2014 – Communications Sector Year in Review: Cybersecurity Risk Management Framework
Kathryn Condello, Chair, Communications Sector Coordinating Council

Five Segments: Broadcast, Cable, Satellite, Wireless, and Wireline
Reach: 9700 Network/Service Providers across all 5 segments
Overarching Sector Goals:
• Protect and enhance the overall physical and logical/cyber health of communications;
• Rapidly reconstitute critical communications services during a disruption and mitigate cascading effects; and
• Improve the sector’s National Security / Emergency Preparedness posture with Federal, State, Local, Tribal, Territorial, and private sector entities to reduce risk.
[Diagram: industry/government partnership structure, arranged by Policy, Planning, and Operations. Industry bodies shown: NSTAC, ISAC, C-SCC. Government bodies shown: EOP, C-GCC, NCC.]

Industry Initiatives: Standards, Best Practices, Segment-Only, Internet of Things, ICT Mobilization
Risk Mitigation:
◦ GPS Issues
Assessments:
◦ Qualitative Risk Assessment to the Public Network
Planning:
◦ Joint National Priorities
◦ Communications Sector-Specific Plan
Education/Outreach:
◦ NIST Cybersecurity Framework Education
Information Sharing Partners:
◦ NCCIC, US-CERT, NCC, State Fusion Centers, NCIJTF
◦ National Council of ISACs: FS-ISAC, RE-ISAC, Water-ISAC, MS-ISAC and others
◦ 2014 USG/Sector Info Sharing: > 1200 Notices Received
Exercises:
◦ ESF#2 Training: FEMA Region 1, FEMA Region III
◦ Gov’t/Industry TTX, National Council of ISACs, Aug 2014
◦ Response Planning: Asset Movement to Remote Venues
Education: “Potential” vs. “Real” vs. “CNN” Events
Best Practice Development: CSRIC
1. NextGen 911
2. Wireless Emergency Alerts
3. Emergency Alert System
4. Cybersecurity Best Practices (NIST CSF)
5. Remediation of Server-Based DDoS Attacks
6. Long-term Core Internet Protocols Improvements
7. Legacy Best Practice Updates
8. Submarine Cable Landing Sites
9. Infrastructure Sharing During Emergencies
10. Customer Premise Equipment
Cybersecurity Framework Core
Five Functions, 22 Categories, 98 Subcategories
Informative references: ISO 27001, NIST 800-53, COBIT

Function ID | Function | Category ID | Category
ID | Identify | ID.AM | Asset Management
ID | Identify | ID.BE | Business Environment
ID | Identify | ID.GV | Governance
ID | Identify | ID.RA | Risk Assessment
ID | Identify | ID.RM | Risk Management Strategy
PR | Protect  | PR.AC | Access Control
PR | Protect  | PR.AT | Awareness & Training
PR | Protect  | PR.DS | Data Security
PR | Protect  | PR.IP | Information Protection Processes and Procedures
PR | Protect  | PR.MA | Maintenance
PR | Protect  | PR.PT | Protective Technology
DE | Detect   | DE.AE | Anomalies & Events
DE | Detect   | DE.CM | Security Continuous Monitoring
DE | Detect   | DE.DP | Detection Processes
RS | Respond  | RS.RP | Response Planning
RS | Respond  | RS.CO | Communications
RS | Respond  | RS.AN | Analysis
RS | Respond  | RS.MI | Mitigation
RS | Respond  | RS.IM | Improvements
RC | Recover  | RC.RP | Recovery Planning
RC | Recover  | RC.IM | Improvements
RC | Recover  | RC.CO | Communications
In order to provide confidence in the resilience and reliability of the core public communications functions in the face of cyber threats, Working Group 4 will develop voluntary mechanisms to provide macro-level assurance to the FCC and the public that communications providers are taking the necessary corporate and operational measures to manage cybersecurity risks across the enterprise. The macro-level assurance will demonstrate how communications providers are reducing cybersecurity risks through the application of the NIST Cybersecurity Framework, or an equivalent construct. These assurances:
(1) can be tailored by individual companies to suit their unique needs, characteristics, and risks (i.e., not one-size-fits-all);
(2) are based on meaningful indicators of successful (and unsuccessful) cyber risk management (i.e., outcome-based indicators as opposed to process metrics); and
(3) allow for meaningful assessments both internally (e.g., CSO and senior corporate management) and externally (e.g., business partners).
Advisors
◦ Donna Dodson, WG4 Sr. Technical Advisor, NIST, Deputy Chief Cybersecurity Advisor & Division Chief for Computer Security Division
◦ Lisa Carnahan, NIST, Computer Scientist
◦ Emily Talaga, WG4 Sr. Economic Advisor, FCC
◦ Tony Sager, Council on Cybersecurity

WG4 Leadership Team
Co-Chairs: Robert Mayer, USTelecom and Brian Allen, Time Warner Cable

Segment Leads
◦ Broadcast: Kelly Williams, NAB
◦ Cable: Matt Tooley, NCTA
◦ Wireless: John Marinho, CTIA
◦ Wireline: Chris Boyer, AT&T
◦ Satellite: Donna Bethea Murphy, Iridium

