Framework for Improving Critical Infrastructure Cybersecurity
April 2016
cyberframework@nist.gov

Pre-Cybersecurity Framework Threat Landscape
• 79% of reported victims were targets of opportunity
• 96% of reported attacks in 2012 were NOT difficult
• 85% of reported breaches took weeks or more to discover
• 97% of reported breaches were avoidable through simple or intermediate controls
Statistics are from the 2012 Verizon Data Breach Investigative Report

Improving Critical Infrastructure Cybersecurity
“It is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.”
President Barack Obama, Executive Order 13636, 12 February 2013

Based on the Executive Order, the Cybersecurity Framework Must
• Include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks
• Provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk
• Identify areas for improvement to be addressed through future collaboration with particular sectors and standards-developing organizations
• Be consistent with voluntary international standards

Development of the Framework
Phases: Engage the Framework Stakeholders; Collect, Categorize, and Post RFI Responses; Analyze RFI Responses; Identify Framework Elements; Prepare and Publish Framework
Milestones:
• EO 13636 Issued – February 12, 2013
• NIST Issues RFI – February 26, 2013
• 1st Framework Workshop – April 03, 2013
• RFI Responses Collected, Categorized, and Posted – April 08, 2013
• Identify Common Practices/Themes – May 15, 2013
• 2nd Framework Workshop at CMU – May 2013
• Draft Outline of Preliminary Framework – June 2013
• 3rd Workshop at UCSD – July 2013
• 4th Workshop at UT Dallas – Sept 2013
• 5th Workshop at NC State – Nov 2013
• Published Framework – Feb 2014
Ongoing Engagement: open public comment and review encouraged and promoted throughout the process… and to this day

The Cybersecurity Framework Is for Organizations…
• Of any size, in any sector, in and outside of the critical infrastructure
• That already have a mature cyber risk management and cybersecurity program
• That don’t yet have a cyber risk management or cybersecurity program
• With a mission of helping keep up-to-date on managing risk and facing business or societal threats

Cybersecurity Framework Components
• Framework Core: cybersecurity activities and informative references organized around particular outcomes; enables communication of cyber risk across an organization
• Framework Profile: aligns industry standards and best practices to the Framework Core in a particular implementation scenario; supports prioritization and measurement while factoring in business needs
• Framework Implementation Tiers: describe how cybersecurity risk is managed by an organization and the degree to which the risk management practices exhibit key characteristics

Implementation Tiers (Cybersecurity Framework Component)
• Allow for flexibility in implementation and bring in concepts of maturity models
• Reflect how an organization implements the Framework Core functions and manages its risk
• Progressive, ranging from Partial (Tier 1) to Adaptive (Tier 4), with each Tier building on the previous Tier
• Characteristics are defined at the organizational level and are applied to the Framework Core to determine how a category is implemented

Implementation Tiers (Cybersecurity Framework Component)
Tiers: 1 Partial, 2 Risk Informed, 3 Repeatable, 4 Adaptive
Tier characteristics (the rows of the Tier table):
• Risk Management Process: the functionality and repeatability of cybersecurity risk management
• Integrated Risk Management Program: the extent to which cybersecurity is considered in broader risk management decisions
• External Participation: the degree to which the organization benefits by sharing or receiving information from outside parties

Taxonomy Value Proposition
Plant classification is the placing of known plants into groups or categories to show some relationship. Scientific classification follows a system of rules that standardizes the results and groups successive categories into a hierarchy. For example, the family to which lilies belong is classified as:
• Kingdom: Plantae
• Phylum: Magnoliophyta
• Class: Liliopsida
• Order: Liliales
• Family: Liliaceae
• Genus
• Species

