Framework for Improving Critical Infrastructure Cybersecurity

Transcription

1 Framework for Improving Critical Infrastructure Cybersecurity September 2016

2 National Institute of Standards and Technology (NIST) About NIST NIST s mission is to develop and promote measurement, standards, and technology to enhance productivity, facilitate trade, and improve the quality of life. 3,000 employees 2,700 guest researchers 1,300 field staff in partner organizations Two main locations: Gaithersburg, MD and Boulder, CO NIST Priority Research Areas Advanced Manufacturing IT and Cybersecurity Healthcare Forensic Science Disaster Resilience Cyber-physical Systems Advanced Communications

3 Why Cybersecurity? Sophisticated Threat for Critical Infrastructure Cyber Physical Systems (SCADA, ICS, IoT) Penetration of networks Increased downtime Part of Effective Risk Management Increase in customer trust relationships Higher availability Streamlined information security

4 Improving Critical Infrastructure Cybersecurity It is the policy of the United States to enhance the security and resilience of the Nation s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties President Barack Obama Executive Order 13636, 12 February

5 Based on the Executive Order, the Cybersecurity Framework Must... Include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks Provide a prioritized, flexible, repeatable, performancebased, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk Identify areas for improvement to be addressed through future collaboration with particular sectors and standards-developing organizations Be consistent with voluntary international standards 5

6 Development of the Framework Engage the Framework Stakeholders EO Issued February 12, 2013 NIST Issues RFI February 26, st Framework Workshop April 03, 2013 Collect, Categorize, and Post RFI Responses Completed April 08, 2013 Identify Common Practices/Themes May 15, 2013 Analyze RFI Responses 2 nd Framework Workshop at CMU May 2013 Draft Outline of Preliminary Framework June 2013 Ongoing Engagement: Open public comment and review encouraged and promoted throughout the process and to this day Identify Framework Elements 3 rd Workshop at UCSD July th Workshop at UT Dallas Sept 2013 Prepare and Publish Framework 5 th Workshop at NC State Nov 2013 Published Framework Feb

7 The Cybersecurity Framework Is for Organizations Of any size, in any sector in (and outside of) the critical infrastructure That already have a mature cyber risk management and cybersecurity program That don t yet have a cyber risk management or cybersecurity program With a mission of helping keep up-to-date on managing risk and facing business or societal threats 7

8 Taxonomy Value Proposition Plant classification is the placing of known plants into groups or categories to show some relationship. Scientific classification follows a system of rules that standardizes the results, and groups successive categories into a hierarchy. For example, the family to which lilies belong is classified as: Kingdom: Plantae Phylum: Magnoliophyta Class: Liliopsida Order: Liliales Family: Liliaceae Genus:... Species:... Value Proposition Accurate communication Quickly categorize known Logically name unknown Inherent properties understood based on name

9 Cybersecurity Framework Components Aligns industry standards and best practices to the Framework Core in a particular implementation scenario Cybersecurity activities and informative references, organized around particular outcomes Supports prioritization and measurement while factoring in business needs Framework Profile Framework Core Enables communication of cyber risk across an organization Framework Implementation Tiers Describes how cybersecurity risk is managed by an organization and degree the risk management practices exhibit key characteristics 9

10 Implementation Tiers Risk Management Process Integrated Risk Management Program External Participation Partial Risk Informed Repeatable Adaptive The functionality and repeatability of cybersecurity risk management The extent to which cybersecurity is considered in broader risk management decisions The degree to which the organization benefits my sharing or receiving information from outside parties 10 10

11 Core Cybersecurity Framework Component What processes and assets need protection? What safeguards are available? What techniques can identify incidents? What techniques can contain impacts of incidents? What techniques can restore capabilities? Function Category ID Asset Management ID.AM Business Environment ID.BE Governance ID.GV Identify Risk Assessment ID.RA Protect Detect Respond Recover Risk Management Strategy Access Control Awareness and Training Data Security Information Protection Processes & Procedures Maintenance Protective Technology Anomalies and Events Security Continuous Monitoring Detection Processes Response Planning Communications Analysis Mitigation Improvements Recovery Planning Improvements Communications ID.RM PR.AC PR.AT PR.DS PR.IP PR.MA PR.PT DE.AE DE.CM DE.DP RS.RP RS.CO RS.AN RS.MI RS.IM RC.RP RC.IM RC.CO 11

12 Profile Cybersecurity Framework Component Ways to think about a Profile: A customization of the Core for a given sector, subsector, or organization A fusion of business/mission logic and cybersecurity outcomes Identify Protect Detect Respond Recover An alignment of cybersecurity requirements with operational methodologies A basis for assessment and expressing target state A decision support tool for cybersecurity risk management 12

13 Supporting Risk Management with Framework 13

14 Framework 7 Step Process 3.2 Establishing or Improving a Cybersecurity Program Step 1: Prioritize and Scope Step 2: Orient Step 3: Create a Current Profile Step 4: Conduct a Risk Assessment Step 5: Create a Target Profile Step 6: Determine, Analyze, and Prioritize Gaps Step 7: Implementation Action Plan 14

