Transcript of The Presidential Directive on Improving Critical...
4/1/14 Webinar Sponsored by Computer Aid, Inc.
Slide: 1
The Presidential Directive on Improving Critical Infrastructure
Cybersecurity: The NIST Cybersecurity Framework
Carolyn Turbyfill, Ph.D. [email protected]
© Quality + Engineering, QualityPlusEngineering.com, CERMAcademy.com, 800.COMPETE, Oregon 503.233.1012
Slide: 2
Dr. Carolyn Turbyfill Principal Cyber Security Consultant Quality + Engineering [email protected]
Hosted by:
Michael Milutis Director of Marketing Computer Aid, Inc. (CAI) [email protected]
Slide: 3
CAI Achieves IT Operational Excellence
www.compaid.com
Slide: 4
PDU Credits Available for this Webinar
• The PMI has accredited this webinar with PDUs
• You will be eligible to receive 1.0 PDU credits
• Your PDU email will be sent to you within 24 hours
Slide: 5
Online Webinar Recordings NOW AVAILABLE
• Anytime Access
• Hundreds of Topics
Visit: www.ITMPI.org/library
Slide: 6
Enjoy the benefits of ITMPI Membership: JOIN TODAY!
• UNLIMITED Free Webinar Recordings
• UNLIMITED Free PDU Credits
• Hundreds of Topics
Visit: www.ITMPI.org/subscribe
Slide: 7
About Quality + Engineering
Q+E Background:
• Critical Infrastructure Protection: Forensics, Assurance, Analytics® - US Department of Homeland Security Safety Act Certified
• Q+E technologies are DHS “Qualified Anti-Terrorist Technologies”
• Developer of Cyber Security and Asymmetric conflict webinar series
CERM Academy Background:
• Developer of Certified Enterprise Risk Manager® Certificates:
  – CERM - Electric Reliability
  – CERM - Aerospace
  – CERM - Cyber
• Developer of Value Added Auditing®
• Publisher of CERM Risk Insights: http://insights.cermacademy.com/
Slide: 8
Q+E DHS Certification CIP/FAA
Slide: 9
Dr. Carolyn Turbyfill [email protected]
Experience in: Public Companies, Startups, Research, Federal & State Government, Turnarounds, Industry Associations, University Teaching, Consulting, Distributed Development (U.S. & International)
Principal Cyber Security Consultant at Q+E
• 20 Years Experience Developing Innovative Security
• CIP - Critical Infrastructure Protection
• CERM Certified – Certified Enterprise Risk Management
Track record building leading edge technologies and products:
• The first database benchmark using experimental design techniques, the Wisconsin Benchmark;
• One of the first wireless LANs with radio, antenna and IP Layer encryption;
• The first Firewall Appliance, SunScreen SPF 100, which also included a certificate authority and one of the first commercial IP Layer VPNs, SKIP;
• The first round-trip email marketing systems with interactive Java applets and the precursor to PayPal;
• The first Managed Security Service at Counterpane Internet Security;
• The first virtualized automated test environments for application stacks, the StackSafe Test Center.
Slide: 10
The White House Office of the Press Secretary Released: EXECUTIVE ORDER
IMPROVING CRITICAL INFRASTRUCTURE CYBERSECURITY
whitehouse-executive-order-improving-critical-infrastructure-cybersecurity
February 12, 2013
February 13, 2014: NIST is scheduled to release
CYBERSECURITY FRAMEWORK 1.0 http://www.nist.gov/cyberframework
Slide: 11
Presidential Directive Section 7. Baseline Framework to Reduce Cyber Risk to Critical Infrastructure
The “Cybersecurity Framework”
WHO: The Secretary of Commerce shall direct the Director of NIST (the "Director")
WHAT: to lead the development of a framework to reduce cyber risks to critical infrastructure.
Slide: 12
16 Critical Infrastructure Sectors
• Chemical
• Commercial Facilities
• Communications
• Critical Manufacturing
• Dams
• Defense Industrial Base
• Emergency Services
• Energy Sector
• Financial Services
• Food and Agriculture
• Government Facilities
• Healthcare and Public Health
• Information Technology
• Nuclear Reactors, Materials and Waste
• Transportation Systems
• Water and Wastewater Systems
Slide: 13
Sec. 7. Baseline Framework to Reduce Cyber Risk to Critical Infrastructure. The “Cybersecurity Framework”
Framework:
• Set of Standards
• Methodologies
• Procedures
• Processes
that align approach to cyber risks including
• Policy
• Business
• Technology
Slide: 14
Sec. 7. Baseline Framework to Reduce Cyber Risk to Critical Infrastructure. The “Cybersecurity Framework”
The Cybersecurity Framework shall incorporate,
• voluntary consensus standards and
• industry best practices
to the fullest extent possible.
From “NIST Cybersecurity Framework: Don’t Underestimate It”: “A cybersecurity framework for critical infrastructure owners is voluntary but will become the de facto standard for litigators and regulators. Here's how to prepare.”
Slide: 15
NIST Framework Core Functions, Categories, Subcategories, Informative References
Slide: 16
FUNCTIONS
Functions organize basic cybersecurity activities at their highest level. These Functions are: Identify, Protect, Detect, Respond, and Recover. The functions aid in communicating the state of an organization’s cybersecurity activities by organizing information, enabling risk management decisions, addressing threats, and improving by learning from previous activities. The functions also align with existing methodologies for incident management, and can be used to help show the impact of investments in cybersecurity. For example, investments in planning and exercises support timely response and recovery actions, resulting in reduced impact to delivery of services.
Slide: 17
FUNCTIONS: Categories
Categories are the subdivisions of a Function into groups of
cybersecurity outcomes, closely tied to programmatic
needs and particular activities. Examples of Categories
include:
• “Asset Management,”
• “Access Control,”
• “Detection Processes.”
Slide: 18
FUNCTIONS: Subcategories
Subcategories further subdivide a Category into high-level outcomes, but are not intended to be a comprehensive set of practices to support a category.
Examples of subcategories include:
• “Physical devices and systems within the organization are catalogued,”
• “Data-at-rest is protected,” and
• “Notifications from the detection system are investigated.”
Slide: 19
FUNCTIONS: Informative References
Informative References are specific sections of standards, guidelines, and practices common among critical infrastructure sectors and illustrate a method to accomplish the activities within each Subcategory. The Subcategories are derived from the Informative References. The Informative References presented in the Framework Core are not exhaustive but are example sets, and organizations are free to implement other standards, guidelines, and practices.
Slide: 20
Editable Version FRAMEWORK CORE
FUNCTIONS CATEGORIES SUBCATEGORY INFORMATIVE REFERENCE(S)
IDENTIFY
PROTECT
DETECT
RESPOND
RECOVER
Slide: 21
THE IDENTIFY FUNCTION
Identify – Develop the institutional understanding to manage cybersecurity risk to organizational systems, assets, data, and capabilities. The Identify Function includes the following categories of outcomes:
• Asset Management,
• Business Environment,
• Governance,
• Risk Assessment, and
• Risk Management Strategy.
The activities in the Identify Function are foundational for effective implementation of the Framework. Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enables an organization to focus its efforts and resources. Defining a risk management strategy enables risk decisions consistent with the business needs of the organization.
Slide: 22
THE PROTECT FUNCTION
Protect – Develop and implement the appropriate safeguards, prioritized through the organization’s risk management process, to ensure delivery of critical infrastructure services. The Protect function includes the following categories of outcomes:
• Access Control,
• Awareness and Training,
• Data Security,
• Information Protection Processes and Procedures, and
• Protective Technology.
The Protect activities are performed consistent with the organization’s risk strategy defined in the Identify function.
Slide: 23
THE DETECT FUNCTION
Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event. The Detect function includes the following categories of outcomes:
• Anomalies and Events,
• Security Continuous Monitoring, and
• Detection Processes.
The Detect function enables timely response and the potential to limit or contain the impact of potential cyber incidents.
Slide: 24
THE RESPOND FUNCTION
Respond – Develop and implement the appropriate activities, prioritized through the organization’s risk management process (including effective planning), to take action regarding a detected cybersecurity event. The Respond function includes the following categories of outcomes:
• Response Planning,
• Analysis,
• Mitigation, and
• Improvements.
The Respond function is performed consistent with the business context and risk strategy defined in the Identify function. The activities in the Respond function support the ability to contain the impact of a potential cybersecurity event.
Slide: 25
THE RECOVER FUNCTION
Recover – Develop and implement the appropriate activities, prioritized through the organization’s risk management process, to restore the capabilities or critical infrastructure services that were impaired through a cybersecurity event. The Recover function includes the following categories of outcomes:
• Recovery Planning,
• Improvements, and
• Communications.
The activities performed in the Recover function are performed consistent with the business context and risk strategy defined in the Identify function. The activities in the Recover function support timely recovery to normal operations to reduce the impact from a cybersecurity event.
Slide: 26
Example FRAMEWORK CORE
FUNCTIONS | CATEGORIES | SUBCATEGORY | INFORMATIVE REFERENCE(S)
IDENTIFY | Asset Management (AM) | Inventory / track physical | ISO/IEC 27001 A.7.1.1, A.7.1.2
IDENTIFY | | Identify vulnerabilities | NIST SP 800-53 Rev. 4 CA-2, RA-3, SI-5
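The Core hierarchy shown on the preceding slides (Functions, Categories, Subcategories, Informative References) and the Framework Profile that sits on top of it are easier to reason about as data. The Python below is an added example written for this transcript, not code from the slides, from Quality + Engineering or from NIST: it models a subset of the Core using only the outcomes and references quoted on the slides, represents a Profile as a map from subcategory outcome to implementation state, and computes the gap between a Current Profile and a Target Profile, reporting the Informative References that illustrate one way to close each gap. The placement of "Identify vulnerabilities" under Risk Assessment, the three-step state scale (which is not a NIST Implementation Tier) and the two profiles are assumptions constructed for the example.

```python
"""Added example: in-memory model of the NIST Cybersecurity Framework Core
(Functions -> Categories -> Subcategories -> Informative References) plus a
Profile and a Current-vs-Target gap report. Data is a constructed subset."""
from dataclasses import dataclass, field

# Ordinal implementation states for a Profile entry (constructed scale, not a NIST Tier).
STATES = ("none", "partial", "implemented")


@dataclass(frozen=True)
class Subcategory:
    outcome: str              # outcome statement, e.g. "Data-at-rest is protected"
    references: tuple = ()    # Informative References: illustrative, not exhaustive


@dataclass
class Category:
    name: str
    subcategories: list = field(default_factory=list)


@dataclass
class Function:
    name: str
    categories: list = field(default_factory=list)


# Subset of the Core built from the outcomes and references quoted on the slides.
# Assumption: "Identify vulnerabilities" is placed under Risk Assessment; the slide
# does not name its category. Subcategories with no references on the slides get ().
FRAMEWORK_CORE = [
    Function("IDENTIFY", [
        Category("Asset Management (AM)", [
            Subcategory("Physical devices and systems within the organization are catalogued",
                        ("ISO/IEC 27001 A.7.1.1", "ISO/IEC 27001 A.7.1.2")),
        ]),
        Category("Risk Assessment (RA)", [
            Subcategory("Identify vulnerabilities",
                        ("NIST SP 800-53 Rev. 4 CA-2", "NIST SP 800-53 Rev. 4 RA-3",
                         "NIST SP 800-53 Rev. 4 SI-5")),
        ]),
    ]),
    Function("PROTECT", [
        Category("Data Security (DS)", [Subcategory("Data-at-rest is protected")]),
    ]),
    Function("DETECT", [
        Category("Detection Processes (DP)",
                 [Subcategory("Notifications from the detection system are investigated")]),
    ]),
]


def walk_core(core=FRAMEWORK_CORE):
    """Yield (function name, category name, Subcategory) for every leaf of the Core."""
    for fn in core:
        for cat in fn.categories:
            for sub in cat.subcategories:
                yield fn.name, cat.name, sub


def gap_report(current, target, core=FRAMEWORK_CORE):
    """Compare a Current Profile with a Target Profile (both: outcome -> state).
    Returns the gaps sorted largest first. A subcategory missing from a profile
    counts as 'none': an unassessed control must not look like a satisfied one."""
    gaps = []
    for fn_name, cat_name, sub in walk_core(core):
        have = STATES.index(current.get(sub.outcome, "none"))
        want = STATES.index(target.get(sub.outcome, "none"))
        if want > have:
            gaps.append({
                "function": fn_name, "category": cat_name, "subcategory": sub.outcome,
                "current": STATES[have], "target": STATES[want], "gap": want - have,
                "references": list(sub.references),
            })
    return sorted(gaps, key=lambda g: (-g["gap"], g["function"], g["subcategory"]))


def coverage_by_function(profile, core=FRAMEWORK_CORE):
    """Fraction of each Function's subcategories that a Profile marks 'implemented':
    one simple way to communicate the state of activities per Function."""
    totals, done = {}, {}
    for fn_name, _, sub in walk_core(core):
        totals[fn_name] = totals.get(fn_name, 0) + 1
        if profile.get(sub.outcome, "none") == "implemented":
            done[fn_name] = done.get(fn_name, 0) + 1
    return {fn: done.get(fn, 0) / n for fn, n in totals.items()}


# Constructed profiles for a hypothetical organization.
CURRENT_PROFILE = {
    "Physical devices and systems within the organization are catalogued": "implemented",
    "Identify vulnerabilities": "partial",
    "Data-at-rest is protected": "none",
}
TARGET_PROFILE = {
    "Physical devices and systems within the organization are catalogued": "implemented",
    "Identify vulnerabilities": "implemented",
    "Data-at-rest is protected": "implemented",
    "Notifications from the detection system are investigated": "partial",
}

if __name__ == "__main__":
    for g in gap_report(CURRENT_PROFILE, TARGET_PROFILE):
        print(f"{g['function']:<9} {g['subcategory'][:50]:<52} {g['current']} -> {g['target']}"
              f"  refs: {', '.join(g['references']) or '(none listed)'}")
    print(coverage_by_function(CURRENT_PROFILE))
```

Run the file directly to print the gap list, largest gaps first, each with the Informative References that show one way to close it. Defaulting an unassessed subcategory to "none" is the important design choice: it keeps a gap from being hidden by missing data, which is the usual failure of spreadsheet-based profile tracking.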
Slide: 27
NIST Framework Decision Flows
Slide: 28
NIST Framework Profile
Slide: 29
Preliminary Framework Compendium: A Key NIST Framework Component
The Framework’s compendium of “informative resources” references many (321) standards, including performance and process-based standards.
• These 321 standards are intended:
  – to be illustrative
  – to assist organizations in identifying and selecting standards for their own use
  – for use to map into the core Framework.
• The compendium also offers practices and guidelines, including practical implementation guides.
Slide: 30
Cybersecurity Framework 1.0: To be Published February 13, 2014
• A “living document”
• Continuous improvement:
  – update and refine the Framework based on lessons learned
  – through use as well as integration of new standards, guidelines, and practices that become available.
• Cybersecurity Framework 1.0 will be posted here: http://www.nist.gov/cyberframework
Slide: 31
ISSUES: Cybersecurity Framework 1.0 Due February 13, 2014 (continued)
Overwhelming technology challenges on many fronts:
1. VUCA – Volatility, Uncertainty, Complexity & Ambiguity
2. Explosive Growth of Mobile Devices
3. Big Data
4. Big Government
5. Next Generation Internet (Hybrid)
   a. Demand for data outstripping consumer willingness to pay
   b. Hype Cycle and Software Defined Networking
Slide: 32
ISSUE 1: VUCA
• Framework is unlikely to reduce your compliance workload.
• Still same plethora of existing standards that require adherence.
• 321 Standards in preliminary NIST Compendium, however:
NIST Cyber Security Framework Doesn't Include Application Security
Slide: 33
ISSUE 1: VUCA
• New Risk-Based versions of existing standards
  – ISO 9001 (general quality)
  – AS 9100 Rev C (aerospace quality)
  – ISO 27000 family (Cybersecurity)
  – ISO 31000 (ISO Security base standard)
  – NERC CIP (US grid security)
  – ISO 16949 (automotive quality)
  – PCI DSS 3.0 (Nov 2013 - requires risk assessment)
  – BASEL III (banking regulation, supervision and risk management)
• New Certifications – i.e. CERM (Certified Enterprise Risk Management); CERM Software
Slide: 34
ISSUE 2: Explosive Growth of Mobile Devices
From Cisco VNI, 2012-2017: Cisco Visual Networking Index: Global Mobile Data Traffic Forecast Update, 2012–2017
• “By the end of 2013, the number of mobile-connected devices will exceed the number of people on earth.”
• “By 2017 there will be nearly 1.4 mobile devices per capita. There will be over 10 billion mobile-connected devices in 2017, including machine-to-machine (M2M) modules, exceeding the world's population at that time (7.6 billion).”
• Customer expectations – they expect to send and receive more data but they don’t want to pay more.
• Vendors need to meet customer demand & must reduce operational cost to maintain profitability.
Slide: 35
ISSUE 3: Big Data Cisco VNI Uses Petabytes and Exabytes
Byte = 8 bits
Kilobyte: 10^3 = 1000 bytes
Megabyte: 10^6 = 1000^2 bytes
Gigabyte: 10^9 = 1000^3 bytes
Terabyte: 10^12 = 1000^4 bytes
Petabyte: 10^15 = 1000^5 bytes
Exabyte: 10^18 = 1000^6 bytes
Zettabyte: 10^21 = 1000^7 bytes
Yottabyte: 10^24 = 1000^8 bytes
Slide: 36
ISSUE 3: Big Data Scale Comparisons
• All the printed material in the Library of Congress is estimated at 10 Terabytes of data (Terabyte = 10^12 = 1000^4 bytes): http://whatsabyte.com/
• An Exabyte of storage could contain 50,000 years' worth of DVD-quality video (Exabyte = 10^18 = 1000^6 bytes): http://searchstorage.techtarget.com/definition/exabyte
Slide: 37
ISSUE 3: Big Data Cisco VNI Uses Petabytes and Exabytes
• Global mobile data traffic in 2012 (885 petabytes per month) was nearly twelve times greater than the total global Internet traffic in 2000 (75 petabytes per month).
• Mobile data traffic will reach the following milestones within the next five years:
  – Monthly global mobile data traffic will surpass 10 exabytes in 2017.
  – The number of mobile-connected devices will exceed the world's population in 2013.
  – The average mobile connection speed will surpass 1 Mbps in 2014.
  – Due to increased usage on smartphones, handsets will exceed 50 percent of mobile data traffic in 2013.
  – Monthly mobile tablet traffic will surpass 1 Exabyte per month in 2017.
  – Tablets will exceed 10 percent of global mobile data traffic in 2015.
Slide: 38
ISSUE 3: Has Big Data Made Anonymity Impossible?
“Has Big Data Made Anonymity Impossible?” by Patrick Tucker, May 7, 2013, MIT Technology Review:
“What modern data science is finding is that nearly any type of data can be used, much like a fingerprint, to identify the person who created it: your choice of movies on Netflix, the location signals emitted by your cell phone, even your pattern of walking as recorded by a surveillance camera. In effect, the more data there is, the less any of it can be said to be private. We are coming to the point that if the commercial incentives to mine the data are in place, anonymity of any kind may be ‘algorithmically impossible,’ says Princeton University computer scientist Arvind Narayanan.”
Slide: 39
ISSUE 4: Big Government
Internet 2.0 in early stages of development.
• Privacy and Civil Liberties – lack of agreement
  – Currently not in the Core
  – Too much specificity may deter voluntary implementation
  – PRISM and other surveillance controversies - out of scope?
• Implementation Needs
  – Voluntary and useful for broader audience (not just CIPS)
  – Specific Standards for CIPS
  – White House Incentives
• Complexity: Nature and Use of Profiles and Implementation Tiers
• Informative references in Framework Core are advisory only.
• Small/Medium businesses need more support (i.e. Threat Information) to implement framework.
Slide: 40
ISSUE 5: Next Generation Internet
Internet 2.0 in early stages of development.
• Software Defined Networking (SDN) or Forwarding and Control Element Separation (FoRCES)
• Will enable hardware cost savings to data centers with user-programmable commodity switches replacing proprietary and expensive routers.
  – Meet customer demand for more data without increasing costs.
  – Commodity switches enable cost savings
• Still a set of tools and not a mature mainstream solution; not yet cost effective.
Slide: 41
ISSUE 5: Next Generation Internet
Internet 2.0 in early stages of development.
• Compelling and complete application stacks taking advantage of SDN lacking.
• Not Standardized, Not Secure, Innovative Pre-Chasm Technology for Early Adopters and Innovators.
• Hybrid Internet – Internet 1 isn’t going away
• For more information: http://www.sdncentral.com/
Slide: 42
References
• NIST Cybersecurity Framework portal
  – http://www.nist.gov/cyberframework
• Preliminary Framework Compendium (list of 321 cyber rules, standards and best practices)
  – http://www.nist.gov/itl/upload/preliminary_framework_compendium.xlsx
• Preliminary Cybersecurity Framework
  – http://www.nist.gov/itl/upload/preliminary-cybersecurity-framework.pdf
• Appendix A, Framework Core – presents a listing of Functions, Categories, Subcategories and Informative References
  – http://www.nist.gov/itl/upload/alternative-view_appendix-a_framework-core-informative-references.pdf
Slide: 43
References
• DNI Testimony: DNI-worldwide-threat-assessment-of-US-intel-community
• CNSSI Number 4009, National Information Assurance (IA) Glossary 4/26/2010 http://DOD-General CNSSI_4009_26APR2010_20593/
• NIST: http://www.nist.gov/index.html
• “Tipping Point” by Malcolm Gladwell http://www.gladwell.com/tippingpoint/
• http://www.archives.gov/federal-register/executive-orders/2013.html
• NIST Computer Security Special Publications http://csrc.nist.gov/publications/PubsSPs.html
• NIST outlines draft cybersecurity framework for industry http://www.nist.gov/itl/csd/cybersecurity-070213.cfm
• ISO 31000 Risk Management Standards http://www.iso.org/iso/home/standards/iso31000.htm
• The Biggest Security SNAFUs of 2013 (So Far) http://www.networkworld.com/news/2013/security-snafus.html
• CERM Academy http://insights.cermacademy.com/
Slide: 44
References
• DNI Testimony: DNI-worldwide-threat-assessment-of-US-intel-community
• CMMI Audits of Services http://www.sei.cmu.edu/library/abstracts/presentations/CMMI-for-Services-Overview.cfm
• NIST: http://www.nist.gov/index.html
• NIST Computer Security Special Publications http://csrc.nist.gov/publications/PubsSPs.html
• NIST outlines draft cybersecurity framework for industry http://www.nist.gov/itl/csd/cybersecurity-070213.cfm
• ISO 31000 Risk Management Standards http://www.iso.org/iso/home/standards/iso31000.htm
• The Biggest Security SNAFUs of 2013 (So Far) http://www.networkworld.com/news/2013/security-snafus.html
• CERM Academy http://insights.cermacademy.com/
Slide: 45
Risk Management Paradigm Shift: Next Steps
• Upcoming ITMPI Seminar Series on Cybersecurity in 2014 (TBD) by Dr. Carolyn Turbyfill and Ed Perkins [email protected]
• Quality + Engineering can help:
  Greg Hutchins PE [email protected]
  800.COMPETE or 800.266.7383, 503.233.1012
  Cell 503.957.6443, FAX 503.233.1410
  www.QualityPlusEngineering.com
• Keep up with ongoing developments:
  CERM Academy http://insights.cermacademy.com/
  Coming Soon: Asymmetric Warfare & Cybersecurity
Slide: 46
Questions?
Dr. Carolyn Turbyfill: [email protected] Ed Perkins: [email protected]
Slide: 47
CAI Proudly Sponsors The IT Metrics & Productivity Institute
• IT and Software Knowledge Center: WWW.ITMPI.ORG
• Weekly PDU Accredited Webinars: WWW.ITMPI.ORG/WEBINARS
• Access PDU Accredited Recordings Anytime at WWW.ITMPI.ORG/LIBRARY
• Enjoy the Benefits of ITMPI Membership at WWW.ITMPI.ORG/SUBSCRIBE
• Free Basic Memberships: Automatic Registration for Live Webinars
• Premium Membership for $179/year:
  – Unlimited Free PDU and Recording Access for ONE YEAR
  – Access to Over 500 PDUs for a Period of ONE YEAR
• Advanced PDU accredited courseware at WWW.ITMPI.ORG/COURSEWARE
• Follow Us on TWITTER at WWW.TWITTER.COM/ITMPI
• Join Our Network on LINKED IN at WWW.ITMPI.ORG/LINKEDIN
Slide: 48
Dr. Carolyn Turbyfill Principal Cyber Security Consultant Quality + Engineering [email protected]
Hosted by:
Michael Milutis Director of Marketing Computer Aid, Inc. (CAI) [email protected]