
Framework for Improving Critical Infrastructure Cybersecurity

Implementation of Executive Order 13636

and Risk Approach

June 9, 2016

[email protected]

Executive Order: Improving Critical Infrastructure Cybersecurity

“It is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties”

President Barack Obama, Executive Order 13636, Feb. 12, 2013

• The National Institute of Standards and Technology (NIST) was directed to work with stakeholders to develop a voluntary framework for reducing cyber risks to critical infrastructure

• Version 1.0 of the framework was released on Feb. 12, 2014, along with a roadmap for future work; to allow time for adoption, a Framework version 2.0 was not, and still is not, planned for the near term


April 2016 Workshop plots evolution of NIST Cybersecurity Framework

• A Dell survey published in Dec 2015 states that 82% of the federal IT security employees surveyed are using sections of the framework within their own cybersecurity programs, with 53% using the entire guide.

• Of those using the framework, 74% state it’s used as a foundation for their cybersecurity roadmap, helping to improve organizational security; it’s “just a good policy” no matter which sector is embracing it.

• NIST posted a Request For Information in Dec 2015, seeking to learn from the private sector how organizations are sharing the framework’s best practices, what parts of the framework are utilized more than others and what sections need to be updated.

• The diversity of the 105 organizations that responded surprised NIST, given that the framework was originally geared toward protecting critical infrastructure. Submitted comments ranged from aerospace company Boeing to telecom giant AT&T, to the likes of Microsoft and trade groups like CompTIA and NASCIO.

The April 2016 workshop concluded there are opportunities to make small changes, clarifications, and maybe to expand some areas, but not a version 2.0.

The Framework in a Nutshell

• A guide to ensuring you include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks

• Provides a prioritized, flexible, repeatable, performance-based approach to help owners and operators of critical infrastructure identify, assess, and manage cyber risk

• Identifies areas for improvement to be addressed through future collaboration with particular sectors and standards-developing organizations

• Is consistent with voluntary international standards (more later in the presentation)

Key Points about the Cybersecurity Framework

• It’s a framework, not a prescription

• It provides a common language and systematic methodology for managing cyber risk

• It does not tell a company how much cyber risk is tolerable, nor does it claim to provide “the one and only” formula for cybersecurity

• Having a common lexicon to enable action across a very diverse set of stakeholders will enable the best practices of elite companies to become standard practices for everyone

• The framework is a living document

• It is intended to be updated over time as stakeholders learn from implementation, and as technology and risks change

• That’s one reason why the framework focuses on questions an organization needs to ask itself to manage its risk. While practices, technology, and standards will change over time, principles will not

Framework Core

The five Functions, each framed as the question it answers:

• Identify: What assets need protection?

• Protect: What safeguards are available?

• Detect: What techniques can identify incidents?

• Respond: What techniques can contain impacts of incidents?

• Recover: What techniques can restore capabilities?

When considered together, these Functions provide a high-level, strategic view of the life cycle of an organization's management of cybersecurity risk.

Framework Core Excerpt

(Table slide; columns: Function, Category, Subcategory, Informative References)

Establish or Improve a Cybersecurity Program

Step 1: Prioritize and Scope—Requests that organizations scope and prioritize business/mission objectives and high-level organizational priorities. This information allows organizations to make strategic decisions regarding the scope of systems and assets that support the selected business lines or processes within the organization.

Step 2: Orient—Provides organizations an opportunity to identify threats to, and vulnerabilities of, systems identified in the Prioritize and Scope step.

Step 3: Create a Current Profile—Identifies the requirement to define the current state of the organization's cybersecurity program by establishing a current state profile.

Step 4: Conduct a Risk Assessment—Allows organizations to conduct a risk assessment using their currently accepted methodology. The information from this step is used in Step 5.

Step 5: Create a Target Profile—Allows organizations to develop a risk-informed target state profile. The target state profile focuses on the assessment of the Framework Categories and Subcategories describing the organization's desired cybersecurity outcomes.

Step 6: Determine, Analyze, and Prioritize Gaps—Organizations conduct a gap analysis to determine opportunities for improving the current state. The gaps are identified by overlaying the current state profile with the target state profile.

Step 7: Implement Action Plan—After the gaps are identified and prioritized, the required actions are taken to close the gaps and work toward obtaining the target state.
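The overlay of Steps 5 and 6 can be made concrete in code. This is an added example, not NIST tooling: profiles are modelled as mappings from Core Subcategory ID (real IDs such as ID.AM-1 and DE.CM-1, with constructed implementation states on an assumed 0 to 3 scale), and each gap is scored by its shortfall times an assumed business priority carried over from Step 1.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Gap:
    """One Subcategory whose target state exceeds its current state."""
    subcategory: str
    current: int
    target: int
    priority: int  # business priority from Step 1, assumed 1 (low) to 3 (high)

    @property
    def score(self) -> int:
        # A larger shortfall on a higher-priority outcome sorts first.
        return (self.target - self.current) * self.priority


def find_gaps(current: dict, target: dict, priority: dict) -> list:
    """Step 6: overlay the Current Profile on the Target Profile.

    States use an assumed 0 (not implemented) to 3 (fully implemented)
    scale. A Subcategory absent from the current profile counts as 0.
    """
    gaps = []
    for sub, want in target.items():
        have = current.get(sub, 0)
        if want > have:
            gaps.append(Gap(sub, have, want, priority.get(sub, 1)))
    # Highest score first; ties broken by Subcategory ID for a stable plan.
    return sorted(gaps, key=lambda g: (-g.score, g.subcategory))


def action_plan(gaps: list) -> list:
    """Step 7 input: ordered (subcategory, levels still to close) pairs."""
    return [(g.subcategory, g.target - g.current) for g in gaps]


# Constructed sample profiles keyed by Core Subcategory ID.
CURRENT_PROFILE = {"ID.AM-1": 3, "ID.AM-2": 1, "PR.AC-1": 2, "DE.CM-1": 0}
TARGET_PROFILE = {"ID.AM-1": 3, "ID.AM-2": 3, "PR.AC-1": 3,
                  "DE.CM-1": 2, "RS.RP-1": 2}
PRIORITY = {"ID.AM-2": 3, "PR.AC-1": 2, "DE.CM-1": 3, "RS.RP-1": 1}

if __name__ == "__main__":
    for g in find_gaps(CURRENT_PROFILE, TARGET_PROFILE, PRIORITY):
        print(f"{g.subcategory}: {g.current} -> {g.target} (score {g.score})")
```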

Ongoing Risks and Controls


Controls That Feed Risk Management


The Process Flow


An Easy Approach to Ratings

A simplified risk rating guideline:

To assess likelihood, rate four factors:

– Skill (1 = high skill – 5 = low skill)

– Ease of access (1 = very difficult – 5 = very simple)

– Incentive (1 = low – 5 = high)

– Resource (1 = expensive & rare equipment – 5 = little resource)

Likelihood overall is the highest individual rating:

– Rare

– Unlikely

– Possible

– Likely

– Almost Certain

Impact index is rated relative to the Information Asset Profile:

– Insignificant (minor impact – absorbed as part of daily activity)

– Minor (absorbed at Group level – at least one Low CIA)

– Moderate (absorbed at Business Unit level – Medium CIA)

– Major (absorbed at Corp – at least one High CIA)

– Catastrophic (absorbed at Corp – multiple High CIA)
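The rating guideline above, worked through as an added example (not code from the presentation). The four likelihood factors, the five likelihood and impact names, and the CIA rules for each impact level follow the slide; the numeric CIA encoding (with an assumed "negligible" level below Low) and the 5x5 combining bands are assumptions made for this example.

```python
LIKELIHOOD = ["Rare", "Unlikely", "Possible", "Likely", "Almost Certain"]
IMPACT = ["Insignificant", "Minor", "Moderate", "Major", "Catastrophic"]
CIA_LEVELS = {"negligible": 0, "low": 1, "medium": 2, "high": 3}  # assumed


def likelihood(skill: int, access: int, incentive: int, resource: int) -> str:
    """Rate each factor 1 (hardest for an attacker) to 5 (easiest).

    The slide takes the overall likelihood as the highest single rating,
    so one easy factor is enough to make an event 'Almost Certain'.
    """
    factors = (skill, access, incentive, resource)
    if any(not 1 <= f <= 5 for f in factors):
        raise ValueError("each factor must be rated 1-5")
    return LIKELIHOOD[max(factors) - 1]


def impact(confidentiality: str, integrity: str, availability: str) -> str:
    """Derive the impact index from the asset profile's C, I and A ratings."""
    levels = [CIA_LEVELS[x.lower()]
              for x in (confidentiality, integrity, availability)]
    highs = levels.count(CIA_LEVELS["high"])
    if highs >= 2:
        return "Catastrophic"  # absorbed at Corp: multiple High CIA
    if highs == 1:
        return "Major"         # absorbed at Corp: at least one High CIA
    if CIA_LEVELS["medium"] in levels:
        return "Moderate"      # absorbed at Business Unit level
    if CIA_LEVELS["low"] in levels:
        return "Minor"         # absorbed at Group level
    return "Insignificant"     # absorbed as part of daily activity


def risk(likelihood_name: str, impact_name: str) -> str:
    """Combine the two indexes on a 5x5 matrix (band thresholds assumed)."""
    score = (LIKELIHOOD.index(likelihood_name) + 1) * (IMPACT.index(impact_name) + 1)
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


if __name__ == "__main__":
    # Constructed scenario: little skill needed, hard to reach, one High CIA rating.
    lk = likelihood(skill=5, access=2, incentive=3, resource=2)
    im = impact("High", "Medium", "Low")
    print(lk, im, risk(lk, im))  # Almost Certain Major High
```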

The Complete Methodology


Thank you!

Questions?

Resources: Where to Learn More and Stay Current

The National Institute of Standards and Technology Web site is available at http://www.nist.gov

NIST Computer Security Division Computer Security Resource Center is available at http://csrc.nist.gov/

The Framework for Improving Critical Infrastructure Cybersecurity and related news and information are available at www.nist.gov/cyberframework

For additional Framework info and help: [email protected]

