Upload
nelson-quinn
View
222
Download
2
Tags:
Embed Size (px)
Citation preview
Agenda
What are critical infrastructures?
What are the CIP policy drivers?
The differences between CIP/CIIP and
cyber security
Resiliency rules
What is Critical Infrastructure?
Critical infrastructures are generally thought of as the key systems, services and functions whose disruption or destruction would have a debilitating impact on public health and safety, commerce, and national security or any combination of those matters.
These include communications, energy, banking, transportation, public health and safety and essential government services.
NaturalNaturalDisasterDisaster
DirectivesDirectives
ResponseResponsePlansPlans Laws &Laws &
RegulationsRegulations
TerrorismTerrorism
WARWARWARWAR
IT IT AttacksAttacks ConvergenceConvergence
GlobalizationGlobalization
DependenceDependence
CIP Policy Drivers
Info & Comms
Energy
Transportation
Banking
Government
Services
Cybersecurity
Critical Infrastructures
Critical Information InfrastructureCross-Cutting ICT interdependencies among all sectors
Non-essential IT systems
Larg
e En
terp
rises
Pers
onal
user
s
Those practices and procedures that enable the secure use and operation of cyber tools and technologies
CIP/CIIP and Cybersecurity
Understanding the Differences
Resiliency Rules
1. Define Goals and Roles
2. Identify and Prioritize Critical Functions
3. Continuously Assess and Manage Risks
4. Establish and Exercise Emergency plans
5. Create Public-Private Partnerships
6. Build Security/Resiliency into Operations
7. Update and Innovate Technology/Processes
7 Steps for Critical Infrastructure Protection
CIP Roles Understanding Roles Promotes Coordination
Assess Risks
Identify Controls and Mitigations
Implement Controls
Measure Effectiveness
Government“What’s the goal”
Determine Acceptable Risk Levels
Infrastructure“Prioritize Risks”
Public-Private Partnership“What’s critical”
Operators“Best control solutions”
Define Policy and Identify Roles
Define Roles
CIIP CIIP
Coordinator Coordinator
(Executive (Executive
Sponsor)Sponsor)
Sector Sector
Specific Specific
AgencyAgency
Law Law
EnforcementEnforcement
Computer Computer
Emergency Emergency
Response TeamResponse Team
Infrastructure Infrastructure
Owners and Owners and
OperatorsOperatorsPublic-Private Public-Private
PartnershipsPartnerships
IT Vendors IT Vendors
and and
Solution Solution
ProvidersProviders
Government Shared Private
Identify and Prioritize Critical Functions
Establish an open dialogue to understand the critical functions, infrastructure elements, and key resources necessary for delivering essential
services, maintaining the orderly
operations of the economy, and
ensuring public safety.
Collaborate to understand Interdependencies
Critical Function
Critical Function
Key Resource
Key Resource
Infrastructure Element
Infrastructure Element
Critical Function
Key ResourceInfrastructure Element
Supply Chain
Supply Chain
Supply Chain
Supply Chain
Supply Chain
Supply Chain
Supply Chain
Supply Chain
Supply Chain
Supply Chain
Understand Interdependencie
s
Continuously Assess and Manage Risks
Protection is the Continuous Application of Risk Management
• Define Functional Requirements• Evaluate Proposed Controls• Estimate Risk Reduction/Cost Benefit• Select Mitigation Strategy
• Define Functional Requirements• Evaluate Proposed Controls• Estimate Risk Reduction/Cost Benefit• Select Mitigation Strategy
• Seek Holistic Approach. • Organize by Control Effectiveness • Implement Defense-in Depth
• Seek Holistic Approach. • Organize by Control Effectiveness • Implement Defense-in Depth
• Evaluate Program Effectiveness•Leverage Findings to Improve Risk Management
• Evaluate Program Effectiveness•Leverage Findings to Improve Risk Management
• Identify Key Functions• Assess Risks • Evaluate Consequences
• Identify Key Functions• Assess Risks • Evaluate Consequences
Establish and Exercise Emergency plans
Public and private sector organizations can benefit from developing joint plans for managing emergencies – including recovering critical functions in the event of significant incidents, including but limited to natural disasters, terrorist attacks, technological failures or accidents.
Emergency response plans can mitigate damage and promote resiliency.
Effective emergency response plans are generally short and highly actionable so they can be readily tested, evaluated, and implemented.
Testing and exercising emergency plans promotes trust, understanding and greater operational coordination among public and private sector organizations.
Exercises also provide an important opportunity to identify new risk factors that can be addressed in response plans or controlled through regular risk management functions.
Improve Operational Coordination
Create Public-Private Partnerships
Voluntary public-private partnerships Promote trusted relationships needed for
information sharing and collaborating on difficult problems,
Leverage the unique skills of government and private sector organizations, and
Provide the flexibility needed to collaboratively address today’s dynamic threat environment
Build Security and Resiliency into Ops
Organizational incentives can drive security development lifecycle principles into all line of business
Leveraging the security lifecycle promotes secure and resilient organizations and products
DesignDefine security architecture and design guidelines Document elements of software attack surfaceThreat Modeling
Standards, best practices, and toolsApply coding and testing standardsApply security tools (fuzzing tools, static-analysis tools, etc)
Security PushSecurity code reviewsFocused security testingReview against new threatsMeet signoff criteria
Final Security Review Independent review conducted by the security team Penetration testingArchiving ofcompliance info
RTM and DeploymentSignoff
Security ResponsePlan and process in placeFeedback loop back into the development processPostmortems
Product InceptionAssign security advisorIdentify security milestonesPlan security integration into product
The Security Development Lifecycle
Driving Change Across Microsoft
Update and Innovate Technology/ProcessesCyber threats are constantly evolvingPolicy makers, enterprise owner and
operators can prepare for changes in threats by Monitoring trendsKeeping systems patchedMaintaining the latest versions of software that
have been built for the current threat environment.
Guidance
Developer Tools
SystemsManagementActive Directory Active Directory
Federation Services Federation Services (ADFS)(ADFS)
Identity Management
Services
Information Protection
Encrypting File System (EFS)
Encrypting File System (EFS)
BitLocker™
BitLocker™
Network Access Protection (NAP)
Client and Server OS
Server Applications
Edge
Microsoft Innovations DriveMicrosoft Innovations Drive