The White House has created a working group on Cyber-Physical Resilience to build resilience into Critical Infrastructure. They are looking at ways to prevent failure, disruption, and degradation.
If you had the opportunity, what would you want their top three priorities to be?
Hi, Alex, and thanks for the opportunity to share a created vision you have extended. This morning I happen to believe that the physical aspect of Cybersecurity is very critical indeed looking in all 4 tiers. I think Recovery is an essential in resilience. Honestly Mitigation is another thing. Communication is certainly among the profound things I believe, and closing in on probably the Primitive tier, Tier #1, safety might not be a horrible idea as I think about governance on the large scale which is essential in building infrastructure particularly in Cybersecurity. I think about it on the 'ground level' with Asset Management following close behind. This is more or less because Risk Management relies on infrastructure, Business Management as well, and the other important pieces of foundation framework which is where my certification is. I'm going to be honest in saying that safety is probably not one of my more proficient choices, but right off of the top of my head I include it since I am replying on the whim here whereas I usually have time to study. I am hoping to read more ideas from the Inner Circle to see that others have the remaining spaces taken care of. Safety is a broad plank to walk frankly in building resilience I will agree, and argue that it would be a weak link in the design as it plays a more efficient role elsewhere in the technology. I am stumped right now, but later today I will regard your awesome inquiry further.
With Warm Regard,
Victor Williams, NIST Certified
This is a topic I am actually going to input some suggestions into with some research labs I officially work with in the US using the open source zero trust networking project I work on (https://github.com/openziti). Right now, only 2 topics come to mind... maybe I will think of another later:
- How to provide standard, open source solutions which allow us to implement zero trust networking in OT/air-gapped environments which reduce risk from the network while being in their sovereign domain as is mandated by OT operating environment. While I am biased on OpenZiti being one of these, I wish there were other solutions to create an innovation race and pick the current 'winner' (see Linux/Kubernetes etc).
- How to incentivise critical infrastructure providers who are driven towards 100% uptime to drive revenue (with punishments for the downtime) and thus are incentivised not to implement any technology (incl. security) which causes ANY delay to getting infrastructure back up. Maybe some sort of grace period while these technologies are being implemented and perfected for OT so that they do not cause extra downtime. Further, operators implementing more secure solutions should receive some sort of 'bonus' so that the revenue side of their business demands higher security by default/by-design.