NIST Cybersecurity Initiatives. ARC World Industry Forum 2014
|
|
- Marian Young
- 8 years ago
- Views:
Transcription
1 NIST Cybersecurity Initiatives Keith Stouffer and Vicky Pillitteri NIST ARC World Industry Forum 2014 February 10-13, 2014 Orlando, FL
2 National Institute of Standards and Technology (NIST) NIST s mission is to develop and promote measurement, standards, and technology to enhance productivity, facilitate trade, and improve the quality of life. 3,000 employees 2,700 guest researchers 1,300 field staff in partner organizations Two main locations: Gaithersburg, Md., and Boulder, Colo. $840 million annual budget NIST Laboratories National measurement standards Manufacturing Extension Partnership Centers nationwide to help small manufacturers 2
3 Advanced Manufacturing IT and Cybersecurity Healthcare Ensuper NIST STILLFX S.Bonk Jovan Nikolic designersart TebNad Chuck Rausin/shutterstock.com NIST Priority Research Areas Forensic Science Disaster Resilience Cyberphysical Systems Advanced Communications 3
4 Executive Order Improving Critical Infrastructure Cybersecurity It is the policy of the United States to enhance the security and resilience of the Nation s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties NIST is directed to work with stakeholders to develop a voluntary framework for reducing cyber risks to critical infrastructure This Cybersecurity Framework is being developed in an open manner with input from stakeholders in industry, academia, and government, including a public review and comment process, workshops, and other means of engagement. 4
5 The Cybersecurity Framework For the Cybersecurity Framework to meet the requirements of the Executive Order, it must: include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks. provide a prioritized, flexible, repeatable, performancebased, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk. identify areas for improvement that should be addressed through future collaboration with particular sectors and standards-developing organizations able technical innovation and account for organizational differences include guidance for measuring the performance of an entity in implementing the Cybersecurity Framework. 5
6 Development of the Preliminary Cybersecurity Framework Engage the Framework Stakeholders EO Issued February 12, 2013 NIST Issues RFI February 26, st Framework Workshop at Department of Commerce April 03, 2013 Collect, Categorize, and Post RFI Responses Completed April 08, 2013 Analyze RFI Responses Identify Common Practices/Themes May 15, nd Framework Workshop at CMU May 29-31, 2013 Ongoing Engagement: Open public comment and review encouraged and promoted throughout the process Identify Framework Elements Draft Outline of Preliminary Framework June rd Framework Workshop at UCSD July 10-12, 2013 Prepare and Publish Preliminary Framework 4 th Framework Workshop at UT Dallas Sept 11-13, 2013 Publish Preliminary Framework Oct 29,
7 From the Preliminary Framework to the Final Framework and Beyond Prepare and Publish Preliminary Framework Publish Preliminary Framework Oct 29, 2013 Begin 45 day Public Comment Period Additional Ongoing Public Engagement Stakeholder outreach discussions continue Public Comment Period Public comment period closes Dec 13, 2013 Ongoing Engagement: Open public comment and review encouraged and promoted throughout the process Cybersecurity Framework Version 1.0 Complete comment resolution & disposition Publish Final Cybersecurity Framework Feb 13, 2014 Framework Governance Framework maintenance and updates 7
8 Stakeholder Engagement Shaped the Framework Content The Framework language and communication is critical to success The Framework must reflect characteristics of people, processes, and technologies The Framework must be inclusive of and not disruptive to those good practices in use today The Framework must include the fundamentals Determination of risk tolerance for critical infrastructure must be informed by national interests Threat information must inform Framework implementation 8
9 Cybersecurity Framework Adoption An organization adopts the framework when it uses the Cybersecurity Framework as a key part of its systematic process for identifying, assessing, prioritizing, and/or communicating: cybersecurity risks, current approaches and efforts to address those risks, and steps needed to reduce cybersecurity risks as part of its management of the organization s broader risks and priorities 9
10 Voluntary Program for Critical Infrastructure Cybersecurity Enhancement The Department of Homeland Security (DHS) is leading the development of a Voluntary Program for Critical Infrastructure Cybersecurity Enhancement. The Voluntary Program will: Be the coordination point within the federal government for critical infrastructure owners and operators interested in improving their cyber risk management processes. Coordinate additional CSF outreach activities through partnership with Sector Specific Agencies, Sector Coordinating Councils, and other industry partners Voluntary Program Goals: 1. Support industry in increasing cyber resilience 2. Increase awareness and use of the CSF in support of the first goal For more information, please contact: DHSVoluntaryProgram@hq.dhs.gov 10
11 NIST SP , Rev 4: Overview Security and Privacy Controls for Federal Information Systems and Organizations Purpose: Provide guidelines for selecting and specifying security controls for organizations and information systems supporting the executive agencies of the federal government to meet the requirements of FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems. The guidelines apply to all components of an information system that process, store, or transmit federal information. The guidelines have been developed to achieve more secure information systems and effective risk management within the federal government. 11