Core (Cybersecurity Framework Component)
Functions and the question each one answers:
• Identify (ID): What processes and assets need protection?
• Protect (PR): What safeguards are available?
• Detect (DE): What techniques can identify incidents?
• Respond (RS): What techniques can contain impacts of incidents?
• Recover (RC): What techniques can restore capabilities?
Categories by Function:
• Identify: Asset Management (ID.AM), Business Environment (ID.BE), Governance (ID.GV), Risk Assessment (ID.RA), Risk Management Strategy (ID.RM)
• Protect: Access Control (PR.AC), Awareness and Training (PR.AT), Data Security (PR.DS), Information Protection Processes & Procedures (PR.IP), Maintenance (PR.MA), Protective Technology (PR.PT)
• Detect: Anomalies and Events (DE.AE), Security Continuous Monitoring (DE.CM), Detection Processes (DE.DP)
• Respond: Response Planning (RS.RP), Communications (RS.CO), Analysis (RS.AN), Mitigation (RS.MI), Improvements (RS.IM)
• Recover: Recovery Planning (RC.RP), Improvements (RC.IM), Communications (RC.CO)
Subcategories and Informative References, shown for Business Environment (ID.BE):
• ID.BE-1: The organization’s role in the supply chain is identified and communicated. Informative References: COBIT 5 APO08.04, APO08.05, APO10.03, APO10.04, APO10.05; ISO/IEC 27001:2013 A.15.1.3, A.15.2.1, A.15.2.2; NIST SP 800-53 Rev. 4 CP-2, SA-12
• ID.BE-2: The organization’s place in critical infrastructure and its industry sector is identified and communicated. Informative References: COBIT 5 APO02.06, APO03.01; NIST SP 800-53 Rev. 4 PM-8
• ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated. Informative References: COBIT 5 APO02.01, APO02.06, APO03.01; ISA 62443-2-1:2009 4.2.2.1, 4.2.3.6; NIST SP 800-53 Rev. 4 PM-11, SA-14
• ID.BE-4: Dependencies and critical functions for delivery of critical services are established. Informative References: ISO/IEC 27001:2013 A.11.2.2, A.11.2.3, A.12.1.3; NIST SP 800-53 Rev. 4 CP-8, PE-9, PE-11, PM-8, SA-14
• ID.BE-5: Resilience requirements to support delivery of critical services are established. Informative References: COBIT 5 DSS04.02; ISO/IEC 27001:2013 A.11.1.4, A.17.1.1, A.17.1.2, A.17.2.1; NIST SP 800-53 Rev. 4 CP-2, CP-11, SA-14

Profile (Cybersecurity Framework Component)

Building a Profile
A Profile can be created in three steps.
(Diagram; recoverable labels only: Mission, Priority, Objective; Subcategory.)

Supporting Risk Management with Framework
(Diagram of information and decision flows; recoverable text only:)
• Focus: Organizational Risk. Actions: Risk Decision and Priorities
• Focus: Critical Infrastructure Risk Management. Actions: Selects Profile, Allocates Budget
• Focus: Securing Critical Infrastructure (Implementation/Operations). Actions: Implements Profile
• Flows between levels: Mission Priority and Risk Appetite and Budget; Changes in Current and Future Risk; Framework Profile; Implementation Progress, Changes in Assets, Vulnerability and Threat

Key Attributes
• It’s a framework, not a prescription
  • It provides a common language and systematic methodology for managing cyber risk
  • It is meant to be adapted
  • It does not tell a company how much cyber risk is tolerable, nor does it claim to provide “the one and only” formula for cybersecurity
  • Having a common lexicon to enable action across a very diverse set of stakeholders will enable the best practices of elite companies to become standard practices for everyone
• The framework is a living document
  • It is intended to be updated over time as stakeholders learn from implementation and as technology and risks change
  • That’s one reason why the framework focuses on questions an organization needs to ask itself to manage its risk. While practices, technology, and standards will change over time, principles will not.

Where Should I Start?
1. Business Environment (ID.BE): The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.
Framework Version 1.0, Section 3.2, Step 1: Prioritize and Scope. The organization identifies its business/mission objectives and high-level organizational priorities. With this information, the organization makes strategic decisions regarding cybersecurity implementations and determines the scope of systems and assets that support the selected business line or process. The Framework can be adapted to support the different business lines or processes within an organization, which may have different business needs and associated risk tolerance.
2a. Governance (ID.GV): The policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.
2b. Risk Management Strategy (ID.RM): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.

Industry Use
The Framework is designed to complement existing business and cybersecurity operations, and has been used for:
• Self-Assessment, Gap Analysis, Budget and Resourcing Decisions
• Standardizing Communication Between Business Units
• Harmonizing Security Operations with Audit
• Communicating Requirements with Partners and Suppliers
• Describing Applicability of Products and Services
• Identifying Opportunities for New or Revised Standards
• Categorizing College Course Catalogs
• Cybersecurity Certifications, as a part of them
• Categorizing and Organizing Requests for Proposal Responses
• Consistent dialog both within and amongst countries
• A common platform on which to innovate by identifying market opportunities where tools and capabilities may not exist today

