See things clearly
The other day, a little behind the times, I watched the fourth of the series of ‘Die Hard’ movies.
Detective Lieutenant John McClane had his hands full yet again, battling devious cyber criminals in Washington D.C.
The bad guys set out to ultimately do a bit of electronic money pilfering, and as part of their cunning plan they disrupt some of the computer-reliant critical networks that typically support a modern city. By hacking into systems and interrupting key flows of data they,
The boss of the FBI Cyber Division is stunned when his organisation’s systems are hacked. But he is also unaware that the techie genius behind the chaos, a disgruntled ex-employee of the government, programmed a failsafe system to automatically send the baddies critical U.S. banking and governmental data when this happened.
Thankfully for the citizens of the U.S., McClane is on the case. As he closes in on his foe, they talk by phone. The bad guy reflects on his time working for the government and his warnings to the authorities about a society’s vulnerability to failure of interconnected networks,
“...I’m the good guy here. I told them this could happen if they didn’t prepare. Did I get a thank you? No. I got crucified – but they wouldn’t listen...I am doing the country a favour...everything I’ve broken can be fixed, if the country is willing to pay for it...”
Although the movie has a few techie holes in the plot, it gives some idea of how potentially vulnerable today’s societies are to technological failure caused by ‘cyber attack’.
It occurs to me that the authorities in the film would have found the “CyberCity” useful in predicting the effects of, and mitigating, the cyber attack they endured.
The CyberCity is a 48-square-foot model, a 3D map of an urban area and its infrastructure, designed to
“...show you can cause physical damage or change in a city environment entirely using computers.”
It is used in the U.S. by the SANS Institute, ‘which leads information-security training for military, government, and civilian officials’. The map has
“...a working electric grid, transportation system, and banking network. And it’s routinely under attack by hackers whose plans are worse than stealing credit card numbers: they want to destroy the city itself...CyberCity has its own train network, a hospital, a bank, a military complex, and a coffee shop complete with free Wi-Fi. The town is virtually populated by 15,000 people, each with their own data records and electronic hospital files...”
The technology and systems that make the city run are modelled on the real world, and incorporate the same vulnerabilities.
Using the model, ‘what-ifs’ can be performed. The potential ‘kinetic effects’ (things in the physical world breaking down) of a cyber attack, associated with interruptions to key data flows, can be clearly understood.
Live video streams from cameras mounted around the model enable students to run remote cyber-attack missions,
“...Scenarios controlled over computers will play out on the board in this tiny town...In one training ‘mission’, terrorists hack into the power grid, cause a blackout, and reconfigure the power company’s computers so that utility workers can’t get into them. The challenge: hack the computers and get the lights back on. They will, in fact, flicker on and off in CyberCity...”
The model may be low-budget, and be built using stuff from a hobby shop, but it is,
“...the simplest way to illustrate how dominoes fall in the real world...”
And that is a key point.
As complexity increases in today’s highly inter-connected, data-reliant business world, we need simple ways of understanding how things are put together to make things work, and precisely how critical systems are dependent on each other.
Simple models like CyberCity are a great way of communicating the top-level physical impacts of interruptions to data flow on the key networked infrastructures that enable modern civilisation.
But to best defend the integrity of critical data flows themselves, we also need simple ways to understand and communicate how data flows through the complex matrix of people, process and technology that constitute the modern business. And we need the same degree of clarity on how data flows between businesses.
After all, how can you best defend a flow if you don’t have clarity on how everything is put together to enable the flow?
This is where OBASHI is very useful.
Our breakthrough modelling technology models how assets that enable and support data flow – people, process and technology – interact.
OBASHI Business and IT diagrams (B&ITs) are printouts from the model – simple maps of the business that are easily understandable to all stakeholders, business and technical.
Our Dataflow Analysis Views (DAVs), meanwhile, ‘join-the-dots’ and show how each flow of data traverses the business from start point to end point.
Taken together, B&ITs and DAVs are a standard way of being able to clearly see and easily communicate how the modern organisation works.
In a cybersecurity context, OBASHI helps stakeholders make the best-informed decisions about minimising cyber risk to data-flow-reliant physical systems and networks. “What-ifs” can be modelled in OBASHI, and the security impacts analysed, before major change in the business is attempted.
At critical moments during Die Hard 4.0, the various characters make key decisions after consulting simple maps that display how things work. They are able to see clearly how, for example, traffic flows through the city, how gas flows through the power grid, and how people flow through buildings.
In a world of growing cyber risks, businesses need similarly simple ways of understanding and communicating how data flows through and between organisations.
We might be biased, but we think the clarity provided by OBASHI gives you the best chance of keeping the cyber bad guys at bay.