Here are the 4 Topics We Cover in This Episode:
1) What is the Operational Resiliency Framework (ORF)?
The Operational Resiliency Framework (ORF) is a framework that is intended to be used by executives to ensure business continuity processes when their suppliers are knocked offline during natural disasters and cyber attacks.
2) Defining Minimum Viable Services
Step one, and the most important step, is defining a minimum level of service for all products and services. When disasters or cyber attacks occur, the minimum viable service will reveal the critical suppliers that need extra attention from a redundancy and monitoring perspective.
3) Resilience is Not Going to Stop a Cyber Attack
The ORF is not a compliance requirement nor will this framework stop a cyber attack. However, this framework is designed to help organizations respond when an attack has taken place and is ongoing. For example, if an attacker is already within the system, it’s important to keep valuable services running and ensure the suppliers that enable those critical services don’t go down. This framework goes beyond your perimeter to the suppliers and customers.
4) Satisfying a Chief Financial Officer’s Appetite for Security
While this is not a cyber security framework, technical controls and configurations on the suppliers' side are an important part of the process for keeping minimum viable services up and running.
GEORGE: If there’s some type of catastrophic event, maybe it’s a cyber event, maybe it’s a natural disaster, maybe it’s a manmade something, whatever the disaster is, we wanna be able to ensure that people can continue their services at the minimum level that they need in order to continue those services.
LANDON: Welcome to the award-winning “Cyber5” podcast. Here, we discuss the most relevant cyber and physical security challenges facing enterprise businesses today. I’m your host, Landon Winkelvoss, co-founder of NISOS, the Managed Intelligence Company.
George, welcome to the show. We are on episode 85 of “The Cyber5”. Would you mind sharing a little bit about your background for our listeners please?
GEORGE: Okay, well, I am the Chief Technologist at the Foundations for Defensive Democracy. It’s a, I’d say, a small think tank in the DC area that focuses on foreign policy and national security. Under the national security piece of that, I run the Transformative Cyber Innovation Lab. So I look for advances in cyber security, which is, I think, the best job I’ve ever had. ‘Cause I get to work on a whole wide spectrum of cyber issues, anywhere from information operations to quantum, to software development, and, topic of this show, resilience, which I’m very, very supportive of.
So, in cyber security, and I don’t wanna get into too many of the questions right now, but I try to focus on resilience of, yeah, systems and data versus security of it.
LANDON: So let’s get into that. We’re talking about the operational resiliency framework, which very much deals with supply chain issues. Kind of give an overview of what the operational resiliency framework is. I mean, I know we have a lot of frameworks, you know, within cybersecurity.
GEORGE: So, the operational framework is, the operational resilience framework, is not so much like a NIST cybersecurity framework. It’s not based on strictly cybersecurity which makes it a little bit different. It’s based on the resiliency of a, not just the organization, but then the organization’s customers as well.
So it extends to your upstream and downstream piece of this but more like an enhanced business continuity management plan that focuses on resilience. And I say that because when you look at your business continuity, it’s again, not just cyber.
They’re not just looking at your cybersecurity and what happens if a system goes down, but what are you doing in your organization? What is your backup sites? What are the plans for ensuring continuity of your organization, your business processes? The ORF is different in that it doesn’t just look at what your company’s doing but it looks at what the services and products you’re providing to your customers. And then what do they need to continue as well.
So, it actually came about through a series of different events. And I’ll just start with the Sony hack of 2014, which got people thinking. The Sony hack of 2014 was victim to a malware called Destover. Went through and deleted data from the different servers. So critical data that you needed to go through and conduct business. It was similar to the Saudi Aramco hack that happened a couple years before that, the Shamoon malware. So, once that happened, the financial district, the banking industry got together and thought, “Well, what happens if our data is gone? That’s not gonna be great for the banking industry. It’s not gonna be great for our customers. So, where do we move from there?” It got, what I said, it got people thinking. And you know, from that, there was a paper written in the UK discussing the need for resilience. And then out of that was the Sheltered Harbor NIST ship was born, which then allowed banks to store their data at a different place, it ensured customer confidence, it ensured data security.
But there were, I guess the ORF came from, you know, three individuals, you know, them getting together, talking about how Sheltered Harbor was a great start in resilience but it didn’t really meet all of the needs ’cause it didn’t extend beyond the organization and the individual customer’s data. So, Trey Maust, who’s the former CEO of Sheltered Harbor, Bill Nelson, the former CEO of the Financial Services Information Sharing and Analysis Center, and Mark Orsi, he’s the CEO of the Global Resilience Federation, GRF, they were discussing, “How do you ensure resilience?” GRF is an organization that focuses on resilience. They actually manage and run 17 different ISACs and ISAOs out there.
