A Sustainable Strategy for Critical Infrastructures and Key Resources Partnering to Optimize the Security of Critical Infrastructure

Transcription

1 SESSION ID: SPO3-W11 A Sustainable Strategy for Critical Infrastructures and Key Resources Partnering to Optimize the Security of Critical Infrastructure Phil Quade Chief Information Security Officer Fortinet, Inc.

2 The scope and scale of the critical infrastructure security problem has mostly frozen the ambitions to take on the problem. [anonymous]

3 Outline Goal Premise Approach How Organizing Steps Throughout Group discussion Way forward; adjustments; risks

4 Goal

5 Goal Optimize the security of US CIKRs in both the near and long term Commensurate with the risks and the rapidly accelerating dynamics of technology

6 Premise

7 Premise CIKRs are primarily privately owned & operated, but we all depend on them CIKRs are often dependent on, and interrelated with, one another Both public and private organizations can contribute to the larger security challenge if organized or rallied behind a common vision The relationship between physical and cyber security is very important (especially in CIKR s Industrial Controls Systems); need synergy among them Control systems security is fundamentally different than IT security, and the application of better IT alone will not remove CIKR risks There is an inherent engineering challenge based on fundamental physical processes that requires a fusion of diverse talent, technology, and frameworks No proposed changes to the authorities between, or within, government and industry

8 What s the Approach?

9 What s The Approach? A collaboration that transcends public-private sector, while respecting distinctions Create an action-oriented network of like-minded thought-leaders & stakeholders who share an common vision and altruistic vision of a more secure and resilient CIKR posture Use individual and collective influence (not control) to rally resources and programs to focus on the most urgent areas for risk mitigation Solicits, but does not depend upon, centralized advocacy

10 How

11 How Create an action-oriented network of like-minded thought-leaders and stakeholders Who share a common, altruistic vision of a more secure and resilient U.S. posture relative to Critical Infrastructure & Key Resources (CIKR) Use thought-leadership impactful exchanges to rally resources and programs of stakeholders around the most critical immediate efforts for risk mitigation While formulating mutually beneficial visions and plans for long term challenges with common gaps Senior leadership in both government and industry act on prioritized problems using resources and authorities within their span of control And based on actionable knowledge that provides context through both informed analysis and sharing

12 Organizing

13 An Action-Oriented Network Phase 1: Informal Thought leaders Organizations with tangible stuff (equipment, expertise) Those with money Highly-symbolic partners Those with positional authority Others Phase 2: Add light-touch orchestration/governance, if needed

14 Steps

15 Analogy A national-level solution requires vision, strategy, and planning It doesn t require knowing all the solutions before you start It does require innovative approaches, and steadiness on the stick The moonshot of 50 years ago is a good analogy

16 The Goal, The Horizon, The First Steps, All the Steps

17 The Goal, The Horizon, The First Steps, All the Steps

18 The Goal, The Horizon, The First Steps, All the Steps

19 The Goal, The Horizon, The First Steps, All the Steps

20 Exceeding Expectations

21 The Goal, The Horizon, The First Steps, All the Steps Economic competitiveness National security Privacy and Civil liberties Public safety Pursuit of happiness

22 The Goal, The Horizon, The First Steps, All the Steps

23 Automated Information Sharing Pilots Workforce Development The Goal, The Horizon, The First Steps, All the Steps En Chm Wtr El O&G Nu Xm Dist Gen

24 The Goal, The Horizon, The First Steps, All the Steps? Journey of a thousand mile starts with one step

25 Potential Next Steps 1. Sharpen common vision and define model for collaboration Strategic alignment 2. Create a strawman information sharing architecture Socialize Add fidelity 3. Pilot specific activities Information sharing Consequence-based engineering Integrated, automated cyber defenses 4. Create and scale guild model, across security disciplines Inform existing workforce initiatives Create new ones where needed Identify scalability and culture change solutions 5. Establish [informal or formal] governance construct

26 WE HAVE A RESPONSIBILITY WE NEED TO CHANGE OUR HORIZ0N THERE ARE NEAR-TERM IMPROVEMENTS TO MAKE

27