Systematically Pre-Empting Cybersecurity Threats And Damages


At BCG, we created a methodology for determining hidden cyber vulnerabilities. This cyber methodology is called STACHT (pronounced “stacked”), which stands for “system theoretic analysis of cyber hazards and threats.” When you adopt this methodology, you can identify hidden cybersecurity vulnerabilities using a six-step method. The methodology depends upon two basic principles:

  1. Hazardous versus nonhazardous states: Systems in a hazardous state can potentially be compromised. Systems in a non-hazardous state cannot be compromised. As the environment changes, systems can migrate from one state to the other. The goal of STACHT analysis is to systematically determine how to keep all systems in a non-hazardous state and to preemptively detect and prevent systems from migrating to a hazardous state.
  2. Controller-controlled process modeling: All systems and environments are modeled using a fundamental building block of the STACHT modeling approach: You can model every element of your organization’s information technology (IT) and operational technology (OT) as a two-part process consisting of a “controlled process” and a “controller.” The controller provides “actions” to the controlled process, and the controlled process provides “feedback” to the controller. You can then model all of your complex IT and OT systems using a hierarchy of these building blocks.

Using a model built from a hierarchy of controller-controlled process building blocks, you can uncover hidden vulnerabilities with a six-step approach:

  1. Identifying in-scope systems and their vulnerabilities: Take stock of critical assets like personally identifiable information, financial transactions, physical assets (e.g., industrial control systems, medical technology and electric grids), human capital, business operations, and intellectual property, and map these assets to their associated systems and applications — then develop a catalog of existing or potential vulnerabilities in the associated systems and applications.
  2. Understanding threat profiles: Develop a detailed attack tree analysis that identifies all the attack vectors each critical asset faces. These attack trees should consider attack motives, targets, threats and vulnerabilities; prioritize attacks and threats based both on impact and likelihood.
  3. Spectrum analysis: Group your systems, applications and their controls on a two-axis spectrum graph describing control coverage on the Y-axis and control effectiveness on the X-axis, as shown below:
     a. Control coverage: Your coverage for a system will vary from “systems are not covered by controls” at the bottom of the Y-axis to “systems are well covered by several controls” at the top of the Y-axis.
     b. Control effectiveness: Your effectiveness for a control will vary from “controls are not effective” at the left of the X-axis to “mature and effective controls exist” at the right of the X-axis. Then match the systems with the controls.
     By analyzing this spectrum, you can identify which systems and applications have similar vulnerabilities that you can protect by mapping vulnerabilities to controls. Conducting a spectrum analysis enables you to gain a more detailed understanding of the current cybersecurity vulnerabilities and controls in place.
  4. Identifying human-based scenarios: You should review individual systems for the potential for humans to make errors and for contributing social, organizational, managerial, policy, regulatory and legislative factors. Create control loops that describe cyber-secure behavior, and examine how cyber controls can degrade to a hazardous state over time. Using the spectrum analysis in step three, you can show the potential vulnerabilities in your systems and the cyber-controls in place to mitigate each vulnerability. For example, review all the sensitive data and physical assets: Are the assets encrypted? Which users have access to each asset? Is multifactor authentication required to access an asset? Questions like these will help you place each asset (data and physical) on a spectrum of coverage and effectiveness.
  5. Identifying process-based scenarios: Review systems and applications to see how process design, execution, controls, and supporting processes can contribute to or mitigate vulnerabilities. As in the human-based-scenario step, you can create control loops that describe cyber-secure behavior, as well as how those cyber controls can degrade to a hazardous state over time.
  6. Generating holistic views of vulnerable or cyber-hazardous environments: The final step in STACHT centers around synthesizing your findings to create a holistic view of vulnerability environments, identify at-risk technology and processes, and create a systematic list of recommendations to prevent a cyber-secure system from migrating into a hazardous state.
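The following Python script is an added illustration, not code from BCG or from the STACHT methodology itself. It models the controller / controlled-process building block from the second principle, places assets on the coverage-versus-effectiveness spectrum of step three, and shows how a control loop that acts on feedback before the threshold is reached keeps an asset out of the hazardous state, while an unattended asset drifts into it as an unmaintained control (patching) degrades over time. Every asset, control, threshold, decay rate and the warning margin below is a constructed assumption.

```python
"""Toy STACHT-style model: a controlled process (an asset and its controls)
reports feedback to a controller, which answers with actions, plus the
coverage-vs-effectiveness spectrum used to classify assets.
All values here are constructed assumptions, not BCG's own figures."""
from dataclasses import dataclass, field
from enum import Enum
from statistics import mean

# Assumed thresholds for the two spectrum axes.
MIN_COVERAGE = 2          # Y-axis: number of controls applied to the asset
MIN_EFFECTIVENESS = 0.7   # X-axis: 0.0 = not effective, 1.0 = mature and effective
WARNING_MARGIN = 0.1      # the controller acts this far *before* the hazardous line


class State(Enum):
    NON_HAZARDOUS = "non-hazardous"
    HAZARDOUS = "hazardous"


@dataclass
class Control:
    name: str
    effectiveness: float
    decay_per_period: float = 0.0   # drift per period if the control is not maintained


@dataclass
class Asset:
    """The controlled process: an asset together with the controls around it."""
    name: str
    controls: list = field(default_factory=list)

    def coverage(self) -> int:
        return len(self.controls)

    def effectiveness(self) -> float:
        if not self.controls:
            return 0.0
        return mean(c.effectiveness for c in self.controls)

    def degrade(self) -> None:
        """One period passes: unmaintained controls lose effectiveness."""
        for c in self.controls:
            c.effectiveness = max(0.0, c.effectiveness - c.decay_per_period)


def quadrant(asset: Asset) -> str:
    """Place an asset on the two-axis spectrum graph."""
    y = "well covered" if asset.coverage() >= MIN_COVERAGE else "poorly covered"
    x = "effective" if asset.effectiveness() >= MIN_EFFECTIVENESS else "ineffective"
    return f"{y} / {x}"


def assess(asset: Asset) -> State:
    """Hazardous unless the asset sits in the well-covered / effective corner."""
    ok = asset.coverage() >= MIN_COVERAGE and asset.effectiveness() >= MIN_EFFECTIVENESS
    return State.NON_HAZARDOUS if ok else State.HAZARDOUS


class Controller:
    """Controller half of the building block: consumes feedback, emits actions."""

    def __init__(self, preemptive: bool = True):
        self.preemptive = preemptive
        self.actions = []   # (period, action) log, for review

    def act(self, asset: Asset, period: int) -> None:
        feedback = asset.effectiveness()   # feedback from the controlled process
        if (self.preemptive and asset.controls
                and feedback < MIN_EFFECTIVENESS + WARNING_MARGIN):
            weakest = min(asset.controls, key=lambda c: c.effectiveness)
            weakest.effectiveness = 1.0    # action: renew the weakest control
            self.actions.append((period, f"renew {weakest.name}"))


def run(asset: Asset, controller: Controller, periods: int) -> list:
    """Simulate the loop and return the state observed in each period."""
    history = []
    for period in range(1, periods + 1):
        asset.degrade()
        controller.act(asset, period)
        history.append(assess(asset))
    return history


def make_pii_database() -> Asset:
    # Constructed sample asset: patching drifts unless someone acts on it.
    return Asset("customer PII database", [
        Control("encryption at rest", 1.0),
        Control("multifactor authentication", 0.9),
        Control("patching", 1.0, decay_per_period=0.15),
    ])


def hazardous_periods(preemptive: bool, periods: int = 10) -> int:
    """How many of the simulated periods end with the asset in a hazardous state."""
    history = run(make_pii_database(), Controller(preemptive), periods)
    return sum(1 for s in history if s is State.HAZARDOUS)


if __name__ == "__main__":
    inventory = [   # constructed inventory
        make_pii_database(),
        Asset("legacy plant HMI", [Control("network segmentation", 0.4)]),
        Asset("payroll application", [Control("multifactor authentication", 0.9),
                                      Control("access logging", 0.8)]),
    ]
    for a in inventory:
        print(f"{a.name:28} {quadrant(a):32} {assess(a).value}")
    print("hazardous periods, unattended:", hazardous_periods(preemptive=False))
    print("hazardous periods, pre-empted:", hazardous_periods(preemptive=True))
```

With the constructed values, the unattended database crosses the effectiveness line in the sixth period and stays hazardous thereafter, whereas the pre-emptive controller renews patching as soon as the feedback falls within the warning margin, so the asset never leaves the non-hazardous state. The same structure nests: a higher-level controller can treat a whole set of these loops as its controlled process, which is the hierarchy the second principle describes.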

This approach is different from traditional cyber incident analysis because it prevents systems from migrating to hazardous states where they could be compromised, and because the models include, in addition to technology, people, processes, managerial policies, regulatory requirements and legislation. It allows organizations to understand the causal factors leading to cyber incidents and to implement effective controls that address potential vulnerabilities before they become actual ones.

You can use this analysis to show how the interrelationships between legislation, regulation, management policies, personnel, procedures, applications, clouds, data and hardware can cause a system to degrade from a cyber-secure state to a cyber-hazardous state in which it may be compromised.

In a cyber analysis, an organization may have a policy to “never give out the SysAdmin password to a third party,” and another policy to “do whatever it takes to get a crashed business-critical system back online.” An employee might give a supplier remote access and the SysAdmin password — so that the third party can quickly repair the downed system. This moves the system from a secure state to a hazardous state, where malware on the third party’s computers could infect your systems. To mitigate issues like these, you should use STACHT to set clear priorities among policies: the cybersecurity control always takes precedence over the cyber-business policy, and the employee will never be punished for deciding to enforce security over speed of restoration.

When you adopt STACHT, you have a systematic way to set up security requirements that prevent insider and external threats from exploiting vulnerabilities and prevent cyber incidents from occurring. Once your organization understands the relationships between all the policies, procedures and technologies, and relates them to the concepts of a cyber-secure state versus a cyber-hazardous state, you have a powerful methodology to prevent your systems — including data and cyber-physical systems — from entering a cyber-hazardous state.

originally posted on by Michael Coden