# Cyber Resilience

## What is cyber resilience?

Our world increasingly depends on interconnected computers and smart devices. Activities that were once manual or analog—managing the electric grid, controlling the flow of pipelines, operating energy facilities, financial transactions—now occur in the digital world. Computers enable these processes to run more efficiently and to benefit from advances including automation and artificial intelligence. However, they also create the possibility of cyberattacks or other disruptions that pose a threat to national security.

Cyber resilience, which is also sometimes referred to as cyber resiliency, is the ability to weather adverse events in a computing environment. The National Institute of Standards and Technology (NIST) defines cyber resilience as “the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.” Cyber resilience applies to both physical and virtual assets.

Cyber resilience is a broader approach to cybersecurity, the effort to harden and defend cyber systems against possible attacks. While cybersecurity is a critical component of cyber resilience, cyber resilience bolsters the notion of defending systems with the idea that systems should be able to continue operating and/or bounce back quickly if a security breach happens.

“The quest for ‘failure-proof’ systems [in information technology] ultimately—and ironically—failed,” wrote the authors of a 2018 report from the consulting firm Accenture, The Nature of Effective Defense: Shifting from Cybersecurity to Cyber Resilience. “The goal is systems that are highly automated, distributed, over-designed, and redundant. In other words, they’re ready for anything.”

## The emergence of cyber resilience as a concept

Cyber resilience as a national priority in the United States emerged in early 2013 with the Presidential Policy Directive (PPD-21) on Critical Infrastructure Security and Resilience. The directive laid out a strategy for a national effort to strengthen the security and resilience of essential facilities such as nuclear reactors, wastewater systems, and dams. Identifying 16 critical infrastructure sectors, the PPD-21 tasked the U.S. Department of Homeland Security (DHS) and other national agencies to work together on evaluating and managing cyber risks in these sectors.

“Although PPD-21 launched the topic into highly visible discussions, several organizations had been working on cyber resilience previously,” write the authors of a 2018 paper prepared for the DHS, pointing to Carnegie Mellon University’s Computer Emergency Response Team and the MITRE Corporation as examples of entities that were developing this idea as early as 2010.

## Why cyber resilience is important

Cyber resilience makes it possible for critical services—the open channels on which we depend daily, such as the flow of electricity, water, data, goods, and money—to continue in an emergency. Accordingly, the National Infrastructure Advisory Council has identified five sectors that must be part of cyber resilience planning: electricity, water, transportation, communications, and financial services.

Any one of these sectors is important enough on its own, but cyber resilience also recognizes the interdependency of these sectors—water and communications require electricity, and vice versa, and digital financial services and transportation networks demand electricity and communications. Some of the equipment that makes these activities possible, such as high-voltage transformers on the electric grid, would take months or years to replace if irreparably damaged in an attack or disaster. By preventing such damage, cyber resilience assures that expensive, important assets remain in service for as long as possible.

Infrastructure in these critical sectors is sometimes referred to as cyber-physical, because there are real-world facilities and equipment dependent on computerized monitors and controls. Examples of cyber-physical systems include automated vehicles, robots, and energy facilities such as oil refineries or nuclear power plants. When an attack on cyber-physical assets is successful, the effects can be swift and potentially wide-reaching.

A cyber-resilient network is built to assure that the most important parts will continue to function even if they are compromised by an attack or another type of disruption. The ability to resist or recover from cyberattacks can be a matter of life and death. Cyber resilience may also prevent billions of dollars in damage. A 2021 report from the research firm Cybersecurity Ventures estimated that ransomware—a malicious software that essentially holds valuable information hostage until the rightful owners pay for its return—alone will exact $265 billion in damage annually by 2031, with attacks occurring every 2 seconds. Ransomware is only one type of security breach. Cybersecurity Ventures estimated in late 2020 that global cybercrime costs would reach$10.5 trillion annually by 2025.

Not all malicious computer attacks are cyber-physical (meaning they directly affect equipment), but they have real-world consequences, nonetheless.

## Cyber resilience principles

An effort to achieve cyber resilience generally follows four strategic principles outlined by NIST.

1. Anticipate: “Deterrence, avoidance, and prevention are strategies for anticipating potential
threats,” write the authors of Developing Cyber Resilient Systems: A Systems Security Engineering Approach, a 2019 NIST report. Planning for threats and regularly changing a system’s surface to make it more difficult for attackers are two preventive measures.
2. Withstand: A system can be built to withstand potential threats even when they are not detected. This might involve building in tolerance for some level of damage, repairing damage automatically, deflecting attacks by routing them to systems other than the ones targeted, and removing compromised system elements and either replacing them or enabling processes to run without them.
3. Recover: If a breach occurs, a system might revert to an earlier state, reconstitute itself by duplicating critical functions, or repurpose existing system elements to support compromised areas. “Detection can support the selection of a recovery strategy. However, a system can apply these strategies independent of detection to change the attack surface,” the NIST report said.
4. Adapt: The NIST report suggests “correction (i.e., removing or applying new controls
to compensate for identified vulnerabilities or weaknesses) and redefinition (i.e., changing
the system’s requirements, architecture, design, configuration, or operational processes)” as key adaptation tactics.

## Evaluating cyber resilience

The Cybersecurity & Infrastructure Security Agency, which is part of the DHS, offers assessment resources such as a Cyber Resilience Review. Its assessment tools include a question set designed to help organizations identify which services are most critical, what plans need to be in place to make sure those services continue, what staff training might be required to enhance cyber resilience, and other key aspects of planning for adverse events.

