Think in functions, not in systems!
If you want to change only one thing about your approach to security in 2020, pick this one: Stop thinking in single systems, in little blocks. Think in functions instead.
And do that consistently. Consistently does not mean writing down the most critical functions once at the beginning of a risk analysis and then letting them gather dust, preserved in files you won’t ever touch again.
Consistently means thinking in functions in everyday business whenever you make a security-relevant decision. It means having your most important functions so firmly ingrained in your thinking that you could easily list and sketch them if woken up at three in the night.
Consistently means talking less about server X and PLC Z, but about the function that both (most likely in combination with a few other system components) fulfill. Consistently means not protecting systems, but functions.
Because for me thinking in functions is such an enormously powerful concept, and I keep repeating the arguments for how it facilitates your security, below is the collection of my best arguments pro-functions, white on blue.
(You can find a longer version here.)
To round things up:
Because I don’t want you to get the impression you’d be a lone pioneer when thinking in functions, here are three examples of security methods which use the function concept as a central element:
- INL’s Consequence-based, cyber-informed Engineering (CCE) proposes the identification of “critical functions” as its first step.
- In the standard series IEC 62443 for Industrial automation and control systems (IACS) security, “essential functions” are a core concept.
- Systems Engineering (ISO/IEC 15288:2015) works with functions in general:
A system can be viewed […] as a collection of functions capable of interacting with its surrounding environment.
— ISO/IEC 15288:2015