15 What is Risk Management? Potential Loss Protection Costs versus 15

16 FARM The Risk Management Process ASSESS FRAME MONITOR RESPOND NIST SP , Managing Information Security Risk 10/5/

17 Frame - Know Your Business (ID.BE) Do you know how your business operates? Do you know what resources your business uses? Information, data, people, technologies Do you know where your information is? Do you know who has access to the information / systems your business uses? Do you know what to protect? 10/5/

18 Exercise 1 Identifying and prioritizing your organization s information types (ID.AM) Cost of revelation (Confidentiality) Cost to verify information (Integrity) Cost of lost access (Availability) Legal costs (Fines, Penalties, Notification) Type of Information Employee PII $$ $$$ $$$ Repair Costs $ $$ Type of Information Type of Information Score 7 18

19 Exercise 2 - Develop an Inventory (ID.AM) 1. What systems (technology / people / organizations) touch your information? 2. Add the information type scores or use the highest score 3. Consider any constraints (e.g. FIPS 199) Description (make, model, serial number, service ID, etc.) Location Type of Information (from Exercise 1) Score 1 J. Smith s Cell Phone ( Blue Box, # ) Mobile, BW Network Employee PII; Calendar; ; 7 (Moderate) /5/

20 Exercise 3 Identify threats to your business (ID.RA) Confidentiality Info Type / Technology Info Type / Technology Customer PII on J. Smith s Cell Phone Theft Accidental Disclosure Integrity Accidental alteration Intentional alteration High Mod Mod Low Availability Accidental destruction (fire, water, user error) Low (Have off-site backups) Overall Likelihood High 10/5/

21 Frame Create a Target Profile Identify Risks Mitigations Profile Protect Detect Respond Recover

22 Assess - Risk Assessment A threat acts on a vulnerability and creates risk with determinable likelihood and negative impact (consequence) Threat: Phishing asking for sensitive info Vulnerability: Staff has not been trained to identify and ignore phishing s Risk: How likely is it to occur? What are the consequences if it does? (Exercise 2) 22

23 10/5/

24 Respond Gap Analysis and Execution Identify Protect Detect Respond Recover Identify Protect Detect Respond Recover Gaps

25 Monitor As much as necessary Frame Prioritized Execution Assess Gap Analysis Respond

26 Apply Slide Management-level Policy What do you want to protect What security requirements you will enforce Who is in charge of what Training requirements Procedures (the details) Who, What, When, Where, How Manufacturing Profile

27 Manufacturing Profile

28 Profile Ecosystem TAXONOMY National Institute of Standards and Technology Cybersecurity Framework Core REQUIREMENTS 1 Req A 2 Req B 3 Req C Req ZZ Community or Organization Crosswalks Mappings PRIORITIES 1 Req A High 2 Req B Mod 3 Req C Low Req ZZ High Organization or Community Cybersecurity Framework Profile 28

29 Key Attributes It s a framework, not a prescription It provides a common language and systematic methodology for managing cyber risk It is meant to be adapted It does not tell a company how much cyber risk is tolerable, nor does it claim to provide the one and only formula for cybersecurity Having a common lexicon to enable action across a very diverse set of stakeholders will enable the best practices of elite companies to become standard practices for everyone The framework is a living document It is intended to be updated over time as stakeholders learn from implementation, and as technology and risks change That s one reason why the framework focuses on questions an organization needs to ask itself to manage its risk. While practices, technology, and standards will change over time principals will not 29

30 Common Patterns of Use Integrate the Functions into Your Leadership Vocabulary and Management Tool Sets Determine Optimal Risk Management Using Implementation Tiers Measure Current Risk Management Using Implementation Tiers Reflect on Business Environment, Governance, and Risk Management Strategy Categories Develop a Profile of Cybersecurity Priorities, Leveraging (Sub)Sector Profiles When Available 30

31 Framework Next Steps NIST will proceed with a Minor update that aims to clarify and refine the Framework while minimizing disruption to stakeholders. Updates may include: Updating the Informative References Clarifying guidance on the Implementation Tiers Cyber Threat Intelligence in the Core Guidance for applying the Framework in supply chain risk management And more.. Look for refinement to take place outside of the Core as well. The Framework Roadmap Frequently Asked Questions Related work products and NIST publications Framework Governance Methodology Framework Self-assessment criteria NIST seeks to release a Framework draft for comment in early

32 Stakeholder Recommended Actions NIST applauds stakeholders for their efforts around the Framework thus far. To sustain the growth of a healthy Framework ecosystem, NIST asks that stakeholders: Customize the Framework for your sector or community Publish a sector or community Profile or relevant crosswalk. Advocate for the Framework throughout your sector or community, with related sectors and communities. Publish summaries of use or case studies of your Framework implementation. Share your Framework resources with NIST at cyberframework@nist.gov. 32

33 Resources Where to Learn More and Stay Current The National Institute of Standards and Technology Web site is available at NIST Computer Security Division Computer Security Resource Center is available at The Framework for Improving Critical Infrastructure Cybersecurity and related news and information are available at For additional Framework info and help