The information sharing analysis centers and sharing organizations that help organizations collaborate to work through issues, share hazards information, vulnerability information, threat information. They had gotten together and they said they needed a cross-sector approach to operational resilience. So from their discussion, the GRF then set up the Business Resilience Council in 2021 to start the initiative to develop an operational resilience framework for all sectors to go through and better understand what they needed in order to ensure that their customers were also going to be resilient. And that’s how the ORF was formed.
LANDON: That’s certainly very helpful. When I think of resilience, it changes organization to organization. There are no two networks that are the same, there are no two companies that are the same, right?
So if I’m thinking of, I’m an electric company, I have, you know, critical, I have, you know, NERC data that I have to ultimately comply with or, you know, regulations I have to comply with. And, of course, I have a corporate network that is mostly a Windows domain that is just for, you know the business folks, the marketing, sales, and you know, customer facing, you know, folks. And, of course, then I have an operational network which is, you know, an OT network and a production network that, you know let’s say runs on PLCs and Linux and those types of devices.
And of course they got a lot of devices connecting into that.
I guess where is the ORF supposed to differentiate between just like business to business that are ultimately just gonna be very different?
GEORGE: Well, there’s seven steps to the ORF. There’s seven rules. And the very first rule is to go through and implement industry recognized risk management information technology cybersecurity controls frameworks. So you’re doing your due diligence, due care. You’re doing what we’re supposed to be doing already.
The second step of this is understanding the outward facing role. Your customers that you have there, who are you interfacing with, what are their needs? And then once you’ve done that, once you’ve identified not just the internal pieces, but like I said, the external requirements that you have to support your customers, the third step is to identify their minimum viable services levels.
So, you know, as you were saying, there’s different organizations that do different things but they may not all require the same level of service from you in a time of an emergency. Even not a time emergency may require different levels of service, but then if there’s some type of catastrophic event, maybe it’s a cyber event, maybe it’s a natural disaster, maybe it’s a manmade something, whatever the disaster is, we wanna be able to ensure that people can continue their services at the minimum level that they need in order to continue those services.
So, as a part of the framework you, the organization, identify those customers, identify what those minimal levels of service are so that you can balance that in a time of emergency, and you can work your internal processes to support those external processes.
I’ll just say a simple example of that might be you have, you know, two customers. You’re providing water to a football stadium and you’re providing water to a hospital. So they’re both gonna require a lot of water, but then let’s just say there’s some type of emergency in town, disaster. Does the sports arena, the stadium, does it really need the water? Probably not. They’re gonna say, “If there’s some type of natural disaster, we’re not gonna be having games. We don’t need water.” And the hospital may end up requiring more water. So you’ve gotta be able to understand what those requirements are and then balance it, and then plan for that.
So, it’s not just ensuring that you have the prioritization of who they are, but then understanding how you’re going to get that service or product to them, how you’re, you know, backing up the information that you need and those, you know, configurations to the services and apps that are required to deliver those services, data, information, whatever the product may be. So it’s really understanding the ecosystem and where you fit, and how you can continue that level of required service and operations.
LANDON: Walk through, you know, the operational impact of how you think this is actually gonna be implemented. You know, I guess, I mean, compliance and frameworks do not equal security.
GEORGE: No, and it’s not a compliance. This isn’t a requirement that people have to go through and comply. This is a set of rules that have been developed for business continuity management, risk management, executives who wanna ensure they’re continuing the business and services required for their customers, to ensure that continuity of the economy, the services, whatever it is. Nor does it actually prevent any type of security issue.
So it’s not gonna stop a cyber hack, it’s not gonna prevent any type of breach. It’s just preparing for, I don’t wanna say the inevitable, ’cause I am a cybersecurity person. I feel like if you can build it, you can break it. So, there’s always a good chance that something isn’t going to work. So you have to be able to work through that. And yes, it’s not a regulation, it’s not a compliance requirement.
LANDON: So, if I understand correctly, and it’s probably worthwhile to kind of go down what GRF is all about, ’cause you mentioned the Global Resiliency Foundation. Is this essentially a framework really for the CEO and the C-Suite to ultimately keep business and services running, regardless of attack vector, natural disaster, or cyber attack, and for this to ultimately kind of make sense for a CEO who’s probably not following the latest in NIST, in ISAO, and all these different information security?
GEORGE: It’s for the CEO. I think one of the recommendations is how an executive for resilience, a Chief Resilience Officer. So, who is gonna ensure the continuity of services within your organization? Who’s gonna ensure that your customers are getting the level of attention and product service that they actually need? So it’s putting that together.