12 NIST SP , Rev 4: What s New Clarification of the term baseline The security controls and control enhancements listed in the initial baselines are not a minimum, rather a proposed starting point for controls/control enhancements may be removed or added based on the tailoring guidance Expanded tailoring guidance Addition of Overlays Privacy New Appendix J Minimum Assurance Revised Appendix E Strengthening of specification language 12
13 NIST SP , Rev 4: Privacy Appendix J Privacy and security are complementary and mutually reinforcing Appendix J complements security controls Privacy control families are the same as those in the FEA Security and Privacy Profile, v3, Sept 2010 Appendix J is based on Fair Information Practice Principles from the Privacy Act of 1974 E-Government Act of 2002, Section 208 Privacy-related OMB guidance The objective of Appendix J is to promote closer cooperation between privacy and security officials Intended for organizational privacy officials (e.g., CPOs) working with: Program managers Information system developers Information technology staff Information security personnel Each control is intended to be applied with respect to an organization s distinct mission and operational needs 13
14 NIST SP , Rev 4: Overlays Overlays complement initial security control baselines Provide the opportunity to add or eliminate controls Provide security control applicability and interpretations Establish community-wide parameter values for assignment and/or selection statements in security controls and control enhancements Extend the supplemental guidance for security controls, where necessary Types of Overlays Communities of interest (e.g., healthcare, intelligence, financial) Information technologies/computing paradigms (e.g., cloud/mobile, Smart Grid) Industry sectors (e.g., chemical, manufacturing) Types of information systems (e.g., industrial/process control systems, weapons systems) Types of missions/operations (e.g., counter terrorism, first responders) 14
15 Industrial Control System (ICS) Overlay The ICS overlay is a partial tailoring of the controls and control baselines in SP , Revision 4, and adds supplementary guidance specific to ICS. The concept of overlays is introduced in Appendix I of SP , Revision 4. The ICS overlay is intended to be applicable to all ICS systems in all industrial sectors. Further tailoring can be performed to add specificity to a particular sector (e.g., pipeline, energy). The ICS overlay will be included as Appendix G in NIST SP , Revision 2. Ultimately, an overlay may be produced for a specific system (e.g., the XYZ company) 15
16 Industrial Control Systems (ICS) Overview Industrial Control Systems (ICS) is a general term that encompasses several types of control systems including: Supervisory Control and Data Acquisition (SCADA) systems Distributed Control Systems (DCS) Other control system configurations such as Programmable Logic Controllers (PLC) ICS are specialized Information Systems that physically interact with the environment Many ICS are components of the Critical Infrastructure 16
17 SCADA Examples SCADA systems are used in the electricity sector, oil and gas pipelines, water utilities, transportation networks and other applications requiring remote monitoring and control. 17
18 DCS Examples Manufacturing Electric Power Generation Refineries 18
19 ICS Security Challenges Real time constraints - IT security technology can impact timing, inhibit performance (response times are on the order of ms to s) Balancing of performance, reliability, flexibility, safety, security requirements Difficulty of specifying requirements and testing capabilities of complex systems in operational environments Security expertise and domain expertise required, but are often separated 19
20 ICS Security Standards and Guidelines Strategy Add control systems domain expertise to: Already available Information Security Risk Management Framework Provide workable, practical solutions for control systems without causing more harm than the incidents we are working to prevent This expertise takes the form of specific cautions, recommendations & requirements for application to control systems - throughout both technologies and programs NIST SP Guide to Industrial Control System (ICS) Security ICS Overlay for NIST SP , Rev 4 security controls 20
21 NIST SP Guide to Industrial Control Systems Security Provide guidance for establishing secure ICS, including implementation guidance for SP controls Content Overview of ICS Risk Management ICS Security Program Development and Deployment Network Architecture ICS Security Controls Appendixes ICS Threats, Vulnerabilities, and Incidents Activities in Industrial Control Systems Security Emerging Security Capabilities ICS Overlay Downloaded over 2,500,000 times since initial release and is heavily referenced by the public and private industrial control community 21
22 Major ICS Security Objectives Restricting logical access to the ICS network and network activity This includes using a demilitarized zone (DMZ) network architecture with firewalls to prevent network traffic from passing directly between the corporate and ICS networks, and having separate authentication mechanisms and credentials for users of the corporate and ICS networks. The ICS should also use a network topology that has multiple layers, with the most critical communications occurring in the most secure and reliable layer. Restricting physical access to the ICS network and devices Unauthorized physical access to components could cause serious disruption of the ICS s functionality. A combination of physical access controls should be used, such as locks, card readers, and/or guards. 22
