NIST Cybersecurity Framework (CSF) for Critical Infrastructures Andrew


NIST Cybersecurity Framework (CSF) for Critical Infrastructures
Andrew Yang, Ph.D., CISSP
Executive Director, Cyber Security Institute
Associate Professor of CS, CIS, IT

Cybersecurity Framework is dead. Really?

A bunch of questions about cybersecurity frameworks
- What is a cybersecurity framework?
- Why do we need a framework?
- Will adopting a framework reduce the organization's IT security risk?
- Will adopting a framework provide sufficient security to the organization?

Outline
- What is a cybersecurity framework?
- The NIST Cybersecurity Framework
- Use and Implications of the CSF
- Discussions

http://whatis.techtarget.com/definition/framework:
"A framework is a real or conceptual structure intended to serve as a support or guide for the building of something that expands the structure into something useful."
Example: the Zachman Framework (for Enterprise Architecture and Information Systems Architecture), "a logical structure intended to provide a comprehensive representation of an information technology enterprise that is independent of the tools and methods used in any particular IT business."

Too many frameworks!
- ISO/IEC 27001 & 27002 (formerly ISO 17799)
- NIST SP 800-53: Security and Privacy Controls for Federal Information Systems and Organizations
- Federal Enterprise Architecture Framework (FEAF)
- Sherwood Applied Business Security Architecture (SABSA)
- NIST SP 800-39: Risk Management Framework
- Security in major IT management frameworks

Feb. 12, 2013: the Obama administration issued an executive order for improving critical infrastructure cybersecurity. Several mandates:
- Expanding information sharing
- Establishing a cybersecurity framework
The executive order calls for NIST to establish a baseline framework to reduce cyber risk to critical infrastructure.
- Oct. 2013: first draft of the framework
- Feb. 2014: final draft (v1.0)

Risk Management Model
Source: http://en.wikipedia.org/wiki/IT_risk_management

Cybersecurity framework?
"The security professional needs to adhere to a framework. Once the security professional begins to bring order to the organization's security program, they are implementing a framework."
- http://www.securitycurrent.com/en/writers/david-sheidlower/security-where-myths-should-go-to-die
Benefits:
- From chaos to order and organization
- Manageable practice
- From tools / mechanisms, to architecture / policy, to strategy / governance

The NIST Cybersecurity Framework

"Framework for Improving Critical Infrastructure Cybersecurity," version 1.0, the National Institute of Standards and Technology (NIST), February 12, 2014.
- A response to the President's Executive Order 13636, "Improving Critical Infrastructure Cybersecurity," of February 12, 2013.
- Critical infrastructure: "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters."
- A voluntary, risk-based Cybersecurity Framework: a set of industry standards and best practices to help organizations manage cybersecurity risks.
- The Framework is technology neutral.

Using the Framework
Building from standards, guidelines, and practices, the Framework provides a common taxonomy and mechanism for organizations to:
1) Describe their current cybersecurity posture;
2) Describe their target state for cybersecurity;
3) Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process;
4) Assess progress toward the target state;
5) Communicate among internal and external stakeholders about cybersecurity risk.

NIST Cybersecurity Framework
Three parts:
- The Framework Core
- The Framework Profile
- The Framework Implementation Tiers

Framework Core
- A set of activities, outcomes, and informative references
- Provides the detailed guidance for developing individual organizational Profiles

Framework Core
Five concurrent and continuous Functions:
- Identify
- Protect
- Detect
- Respond
- Recover
Altogether, the Functions provide a high-level, strategic view of the lifecycle of an organization's management of cybersecurity risk.

Functions organize basic cybersecurity activities at their highest level.
Categories are the subdivisions of a Function into groups of cybersecurity outcomes closely tied to programmatic needs and particular activities.
- Example Categories: Asset Management, Access Control, Detection Processes.

Framework Profile
- Represents the outcomes, based on business needs, that an organization has selected from the Framework Categories and Subcategories
- Aligns standards, guidelines, and practices to the Framework Core in a particular implementation scenario
- Current Profile
- Target Profile
- Comparison of Profiles may reveal gaps to be addressed to meet cybersecurity risk management objectives.

Framework Profile
- The Framework document does not prescribe Profile templates, allowing for flexibility in implementation.
- Example profiles can be found at http://www.nist.gov/itl/upload/discussion-draft_illustrative-examples-082813.pdf
- Example Profiles for Threat Mitigation:
  1. Mitigating intrusions
  2. Mitigating malware
  3. Mitigating insider threats

Coordination of Framework Implementation

Implementation Tiers
- Describe the degree to which an organization's cybersecurity risk management practices exhibit the characteristics defined in the Framework.
- Characterize an organization's practices over a range from Partial (Tier 1) to Adaptive (Tier 4):
  - Partial: risks are managed in an ad hoc manner.
  - Risk Informed: risk management practices are approved by management but may not be established as organization-wide policy.
  - Repeatable: risk management practices are formally approved and expressed as policy.
  - Adaptive: the organization adapts its cybersecurity practices based on lessons learned and predictive indicators derived from previous and current cybersecurity activities.
- Reflect a progression from informal, reactive responses to approaches that are agile and risk-informed.
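The Current-versus-Target Profile comparison from the Profile slides, scored with the Implementation Tiers just described, carried through in code. This is an added example (mine, not NIST's or the deck's): it assumes each Category is scored with one Tier number, uses the real CSF v1.0 Category identifiers ID.AM, PR.AC and DE.DP for the three Categories the slides name, and the two sample Profiles are constructed data.

```python
"""Current-vs-Target CSF Profile gap analysis (added example, not NIST's or
the slides' code). Each Category is scored with an Implementation Tier
(1 = Partial .. 4 = Adaptive). ID.AM, PR.AC and DE.DP are the real CSF v1.0
identifiers of the Categories the slides name; tier scores are constructed."""
from dataclasses import dataclass
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}
# Framework Core, reduced to the three Categories named on the slides.
CORE = {"Identify": {"ID.AM": "Asset Management"},
        "Protect": {"PR.AC": "Access Control"},
        "Detect": {"DE.DP": "Detection Processes"}}
CATEGORY_FUNCTION = {cat: fn for fn, cats in CORE.items() for cat in cats}

@dataclass(frozen=True)
class Gap:
    function: str
    category: str
    current: int  # Tier the organization has reached
    target: int   # Tier selected in the Target Profile

    @property
    def size(self) -> int:
        return self.target - self.current

def validate_profile(profile: dict) -> None:
    """Reject Categories outside the Core and Tiers outside 1..4."""
    for cat, tier in profile.items():
        if cat not in CATEGORY_FUNCTION:
            raise ValueError(f"unknown Category {cat!r}")
        if tier not in TIERS:
            raise ValueError(f"invalid Tier {tier!r} for {cat}")

def gap_analysis(current: dict, target: dict) -> list:
    """Categories where Target exceeds Current, largest gap first; a Target
    Category never assessed in the Current Profile counts as Tier 1."""
    validate_profile(current)
    validate_profile(target)
    gaps = [Gap(CATEGORY_FUNCTION[c], c, current.get(c, 1), t)
            for c, t in target.items() if t > current.get(c, 1)]
    return sorted(gaps, key=lambda g: (-g.size, g.category))

def exceeds_target(current: dict, target: dict) -> list:
    """Categories whose current practice already exceeds the Target Tier."""
    return sorted(c for c, t in current.items() if t > target.get(c, 4))
CURRENT_PROFILE = {"ID.AM": 2, "PR.AC": 4, "DE.DP": 1}  # constructed sample
TARGET_PROFILE = {"ID.AM": 3, "PR.AC": 3, "DE.DP": 3}   # constructed sample
if __name__ == "__main__":
    for g in gap_analysis(CURRENT_PROFILE, TARGET_PROFILE):
        print(f"{g.function}/{g.category}: {TIERS[g.current]} -> "
              f"{TIERS[g.target]} (gap {g.size})")
```

The sorted gap list is the prioritised work list the Profile slides speak of; the exceeds_target list is the "practices may exceed the Framework" case the energy-sector guidance later mentions.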

Use and Implications of the CSF

Rodney Brown, "Cyber-Security Standards for Major Infrastructure," InformationWeek::reports, Jan. 2014:
"In a March 12 (2014) instruction (8501.01), DoD Chief Information Officer Teri Takai said that starting that same day, defense and military systems will henceforth go through the risk management framework outlined by the National Institute of Standards and Technology rather than through the now-defunct DoD Information Assurance Certification and Accreditation Process (DIACAP)."

Rodney Brown, "Cyber-Security Standards for Major Infrastructure," InformationWeek::reports, Jan. 2014:
"The Cybersecurity Framework is likely to become the liability floor, much like Sarbanes-Oxley has become."

Jon W. Burd, "Cybersecurity Developments: Does the NIST Voluntary Framework Portend New Requirements for Contractors?" Fall 2013 Government Contracts Issue Update, Wiley Rein, LLP:
"The framework is intended to complement existing business and cybersecurity operations for organizations with formal existing plans and policies, or to serve as a template for organizations that create new programs. For government contractors, in particular, one incentive agencies could adopt, either through formal rulemaking or on an ad hoc basis, is a preference for framework participants in competitions for federal information technology (IT) or cyber-related contracts."

Earl Perkins, "NIST Framework Establishes Risk Basics for Critical Infrastructure," Gartner.com, Feb. 18, 2014. https://www.gartner.com/doc/2667132/nist-framework-establishes-risk-basics

"The Framework for Critical Infrastructure is a useful tool for managing cybersecurity risk, but will not replace risk management programs."
- The CSF is not designed to replace large-scale cybersecurity risk programs or existing operational frameworks such as COBIT or ISO 2700x.
- The CSF serves as a taxonomy for risk management of critical infrastructure in a cybersecurity context.
- The CSF is an absolute minimum of guidance for new or existing cybersecurity risk programs, and is a legal framework for aligning IT to OT security.
- The core, tiers and profile elements address combined cybersecurity risks for IT/OT by providing a single approach, one Gartner believes is urgently needed.

Gartner Recommendations
- Enterprises: Use the CSF as a legal framework to map your IT/OT risks. Avoid making long-term procurement- or compliance-based decisions from the CSF's guidance in its current state, as it is missing key components. Continue to apply standards that are well-accepted by your respective industries.
- Critical infrastructure companies with existing cybersecurity risk programs: Use the CSF to validate program completeness.
- Enterprises with nascent cybersecurity risk management programs: Use the CSF as a starting point for cybersecurity risk planning, as a self-assessment tool and as a reference to weigh consulting offerings.
- Companies with considerable IT/OT assets: Use the CSF as an aid to align and integrate cybersecurity risk management across corporate and industrial control/automation requirements.

U.S. Department of Energy, "Use of the NIST Cybersecurity Framework & DOE C2M2," Feb. 2014.
http://energy.gov/sites/prod/files/2014/02/f7/Use-of-NIST-Cybersecurity-Framework-DOE-C2M2.pdf

Energy Sector Cybersecurity Framework Implementation Guidance - Draft for Public Comment & Comment Submission Form (September 2014)
http://energy.gov/oe/downloads/energy-sector-cybersecurity-framework-implementation-guidance-draft-public-comment
This Framework Implementation Guidance is designed to assist energy sector organizations to:
- Characterize their current and target cybersecurity posture.
- Identify gaps in their existing cybersecurity risk management programs, using the Framework as a guide, and identify areas where current practices may exceed the Framework.
- Recognize that existing sector tools, standards, and guidelines may support Framework implementation.
- Effectively demonstrate and communicate their risk management approach and use of the Framework to both internal and external stakeholders.

Discussions

Review Questions
- What is a cybersecurity framework?
- Why do we need a framework?
- Will adopting a framework reduce the organization's IT security risk?
- Will adopting a framework provide sufficient security to the organization?

Richard Stiennon, "Floundering Frameworks: NIST as a Case in Point," SecurityCurrent, Oct. 24, 2013:
http://www.securitycurrent.com/en/writers/richard-stiennon/floundering-frameworks-nist-as-a-case-in-point
"When the NIST Cybersecurity Framework is completed it will, at best, become shelfware. At worst, Congress will eventually create a law requiring critical infrastructure operators to implement the Framework. Thanks to strong lobbying on the part of the regulated, the law will provide funding for implementation of the Framework, funding that will fill the pockets of audit firms and consultants. At the end of the day the risk of a debilitating cyber attack will have been reduced by exactly zero."

NIST Roadmap for Improving Critical Infrastructure Cybersecurity, February 12, 2014
- Strengthening Private Sector Involvement in Future Governance of the Framework
- Section 4: Areas for Development, Alignment, and Collaboration
  4.1 Authentication
  4.2 Automated indicator sharing
  4.3 Conformity assessment
  4.4 Cybersecurity workforce
  4.5 Data analytics
  4.6 Federal agency cybersecurity alignment
  4.7 International aspects, impacts, and alignment
  4.8 Supply chain risk management
  4.9 Technical privacy standards

Thanks! Questions?
Andrew Yang
[email protected]
http://www.uhcl.edu/sce/csi
