Framework For Improving Critical Infrastructure


Framework for Improving Critical Infrastructure Cybersecurity
October 2016
cyberframework@nist.gov

Improving Critical Infrastructure Cybersecurity

“It is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties”
Executive Order 13636, 12 February 2013

Based on the Executive Order, the Cybersecurity Framework Must:
- Include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks
- Provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk
- Identify areas for improvement to be addressed through future collaboration with particular sectors and standards-developing organizations
- Be consistent with voluntary international standards

Development of the Framework

Engage the Framework Stakeholders:
- EO 13636 Issued – February 12, 2013
- NIST Issues RFI – February 26, 2013
- 1st Framework Workshop – April 03, 2013

Collect, Categorize, and Post RFI Responses:
- Completed – April 08, 2013

Analyze RFI Responses:
- Identify Common Practices/Themes – May 15, 2013

Identify Framework Elements:
- 2nd Framework Workshop at CMU – May 2013
- Draft Outline of Preliminary Framework – June 2013
- 3rd Workshop at UCSD – July 2013
- 4th Workshop at UT Dallas – Sept 2013

Prepare and Publish Framework:
- 5th Workshop at NC State – Nov 2013
- Published Framework – Feb 2014

Ongoing Engagement: open public comment and review encouraged and promoted throughout the process and to this day

The Cybersecurity Framework Is for Organizations
- Of any size, in any sector in (and outside of) the critical infrastructure
- That already have a mature cyber risk management and cybersecurity program
- That don’t yet have a cyber risk management or cybersecurity program
- With a mission of helping keep up-to-date on managing risk and facing business or societal threats

Cybersecurity Framework Components

Core: cybersecurity activities and informative references; enables communication of cyber risk across the organization

Implementation Tiers: describe how cybersecurity risk is managed by an organization and the degree to which its risk management practices exhibit key characteristics

Profile: aligns industry standards and best practices to the Framework Core in a particular implementation scenario; supports prioritization and measurement while factoring in business needs

Key Properties of Cyber Risk Management
- Risk Management Process
- Integrated Risk Management Program
- External Participation

Implementation Tiers

Tiers: Partial, Risk Informed, Repeatable, Adaptive

Each tier is assessed along the three key properties:
- Risk Management Process: the functionality and repeatability of cybersecurity risk management
- Integrated Risk Management Program: the extent to which cybersecurity is considered in broader risk management decisions
- External Participation: the degree to which the organization benefits by sharing or receiving information from outside parties

Adaptation of Implementation Tiers

Tiers: Partial, Risk Informed, Repeatable, Adaptive

The NIST properties are restated as adapted criteria:
- NIST Risk Management Process and NIST Integrated Risk Management Program:
  - Whether people have assigned roles, regular training, take initiative by becoming champions, etc.
  - Whether tools are implemented, maintained, evolved, provide effectiveness metrics, etc.
- NIST External Participation: whether the organization understands its role in the ecosystem, including external dependencies with partners

Core (Cybersecurity Framework Component)

Senior Executives: broad enterprise considerations; abstracted risk vocabulary
Implementation/Operations: deep technical considerations; highly specialized vocabulary

Core (Cybersecurity Framework Component)

Function – the question it answers:
- Identify – What processes and assets need protection?
- Protect – What safeguards are available?
- Detect – What techniques can identify incidents?
- Respond – What techniques can contain impacts of incidents?
- Recover – What techniques can restore capabilities?

Category – ID:
- Asset Management – ID.AM
- Business Environment – ID.BE
- Governance – ID.GV
- Risk Assessment – ID.RA
- Risk Management Strategy – ID.RM
- Access Control – PR.AC
- Awareness and Training – PR.AT
- Data Security – PR.DS
- Information Protection Processes & Procedures – PR.IP
- Maintenance – PR.MA
- Protective Technology – PR.PT
- Anomalies and Events – DE.AE
- Security Continuous Monitoring – DE.CM
- Detection Processes
- Response categories: … RS.AN, RS.MI, RS.IM
- Recovery categories: … RC.RP, RC.IM, RC.CO

Connecting Technologists and Leadership
Cybersecurity Framework

Profile (Cybersecurity Framework Component)

Ways to think about a Profile:
- A customization of the Core (Identify, Protect, Detect, Respond, Recover) for a given sector, subsector, or organization
- A fusion of business/mission logic and cybersecurity outcomes
- An alignment of cybersecurity requirements with operational methodologies
- A basis for assessment and expressing target state
- A decision support tool for cybersecurity risk management

Supporting Risk Management with Framework

Framework 7 Step Process (Framework section 3.2, Establishing or Improving a Cybersecurity Program)
- Step 1: Prioritize and Scope
- Step 2: Orient
- Step 3: Create a Current Profile
- Step 4: Conduct a Risk Assessment
- Step 5: Create a Target Profile
- Step 6: Determine, Analyze, and Prioritize Gaps
- Step 7: Implementation Action Plan

Building a Profile

A Profile can be created in three … ; inputs named on the slide: Internal & External Policy, Best …, Methodologies, and (3) guidance and methodology on implementing, managing, and monitoring

Reconcile Requirements

Use Cybersecurity Framework Profiles to Align and Deconflict requirements drawn from: Org Policy, Environment, Law (static), Regulation (dynamic)

Set Priorities

Use Cybersecurity Framework Profiles to Determine priorities (High / Mod / Low per requirement), informed by: Business Objectives, Threat Profile, Law (static), Regulation (dynamic)

Resource and Budget Decisioning
What Can You Do with a CSF Profile

Columns: Subcategory (1, 2, 3, …, 98) | As-Is | To-Be (Year 1, Year 2) | Priority | Gaps | Budget (Year 1, Year 2) | Activities (Year 1, Year 2)
Example rows: priority moderate, gap small, budget X; priority high, gap large, budget X; priority moderate, gap medium, budget X; priority moderate, gap none – reassess

… and supports on-going operational decisions too

Profile Ecosystem

TAXONOMY (National Institute of Standards and Technology – Cybersecurity Framework Core) → REQUIREMENTS (Community …) → PRIORITIES (Organization … Profile)

Example: 1 – Req A – High; 2 – Req B – Mod; 3 – Req C – Low; …; 98 – Req ZZ – High

Guidance on OMB Circular A-130 Update
Roadmap Item – Federal Agency Cybersecurity Alignment

Updated OMB Circular A-130, Appendix III, Responsibilities for Protecting Federal Information Resources, Section 4.n: “The Framework is not intended to duplicate the current information security and risk management practices in place within the Federal Government. However, in the course of managing information security risk using the established NIST Risk Management Framework and associated security standards and guidelines required by FISMA, agencies can leverage the Cybersecurity Framework to complement their current information security programs.”

Interim guidance: d-other-approachesand-initiatives.cfm#sp800-37

In the near future, “NIST will provide additional guidance on how agencies can use the Cybersecurity Framework and in particular, how the two frameworks can work together to help agencies develop, implement, and continuously improve their information security programs.”

International Dialogs
Roadmap Item – International Aspects, Impacts, and Alignment

Twenty-nine (29) countries have participated in discussion with NIST, including dialog with:
- The European Union, and 14 out of 28 Member States
- All 5 of the Five Eyes
- 6 countries in Asia
- 5 countries in the Middle East

Common Patterns of Use
- Integrate the Functions into Your Leadership Vocabulary and Management Tool Sets
- Determine Optimal and Current Risk Management Using Implementation Tiers
- Reflect on Business Environment, Governance, and Risk Management Strategy Categories
- Develop a Profile of Cybersecurity Priorities, Leveraging (Sub)Sector Profiles When Available

NIST Baldrige Excellence Builders
Baldrige Cybersecurity Excellence Builder

Baldrige criteria areas: Manufacturing, Service, Small Business, Education (1999), Healthcare (1999), Non-profit (2007), Cybersecurity (2016)

“There is no question that setting the bar high by using the Baldrige Criteria and seeking this award made an enormous difference in our performance. The results show that we've outgrown our target competitors, exceeded margin expectations, and built a great workforce.”
– Scott McIntyre, Managing Partner, PWC Public Sector Practice

NIST Manufacturing Profile
NIST Discrete Manufacturing Cybersecurity Framework Profile

Utilizing CSF Informative References to create tailored language for the manufacturing sector:
- NIST SP 800-53
- NIST SP 800-82
- ISA / IEC 62443

Image: www.tiger-global.co.uk

System Categorization – NIST Discrete Manufacturing Profile


Examples of Framework Industry Resources
- Italy’s National Framework for Cybersecurity
- American Water Works Association’s Process Control System Security Guidance for the Water Sector
- The Cybersecurity Framework in Action: An Intel Use Case
- Cybersecurity Risk Management and Best Practices, Working Group 4: Final Report
- Energy Sector Cybersecurity Framework Implementation Guidance

American Water Works Association
Process Control System Security Guidance for the Water Sector
- A 29 page security guide
- Recommended Security Practices for Water Sector – a list of 12 major ‘to dos’
- A Cybersecurity Guidance Tool to simplify guidance landscape
- Crosswalk of Framework to AWWA Guidance Control

Cybersecurity Guidance Tool – Process Control System Security Guidance for the Water Sector

CGT Use Case Examples – Process Control System Security Guidance for the Water Sector

Referenced Standards – Process Control System Security Guidance for the Water Sector

Intel
The Cybersecurity Framework in Action: An Intel Use Case
- A 10 page Framework case study
- Pilot in Intel’s Office of Enterprise Infrastructure
- Customized Implementation Tiers
- Interviewed subject matter experts to assign Tier scores at the Category level
- Compared to an optimal Tier assignment at the Category level to determine gaps


Category Gap Analysis – The Cybersecurity Framework in Action: An Intel Use Case
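The gap analysis the deck describes twice, as Steps 3 to 7 of the 7 Step Process (Current Profile, Target Profile, prioritized gaps, action plan, with the As-Is / To-Be / Priority / Gaps / Budget table) and as Intel's approach of scoring each Category at a Tier and comparing it with an optimal Tier, can be carried out mechanically once the Profiles are written down as data. The script below is an added example, not code from NIST, Intel or any of the resources the deck lists. The Category IDs come from the Core slide; the Tier scores, priorities and closing costs are constructed sample data, and the greedy year-by-year budgeting is one simple scheduling rule chosen for the example, not a method the Framework prescribes.

```python
"""Profile gap analysis over a slice of the Cybersecurity Framework Core.

Added example. Models the 7 Step Process (Current Profile -> Target Profile
-> prioritized gaps -> action plan) using the Implementation Tiers as the
scoring scale for each Category, as in the Intel use case.
"""
from dataclasses import dataclass

# Implementation Tiers from the deck, ordered so they can be compared.
TIERS = {"Partial": 1, "Risk Informed": 2, "Repeatable": 3, "Adaptive": 4}
PRIORITY_RANK = {"High": 3, "Moderate": 2, "Low": 1}

# Constructed sample data. Category IDs are from the Core slide; the tier
# assignments, priorities and closing costs are made up for this example.
CURRENT_PROFILE = {  # Step 3: Tier assigned to each Category today
    "ID.AM": "Risk Informed", "ID.RA": "Partial", "PR.AC": "Repeatable",
    "PR.DS": "Risk Informed", "DE.CM": "Partial", "RS.MI": "Risk Informed",
    "RC.RP": "Partial",
}
TARGET_PROFILE = {  # Step 5: Tier the organization wants to reach
    "ID.AM": "Repeatable", "ID.RA": "Repeatable", "PR.AC": "Repeatable",
    "PR.DS": "Adaptive", "DE.CM": "Repeatable", "RS.MI": "Risk Informed",
    "RC.RP": "Risk Informed",
}
PRIORITY = {  # Step 4 output: business priority per Category
    "ID.AM": "Moderate", "ID.RA": "High", "PR.AC": "High", "PR.DS": "Moderate",
    "DE.CM": "High", "RS.MI": "Low", "RC.RP": "Moderate",
}
COST = {  # estimated budget units needed to close each gap
    "ID.AM": 2, "ID.RA": 3, "PR.AC": 1, "PR.DS": 4, "DE.CM": 3, "RS.MI": 1, "RC.RP": 2,
}


@dataclass(frozen=True)
class Gap:
    category: str
    current: str
    target: str
    priority: str
    cost: int

    @property
    def size(self) -> int:
        """Number of Tier steps between the current and target state."""
        return TIERS[self.target] - TIERS[self.current]


def tier_level(name: str) -> int:
    """Map a Tier name to its level; reject anything outside the four Tiers."""
    try:
        return TIERS[name]
    except KeyError:
        raise ValueError(f"unknown tier {name!r}; expected one of {list(TIERS)}") from None


def find_gaps(current: dict, target: dict, priority: dict, cost: dict) -> list[Gap]:
    """Step 6: compare Profiles and return gaps, highest priority and largest first.

    A Category that was never assessed in the Current Profile is treated as
    Partial, the lowest Tier, so it cannot silently drop out of the analysis.
    """
    gaps = []
    for category, wanted in target.items():
        have = current.get(category, "Partial")
        if tier_level(have) < tier_level(wanted):
            gaps.append(Gap(category, have, wanted,
                            priority.get(category, "Low"), cost.get(category, 0)))
    return sorted(gaps, key=lambda g: (-PRIORITY_RANK[g.priority], -g.size, g.category))


def action_plan(gaps: list[Gap], budget_per_year: int, years: int = 2) -> dict:
    """Step 7: fill each year's budget in priority order; what does not fit is reassessed."""
    plan = {f"Year {y}": [] for y in range(1, years + 1)}
    remaining = {year: budget_per_year for year in plan}
    reassess = []
    for gap in gaps:
        for year in plan:
            if gap.cost <= remaining[year]:
                plan[year].append(gap.category)
                remaining[year] -= gap.cost
                break
        else:
            reassess.append(gap.category)
    plan["reassess"] = reassess
    return plan


if __name__ == "__main__":
    found = find_gaps(CURRENT_PROFILE, TARGET_PROFILE, PRIORITY, COST)
    for g in found:
        print(f"{g.category}: {g.current} -> {g.target} (+{g.size}), "
              f"priority {g.priority}, cost {g.cost}")
    print(action_plan(found, budget_per_year=5))
```

With the sample data, the two High-priority gaps (DE.CM and ID.RA) lead the list, PR.DS is the largest Moderate gap, and under a budget of 5 units a year the plan closes DE.CM and ID.AM in Year 1, ID.RA and RC.RP in Year 2, and leaves PR.DS to be reassessed, which is the "gap none / reassess" outcome the deck's budget table shows. Swapping the greedy rule for a real cost model, or weighting gaps by the risk assessment of Step 4, changes only `action_plan` and the sort key.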

Italy
National Framework for Cybersecurity
- A 121 page national framework
- Based 100% on NIST Framework
- Created with industry and academia
- Published in both Italian and English
- Suggested Subcategory Priorities for Small and Medium Enterprises (SME)
- Qualitative Assessment Criteria
- Capture an approach to risk management that is beyond NIST Framework

Suggested Priorities for SMEs – National Framework for Cybersecurity

Qualitative Assessment Criteria – National Framework for Cybersecurity

Communications Security, Reliability, and Interoperability Council
Cybersecurity Risk Management and Best Practices, Working Group 4: Final Report
- A 400 page security guide
- Profiles for five different telecommunications segments – Broadcast, Cable, Satellite, Wireless, Wireline
- Requirements and Barriers to Implementation
- Small and Medium Business guidance

Subcategory Scope, Criticality, and Difficulty – Cable Segment – Cybersecurity Risk Management and Best Practices, Working Group 4: Final Report

Prioritized Practices – Cable Segment – Cybersecurity Risk Management and Best Practices, Working Group 4: Final Report

Requirements and Barriers to Implementation – Cybersecurity Risk Management and Best Practices, Working Group 4: Final Report

Department of Energy
Energy Sector Cybersecurity Framework Implementation Guidance
- A 49 page Framework implementation guide
- Heavy emphasis on mapping Framework to Cybersecurity Capability Maturity Model (C2M2)
- A view of organizational approaches to gap analysis
- Provides additional detail for 7 Step Framework process
- Maps Framework Implementation Tiers to C2M2 MILs

DoE Framework Implementation Approach
Energy Sector Cybersecurity Framework Implementation Guidance
- An effective communications and an iterative feedback loop for continuous improvement
- Similar to Electricity Subsector Cybersecurity Risk Management Process Guideline [RMP; DOE 2012b]

Detailed 7 Step Framework Process – Energy Sector Cybersecurity Framework Implementation Guidance

Gap Analysis by Organization Approach – Energy Sector Cybersecurity Framework Implementation Guidance

Implementation Tiers – to – C2M2 MILs – Energy Sector Cybersecurity Framework Implementation Guidance

Framework Core – to – C2M2 MILs – Energy Sector Cybersecurity Framework Implementation Guidance

Examples of U.S. State & Local Use

Texas, Department of Information Resources
- Aligned Agency Security Plans with Framework
- Aligned Product and Service Vendor Requirements with Framework

North Dakota, Information Technology Department
- Allocated Roles & Responsibilities using Framework
- Adopted the Framework into their Security Operation Strategy

Houston, Greater Houston Partnership
- Integrated Framework into their Cybersecurity Guide
- Offer On-Line Framework Self-Assessment

National Association of State CIOs
- 2 out of 3 CIOs from the 2015 NASCIO Awards cited Framework as a part of their award-winning strategy

New Jersey
- Developed a cybersecurity framework that aligns controls and procedures with Framework

Stakeholder Recommended Actions

NIST applauds stakeholders for their efforts around the Framework thus far. To sustain the growth of a healthy Framework ecosystem, NIST asks that stakeholders:
- Customize the Framework for your sector or community
- Publish a sector or community Profile or relevant “crosswalk.”
- Advocate for the Framework throughout your sector or community, with related sectors and communities.
- Publish “summaries of use” or case studies of your Framework implementation.
- Share your Framework resources with NIST at cyberframework@nist.gov.

Framework Next Steps

NIST will proceed with a Minor update that aims to clarify and refine the Framework while minimizing disruption to stakeholders. Updates may include:
- Updating the Informative References
- Clarifying guidance on the Implementation Tiers
- Cyber Threat Intelligence in the Core
- Guidance for applying the Framework in supply chain risk management
- And more

Look for refinement to take place outside of the Core as well:
- The Framework Roadmap
- Frequently Asked Questions
- Related work products and NIST publications
- Framework Governance Methodology
- Framework Self-assessment criteria

NIST seeks to release a Framework draft for comment in early 2017

Resources
Where to Learn More and Stay Current

The National Institute of Standards and Technology Website is available at http://www.nist.gov
NIST Computer Security Division Computer Security Resource Center is available at http://csrc.nist.gov/
The Framework for Improving Critical Infrastructure Cybersecurity and related news and information are available at www.nist.gov/cyberframework
For additional Framework info and help: cyberframework@nist.gov
