Track 4A: NIST Workshop

Transcription

1 Track 4A: NIST Workshop National Institute of Standards and Technology (NIST) National Cybersecurity Center of Excellence (NCCoE) GridSecCon October 18, 2016

2 AGENDA TOPIC PRESENTER(S) DURATION NIST/NCCoE Introduction Jim McCarthy, NIST/NCCoE 30 min (10 min Q&A) What s up with Cybersecurity Bob Lockhart, UTC 30 min (10 min Q&A) Challenges to Practical Cybersec Options Notes from the Field Break Supply Chain Risks Open Discussion with Presenters/Networking Opportunities Mike Prescher, Black & Veatch Mike Meason, Western Farmers Electric Cooperative Mike Cohen, The MITRE Corporation Julie Steinke, Jim McCarthy 30 min (10 min Q&A) 30 min (10 min Q&A) 15 min 30 min (10 min Q&A) 60/15 2

3 NIST Cybersecurity Portfolio Jim McCarthy GridSecCon October 18, 2016

4 NIST CYBERSECURITY PORTFOLIO Areas of Focus Cryptographic Technologies Security Management and Assurance Secure Systems and Applications Security Components and Mechanisms Security Test and Metrics Group National Cybersecurity Center of Excellence Some Major Activities Secure Hash Competition, Authentication, Key Management, Crypto Transitions, DNSSEC, E- Voting, Quantum Computing Cybersecurity Framework for Critical Infrastructure, FISMA, Public Safety Network, Cyber-Physical System, Health IT, Smart Grid, Supply Chain, NICE, Outreach and Awareness Identity Management, Biometric Standards, Cloud Computing and Virtualization Technologies, Security Automation, Infrastructure Services and Protocols Virtualization, Security Automation (SCAP), Trust Roots, Continuous Monitoring, USGv6 Crypto Validation Programs, CAVP, CMVP (FIPS 140), SCAP Validation, NVD Work with business sectors to identify real-world cybersecurity opportunities and collaborate with IT vendors to develop commercially available solutions to accelerate the adoption of technology 4

5 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY NIST s work enables Science Technology innovation Trade Public benefit NIST works with Industry Academia Government agencies Measurement labs Standards organizations NIST s Laboratories 5

6 IMPROVING CRITICAL INFRASTRUCTURE CYBERSECURITY It is the policy of the United States to enhance the security and resilience of the Nation s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties President Barack Obama Executive Order 13636, 12 February

7 DEVELOPMENT OF THE FRAMEWORK Engage the Framework Stakeholders EO Issued February 12, 2013 NIST Issues RFI February 26, st Framework Workshop April 03, 2013 Collect, Categorize, and Post RFI Responses Completed April 08, 2013 Identify Common Practices/Themes May 15, 2013 Analyze RFI Responses 2 nd Framework Workshop at CMU May 2013 Draft Outline of Preliminary Framework June 2013 Ongoing Engagement: Open public comment and review encouraged and promoted throughout the process and to this day Identify Framework Elements 3 rd Workshop at UCSD July th Workshop at UT Dallas Sept 2013 Prepare and Publish Framework 5 th Workshop at NC State Nov 2013 Published Framework Feb

8 FRAMEWORK CORE Cybersecurity Framework Component What processes and assets need protection? What safeguards are available? What techniques can identify incidents? What techniques can contain impacts of incidents? What techniques can restore capabilities? 8

