Cyber Critical Infrastructure Framework Panel

Date post: 06-May-2015
Upload: paul-di-gangi
Description:
The following presentation slides were used during the 2014 Cyber Summit Panel Session on Cyber Critical Infrastructure Guidelines at the University of Alabama at Birmingham
NIST Cyber Critical Infrastructure Guidelines
Transcript
Page 1: Cyber Critical Infrastructure Framework Panel

NIST Cyber Critical Infrastructure Guidelines

Page 2: Cyber Critical Infrastructure Framework Panel

Meet Our Panelists

Allen Johnston, Ph.D., Associate Professor of Information Systems

Paul M. Di Gangi, Ph.D., CISSP, Assistant Professor of Information Systems

Deborah Williams, CISSP, Program Manager

Matthew Speare, Head of Governance & Integration

Angella Carlisle, CISSP, CRISC, CHSP, IT Security Manager

Dave Summitt, CISSP, Chief Information Security Officer

Page 3: Cyber Critical Infrastructure Framework Panel

OUR NATION’S

Page 4: Cyber Critical Infrastructure Framework Panel

Critical Infrastructure Gone Digital...

Page 5: Cyber Critical Infrastructure Framework Panel
Page 6: Cyber Critical Infrastructure Framework Panel
Page 7: Cyber Critical Infrastructure Framework Panel

EO 13636: Improving Critical Infrastructure Cybersecurity

It is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.

February 2013

Page 8: Cyber Critical Infrastructure Framework Panel
Page 9: Cyber Critical Infrastructure Framework Panel

What are the critical infrastructure sectors?

85% PRIVATELY OWNED

Page 10: Cyber Critical Infrastructure Framework Panel

Critical Sector Reg’s/Standards/Laws

Sector                                Regulation / Standard / Law
Agriculture & Food                    21 CFR 11
Commercial Facilities                 25 CFR 542
Dams                                  CIP 002-009 (Mandatory)
Energy                                CIP 002-009 (Mandatory)
Information Technology                N/A
Postal & Shipping                     N/A
Banking & Finance                     12, 16, 17, 31 CFR (SOX, GLB, AML)
Communications                        N/A
Defense Industrial Base               NISPOM
Government Facilities                 N/A
National Monuments & Icons            N/A
Transportation Systems                49 CFR 193, 1520
Chemical                              6 CFR 27
Critical Manufacturing                N/A
Emergency Services                    N/A
Healthcare & Public Health            45 CFR 164 (HIPAA)
Nuclear Reactors, Materials & Waste   10 CFR 73 (NRC)
Water                                 42 U.S.C. 300-2 (Law)

What are we already doing to protect these sectors?

Page 11: Cyber Critical Infrastructure Framework Panel

But there are still gaps to the overall strategy!

Page 12: Cyber Critical Infrastructure Framework Panel

Organizational Views on Cybersecurity

Adaptive: Adapts cybersecurity practices based on lessons learned and predictive indicators; organization-wide approach to managing risk using risk-informed policies, processes, and procedures; actively shares information with partners.

Repeatable: Risk management practices are formally approved, expressed in policy, and updated regularly; organization-wide approach to managing risk using risk-informed policies, processes, and procedures; understands dependencies with partners.

Informed: Risk management practices are approved by management, but may not have established organization-wide policy; awareness of risk at the organizational level, but approach not established; not formally sharing with partners.

Partial: Risk management practices are not formalized and risk is managed in a reactive manner; implements risk management on a case-by-case basis; may not coordinate or collaborate with partners.

Page 13: Cyber Critical Infrastructure Framework Panel

Cybersecurity Framework

Page 14: Cyber Critical Infrastructure Framework Panel

Cybersecurity Framework

Strategically-oriented for “Big Picture” View

Threat/Risk Centric Process Approach

Page 15: Cyber Critical Infrastructure Framework Panel

Incentive Type / Summary Description

Grants

Fixed cost, performance-based awards for investment in cybersecurity products and services for prospective Framework adopters.

Rate-Recovery for Price-Regulated Industries

Recovery of cybersecurity investments in the rates charged for services provided by Framework adopters through a price cap, in which the government allows a firm to charge up to a certain maximum price that is independent of the realized cost.

Bundled Insurance Requirements, Liability Protection, and Legal Benefits

A system of litigation risk mitigation for which those entities that adopt the Framework and meet reasonable insurance requirements are eligible to apply. Other types of legal benefits may include limited indemnity, higher burdens of proof, or limited penalties; case consolidations; case transfers to a single Federal court; creation of a Federal legal privilege that preempts State disclosure and/or discovery requirements for certain cybersecurity self-assessments.

Prioritizing Certain Classes of Training and Technical Assistance

The Federal Government offers several types of technical assistance to critical infrastructure owners and operators, including preparedness support, assessments, training of employees, and advice on best practices.

Procurement Considerations

Introduce a technical requirement in the procurement process for certain types of acquisitions for Framework adopters, or requirements for Framework adoption for Federal information and communications technology providers or other contracts, particularly those involving access to sensitive government information or essential services.

Streamline Information Security Regulations

Creation of a unified compliance model for similar requirements and elimination of overlaps among existing laws; streamlining of differences between U.S. and international law (perhaps through treaties); ensuring equivalent adoption; reducing audit burdens; and offering prioritized permitting.

Why should organizations adopt a non-mandatory framework?

Page 16: Cyber Critical Infrastructure Framework Panel

Where are we in the timeline?

Page 17: Cyber Critical Infrastructure Framework Panel

Panel Discussion Questions:

What are the pressing issues for critical infrastructure organizations in the information security/assurance domain?

What are the initial reactions of organizations in your industry to the Critical Infrastructure guidelines that were recently released?

Page 18: Cyber Critical Infrastructure Framework Panel

Panel Discussion Questions:

How well do the Critical Infrastructure guidelines integrate with your existing regulatory requirements? What is new that is currently not addressed?

Are the Critical Infrastructure guidelines likely to become a standard for your industry or do you see a different set of guidelines being adopted?

Page 19: Cyber Critical Infrastructure Framework Panel

Panel Discussion Question:

What are the primary challenges your organization faces for implementing the Critical Infrastructure guidelines?

Page 20: Cyber Critical Infrastructure Framework Panel

Panel Discussion Questions:

Of the proposed incentives (grants, technical assistance, rate recovery, liability reform), which are most attractive to you?

How are the incentives being perceived within your industry for complying with the Critical Infrastructure guidelines?

Page 21: Cyber Critical Infrastructure Framework Panel
