SOLUTION BRIEF
NIST FRAMEWORK FOR IMPROVING CRITICAL INFRASTRUCTURE CYBERSECURITY
The NIST Framework for Improving Critical Infrastructure Cybersecurity - Healthcare Security Solutions: Protecting Your Organization, Patients, And Information
DRAFT
“Every company is constantly under attack. If anybody tells you they’re not, it just means they don’t know. It is a threat that is broad-based. It’s not just from one source ... and it’s just unceasing.” [1]
ca.com 3 | SOLUTION BRIEF: NIST FRAMEWORK FOR CYBERSECURITY FOR CRITICAL INFRASTRUCTURE
The Increasing Threat to Critical Infrastructure
Attacks on sensitive IT systems and data increased during 2013, and many of them caused substantial financial and reputational damage to the companies involved. Yet a successful attack on the underpinnings of the nation’s critical infrastructure would have far more catastrophic impacts than this.
The NIST Framework for Cybersecurity for Critical Infrastructure was approved in February 2014 and is intended to help establish guidelines and best practices for ensuring that our critical systems are adequately protected. Although it is a voluntary framework, it is expected to be adopted by many companies in order to strengthen their security posture.
An emphasis on flexibility
The NIST Framework was designed with a very high degree of flexibility for organizations that would like
to follow its guidelines. It is also technology-neutral, and incorporates existing industry standards and
best practices—no “re-inventing the wheel”. Most importantly, it enables each organization to profile its
own cybersecurity efforts, define a target profile, and then put in place a plan to reach that goal. In this
regard, its guidelines should be considered not as requirements but as scorecards that are based on the
unique business needs, risk appetite, and security demands for each environment and provide a guide for
continuous improvement based on changing risk and threat dynamics.
What is “critical infrastructure?”
When we think about the nation’s critical infrastructure, we usually think of the grid, water supplies, national defense, and the like. But the Framework makes clear that “critical infrastructure” is an expansive concept that includes many systems that aren’t generally thought of in this context, such as: commercial facilities;
Overview of the Framework
The Framework consists of three major elements:
Framework Core – A set of cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure sectors. The Core presents industry standards, guidelines, and practices in a manner that allows for communication of cybersecurity activities and outcomes across the organization from the executive level to the implementation/operations level.
Framework Implementation Tiers – Tiers describe the degree to which an organization’s cybersecurity risk management practices exhibit the characteristics defined in the Framework. There are four tiers that can be used to identify the “current state” of your cybersecurity effort. These tiers and their brief characteristics include:
• Tier 1 (Partial): Informal cybersecurity risk management practices, ad hoc and reactive approach to risk management
• Tier 2 (Risk-Informed): Management-approved risk management processes, awareness of risk at organizational level, but lack of organization-wide approach
• Tier 3 (Repeatable): Risk management processes expressed as policy, organization-wide approach to manage cybersecurity risk, risk-informed policies, processes and procedures
• Tier 4 (Adaptive): Adaptable cybersecurity practices based on lessons learned and predictive indicators, continuous improvement incorporating advanced technologies and practices, active sharing of information with partners both before and after cybersecurity events
Framework Profile – Describes outcomes based on the business need and risk assessment that the organization has selected from the Core. This information enables you to identify opportunities for improving cybersecurity by moving from “current state” to “target state”. To develop a Profile, an organization can review all the Categories and Subcategories and, based on business drivers and a risk assessment, determine which are most important. The Current Profile can then be used to support prioritization and measurement of progress towards the Target Profile. It can also be used to support communication within the organization.
The Framework Core—a little more detail
The Core consists of functions, categories, subcategories, and related industry standards. Note that the Core does not represent a set of actions to perform; rather, it defines outcomes that are helpful in improving cybersecurity. The functions in the Core are:
• Identify – develop the organizational understanding to manage cybersecurity risk to systems, applications, and data
• Protect – implement safeguards to ensure the secure delivery of infrastructure services
• Detect – implement the appropriate activities to identify a cybersecurity event
• Respond – implement the appropriate activities to take action on a cybersecurity event
How to Use the Framework to Improve Cybersecurity
The Framework is not intended to replace your existing security processes. Rather, it is intended to
complement them, and to help you develop a profile of your current security state, as well as identify your
“desired state” of security, based on the guidelines in the Framework. This approach will enable you to
develop an action plan for improving your cybersecurity profile, consistent with your business needs, risk
appetite and available resources.
A simplified approach to leveraging the Framework is as follows:
• Prioritize and scope – Determine your business priorities and scope the critical business systems that support these priorities and objectives. Identify your regulatory requirements and risk appetite, and identify areas of vulnerabilities and threats.
• Create a current cybersecurity profile – Using the Framework, identify areas where your processes meet your business needs, and those that need strengthening.
• Conduct a security risk assessment – Determine the likelihood of a cybersecurity event and the impact that it would have on your organization, and include your appetite for ongoing risk.
• Create a target profile – Given your current profile and risk appetite, what areas need improvement? Determine where you would like to be in terms of the Framework profiles, and what your time frame is.
• Determine gaps – What areas need strengthening for you to arrive at your desired target profile? Identify these areas, analyze them, and prioritize their implementation. Identify resources required to evolve each area of your profile to the desired state.
• Finalize an action plan – Based on your priorities and required resources, lay out a path to reach your target profile.
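As an added illustration (not part of the brief, and not code from any CA product), the profile-to-action-plan steps above can be expressed as a small gap-analysis calculation: each Core subcategory carries a current and target tier plus a likelihood and impact score, and the action plan lists only the outcomes that have a gap and exceed the risk appetite, highest risk first. The 1-5 likelihood/impact scale, the risk appetite threshold, and the sample profile are constructed assumptions.

```python
"""Constructed example: current-vs-target Profile gap analysis."""
from dataclasses import dataclass

# Implementation tiers as named in the brief.
TIERS = {1: "Partial", 2: "Risk-Informed", 3: "Repeatable", 4: "Adaptive"}


@dataclass(frozen=True)
class Outcome:
    """One Core subcategory as scored in the current and target Profiles."""
    sub_id: str      # Core subcategory ID, e.g. "PR.AC-4"
    current: int     # tier the organization is at today (1-4)
    target: int      # tier it wants to reach (1-4)
    likelihood: int  # 1-5 from the risk assessment (constructed scale)
    impact: int      # 1-5 from the risk assessment (constructed scale)

    def __post_init__(self):
        if self.current not in TIERS or self.target not in TIERS:
            raise ValueError(f"{self.sub_id}: tier must be one of {sorted(TIERS)}")
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.sub_id}: likelihood and impact must be 1-5")


def risk_score(o: Outcome) -> int:
    """Likelihood x impact: the 'conduct a security risk assessment' step."""
    return o.likelihood * o.impact


def gap(o: Outcome) -> int:
    """Tiers still to climb from current to target: the 'determine gaps' step."""
    return max(o.target - o.current, 0)


def build_action_plan(outcomes, risk_appetite: int):
    """Return [(sub_id, gap, risk)] ordered for the action plan.

    Outcomes already at target, or whose risk is within appetite, are left out;
    the rest are sorted highest risk first, then largest gap, then by ID.
    """
    rows = [(o.sub_id, gap(o), risk_score(o)) for o in outcomes
            if gap(o) > 0 and risk_score(o) > risk_appetite]
    return sorted(rows, key=lambda r: (-r[2], -r[1], r[0]))


# Constructed sample profile using subcategory IDs from the Protect function.
SAMPLE_PROFILE = [
    Outcome("PR.AC-1", current=2, target=4, likelihood=4, impact=5),
    Outcome("PR.AC-4", current=1, target=3, likelihood=3, impact=5),
    Outcome("PR.DS-2", current=3, target=3, likelihood=2, impact=4),  # already at target
    Outcome("PR.MA-2", current=1, target=4, likelihood=3, impact=5),
    Outcome("PR.PT-1", current=2, target=3, likelihood=2, impact=2),  # risk within appetite
]
```

Calling `build_action_plan(SAMPLE_PROFILE, risk_appetite=6)` drops PR.DS-2 and PR.PT-1 and orders the rest PR.AC-1, PR.MA-2, PR.AC-4.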
CA Security and the NIST Framework
Of the functions described above, the one most relevant to protection of systems and data is the Protect
function. The Protect categories describe outcomes relating to protecting systems and data from a variety of
threats, both internal and external. It also includes procedural topics such as awareness, training, and
management of technology assets—requirements that do not require a security solution.
The categories of the Protect function, and the name of any CA Technologies security solution that can help with compliance for each category, are as follows:
Function | ID    | Category                  | Primary Product                | Secondary Product
Protect  | PR.AC | Access Control            | CA Privileged Identity Manager |
Protect  | PR.AT | Awareness & Training      | Not relevant to CA Solutions   |
Protect  | PR.DS | Data Security             | CA Privileged Identity Manager | CA API Mgt & Security; CA Data Protection
Protect  | PR.IP | Info Protection Processes | Not relevant to CA Solutions   |
Protect  | PR.MA | Maintenance               | CA Privileged Identity Manager |
Protect  | PR.PT | Protective Technology     | CA Privileged Identity Manager | CA SSO; CA API Mgt & Security
Let’s look in more detail at how CA solutions can help an organization achieve outcomes that conform to these requirements. Critical capabilities for Framework compliance are bolded.
Category: Access Control
PR.AC-1: Identities and credentials are managed for authorized devices and users
CA Privileged Identity Manager manages and secures privileged identities. It can restrict access to systems and accounts (including shared accounts) to only authorized users. Access to accounts is managed by CA Shared Account Management.
PR.AC-2: Physical access to assets is managed and protected
Not relevant to CA Security solutions
PR.AC-3: Remote access is managed
CA Privileged Identity Manager manages remote connections to systems and devices. Host-based access controls can restrict remote connections according to criteria including IP address. It can also restrict remote connections to ensure they come from the proxy server.
PR.AC-4: Access permissions are managed, incorporating the principles of least privilege and separation of duties
CA Privileged Identity Manager provides fine-grained access controls that can ensure separation of duties and least-privilege access. It does this at the OS kernel level, making it the most secure access control implementation. CA Shared Account Management provides both least privilege access and separation of duties by controlling who has access to shared, privileged accounts.
The CA Identity Suite also helps ensure proper access rights through automation of access certifications and role-based provisioning processes.
PR.AC-5: Network integrity is protected, incorporating network segregation where appropriate
CA Privileged Identity Manager can restrict inbound and outbound connections to systems and devices to specific IP addresses, helping to preserve network integrity.
Category: Data Security
PR.DS-1: Data-at-rest is protected
The CA Solution can protect specific files and folders, so it can protect “Data-at-rest”. Access to protected resources can be denied to even the superuser.
PR.DS-2: Data-in-transit is protected
CA API Management & Security secures data-in-transit through protocol-, message-, and field-level confidentiality, integrity, and availability protection.
PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition
Not relevant to CA Security solutions
PR.DS-4: Adequate capacity to ensure availability is maintained
Not relevant to CA Security solutions
PR.DS-5: Protections against data leaks are implemented
• CA Data Protection can discover, classify, and protect sensitive info against disclosure, theft, and improper actions (email, USB device, etc.)
• The CA API Suite can protect against common data extraction threats, validate request/response data schemas, and filter message content in transit
PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity
CA Privileged Identity Manager provides a “Trusted Program Execution” capability that can ensure that programs have not been modified before execution.
PR.DS-7: The development and testing environment(s) are separate from the production environment
Category: Maintenance
PR.MA-1: Maintenance and repair of organizational assets is performed and logged in a timely manner, with approved and controlled tools
CA Privileged Identity Manager can manage and monitor maintenance sessions on critical systems and devices. It can control access to the identities used to provide maintenance, restrict that access to follow the principle of least privilege, and log all user actions. “Break Glass” functionality can enable emergency maintenance.
PR.MA-2: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access
It can manage and also monitor remote maintenance of systems and devices.
Category: Protective Technology
PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy
It can log all actions taken by users, including administrators. It can track actions performed using shared accounts to individuals.
PR.PT-2: Removable media is protected and its use restricted according to policy
The CA Solution can prevent execution of any executable that is identified as non-essential.
PR.PT-3: Access to systems and assets is controlled, incorporating the principle of least functionality
• It also provides fine-grained access controls to systems and assets on them to protect against unauthorized access
• CA SSO centrally controls access to Web apps from all devices
• CA Identity Suite helps ensure correct access entitlements for all users. Role discovery, provisioning, and automated access certification help ensure correct access rights.
• CA API secures access to service interfaces from all devices and applications
• CA Advanced Authentication enables risk-based, strong authentication of users, to protect against stolen credentials or brute force authentication attempts.
PR.PT-4: Communications and
Summary of Key Security Capabilities
In order to conform to the guidelines of the Protect function, the following capabilities are very important:
Key Capability | Description | Benefit
Shared Account Password Management | Control access to privileged, administrative accounts with password storage and automatic login capabilities. | Reduces the risk of unauthorized users gaining access to privileged accounts. Prevents password sharing.
Fine-Grained Access Controls | Control what access privileged users have based on their individual identity, even when using a shared administrative account. | Reduces risk by providing administrators with only the minimum privileges they need to do their jobs.
User Activity Reporting / Video Session Recording | Records all user actions, tracking all records by individual, even when a shared account is used. | Makes it simple to find out “who did what” in a forensic investigation.
End-to-End Encryption | Protect all data-in-transit through data encryption. | Improved security and confidentiality of data.
API Management & Security | Control access to APIs based on identity and access rights. Combat data extraction and other attacks. | Protect against external, targeted attacks and data leaks.
Strong, Risk-based Authentication | Enable strong, multi-factor authentication, with risk analysis based on contextual factors. | Improve security for all users, combat identity theft and stolen credential attacks.
Copyright ©2014. CA. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for your informational purposes only. CA assumes no responsibility for the accuracy or completeness of the information. To the extent permitted by applicable law, CA provides this document “as is” without warranty of any kind, including, without limitation, any implied warranties of merchantability, fitness for a particular purpose, or noninfringement. In no event will CA be liable for any loss or damage, direct or indirect, from the use of this document, including, without limitation, lost profits, business interruption, goodwill, or lost data, even if CA is expressly advised in advance of the possibility of such damages.
CA does not provide legal advice. Neither this document nor any CA software product referenced herein shall serve as a substitute for your compliance with any laws (including but not limited to any act, statute, regulation, rule, directive, policy, standard, guideline, measure, requirement, administrative order, executive order, etc. (collectively, “Laws”)) referenced in this document. You should consult with competent legal counsel regarding any Laws referenced herein. CS200-94681_1014
[1] Wes Bush, Northrop Grumman Chief Executive, http://m.csoonline.com/article/732784/defense-contractor-under-cyberattack-for-three-years?source=CSONLE_nlt_salted_hash_2013-05-06
[2] http://www.forbes.com/sites/ciocentral/2012/12/05/the-biggest-cybersecurity-threats-of-2013-2/
[3] The Ponemon Institute, “The Risk of Insider Fraud: Second Annual Study,” February 2013