CADR 101: A Primer on Cybersecurity Architecture Design Reviews

Published by Axio

A cybersecurity architecture design review (CADR) will help you fight ransomware. The TSA is now requiring these assessments for more and more critical infrastructure entities, given today’s cyber threat landscape. Our article provides a 101 on the CADR assessment from ideation to execution, which has become a high-demand offering from our professional services team, performed in close collaboration with our partner 1898 & Co.

High-impact ransomware attacks necessitated cybersecurity architecture design reviews

Ransomware attacks on critical infrastructure have garnered worldwide media attention. The notion a cybercriminal can disrupt the delivery of essential goods and services (energy, transportation, food) accelerated the development of a legislative response.

The Department of Homeland Security’s Transportation Security Administration (TSA) has introduced new security directives for critical infrastructure operators. These new directives emphasize the importance of proactive assessment, identifying gaps, and developing remediation plans.

This security objective has been designated as 1580/82-2022-01 and is an extension of Security Directive 1580-21-01. These directives aim to “reduce the risk that cybersecurity threats pose to critical railroad operations and facilities through implementing layered cybersecurity measures that provided defense-in-depth.”

A requirement for developing a cybersecurity assessment program has also been added that includes the execution of a Cybersecurity Architecture Design Review (CADR) to validate that the network architecture effectively isolates critical OT cyber systems from potential threats.

Critical infrastructure operators must now evaluate their OT (Operational Technology) environments alongside traditional IT systems. OT assets and networks control crucial processes, such as manufacturing automation, pipeline flow control, and wastewater management. These OT environments often rely on vendor-sourced assets and legacy technologies, and may lack adequate security measures. Furthermore, separating OT and IT networks can be challenging, leaving critical infrastructure operators exposed to potential cyber threats. This is where Cybersecurity Architecture Design Reviews (CADR) come into play as part of fulfilling the requirements imposed by these new TSA directives.

Axio can perform a cybersecurity architecture design review for your organization

Axio, in collaboration with 1898 & Co., has developed a comprehensive CADR assessment process aligned with reputable methodologies and NIST Special Publication 800-82, Guide to Industrial Control Systems Security.

CADR is a high-value activity, even if one does not consider the new TSA directives. A cybersecurity architecture design review goes beyond traditional assessments by evaluating not only current practices and controls but also testing their effectiveness. By conducting a CADR assessment, critical infrastructure operators gain actionable knowledge about gaps in their OT environments. The CADR process examines the design, implementation, operation, and resilience of the OT environment, including its interaction with the IT environment. This comprehensive assessment enables organizations to not only defend against attacks but also respond and recover efficiently when needed.

The four components of a cybersecurity architecture design review

The CADR assessment consists of four core components. Firstly, a network architecture review provides a holistic view of the organization’s network boundaries, encompassing IT, OT, wireless, and emerging technologies like SD-WAN. Secondly, a system configuration and log review delves into the security configurations of critical assets in the IT and OT environments. This review emphasizes system hardening, patching, configuration management, and remote asset management practices to improve cyber hygiene. It also examines system logs to identify suspicious activity and unauthorized configuration changes. Thirdly, network traffic analysis offers real-time insights into the effectiveness of controls by identifying anomalous behaviors and potential threats affecting critical assets and traffic patterns. By monitoring and analyzing network traffic data, stakeholders gain a deeper understanding of their environment’s vulnerabilities and the performance of existing controls.

Lastly, leveraging the NIST 800-82 Guide, our team conducts interviews with key stakeholders to assess the implementation of leading practices for securing industrial control systems. This step helps identify gaps that could impact the organization’s cybersecurity posture and prioritize areas for improvement.

In summary, the four components of a cybersecurity architecture design review are:

  • Network architecture review
  • System configuration and log review
  • Network traffic analysis
  • Interviews with key stakeholders to identify gaps

CADR provides a practical view of the organization’s cybersecurity strategy

The CADR assessment process is specifically designed to address the unique challenges of industrial control systems and operational technology. It enables critical infrastructure operators to align with the TSA’s security directives and establish a baseline for developing effective defense-in-depth strategies. Notably, CADR goes beyond theoretical assessments by testing the real-world performance of controls, providing a practical view of the organization’s cybersecurity strategy.

While regulatory requirements for critical infrastructure security are evolving, investing in a CADR assessment offers numerous advantages beyond compliance. The ability to identify gaps, prioritize improvements, and test resilience under controlled conditions is a valuable investment. For risk managers, addressing critical gaps in cybersecurity before an attack occurs is far more cost-effective than dealing with business interruptions, lawsuits, fines, reputational damage, or potential loss of life and injury.

In target-rich industries heavily reliant on industrial control systems, a CADR assessment can be the difference between minor inconveniences and major disruptions that threaten the existence of a business.

What:

  • CADR (Cybersecurity Architecture Design Review) is a comprehensive assessment process.
  • Evaluates and improves your OT (Operational Technology) cybersecurity posture.

Why:

  • Enables critical infrastructure operators to proactively identify and address gaps in their OT environments.
  • Enhances your resilience against cyber threats.
  • Goes beyond traditional assessments by testing the effectiveness of practices and controls in real-world scenarios.

When:

  • Immediately, due to TSA directives.
  • Operators must assess their OT environments and implement necessary protections to mitigate potential attacks.

Where:

  • Critical infrastructure operators across various industries.
  • Including manufacturing, transportation, energy, and food processing.

Who:

  • The CADR assessment is conducted by Axio and 1898 & Co., who have established themselves as leading experts in the field of cybersecurity and industrial control systems.
  • Our team carries out comprehensive assessments, leveraging expertise and knowledge of regulatory requirements, to support critical infrastructure operators in complying with security directives and improving their OT environment’s security.

How:

  • The CADR assessment involves a thorough review of the OT environment’s design, implementation, operation, and resilience, ensuring compliance with security directives.
  • It includes evaluations of network architecture, system configurations, logs, and network traffic.
  • By identifying vulnerabilities and gaps before an attack occurs, organizations have the opportunity to strengthen their cybersecurity posture and remain resilient in the worst-case scenario.

If you’re interested in learning more about the CADR assessment and how to get started, please contact us at [email protected]. Our team is ready to support critical infrastructure operators in ensuring optimal resilience against cyber threats.