23 Major ICS Security Objectives Protecting individual ICS components from exploitation This includes deploying security patches in as expeditious a manner as possible, after testing them under field conditions; disabling all unused ports and services; restricting ICS user privileges to only those that are required for each person s role; tracking and monitoring audit trails; and using security controls such as antivirus software and file integrity checking software where technically feasible to prevent, deter, detect, and mitigate malware. Maintaining functionality during adverse conditions This involves designing the ICS so that each critical component has a redundant counterpart. Additionally, if a component fails, it should fail in a manner that does not generate unnecessary traffic on the ICS or other networks, or does not cause another problem elsewhere, such as a cascading event. 23
24 NIST SP , Rev 2 NIST SP , Rev 2 is a major update Updates to ICS threats and vulnerabilities Updates to ICS risk management, recommended practices and architectures Updates to current activities in ICS security Updates to security capabilities and technologies for ICS Additional alignment with other ICS security standards and guidelines New tailoring guidance for NIST SP , Rev 4 security controls including introduction of overlays ICS overlay for NIST SP , Rev 4 security controls that will provide tailored security control baselines for Low, Moderate, and High impact ICS 24
25 NIST SP Security Baselines LOW Baseline - Selection of a subset of security controls from the master catalog consisting of basic level controls MOD Baseline - Builds on LOW baseline. Selection of a subset of controls from the master catalog basic level controls, additional controls, and control enhancements HIGH Baseline - Builds on MOD baseline. Selection of a subset of controls from the master catalog basic level controls, additional controls, and control enhancements Categorization based on the potential level of impact if the Availability, Integrity or Confidentiality of the system or information on the system is compromised. 25
26 Low Impact System 26
27 ICS Impact Level Definitions Low Impact ICS Product Examples: Non hazardous materials or products, Non-ingested consumer products Industry Examples: Plastic Injection Molding, Warehouse Applications Security Concerns: Protecting people, Capital investment, Ensuring uptime 27
28 Moderate Impact Systems 28 28
29 ICS Impact Level Definitions Moderate Impact ICS Product Examples: Some hazardous products and/or steps during production, High amount of proprietary information Industry Examples: Automotive Metal Industries, Pulp & Paper, Semi-conductors Security Concerns: Protecting people, Trade secrets, Capital investment, Ensuring uptime 29
30 High Impact System 30
31 High Impact System!!! 31
32 ICS Impact Level Definitions High Impact ICS Product Examples: Critical Infrastructure, Hazardous Materials, Ingested Products Industry Examples: Utilities, PetroChemical, Food & Beverage, Pharmaceutical Security Concerns: Protecting human life, Ensuring basic social services, Protecting environment 32
33 World Record High Impact System 33 33
34 NIST SP , Rev 2 Schedule NIST will collaborate with the public and private sectors over the next year to produce SP , Rev 2 Two drafts for public comment are expected First public draft expected spring 2014 Final public draft expected late summer 2014 NIST SP , Rev 2 is expected to be finalized late
35 Contact Information Keith Stouffer Engineering Laboratory Vicky Pillitteri Information Technology Laboratory National Institute of Standards and Technology 100 Bureau Drive Gaithersburg, MD
Industrial Control Systems Security Guide
Industrial Control Systems Security Guide Keith Stouffer, Engineering Lab National Institute of Standards and Technology NIST SP 800-82, Rev 2 and ICS Cybersecurity Testbed Keith Stouffer Project Leader,
More informationHow To Write A Cybersecurity Framework
NIST Cybersecurity Framework Overview Executive Order 13636 Improving Critical Infrastructure Cybersecurity 2nd ENISA International Conference on Cyber Crisis Cooperation and Exercises Executive Order
More informationNIST Cybersecurity Framework. ARC World Industry Forum 2014
NIST Cybersecurity Framework Vicky Yan Pillitteri NIST ARC World Industry Forum 2014 February 10-13, 2014 Orlando, FL Executive Order 13636 Improving Critical Infrastructure Cybersecurity It is the policy
More informationCybersecurity Framework. Executive Order 13636 Improving Critical Infrastructure Cybersecurity
Cybersecurity Framework Executive Order 13636 Improving Critical Infrastructure Cybersecurity National Institute of Standards and Technology (NIST) Mission To promote U.S. innovation and industrial competitiveness
More informationCybersecurity in the Utilities Sector Best Practices and Implementation 2014 Canadian Utilities IT & Telecom Conference September 24, 2014
Cybersecurity in the Utilities Sector Best Practices and Implementation 2014 Canadian Utilities IT & Telecom Conference September 24, 2014 Victoria Yan Pillitteri Advisor for Information Systems Security
More informationCritical Infrastructure Cybersecurity Framework. Overview and Status. Executive Order 13636 Improving Critical Infrastructure Cybersecurity
Critical Infrastructure Cybersecurity Framework Overview and Status Executive Order 13636 Improving Critical Infrastructure Cybersecurity Executive Order: Improving Critical Infrastructure Cybersecurity
More informationFramework for Improving Critical Infrastructure Cybersecurity
Framework for Improving Critical Infrastructure Cybersecurity Implementation of Executive Order 13636 8 April 2015 cyberframework@nist.gov Agenda Mission of NIST Cybersecurity at NIST Cybersecurity Framework
More informationCybersecurity Framework: Current Status and Next Steps
Cybersecurity Framework: Current Status and Next Steps Federal Advisory Committee on Insurance November 6, 2014 Adam Sedgewick Senior IT Policy Advisor Adam.Sedgewick@nist.gov National Institute of Standards