Framework – One Year After Release
• August 26, 2014: Request for Information – Experience with the Cybersecurity Framework. Questions focused on awareness, experiences, and roadmap areas. Goal: raise awareness, encourage use as a tool, highlight examples of sector-specific efforts and implementation efforts, gather feedback
• October 29-30, 2014: 6th Cybersecurity Framework Workshop, Florida Center for Cybersecurity
• December 5, 2014: Update on the Cybersecurity Framework. Summary posted that includes analysis of RFI responses, feedback from the 6th workshop, an update on Roadmap areas, and next steps
• February 12, 2015: 1 Year Anniversary of the Release. NIST Cybersecurity Framework site updated to include FAQs, Upcoming Events, and Industry Resources; ongoing targeted outreach continues
• February 13, 2015: White House Releases Fact Sheet on Cybersecurity and Consumer Protection

Examples of Industry Resources
• Cybersecurity Guidance for Small Firms
• The Cybersecurity Framework in Action: An Intel Use Case
• Energy Sector Cybersecurity Framework Implementation Guidance

Examples of U.S. State/Local Use
Texas Department of Information Resources
• Aligned Agency Security Plans with Framework
• Aligned Product and Service Vendor Requirements with Framework
North Dakota Information Technology Department
• Allocated Roles/Responsibilities using Framework
• Adopted the Framework into their Security Operation Strategy
Houston, Greater Houston Partnership
• Integrated Framework into their Cybersecurity Guide
• Offer On-Line Framework Self-Assessment
National Association of State CIOs
• 2 out of 3 CIOs from the 2015 NASCIO Awards cited Framework as a part of their award-winning strategy
New Jersey
• Developed a cybersecurity framework that aligns controls and procedures with Framework

Framework Roadmap Items
• Authentication
• Automated Indicator Sharing
• Conformity Assessment
• Cybersecurity Workforce
• Data Analytics
• Federal Agency Cybersecurity Alignment
• International Aspects, Impacts, and Alignment
• Supply Chain Risk Management
• Technical Privacy Standards

Standards/Guidelines for FISMA RM
FIPS – Federal Information Processing Standards
§ FIPS 199 – Standards for Security Categorization
§ FIPS 200 – Minimum Security Requirements
SPs – Special Publications
§ SP 800-18 – Guide for System Security Plan development
§ SP 800-30 – Guide for Conducting Risk Assessments
§ SP 800-34 – Guide for Contingency Plan development
§ SP 800-37 – Guide for Applying the Risk Management Framework
§ SP 800-39 – Managing Information Security Risk
§ SP 800-53/53A – Security controls catalog / assessment procedures
§ SP 800-60 – Mapping Information Types to Security Categories
§ SP 800-128 – Security-focused Configuration Management
§ SP 800-137 – Information Security Continuous Monitoring
§ Many others for operational and technical implementations

Recent Framework-Related Policy and Legislation
Cybersecurity Enhancement Act of 2014
• Codified NIST’s on-going role facilitating Framework evolution
• Asked NIST to facilitate fewer redundancies in regulation
OMB Memoranda M-16-03/04
• M-16-03: FY 2015-16 Guidance on Federal Information Security and Privacy Management Requirements
• M-16-04: Cybersecurity Strategy and Implementation Plan
Circular A-130 Update
• Provides generalized guidance for use of pre-existing FISMA-based guidance (like the Risk Management Framework) with the Cybersecurity Framework
• NIST is publishing guidance on using the Risk Management Framework and the Cybersecurity Framework together

Tailoring SP 800-53 Security Controls: Use Case #3 for Risk Management Framework/Cybersecurity Framework
(Diagram: CSF Core → customize → CSF Profile)

International Dialogs
Twenty-eight (28) countries have participated in discussion with NIST, including dialog with:
• The European Union and 14 out of 28 Member States
• 4 out of 5 of the Five Eyes
• 6 countries in Asia
• 5 countries in the Middle East

Emerging International Use – Italy
Italy’s National Framework for Cybersecurity
• http://www.cybersecurityframework.it
• Adopted 100% of the NIST Cybersecurity Framework
• Extended the NIST Cybersecurity Framework
• Created with industry and academia
• Published in both Italian and English

Resources: Where to Learn More and Stay Current
The National Institute of Standards and Technology Web site is available at http://www.nist.gov
NIST Computer Security Division, Computer Security Resource Center, is available at http://csrc.nist.gov
The Framework for Improving Critical Infrastructure Cybersecurity and related news and information are available at www.nist.gov/cyberframework
For additional Framework info and help: cyberframework@nist.gov