National Cyber Incident Response - Architectural Concepts

Similar documents
Bradford J. Willke. 19 September 2007

National Policy and Guiding Principles

National Cyber Security Strategy - Qatar. Michael Lewis, Deputy Director

PD 7: Homeland Security Presidential Directive 7: Critical Infrastructure Identification, Prioritization, and Protection

THE WHITE HOUSE. Office of the Press Secretary. EMBARGOED UNTIL DELIVERY OF THE PRESIDENT'S February 12, 2013 STATE OF THE UNION ADDRESS

Overview of NIPP 2013: Partnering for Critical Infrastructure Security and Resilience October 2013

Introduction to the National Response Plan and National Incident Management System

About Issues in Building the National Strategy for Cybersecurity in Vietnam

Critical Infrastructure Sectors and DHS ICS CERT Overview

The Confluence of Physical and Cyber Security Management

Government-Industry Collaboration: 7 Steps for Resiliency in Critical Infrastructure Protection

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com

Emergency Support Function #2 Communications Annex INTRODUCTION. Purpose. Scope. ESF Coordinator: Support Agencies: Primary Agencies:

STRATEGY ATIONAL. National Strategy. for Critical Infrastructure. Government

Dr. Emadeldin Helmy Cyber Risk & Resilience Bus. Continuity Exec. Director, NTRA. The African Internet Governance Forum - AfIGF Dec 2017, Egypt

Energy Assurance Plans

Statement for the Record

Panel 1 National CSIRT Experience

NATIONAL DEFENSE INDUSTRIAL ASSOCIATION Homeland Security Symposium

Critical Information Infrastructure Protection Law

Directive on security of network and information systems (NIS): State of Play

Greg Garcia President, Garcia Cyber Partners Former Assistant Secretary for Cyber Security and Communications, U.S. Department of Homeland Security

Why you should adopt the NIST Cybersecurity Framework

December 10, Statement of the Securities Industry and Financial Markets Association. Senate Committee on Banking, Housing, and Urban Development

Maintaining Resiliency Within the Defense Industrial Base Through Preparedness Response and Recovery

Cyber Security in Europe

cybersecurity in Europe Rossella Mattioli Secure Infrastructures and Services

HPH SCC CYBERSECURITY WORKING GROUP

Emergency Support Function #12 Energy Annex. ESF Coordinator: Support Agencies:

Critical Infrastructure Protection (CIP) as example of a multi-stakeholder approach.

Promoting Global Cybersecurity

Department of Homeland Security Updates

Resolution adopted by the General Assembly on 21 December [on the report of the Second Committee (A/64/422/Add.3)]

Special Action Plan on Countermeasures to Cyber-terrorism of Critical Infrastructure (Provisional Translation)

Control Systems Cyber Security Awareness

Quadrennial Homeland Security Review (QHSR) Ensuring Resilience to Disasters

Brussels, 19 May 2011 COUNCIL THE EUROPEAN UNION 10299/11 TELECOM 71 DATAPROTECT 55 JAI 332 PROCIV 66. NOTE From : COREPER

Overview of the Federal Interagency Operational Plans

National Incident Management System and National Response Plan. Overview

DHS Cybersecurity: Services for State and Local Officials. February 2017

STRATEGIC PLAN. USF Emergency Management

ICS-CERT Year in Review. Industrial Control Systems Cyber Emergency Response Team

Defining Computer Security Incident Response Teams

COUNTERING IMPROVISED EXPLOSIVE DEVICES

Intelligence Support to Critical Infrastructure Protection Table of Contents

The Office of Infrastructure Protection

Member of the County or municipal emergency management organization

The Office of Infrastructure Protection

STATEMENT GEORGE FORESMAN UNDERSECRETARY FOR PREPAREDNESS U.S. DEPARTMENT OF HOMELAND SECURITY

Critical Infrastructure Resilience

UNCLASSIFIED. National and Cyber Security Branch. Presentation for Gridseccon. Quebec City, October 18-21