More informationFramework for Improving Critical Infrastructure Cybersecurity
Framework for Improving Critical Infrastructure Cybersecurity Implementation of Executive Order 13636 NARUC Winter Committee Meeting Committee & Staff Committee on Critical Infrastructure February 15,
More informationFramework for Improving Critical Infrastructure Cybersecurity
Framework for Improving Critical Infrastructure Cybersecurity Executive Order 13636 Improving Critical Infrastructure Cybersecurity 2014 ISACA Pittsburgh Information Security Awareness Day Victoria Yan
More informationNIST Cybersecurity Framework Manufacturing Implementation
NIST Cybersecurity Framework Manufacturing Implementation Keith Stouffer Project Leader, Cybersecurity for Smart Manufacturing Systems Engineering Lab, NIST Manufacturing Cybersecurity Research at NIST
More informationNational Institute of Standards and Technology Smart Grid Cybersecurity
National Institute of Standards and Technology Smart Grid Cybersecurity Vicky Yan Pillitteri Advisor for Information Systems Security SGIP SGCC Chair Victoria.yan@nist.gov 1 The National Institute of Standards
More informationNo. 33 February 19, 2013. The President
Vol. 78 Tuesday, No. 33 February 19, 2013 Part III The President Executive Order 13636 Improving Critical Infrastructure Cybersecurity VerDate Mar2010 17:57 Feb 15, 2013 Jkt 229001 PO 00000 Frm 00001
More informationExecutive Order 13636: The Healthcare Sector and the Cybersecurity Framework. September 23, 2014
Executive Order 13636: The Healthcare Sector and the Cybersecurity Framework September 23, 2014 Executive Order: Improving Critical Infrastructure Cybersecurity It is the policy of the United States to
More informationApril 8, 2013. Ms. Diane Honeycutt National Institute of Standards and Technology 100 Bureau Drive, Stop 8930 Gaithersburg, MD 20899
Salt River Project P.O. Box 52025 Mail Stop: CUN204 Phoenix, AZ 85072 2025 Phone: (602) 236 6011 Fax: (602) 629 7988 James.Costello@srpnet.com James J. Costello Director, Enterprise IT Security April 8,
More informationENERGY SECTOR CYBERSECURITY FRAMEWORK IMPLEMENTATION GUIDANCE
ENERGY SECTOR CYBERSECURITY FRAMEWORK IMPLEMENTATION GUIDANCE JANUARY 2015 U.S. DEPARTMENT OF ENERGY OFFICE OF ELECTRICITY DELIVERY AND ENERGY RELIABILITY Energy Sector Cybersecurity Framework Implementation
More informationFramework for Improving Critical Infrastructure Cybersecurity
Framework for Improving Critical Infrastructure Cybersecurity 18 November 2015 grance@nist.gov cyberframework@nist.gov National Institute of Standards and Technology About NIST NIST s mission is to develop
More informationEmerging SCADA and Security Solutions Presented by; Michael F. Graves, P.E. Chris Murphy, CISSP
Emerging SCADA and Security Solutions Presented by; Michael F. Graves, P.E. Chris Murphy, CISSP July 25, 2014 Topics Improved 4G Communications Mobile Devices Cyber Security Threats Cyber Security Guidance
More informationBest Practices in ICS Security for System Operators. A Wurldtech White Paper
Best Practices in ICS Security for System Operators A Wurldtech White Paper No part of this document may be distributed, reproduced or posted without the express written permission of Wurldtech Security
More informationFramework for Improving Critical Infrastructure Cybersecurity
Framework for Improving Critical Infrastructure Cybersecurity April 2016 cyberframework@nist.gov Pre-Cybersecurity Framework Threat Landscape 79% of reported victims were targets of opportunity 96% of
More informationInformation Security for Managers
Fiscal Year 2015 Information Security for Managers Introduction Information Security Overview Enterprise Performance Life Cycle Enterprise Performance Life Cycle and the Risk Management Framework Categorize
More informationGuide to Industrial Control Systems (ICS) Security
Special Publication 800-82 Guide to Industrial Control Systems (ICS) Security Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and other control system configurations
More informationNIST Cybersecurity Framework What It Means for Energy Companies
Daniel E. Frank J.J. Herbert Mark Thibodeaux NIST Cybersecurity Framework What It Means for Energy Companies November 14, 2013 Your Panelists Dan Frank J.J. Herbert Mark Thibodeaux 2 Overview The Cyber
More informationFISMA Implementation Project
FISMA Implementation Project The Associated Security Standards and Guidelines Dr. Ron Ross Computer Security Division Information Technology Laboratory 1 Today s Climate Highly interactive environment
More informationStandards for Security Categorization of Federal Information and Information Systems
FIPS PUB 199 FEDERAL INFORMATION PROCESSING STANDARDS PUBLICATION Standards for Security Categorization of Federal Information and Information Systems Computer Security Division Information Technology
More informationOffice of Inspector General
DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Security Weaknesses Increase Risks to Critical United States Secret Service Database (Redacted) Notice: The Department of Homeland Security,
More informationCybersecurity for Medical Devices
Cybersecurity for Medical Devices Suzanne O Shea Kathleen Rice January 29, 2015 Why Is This Important? Security Risks in the Sensors of Implantable Medical Devices Over the last year, we ve seen an uptick
More informationGuide to Industrial Control Systems (ICS) Security
Special Publication 800-82 Guide to Industrial Control Systems (ICS) Security Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and other control system configurations
More informationCybersecurity as a Risk Factor in doing business
Cybersecurity as a Risk Factor in doing business 1 Data is the new raw material of business Economist UK, 2013. In trying to defend everything he defended nothing Frederick the Great, Prussia 1712-86.
