As we consider the construction of national and global situational awareness systems to secure our manifestly complex infrastructure, we run into a range of hurdles. Several of the more critical ones relate to the scope of the datasets needed. How do we get huge amounts of data from millions of facilities? How do we keep these vast pools of knowledge from becoming an Achilles' heel that attackers leverage to bring down everything at once?
Fortunately, some of the answers to these questions come from making things simpler rather than harder. From doing less, rather than doing more.
Crossposted from the ICS-ISAC Blog
The success of television and radio shows in the United States has been measured since the dawn of those media by Nielsen ratings. In this system, less than 0.022% of American households participate in recording their viewing preferences. Studios and stations decide what shows to produce and broadcast according to this tiny sample, resulting in a system which has on average performed adequately for the stakeholders involved.
Similarly, a great deal of value can emerge from knowledge sharing networks without requiring input from every facility. As we bring individual facilities in different sectors and geographies into knowledge sharing relationships, our ability to identify attacks and other unwanted activity grows dramatically. In fact, the greatest improvement in national and global situational awareness is likely to come from the initial stage of bringing only a very small handful of facilities into knowledge sharing networks.
Nor do we need deep insight into most aspects of operations from most facilities. In fact, individual “knowledge packets” containing little more than a generalization of a facility’s identity combined with a description of an incident will in most cases provide most of the potential value. Once we can build sharing systems in which external analysis centers receive a single notification from “a wastewater facility in Colorado” reporting “unexpected traffic to a TCP port”, we will have achieved the majority of the functionality needed to derive most of the awareness we desire.
These are the targets set for the Situational Awareness Reference Architecture (SARA) currently being compiled and demonstrated by the ICS-ISAC and its membership. Facilities, vendors, integrators and knowledge centers should be able to use SARA to create and share enough knowledge to produce the situational awareness needed to defend our shared infrastructure.
With such a low bar of information needed from facilities, the common points of resistance are easily overcome. With such a low rate of participation needed, the necessary resources are easily within reach.
Many answers to the complex challenges presented are found in simplicity. We do not need to have every facility involved before we get any benefits. We do not need facilities to share all of the information they have. We do not need to hold vast pools of data which could be turned against us.
We just need enough to know.