NIST Cybersecurity Framework Background and Review | Jack Whitsitt


Page 1: NIST Cybersecurity Framework Background and Review | Jack Whitsitt

Interpretations and Forecasts: Looking Beyond Rumors, Myths and

Misunderstandings About the New NIST Cybersecurity Framework

March 5th, 2014

Jack Whitsitt | [email protected] | twitter.com/@sintixerr | http://www.energysec.org

Page 2: NIST Cybersecurity Framework Background and Review | Jack Whitsitt


Format

The Energy Sector Security Consortium (EnergySec) is a United States 501(c)(3) non-profit organization. Our Mission: Strengthen the security posture of critical energy infrastructures through continuous education.

Today's webinar is intended to be interactive, so please be generous with your questions. 

Page 3: NIST Cybersecurity Framework Background and Review | Jack Whitsitt

Welcome!

About the Framework

About Me
– Background
– Why I care (first post years ago! Work!)

Agenda
– Setting the Stage
– Conceptual Lenses
– Policy Context
– The Framework
– Future & Change
– Discussion

Page 4: NIST Cybersecurity Framework Background and Review | Jack Whitsitt

Setting the Stage

Page 5: NIST Cybersecurity Framework Background and Review | Jack Whitsitt

We’re not winning.

Page 6: NIST Cybersecurity Framework Background and Review | Jack Whitsitt

We don’t know why.

Page 7: NIST Cybersecurity Framework Background and Review | Jack Whitsitt

We have trouble admitting it.

Page 8: NIST Cybersecurity Framework Background and Review | Jack Whitsitt

But we’re going to fix it anyway

Page 9: NIST Cybersecurity Framework Background and Review | Jack Whitsitt

Conceptual Lenses

– Cybersecurity
– Critical Infrastructure
– Policy Levers
– Why Government?
– “Voluntary”
– Common Scope Conflicts & Confusion

Page 10: NIST Cybersecurity Framework Background and Review | Jack Whitsitt

Why define cybersecurity?

Everyone has a different perspective:
– Information Security
– Data Security
– Computer Security
– Control Systems Security
– Network Security
– Information Risk Management
– Etc.

Even debating whether there’s a “space” between cyber and security

Page 11: NIST Cybersecurity Framework Background and Review | Jack Whitsitt

“Cybersecurity” (For this presentation)

“Those activities and job roles which, by synthesizing multiple disciplines (both technical and non-technical), help sustainably improve or create the *environments* which allow other more technical or tactical security activities, particularly at an industry or national scale and in the context of government laws, policies, mandates, and regulations, to succeed.”

Check out: http://www.liquidmatrix.org/blog/2014/02/03/cyber-critical-security-nutrition/

Page 12: NIST Cybersecurity Framework Background and Review | Jack Whitsitt

Defining Critical Infrastructure

Formal and informal definitions
– Average “on the street” definition can be anything
– Formal definitions actually exist in policy and law (we’ll get there)

Concept: Ultimate Consequence Owner
– There are many “critical” industries and groups in the U.S.
– Some “critical” because of the immediate, direct outcomes of failure
– Some “critical” because of their impact on the former
– Formal “Critical Infrastructure” designations (mostly) revolve around the former type
– The latter can be usefully considered “Vulnerabilities”
– E.g.: if Intellectual Property from several utilities is stolen from the same law firm, the firm was the vulnerable area, but the critical consequences are for/from the utilities

Page 13: NIST Cybersecurity Framework Background and Review | Jack Whitsitt

Policy Scope: Levers

– Independent Action
– Industry Action
– Congress & Lawmaking
– Courts
– White House & Executive Branch
– Military

Critical Infrastructure Focus is (mostly) “WH/Executive” + Industry

Courts take a while, Congress is an inflexible hammer, the military is a mission mis-match

Page 14: NIST Cybersecurity Framework Background and Review | Jack Whitsitt

Why government at all?

