Page 1: The Presidential Directive on Improving Critical ...cermacademy.com/wp-content/uploads/2014/04/NISTCybersecurity...The Presidential Directive on Improving Critical Infrastructure

4/1/14 Webinar Sponsored by Computer Aid, Inc.

Slide: 1

The Presidential Directive on Improving Critical Infrastructure

Cybersecurity: The NIST Cybersecurity Framework

Carolyn Turbyfill Ph.D. [email protected] © Quality + Engineering QualityPlusEngineering.com CERMAcademy.com 800.COMPETE Oregon 503.233.1012


Slide: 2

Dr. Carolyn Turbyfill Principal Cyber Security Consultant Quality + Engineering [email protected]

Hosted by:

Michael Milutis Director of Marketing Computer Aid, Inc. (CAI) [email protected]


Slide: 3

CAI Achieves IT Operational Excellence

www.compaid.com


Slide: 4

PDU Credits Available for this Webinar

•  The PMI has accredited this webinar with PDUs

•  You will be eligible to receive 1.0 PDU credits

•  Your PDU email will be sent to you within 24 hours


Slide: 5

Online Webinar Recordings NOW AVAILABLE •  Anytime Access •  Hundreds of Topics

Visit: www.ITMPI.org/library


Slide: 6

Enjoy the benefits of ITMPI Membership JOIN TODAY! •  UNLIMITED Free Webinar Recordings •  UNLIMITED Free PDU Credits •  Hundreds of Topics

Visit: www.ITMPI.org/subscribe


Slide: 7

About Quality + Engineering

Q+E Background:
•  Critical Infrastructure Protection: Forensics, Assurance, Analytics® - US Department of Homeland Security Safety Act Certified
•  Q+E technologies are DHS "Qualified Anti-Terrorist Technologies"
•  Developer of Cyber Security and Asymmetric conflict webinar series

CERM Academy Background:
•  Developer of Certified Enterprise Risk Manager® Certificates:
   –  CERM - Electric Reliability
   –  CERM - Aerospace
   –  CERM - Cyber
•  Developer of Value Added Auditing®
•  Publisher of CERM Risk Insights: http://insights.cermacademy.com/


Slide: 8

Q+E DHS Certification CIP/FAA


Slide: 9

Dr. Carolyn Turbyfill [email protected]
Principal Cyber Security Consultant at Q+E

Experience in: Public Companies, Startups, Research, Federal & State Government, Turnarounds, Industry Associations, University Teaching, Consulting, Distributed Development (U.S. & International)

•  20 Years Experience Developing Innovative Security
•  CIP - Critical Infrastructure Protection
•  CERM Certified – Certified Enterprise Risk Management

Track record building leading edge technologies and products:
•  The first database benchmark using experimental design techniques, the Wisconsin Benchmark;
•  One of the first wireless LANs with radio, antenna and IP Layer encryption;
•  The first Firewall Appliance, SunScreen SPF 100, which also included a certificate authority and one of the first commercial IP Layer VPNs, SKIP;
•  The first round-trip email marketing systems with interactive Java applets and the precursor to PayPal;
•  The first Managed Security Service at Counterpane Internet Security;
•  The first virtualized automated test environments for application stacks, the StackSafe Test Center.


Slide: 10

The White House Office of the Press Secretary Released: EXECUTIVE ORDER

IMPROVING CRITICAL INFRASTRUCTURE CYBERSECURITY

whitehouse-executive-order-improving-critical-infrastructure-cybersecurity

February 12, 2013

February 13, 2014 NIST is scheduled to release:

CYBERSECURITY FRAMEWORK 1.0 http://www.nist.gov/cyberframework


Slide: 11

Presidential Directive Section 7. Baseline Framework to Reduce Cyber Risk to Critical Infrastructure

The “Cybersecurity Framework” WHO: The Secretary of Commerce shall direct the Director of NIST (the "Director") WHAT: to lead the development of a framework to reduce cyber risks to critical infrastructure.


Slide: 12

16 Critical Infrastructure Sectors

Chemical
Commercial Facilities
Communications
Critical Manufacturing
Dams
Defense Industrial Base
Emergency Services
Energy Sector
Financial Services
Food and Agriculture
Government Facilities
Healthcare and Public Health
Information Technology
Nuclear Reactors, Materials and Waste
Transportation Systems
Water and Wastewater Systems


Slide: 13

Sec. 7. Baseline Framework to Reduce Cyber Risk to Critical Infrastructure. The “Cybersecurity Framework”

Framework:

•  Set of Standards •  Methodologies •  Procedures •  Processes

that align approach to cyber risks including •  Policy •  Business •  Technology


Slide: 14

Sec. 7. Baseline Framework to Reduce Cyber Risk to Critical Infrastructure. The “Cybersecurity Framework”

The Cybersecurity Framework shall incorporate,

•  voluntary consensus standards and

•  industry best practices

to the fullest extent possible. A cybersecurity framework for critical infrastructure owners is voluntary but will become the de facto standard for litigators and regulators. Here's how to prepare:

NIST Cybersecurity Framework: Don’t Underestimate It


Slide: 15

NIST Framework Core Functions, Categories, Subcategories, Informative References


Slide: 16

FUNCTIONS Functions organize basic cybersecurity activities at their highest level. These Functions are: Identify, Protect, Detect, Respond, and Recover. The functions aid in communicating the state of an organization’s cybersecurity activities by organizing information, enabling risk management decisions, addressing threats, and improving by learning from previous activities. The functions also align with existing methodologies for incident management, and can be used to help show the impact of investments in cybersecurity. For example, investments in planning and exercises support timely response and recovery actions, resulting in reduced impact to delivery of services.


Slide: 17

FUNCTIONS: Categories

Categories are the subdivisions of a Function into groups of cybersecurity outcomes, closely tied to programmatic needs and particular activities. Examples of Categories include:

•  “Asset Management,”
•  “Access Control,”
•  “Detection Processes.”


Slide: 18

FUNCTIONS: Subcategories

Subcategories further subdivide a Category into high-level outcomes, but are not intended to be a comprehensive set of practices to support a category.

Examples of subcategories include:
•  “Physical devices and systems within the organization are catalogued,”
•  “Data-at-rest is protected,” and
•  “Notifications from the detection system are investigated.”


Slide: 19

FUNCTIONS: Informative References

Informative References are specific sections of standards, guidelines, and practices common among critical infrastructure sectors and illustrate a method to accomplish the activities within each Subcategory. The Subcategories are derived from the Informative References. The Informative References presented in the Framework Core are not exhaustive but are example sets, and organizations are free to implement other standards, guidelines, and practices.


Slide: 20

Editable Version FRAMEWORK CORE

FUNCTIONS | CATEGORIES | SUBCATEGORY | INFORMATIVE REFERENCE(S)
IDENTIFY | | |
PROTECT | | |
DETECT | | |
RESPOND | | |
RECOVER | | |


Slide: 21

THE IDENTIFY FUNCTION Identify – Develop the institutional understanding to manage cybersecurity risk to organizational systems, assets, data, and capabilities. The Identify Function includes the following categories of outcomes:

•  Asset Management, •  Business Environment, •  Governance, •  Risk Assessment, and •  Risk Management Strategy.

The activities in the Identify Function are foundational for effective implementation of the Framework. Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enables an organization to focus its efforts and resources. Defining a risk management strategy enables risk decisions consistent with the business needs of the organization.


Slide: 22

THE PROTECT FUNCTION Protect – Develop and implement the appropriate safeguards, prioritized through the organization’s risk management process, to ensure delivery of critical infrastructure services. The Protect function includes the following categories of outcomes: Access Control, Awareness and Training, Data Security, Information Protection Processes and Procedures, and Protective Technology. The Protect activities are performed consistent with the organization’s risk strategy defined in the Identify function.


Slide: 23

THE DETECT FUNCTION

Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event. The Detect function includes the following categories of outcomes: •  Anomalies and Events, •  Security Continuous Monitoring, and •  Detection Processes. The Detect function enables timely response and the potential to limit or contain the impact of potential cyber incidents.


Slide: 24

THE RESPOND FUNCTION Respond – Develop and implement the appropriate activities, prioritized through the organization’s risk management process (including effective planning), to take action regarding a detected cybersecurity event. The Respond function includes the following categories of outcomes: •  Response Planning, •  Analysis, •  Mitigation, and •  Improvements. The Respond function is performed consistent with the business context and risk strategy defined in the Identify function. The activities in the Respond function support the ability to contain the impact of a potential cybersecurity event.


Slide: 25

THE RECOVER FUNCTION Recover – Develop and implement the appropriate activities, prioritized through the organization’s risk management process, to restore the capabilities or critical infrastructure services that were impaired through a cybersecurity event. The Recover function includes the following categories of outcomes: •  Recovery Planning, •  Improvements, and •  Communications. The activities performed in the Recover function are performed consistent with the business context and risk strategy defined in the Identify function. The activities in the Recover function support timely recovery to normal operations to reduce the impact from a cybersecurity event.


Slide: 26

Example FRAMEWORK CORE

FUNCTIONS | CATEGORIES | SUBCATEGORY | INFORMATIVE REFERENCE(S)
IDENTIFY | Asset Management (AM) | Inventory / track physical | ISO/IEC 27001 A.7.1.1, A.7.1.2
IDENTIFY | Asset Management (AM) | Identify vulnerabilities | NIST SP 800-53 Rev. 4 CA-2, RA-3, SI-5
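As an added example (not code from the webinar or from NIST), the Python below models the Framework Core hierarchy shown in the table above and walks a Current Profile against a Target Profile, listing each outcome gap together with the Informative References the Core gives for it. The subcategory identifiers, the Profile values, and the two reference-free rows (taken from the subcategory examples earlier in the deck) are constructed for this example.

```python
# Added example (not from the webinar or NIST): a small model of the Framework
# Core (Functions > Categories > Subcategories > Informative References) and a
# Current-vs-Target Profile gap analysis over it. Subcategory identifiers and
# Profile values are constructed for the example.
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple


@dataclass(frozen=True)
class Subcategory:
    sid: str                     # constructed identifier, e.g. "ID.AM-1"
    outcome: str                 # the high-level outcome statement
    references: Tuple[str, ...]  # Informative References: illustrative, not exhaustive


@dataclass(frozen=True)
class Category:
    name: str
    subcategories: Tuple[Subcategory, ...]


@dataclass(frozen=True)
class Function:
    name: str
    categories: Tuple[Category, ...]


# The two Asset Management rows from the slide's example table, plus two
# subcategory outcomes quoted earlier in the deck for which the deck lists no
# references (left empty on purpose so the gap report has to handle that case).
FRAMEWORK_CORE: Tuple[Function, ...] = (
    Function("IDENTIFY", (
        Category("Asset Management (AM)", (
            Subcategory("ID.AM-1", "Inventory / track physical",
                        ("ISO/IEC 27001 A.7.1.1", "ISO/IEC 27001 A.7.1.2")),
            Subcategory("ID.AM-2", "Identify vulnerabilities",
                        ("NIST SP 800-53 Rev. 4 CA-2", "NIST SP 800-53 Rev. 4 RA-3",
                         "NIST SP 800-53 Rev. 4 SI-5")),
        )),
    )),
    Function("PROTECT", (
        Category("Data Security (DS)", (
            Subcategory("PR.DS-1", "Data-at-rest is protected", ()),
        )),
    )),
    Function("DETECT", (
        Category("Detection Processes (DP)", (
            Subcategory("DE.DP-1",
                        "Notifications from the detection system are investigated", ()),
        )),
    )),
)

# A Profile is a selection of outcomes: subcategory id -> achieved (True/False).
Profile = Dict[str, bool]


def walk_core(core: Tuple[Function, ...] = FRAMEWORK_CORE
              ) -> Iterator[Tuple[Function, Category, Subcategory]]:
    """Yield every (Function, Category, Subcategory) triple in Core order."""
    for fn in core:
        for cat in fn.categories:
            for sub in cat.subcategories:
                yield fn, cat, sub


def unknown_ids(profile: Profile, core=FRAMEWORK_CORE) -> List[str]:
    """Profile keys that are not in the Core (typos in a hand-edited spreadsheet)."""
    known = {sub.sid for _, _, sub in walk_core(core)}
    return sorted(k for k in profile if k not in known)


def profile_gaps(current: Profile, target: Profile, core=FRAMEWORK_CORE) -> List[dict]:
    """Outcomes selected in the Target Profile that the Current Profile does not achieve.

    An empty "references" list means the Core row gives no Informative Reference,
    so the organization picks its own standard or practice, as the Framework allows.
    """
    bad = unknown_ids(current, core) + unknown_ids(target, core)
    if bad:
        raise ValueError(f"profile references ids not in the Core: {bad}")
    gaps = []
    for fn, cat, sub in walk_core(core):
        if target.get(sub.sid, False) and not current.get(sub.sid, False):
            gaps.append({
                "function": fn.name,
                "category": cat.name,
                "subcategory": sub.sid,
                "outcome": sub.outcome,
                "references": list(sub.references),
            })
    return gaps


if __name__ == "__main__":
    # Constructed Profiles: the Target selects every outcome in the Core.
    current = {"ID.AM-1": True, "ID.AM-2": False, "PR.DS-1": True, "DE.DP-1": False}
    target = {sub.sid: True for _, _, sub in walk_core()}
    for gap in profile_gaps(current, target):
        refs = ", ".join(gap["references"]) or "(no Informative Reference listed)"
        print(f'{gap["function"]} / {gap["category"]}: {gap["outcome"]} -> {refs}')
```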


Slide: 27

NIST Framework Decision Flows


Slide: 28

NIST Framework Profile


Slide: 29

Preliminary Framework Compendium A Key NIST Framework Component

The Framework’s compendium of “informative resources” references many (321) standards – including performance and process-based standards.
•  These 321 standards are intended:
   –  to be illustrative
   –  to assist organizations in identifying and selecting standards for their own use
   –  for use to map into the core Framework.
•  The compendium also offers practices and guidelines, including practical implementation guides.


Slide: 30

Cybersecurity Framework 1.0 To be Published February 13, 2014

•  A “living document,”
•  Continuous improvement:
   –  update and refine the Framework based on lessons learned
   –  through use as well as integration of new standards, guidelines, and practices that become available.
•  Cybersecurity Framework 1.0 will be posted here: http://www.nist.gov/cyberframework


Slide: 31

ISSUES Cybersecurity Framework 1.0 Due February 13, 2014 (continued)

Overwhelming technology challenges on many fronts:

1.  VUCA – Volatility, Uncertainty, Complexity & Ambiguity
2.  Explosive Growth of Mobile Devices
3.  Big Data
4.  Big Government
5.  Next Generation Internet (Hybrid)
   a.  Demand for data outstripping consumer willingness to pay
   b.  Hype Cycle and Software Defined Networking


Slide: 32

ISSUE 1: VUCA

•  Framework is unlikely to reduce your compliance workload.

•  Still same plethora of existing standards that require adherence.

•  321 Standards in preliminary NIST Compendium, however:

NIST Cyber Security Framework Doesn't Include Application Security


Slide: 33

ISSUE 1: VUCA

•  New Risk-Based versions of existing standards
   –  ISO 9001 (general quality)
   –  AS 9100 Rev C (aerospace quality)
   –  ISO 27000 family (Cybersecurity)
   –  ISO 31000 ISO Security base standard
   –  NERC CIP (US grid security)
   –  ISO 16949 (automotive quality)
   –  PCI DSS 3.0 (Nov 2013 - requires risk assessment)
   –  BASEL III (banking regulation, supervision and risk management)
•  New Certifications – i.e. CERM (Certified Enterprise Risk Management); CERM Software


Slide: 34

ISSUE 2: Explosive Growth of Mobile Devices

From: Cisco VNI: 2012-2017 Cisco Visual Networking Index: Global Mobile Data Traffic Forecast Update, 2012–2017
•  “By the end of 2013, the number of mobile-connected devices will exceed the number of people on earth.”
•  “By 2017 there will be nearly 1.4 mobile devices per capita.”
•  “There will be over 10 billion mobile-connected devices in 2017, including machine-to-machine (M2M) modules - exceeding the world's population at that time (7.6 billion).”
•  Customer expectations – they expect to send and receive more data but they don’t want to pay more.
•  Vendors need to meet customer demand & must reduce operational cost to maintain profitability.


Slide: 35

ISSUE 3: Big Data Cisco VNI Uses Petabytes and Exabytes

Byte = 8 bits
Kilobyte 10^3 = 1000 bytes
Megabyte 10^6 = 1000^2 bytes
Gigabyte 10^9 = 1000^3 bytes
Terabyte 10^12 = 1000^4 bytes
Petabyte 10^15 = 1000^5 bytes
Exabyte 10^18 = 1000^6 bytes
Zettabyte 10^21 = 1000^7 bytes
Yottabyte 10^24 = 1000^8 bytes


Slide: 36

ISSUE 3: Big Data Scale Comparisons

•  All the printed material in the Library of Congress estimated at 10 Terabytes of data:
   –  Terabyte = 10^12 = 1000^4 bytes
   –  http://whatsabyte.com/
•  An Exabyte of storage could contain 50,000 years' worth of DVD-quality video:
   –  Exabyte = 10^18 = 1000^6 bytes
   –  http://searchstorage.techtarget.com/definition/exabyte


Slide: 37

ISSUE 3: Big Data Cisco VNI Uses Petabytes and Exabytes

•  Global mobile data traffic in 2012 (885 petabytes per month) was nearly twelve times greater than the total global Internet traffic in 2000 (75 petabytes per month).
•  Mobile data traffic will reach the following milestones within the next five years.
   –  Monthly global mobile data traffic will surpass 10 exabytes in 2017.
   –  The number of mobile-connected devices will exceed the world's population in 2013.
   –  The average mobile connection speed will surpass 1 Mbps in 2014.
   –  Due to increased usage on smartphones, handsets will exceed 50 percent of mobile data traffic in 2013.
   –  Monthly mobile tablet traffic will surpass 1 Exabyte per month in 2017.
   –  Tablets will exceed 10 percent of global mobile data traffic in 2015.


Slide: 38

ISSUE 3: Has Big Data Made Anonymity Impossible? Has Big Data Made Anonymity Impossible? By Patrick Tucker on May 7, 2013 MIT Technology Review “What modern data science is finding is that nearly any type of data can be used, much like a fingerprint, to identify the person who created it: your choice of movies on Netflix, the location signals emitted by your cell phone, even your pattern of walking as recorded by a surveillance camera. In effect, the more data there is, the less any of it can be said to be private. We are coming to the point that if the commercial incentives to mine the data are in place, anonymity of any kind may be “algorithmically impossible,” says Princeton University computer scientist Arvind Narayanan.”


Slide: 39

ISSUE 4: Big Government

Internet 2.0 in early stages of development.
•  Privacy and Civil Liberties – lack of agreement
   –  Currently not in the Core
   –  Too much specificity may deter voluntary implementation
   –  PRISM and other surveillance controversies - out of scope?
•  Implementation Needs
   –  Voluntary and useful for broader audience (not just CIPS)
   –  Specific Standards for CIPS
   –  White House Incentives
•  Complexity: Nature and Use of Profiles and Implementation Tiers
•  Informative references in Framework Core are advisory only.
•  Small/Medium businesses need more support (i.e. Threat Information) to implement framework.


Slide: 40

ISSUE 5: Next Generation Internet

Internet 2.0 in early stages of development.
•  Software Defined Networking (SDN) or Forwarding and Control Element Separation (ForCES)
•  Will enable hardware cost savings to data centers with user-programmable commodity switches replacing proprietary and expensive routers.
   –  Meet customer demand for more data without increasing costs.
   –  Commodity switches enable cost savings
•  Still a set of tools and not a mature mainstream solution; not yet cost effective.


Slide: 41

ISSUE 5: Next Generation Internet

Internet 2.0 in early stages of development.
•  Compelling and complete application stacks taking advantage of SDN lacking.
•  Not Standardized, Not Secure, Innovative Pre-Chasm Technology for Early Adopters and Innovators.
•  Hybrid Internet – Internet 1 isn’t going away
•  For more information: http://www.sdncentral.com/


Slide: 42

References
•  NIST Cybersecurity Framework portal
   –  http://www.nist.gov/cyberframework
•  Preliminary Framework Compendium (list of 321 cyber rules, standards and best practices)
   –  http://www.nist.gov/itl/upload/preliminary_framework_compendium.xlsx
•  Preliminary Cybersecurity Framework
   –  http://www.nist.gov/itl/upload/preliminary-cybersecurity-framework.pdf
•  Appendix A, Framework Core
   –  presents a listing of Functions, Categories, Subcategories and Informative References
   –  http://www.nist.gov/itl/upload/alternative-view_appendix-a_framework-core-informative-references.pdf


Slide: 43

References
•  DNI Testimony: DNI-worldwide-threat-assessment-of-US-intel-community
•  CNSSI Number 4009, National Information Assurance (IA) Glossary 4/26/2010 http://DOD-General CNSSI_4009_26APR2010_20593/
•  NIST: http://www.nist.gov/index.html
•  “Tipping Point” by Malcolm Gladwell http://www.gladwell.com/tippingpoint/
•  http://www.archives.gov/federal-register/executive-orders/2013.html
•  NIST Computer Security Special Publications http://csrc.nist.gov/publications/PubsSPs.html
•  NIST outlines draft cybersecurity framework for industry http://www.nist.gov/itl/csd/cybersecurity-070213.cfm
•  ISO 31000 Risk Management Standards http://www.iso.org/iso/home/standards/iso31000.htm
•  The Biggest Security SNAFUs of 2013 (So Far) http://www.networkworld.com/news/2013/security-snafus.html
•  CERM Academy http://insights.cermacademy.com/


Slide: 44

References

•  DNI Testimony: DNI-worldwide-threat-assessment-of-US-intel-community
•  CMMI Audits of Services http://www.sei.cmu.edu/library/abstracts/presentations/CMMI-for-Services-Overview.cfm
•  NIST: http://www.nist.gov/index.html
•  NIST Computer Security Special Publications http://csrc.nist.gov/publications/PubsSPs.html
•  NIST outlines draft cybersecurity framework for industry http://www.nist.gov/itl/csd/cybersecurity-070213.cfm
•  ISO 31000 Risk Management Standards http://www.iso.org/iso/home/standards/iso31000.htm
•  The Biggest Security SNAFUs of 2013 (So Far) http://www.networkworld.com/news/2013/security-snafus.html
•  CERM Academy http://insights.cermacademy.com/


Slide: 45

Risk Management Paradigm Shift Next Steps

•  Upcoming ITMPI Seminar Series on Cybersecurity in 2014 (TBD) By Dr. Carolyn Turbyfill and Ed Perkins [email protected]
•  Quality + Engineering can help:
   Greg Hutchins PE [email protected]
   800.COMPETE or 800.266.7383
   503.233.1012
   Cell 503.957.6443 FAX 503.233.1410
   www.QualityPlusEngineering.com
•  Keep up with ongoing developments:
   CERM Academy http://insights.cermacademy.com/

Coming Soon: Asymmetric Warfare & Cybersecurity


Slide: 46

Questions?

Dr. Carolyn Turbyfill: [email protected]
Ed Perkins: [email protected]


Slide: 47

CAI Proudly Sponsors

The IT Metrics & Productivity Institute •  IT and Software Knowledge Center: WWW.ITMPI.ORG

•  Weekly PDU Accredited Webinars: WWW.ITMPI.ORG / WEBINARS

•  Access PDU Accredited Recordings Anytime at WWW.ITMPI.ORG / LIBRARY

•  Enjoy the Benefits of ITMPI Membership at WWW.ITMPI.ORG / SUBSCRIBE

•  Free Basic Memberships: Automatic Registration for Live Webinars

•  Premium Membership for $179/year:

-Unlimited Free PDU and Recording Access for ONE YEAR

-Access to Over 500 PDUs for a Period of ONE YEAR

•  Advanced PDU accredited courseware at WWW.ITMPI.ORG/ COURSEWARE

•  Follow Us on TWITTER at WWW.TWITTER.COM/ ITMPI

•  Join Our Network on LINKED IN at WWW.ITMPI.ORG/ LINKEDIN


Slide: 48

Dr. Carolyn Turbyfill Principal Cyber Security Consultant Quality + Engineering [email protected]

Hosted by:

Michael Milutis Director of Marketing Computer Aid, Inc. (CAI) [email protected]