About NIST
• NIST’s mission is to develop and promote measurement, standards, and technology to enhance productivity, facilitate trade, and improve the quality of life.
• 3,000 employees
• 2,700 guest researchers
• 1,300 field staff in partner organizations
• Two main locations: Gaithersburg, MD and Boulder, CO
NIST Priority Research Areas
National Institute of Standards and Technology
Advanced Manufacturing, IT and Cybersecurity, Healthcare, Forensic Science, Disaster Resilience, Cyber-physical Systems, Advanced Communications
Computer Security Division
Biometrics – Software Assurance – Domain Name Security – Identity Management – FISMA – Security Automation – National Vulnerability Database – Configuration
Checklists – Digital Signatures – Risk Management – Authentication – IPv6 Security Profile – Supply Chain – NICE – Health IT Security – Key Management – Secure Hash – PKI – Privacy Engineering – Smart Grid – Continuous Monitoring –
Small Business Outreach – Mobile Devices – Standards – Cloud Computing – Usability – NSTIC – Passwords – Hardware Security – Electronic Voting – Wireless – Security Awareness – Vulnerability Measurement – Security Metrics –
Public Safety Communications – NCCoE
providing standards and guidelines, tools, metrics, and practices to protect
Improving Critical Infrastructure Cybersecurity
“It is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties”
President Barack Obama
Framework Core
Cybersecurity Framework Component
• Identify: What processes and assets need protection?
• Protect: What safeguards are available?
• Detect: What techniques can identify incidents?
• Respond: What techniques can contain impacts of incidents?
• Recover: What techniques can restore capabilities?
Profile
Cybersecurity Framework Component
Ways to think about a Profile:
• A customization of the Core for a given sector, subsector, or organization
• A fusion of business/mission logic and cybersecurity outcomes
• An alignment of cybersecurity requirements with operational methodologies
• A basis for assessment and expressing target state
• A decision support tool for cybersecurity risk
Implementation Tiers
Cybersecurity Framework Component
• Allow for flexibility in implementation and bring in concepts of maturity models
• Reflect how an organization implements the Framework Core functions and manages its risk
• Progressive, ranging from Partial (Tier 1) to Adaptive (Tier 4), with each Tier building on the previous Tier
• Characteristics are defined at the organizational level and are applied to the Framework Core to determine how a category is implemented.
(Figure: tier scale from None through Partial, Risk Informed, Repeatable, to Adaptive)
Industry Use
The Framework is designed to complement existing business and cybersecurity operations, and has been used to:
• Self-Assessment, Gap Analysis, Budget & Resourcing Decisions
• Standardizing Communication Between Business Units
• Harmonize Security Operations with Audit
• Communicate Requirements with Partners and Suppliers
• Describe Applicability of Products and Services
• Identify Opportunities for New or Revised Standards
• Categorize College Course Catalogs
• As a Part of Cybersecurity Certifications
• Categorize and Organize Requests for Proposal Responses
The Framework also supports:
• Consistent dialog, both within and amongst countries
• Common platform on which to innovate, and Identify market
Current & Near-Term Framework Activities
• Collect, Reflect, and Connect – understand where industry is having success, help others understand those successes, and facilitate relationships that support use and implementation
• Continue education efforts, including creation of self-help and re-use materials for those who are new to the Framework
• Continue awareness and outreach with an eye toward industry communities who are still working toward basal Framework knowledge and implementation
• Educate on the relationship between Framework and the larger risk management process, including how organizations can use Tiers
Since the Release of the Cybersecurity Framework
August 26, 2014: Request for Information: Experience with the Cybersecurity Framework. Questions focused on: awareness, experiences, and roadmap areas
Oct. 29-30, 2014, Florida Center for Cybersecurity: 6th Cybersecurity Framework Workshop. Goal: Raise awareness, encourage use as a tool, highlight examples of sector-specific efforts, implementation efforts, gather feedback
December 5, 2014: Update on the Cybersecurity Framework. Summary posted that includes analysis of RFI responses, feedback from the 6th workshop, an update on Roadmap areas, and next steps
February 12, 2015: 1 Year Anniversary of the Release. NIST Cybersecurity Framework site update to include: FAQs, Upcoming Events, and Industry Resources. Ongoing, targeted outreach continues
February 13, 2015: White House Releases Fact Sheet on Cybersecurity and Consumer Protection
Examples of Industry Resources
• The Cybersecurity Framework in Action: An Intel Use Case
• Energy Sector Cybersecurity Framework Implementation Guidance
• Cybersecurity Guidance for Small Firms
• Cybersecurity Risk Management and Best Practices Working Group 4: Final Report
On-Going NIST Community Dialogs
• Standards Organizations
  • British Standards Institute, Cloud Security Alliance, AXELOS, etc.
• Domestic Industry
  • Not only Critical Infrastructure, but also Non-CI
  • Product and Services
• Regulator
  • Every Federal Financial Services regulator
• Auditor
  • Information Systems Audit and Control Association
  • “The Big 4” Audit Firms
• Insurance
International Dialogs
Twenty-four (24) countries have participated in discussion with NIST, including dialog with:
• The European Union, and 11 out of 28 Member States
• 4 out of 5 of the Five Eyes
• 5 countries in Asia
• 4 countries in the Middle East
• The U.S. and the U.K. continue the dialog about harmonizing the U.K. Cyber Essentials with the Cybersecurity Framework
NIST Challenges
• High variance in sector communications = high variance in socialization = high variance in engagement
• Making sure that Federal organizations stay clear: FISMA is mandatory; the Cybersecurity Framework is optional, value-add
• Balancing adoption of version 1.0 with the growing desire for an update
• Servicing high demand with limited resources
• Determining the best long-term governance model to preserve or enhance value to industry
Discussion Questions
• Will it soon be time for a Framework update? If so, what needs to be changed/removed/added?
• Are there dimensions of the Framework that are well-suited for industry maintenance and evolution? What would a productive, combined industry-government relationship look like?
• Would a peer-recognition program help increase the likelihood that industry organizations would share information about their cyber security and risk management experiences?
• What practical advice/lessons learned/surprising use cases can you offer?
CEO’s Cyber Risk Dilemma
Our Board has a duty to protect its assets (including digital assets) and shareholder value.
Share Value = EPS × P:E Multiple
We consider factors affecting earnings, cash and PE Multiples (incl. brand erosion indices).
Yet we still have a difficult time linking cyber risk and share value.
Continued Board Challenges & Questions
1. Briefings in Tech language, not in EPS or P:E multiple factor terms
2. Where is Cyber in the Board Risk Committee?
3. Who highlights cyber impact in 10Q financials, footnotes or MD&A narratives?
4. Is there a cyber allocation in the ERM budget?
5. Do they quantify the cyber impact on financial and reputation exposure and its share value impact?
Framework Roadmap Items
Work Outside the Framework Team
Roadmap items:
• Authentication
• Automated Indicator Sharing
• Conformity Assessment
• Cybersecurity Workforce
• Data Analytics
• Federal Agency Cybersecurity Alignment
• International Aspects, Impacts, and Alignment
• Supply Chain Risk Management
• Technical Privacy Standards
Related work outside the Framework team:
• National Strategy for Trusted Identities in Cyberspace
• Draft SP 800-150 Cyber Threat Info Sharing
• Conversations, as needed
• National Initiative for Cybersecurity Education
• Draft Big Data Interoperability Framework
• SP 800-161 SCRM for Fed IS and Orgs
• Draft IR 8062 Privacy RM for Fed IS
Framework Roadmap Items
Work Within the Framework Team
(Same roadmap items as listed above.)
• Collaboration with NICE
• Draft SP to be released in 2016
Project Description
Objective: Create a Bulk Liquids Transportation Cybersecurity Framework Profile
Value: By creating a Subsector level Cybersecurity Framework Profile, we are:
• Minimizing future work by each organization
• Decreasing the chance that organizations accidentally omit a requirement
• Reducing errors due to varying interpretations
Building a Profile
A Profile Can be Created in Three Steps
(Figure: a Profile table with one row per Subcategory (1, 2, 3, …, 98), assembled from three inputs:)
• Mission Priority Objectives (1 A, 2 B, 3 C)
• Cybersecurity Requirements: Legislation, Regulation, Internal & External Policy, Best Practice
• Operating Methodologies: guidance and methodology on implementing, managing, and monitoring
Conceptual Profile
Value Proposition
Cybersecurity Requirements | Subcategory | Priority | Operating Methodologies
A                          | 1           | moderate | I, II
B, C                       | 2           | high     | III
D, E                       | 3           | moderate | IV, V
F                          | …           | …        | VI, VII
G                          | 98          | moderate | VIII
When you organize yourself in this way:
• Compliance reporting becomes a byproduct of running your security operation
• Adding new security requirements is straightforward
• Adding or changing operational methodology is
Resource and Budget Decisioning
What Can You Do with a CSF Profile
Sub-category | Priority | Gaps   | Year 1 Activities | Year 2 Activities
1            | moderate | small  | X                 |
2            | high     | large  | X                 |
3            | moderate | medium |                   | X
…            | …        | …      |                   |
98           | moderate | none   | reassess          |
(Figure: the profile moves from As-Is through Year 1 To-Be to Year 2 To-Be.)
Customizing a Subsector CSF Profile
Subsector CSF Profile (customization produces the Organization-Specific CSF Profile below):
Cybersecurity Requirements | Subcategory | Priority | Operating Methodologies
A                          | 1           | moderate | I, II
B, C                       | 2           | high     | III
D, E                       | 3           | moderate | IV, V
F                          | …           | …        | VI, VII
G                          | 98          | moderate | VIII
Organization-Specific CSF Profile:
Cybersecurity Requirements | Subcategory | Priority | Operating Methodologies
A                          | 1           | moderate | I, II
B, C                       | 2           | high     | III, Additional practice
D, E                       | 3           | high     | IV, V
F, Organization Policy     | …           | …        | VI, VII
G                          | 98          | moderate | VIII
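As an added illustration that is not part of the presentation, the Python below models a Profile the way the slides lay it out: the subsector table, its customization into an organization-specific profile, compliance reporting as a byproduct of the requirement-to-methodology mapping, and the gap-to-year plan from the "What Can You Do with a CSF Profile" slide. The Row type, the customize, compliance_report and plan_activities functions, and the override and scheduling rules are assumptions for this example; the sample rows are constructed to follow the slides.

```python
from dataclasses import dataclass, replace
RANK = {"low": 0, "moderate": 1, "high": 2}  # priority ordering used by customize()
@dataclass(frozen=True)
class Row:  # one Profile row: subcategory, priority, requirements, methodologies, gap
    subcategory: int
    priority: str
    requirements: tuple
    methodologies: tuple
    gap: str = "none"  # "none", "small", "medium" or "large"
# Constructed subsector profile, following the rows shown on the slides.
SUBSECTOR_PROFILE = (
    Row(1, "moderate", ("A",), ("I", "II"), "small"),
    Row(2, "high", ("B", "C"), ("III",), "large"),
    Row(3, "moderate", ("D", "E"), ("IV", "V"), "medium"),
    Row(98, "moderate", ("G",), ("VIII",)),
)
# Constructed organization-specific overrides, as on the customization slide.
ORG_OVERRIDES = {2: {"methodologies": ("Additional practice",)},
                 3: {"priority": "high"},
                 98: {"requirements": ("Organization Policy",)}}

def customize(profile, overrides):
    """Organization-specific profile. Assumed rule: an override may raise a
    priority or add requirements/methodologies, never drop subsector content."""
    out = []
    for row in profile:
        o = overrides.get(row.subcategory, {})
        prio = max(row.priority, o.get("priority", row.priority), key=RANK.get)
        out.append(replace(row, priority=prio,
                           requirements=row.requirements + tuple(o.get("requirements", ())),
                           methodologies=row.methodologies + tuple(o.get("methodologies", ()))))
    return tuple(out)

def compliance_report(profile):
    """Requirement -> methodologies implementing it, read straight off the rows."""
    report = {}
    for row in profile:
        for req in row.requirements:
            report.setdefault(req, set()).update(row.methodologies)
    return {req: sorted(m) for req, m in report.items()}

def plan_activities(profile):
    """Gap closure by year (assumed rule that reproduces the slide's table):
    no gap -> reassess; high priority or small gap -> Year 1; else Year 2."""
    plan = {}
    for row in profile:
        year = "Year 1" if row.priority == "high" or row.gap == "small" else "Year 2"
        plan[row.subcategory] = "reassess" if row.gap == "none" else year
    return plan
```

Because every row carries both its requirements and its methodologies, the report for a requirement never has to be assembled separately from the operation that satisfies it.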
The National Institute of Standards and Technology Web site is available at http://www.nist.gov
NIST Computer Security Division Computer Security Resource Center is available at http://csrc.nist.gov/
The Framework for Improving Critical Infrastructure Cybersecurity and related news and information are available at www.nist.gov/cyberframework
For additional Framework info and help [email protected]
Matt Barrett
202.748.1624