See things clearly
“Cyber Security and the UK’s Critical National Infrastructure” was published during September by Chatham House, home of the UK’s Royal Institute of International Affairs.
The report discusses cybersecurity in the UK, not only in government, but also relating to the UK’s ‘essential services such as water, gas, electricity, communications and banking’ [CNI].
As it points out, these services ‘are all ICT-dependent to a large degree. With this dependency can come vulnerability to aggressors, criminals and even the merely mischievous’:
“...knowledge-based economies are in a period of transition into an era of near-total dependency on ICT....” (p.5)
“This dependency has arguably become the defining feature of a modern, interconnected and knowledge-based society and economy.” (p.1)
It is refreshing to read a research report on ICT that devotes much of its time to discussing ‘dependencies’. A whole chapter is devoted to ‘Managing Cyber Dependencies’, and a ‘Dependency’ sub-section begins,
“Given that society is increasingly dependent on cyber-enabled technologies...it would be reasonable to assume that these technologies are underpinned by redundancy, resilience and close scrutiny...Yet certain kinds of scrutiny, such as methodical audit practices, regarding ICT in a wider business environment appear to be rare in the area of cyber security.” (p.11)
Which tallies with our view, described in ‘A new perspective on cybersecurity’, that for various business and technical reasons
“IT has never...been able to clearly show the connections and dependencies between the assets that enable the flow of data through the organisation...Which means... it’s not easy to understand and communicate exactly how the business works.”
To me, what is especially interesting about the report is that its original intention was
“to develop a methodology to map the types and relative criticality of ICT dependencies within the UK CNI stakeholder environment.” (p.27)
However, this goal had to be abandoned, because the research interviews with senior business managers, ‘uncovered a disparate patchwork of knowledge, capabilities, processes and attitudes’.
Nevertheless, the authors of the research make a critical point about mapping dependencies so as to mitigate risk,
“One of the most striking observations was the lack of awareness of an organization’s vulnerability to the high-level consequences of an ICT failure in another element of its value or operational chain (i.e. the business implications of a cyber attack that could cause the cessation of critical supplies or processes)....lack of mapping makes it difficult to undertake the fundamental tasks of risk management...” (p.13)
Here at OBASHI, we have adapted the well-proven practices of the Oil & Gas industry, so as to enable the mapping of dependencies in today’s IT-reliant organisations.
In Oil & Gas, digital sensors are attached to every asset in a plant, and digital flows (representing product flows) are clearly understood and constantly monitored.
Should a flow be interrupted, control room operators and automatic systems monitoring the real-time performance of the plant will intervene quickly, and take appropriate action to maintain safe operations.
Computer models allow all relevant stakeholders to see clearly how individual assets interact – things like pipes, valves, pumps, meters and sensors. And easily understandable maps, called Piping & Instrumentation Diagrams, are printed from the computer models to enable clear communication between business managers and technical specialists.
The Oil & Gas industry knows how everything is put together to make their business work – there is clarity about the flows of product through and between all businesses in Oil & Gas. This means that failures which threaten the well-being of the business are very rare.
How is this relevant to ICT?
Our breakthrough modelling technology enables a comparable approach to be taken, because the OBASHI software can portray flows of data through people, process and technology in any organisation.
Business and IT diagrams (B&ITs) are printouts from a computer model of how assets (including people) interact – simple maps of the business that are easy to understand.
Dataflow Analysis Views (DAVs), meanwhile, ‘join-the-dots’ and show how a flow of data traverses the business.
Taken together, B&ITs and DAVs are a standard way of being able to clearly see and easily communicate how the modern business works.
In a cybersecurity context, that helps stakeholders make the best-informed decisions about minimising risk.
One of the key recommendations of the Chatham House report is that
“The issue of cyber risks needs to be made accessible for those who are neither familiar with technology nor highly IT-literate.” (p. xi)
Clarity on the interdependencies of people, processes and technology, and how data flows through them and between them, is the key to making that a reality.