We (security practitioners) have made a lot of noise (as did, unfortunately, other countries) and they bought it

Industry failure is, in Critical Infrastructure, also theirs
– Also “ours”, which is an interesting gap…

Lack of formal, structured, reliable assurance from industry means government *must* act

If the government is acting, it is better for industry to coordinate than not (some exceptions)

Also, it’s not as if industry is succeeding by itself (*ducks*)

Page 15: NIST Cybersecurity Framework Background and Review | Jack Whitsitt

What is “Voluntary”?

This is a formal term, regardless of what it means conversationally

In this space, it is almost synonymous with “public/private partnership”, which we’ll discuss shortly

It is meant to differentiate an initiative from “Regulated” and “Required by specific policy”

“Voluntary” efforts may end up being “De-Facto” mandatory, but that’s a *different* conversation than formally mandatory

Using the term informally or silently including “de-facto mandatory” in scope derails productive conversation. Be Specific.

Page 16: NIST Cybersecurity Framework Background and Review | Jack Whitsitt

Common Scope Conflicts & Confusion

Protection vs. Assurance
– High consequence, need “Assurance” that “Protection” is happening…but by Whom? How? Metrics?
– Lack of Assurance leads to Excess Protection
– Both government and industry have clear “assurance” needs

Risks to vs. Risks From
– Managing tactical risk to computers themselves
– Managing the long term, strategic risk from computers

Offense vs. Defense
– Since “Cybersecurity” is often not defined, roles confused
– NSA, DHS for instance

Force Arrangement (by Geography)
– This is interesting…

Page 17: NIST Cybersecurity Framework Background and Review | Jack Whitsitt

Force Arrangement (by Geography): I

Protected by Force:
– Citizens
– Individual Businesses
– Industries
– National Infrastructure
– Government infrastructure
– National Cohesion

Page 18: NIST Cybersecurity Framework Background and Review | Jack Whitsitt

Force Arrangement (by Geography): II

Contestable Threat Vectors (CTV):
– Provide defendable space between “bad guys” and targets
– Imply that there is a space that is *not* the target that must be traversed beforehand
– (Just my term)

Historically…
– Earth
– Air
– Water
– Space (for some value of historically)

Page 19: NIST Cybersecurity Framework Background and Review | Jack Whitsitt

Force Arrangement (by Geography) III

Government “Security” apparatus responsibilities heavily influenced by geography

– The military protects national sovereignty outside the U.S.
– DHS protects national cohesion; operates on U.S. as a whole
– FBI: specific aspects of internal U.S. interests
– State & Local government organizations

Page 20: NIST Cybersecurity Framework Background and Review | Jack Whitsitt

Force Arrangement (by Geography) IV

Along came cyber…and screwed things up
– Cyber Assets: Targets AND part of a CTV
– “Customers of Protection” now own a CTV
– Geographic Protection Schemes break
– Opaque by Default
– But can have consequences in other CTVs
– So we can’t ignore old physical policy mechanisms
– “National Guard” example

Page 21: NIST Cybersecurity Framework Background and Review | Jack Whitsitt

Policy Context

Page 22: NIST Cybersecurity Framework Background and Review | Jack Whitsitt

The Voluntary World (until 02/2013)

– White House: HSPD-7
– DHS: National Infrastructure Protection Plan (NIPP)
– Sectors
– Sector Specific Agencies
– “Public/Private Partnership”
– Partnership Model: GCC, SCC, CIPAC, Oh My

Page 23: NIST Cybersecurity Framework Background and Review | Jack Whitsitt

“Public/Private Partnership”

(Diagram: Public/Private Partnership. Labels: National Planning; Security Operations; Resource Coordination; Sector Coordinating Councils (Industry); Government Coordinating Councils; Government Cyber-Specific Operations; CIPAC; CRADA/PCII; Fed to Fed)

Page 24: NIST Cybersecurity Framework Background and Review | Jack Whitsitt

The Voluntary World (until 02/2013)

