Cyber-attacks are asymmetric in nature, with hackers having low risk, defenders high risks and an impossibly large surface area to protect. Identifying critical systems is how an organisation can mitigate the large surface areas to protect.
What is a critical system?
“A critical system is any system whose failure may result in a loss in revenue, the loss of human life, harm to the environment, or a threat to the longevity of an organisation.” - Bozzano, M. & Villafiorita, A. 2010
There are three key areas to assess for their criticality; information systems, networks and data. These are to be evaluated across the three axes below.
Confidentiality - Is keeping sensitive information private, restricted to essential individuals (i.e. credit card). Unauthorised exposure is often prevented using data encryption. Cyber attacks are designed to remain undetected for as long as possible; when a breach is detected, the attackers act more daringly to gain as much data as possible; encryption is vital.
Integrity - Achieved by identifying unauthorised and unintentional alterations, maintaining systems and data integrity. Including initiatives that are pre-emptive and mitigation measures to restrict editing and recover unapproved changes.
Cyber-attacks that affect the integrity of information systems are sophisticated; effects include significant reputational damage when they become known by the public.
Availability - Is achieved by systems administrators who are authorised users of a system, network or data. They resolve software conflicts; keeping systems current via upgrades. Hardware is also maintained with bottlenecks avoided, and communication bandwidth is available.
Cyber-attacks impede user access to critical data. Ransomware and DDOS attacks may lead to loss of availability. Organisations must have preventative measures and an incident response process to enable availability.
When assessing critical systems, organisations sometimes become confused about the differences between mission-critical, business-critical, and safety-critical.
There are important nuances, and here is a simple example. A train control system, which manages the travelling trains on track, is critical; if it stops, trains become unsighted, and services will need to stop. The asset management system that catalogues the railway’s trains and assets is business-critical, but trains still run if it stops.
Cyber resilience is restoring the critical systems, “getting the trains running again.”