And on the, you know just to kind of side step us a little bit and talk about the NIST and the cybersecurity, every organization should be doing their own cybersecurity practices, following the frameworks that are out there. But they could also prepare for resilience. When you go through and look at the NIST cybersecurity framework, your identify, protect, detect, respond, restore.
It was put together with the idea that you did not have an adversary in the system. If just from a, you know, a resilience conversation, if you wanted to go through that entire framework and look at the tasks that are in there and ask yourself, “If the adversary is already in the system how does it change what this actual task is?” So, you start to find different solutions like, “Oh, well the adversary is in the system so I need to be able to do something else other than impose a control.” You’ve gotta be able to work through that and ensure that you can continue your operations. Whatever the mission may be, whatever the critical functions may be, they have to be able to withstand having the adversary in the system causing some type of impeded service.
LANDON: How long have you been doing cybersecurity?
GEORGE: 23 years.
LANDON: All right. In your experiences, particularly with this framework, right, like, you know how CEOs are. CEOs care about sales and product, right?
I’m just curious, have you seen CEOs actually, you know, demonstrate an interest in caring about security at a tactical, as well as strategic level, as it pertains to business risk over the past five or six years?
GEORGE: I have seen CISOs, CEOs out there looking at the tactical and strategic risk. This actually gets into a whole different topic of your Chief Information Security Officer and how well they’re communicating to the CEO what the actual issue is, and understanding, and having that person understand, “What’s the impact of the risk?” And then the CEO making the decision, “Okay, this is the risk. I’m gonna take it or I’m not gonna take the risk. I’m gonna accept it or not.” Depending on what those goals are for the company.
This framework, the operational resilience framework, doesn’t really get into accepting risk or having to accept risk. It’s just, I guess if you have to think of it in terms of this cybersecurity framework, it’s the identified. It extends the identified piece of it to not just know your hardware and your software, not just know the vulnerabilities there, but know who your customers are and what they expect from you, and what they have to have from you in order to continue their services in some type of emergency or degraded state.
So that’s where this really differentiates to be able to help your consumers, help your customers. ‘Cause it’s not so inward facing, it’s outward facing. It extends beyond your organization. So, you wanna be able to ensure that you are maximizing your internal business processes so that it’s the most efficient for your customers.
You know, my example earlier with the, you know, stadium and a hospital, if you’re working at a hundred percent efficiency within your company to meet those requirements of both those organizations, but then there’s a change and now they don’t require the same levels or it’s changed because of something, then internally you need to say, “Okay we’re not going to produce this particular product or provide this particular service.” Because things have changed and you need to understand what that is and how you’re gonna adjust operations accordingly.
LANDON: You mentioned earlier Sheltered Harbor, that this is derived from Sheltered Harbor. I guess that makes the insinuation that Sheltered Harbor is somehow incomplete. I’m just curious where… Is that true? And where else does that fall short with regard to the rest of the business?
GEORGE: Sheltered Harbor takes the customer’s data and stores it, which I think is a traditional understanding of business continuity management. We’re gonna have the data backed up and you could then bring that data back up in the case of an emergency.
The operational resilience framework goes beyond just backing up the consumer data, the customer data. You may not have to bring the system back up that was originally housing the data. Maybe it’s a different system, maybe it’s a subset of the data. So it’s not a hundred percent to a hundred percent. It’s the data that you absolutely have to have for those critical services.
It also prioritizes, like I said, what the requirements are from you to your customers.
So you have that order of battle on what you need to conquer or what you need to provide, when and where and at how much. So that’s also a difference. I think those are the two big areas. And it sounds from the, I guess, the data that also the technical information that’s required for the data. You know, what’s the configuration of the applications, the networks, the systems, that are gonna be in place to deliver that service or information to your customer?
So it really looks at if there’s some type of emergency, there’s some type of, you know, degraded service, what absolutely has to be where and how do you get it there? And that doesn’t mean that the server that you had that went down, that whole server needs to be back up at a hundred percent. No, maybe it’s just the, like I said, a subset of it.
LANDON: I think this is a good place to wind down, for sure. Is there anything else that you want to talk about or discuss?
GEORGE: Well, I will say that this is a first cut of the rules and there is a conference end of October that they’re gonna be rolling out the plan. We’ve had people go through peer review, different companies, different sectors, the rules. The plan is to continually refine and update the rules annually and then build on it. So it’s not a done thing. It’s an improving process to ensure resilience. So, it may change, it will improve.
LANDON: George, I look forward to having you back on the show to talk about how this is actually working and I appreciate your expertise today.