Problems
– “Cyber” not taken completely seriously by many Sector Specific Agencies (Fear of what they don’t understand)
– Poor resource coordination between feds
– Partnerships seen by industry as creating risks of regulation (often fairly)
– Confusing & Complicated structure (it took me years to understand)
– Terrible messaging
– Scope Conflicts discussed earlier
– And on and on

Page 25: NIST Cybersecurity Framework Background and Review | Jack Whitsitt

The Voluntary World (post 02/2013)

Cyber Executive Order:
– Aimed at Gov, Not You: Mom reining in kids
– Cyber was already supposed to have been being handled (as we’ve seen)
– Attempts to rectify these barriers while keeping intact most of the fundamental structures already in place.
– Heavy focus on “Harmonizing Cyber Efforts”

Awesome Presidential Policy Directive (PPD-21)
– Not Cyber specific – update to HSPD-7
– Important

Also, a new NIPP was released 12/2013
– http://www.energysec.org/blog/jack-whitsitt-comments-on-the-new-nipp/

Page 26: NIST Cybersecurity Framework Background and Review | Jack Whitsitt

Whitehouse Cyber Executive Order

Main Thrusts:
– Improve Information Sharing
– Use business-function driven risk analysis to determine priorities
– Create a framework of standards for reducing risks from cyber security issues to critical infrastructure
– Engage industry to the greatest extent possible, and assure privacy and civil liberties are embedded in the entire process.

(Diagram labels: White House; DHS/SSA’s)

Page 27: NIST Cybersecurity Framework Background and Review | Jack Whitsitt

Executive Order: Section Analysis

1.–3. Fluff
4. Cybersecurity Information Sharing
5. Privacy and Civil Liberties Protections
6. Consultative Process
7. Baseline Framework to Reduce Cyber Risk to Critical Infrastructure
8. Voluntary Critical Infrastructure Cybersecurity Program
9. Identification of Critical Infrastructure at Greatest Risk
10. Adoption of Framework (Read: Potential Regulation)

Page 28: NIST Cybersecurity Framework Background and Review | Jack Whitsitt

Executive Order: Concerns

Could this infringe on individual freedoms?
– “Not any more than before”

Do we have any guarantee of transparency?
– So far: Chaotic Good

The government wants my data?
– Yes. Because they need your data to make theirs actionable for you. But that’s not “the point”

Why so obtuse?
– Right ideas. Poor Messaging.
– Married Couple Analogy

I don’t want the government in my space
– They just need to “assure” their mission
– It is possible for industry to keep interference to a minimum

No faith in government agility to get it right
– Crickets. Real Problem. Will impact success.

Should it have been so broad?
– Built into the EO is a process to focus it. It’s actually at the right level

Isn't this just a political goad?
– Not just. Smart people have worked on it. Useful (Possibly).

This preempts legislation or ignored existing work
– No

Why is this a DHS issue?
– National cohesion IS DHS’s mission – cyber just a part. There is no “singularly cyber” mission. Others have other takes on cyber mission

What about regulation?
– This situation might have gotten a little better, more dynamic

Page 29: NIST Cybersecurity Framework Background and Review | Jack Whitsitt

Executive Order: NIST Framework

Ambiguous directive that split responsibilities.

– “Framework to Achieve DHS specified Performance Goals”
– Industry Driven
– “All Inclusive”
– Standards vs Standards
– Some Vision
– Lost in Translation
– Missing: Balance Rails, Quality Assurance, Soylent Cyber is People!

Page 30: NIST Cybersecurity Framework Background and Review | Jack Whitsitt

(What about regulation?)