More informationNetwork/Cyber Security
Network/Cyber Security SCAMPS Annual Meeting 2015 Joe Howland,VC3 Source: http://www.information-age.com/technology/security/123458891/how-7-year-old-girl-hacked-public-wi-fi-network-10-minutes Security
More informationGuide to Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems Security
Special Publication 800-82 INITIAL PUBLIC DRAFT Guide to Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems Security Recommendations of the National Institute of Standards
More informationFFIEC Cybersecurity Assessment Tool
Overview In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council 1 (FFIEC) developed the Cybersecurity Tool (), on behalf of its members,
More informationNICE and Framework Overview
NICE and Framework Overview Bill Newhouse NIST NICE Leadership Team Computer Security Division Information Technology Lab National Institute of Standards and Technology TABLE OF CONTENTS Introduction to
More informationThis is a preview - click here to buy the full publication
TECHNICAL REPORT IEC/TR 62443-3-1 Edition 1.0 2009-07 colour inside Industrial communication networks Network and system security Part 3 1: Security technologies for industrial automation and control systems
More informationState Agency Cyber Security Survey v 3.4 2 October 2014. State Agency Cybersecurity Survey v 3.4
State Agency Cybersecurity Survey v 3.4 The purpose of this survey is to identify your agencies current capabilities with respect to information systems/cyber security and any challenges and/or successes
More informationGet Confidence in Mission Security with IV&V Information Assurance
Get Confidence in Mission Security with IV&V Information Assurance September 10, 2014 Threat Landscape Regulatory Framework Life-cycles IV&V Rigor and Independence Threat Landscape Continuously evolving
More informationBilling Code: 3510-EA
Billing Code: 3510-EA DEPARTMENT OF COMMERCE Office of the Secretary National Institute of Standards and Technology National Telecommunications and Information Administration [Docket Number: 130206115-3115-01]
More informationCybersecurity Framework Security Policy Mapping Table
Cybersecurity Framework Security Policy Mapping Table The following table illustrates how specific requirements of the US Cybersecurity Framework [1] are addressed by the ISO 27002 standard and covered
More informationRelease of the Draft Cybersecurity Procurement Language for Energy Delivery Systems
Release of the Draft Cybersecurity Procurement Language for Energy Delivery Systems Energy Sector Control Systems Working Group Supporting the Electricity Sector Coordinating Council, Oil & Natural Gas
More informationCYBER SECURITY GUIDANCE
CYBER SECURITY GUIDANCE With the pervasiveness of information technology (IT) and cyber networks systems in nearly every aspect of society, effectively securing the Nation s critical infrastructure requires
More informationINTERNATIONAL TRADE ADMINISTRATION Improvements Are Needed to Strengthen ITA s Information Technology Security Program
INTERNATIONAL TRADE ADMINISTRATION Improvements Are Needed to Strengthen ITA s Information Technology Security Program FINAL REPORT NO. OIG-12-037-A SEPTEMBER 27, 2012 U.S. Department of Commerce Office
More informationManaging Security and Privacy Risk in Healthcare Applications
Managing Security and Privacy Risk in Healthcare Applications 5 th Annual OCR / NIST HIPAA Security Rule Conference June 6, 2012 Dr. Ron Ross Computer Security Division Information Technology Laboratory
More informationSecurity Control Standard
Department of the Interior Security Control Standard Risk Assessment January 2012 Version: 1.2 Signature Approval Page Designated Official Bernard J. Mazer, Department of the Interior, Chief Information
More informationOffice of Inspector General
Office of Inspector General DEPARTMENT OF HOMELAND SECURITY U.S. Department of Homeland Security Washington, DC 20528 Office of Inspector General Security Weaknesses Increase Risks to Critical DHS Databases
More informationEnterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006
Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,
More informationU.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL
U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL FINAL REPORT: U.S. Election Assistance Commission Compliance with the Requirements of the Federal Information Security Management Act Fiscal
More informationPROTIVITI FLASH REPORT
PROTIVITI FLASH REPORT Cybersecurity Framework: Where Do We Go From Here? February 25, 2014 Just over a year ago, President Barack Obama signed an Executive Order (EO) calling for increased cybersecurity
More informationNCCIC CYBER INCIDENT SCORING SYSTEM OVERVIEW
NCCIC CYBER INCIDENT SCORING SYSTEM OVERVIEW Many incident taxonomies and classification schemes provide excellent guidance within the scope of a single enterprise s security operations center (SOC). However,