9 CORE Cybersecurity Framework Component Function Category ID Asset Management ID.AM Business Environment ID.BE Identify Governance ID.GV Risk Assessment ID.RA Risk Management Strategy ID.RM Access Control PR.AC Awareness and Training PR.AT Data Security PR.DS Protect Information Protection Processes & Procedures PR.IP Maintenance PR.MA Protective Technology PR.PT Anomalies and Events DE.AE Detect Security Continuous Monitoring DE.CM Detection Processes DE.DP Response Planning RS.RP Communications RS.CO Respond Analysis RS.AN Mitigation RS.MI Improvements RS.IM Recovery Planning RC.RP Recover Improvements RC.IM Communications RC.CO Subcategory ID.BE-1: The organization s role in the supply chain is identified and communicated ID.BE-2: The organization s place in critical infrastructure and its industry sector is identified and communicated ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated ID.BE-4: Dependencies and critical functions for delivery of critical services are established ID.BE-5: Resilience requirements to support delivery of critical services are established Informative References COBIT 5 APO01.02, DSS06.03 ISA : ISO/IEC 27001:2013 A NIST SP Rev. 4 CP-2, PS-7, PM-11 COBIT 5 APO08.04, APO08.05, APO10.03, APO10.04, APO10.05 ISO/IEC 27001:2013 A , A , A NIST SP Rev. 4 CP-2, SA-12 COBIT 5 APO02.06, APO03.01 NIST SP Rev. 4 PM-8 COBIT 5 APO02.01, APO02.06, APO03.01 ISA : , NIST SP Rev. 4 PM-11, SA-14 ISO/IEC 27001:2013 A , A , A NIST SP Rev. 4 CP-8, PE-9, PE-11, PM-8, SA-14 9

10 PROFILE Cybersecurity Framework Component Ways to think about a Profile: A customization of the Core for a given sector, subsector, or organization A fusion of business/mission logic and cybersecurity outcomes An alignment of cybersecurity requirements with operational methodologies Identify Protect Detect Respond Recover A basis for assessment and expressing target state A decision support tool for cybersecurity risk management 10

11 CSF FOR THE MANUFACTURING SECTOR 11

12 NIST MANUFACTURING CYBERSECURITY RESEARCH Develop a broad Manufacturing Cybersecurity Framework (CSF) Target Profile for various manufacturing scenarios Solicit feedback Incorporate feedback Publish profile as a CSF resource Implement Manufacturing CSF Profile in the NIST Cybersecurity for Smart Manufacturing test bed Measure performance impact of various cybersecurity solutions to meet the Manufacturing CSF Profile Develop guidance on how to implement the NIST CSF in manufacturing environments without having negative performance impacts 12

13 MANUFACTURING PROFILE DEVELOPMENT Utilizing CSF Informative References to create tailored language for the manufacturing sector: NIST SP NIST SP ISA / IEC

14 MANUFACTURING PROFILE 14

15 RISK MANAGEMENT SECURITY LEVEL Identify the applicable level of security needed for the manufacturing system: Low Moderate High 15

16 SYSTEM CATEGORIZATION 16

17 PROFILE LANGUAGE ID.AM-1 17

18 CYBERSECURITY FRAMEWORK MANUFACTURING PROFILE CSF Manufacturing Profile URL: /csf-manufacturing-profile-draft.pdf Contact: Keith Stouffer

19 NEXT STEPS Solicit and incorporate feedback Implement manufacturing profile on the NIST Cybersecurity for Smart Manufacturing test bed Measure performance impact of the security controls Incorporate findings into the manufacturing profile Determine where is the best organization to take ownership of the profile 19

20 ABOUT THE NCCOE

21 WHO WE ARE AND WHAT WE DO VISION ADVANCE CYBERSECURITY A secure cyber infrastructure that inspires technological innovation and fosters economic growth MISSION ACCELERATE ADOPTION OF SECURE TECHNOLOGIES Collaborate with innovators to provide real-world, standards-based cybersecurity capabilities that address business needs GOAL 1 PROVIDE PRACTICAL CYBERSECURITY Help people secure their data and digital infrastructure by equipping them with practical ways to implement standards-based cybersecurity solutions that are modular, repeatable and scalable GOAL 2 INCREASE RATE OF ADOPTION Enable companies to rapidly deploy commercially available cybersecurity technologies by reducing technological, educational and economic barriers to adoption GOAL 3 ACCELERATE INNOVATION Empower innovators to creatively address businesses most pressing cybersecurity challenges in a state-of-the-art, collaborative environment 21

22 BUSINESS MODEL The NCCoE seeks problems that are: Broadly applicable across much of a sector, or across sectors Addressable through one or more reference designs built in our labs Complex enough that our reference designs will need to be based on a combination of multiple commercially available technologies Reference designs address: Sector-specific use cases that focus on a business-driven cybersecurity problem facing a particular sector (e.g., health care, energy, financial services) Technology-specific building blocks that cross sector boundaries (e.g., roots of trust in mobile devices, trusted cloud computing, software asset management, attribute based access control) 22

