Post on 25-May-2015
Interpretations and Forecasts: Looking Beyond Rumors, Myths and Misunderstandings About the New NIST Cybersecurity Framework
March 5th, 2014
Jack Whitsitt | jack@energysec.org | twitter.com/@sintixerr | http://www.energysec.org
Format
The Energy Sector Security Consortium (EnergySec) is a United States 501(c)(3) non-profit organization. Our Mission: Strengthen the security posture of critical energy infrastructures through continuous education.
Today's webinar is intended to be interactive, so please be generous with your questions.
Welcome!
About the Framework
About Me
– Background
– Why I care (first post years ago! Work!)
Agenda
– Setting the Stage
– Conceptual Lenses
– Policy Context
– The Framework
– Future & Change
– Discussion
Setting the Stage
We’re not winning.
We don’t know why.
We have trouble admitting it.
But we’re going to fix it anyway
– Cybersecurity
– Critical Infrastructure
– Policy Levers
– Why Government?
– “Voluntary”
– Common Scope Conflicts & Confusion
Conceptual Lenses
Why define cybersecurity?
Everyone has a different perspective:
– Information Security
– Data Security
– Computer Security
– Control Systems Security
– Network Security
– Information Risk Management
– Etc.
Even debating whether there’s a “space” between cyber and security
“Cybersecurity” (For this presentation)
“Those activities and job roles which, by synthesizing multiple disciplines (both technical and non-technical), help sustainably improve or create the *environments* which allow other more technical or tactical security activities, particularly at an industry or national scale and in the context of government laws, policies, mandates, and regulations, to succeed.”
Check out: http://www.liquidmatrix.org/blog/2014/02/03/cyber-critical-security-nutrition/
Defining Critical Infrastructure
Formal and informal definitions
– Average “on the street” definition can be anything
– Formal definitions actually exist in policy and law (we’ll get there)
Concept: Ultimate Consequence Owner
– There are many “critical” industries and groups in the U.S.
– Some are “critical” because of the immediate, direct outcomes of failure
– Some are “critical” because of their impact on the former
– Formal “Critical Infrastructure” designations (mostly) revolve around the former type
– The latter can be usefully considered “Vulnerabilities”
– E.g.: if Intellectual Property from several utilities is stolen from the same law firm, the firm was the vulnerable area, but the critical consequences are for/from the utilities
Policy Scope: Levers
Independent Action
Industry Action
Congress & Lawmaking
Courts
White House & Executive Branch
Military
Critical Infrastructure focus is (mostly) “WH/Executive” + Industry
Courts take a while, Congress is an inflexible hammer, military is a mission mismatch
Why government at all?
We (security practitioners) have made a lot of noise (as did, unfortunately, other countries) and they bought it
Industry failure is, in Critical Infrastructure, also theirs
– Also “ours”, which is an interesting gap…
Lack of formal, structured, reliable assurance from industry means government *must* act
If the government is acting, it is better for industry to coordinate than not (some exceptions)
Also, it’s not as if industry is succeeding by itself (*ducks*)
What is “Voluntary”?
This is a formal term, regardless of what it means conversationally
In this space, it is almost synonymous with “public/private partnership”, which we’ll discuss shortly
It is meant to differentiate an initiative from “Regulated” and “Required by specific policy”
“Voluntary” efforts may end up being “De-Facto” mandatory, but that’s a *different* conversation than formally mandatory
Using the term informally or silently including “de-facto mandatory” in scope derails productive conversation. Be Specific.
Common Scope Conflicts & Confusion
Protection vs. Assurance
– High consequence, need “Assurance” that “Protection” is happening…but by Whom? How? Metrics?
