2014 Communications Sector Year in Review Cybersecurity Risk Management Framework. Sector Year in Review

Transcription

1 2014 Communications Sector Year in Review Cybersecurity Risk Management Framework Sector Year in Review Kathryn Condello, Chair Communications Sector Coordinating Council

2 Five Segments: Broadcast, Cable, Satellite, Wireless, and Wireline Reach: 9700 Network/Service Providers across all 5 segments Overarching Sector Goals: Protect and enhance the overall physical and logical/cyber health of communications; Rapidly reconstitute critical communications services during a disruption and mitigate cascading effects; and Improve the sector s National Security / Emergency Preparedness posture with Federal, State, Local, Tribal, Territorial, and private sector entities to reduce risk. 2

3 INDUSTRY GOVERNMENT NSTAC POLICY EOP C-SCC PLANNING C-GCC ISAC OPERATIONS NCC Industry Initiatives Standards Best Practices Segment-Only

4 Internet of Things ICT Mobilization 4

5 Risk Mitigation: GPS Issues Assessments Qualitative Risk Assessment to the Public Network Planning Joint National Priorities Communication Sector Specific Plan Education/Outreach NIST Cybersecurity Framework Education 5

6 Information Sharing Partners NCCIC, US-CERT, NCC, State Fusion Centers, NCIJTF National Council of ISACs FS-ISAC, RE-ISAC, Water-ISAC, MS-ISAC and others 2014 USG/Sector Info Sharing: > 1200 Notices Received Exercises ESF#2 Training FEMA Region 1, FEMA Region III Gov t/industry TTX, National Council of ISACs Aug 2014 Response Planning: Asset Movement to Remote Venues Education: Potential vs. Real vs. CNN Events 6

7 Best Practice Development: CSRIC 1. NextGen Wireless Emergency Alerts 3. Emergency Alert System 4. Cybersecurity Best Practices (NIST CSF) 5. Remediation of Server-Based DDoS Attacks 6. Long-term Core Internet Protocols Improvements 7. Legacy Best Practice Updates 8. Submarine Cable Landing Sites 9. Infrastructure Sharing During Emergencies 10. Customer Premise Equipment 7

8 Cybersecurity Framework Core 22 Categories Five Function s 98 Subcategorie s ISO 27001, NIST , COBIT

9 Cybersecurity Framework Core Function ID Function Category ID Category ID.AM Asset Management ID.BE Business Environment ID Identify ID.GV Governance ID.RA Risk Assessment ID.RM Risk Management Strategy PR.AC Access Control PR.AT Awareness & Training PR Protect PR.DS PR.IP Data Security Information Protection Processes and Procedures PR.MA Maintenance PR.PT Protective Technology

10 Cybersecurity Framework Core Function ID DE RS RC Function Category ID Category Detect Respond Recover DE.AE DE.CM DE.DP RS.RP RS.CO RS.AN RS.MI RS.IM RC.RP RC.IM Anomalies & Events Security Continuous Monitoring Detection Processes Response Planning Communications Analysis Mitigation Improvements Recovery Planning Improvements RC.CO Communications 10

11 In order to provide for confidence in the resilience and reliability of the core public communications functions in the face of cyber threats. Working Group 4 will develop voluntary mechanisms to provide macro-level assurance to the FCC and the public that communications providers are taking the necessary corporate and operational measures to manage cybersecurity risks across the enterprise. The macro-level assurance will demonstrate how communications providers are reducing cybersecurity risks through the application of the NIST Cybersecurity Framework, or an equivalent construct. These assurances: (1) can be tailored by individual companies to suit their unique needs, characteristics, and risks (i.e., not one-size-fits-all), (2) are based on meaningful indicators of successful (and unsuccessful) cyber risk management (i.e., outcome-based indicators as opposed to process metrics), and (3) allow for meaningful assessments both internally (e.g., CSO and senior corporate management) and externally (e.g., business partners)

