UNDERSTANDING CYBER
RESILIENCE: PEOPLE,
PROCESS, TECHNOLOGY,
FACILITIES
CHRISTOPHE FOULON
ABOUT ME
I focus on helping to secure
people and process with a
solid understanding of the
technology involved. I have
10+ years as an experienced
Information Security Manager
and Cybersecurity Strategist
with a passion for customer
service, process improvement
and information security.
AGENDA:
UNDERSTANDING CYBER
RESILIENCE: PEOPLE, PROCESS,
TECHNOLOGY, FACILITIES
•Definition
•Important Concepts
•Cybersecurity vs Cyber resilience
•Frameworks aimed at achieving cyber
resilience
CYBER RESILIENCE - DEFINITION
“the ability to
continuously deliver
the intended outcome
despite adverse cyber
events” (Stockholm
University, 2018)
CYBER RESILIENCE - DEFINITION
“is the ability to anticipate, withstand,
recover from, and adapt to adverse
conditions, stresses, attacks, or
compromises on systems that use or
are enabled by cyber resources
regardless of the source” (NIST 800-
160v2 2018).
IMPORTANT
CONCEPTS
•It involves the close
collaboration of people,
processes, technology and
facilities to deliver true
resilience.
•The ability to continuously
deliver, intended outcome,
adverse cyber events
An outcome (service) cannot be
delivered without the below
components
•people to operate and monitor the service
•information and data to feed the process
and to be produced by the service
•technology to automate and support the
service
CYBERSECURITY VS CYBER
RESILIENCE
Cybersecurity focuses on
protecting information
systems through people,
processes or technologies to
reduce or minimize the
impact of cyber attacks.
CYBERSECURITY VS CYBER
RESILIENCE
Cyber Resilience focuses on
ensuring that there is a
combination of cyber security
and business resilience
processes to reduce or
minimize the impact on
services or systems and
ensuring that they continue to
CYBERSECURITY VS CYBER
RESILIENCE
•Or another way to describe it:
•Security Vs Security and keeping things
running!
THE ABILITY TO CONTINUOUSLY
DELIVER
To achieve this outcome
organizations/governments
must design systems in a
manner in which they are able
to “continuously change or
modify these delivery
mechanisms” (Stockholm
University, 2018) and…
THE ABILITY TO
CONTINUOUSLY
DELIVER
… can “withstand cyber-
attacks, faults, and
failures and continue to
operate even in a
degraded or debilitated
state” (NIST 800-160v2
2018).
THE ABILITY TO
CONTINUOUSLY
DELIVER
People:
•Do the people have the
needed skills to perform
their duties?
•Do you have sufficient
staff to deliver the
THE ABILITY TO CONTINUOUSLY
DELIVER
Process:
Are people trained to
use alternative systems
or processes or resort to
manual processes
should a technological
solution degrade or go
offline?
THE ABILITY TO
CONTINUOUSLY
DELIVER
Facilities:
Are there alternative
means of providing
power or connectivity if
those are lost or an
alternative site to deliver
services?
THE ABILITY TO CONTINUOUSLY
DELIVER
Technology:
•Is there load balancing
and/or auto-scaling of
services to cope with
demand changes or attacks?
•Is there the ability to switch
between systems which
provide the services which
INTENDED OUTCOME
To achieve this result,
the organizations/governments
must be able to
provide access to the
needed system or
service.
INTENDED OUTCOME
•Metrics that measure
availability of intended
outcomes tend to include
uptime measurements
expressed in 99.999%
availability.
•Other areas include
ensuring the integrity,
confidentiality or safety
of the systems or services
ADVERSE CYBER
EVENTS
The definition of
adverse cyber
events can include
both natural
disasters/disturbances
or human-caused
disasters/disturbances
ADVERSE CYBER
EVENTS
These events typically
affect the availability,
integrity,
confidentiality
(Stockholm University,
2018) or safety of the
system, service or
cyber resource (NIST
TECHNOLOGY:
Distributed Denial of
Service attack from a
botnet of infected
computers all
requesting cyber
resources from a
target victim's
website/websites
FACILITIES:
An earthquake
hitting the North
East Coast of the
USA causing damage
and loss of power to
data centers and the
building to which
the employees were
reporting.
Overall Example
•The Intended Outcome: To deliver Social Security
benefits to recipients
•Adverse Cyber event: Distributed Denial of Service
Attack on Social Security Website and resources
•Ability to continually deliver: Social Security delivery
utilizes Content Delivery Networks to cache the majority
of content, while using their security to segregate
out legitimate users needing additional access from
the Social Security website
FRAMEWORKS FOR ACHIEVING
CYBER RESILIENCE
We will discuss different frameworks geared at
assessing or increasing cyber resiliency with
different approaches.
