Framework for Improving Critical Infrastructure Cybersecurity


18 November 2015

About NIST
NIST's mission is to develop and promote measurement, standards, and technology to enhance productivity, facilitate trade, and improve the quality of life.
- 3,000 employees
- 2,700 guest researchers
- 1,300 field staff in partner organizations
- Two main locations: Gaithersburg, MD and Boulder, CO
NIST Priority Research Areas: Advanced Manufacturing; IT and Cybersecurity; Healthcare; Forensic Science; Disaster Resilience; Cyber-physical Systems; Advanced Communications

Computer Security Division
Providing standards and guidelines, tools, metrics, and practices to protect information and information systems. Topic areas include: Biometrics, Software Assurance, Domain Name Security, Identity Management, FISMA, Security Automation, National Vulnerability Database, Configuration Checklists, Digital Signatures, Risk Management, Authentication, IPv6 Security Profile, Supply Chain, NICE, Health IT Security, Key Management, Secure Hash, PKI, Privacy Engineering, Smart Grid, Continuous Monitoring, Small Business Outreach, Mobile Devices, Standards, Cloud Computing, Usability, NSTIC, Passwords, Hardware Security, Electronic Voting, Wireless Security, Awareness, Vulnerability Measurement, Security Metrics, Public Safety Communications, NCCoE.

Improving Critical Infrastructure Cybersecurity
"It is the policy of the United States to enhance the security and resilience of the Nation's critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties."
President Barack Obama, Executive Order 13636, 12 February 2013

Framework Core (Cybersecurity Framework Component)
The five Core Functions, each answering one question:
- Identify: What processes and assets need protection?
- Protect: What safeguards are available?
- Detect: What techniques can identify incidents?
- Respond: What techniques can contain impacts of incidents?
- Recover: What techniques can restore capabilities?

Profile (Cybersecurity Framework Component)
Ways to think about a Profile:
- A customization of the Core (Identify, Protect, Detect, Respond, Recover) for a given sector, subsector, or organization
- A fusion of business/mission logic and cybersecurity outcomes
- An alignment of cybersecurity requirements with operational methodologies
- A basis for assessment and expressing target state
- A decision support tool for cybersecurity risk management

Implementation Tiers (Cybersecurity Framework Component)
Tiers: Partial (Tier 1), Risk Informed (Tier 2), Repeatable (Tier 3), Adaptive (Tier 4)
- Allow for flexibility in implementation and bring in concepts of maturity models
- Reflect how an organization implements the Framework Core functions and manages its risk
- Progressive, ranging from Partial (Tier 1) to Adaptive (Tier 4), with each Tier building on the previous Tier
- Characteristics are defined at the organizational level and are applied to the Framework Core to determine how a category is implemented.

Industry Use
The Framework is designed to complement existing business and cybersecurity operations, and has been used for:
- Self-Assessment, Gap Analysis, Budget & Resourcing Decisions
- Standardizing Communication Between Business Units
- Harmonizing Security Operations with Audit
- Communicating Requirements with Partners and Suppliers
- Describing Applicability of Products and Services
- Identifying Opportunities for New or Revised Standards
- Categorizing College Course Catalogs
- As a Part of Cybersecurity Certifications
- Categorizing and Organizing Requests for Proposal Responses
The Framework also supports:
- Consistent dialog, both within and amongst countries
- A common platform on which to innovate
- Identifying market opportunities where tools and capabilities may not exist today

Current & Near-Term Framework Activities
- Collect, Reflect, and Connect: understand where industry is having success, help others understand those successes, and facilitate relationships that support use and implementation
- Continue education efforts, including creation of self-help and re-use materials for those who are new to the Framework
- Continue awareness and outreach with an eye toward industry communities who are still working toward basal Framework knowledge and implementation
- Educate on the relationship between the Framework and the larger risk management process, including how organizations can use Tiers

Since the Release of the Cybersecurity Framework
- August 2014: Request for Information: Experience with the Cybersecurity Framework. Questions focused on: awareness, experiences, and roadmap areas. Goal: raise awareness, encourage use as a tool, highlight examples of sector-specific efforts and implementation efforts, gather feedback.
- October 2014, Florida Center for Cybersecurity: 6th Cybersecurity Framework Workshop.
- December 5, 2014: Update on the Cybersecurity Framework. Summary posted that includes analysis of RFI responses, feedback from the 6th workshop, an update on Roadmap areas, and next steps.
- February 12, 2015: One-Year Anniversary of the Release. NIST Cybersecurity Framework site update to include: FAQs, Upcoming Events, and Industry Resources.
- February 13, 2015: White House releases Fact Sheet on Cybersecurity and Consumer Protection.
- Ongoing: targeted outreach continues.

Examples of Industry Resources
- The Cybersecurity Framework in Action: An Intel Use Case
- Cybersecurity Guidance for Small Firms
- Energy Sector Cybersecurity Framework Implementation Guidance
- Cybersecurity Risk Management and Best Practices Working Group 4: Final Report
- CFORUM and other online communities of interest

On-Going NIST Community Dialogs
- Standards Organizations: British Standards Institute, Cloud Security Alliance, AXELOS, etc.
- Domestic Industry: not only Critical Infrastructure, but also non-CI products and services
- Regulators: every Federal financial services regulator
- Auditors: Information Systems Audit and Control Association; the Big 4 audit firms
- Insurance
- Legal

International Dialogs
Twenty-four (24) countries have participated in discussion with NIST, including dialog with:
- The European Union, and 11 out of 28 Member States
- 4 out of 5 of the Five Eyes
- 5 countries in Asia
- 4 countries in the Middle East
The U.S. and the U.K. continue the dialog about harmonizing the U.K. Cyber Essentials with the Cybersecurity Framework.

NIST Challenges
- High variance in sector communications = high variance in socialization = high variance in engagement
- Making sure that Federal organizations stay clear: FISMA is mandatory; the Cybersecurity Framework is optional, value-add
- Balancing adoption of version 1.0 with the growing desire for an update
- Servicing high demand with limited resources
- Determining the best long-term governance model to preserve or enhance value to industry

Discussion Questions
- Will it soon be time for a Framework update? If so, what needs to be changed/removed/added?
- Are there dimensions of the Framework that are well-suited for industry maintenance and evolution?
- What would a productive, combined industry-government relationship look like?
- Would a peer-recognition program help increase the likelihood that industry organizations would share information about their cyber security and risk management experiences?
- What practical advice/lessons learned/surprising use cases can you offer? What have you learned about your organization?

Background

CEO's Cyber Risk Dilemma
- Our Board has a duty to protect its assets (including digital assets) and shareholder value.
- Share Value = EPS × P:E Multiple
- We consider factors affecting earnings, cash, and P:E multiples (including brand erosion indices).
- Yet we still have a difficult time linking cyber risk and share value.

Continued Board Challenges & Questions
1. Briefings in tech language, not in EPS or P:E multiple factor terms
2. Where is cyber in the Board Risk Committee?
3. Who highlights cyber impact in 10-Q financials, footnotes, or MD&A narratives?
4. Is there a cyber allocation in the ERM budget?
5. Do they quantify the cyber impact on financial and reputation exposure and its share value impact?

Framework Roadmap Items: Work Outside the Framework Team
- Authentication: National Strategy for Trusted Identities in Cyberspace
- Automated Indicator Sharing: Draft SP on Cyber Threat Info Sharing
- Conformity Assessment: conversations, as needed
- Cybersecurity Workforce: National Initiative for Cybersecurity Education
- Data Analytics: Draft Big Data Interoperability Framework
- Federal Agency Cybersecurity Alignment
- International Aspects, Impacts, and Alignment
- Supply Chain Risk Management: SP on SCRM for Federal IS and Orgs
- Technical Privacy Standards: Draft IR 8062, Privacy RM for Federal IS

Framework Roadmap Items: Work Within the Framework Team
- Authentication
- Automated Indicator Sharing
- Conformity Assessment
- Cybersecurity Workforce: collaboration with NICE
- Data Analytics
- Federal Agency Cybersecurity Alignment: Draft SP to be released in 2016
- International Aspects, Impacts, and Alignment: ongoing outreach
- Supply Chain Risk Management
- Technical Privacy Standards

Project Description
Objective: Create a Bulk Liquids Transportation Cybersecurity Framework Profile
Value: By creating a subsector-level Cybersecurity Framework Profile, we are:
- Minimizing future work by each organization
- Decreasing the chance that organizations accidentally omit a requirement
- Reducing errors due to varying interpretations

Building a Profile
A Profile can be created in three steps:
1. Cybersecurity Requirements: gather them from legislation, regulation, mission objectives, internal and external policy, and best practice.
2. Subcategory and Priority: map each requirement to Framework Core subcategories and assign each subcategory a priority (the slide's figure shows requirement A mapped to subcategory 1, B to 2, and C to 3).
3. Operating Methodologies: guidance and methodology on implementing, managing, and monitoring each subcategory.

Conceptual Profile Value Proposition
The slide's figure shows a Profile as a table: cybersecurity requirements A to G are mapped to subcategories 1, 2, 3, ..., 98, each with a priority (moderate, high, moderate, ..., moderate), and the subcategories are in turn mapped to operating methodologies I to VIII.
When you organize yourself in this way:
- Compliance reporting becomes a byproduct of running your security operation
- Adding new security requirements is straightforward
- Adding or changing operational methodology is non-intrusive to on-going operation

Resource and Budget Decisioning: What Can You Do with a CSF Profile
The slide's figure extends the Profile table: for each subcategory and its priority (moderate, high, moderate, moderate) it records the As-Is state, the Year 1 To-Be and Year 2 To-Be targets, the resulting gap (small, large, medium, none), and the activities marked for Year 1 and Year 2 to close that gap; a subcategory with no gap is marked "reassess".
The Profile supports on-going operational decisions too.

Customizing a Subsector CSF Profile
Subsector CSF Profile → customization → Organization-Specific CSF Profile
The subsector Profile (requirements A to G, subcategories 1, 2, 3, ..., 98 with priorities moderate, high, moderate, moderate, operating methodologies I to VIII) is customized by the organization: an Organization Policy adds requirement H, the priority of subcategory 3 is raised from moderate to high, and an additional practice IX is added to the operating methodologies. The subsector Profile itself is left unchanged for other organizations to reuse.
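The three-step Profile, its use for compliance reporting and gap analysis, and the subsector-to-organization customization described on the preceding slides can be modelled as a small data structure. The following is an added example written for this page, not code from NIST or from the Bulk Liquids Transportation project. The gap thresholds (tier difference of 1 = small, 2 = medium, 3 or more = large) and the priority ranking are assumptions of the example, and the sample subsector Profile is constructed to mirror the labels on the slides (requirements A to G, subcategories 1, 2, 3 and 98, methodologies I to VIII); the real mapping between those labels is not given on the slides.

```python
"""Toy model of a Cybersecurity Framework Profile (added example, not NIST code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Assumed rankings for ordering budget decisions (not from the slides).
PRIORITY_RANK = {"high": 0, "moderate": 1, "low": 2}
GAP_RANK = {"large": 0, "medium": 1, "small": 2, "none": 3}


def gap_size(as_is: int, to_be: int) -> str:
    """Classify the distance between the As-Is and To-Be Tier (1..4).

    Thresholds are an assumption of this example: a difference of one Tier
    is 'small', two is 'medium', three or more is 'large'.
    """
    diff = to_be - as_is
    if diff <= 0:
        return "none"
    if diff == 1:
        return "small"
    if diff == 2:
        return "medium"
    return "large"


@dataclass
class Profile:
    priorities: Dict[str, str]           # subcategory id -> priority (step 2)
    requirements: Dict[str, Set[str]]    # requirement id -> subcategories it maps to (step 1 -> 2)
    methodologies: Dict[str, Set[str]]   # methodology id -> subcategories it implements (step 3)
    as_is: Dict[str, int]                # subcategory id -> current Tier
    to_be: Dict[str, int]                # subcategory id -> target Tier

    def compliance_report(self) -> Dict[str, Dict[str, List[str]]]:
        """For every requirement, list the methodologies covering each of its
        subcategories. Because requirements and methodologies both hang off
        subcategories, the report is a byproduct of the mapping itself."""
        report: Dict[str, Dict[str, List[str]]] = {}
        for req, subs in self.requirements.items():
            report[req] = {
                sub: sorted(m for m, covered in self.methodologies.items() if sub in covered)
                for sub in sorted(subs)
            }
        return report

    def uncovered_requirements(self) -> List[str]:
        """Requirements with at least one subcategory that no methodology implements."""
        return sorted(req for req, cov in self.compliance_report().items()
                      if any(not methods for methods in cov.values()))

    def gap_analysis(self) -> Dict[str, str]:
        """Gap per subcategory from As-Is to To-Be (defaults to Tier 1 if unset)."""
        return {sub: gap_size(self.as_is.get(sub, 1), self.to_be.get(sub, 1))
                for sub in self.priorities}

    def budget_order(self) -> List[str]:
        """Open gaps ordered by subcategory priority, then by gap size."""
        gaps = self.gap_analysis()
        open_subs = [s for s, g in gaps.items() if g != "none"]
        return sorted(open_subs,
                      key=lambda s: (PRIORITY_RANK[self.priorities[s]], GAP_RANK[gaps[s]]))

    def customize(self,
                  priority_overrides: Optional[Dict[str, str]] = None,
                  extra_requirements: Optional[Dict[str, Set[str]]] = None,
                  extra_methodologies: Optional[Dict[str, Set[str]]] = None) -> "Profile":
        """Derive an organization-specific Profile; the subsector Profile is copied, not mutated."""
        return Profile(
            priorities={**self.priorities, **(priority_overrides or {})},
            requirements={**self.requirements, **(extra_requirements or {})},
            methodologies={**self.methodologies, **(extra_methodologies or {})},
            as_is=dict(self.as_is),
            to_be=dict(self.to_be),
        )


# Constructed sample subsector Profile using the slide's labels (mapping is assumed).
SUBSECTOR_PROFILE = Profile(
    priorities={"1": "moderate", "2": "high", "3": "moderate", "98": "moderate"},
    requirements={"A": {"1"}, "B": {"2"}, "C": {"2"}, "D": {"2"}, "E": {"2"},
                  "F": {"3"}, "G": {"98"}},
    methodologies={"I": {"1"}, "II": {"1"}, "III": {"2"}, "IV": {"3"}, "V": {"3"},
                   "VI": {"98"}, "VII": {"98"}, "VIII": {"98"}},
    as_is={"1": 2, "2": 1, "3": 2, "98": 3},
    to_be={"1": 3, "2": 4, "3": 4, "98": 3},
)

if __name__ == "__main__":
    print("gaps:", SUBSECTOR_PROFILE.gap_analysis())
    print("budget order:", SUBSECTOR_PROFILE.budget_order())
    # Organization Policy adds requirement H, raises subcategory 3 to high, adds practice IX.
    org = SUBSECTOR_PROFILE.customize({"3": "high"}, {"H": {"3"}}, {"IX": {"3"}})
    print("org compliance for H:", org.compliance_report()["H"])
    print("uncovered:", org.uncovered_requirements())
```

The point of keeping both directions of the mapping on the subcategory is that adding a requirement never touches the methodology side and vice versa, which is what makes new requirements "straightforward" and methodology changes "non-intrusive"; `uncovered_requirements()` is the check that a customization has not accidentally omitted a requirement.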

Resources: Where to Learn More and Stay Current
- The National Institute of Standards and Technology Web site is available at
- NIST Computer Security Division, Computer Security Resource Center, is available at
- The Framework for Improving Critical Infrastructure Cybersecurity and related news and information are available at /cyberframework
For additional Framework info and help: Matt Barrett