Business Continuity for Cyber Threat

Transcription

1 Business Continuity for Cyber Threat April 1, 2014 Workshop Session #3 3:00 5:30 PM Susan Rogers, MBCP, MBCI Cyberwise CP S2 What happens when a computer program can activate physical machinery? Between the Stuxnet cyberweapon is estimated to have destroyed 1,000 Iranian nuclear-fuel centrifuges at the Natanz uranium enrichment plant.

2 Slide 2 S2 Susan, 10/15/2013

3 Cyber Threat to Critical Infrastructure Richard Clarke tells Fresh Air host Terry Gross. former Counter Terrorism Chief under Presidents Clinton and Bush A cyberattack could disable trains all over the country It could blow up pipelines. It could cause blackouts and damage electrical power grids so that the blackouts would go on for a long time. It could wipe out and confuse financial records, so that we would not know who owned what. It could disrupt traffic in urban areas by knocking out control computers. It could, in nefarious ways, do things like wipe out medical records. Protecting U.S. Critical Infrastructure We have entered into a new phase of conflict in which we use a cyberweapon to create physical destruction, said Retired General Michael Hayden in an interview on 60 Minutes. When you use a physical weapon, it destroys itself, in addition to the target, if it s used properly. A cyberweapon doesn t, explained Gen. Hayden. So there are those out there who can take a look at [the Stuxnet worm], study it and maybe even attempt to turn it to their own purposes. Such as launching a cyber attack against critical infrastructure here in the United States. One of the biggest targets for cyber terrorism is our critical infrastructure energy, in particular. About 75% of critical infrastructure is owned by private industry. Problem: How do you convince them they need to invest money in safeguard practices to protect their own assets but those of our country?

4 Framework to Motivate Market Interests 2/12/2013 U.S. Presidential policy & Executive Order signed to enhance Cyber security Critical Infrastructure (CI) Protection DHS & NIST charged to work with private sector to build voluntary standards & practices to increase cyber protection of CI Cyber Framework Workshops open to the public produce: 1) Risk framework 2) Basic activities 3) Gaps to close 4) Incentives Entrepreneurs & business encouraged to deploy the framework and bring innovation to close gaps Agenda & Goals Part I (3:00 3:30) NIST Cybersecurity Critical Infrastructure Framework Part II (3:30 4:30) Engage in BC Planning for Cyber Threat Part III (4:30 5:30) Exercising Cyber Contingency Planning

5 Part I - Framework NIST Cybersecurity Risk Framework For Critical Infrastructure NIST Risk Framework Mapping BC Process Motivation to Adopt Need for Baseline Standards The vulnerabilities allowing Stuxnet to succeed included insecure software (technology), improper IT security management (process), and insufficient security training of personnel (people) the usual people, process, and technology triad that underlies the security (or insecurity) of any system. NRECA / Cooperative Research Network Smart Grid Demonstration Project Guide to Developing a Cyber Security and Risk Mitigation Plan

6 Executive Order Improving Critical Infrastructure Cybersecurity It is the policy of the United States to enhance the security and resilience of the Nation s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy and civil liberties National Institute of Standards and Technology (NIST) is directed to work with stakeholders to develop a voluntary framework for reducing cyber risks to critical infrastructure This Cybersecurity Framework is being developed in an open manner with input from stakeholders in industry, academia and government, including a public review and comment process, workshops and other means of engagement. Value of a Risk Framework Cyber risk = Operations Risk Baseline activities to strengthen critical infrastructure Integrate into risk & vendor management practices NIST Cybersecurity Risk Framework COSO ERM * The ERM framework by the Commission of Sponsoring Organizations of the Treadway Commission (COSO)

7 Framework Core Present Key Outcomes Align to known activities Map to standards & guidelines Baseline - if implemented will reduce % of breach, attack success & impact Framework to communicate maturity and risk environment Framework Categories Information Security focused Areas where Business Continuity & Vendor Management support effort

8 Framework Core Sample Profile, Gap Assessment, Tiers Profile = Alignment to Industry & Risk Tolerance Integration Tiers Tier I Partial Tier II Risk Informed Tier III Repeatable Tier IV Adaptive

9 Motivation to Adopt Viewpoint Critical Infrastructure Coordinating Councils Law Firms Insurance Co. Auditors Technology / Consultants Regulators Vendors Security Firms Regulated Entities Regulators Education FINRA Cybersecurity Survey, Jan nationletters/p The assessment addresses a number of areas related to cybersecurity, including firms : business continuity plans in case of a cyber-attack Mapping to BC Process & Controls Function Category Sub-Category BC Support Process IDENTIFY Risk Assessment (ID.RA): The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals. Risk Management Strategy (ID.RM): The organization s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions. ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk ID.RA-6: Risk responses are identified and prioritized ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders ID.RM-2: Organizational risk tolerance is determined and clearly expressed ID.RM-3: The organization s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis Business units include cyber threat in their risk assessment, with the intent to identify areas of contingency planning. Business units identify their processes and assets that are high risk based on cyber threat actor motivation. Results of risk assessments are aggregated, and approved by senior leadership. An organization's risk tolerance includes funding and approval of technology and business contingency planning activities that will reduce impact of cyber threat. The organization will meet their Regulator, and Customer's level of standards and practices for information security, business continuity and vendor management.