## Cyber resilience techniques

The 2019 NIST report offers an overview of 14 cyber-resilience techniques. These include analytic monitoring, which involves analyzing a spectrum of properties and behaviors “on an ongoing basis and in a coordinated way;” privilege restriction, which can be used to limit system access only to those who need it; redundancy, the bedrock cybersecurity notion of multiple, protected instances of the same resource; and deception, the purposeful obscuring or tainting of assets to mislead an adversary.

## Cyber resilience challenges

Cyber resilience involves a variety of difficult tasks, the approach to which must constantly evolve to meet ever-changing threats. A resilient system cannot simply buffer against potential problems—a big job in and of itself. It must also detect breaches, respond to damage, and create redundancies that will maintain operations in the face of an attack. This mission does not change, even as technologies become more complex, data becomes more voluminous, and risks proliferate.

While the need for cyber-resilience measures is now firmly established, the number of subject matter experts available to implement these measures is limited. Cybersecurity experts are in short supply, with almost half a million open positions in 2021 and unfilled jobs globally exceeding 3 million. Programs like the Department of Energy’s CyberForce aim to fill this gap by engaging college students and recent graduates in cyber competitions and career events. Pacific Northwest National Laboratory has supported these types of events since 2017.

The type of expertise needed to address evolving cyber threats also needs to become more sophisticated. A 2018 paper from the DHS noted “an urgent need to educate and train a new breed of professional who could be called Hybrid Cyber-Electrical [Subject Matter Experts].” This training would bridge the gap between IT security professionals and control system engineers who have separate but overlapping roles in enhancing cyber resilience.

## Cyber resilience research at Pacific Northwest National Laboratory

For more than 20 years, Pacific Northwest National Laboratory (PNNL) has been building and defending the United States’ computational assets. As part of this leadership, PNNL researchers are working on technologies to defend critical infrastructure from cyber threats. These include next-generation capabilities for cyber analytics and situational awareness, resilient system design, assured automation for cyber systems, consequence prediction of cyber effects, and real-time dynamic response.

In 2012, PNNL launched the Asymmetric Resilient Cybersecurity (ARC) Initiative, a multi-year research agenda to create both robustness and resilience across all levels of the computing enterprise. ARC is a multidisciplinary effort that starts with a theoretical foundation of complex systems based on modeling and metrics. Scientists are also building individual technologies to bolster cyber resilience and methods that can validate given cyber resilience approaches.

“The truth is, you don’t always know where the adversary is and what they’re after. So what we’re focusing on is what we can sense inside the system and using that as a key to respond and react,” said Chris Oehmen, PNNL research scientist. The goal, he said, is a loop that can sense what’s going on, process information, recommend responses that humans can take, and automate other responses.

Additionally, the Resilience through Data-Driven, Intelligently Designed Control (RD2C) Initiative focuses on improving the resiliency of cyber-physical systems that provide sensing and control for critical infrastructures, such as the electric power grid and transportation systems. Launched in 2021, the laboratory-directed research initiative brings together researchers from across PNNL with the goal of developing novel sensing and control approaches and algorithms for these systems.

Another research program, Proactive Adaptive Cybersecurity for Control (PACiFiC) is focused on delivering more secure, reliable, robust, and resilient control systems. PACiFiC spans a variety of research areas, from a toolkit for assessing secure design and development principles to automatic detection and reaction methods to real-world based simulations.

PNNL is home to the Center for High Fidelity Science in Operational and Information Technology, an experimental environment including testbeds, models, datasets, methodologies, orchestration, and expertise. The center provides highly realistic settings for scientifically rigorous cyber-physical research. The center includes CyberNET and PowerNET, two simulation testbeds that can provide a scientific basis for cyber resilience approaches within cyber networks and on the power grid, respectively. Additionally, PNNL’s Internet of Things Common Operating Environment serves as a lab and testbed for interconnected devices and is doing work for the Department of Energy, DHS, and utilities.

PNNL leads resilience for the Federal Energy Management Program, deploying new resilience assessment and planning methods and tools. One of those tools is the Technical Resilience Navigator, which helps organizations manage the risk to critical missions from disruptions in energy and water services.

PNNL scientists and researchers have also developed cybersecurity maturity models to help organizations, including those in the energy sector, assess their cybersecurity program and identify areas of improvement.

Cyber resilience is a relatively new field, and PNNL experts are helping pioneer the terminology, frameworks, and technologies that will be central to defending critical national assets now and in the future. In 2021, PNNL researchers defined the term “macro cyber resilience” in a special issue of the Journal of Information Warfare. While micro cyber resilience is focused on individual devices, the macro variety safeguards the functionality of interconnected complex systems, such as those that support the electric grid. PNNL’s researchers contributed to a 2021 report from the National Academies of Sciences on enhancing community resilience, and they participated in cybersecurity summits and research partnerships that advance our understanding of cyber resilience threats and solutions.

As engineers build new marine renewable-energy devices that could provide power to coastal communities and power ocean-observing machines, yet another set of potential vulnerabilities emerges. In 2020, PNNL authored the first-ever cybersecurity guidance report for such devices on behalf of the Department of Energy’s Water Power Technologies Office.

In coming years, PNNL scientists and engineers will continue to advance the foundational science and research methods for cybersecurity as the cyber resilience frontier expand and grows more complex.