– Lack of Assurance leads to Excess Protection
– Both government and industry have clear “assurance” needs
Risks to vs. Risks From
– Managing tactical risk to computers themselves
– Managing the long term, strategic risk from computers
Offense vs. Defense
– Since “Cybersecurity” is often not defined, roles get confused
– NSA, DHS for instance
Force Arrangement (by Geography)
– This is interesting…
Force Arrangement (by Geography): I
Protected by Force: Citizens, Individual Businesses, Industries, National Infrastructure, Government Infrastructure, National Cohesion
Force Arrangement (by Geography): II
Contestable Threat Vectors (CTV):
– Provide defendable space between “bad guys” and targets
– Imply that there is a space that is *not* the target that must be traversed beforehand
– (Just my term)
Historically…
– Earth
– Air
– Water
– Space (for some value of historically)
Force Arrangement (by Geography) III
Government “Security” apparatus responsibilities are heavily influenced by geography
– The military protects national sovereignty outside the U.S.
– DHS protects national cohesion; operates on the U.S. as a whole
– FBI protects specific aspects of internal U.S. interests
– State & Local government organizations
Force Arrangement (by Geography) IV
Along came cyber…and screwed things up
– Cyber Assets: Targets AND part of a CTV
– “Customers of Protection” now own a CTV
– Geographic Protection Schemes break
– Opaque by Default
But can have consequences in other CTVs
– So we can’t ignore old physical policy mechanisms
– “National Guard” example
Policy Context
The Voluntary World (until 02/2013)
White House: HSPD-7
DHS: National Infrastructure Protection Plan (NIPP)
Sectors
Sector Specific Agencies
“Public/Private Partnership”
Partnership Model: GCC, SCC, CIPAC, Oh My
“Public/Private Partnership”
[Diagram of the Public/Private Partnership model; labels: National Planning, Security Operations, Resource Coordination, Sector Coordinating Councils (Industry), Government Coordinating Councils, Government Cyber-Specific Operations, CIPAC, CRADA/PCII, Fed to Fed]
The Voluntary World (until 02/2013)
Problems
– “Cyber” not taken completely seriously by many Sector Specific Agencies (fear of what they don’t understand)
– Poor resource coordination between feds
– Partnerships seen by industry as creating risks of regulation (often fairly)
– Confusing & complicated structure (it took me years to understand)
– Terrible messaging
– Scope Conflicts discussed earlier
– And on and on
The Voluntary World (post 02/2013)
Cyber Executive Order:
– Aimed at Gov, Not You: Mom reining in kids
– Cyber was already supposed to have been handled (as we’ve seen)
– Attempts to rectify these barriers while keeping intact most of the fundamental structures already in place
– Heavy focus on “Harmonizing Cyber Efforts”
Awesome Presidential Policy Directive (PPD-21)
– Not Cyber specific; an update to HSPD-7
– Important
Also, a new NIPP was released 12/2013
– http://www.energysec.org/blog/jack-whitsitt-comments-on-the-new-nipp/
Whitehouse Cyber Executive Order
Main Thrusts:
– Improve Information Sharing
– Use business-function driven risk analysis to determine priorities
– Create a framework of standards for reducing risks from cyber security issues to critical infrastructure
– Engage industry to the greatest extent possible, and assure privacy and civil liberties are embedded in the entire process.
[Diagram labels: White House, DHS/SSA’s]
Executive Order: Section Analysis
1.–3. Fluff
4. Cybersecurity Information Sharing
5. Privacy and Civil Liberties Protections
6. Consultative Process
7. Baseline Framework to Reduce Cyber Risk to Critical Infrastructure
8. Voluntary Critical Infrastructure Cybersecurity Program
9. Identification of Critical Infrastructure at Greatest Risk
10. Adoption of Framework (Read: Potential Regulation)
Executive Order: Concerns
• Could this infringe on individual freedoms?
– “Not any more than before”
• Do we have any guarantee of transparency?
– So far: Chaotic Good
• The government wants my data?
– Yes. Because they need your data to make theirs actionable for you. But that’s not “the point”
• Why so obtuse?
– Right ideas. Poor Messaging.
– Married Couple Analogy
• I don’t want the government in my space
– They just need to “assure” their mission
– It is possible for industry to keep interference to a minimum
• No faith in government agility to get it right
– Crickets. Real Problem. Will impact success.