Cyber Resilience. Think18. Felicity March IBM Corporation

Cyber Security Summit 2014 USCENTCOM Cybersecurity Cooperation

Resiliency and the Need for Re-Thinking our Water Infrastructure. Andrew Bielanski U.S. Environmental Protection Agency June 25, 2015

Critical Infrastructure

The NIS Directive and Cybersecurity in

PIPELINE SECURITY An Overview of TSA Programs

Cybersecurity for ALL

Critical Infrastructure Analysis and Protection - A Case for Secure Information Exchange. August 16, 2016

The Office of Infrastructure Protection

300 Riverview Plaza Odysseus Marcopolus, Chief Operating Officer Trenton, NJ POLICY NO: SUPERSEDES: N/A VERSION: 1.0

Outreach and Partnerships for Promoting and Facilitating Private Sector Emergency Preparedness

The Republic of Korea. economic and social benefits. However, on account of its open, anonymous and borderless

Executive Order on Coordinating National Resilience to Electromagnetic Pulses

FEMA Update. Tim Greten Technological Hazards Division Deputy Director. NREP April 2017

Information Sharing and Cooperation

Business Continuity: How to Keep City Departments in Business after a Disaster

Technical Conference on Critical Infrastructure Protection Supply Chain Risk Management

Part 1: Critical Infrastructures and Their Reliance on Critical Information Infrastructures

The Federal Council s Basic Strategy. for Critical Infrastructure Protection

The Australian Government s Approach to Critical Infrastructure Resilience

Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure

Today s cyber threat landscape is evolving at a rate that is extremely aggressive,

INDEPENDENT COMMUNICATIONS AUTHORITY OF SOUTH AFRICA(ICASA) CYBERSECURITY PRESENTATION AT SAIGF. 28 th November 2018

EU policy on Network and Information Security & Critical Information Infrastructures Protection

Railroad Infrastructure Security

Chapter X Security Performance Metrics

Introduction brief to the ISCe Satellite and Communications Conference

Critical Information Infrastructure Protection. Role of CIRTs and Cooperation at National Level

California Cybersecurity Integration Center (Cal-CSIC)

CRITICAL INFRASTRUCTURE AND KEY RESOURCES

Transport and ICT Global Practice Smart Connections for All Sandra Sargent, Senior Operations Officer, Transport & ICT GP, The World Bank

Cyber Security Strategy

European Union Agency for Network and Information Security

79th OREGON LEGISLATIVE ASSEMBLY Regular Session. Senate Bill 90

Provisional Translation

Directive on Security of Network and Information Systems

Mitigation Framework Leadership Group (MitFLG) Charter DRAFT

Cybersecurity Overview

Cyber Security & Homeland Security:

COMESA CYBER SECURITY PROGRAM KHARTOUM, SUDAN

American Association of Port Authorities. Navigating the Cyber Domain. Homeland Security UNCLASSIFIED

The Office of Infrastructure Protection

Section One of the Order: The Cybersecurity of Federal Networks.

Utilizing Terrorism Early Warning Groups to Meet the National Preparedness Goal. Ed Reed Matthew G. Devost Neal Pollard

The NIST Cybersecurity Framework

National Preparedness System (NPS) Kathleen Fox, Acting Assistant Administrator National Preparedness Directorate, FEMA April 27, 2015

Critical Infrastructure Partnership

ENISA Cooperation in the EU / NIS Directive

EMERGENCY SUPPORT FUNCTION (ESF) 13 PUBLIC SAFETY AND SECURITY

Transcription:

CSIRT Contributions to National Cyber Incident Response: An Architectural Perspective with U.S. Examples Bradford J. Willke Team Lead, Information Security Assessment & Evaluation Survivable Enterprise Management Group National Cyber Incident Response - Architectural Concepts 2 1