Feeder Group Initiatives
◦ Requirements and Barriers to Implementation – Co-Leads: Harold Salters, T-Mobile; Larry Clinton, Internet Security Alliance
◦ Mids/Smalls – Co-Leads: Susan Joseph, CableLabs; Jesse Ward, NTCA
◦ Top Cyber Threats and Vectors – Russell Eubanks, Cox; Joe Viens, Time Warner Cable
◦ Ecosystem – Shared Responsibilities – Co-Leads: Tom Soroka, USTelecom; Brian Scarpelli, TIA
◦ Measurement – Co-Leads: Chris Boyer, AT&T; Chris Roosenraad, Time Warner Cable

Drafting Team
Co-Leads – Stacy Hartman and Paul Diamond, CenturyLink; Robert Thornberry, Alcatel-Lucent

Engineering and Operational Review
Co-Leads – Tom Soroka, USTelecom and John Marinho, CTIA
Segment Leads Support
[Diagram: Cyber Ecosystem Players, arranged by layer]
User/Device: Mobility UE, CPE, Provider-managed Gateway, M2M/IoT, Corporations
Device Provider: O/S, Embedded Systems, OEM, AV/IDS/MDM
Provider Edge: Internet Control Plane (DNS/BGP/TCP/IP), Macro Wireless, WiFi, Broadband, High-Speed Access, Satellite
Core: Internet Control Plane (DNS/BGP/TCP/IP), Public Peering, Private Peering, Private Networks, Mobility EPC
Infrastructure Provider: Internet Control Plane (DNS/BGP/TCP/IP), DNS & IP Registrars | CAs, Cloud, Hosting, CDN, MSS
Application/Content: OTT Comms, Social Networks, Video, Applications
Also shown: Standards/Policies/Practices (e.g., IETF), Physical Security, Malicious Actors
One of the more comprehensive ‘Ecosystem’ diagrams comes from a joint industry/government partnership called the U.S. Communications Sector Coordinating Council (CSCC). The Ecosystem Feeder Group determined that this diagram captured a large number of the previously identified Ecosystem categories and that it was an excellent depiction of the various ‘Cyber’ Ecosystem relationships within the Communications Sector.
Issue: Critical infrastructure sectors, including the financial sector, have been under assault from a barrage of DDoS attacks emanating from data centers and hosting providers.
Deliverable: Recommend measures communications providers can take to mitigate the incidence and impact of DDoS attacks from data centers and hosting providers, particularly those targeting the information systems of critical sectors.
Participating organizations:
◦ ACS
◦ Akamai/Prolexic
◦ Arbor Networks
◦ AT&T
◦ ATIS
◦ Bell Labs, Alcatel-Lucent
◦ CAUCE
◦ CenturyLink
◦ Comcast
◦ Cox Communications
◦ CSG International
◦ CTIA
◦ DHS
◦ Fed Reserve Board of Governors
◦ FSSCC
◦ Google
◦ IEEE
◦ Internet Identity
◦ Intrado
◦ MAAWG
◦ Microsoft
◦ NCTA
◦ Neustar
◦ Nsight
◦ NTT
◦ Online Trust Alliance
◦ PA Public Utility Commission
◦ Public Interest Registry
◦ Shadowserver
◦ Sprint
◦ Time Warner Cable
◦ Univ of Oregon/Internet2
◦ VeriSign, Inc.
◦ Verizon
◦ Wells Fargo
◦ Windstream
http://www.fcc.gov/encyclopedia/communications-security-reliability-and-interoperability-council-iv
Plan Locally: a “whole of community” approach to advance the national resilience effort
Respond Globally: a “borderless” approach to advance cyber response norms
Planning:
◦ National Resiliency Framework
◦ Development of an Information Sharing “Framework”
Assessment: Sector Cyber Measures (WG4)
Dependency / Inter-Dependency Analysis:
◦ Electricity Sector (ESCC + CSCC Issues)
◦ Data Center Dependencies (Regional Assessment)
◦ Financial Services Dependencies on Data Centers (Regional Assessment)
Regional Risk Assessments:
◦ Data Center Dependencies: Ashburn, VA
◦ Financial Services Dependencies: Chicago, IL
Findings from Regional Risk Assessments are reviewed for incorporation into Sector Best Practices.
Cloud/Data Centers are increasingly relied upon for functions critical to the Nation’s security.
No specific SCC or ISAC exists for Cloud/Data Center Providers
◦ Suggest alignment with the IT or Communications Sector
National Security Telecommunications Advisory Committee – dhs.gov/nstac
Communications Sector Coordinating Council – commscc.org
National Coordinating Center for Communications (NCC), National Cybersecurity & Communications Integration Center, Department of Homeland Security – dhs.gov/national-coordinating-center-communications
Communications Security, Reliability and Interoperability Council (IV) – www.fcc.gov

Kathryn Condello, CenturyLink, Director, National Security / Emergency Preparedness
Questions?