NIST Cybersecurity Initiatives
Keith Stouffer and Vicky Pillitteri, NIST
ARC World Industry Forum 2014, February 10-13, 2014, Orlando, FL
National Institute of Standards and Technology (NIST)
NIST's mission is to develop and promote measurement, standards, and technology to enhance productivity, facilitate trade, and improve the quality of life.
- 3,000 employees
- 2,700 guest researchers
- 1,300 field staff in partner organizations
- Two main locations: Gaithersburg, Md., and Boulder, Colo.
- $840 million annual budget
- NIST Laboratories: national measurement standards
- Manufacturing Extension Partnership: centers nationwide to help small manufacturers
NIST Priority Research Areas
- Advanced Manufacturing
- IT and Cybersecurity
- Healthcare
- Forensic Science
- Disaster Resilience
- Cyberphysical Systems
- Advanced Communications
Executive Order 13636, Improving Critical Infrastructure Cybersecurity
"It is the policy of the United States to enhance the security and resilience of the Nation's critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties."
- NIST is directed to work with stakeholders to develop a voluntary framework for reducing cyber risks to critical infrastructure.
- This Cybersecurity Framework is being developed in an open manner with input from stakeholders in industry, academia, and government, including a public review and comment process, workshops, and other means of engagement.
The Cybersecurity Framework
For the Cybersecurity Framework to meet the requirements of the Executive Order, it must:
- include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks;
- provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk;
- identify areas for improvement that should be addressed through future collaboration with particular sectors and standards-developing organizations;
- enable technical innovation and account for organizational differences;
- include guidance for measuring the performance of an entity in implementing the Cybersecurity Framework.
Development of the Preliminary Cybersecurity Framework
Engage the Framework stakeholders:
- EO 13636 issued: February 12, 2013
- NIST issues RFI: February 26, 2013
- 1st Framework Workshop at Department of Commerce: April 03, 2013
- Collect, categorize, and post RFI responses: completed April 08, 2013
- Analyze RFI responses; identify common practices/themes: May 15, 2013
- 2nd Framework Workshop at CMU: May 29-31, 2013
Identify Framework elements:
- Draft outline of Preliminary Framework: June 2013
- 3rd Framework Workshop at UCSD: July 10-12, 2013
Prepare and publish Preliminary Framework:
- 4th Framework Workshop at UT Dallas: Sept 11-13, 2013
- Publish Preliminary Framework: Oct 29, 2013
Ongoing engagement: open public comment and review encouraged and promoted throughout the process.
From the Preliminary Framework to the Final Framework and Beyond
Prepare and publish Preliminary Framework:
- Publish Preliminary Framework: Oct 29, 2013
- Begin 45-day public comment period
Additional ongoing public engagement:
- Stakeholder outreach discussions continue
Public comment period:
- Public comment period closes: Dec 13, 2013
Cybersecurity Framework Version 1.0:
- Complete comment resolution and disposition
- Publish Final Cybersecurity Framework: Feb 13, 2014
Framework governance:
- Framework maintenance and updates
Ongoing engagement: open public comment and review encouraged and promoted throughout the process.
Stakeholder Engagement Shaped the Framework Content
- The Framework language and communication is critical to success
- The Framework must reflect characteristics of people, processes, and technologies
- The Framework must be inclusive of and not disruptive to those good practices in use today
- The Framework must include the fundamentals
- Determination of risk tolerance for critical infrastructure must be informed by national interests
- Threat information must inform Framework implementation
Cybersecurity Framework Adoption
An organization adopts the framework when it uses the Cybersecurity Framework as a key part of its systematic process for identifying, assessing, prioritizing, and/or communicating:
- cybersecurity risks,
- current approaches and efforts to address those risks, and
- steps needed to reduce cybersecurity risks
as part of its management of the organization's broader risks and priorities.
Voluntary Program for Critical Infrastructure Cybersecurity Enhancement
The Department of Homeland Security (DHS) is leading the development of a Voluntary Program for Critical Infrastructure Cybersecurity Enhancement. The Voluntary Program will:
- Be the coordination point within the federal government for critical infrastructure owners and operators interested in improving their cyber risk management processes.
- Coordinate additional CSF outreach activities through partnership with Sector Specific Agencies, Sector Coordinating Councils, and other industry partners.
Voluntary Program goals:
1. Support industry in increasing cyber resilience
2. Increase awareness and use of the CSF in support of the first goal
For more information, please contact: DHSVoluntaryProgram@hq.dhs.gov
NIST SP 800-53, Rev 4: Overview
Security and Privacy Controls for Federal Information Systems and Organizations
Purpose: Provide guidelines for selecting and specifying security controls for organizations and information systems supporting the executive agencies of the federal government to meet the requirements of FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems.
- The guidelines apply to all components of an information system that process, store, or transmit federal information.
- The guidelines have been developed to achieve more secure information systems and effective risk management within the federal government.
NIST SP 800-53, Rev 4: What's New
- Clarification of the term "baseline": the security controls and control enhancements listed in the initial baselines are not a minimum; rather, they are a proposed starting point from which controls/control enhancements may be removed or added based on the tailoring guidance
- Expanded tailoring guidance
- Addition of overlays
- Privacy: new Appendix J
- Minimum assurance: revised Appendix E
- Strengthening of specification language
NIST SP 800-53, Rev 4: Privacy Appendix J
- Privacy and security are complementary and mutually reinforcing; Appendix J complements security controls
- Privacy control families are the same as those in the FEA Security and Privacy Profile, v3, Sept 2010
- Appendix J is based on Fair Information Practice Principles from the Privacy Act of 1974, the E-Government Act of 2002, Section 208, and privacy-related OMB guidance
- The objective of Appendix J is to promote closer cooperation between privacy and security officials
- Intended for organizational privacy officials (e.g., CPOs) working with: program managers, information system developers, information technology staff, and information security personnel
- Each control is intended to be applied with respect to an organization's distinct mission and operational needs
NIST SP 800-53, Rev 4: Overlays
Overlays complement initial security control baselines. They:
- Provide the opportunity to add or eliminate controls
- Provide security control applicability and interpretations
- Establish community-wide parameter values for assignment and/or selection statements in security controls and control enhancements
- Extend the supplemental guidance for security controls, where necessary
Types of overlays:
- Communities of interest (e.g., healthcare, intelligence, financial)
- Information technologies/computing paradigms (e.g., cloud/mobile, Smart Grid)
- Industry sectors (e.g., chemical, manufacturing)
- Types of information systems (e.g., industrial/process control systems, weapons systems)
- Types of missions/operations (e.g., counter terrorism, first responders)
Industrial Control System (ICS) Overlay
- The ICS overlay is a partial tailoring of the controls and control baselines in SP 800-53, Revision 4, and adds supplementary guidance specific to ICS.
- The concept of overlays is introduced in Appendix I of SP 800-53, Revision 4.
- The ICS overlay is intended to be applicable to all ICS systems in all industrial sectors. Further tailoring can be performed to add specificity to a particular sector (e.g., pipeline, energy).
- The ICS overlay will be included as Appendix G in NIST SP 800-82, Revision 2.
- Ultimately, an overlay may be produced for a specific system (e.g., the XYZ company).
Industrial Control Systems (ICS) Overview
Industrial Control Systems (ICS) is a general term that encompasses several types of control systems, including:
- Supervisory Control and Data Acquisition (SCADA) systems
- Distributed Control Systems (DCS)
- Other control system configurations such as Programmable Logic Controllers (PLC)
ICS are specialized information systems that physically interact with the environment. Many ICS are components of the critical infrastructure.
SCADA Examples
SCADA systems are used in the electricity sector, oil and gas pipelines, water utilities, transportation networks, and other applications requiring remote monitoring and control.
DCS Examples
- Manufacturing
- Electric Power Generation
- Refineries
ICS Security Challenges
- Real-time constraints: IT security technology can impact timing and inhibit performance (response times are on the order of ms to s)
- Balancing of performance, reliability, flexibility, safety, and security requirements
- Difficulty of specifying requirements and testing capabilities of complex systems in operational environments
- Security expertise and domain expertise are both required, but are often separated
ICS Security Standards and Guidelines Strategy
Add control systems domain expertise to the already available Information Security Risk Management Framework:
- Provide workable, practical solutions for control systems without causing more harm than the incidents we are working to prevent
- This expertise takes the form of specific cautions, recommendations, and requirements for application to control systems, throughout both technologies and programs
- NIST SP 800-82, Guide to Industrial Control System (ICS) Security
- ICS Overlay for NIST SP 800-53, Rev 4 security controls
NIST SP 800-82, Guide to Industrial Control Systems Security
Provides guidance for establishing secure ICS, including implementation guidance for SP 800-53 controls.
Content:
- Overview of ICS
- Risk Management
- ICS Security Program Development and Deployment
- Network Architecture
- ICS Security Controls
Appendixes:
- ICS Threats, Vulnerabilities, and Incidents
- Activities in Industrial Control Systems Security
- Emerging Security Capabilities
- ICS Overlay
Downloaded over 2,500,000 times since initial release and heavily referenced by the public and private industrial control community.
Major ICS Security Objectives
- Restricting logical access to the ICS network and network activity. This includes using a demilitarized zone (DMZ) network architecture with firewalls to prevent network traffic from passing directly between the corporate and ICS networks, and having separate authentication mechanisms and credentials for users of the corporate and ICS networks. The ICS should also use a network topology that has multiple layers, with the most critical communications occurring in the most secure and reliable layer.
- Restricting physical access to the ICS network and devices. Unauthorized physical access to components could cause serious disruption of the ICS's functionality. A combination of physical access controls should be used, such as locks, card readers, and/or guards.
Major ICS Security Objectives
- Protecting individual ICS components from exploitation. This includes deploying security patches in as expeditious a manner as possible, after testing them under field conditions; disabling all unused ports and services; restricting ICS user privileges to only those that are required for each person's role; tracking and monitoring audit trails; and using security controls such as antivirus software and file integrity checking software where technically feasible to prevent, deter, detect, and mitigate malware.
- Maintaining functionality during adverse conditions. This involves designing the ICS so that each critical component has a redundant counterpart. Additionally, if a component fails, it should fail in a manner that does not generate unnecessary traffic on the ICS or other networks, or does not cause another problem elsewhere, such as a cascading event.
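An added example (not code from NIST or SP 800-82) of checking the first objective mechanically: a zone-level, first-match firewall policy is audited so that no corporate-to-ICS or ICS-to-corporate flow is permitted without traversing the DMZ, and any connection opened from the DMZ into the ICS must be explicitly approved. The zone names, the Rule format, the sample policy and the approved-flow list are all assumptions.

```python
"""Zone-level, first-match firewall policy check for the first objective above:
corporate<->ICS traffic must pass through the DMZ. Added example; all names constructed."""
from dataclasses import dataclass

CORP, DMZ, ICS = "corporate", "dmz", "ics"
ANY = None  # wildcard destination port

@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    port: "int | None"  # destination port, or ANY
    action: str         # "allow" or "deny"

def decision(rules, src, dst, port):
    """First-match evaluation with an implicit deny when nothing matches."""
    for r in rules:
        if r.src == src and r.dst == dst and r.port in (ANY, port):
            return r.action
    return "deny"

def audit(rules, approved_into_ics=frozenset()):
    """Return findings (empty list = policy meets the objective). approved_into_ics
    lists (zone, port) flows allowed to be opened into the ICS zone (assumption)."""
    findings = []
    ports = {r.port for r in rules if r.port is not ANY} | {0}  # 0 probes wildcards
    for src, dst in ((CORP, ICS), (ICS, CORP)):
        for p in sorted(ports):
            if decision(rules, src, dst, p) == "allow":
                findings.append(f"{src}->{dst} port {p or 'any'} bypasses the DMZ")
    # Connections opened from the DMZ into the ICS need an explicit approval.
    for p in sorted(ports):
        if decision(rules, DMZ, ICS, p) == "allow" and (DMZ, p) not in approved_into_ics:
            findings.append(f"unapproved flow dmz->ics port {p or 'any'}")
    return findings

# Constructed sample policy; the fourth rule is the misconfiguration to catch.
SAMPLE_POLICY = [
    Rule(ICS, DMZ, 1433, "allow"),  # ICS pushes data to a DMZ historian
    Rule(CORP, DMZ, 443, "allow"),  # corporate reads the historian front end
    Rule(DMZ, ICS, 3389, "allow"),  # DMZ jump host to engineering workstation
    Rule(CORP, ICS, 502, "allow"),  # misconfiguration: direct corporate->ICS
    Rule(CORP, ICS, ANY, "deny"),
    Rule(ICS, CORP, ANY, "deny"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_POLICY, approved_into_ics={(DMZ, 3389)}):
        print("FINDING:", finding)
```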
NIST SP 800-82, Rev 2
NIST SP 800-82, Rev 2 is a major update:
- Updates to ICS threats and vulnerabilities
- Updates to ICS risk management, recommended practices, and architectures
- Updates to current activities in ICS security
- Updates to security capabilities and technologies for ICS
- Additional alignment with other ICS security standards and guidelines
- New tailoring guidance for NIST SP 800-53, Rev 4 security controls, including introduction of overlays
- ICS overlay for NIST SP 800-53, Rev 4 security controls that will provide tailored security control baselines for Low, Moderate, and High impact ICS
NIST SP 800-53 Security Baselines
- LOW baseline: selection of a subset of security controls from the master catalog consisting of basic-level controls
- MOD baseline: builds on the LOW baseline; selection of a subset of controls from the master catalog (basic-level controls, additional controls, and control enhancements)
- HIGH baseline: builds on the MOD baseline; selection of a subset of controls from the master catalog (basic-level controls, additional controls, and control enhancements)
Categorization is based on the potential level of impact if the Availability, Integrity, or Confidentiality of the system or information on the system is compromised.
Low Impact System
ICS Impact Level Definitions: Low Impact ICS
- Product examples: non-hazardous materials or products, non-ingested consumer products
- Industry examples: plastic injection molding, warehouse applications
- Security concerns: protecting people, capital investment, ensuring uptime
Moderate Impact Systems
ICS Impact Level Definitions: Moderate Impact ICS
- Product examples: some hazardous products and/or steps during production, high amount of proprietary information
- Industry examples: automotive, metal industries, pulp and paper, semiconductors
- Security concerns: protecting people, trade secrets, capital investment, ensuring uptime
High Impact System
High Impact System!!!
ICS Impact Level Definitions: High Impact ICS
- Product examples: critical infrastructure, hazardous materials, ingested products
- Industry examples: utilities, petrochemical, food and beverage, pharmaceutical
- Security concerns: protecting human life, ensuring basic social services, protecting the environment
World Record High Impact System
NIST SP 800-82, Rev 2 Schedule
- NIST will collaborate with the public and private sectors over the next year to produce SP 800-82, Rev 2
- Two drafts for public comment are expected: first public draft expected spring 2014; final public draft expected late summer 2014
- NIST SP 800-82, Rev 2 is expected to be finalized late 2014
Contact Information
Keith Stouffer, Engineering Laboratory
301 975 3877, keith.stouffer@nist.gov
Vicky Pillitteri, Information Technology Laboratory
301 975 8542, victoria.yan@nist.gov
National Institute of Standards and Technology
100 Bureau Drive, Gaithersburg, MD 20899