Protection Imperatives Protection of critical infrastructures, including information infrastructures is a matter of national security, economy, public welfare, and safety A high percentage (85% in U.S.) of critical infrastructure assets and key resources are privately owned; and we can assume a larger percentage for information infrastructures National goals for the protection of critical infrastructures cannot be accomplished without strong public-private partnerships It is the policy of the United States to protect... the operation of the information systems for critical infrastructure, and thereby, help to protect the people, economy, essential human and government services, and the national security of the United States, and to ensure that any disruptions that occur are infrequent, of minimal duration, manageable, and cause the least damage possible. Executive Order on Critical Infrastructure Protection, 16 October, 2001 3 Protection Scope 10+ Critical Infrastructure Sectors (17 for the U.S.) Agriculture and Food Energy National Monuments & Icons Drinking Water Postal and Shipping Transportation systems Government Facilities Telecommunications Information Technology Defense Industrial Base Public Health and Health Care Banking and Finance Chemical Commercial Facilities Dams Emergency Services Nuclear reactors, materials, waste Source: U.S. National Infrastructure Protection Plan, 2006 4 2

Critical Infrastructure / Key Resources Agriculture and Food Energy Transportation Chemical Industry Postal and Shipping Water Public Health Telecommunications Banking and Finance Key Assets Farms Food Processing Plants Power Plants Production Sites Railroad Tracks Highway Bridges Pipelines Ports Chemical Plants Delivery Sites Reservoirs Treatment Plants Hospitals Cable Fiber FDIC institutions Nuclear Power Plants Government facilities Dams Cyber Infrastructure Internet Domain Name System Web Hosting IP Protocol E-Mail Hardware Servers Desktops Networking Equipment Software Operating Systems System Utilities Program Applications Control Systems SCADA PCS DCS 5 Protection Factors - Interdependency Source: Critical Infrastructure Interdependency Modeling: A Survey of U.S. and Int l Research, Idaho National Laboratory, 2006 6 3

National Response Planning Requirements - 1 Identification of experts, critical assets / key resources, areas of responsibility, mutual countermeasures, best practices, and standards Coordination of vendor and service provider communities on technical and procedural solutions and remedies Coordination with other management frameworks (such as CIP programs, national emergency response plans, etc) Collaboration of government, ncsirts, intelligence services, and law enforcement Collaboration on planning, design, implementation, operation, and reconstitution processes with partners 7 National Response Planning Requirements - 2 Identification of dependencies and interdependencies between critical infrastructure systems Identification of consequences of a critical infrastructure failure Identification of threats, risks, single points of failure, and major vulnerabilities Development of options for investment and other mitigation strategies Planning and testing using evaluations and scenarios, including natural disasters, criminal actions, and acts of sabotage/terrorism, which disrupt the supply of critical infrastructure services and test business continuity and other response plans 8 4

U.S. Environment of National Cyber Incident Response 9 U.S. Cyber Incident Planning Communities Federal Incident Response Community DHS - National Cyber Security Division Law Enforcement / Intelligence Department of Defense Information Sharing and Analysis Centers Sector Coordinating Councils Government Coordinating Council International Entities International Incident Response Community Law Enforcement Community Intelligence Community War-Fighter Community Assessment Response Restoration & Remediation 10 5

National Response Framework Presents guiding principles that enable all response partners to prepare for and provide a unified national response to disasters and emergencies from the smallest incident to the largest catastrophe. Supersedes NRP, December 2004. 11 NRF Quick Reference 12 6

5/22/08 Cyber Incident Annex - 1 Federal Government Responsibilities under Framework: Providing indications and warning of potential threats, incidents, and attacks Information-sharing both inside and outside the government, including best practices, investigative information, coordination of incident response, and incident mitigation Analyzing cyber vulnerabilities, exploits, and attack methodologies Providing technical assistance Conducting investigations, forensics analysis, and prosecution Attributing the source of cyber attacks Defending against the attack Leading national-level recovery efforts 13 Cyber Incident Annex - 2 Organizations Involved: Interagency Incident Management Group (IIMG) National Cyber Response Coordination Group (NCRCG) U.S. Computer Emergency Readiness Team (US-CERT) Intelligence Community Incident Response Center (IC-IRC) Department of Defense (DOD) Supporting Agencies: Department of Homeland Security Department of Justice National Security Council 14 7