•NIST SP 800-160 v2 (NIST 2018) - Systems
perspective
•DHS Cyber Resilience Framework (US-CERT
2018) – Operational readiness perspective
•MITRE Cyber Resiliency Engineering Framework
HOW THESE FRAMEWORKS HELP?
Why is there a cyber security framework
(CSF)?
•They help organize the various concepts
into meaningful patterns
•Provide an overview and guidelines for
implementation
CYBERSECURITY FRAMEWORK
HISTORY
•Presidential Executive Order 13636
(Archives.gov 2018) on 02/12/2013
directing the improvement of Critical Infrastructure
Cybersecurity
• Version 1.0 of the Framework was
released on 02/12/2014 and later
version 1.1 on 04/16/2018 (NIST 2018)
NIST SP 800-160 V2 (NIST 2018)
SYSTEMS SECURITY ENGINEERING CYBER
RESILIENCY CONSIDERATIONS FOR THE
ENGINEERING OF TRUSTWORTHY SECURE
SYSTEMS
•Focuses on the property of Cyber Resiliency
which exists at the intersection of security and
resilience (NIST 800-160v2 2018).
•Provides a definition of what cyber resilience is
and how to achieve it through frameworks for
implementing cyber resilience risk models,
solution frameworks and constructs (NIST 800-
160v2 2018).
FIGURE 1 RESILIENCY OUTLINE
(USACE 2016)
“Cyber resiliency
engineering practices
are the methods,
processes, modeling
and analytic
techniques used to
identify and analyze
proposed cyber
resiliency solutions”
(NIST 800-160v2
2018).
“Solutions include
combinations of
technologies, architectural
decisions, systems
engineering processes, and
operational policies,
processes, procedures, or
practices which solve
problems” (NIST 800-160v2
2018) while providing the
needed level of resiliency
FIGURE 2 CYBER RESILIENCE IN 7 STEPS
(MYMHASOLUTIONS.COM 2018)
DHS CYBER RESILIENCE REVIEW (CRR)
(US-CERT 2018)
•CRR assesses enterprise
programs and practices across a
range of ten domains including
risk management, incident
management, service continuity,
and others (US-CERT 2018).
•The CRR would be used in the
analysis of the current state and
what actions might be needed to
Figure 3 Mapping the CRR to the
Domains (CMU 2018)
MITRE CYBER RESILIENCY
ENGINEERING FRAMEWORK (MITRE
2018)
Cyber Resilience is at
the intersection of
resilience engineering,
cyber security, and
mission assurance
engineering (MITRE
2018)
Figure 4 Key Sources for the
Cyber Resiliency Engineering Framework (MITRE 2018)
Cyber resiliency
goals:
•Anticipate
•Withstand
•Recover
•Evolve
(MITRE 2018)
Figure 5 Cyber Resiliency Goals and Objectives
(MITRE 2018)
MITRE (MISSION FOCUSED) VS
NIST (SYSTEM
FOCUSED)
Figure 6 MITRE Cyber Resiliency as
part of Cybersecurity
(MITRE 2018)
Figure 7 NIST Cyber Security Framework
(Securityaffairs.co 2018)
WHEN YOU USE WHICH
FRAMEWORK?
NIST - Government Agencies and those
working with them, or those adopting a similar
standardized framework
WHEN YOU USE WHICH FRAMEWORK?
DHS CRR – designed for businesses to use to
help assess their resilience in the current
state and take the needed steps to mature
to their desired future state
WHEN YOU USE WHICH
FRAMEWORK?
MITRE – geared at system designers who
want to incorporate the MITRE approach on
resiliency, which is presented in a more
truncated fashion than the more extensive
NIST guidelines
QUESTIONS?


Editor's Notes

  • #5 The ability to continue business operations even during an adverse cyber event.
  • #6 anticipate, withstand, recover from, and adapt to changing conditions and deliver the intended outcome
  • #7 Making sure you understand your business before you can focus on cyber resilience.
  • #14 This is where the cyber skills gap comes into play.
  • #15 Think ransomware, DDoS, fiber cuts, etc.
  • #18 You need to understand what the intended state of business operations is, in order to know what you will need to deliver
  • #25 One reason that NIST SP800-160 v2 is only focused on the System Perspective is that it is a subset of a larger framework of NIST guidelines