12 WG4 Leadership Team Co-Chairs: Robert Mayer, USTelecom and Brian Allen, Time Warner Cable Segment Leads Broadcast, Kelly Williams, NAB Cable, Matt Tooley, NCTA Wireless, John Marinho, CTIA Wireline, Chris Boyer, AT&T Satellite, Donna Bethea Murphy, Iridium Feeder Group Initiatives Requirements and Barriers to Implementation, Co-Leads, Harold Salters T-Mobile, Larry Clinton, Internet Security Alliance Mids/Smalls Co-Leads, Susan Joseph, Cable Labs, Jesse Ward, NTCA Top Cyber Threats and Vectors - Russell Eubanks, Cox, Joe Viens, TWCable Ecosystem Shared Responsibilities, Co-Leads, Tom Soroka, USTelecom, Brian Scarpelli, TIA Measurement, Co-Leads, Chris Boyer, AT&T, Chris Roosenraad, TimeWarnerCable Advisors Donna Dodson, WG4 Sr. Technical Advisor, NIST, Deputy Chief Cybersecurity Advisor & Division Chief for Computer Security Division Lisa Carnahan, NIST, Computer Scientist Emily Talaga, WG4 Sr. Economic Advisor, FCC Tony Sager, Council on Cybersecurity Engineering and Operational Review Co-Leads - Tom Soroka, USTelecom and John Marinho, CTIA Segment Leads Support Drafting Team Co-Leads Stacy Hartman and Paul Diamond, CenturyLink, Robert Thornberry, Alcatel/Lucent 12

13 Cyber Ecosystem Players User/ Device Mobility UE CPE Provider-mgd Gateway M2M/IoT Corporations Device Provider O/S Embedded Systems OEM AV/IDS/MDM Provider Edge Internet Control Plane (DNS/BGP/TCP/IP) Macro Wireless WiFi Broadband High-Speed Access Satellite Core Internet Control Plane (DNS/BGP/TCP/IP) Public Peering Private Peering Private Network s Mobility EPC Standards/Policies/Practices (e.g., IETF) Physical Security Infrastructure Provider Internet Control Plane (DNS/BGP/TCP/IP) DNS & IP Registrars CAs Cloud Hosting CDN MSS Application/ Content OTT Comms Social Networks Video Applications One of the more comprehensive Ecosystem diagrams, comes from a joint industry/government partnership called the U.S. Communications Sector Coordinating Council (CSCC). The Ecosystem Feeder group determined that this diagram captured a large number of the categories of the Ecosystem that were previously identified and it was an excellent depiction of the various Cyber Ecosystem relationships within the Communications Sector. Malicious Actors 13

14 Issue: Critical infrastructure sectors, including the financial sector, have been under assault from a barrage of DDoS attacks emanating from data centers and hosting providers. Deliverable: Recommend measures communications providers can take to mitigate the incidence and impact of DDoS attacks from data centers and hosting providers, particularly those targeting the information systems of critical sectors. ACS Akamai/ Prolexic Cox Communications Intrado Public Interest Registry CSG International MAAWG Shadowserver Arbor Networks CTIA Microsoft Sprint AT&T DHS NCTA Time Warner Cable ATIS Fed Reserve Board of Governors Neustar Univ of Oregon/Internet2 Bell Labs, Alcatel-Lucent FSSCC Nsight VeriSign, Inc. CAUCE Google NTT Verizon CenturyLink Comcast IEEE Online Trust Alliance Wells Fargo PA Public Utility Internet Identity Commission Windstream 14

15 Plan Locally Respond Globally A whole of community approach to advance the national resilience effort A borderless approach to advance cyber response norms. 15

16 Planning National Resiliency Framework Development Information Sharing Framework Assessment: Sector Cyber Measures (WG4) Dependency / Inter-Dependency Analysis Electricity Sector (ESCC + CSCC Issues) Data Center Dependencies (Regional Assessment) Financial Services Dependencies on Data Centers (Regional Assessment) 16

17 Regional Risk Assessments: Data Center Dependencies: Ashburn, VA Financial Services Dependencies: Chicago, IL Findings from Regional Risk Assessments are reviewed for incorporation into Sector Best Practices 17

18 Cloud/Data Centers increasingly relied upon for functions critical to the Nation s security. No specific SCC or ISAC for Cloud/Data Center Providers Suggest alignment with IT or Communication Sector 18

19 National Security Telecommunications Advisory Committee dhs.gov/nstac Communications Sector Coordinating Council commscc.org National Coordinating Center for Communications (NCC) National Cybersecurity & Communications Integration Center Department of Homeland Security dhs.gov/national-coordinating-center-communications Communications Security, Reliability and Interoperability Council (IV) Kathryn Condello CenturyLink Director, National Security / Emergency Preparedness Kathryn.Condello@CenturyLink.com 11

20 Questions?