U.S. National Response Authorizations Homeland Security Presidential Directive-5 (HSPD-5) Homeland Security Presidential Directive-7 (HSPD-7) Federal Information Security Management Act (FISMA) Executive Order 12472: The Assignment of National Security Emergency Preparedness Responsibilities for Telecommunications Section 706, Communications Act of 1934, as amended (47 U.S.C. 606) The Defense Production Act of 1950, as amended National Security Act of 1947, as amended National Security Directive 42: National Policy for the Security of National Security Telecommunications and Information Systems Executive Order 12333: United States Intelligence Activities, as amended National Strategy to Secure Cyberspace 15 Information Sharing & Analysis Programs Emergency Management and Response Informa5on Sharing and Analysis Center (EMR ISAC) 16 8

Strategic Operations US-CERT Overview Watch, Warning, and Incident Response Government Forum of Incident Response Security Teams (GFIRST) Chief Information Security Officers (CISO) Forum Computer Network Defense Service Provider (CNDSP) Accreditation Program Federal Situational Awareness National Cyber Alert System 17 LESSONS LEARNED 18 9

Use a Roadmap ITU Example I. National Strategy Create awareness at national policy level about cybersecurity and the need for national action and international cooperation. Develop a national strategy to enhance cybersecurity to reduce the risks and effects of cyber disruptions. Participate in international efforts for the prevention of, preparation for, preparation for, response to, and recovery from incidents. II. Government-Industry Collaboration Develop government-industry collaborations that work to effectively manage cyber risk and to protect cyberspace. Provide a mechanism for bringing a variety of perspectives, equities, and knowledge together to reach consensus and move forward together to enhance security at a national level. III. Deterring Cybercrime Enact and enforce a comprehensive set of laws relating to cybersecurity and cybercrime consistent with the provisions of the Convention on Cybercrime (2001). For a nation seeking to enhance cybersecurity and secure its critical information infrastructure, a first step is to establish cybersecurity as IV. Incident Management Capabilities national Develop a coordinated policy. national cyberspace security response system to prevent, detect, deter, respond to and recover from cyber incidents. Establish a focal point for managing cyber incidents that bring together critical elements from government (including law enforcement) and essential elements from infrastructure operators and vendors to reduce both the risk and severity of incidents. Participate in watch, warning and incident response information sharing mechanisms. Develop, test and exercise emergency response plans, procedures, and protocols to ensure that government and non-government collaborators can build trust and coordinate effectively in a crisis. V. Culture of Cybersecurity Promote a national Culture of Security consistent with UNGA Resolutions 57/239, Creation of a global culture of cybersecurity, and 58/199, Creation of a global culture of cybersecurity and the protection of critical information infrastructures. 19 Understand National Strategy Impediments Goal Orientation: Cybersecurity, business continuity, and ICT operations support critical information infrastructure protection (I.e., provide elements of resiliency) but are often performed independent of one another Problem Recognition: The field of cybersecurity and CIIP tends to be focused on technical not managerial solutions; true process improvement elusive Preparation: Nation s have false sense of preparedness; only tested during disruptive events Process: Codes of practice are numerous; however practice effectiveness is rarely measured Measurement: There are few reliable benchmarks for determining an nation s capability for protecting critical information infrastructures 20 10

Use Measurement & Metrics National Incident Management Capabilities A.1 4 B.1 3 A.2 A.7 A.6 2 1 0 A.5 A.4 A.3 2008 2009 National Strategic Capabilities C.7 4 A.1 A.2 C.6 A.3 3 C.5 A.4 2 C.4 A.5 1 C.3 C.2 0 A.6 A.7 2008 2009 C.1 A.8 B.6 B.5 B.4 B.3 B.2 B.1 21 Understand the Policy Framework 22 11