Sigh. It’s there and unevenly applied
– Mixed effects
– Mostly out of scope here
– Executive Order told DHS and the SSA’s to “harmonize” regulation and the framework
– Will try and speak to this later, but it’s ongoing
– Doesn’t apply to independent regulatory agencies

Page 31: NIST Cybersecurity Framework Background and Review | Jack Whitsitt

The Framework

Page 32: NIST Cybersecurity Framework Background and Review | Jack Whitsitt

Framework Overview

First, go to the source
– http://www.nist.gov/cyberframework/
– I’m only generalizing within the lenses I’ve described

Framework Core
– Functions with “Outcome oriented controls”

Framework Implementation Tiers
– Maturity Levels

Framework Profile
– “As-is” and “To-Be” concept

Page 33: NIST Cybersecurity Framework Background and Review | Jack Whitsitt


Framework Overview

(Diagram labels: “Framework to Achieve DHS specified Performance Goals”; Industry Driven; “All Inclusive”; Standards vs Standards; Some Vision; EO Performance Goals)


Page 34: NIST Cybersecurity Framework Background and Review | Jack Whitsitt

My Grading: An Overview

Did we get what we needed from the framework itself to solve critical problems?– No…

How good is what we got at being what we got (what DID we get?)– It’s…Okay?

Does it do what it says it does? – About a third of it

Was there some inherent value in the process?– Yes!!!

Did it avoid creating just as many pitfalls?– TBD

Page 35: NIST Cybersecurity Framework Background and Review | Jack Whitsitt

If that seems like mixed messaging…

…it is. Dismissing or Praising the framework as a whole (like most things) always misses several value sets. Here, though, I’d really like to mention what a great job NIST, DHS, and Industry did pulling this together on such a short timeline.

Page 36: NIST Cybersecurity Framework Background and Review | Jack Whitsitt

Question 1: Does it do what it should have?

What could it have addressed (Examples)
– “What is a House?”
– We need an airplane not a boat!
– Communication
– Priority Integration/Rationalization
– Success Criteria Determination
– Effective Solution Derivation
– “Risks to” to “Risks from” mapping
– Efficacy Determination
– Reduction for smaller organizations

What it did address
– Common control classes/categories organized by an incident response function schema
– I.e., what many other things have already done

Page 37: NIST Cybersecurity Framework Background and Review | Jack Whitsitt

Question 2a: How good is what we got at being what we got?

Security value of content
– Same as what we’ve had before. No change.
– This was actually intentional and ok (have to set starting place before can improve)

Compared to other security things…
– Open ended. A little abstract. Speaks to more than it has in it
– Not an enterprise security architecture or risk mgt approach, but sounds like it thought it might want to be
– Mostly a control catalogue; too incomplete in key areas to be others
– This is probably good – room to add on top of it, link to it.

Usability and structure
– It’s hard to, by itself, use
– Sector, industry, org, other implementation plans (Electric: ES-C2M2)
– Cross-mapping
– But…

Page 38: NIST Cybersecurity Framework Background and Review | Jack Whitsitt

Question 2b: What’s wrong with the structure?

Aligns with classic incident response functions
– Identify, Protect, Detect, Respond, Recover
– Remember what I said “Cybersecurity” was up front?

Tries to generalize these functions “up and out” from classic incident response to “the rest of the business”
– Leaves a tangled mess!
– Logically related is not always *helpfully* related

Most important
– It describes hammers, saws, and screwdrivers, but doesn’t describe a house
– This is what we were missing before the framework
– Structure should help, not just content, but it doesn’t

Page 39: NIST Cybersecurity Framework Background and Review | Jack Whitsitt

Question 3: Does it do what it says it does?

Or: Things People Say About the Framework:

Flexible and Adaptable:
– Tangential to content

Executive “C-Suite” Language:
– More abstract, but not in C-suite or board language

Risk Driven / Risk Management Focused
– It says risk a lot, but no real risk management
– Leaves room for risk driven, but offers no aid

Outcome Based, not Prescriptive
– Misses the “Outcome based” requests entirely
– The control statements allow for outcome flexibility in terms of control-implementation, but don’t speak to outcomes of security programs or the framework

“Standard of Care”
– IANAL
– But legal/contract people overeager
– Content ill-suited
– Not security effective
– Many others will shape specifics (including SSA’s) in contradictory ways

“Good for Small Utilities”
– Read: “I can’t say it’s bad”
– Also: “We’re already doing this”

Voluntary
– Formally? Actually Yes

Collaborative
– Awesomely, Yes
– NIST did a *fantastic* job of responding to input

“Framework Profiles”
– ???