More informationHelp for the Developers of Control System Cyber Security Standards
INL/CON-07-13483 PREPRINT Help for the Developers of Control System Cyber Security Standards 54 th International Instrumentation Symposium Robert P. Evans May 2008 This is a preprint of a paper intended
More informationEd McMurray, CISA, CISSP, CTGA CoNetrix
Ed McMurray, CISA, CISSP, CTGA CoNetrix AGENDA Introduction Cybersecurity Recent News Regulatory Statements NIST Cybersecurity Framework FFIEC Cybersecurity Assessment Questions Information Security Stats
More informationSCOPE. September 25, 2014, 0930 EDT
National Protection and Programs Directorate Office of Cyber and Infrastructure Analysis (OCIA) Critical Infrastructure Security and Resilience Note Critical Infrastructure Security and Resilience Note:
More informationNational Cybersecurity Challenges and NIST. Donna F. Dodson Chief Cybersecurity Advisor ITL Associate Director for Cybersecurity
National Cybersecurity Challenges and NIST Donna F. Dodson Chief Cybersecurity Advisor ITL Associate Director for Cybersecurity Though no-one knows for sure, corporate America is believed to lose anything
More informationBusiness Continuity for Cyber Threat
Business Continuity for Cyber Threat April 1, 2014 Workshop Session #3 3:00 5:30 PM Susan Rogers, MBCP, MBCI Cyberwise CP S2 What happens when a computer program can activate physical machinery? Between
More informationEnvisioning Collaboration for Medical Device and Healthcare Cybersecurity
Envisioning Collaboration for Medical Device and Healthcare Cybersecurity Moderator William Maisel, MD, MPH Food and Drug Administration October 21, 2014 Please send questions or comments on this session
More informationCybersecurity Audit Why are we still Vulnerable? November 30, 2015
Cybersecurity Audit Why are we still Vulnerable? November 30, 2015 John R. Robles, CISA, CISM, CRISC www.johnrrobles.com jrobles@coqui.net 787-647-3961 John R. Robles- 787-647-3961 1 9/11-2001 The event
More informationSeptember 28, 2 012 MEMORANDUM FOR. MR. ANTONY BLINKEN Deputy Assistant to the President and National Security Advisor to the Vice President
004216 THE WHITE HOUSE WASHINGTON MEMORANDUM FOR September 28, 2 012 MR. ANTONY BLINKEN Deputy Assistant to the President and National Security Advisor to the Vice President MR. STEPHEN D. MULL Executive
More informationICBA Summary of FFIEC Cybersecurity Assessment Tool
ICBA Summary of FFIEC Cybersecurity Assessment Tool July 2015 Contact: Jeremy Dalpiaz Assistant Vice President Cyber Security and Data Security Policy Jeremy.Dalpiaz@icba.org www.icba.org ICBA Summary
More informationWhich cybersecurity standard is most relevant for a water utility?
Which cybersecurity standard is most relevant for a water utility? Don Dickinson 1 * 1 Don Dickinson, Phoenix Contact USA, 586 Fulling Mill Road, Middletown, Pennsylvania, USA, 17057 (*correspondence:
More informationAssessing the Effectiveness of a Cybersecurity Program
Assessing the Effectiveness of a Cybersecurity Program Lynn D. Shiang Delta Risk LLC, A Chertoff Group Company Objectives Understand control frameworks, assessment structures and scoping of detailed reviews
More informationInformation and Communications Technology Supply Chain Risk Management (ICT SCRM) AND NIST Cybersecurity Framework
Information and Communications Technology Supply Chain Risk Management (ICT SCRM) AND NIST Cybersecurity Framework Don t screw with my chain, dude! Jon Boyens Computer Security Division IT Laboratory November
More informationCloud Computing Technologies Achieving Greater Trustworthiness and Resilience
Cloud Computing Technologies Achieving Greater Trustworthiness and Resilience Cloud Standards Customer Council Public Sector Cloud Summit March 24, 2014 Dr. Ron Ross Computer Security Division Information
More informationMaturation of a Cyber Security Incident Prevention and Compliance Program
Maturation of a Cyber Security Incident Prevention and Compliance Program Utilities & Energy Compliance & Ethics Conference February 25, 2013 Houston, Texas Anna Wang Principal Consultant Imminent Cyber
More informationBuilding Security In:
#CACyberSS2015 Building Security In: Intelligent Security Design, Development and Acquisition Steve Caimi Industry Solutions Specialist, US Public Sector Cybersecurity September 2015 A Little About Me
More informationApplying IBM Security solutions to the NIST Cybersecurity Framework
IBM Software Thought Leadership White Paper August 2014 Applying IBM Security solutions to the NIST Cybersecurity Framework Help avoid gaps in security and compliance coverage as threats and business requirements
More informationCybersecurity and internal audit. August 15, 2014
Cybersecurity and internal audit August 15, 2014 arket insights: what we are seeing so far? 60% of organizations see increased risk from using social networking, cloud computing and personal mobile devices