• Should it have been so broad?
– Built into the EO is a process to focus it. It’s actually at the right level
• Isn't this just a political goad?
– Not just. Smart people have worked on it. Useful (Possibly).
• This preempts legislation or ignored existing work
– No
• Why is this a DHS issue?
– National cohesion IS DHS’s mission; cyber is just a part. There is no “singularly cyber” mission. Others have other takes on cyber mission
• What about regulation?
– This situation might have gotten a little better, more dynamic
Executive Order: NIST Framework
Ambiguous directive that split responsibilities.
– “Framework to Achieve DHS specified Performance Goals”
– Industry Driven
– “All Inclusive”
– Standards vs Standards
– Some Vision
– Lost in Translation
– Missing: Balance Rails, Quality Assurance, Soylent Cyber is People!
(What about regulation?)
Sigh. It’s there and unevenly applied
– Mixed effects
– Mostly out of scope here
– Executive Order told DHS and the SSA’s to “harmonize” regulation and the framework
– Will try and speak to this later, but it’s ongoing
– Doesn’t apply to independent regulatory agencies
The Framework
Framework Overview
First, go to the source
– http://www.nist.gov/cyberframework/
– I’m only generalizing within the lenses I’ve described
Framework Core
– Functions with “Outcome oriented controls”
Framework Implementation Tiers
– Maturity Levels
Framework Profile
– “As-is” and “To-Be” concept
Framework Overview
– “Framework to Achieve DHS specified Performance Goals”
– Industry Driven
– “All Inclusive”
– Standards vs Standards
– Some Vision
– EO Performance Goals
My Grading: An Overview
Did we get what we needed from the framework itself to solve critical problems?– No…
How good is what we got at being what we got (what DID we get?)– It’s…Okay?
Does it do what it says it does? – About a third of it
Was there some inherent value in the process?– Yes!!!
Did it avoid creating just as many pitfalls?– TBD
If that seems like mixed messaging…
…it is. Dismissing or Praising the framework as a whole (like most things) always misses several value sets. Here, though, I’d really like to mention what a great job NIST, DHS, and Industry did pulling this together on such a short timeline.
Question 1: Does it do what it should have?
What could it have addressed (Examples)
– “What is a House?”
– We need an airplane not a boat!
– Communication
– Priority Integration/Rationalization
– Success Criteria Determination
– Effective Solution Derivation
– “Risks to” to “Risks from” mapping
– Efficacy Determination
– Reduction for smaller organizations
What it did address
– Common control classes/categories organized by an incident response function schema
– I.e., what many other things have already done
Question 2a: How good is what we got at being what we got?
Security value of content
– Same as what we’ve had before. No change.
– This was actually intentional and ok (have to set a starting place before you can improve)
Compared to other security things…
– Open ended. A little abstract. Speaks to more than it has in it
– Not an enterprise security architecture or risk mgt approach, but sounds like it thought it might want to be
– Mostly a control catalogue; too incomplete in key areas to be anything else
– This is probably good: room to add on top of it, link to it.
Usability and structure
– It’s hard to, by itself, use
– Sector, industry, org, other implementation plans (Electric: ES-C2M2)
– Cross-mapping
– But…
Question 2b: What’s wrong with the structure?
Aligns with classic incident response functions
– Identify, Protect, Detect, Respond, Recover
– Remember what I said “Cybersecurity” was up front?
Tries to generalize these functions “up and out” from classic incident response to “the rest of the business”
– Leaves a tangled mess!
– Logically related is not always *helpfully* related
Most important
– It describes hammers, saws, and screwdrivers, but doesn’t describe a house
– This is what we were missing before the framework
– Structure should help, not just content, but it doesn’t
Question 3: Does it do what it says it does?
