Finding a pragmatic assessment scheme
We start 2024 with a new series of cybersecurity blogs. In this first part we look at pragmatic approaches to threat analysis. As most industries are nowadays very much focused on cybersecurity, we are all faced with the challenge of defining what an acceptable cybersecurity residual risk is. This is no different from other technical areas: we need a strategy for hardware, software, and usability, each of which has its own input criteria and acceptance outputs. For cybersecurity there are numerous sources of information in reference material and international standards, as we covered in our blog IEC 62304 – Part 4: Cybersecurity opening the flood gates. How do you approach the topic of a pragmatic strategy for defining an acceptable cybersecurity risk?
NIST SP 800-30
The centerpiece of cybersecurity threat strategies in both automotive (ISO SAE 21434) and the medical device industry (AAMI TIR 57) is the National Institute of Standards and Technology (NIST) SP 800-30. The approach is best illustrated by the diagram in AAMI TIR 57.
The process generates a likelihood level and an impact level for each threat, and the combination of the two yields a risk outcome. ISO SAE 21434 takes a similar approach.
The factors that feed into this risk outcome are, however, sub-divided into many categories. In NIST SP 800-30 there are two key routes to the final risk score, based on adversarial or non-adversarial threats, the former having the greater number of factors. In figure 2 we have listed the 13 categories, each with its own column, together with the qualitative risk level scale (a semi-quantitative scoring system is also defined in the document).
Some customers use this approach to define the risk score, as illustrated in green in the right-hand column, but for adversarial threats, with 10 columns contributing to the overall risk level and each having 5 or 6 possible ratings, this leads to a very complex assessment of cybersecurity risk acceptance. Deciding how to weight the result based on specific input criteria is one of the challenges. However, it brings a flexibility to the process that more pragmatic approaches do not necessarily offer.
The NIST series of standards brings many practical tips and guidance in all sorts of technological areas, and is hence an invaluable reference source.
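To make the two routes concrete, here is an added example (not code from the original post or from NIST) that implements the qualitative combination step: for adversarial threats the likelihood of initiation and the likelihood of adverse impact are first merged into an overall likelihood, which is then combined with impact into a risk level; non-adversarial threats go straight from likelihood of occurrence to the same risk lookup. The two lookup tables are our transcription of Tables G-5 and I-2 from SP 800-30 Rev. 1 and the "Moderate" acceptance threshold is an assumed policy, so check both against your own risk management plan.

```python
"""Qualitative NIST SP 800-30 Rev. 1 risk combination (added example).

Assumption: the two tables below are transcribed from Table G-5
(overall likelihood) and Table I-2 (level of risk) of SP 800-30 Rev. 1.
The 13 per-column factors of the page's figure 2 are not modelled here;
only the final combination step is shown.
"""

LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]

# Table G-5: rows = likelihood the threat event is initiated,
# columns (in LEVELS order) = likelihood it results in adverse impact.
OVERALL_LIKELIHOOD = {
    "Very High": ["Low", "Moderate", "High", "Very High", "Very High"],
    "High":      ["Low", "Moderate", "Moderate", "High", "Very High"],
    "Moderate":  ["Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Moderate", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Low", "Low", "Low"],
}

# Table I-2: rows = overall likelihood, columns = level of impact.
RISK_LEVEL = {
    "Very High": ["Very Low", "Low", "Moderate", "High", "Very High"],
    "High":      ["Very Low", "Low", "Moderate", "High", "Very High"],
    "Moderate":  ["Very Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Low", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
}


def _lookup(table, row, col):
    # Reject anything outside the five qualitative levels of the standard.
    if row not in table or col not in LEVELS:
        raise ValueError(f"unknown level: {row!r}/{col!r}")
    return table[row][LEVELS.index(col)]


def adversarial_risk(initiation, adverse_impact, impact):
    """Adversarial route: G-5 first, then I-2. Returns (overall, risk)."""
    overall = _lookup(OVERALL_LIKELIHOOD, initiation, adverse_impact)
    return overall, _lookup(RISK_LEVEL, overall, impact)


def non_adversarial_risk(occurrence, impact):
    """Non-adversarial route: likelihood of occurrence straight into I-2."""
    return _lookup(RISK_LEVEL, occurrence, impact)


def accept(risk, threshold="Moderate"):
    """Assumed acceptance policy: residual risk at or below the threshold."""
    return LEVELS.index(risk) <= LEVELS.index(threshold)


if __name__ == "__main__":
    # Constructed case: a capable adversary is very likely to try, the
    # mitigations leave a Moderate chance of adverse impact, impact is High.
    overall, risk = adversarial_risk("Very High", "Moderate", "High")
    print(overall, risk, accept(risk))  # High High False
```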
Pragmatic Approaches to Assessing Cybersecurity Risk
With the release of version 4.0 of the Common Vulnerability Scoring System (CVSS) last year, we have an updated version of a well tried and tested open framework tool. Using such a tool certainly makes life easier for those defining the cybersecurity risk strategy and ultimately the acceptable residual risk. There has been criticism of the CVSS metrics over the years about their suitability for modern industry challenges, but V4.0 has improved many aspects of the scoring system.
The main advantage of using such a tool, and there are many others such as Common Weakness Enumeration (CWE), is that a scoring system and acceptance threshold do not need to be devised from scratch. The tools are readily available online and hence save a significant amount of effort when generating a cybersecurity risk management plan, as the tool defines the acceptance level.
CVSS is used globally by a huge number of organizations and is extremely useful in providing a standardized approach to analyzing threats.