Page 40: NIST Cybersecurity Framework Background and Review | Jack Whitsitt

Question 4: Does it have inherent value?

– Public/Private Partnerships & Trust
– Starting point of reference
– Government collaboration & Messaging
– It’s a flag!

Page 41: NIST Cybersecurity Framework Background and Review | Jack Whitsitt

Question 5: Does it avoid creating many other pitfalls?

Non-SME Groups
– Legal/Contracts/Insurance had a huge gap to fill and are trying to leverage this already inappropriately.

Political Capital
– 2nd-hand quote from Congressional “person”: “We have the framework, aren’t we done?”

Entrenched Practices
– Continues us down a known failing path
– Leaves room for correction, but…who knows?

Page 42: NIST Cybersecurity Framework Background and Review | Jack Whitsitt

Future & Change

Page 43: NIST Cybersecurity Framework Background and Review | Jack Whitsitt


What are some things that went Wrong?

– Differing Goals (NIST/DHS)
– Weak Problem Definition/Communication
– No Transformations Defined
– Structure Not Thought Through
– “Any structure is good” / “No structure perfect” - wrong on both counts
– No Use Cases Defined
– Drivers of cars asked to build car


Page 44: NIST Cybersecurity Framework Background and Review | Jack Whitsitt

Improving Framework Structure

Go through a process to define:
– Problem (to be solved)
– Transformations (to solve problem)
– Use Cases (to guide structure)
– Structure (implementing transformations)
– References (to content)
– Content (to be accessed)

(Notice Content is at the End)

Page 45: NIST Cybersecurity Framework Background and Review | Jack Whitsitt

A Different Perspective: A Framework of Frameworks

Threats are non-actor specific and speculative.
– Used as matrix against Consequence to validate success criteria

Business Vulnerabilities are in terms of how PEOPLE introduce problems
– This leads to more effective C-level metrics and actions

Business Quality Management is REQUIRED for Cyber-specific activities to be effective
– We must be able to pivot to threats and that requires a base quality

NIST Framework exists almost entirely in one sub-category of “Cyber Vector Control”

This will also help us:
– Frame cross-organizational and public/private work
– Communicate in other levers

Page 46: NIST Cybersecurity Framework Background and Review | Jack Whitsitt

Using levers for meta-value

As discussed, the framework is a flag
– It can stay planted where it is, or it can move things forward through your involvement

Groups participating so far
– White House
– Media
– Infrastructure Owners
– Industry Associations
– Regulatory Agencies
– Average People
– Other government agencies
– Lawyers
– Etc.

These groups have their hands on *all* of the other levers
– Conversation, as a whole, shapes how these other levers are used
– Whether or not you think this specific public/private voluntary partnership project/initiative/scope/content/whatever is helpful
– Most other participation is limited, mired in politics, or expensive.

Participate

Page 47: NIST Cybersecurity Framework Background and Review | Jack Whitsitt

Get involved?

EnergySec Working Groups
– Creating specific views to integrate with the framework
– Contact me for details

FCC Communications, Security, Reliability and Interoperability Council
– I’ll (likely) be working with a subset to fill some of the gaps I’ve talked about today
– Not sure if it’s open, but example of efforts to look for

DHS C^3 Voluntary Program
– EO requirement
– http://www.dhs.gov/about-critical-infrastructure-cyber-community-c³-voluntary-program

NIST’s Ongoing efforts
– http://www.nist.gov/cyberframework/upload/roadmap-021214.pdf

I Am the Cavalry
– Work with these folks: http://www.iamthecavalry.org
– They’re coming from new and unusual directions, even if not part of formal efforts

Page 48: NIST Cybersecurity Framework Background and Review | Jack Whitsitt

Questions & Closing

Today's webinar was intended to be interactive, so please be generous with your questions. 

Page 49: NIST Cybersecurity Framework Background and Review | Jack Whitsitt


Thank you


Jack Whitsitt | [email protected] | twitter.com/@sintixerr | http://www.energysec.org