More informationSecurity Risk Management For Health IT Systems and Networks
Health IT Standards Committee Meeting Security Risk Management For Health IT Systems and Networks NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Setting the stage. NATIONAL INSTITUTE OF STANDARDS AND
More informationRethinking Cyber Security for Industrial Control Systems (ICS)
Rethinking Cyber Security for Industrial Control Systems (ICS) Bob Mick VP Emerging Technologies ARC Advisory Group bmick@arcweb.com 1 Rethinking Cyber Security We Now Have Years of Experience - Security
More informationLOGIIC Remote Access. Final Public Report. June 2015 1 LOGIIC - APPROVED FOR PUBLIC DISTRIBUTION
LOGIIC Remote Access June 2015 Final Public Report Document Title LOGIIC Remote Monitoring Project Public Report Version Version 1.0 Primary Author A. McIntyre (SRI) Distribution Category LOGIIC Approved
More informationRE: Experience with the Framework for Improving Critical Infrastructure Cybersecurity
October 10, 2014 Ms. Diane Honeycutt National Institute of Standards and Technology 100 Bureau Drive, Stop 8930 Gaithersburg, MD 20899 RE: Experience with the Framework for Improving Critical Infrastructure
More informationWhat Risk Managers need to know about ICS Cyber Security
What Risk Managers need to know about ICS Cyber Security EIM Risk Managers Conference February 18, 2014 Joe Weiss PE, CISM, CRISC, ISA Fellow (408) 253-7934 joe.weiss@realtimeacs.com ICSs What are they
More informationInformation Technology Security Training Requirements APPENDIX A. Appendix A Learning Continuum A-1
APPENDIX A Appendix A Learning Continuum A-1 Appendix A Learning Continuum A-2 APPENDIX A LEARNING CONTINUUM E D U C A T I O N Information Technology Security Specialists and Professionals Education and
More informationRoadmaps to Securing Industrial Control Systems
Roadmaps to Securing Industrial Control Systems Insert Photo Here Mark Heard Eastman Chemical Company Rockwell Automation Process Solutions User Group (PSUG) November 14-15, 2011 Chicago, IL McCormick
More informationAudit of the Department of State Information Security Program
UNITED STATES DEPARTMENT OF STATE AND THE BROADCASTING BOARD OF GOVERNORS OFFICE OF INSPECTOR GENERAL AUD-IT-15-17 Office of Audits October 2014 Audit of the Department of State Information Security Program
More informationJOINT EXPLANATORY STATEMENT TO ACCOMPANY THE CYBERSECURITY ACT OF 2015
JOINT EXPLANATORY STATEMENT TO ACCOMPANY THE CYBERSECURITY ACT OF 2015 The following consists of the joint explanatory statement to accompany the Cybersecurity Act of 2015. This joint explanatory statement
More informationNIST Cyber Security Activities
NIST Cyber Security Activities Dr. Alicia Clay Deputy Chief, Computer Security Division NIST Information Technology Laboratory U.S. Department of Commerce September 29, 2004 1 Computer Security Division
More informationApplying Framework to Mobile & BYOD
Applying Framework to Mobile & BYOD Framework for Improving Critical Infrastructure Cybersecurity National Association of Attorneys General Southern Region Meeting 13 March 2015 cyberframework@nist.gov
More informationSecurity Controls Assessment for Federal Information Systems
Security Controls Assessment for Federal Information Systems Census Software Process Improvement Program September 11, 2008 Kevin Stine Computer Security Division National Institute of Standards and Technology
More informationCybersecurity Enhancement Account. FY 2017 President s Budget
Cybersecurity Enhancement Account FY 2017 President s Budget February 9, 2016 Table of Contents Section 1 Purpose... 3 1A Mission Statement... 3 1.1 Appropriations Detail Table... 3 1B Vision, Priorities
More informationNERC CIP VERSION 5 COMPLIANCE
BACKGROUND The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Reliability Standards define a comprehensive set of requirements that are the basis for maintaining
More informationsecurity standards and guidelines within one year of the publication date unless otherwise directed by OMB or NIST.2
NIST Special Publication 800-53 Revision 21 Recommended Security Controls for Federal Information Systems Ron Ross Stu Katzke Arnold Johnson Marianne Swanson Gary Stoneburner George Rogers I N F O R M
More informationDiscussion Draft of the Preliminary Cybersecurity Framework Illustrative Examples
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 Discussion Draft of the Preliminary Cybersecurity Framework Illustrative Examples The
More informationActions and Recommendations (A/R) Summary
Actions and Recommendations (A/R) Summary Priority I: A National Cyberspace Security Response System A/R 1-1: DHS will create a single point-ofcontact for the federal government s interaction with industry
More informationResponse to NIST: Developing a Framework to Improve Critical Infrastructure Cybersecurity