Or: Things People Say About the Framework:
• Flexible and Adaptable:
– Tangential to content
• Executive “C-Suite” Language:
– More abstract, but not in C-suite or board language
• Risk Driven / Risk Management Focused
– It says risk a lot, but no real risk management
– Leaves room for risk driven, but offers no aid
• Outcome Based, not Prescriptive
– Misses the “Outcome based” requests entirely
– The control statements allow for outcome flexibility in terms of control-implementation, but don’t speak to outcomes of security programs or the framework
• “Standard of Care”
– IANAL
– But legal/contract people overeager
– Content ill-suited
– Not security effective
– Many others will shape specifics (including SSA’s) in contradictory ways
• “Good for Small Utilities”
– Read: “I can’t say it’s bad”
– Also: “We’re already doing this”
• Voluntary
– Formally? Actually Yes
• Collaborative
– Awesomely, Yes
– NIST did a *fantastic* job of responding to input
• “Framework Profiles”
– ???
Question 4: Does it have inherent value?
Public/Private Partnerships & Trust
Starting point of reference
Government collaboration & Messaging
It’s a flag!
Question 5: Does it avoid creating many other pitfalls?
Non-SME Groups
– Legal/Contracts/Insurance had a huge gap to fill and are trying to leverage this already inappropriately.
Political Capital
– 2nd-hand quote from Congressional “person”: “We have the framework, aren’t we done?”
Entrenched Practices
– Continues us down a known failing path
– Leaves room for correction, but…who knows?
Future & Change
What are some things that went Wrong?
Differing Goals (NIST/DHS)
Weak Problem Definition/Communication
No Transformations Defined
Structure Not Thought Through
“Any structure is good” / “No structure perfect”: wrong on both counts
No Use Cases Defined
Drivers of cars asked to build car
Improving Framework Structure
Go through a process to define:
– Problem (to be solved)
– Transformations (to solve problem)
– Use Cases (to guide structure)
– Structure (implementing transformations)
– References (to content)
– Content (to be accessed)
(Notice Content is at the End)
A Different Perspective: A Framework of Frameworks
Threats are non-actor specific and speculative.
– Used as a matrix against Consequence to validate success criteria
Business Vulnerabilities are in terms of how PEOPLE introduce problems
– This leads to more effective C-level metrics and actions
Business Quality Management is REQUIRED for Cyber-specific activities to be effective
– We must be able to pivot to threats, and that requires a base quality
NIST Framework exists almost entirely in one sub-category of “Cyber Vector Control”
This will also help us:
– Frame cross-organizational and public/private work
– Communicate in other levers
Using levers for meta-value
As discussed, the framework is a flag
– It can stay planted where it is, or it can move things forward through your involvement
Groups participating so far
– White House
– Media
– Infrastructure Owners
– Industry Associations
– Regulatory Agencies
– Average People
– Other government agencies
– Lawyers
– Etc.
These groups have their hands on *all* of the other levers
– Conversation, as a whole, shapes how these other levers are used
– Whether or not you think this specific public/private voluntary partnership project/initiative/scope/content/whatever is helpful
– Most other participation is limited, mired in politics, or expensive.
Participate
Get involved?
EnergySec Working Groups
– Creating specific views to integrate with the framework
– Contact me for details
FCC Communications, Security, Reliability and Interoperability Council
– I’ll (likely) be working with a subset to fill some of the gaps I’ve talked about today
– Not sure if it’s open, but an example of efforts to look for
DHS C^3 Voluntary Program
– EO requirement
– http://www.dhs.gov/about-critical-infrastructure-cyber-community-c³-voluntary-program
NIST’s Ongoing efforts
– http://www.nist.gov/cyberframework/upload/roadmap-021214.pdf
I Am the Cavalry
– Work with these folks: http://www.iamthecavalry.org
– They’re coming from new and unusual directions, even if not part of formal efforts
Questions & Closing
Today's webinar was intended to be interactive, so please be generous with your questions.
Thank you
Jack Whitsitt | jack@energysec.org | twitter.com/@sintixerr | http://www.energysec.org