23 NCCOE CURRENT PROJECTS Consumer/Retail Multifactor Authentication for e- Commerce Energy Identity and Access Management Situational Awareness Financial Services IT Asset Management Access Rights Management Healthcare Electronic Health Records on Mobile Devices Infusion Pumps Transportation: Maritime Cybersecurity Profile for Bulk Liquid Transfer Public Safety/First Responder Mobile Single Sign-On Authentication for Law Enforcement Vehicle Systems Mobile Device Security Mobile Device Security: Cloud & Hybrid Builds Mobile Threat Catalogue NISTIR 8144: Assessing Threats to Mobile Devices & Infrastructure Attribute Based Access Control Data Integrity Derived Personal Identity Verification (PIV) DNS-based Secured 23

24 IDENTITY AND ACCESS MANAGEMENT FOR THE ENERGY SECTOR Challenge Solution Benefits Employees have access to multiple systems across multiple grid substations, including physical locations, the IT and OT network Current access is typically managed in silos, making it difficult for utilities to know who has access to what When an employee leaves it s difficult to ensure that all access rights have been revoked leaving a utility open to potential harm and threats IT Network PACS Network Physical Network Electric utilities need a converged or consolidated access management solution to maintain better security posture Access to facilities and devices is granted, revoked or modified by a single, secured platform Provides a real-time view of all access rights currently in place Provides ability to quickly revoke access to facilities and devices in near real-time Can reduce the risk of malicious or untrained people gaining unauthorized access to critical infrastructure Simplifies regulatory compliance by automating generation and collection of access information Improves security posture by tracking and auditing access requests and other IdAM activity across all networks 24

25 IDAM PRACTICE GUIDE NIST SP a,b,c: Identity And Access Management for Electric Utilities Download: NIST SP a: Executive Summary NIST SP b: Approach, Architecture, and Security Characteristics - what we built and why NIST SP c: How To Guides instructions for building the example solution 25

26 IDAM PROJECT INDUSTRY PARTNERS AlertEnterprise CA Technologies Cisco Systems, Inc. GlobalSign Mount Airey Group RS2 Technologies RSA Security, LLC Radiflow Schneider Electric TDi Technologies XTec, Inc. 26

27 SITUATIONAL AWARENESS FOR THE ENERGY SECTOR Challenge Widely accepted Grid is vulnerable to Cyber Attack Silo ed Approach to security does not work Electric power industry need a real-time Situational Awareness to include security data from OT, IT and Physical Assets. Solutio n Security data feeds into single view Benefits Improves ability to detect Cyber related breaches Increases chances of eliminating or minimizing impacts to the Grid as a result of such attacks Increased ability to perform forensics Provides correlation of security data across silos Creates real-time situational awareness and increases efficiency and effectiveness of response to potential security events 27

28 SA PROJECT INDUSTRY PARTNERS Dragos Security LLC Hewlett Packard Enterprise ICS 2 OSISoft Radiflow Ltd. RS2 Technologies RSA Schneider Electric Siemens TDi Technologies Waratek Waterfall Security Solutions Ltd. 28

29 INITIAL USE CASE INPUTS FROM MARITIME BLT/ONG Possible use cases derived from Maritime and Oli and Natural Gas Open Session at the NCCoE About 50 attendees Held on 5 Apr 16 in conjunction with Cybersecurity Framework Workshop 6-7 Apr 16 Some of the use case ideas from attendees: Hardware/software asset management including detection of unauthorized devices, patching, etc Access control for internal personnel and external partners, as well as device interconnectivity Software assurance and ability to go back to gold versions for ICS/SCADA devices Reestablishment of baseline controls after device repairs & patches, particularly on offshore platforms Pipeline ops and interdependencies (supply chain) 29

30 RESOURCES: WHERE TO LEARN MORE AND STAY CURRENT The National Institute of Standards and Technology National Cybersecurity Center of Excellence: NIST Computer Security Division Computer Security Resource Center: The Framework for Improving Critical Infrastructure Cybersecurity and related news and information: For additional Framework info and help: 30

31 QUESTIONS? Contact: Jim McCarthy 31