10 Part II Team BC Planning for Cyber Threat Threat Assessment BC Planning Cyber Threat Assessment Threat Source Motivation Impact, Probability, Controls Nation States Advantage: Terrorists political, economic, financial, military, Economic Espionage technological Criminals Activists/Hacktivists Ego notoriety, revenge External Opportunists Insiders Ideology Religious political, cultural

11 Cyber BC Planning Case Study Case study will be made available during the DRJ workshop. Materials will be electronically updated after the conference. Part III Exercising Cyber Contingency Planning Lessons Learned Takeaways Exercise Content

12 Lessons Learned From DDOS Attacks Feedback from Financial Industry Break Down Silos - There is a need to bring all together to address cyber, physical impact: business teams, fraud, BC, Incident response, corporate messaging. Need to adapt and respond to cyber impact quickly. During crisis response, decision making cannot be done by committee. During an attack you need to know what is normal versus and abnormal impact to critical assets. Need to prioritize business & customer impact and identify actions that will be taken in worst case or poor scenarios. BC Planning Takeaway Tech + Business Incident Command Cyber based tabletop exercises Expand BC & Incident response plans Incident command to define: roles, activities & decision authority Identify critical asset thresholds Crisis monitoring & anomaly detection reporting Extreme case scenario planning Lessons Learned From Cyber Exercises Cyber Exercise After Action Report Enhance response playbook to better account for a industry specific incident with the goal of strengthening the integration between industry groups, market participants, and government agencies. Improve coordination between business and technology leaders during cyber incident analysis and response. Enhance the role of exchanges, clearing firms, and trusted government partners in cyber incident response and crisis management. Increase awareness about government resources available to assist the sector. Augment existing guidelines and decision frameworks to determine if cyber incidents are systemic in nature. Institutionalize procedures for market open/close decisions during times of cyber incident response & crisis. BC Planning Takeaway Sector & enterprise playbooks Tech + Business Incident Command Formalize 3 rd party & government crisis routines Crisis monitoring reporting Procedures for worst case scenario

13 Cyber Exercise Case Study Case study will be made available during the DRJ workshop. Materials will be electronically updated after the conference. Take Away Activities Proactively address Cyber BC with your company s Info Sec, Risk Management & Critical Business leaders (see action plan). Connect into cyber mapping activities & dialogue: public-private partnerships, trade groups, etc Utilize materials for BC & Info Sec planning from: Stop, Think, Connect DHS Voluntary NIST framework

14 Cyber BC Action Plan (an approach) BC / DR Consider expanding your annual BC Plan update, BIA process, training and testing to include cyber threat contingency and communication concepts Info Sec Locate Sponsors (Risk, Tech, Business, Security) Expand RISK MANAGEMENT models, RCSA, Assessment, Metrics Read Security Policies & Plans Connect into Security Exercises Create supplements jointly with Info Security Pitch value, deliverables, benefit to business Determine Appetite for cyber contingency plans Incorporate BC/DR Lessons Learned BIA analysis for cyber threat BC /DR Plan enhancements Crisis Communication enhancement Share what we can do because of Planning 2013 Susan Rogers References & Resources The White House, Presidential Policy Directive -- Critical Infrastructure Security and Resilience, February 12, 2013, accessed August 6, 2013, Executive Order Improving Critical Infrastructure Cybersecurity, ISAC NIST Cybersecurity Framework DHS NIP National Cybersecurity Alliance DHS Presidential Directive 7 US-CERT Critical Infrastructure Cyber Community Voluntary Program Stop, Think, Connect COSO ERM Model - SIFMA Quantum Dawn 2 Exercise National Initiative for Cybersecurity Careers and Studies What are the implications of a cyber attack Ponemon Institute Cost of Cyber Crimes Study Verizon 2013 Data Breach Investigation Federal Reserve recommended standards FINRA Cybersecurity Survey, Jan SANS 20 Critical Security Controls

15 Contact Information Susan Rogers CEO, Cyberwise CP (610)