National Grid Overview National Grid is an international electric and natural gas company and one of the largest investor-owned energy companies in the world. We play a vital role in delivering gas and
More informationAn Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
NIST Special Publication 800-66 An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule Joan Hash, Pauline Bowen, Arnold Johnson, Carla
More informationNew Era in Cyber Security. Technology Development
New Era in Cyber New Era in Cyber Security Security Technology Technology Development Development Combining the Power of the Oil and Gas Industry, DHS, and the Vendor Community to Combat Cyber Security
More informationOpening Up a Second Front for Cyber Security and Risk Management
Opening Up a Second Front for Cyber Security and Risk Management Annual Computer Security Applications Conference December 4, 2012 Dr. Ron Ross Computer Security Division Information Technology Laboratory
More informationRE: ITI comments in response to NIST RFI: Improving Critical Infrastructure Cybersecurity Executive Order 13636: Preliminary Cybersecurity Framework
December 12, 2013 Adam Sedgewick Information Technology Laboratory National Institute of Standards and Technology 100 Bureau Drive, Stop 8930 Gaithersburg, MD 20899 Via e-mail to: csfcomments@nist.gov
More informationAn Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
NIST Special Publication 800-66 Revision 1 An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule Matthew Scholl, Kevin Stine, Joan
More informationUsing the HITRUST CSF to Assess Cybersecurity Preparedness 1 of 6
to Assess Cybersecurity Preparedness 1 of 6 Introduction Long before the signing in February 2013 of the White House Executive Order Improving Critical Infrastructure Cybersecurity, HITRUST recognized
More informationCybersecurity. Cloud. and the. 4TH Annual NICE Workshop Navigating the National Cybersecurity Education InterState Highway September 2013
Cybersecurity and the Cloud 4TH Annual NICE Workshop Navigating the National Cybersecurity Education InterState Highway September 2013 Well, I'll hazard I can do more damage on my laptop sitting in my
More informationDiane Honeycutt National Institute of Standards and Technology (NIST) 100 Bureau Drive, Stop 8930 Gaithersburg, MD 20899
Submitted via email: cyberframework@nist.gov April 8, 2013 Diane Honeycutt National Institute of Standards and Technology (NIST) 100 Bureau Drive, Stop 8930 Gaithersburg, MD 20899 Re: Developing a Framework
More informationSubject: Critical Infrastructure Identification, Prioritization, and Protection
For Immediate Release Office of the Press Secretary The White House December 17, 2003 Homeland Security Presidential Directive / HSPD-7 Subject: Critical Infrastructure Identification, Prioritization,
More informationEVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07
EVALUATION REPORT Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review March 13, 2015 REPORT NUMBER 15-07 EXECUTIVE SUMMARY Weaknesses Identified During the FY 2014
More informationFREQUENTLY ASKED QUESTIONS
FREQUENTLY ASKED QUESTIONS Continuous Monitoring 1. What is continuous monitoring? Continuous monitoring is one of six steps in the Risk Management Framework (RMF) described in NIST Special Publication
More informationMEDICAL DEVICE Cybersecurity.
MEDICAL DEVICE Cybersecurity. 2 MEDICAL DEVICE CYBERSECURITY Introduction Wireless technology and the software in medical devices have greatly increased healthcare providers abilities to efficiently and
More informationDecember 17, 2003 Homeland Security Presidential Directive/Hspd-7
For Immediate Release Office of the Press Secretary December 17, 2003 December 17, 2003 Homeland Security Presidential Directive/Hspd-7 Subject: Critical Infrastructure Identification, Prioritization,
More informationPROTECTING CRITICAL CONTROL AND SCADA SYSTEMS WITH A CYBER SECURITY MANAGEMENT SYSTEM
PROTECTING CRITICAL CONTROL AND SCADA SYSTEMS WITH A CYBER SECURITY MANAGEMENT SYSTEM Don Dickinson Phoenix Contact USA P.O. Box 4100 Harrisburg, PA 17111 ABSTRACT Presidential Executive Order 13636 Improving
More informationRebecca Massello Energetics Incorporated
Cybersecurity Procurement Language for Energy Delivery Systems Rebecca Massello Energetics Incorporated NRECA TechAdvantage February 25, 2015 Talking Points What is this document? Who can use this document
More informationCompliance Risk Management IT Governance Assurance
Compliance Risk Management IT Governance Assurance Solutions That Matter Introduction to Federal Information Security Management Act (FISMA) Without proper safeguards, federal agencies computer systems
More informationIT Security Management Risk Analysis and Controls
IT Security Management Risk Analysis and Controls Steven Gordon Document No: Revision 770 3 December 2013 1 Introduction This document summarises several steps of an IT security risk analysis and subsequent
More information