The guest this week is Dr Ron Ross, Fellow at the National Institute of Standards and Technology. He currently leads the NIST System Security Engineering Project (SSE) The jumping off point for this episode are two of his special publications-

- SP 810-160 Volume 1 (updated Nov 22) , ‘Engineering Trustworthy Systems’ which describes a basis for establishing principles, concepts, activities & tasks for engineering trustworthy secure systems.

- SP 810-160 Volume 2 – ‘Developing Cyber-Resilient Systems: A Systems Security Engineering Approach’ which focuses on cyber resiliency engineering

Key quotes:
"We live and die by information technology, whether that's a classic I.T. system, whether it's an operational technology like a power plant, SCADA system, part of the power grid, whether it's an I.O.T. device. The common denominator on all of these systems is that they're driven by software and firmware, and a lot of that code is not as trustworthy as it needs to be. So given that that's the deck that we've been dealt, how do we deal with that on a day-to-day basis? And that was really the driving force behind the two volumes of 800-160."

"The more information you have about the susceptibility of your system to these specific threats or vulnerabilities, and you can take those off the table, then that's always a good thing to do. Things like cyber-hygiene, I call it the basic blocking and tackling. And you know, if you can take 80% of the attacks off the table, you don't ever stop the attacks but that then still leaves the other 20%, and that's where cyber resiliency has to step up. But definitely with AI and machine learning our ability to understand threats and what they can do and how we can stop them is going to increase by orders of magnitude. But in complex systems, even that order of magnitude improvement is never going to be enough. And that leads us to the rest of our discussion today."

"We've kind of come to the conclusion that sophisticated adversaries - I'm not talking about the ones that we can stop with cyber hygiene, the 80%, but I'm talking about the 10-20% on the upper end - what happens when they get through your initial lines of defences, which are characterized by penetration resistance? Well now the bad guys are inside the house. Well, what if they came in the front door and then every room in your house there was a vault or a safe? That would be analogous to a security domain for each room in your house. And if you have the ability to add whatever safeguards and countermeasures you think are needed for that particular domain, assuming some of your valuables are more important than others, then you can tailor those controls and those safeguards to the specific criticality of the data or the valuables that you would like to and we're seeing those kinds of approaches now."

"It's not just about one aspect or one safeguard or one strategy. This is a multi-dimensional strategy with lots of different moving parts that are discussed in our cyber resiliency guideline, and are actually executed in a good engineering process that gives consumers a lot better hope of being able to operate those systems under attack and having a system that they have a confidence that they can recover and restore that system, even if it's in a degraded, debilitated state, they can get back to some sense of normal operations and not have the entire business or mission go under. "

Follow or subscribe to the show on your preferred podcast platform.
Share the show with others in the cybersecurity world.
Get in touch via reimaginingcyber@gmail.com