Published on Jan 09, 2025

Dependencies - Why Did That Bring Our Network Down: Cyber Know Yourself Series

By Dr. Jonathan Avooske, Vice President of Information Advantage

‍

This is Article 3 in the Cyber Know Yourself Series - covering the critical components that must be understood by all cyber professionals and explained clearly to leadership. Here we are focused on dependencies; the full series covers critical digital infrastructure, attack surface and attack vectors, dependencies, supply chain, and survivability.

‍

Dependencies

‍

Dependencies are capabilities inside or outside the boundary of multiple items that normal operations are dependent upon. Multiple items can represent mission/ network/ process/ applications/ data etc. Dependencies are impactful. Many dependencies are unknown.

‍

The following questions must be addressed by the mission, platform, or network owners:

What are the network dependencies?
What dependencies are the most critical?
How do you know?
How can you find out?
What can you do?

‍

Recent examples of events that caused operational impacts to organizations that did not realize they had a dependence or a critical dependence with no planned workaround:

Malformed packets degraded Century Link, now Lumen, in the United States. Resulted in the loss of 911 service to 17 million people for 37 hours in 2019.
Confirmed hack of SolarWinds by Russian actors in 2019 culminating in the unwitting distribution of malware in 2020
Faulty update to software distributed in 2024 by CrowdStrike.

‍

In each of the chosen examples above, many impacted organizations did not understand their dependency or the operational impact. Sun Tzu said so long ago, “Know Yourself.” This means understanding the details of each capability, how it works, what is normal, and performing “what if” planning to identify opportunities for organizing the most effective and resilient communications and operations efforts during emergencies.

‍

P.A.C.E. Planning Framework

‍

The P.A.C.E planning framework is a particularly good planning method, as it identifies parties which need to communicate during emergencies, and the four best ways of communicating as technology degrades or becomes unavailable.

‍

The four layers of communications that make up the PACE method include:

Primary

The primary method of communication is typically the most effective and used for everyday communications. Primary communications methods include Fiber Optic Cable.

‍

Alternate

Alternate communications such as Military SatCom offers less capacity than fiber and can be affected by weather.

‍

Contingency

Contingency methods could be Commercial SatCom offering comparable capacity to MilSatCom but using a commercial carrier.

‍

Emergency

Emergency communication methods could be terrestrial Radio Frequency at much slower data rates.

‍

Colonial Pipeline lost the ability to bill customers due to a ransomware attack on the billing system. Planning in advance for such events utilizing problem “what-if” scenarios and a method like P.A.C.E is critical. In this case, the company might have been ready with an alternate means for billing when the core capability went down. This type of effort costs money but is less impactful than shutting down.

‍

Justifying the need for risk assessments to identify the best solution path can be expensive, but as we are finding out, doing nothing can be even more expensive.

‍

There are too many examples where the development and implementation of an effective PACE Plan could have prevented near catastrophe. However, it requires understanding all dependencies and understanding the criticality and operational impact of each.

‍

FTI has a proven methodology for “Knowing Yourself” within the Find, Fix, & Sustain (F2S) approach. If you’d like to understand more, we can be reached at Cyber@FTIDefense.com.

‍

About FTI

FTI provides deep data expertise, technology, and services that enhance the ability of the DoD, Intelligence Community, and other agencies of the Federal Government to make the best decisions possible. Drawing on nearly four decades of innovation, FTI's extensive portfolio of intellectual property and operational technologies has been augmented by more than $200 million of U.S. government and FTI R&D investment, and solutions can often be mission-ready in a matter of weeks at a fraction of the cost of alternatives. Headquartered in Beavercreek, Ohio, FTI operates in 34 states, works at all classification levels, and offers seven facilities of varying clearance levels nationwide.

‍

About FTI’s Information Advantage Group

Based on FTI’s Find, Fix, Sustain (F2S) framework, our defensive/resilient cyber solutions offer a portfolio of advanced technologies and services to help maintain and optimize cyber defense, including mission cyber risk analysis, supply chain Illumination, blue and gray space analysis, penetration testing, radio frequency (RF) analysis, and cyber-enhanced threat intelligence analysis. Stay in touch to learn more about how we can assist your organization in strengthening its digital preparedness and positioning for recovery. For further discussion or more information, please e-mail us at Cyber@FTIdefense.com.

‍