assume an organisation has a conventional cyber security foundation; NIST should make this clear within their guidance. Furthermore, the accompanying evaluation process was not sufficient to quantitatively measure the overall cyber resilience maturity for this case study.
This is a preview of subscription content, log in via an institution to check access.
Similar content being viewed by others
References
Björk F, Henkel M, Stirna J, Zdravkovic J (2015) Cyber resilience—fundamentals for a definition. In: Rocha A, Correia A, Costanzo S, Reis L (eds) New contributions in information systems and technologies. Advances in intelligent systems and computing. Springer International Publishing, Cham, pp 3–4
Bodeau D, Graubart R, Heinbockel W, Laderman E (2015) Cyber resiliency engineering aid—the updated cyber resiliency engineering framework and guidance on applying cyber resiliency techniques. Mitre Corporation, Bedford, MA
Carías JF, Arrizabalaga S, Labaka L, Hernantes J (2021) Cyber resilience self-assessment tool (CR-SAT) for SMEs. IEEE Access 9(1):80741–80762
Cherdantsevaa Y et al (2016) A review of cyber security risk assessment methods for SCADA systems. Comput Secur 56(1):1–27
Groenendal J, Helsloot I (2021) Cyber resilience during the COVID-19 pandemic crisis: a case study. J Conting Crisis Manag 29(4):439–444
Haque MA, Teyou GKD, Shetty S, Krishnappa B (2018) Cyber resilience framework for industrial control systems: concepts, metrics, and insights. IEEE, Miami, pp 25–30
Johnson C (2016) Why we cannot (yet) ensure the cyber-security of safety-critical systems. Safety-Critical Systems Club, Brighton, pp 171–182
Kott A, Linkov I (2019) Cyber resilience of systems and networks, 1st edn. Springer, Cham
Kott A, Linkov I (2021) To improve cyber resilience, Measure it. Computer 54(2):80–85
Leversage DJ, Byres EJ (2008) Estimating a system’s mean time-to-compromise. IEEE Secur Priv 1(1):52–60
Linkov I, Kott A (2018) Fundamental concepts of cyber resilience: introduction and overview. In: Linkov I, Kott A (eds) Cyber resilience of systems and networks. Springer, Cham, pp 1–25
Linkov I et al (2013) Resilience metrics for cyber systems. Environ Syst Decis 33(1):471–476
Linkov I et al (2014) Changing the resilience paradigm. Nat Clim Chang 4(1):407–409
Maglaras LA et al (2018) Cyber security of critical infrastructures. ICT Express 4(1):42–45
Mitre Corp. (2012) Cyber resiliency metrics, measures of effectiveness, and scoring. Mitre Corporation, Bedford, MA
MITRE, 2017. Attack matrix for enterprise. [Online] Available at: https://attack.mitre.org [Accessed 15th Jan 2021].
National Institute of Standards and Technology (2012) Guide for conducting risk assessments. NIST SP 800–30 Rev, 1st edn. U.S. Department of Commerce, Washington, D.C.
National Institute of Standards and Technology (2013) Security and privacy controls for federal information systems and organizations NIST SP 800–53. U.S. Department of Commerce, Washington, D.C.
National Institute of Standards and Technology (2014) Framework for improving critical infrastructure cybersecurity (Version 1.0). U.S. Department of Commerce, Washington, D.C.
National Institute of Standards and Technology (2018) Framework for improving critical infrastructure cybersecurity (Version 11). U.S. Department of Commerce, Washington, D.C.
National Institute of Standards and Technology (2021) Developing cyber resilient systems: a systems security engineering approach. NIST SP 800–160. U.S. Department of Commerce, Washington, D.C.
Office of Cybersecurity, Energy Security, and Emergency Response, 2012. Cybersecurity capability maturity model (C2M2). [Online] Available at: https://www.energy.gov/ceser/cybersecurity-capability-maturity-model-c2m2 [Accessed 1 June 2021].
Reeder JR and Hall T (2021) Cybersecurity’s pearl harbor moment: lessons learned from the colonial pipeline ransomware attack. The Cyber Defence Review, 1 August, pp. 15–39
Simonovich L (2020) Thriving in a digitized environment. [Online] Available at: https://www.securitymagazine.com/articles/93849-leo-simonovich-thriving-in-a-digitized-environment [Accessed 1 October 2021]
Singh R, Hutton ST, Donahoo MJ, Sicker D (2021) Toward grading cybersecurity & resilience posture for cyber physical systems. Elsevier, McKinney
Williams T (1992) The Purdue enterprise reference architecture, a technical guide for CIM planning and implementation I, 1st edn. Instrument Society of America, Research Triangle
Acknowledgements
The authors acknowledge the support of the Knowledge Economy Skills Scholarships (KESS) and Thales Ltd. KESS is a pan-Wales higher-level skills initiative led by Bangor University on behalf of the HE sectors in Wales. It is part funded by the Welsh Government’s European Social Fund (ESF) convergence programme for West Wales and the Valleys.
Funding
This work was supported by KESS in collaboration with Thales Ltd. (Grant Number 21439).
Author information
Authors and Affiliations
Contributions
Conceptualization: KP and IW; Methodology: KP and IW; Formal analysis and investigation: KP; Writing and preparation of original draft: KP; Writing, reviewing, and editing of the manuscript: IW; Project/funding facilitator: IW; Supervision: IW.
Corresponding author
Ethics declarations
Conflict of interest
The authors have no financial or proprietary interests in any material discussed in this article.
Rights and permissions
Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.
About this article
Cite this article
Perrett, K., Wilson, I.D. A cyber resilience analysis case study of an industrial operational technology environment. Environ Syst Decis 43, 178–190 (2023). https://doi.org/10.1007/s10669-023-09895-1
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s10669-023-09895-1