Utilize Policy Coordination Partnerships 23 Understand Supporting Success Factors Committed resources Budget/People/Time Situational and security awareness Trained, Skilled, and Educated Partners and Principals Design and conduct operational exercises Established communication channels (Public-Private Partnership) Developed risk criteria Established mitigation procedures Hardened information infrastructures 24 12

Understand CI Sector / Segment Perspectives h"p://intelligrid.info/intelligrid_architecture/high_level_concepts/hlc_network_management.htm 5/22/08 25 Use Modeling and Simulation Geospatial / Geopolitical Mission Critical Analysis Assurance Cases Dependent / Interdependent Risk Perspectives (CIIP) System Dynamics Modeling 26 13

National Level Exercise (NLE) - Objectives Exercise the national cyber incident response community with a focus on: Interagency coordination under the Cyber Annex to the National Response Plan: Interagency Incident Management Group (IIMG) National Cyber Response Coordination Group (NCRCG) Intergovernmental coordination and incident response: Domestic: State Federal International: Australia, Canada, NZ, UK & US Identification and improvement of public-private collaboration, procedures and processes Identification of policies/issues that affect cyber response & recovery Identification of critical information sharing paths and mechanisms Raise awareness of the economic and national security impacts associated with a significant cyber incident 27 NLE Player Universe An N 2 Problem 28 14

NLE - Lessons Learned 1 Correlation of multiple incidents is challenging at all levels: Within enterprises / organizations Across critical infrastructure sectors Between states, federal agencies and countries Bridging public private sector divide Communication provides the foundation for response Processes and procedures must address communication protocols, means and methods Collaboration on vulnerabilities is rapidly becoming required Reliance on information systems for situational awareness, process controls and communications means that infrastructures cannot operate in a vacuum Coordination of response is time critical Cross-sector touch points, key organizations, and SOPs must be worked out in advance Coordination between public-private sectors must include well articulated roles and responsibilities 29 NLE - Lessons Learned 2 Strategic Communications / Public Messaging Critical part of government response that should be coordinated with partners at all levels Policy Coordination Senior leadership / interagency bodies should develop more structured communication paths with international counterparts Strategic situational awareness picture cannot be built from a wholly federal or domestic perspective in the cyber realm Operational Cooperation True situational awareness will always include an external component Initial efforts at international cooperation during NLE provided concrete insights into of near term development of way ahead for ops/tech info sharing Communication paths, methods, means and protocols must be solidified in advance of crisis/incident response Who do I call? When do I call? How do I call them? Secure and assured communications are critical in order to share sensitive information Cooperation must include ability to link into or share info in all streams: e.g., Cyber, Physical, LE, Intelligence 30 15

Use International Resources ITU Study Group Q.22/1 Report on Best Practices for a National Approach to Cybersecurity: A management Framework for Organizing National Cybersecurity Efforts, ITU-D Secretariat DRAFT, January 2008 Available at: http://www.itu.int/itu-d/cyb/ 2007 Report on Policies to Protect the Critical Information Infrastructure (Australia, Canada, Japan, Korea, The Netherlands, United Kingdom, United States) Available at: www.oecd.org/sti/security-privacy International CIIP Handbook 2006: Volume I: An Inventory of 20 National and 6 International Critical Information Infrastructure Protection Policies Volume II: Analyzing Issues, Challenges, and Prospects Available at: http://www.crn.ethz.ch/publications/crn_team 31 Questions and Discussion The problems of today will not be solved by the same thinking that produced the problems in the first place. Albert Einstein Contact Information: Bradford Willke Email: bwillke@cert.org Phone: +1 412 268-5050 Postal Address: CERT Survivable Enterprise Management Group Software Engineering Institute Carnegie Mellon University Pittsburgh, Pennsylvania 15213-3890 USA 32 16

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback