Framework for Improving Critical Infrastructure Cybersecurity


Framework for Improving Critical Infrastructure Cybersecurity
May 2017
cyberframework@nist.gov

Why Cybersecurity Framework?

Cybersecurity Framework uses:
- Identify mission or business cybersecurity dependencies
- Align and de-conflict cybersecurity requirements
- Prioritize cybersecurity outcomes
- Organize, authorize, task, and track work
- Express risk disposition
- Understand gaps between current and target

The Cybersecurity Framework...
- Includes a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks.
- Provides a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk.
- Identifies areas for improvement to be addressed through future collaboration with particular sectors and standards-developing organizations.
- Is consistent with voluntary international standards.

The Framework Is for Organizations...
- Of any size, in any sector, in (and outside of) the critical infrastructure.
- That already have a mature cyber risk management and cybersecurity program.
- That don't yet have a cyber risk management or cybersecurity program.
- Needing to keep up to date managing risks, facing business or societal threats.
- In the federal government, too, since it is compatible with FISMA requirements and goals.

Cybersecurity Framework Components

Framework Core
- Cybersecurity activities and informative references, organized around particular outcomes
- Enables communication of cyber risk across an organization

Framework Profile
- Aligns industry standards and best practices to the Framework Core in a particular implementation scenario
- Supports prioritization and measurement while factoring in business needs

Framework Implementation Tiers
- Describes how cybersecurity risk is managed by an organization and the degree to which the risk management practices exhibit key characteristics

Implementation Tiers

Tier 1: Partial
Tier 2: Risk Informed
Tier 3: Repeatable
Tier 4: Adaptive

Each Tier is described along three dimensions:
- Risk Management Process: the functionality and repeatability of cybersecurity risk management
- Integrated Risk Management Program: the extent to which cybersecurity is considered in broader risk management decisions
- External Participation: the degree to which the organization benefits by sharing or receiving information from outside parties

Core (Cybersecurity Framework Component): audiences

Senior Executives
- Broad enterprise considerations
- Abstracted risk vocabulary

Specialists in Other Fields
- Specific focus outside of cybersecurity
- Specialized or no risk vocabulary

Implementation/Operations
- Deep technical considerations
- Highly specialized vocabulary

Core (Cybersecurity Framework Component): Functions and Categories

Each Function answers a question:
- Identify: What processes and assets need protection?
- Protect: What safeguards are available?
- Detect: What techniques can identify incidents?
- Respond: What techniques can contain impacts of incidents?
- Recover: What techniques can restore capabilities?

Function   Category                                        ID
Identify   Asset Management                                ID.AM
           Business Environment                            ID.BE
           Governance                                      ID.GV
           Risk Assessment                                 ID.RA
           Risk Management Strategy                        ID.RM
Protect    Access Control                                  PR.AC
           Awareness and Training                          PR.AT
           Data Security                                   PR.DS
           Information Protection Processes & Procedures   PR.IP
           Maintenance                                     PR.MA
           Protective Technology                           PR.PT
Detect     Anomalies and Events                            DE.AE
           Security Continuous Monitoring                  DE.CM
           Detection Processes                             DE.DP
Respond    Response Planning                               RS.RP
           Communications                                  RS.CO
           Analysis                                        RS.AN
           Mitigation                                      RS.MI
           Improvements                                    RS.IM
Recover    Recovery Planning                               RC.RP
           Improvements                                    RC.IM
           Communications                                  RC.CO

Core Example (Cybersecurity Framework Component)

(Table with columns: Function, Category, Subcategory, Informative Reference; the example rows did not survive transcription.)

Profile (Cybersecurity Framework Component)

Ways to think about a Profile:
- A customization of the Core for a given sector, subsector, or organization.
- A fusion of business/mission logic and cybersecurity outcomes.
- An alignment of cybersecurity requirements with operational methodologies.
- A basis for assessment and expressing target state.
- A decision support tool for cybersecurity risk management.

(Figure: the five Functions, Identify, Protect, Detect, Respond, Recover.)

Building a Profile

A Profile can be created in three steps:
1. Mission Objectives (A, B, C)
2. Cybersecurity Requirements (Legislation, Regulation, Internal & External Policy, Best Practice), mapped to Core Subcategories (1, 2, 3, ..., 98)
3. Operating Methodologies: guidance and methodology on implementing, managing, and monitoring

Framework 7-Step Process
- Step 1: Prioritize and Scope
- Step 2: Orient
- Step 3: Create a Current Profile
- Step 4: Conduct a Risk Assessment
- Step 5: Create a Target Profile
- Step 6: Determine, Analyze, and Prioritize Gaps
- Step 7: Implementation Action Plan

Supporting Risk Management with Framework 13

Conceptual Profile Value Proposition

(Table: Cybersecurity Requirements A through G are mapped to Subcategories 1, 2, 3, ..., 98, each carrying a Priority (moderate, high, moderate, moderate respectively), which in turn map to Operating Methodologies I through VIII. The three columns correspond to the three steps of building a Profile.)

When you organize yourself in this way:
- Compliance reporting becomes a byproduct of running your security operation
- Adding new security requirements is straightforward
- Adding or changing operational methodology is non-intrusive to on-going operation

Resource and Budget Decision Making

What can you do with a CSF Profile? Compare the As-Is Profile with the Year 1 To-Be and Year 2 To-Be Profiles:

Subcategory  Priority  Gap     Budget  Year 1 / Year 2 activities
1            moderate  small   $$$     X
2            high      large   $$      X
3            moderate  medium  $       X
98           moderate  none    $$      reassess

...and it supports on-going operational decisions, too.
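The Profile slides above describe a data model (requirements mapped to Core subcategories, each with a priority, a gap and operating methodologies) and two things you get from it: a prioritized action plan (Steps 6 and 7 of the 7-Step Process) and compliance reporting as a byproduct. The following is an added example, not NIST's code, that models a Profile this way in Python. The subcategory IDs are real Framework Core identifiers; the requirement names, priorities, gap sizes and methodology labels are constructed for illustration, and the ranking rule (priority first, then gap size) is an assumption, since the Framework does not prescribe one.

```python
"""
Added example (not NIST's code): a Cybersecurity Framework Profile modelled as
data, used to (1) rank open gaps into a Year 1 / Year 2 action plan and
(2) derive a per-requirement compliance report from subcategory status.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed ranking rule: higher priority first, then larger gap first.
PRIORITY_RANK = {"high": 0, "moderate": 1, "low": 2}
GAP_RANK = {"large": 0, "medium": 1, "small": 2, "none": 3}


@dataclass
class ProfileEntry:
    """One row of a Profile: a Core subcategory with its business context."""
    subcategory: str            # Framework Core subcategory ID, e.g. "PR.AC-1"
    priority: str               # "high", "moderate" or "low"
    gap: str                    # distance from current to target: "large" ... "none"
    requirements: List[str]     # legislation / regulation / policy items it satisfies
    methodologies: List[str] = field(default_factory=list)  # operating methodologies in use


# Constructed sample Profile; requirement names and values are illustrative.
SAMPLE_PROFILE = [
    ProfileEntry("PR.AC-1", "high", "large", ["Req A", "Req B"], ["IAM standard"]),
    ProfileEntry("ID.AM-1", "moderate", "small", ["Req A"], ["CMDB process"]),
    ProfileEntry("DE.CM-1", "moderate", "medium", ["Req C"], ["NSM runbook"]),
    ProfileEntry("RC.RP-1", "moderate", "none", ["Req D"], ["DR plan"]),
]


def prioritize_gaps(profile: List[ProfileEntry]) -> List[str]:
    """Step 6: subcategory IDs with an open gap, most urgent first."""
    open_gaps = [e for e in profile if e.gap != "none"]
    open_gaps.sort(key=lambda e: (PRIORITY_RANK[e.priority], GAP_RANK[e.gap], e.subcategory))
    return [e.subcategory for e in open_gaps]


def action_plan(profile: List[ProfileEntry], year1_slots: int) -> Dict[str, List[str]]:
    """Step 7: the first `year1_slots` ranked gaps go to Year 1, the rest to
    Year 2; subcategories with no gap are marked for reassessment."""
    ranked = prioritize_gaps(profile)
    return {
        "Year 1": ranked[:year1_slots],
        "Year 2": ranked[year1_slots:],
        "Reassess": [e.subcategory for e in profile if e.gap == "none"],
    }


def compliance_report(profile: List[ProfileEntry]) -> Dict[str, Dict[str, object]]:
    """Compliance as a byproduct: a requirement is met only when every
    subcategory mapped to it has no remaining gap."""
    report: Dict[str, Dict[str, object]] = {}
    for entry in profile:
        for req in entry.requirements:
            row = report.setdefault(req, {"subcategories": [], "open": []})
            row["subcategories"].append(entry.subcategory)
            if entry.gap != "none":
                row["open"].append(entry.subcategory)
    for row in report.values():
        row["met"] = not row["open"]
    return report


if __name__ == "__main__":
    for year, items in action_plan(SAMPLE_PROFILE, year1_slots=2).items():
        print(f"{year}: {', '.join(items) or '-'}")
    for req, row in sorted(compliance_report(SAMPLE_PROFILE).items()):
        status = "met" if row["met"] else "open: " + ", ".join(row["open"])
        print(f"{req}: {status}")
```

Because requirements point at subcategories rather than the other way round, adding a new regulation is a matter of appending its entries to the mapping, and the compliance report picks it up without changing how the operation is run, which is the value proposition the slides make.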

Profile Ecosystem

NIST provides the taxonomy: the Framework Core Subcategories (1, 2, 3, ..., 98).

The organization or community supplies:
- Requirements mapped to Subcategories (1: Req A, 2: Req B, 3: Req C, ..., 98: Req ZZ)
- Priorities for each (Req A: High, Req B: Mod, Req C: Low, ..., Req ZZ: High)

Cybersecurity Framework Core + crosswalks and mappings = Cybersecurity Framework Profile

Key Attributes

It's voluntary
- Is meant to be customized.

It's a framework, not a prescriptive standard
- Provides a common language and systematic methodology
- Does not tell an organization how much cyber risk is tolerable, nor provide the one and only formula for cybersecurity.
- Enables best practices to become standard practices for everyone

It's a living document
- Can be updated as stakeholders learn from implementation
- Can be updated as technology and threats change.

It's broadly applicable
- All sizes of organization; all maturities of risk practices; both inside and outside of critical infrastructure; industries, governments, and academia

Examples of Framework Industry Resources
www.nist.gov/cyberframework/industry-resources
- Italy's National Framework for Cybersecurity
- American Water Works Association's Process Control System Security Guidance for the Water Sector
- The Cybersecurity Framework in Action: An Intel Use Case
- Cybersecurity Risk Management and Best Practices Working Group 4: Final Report
- Energy Sector Cybersecurity Framework Implementation Guidance

Examples of State & Local Use

Texas, Department of Information Resources
- Aligned Agency Security Plans with Framework
- Aligned Product and Service Vendor Requirements with Framework

North Dakota, Information Technology Department
- Allocated Roles & Responsibilities using Framework
- Adopted the Framework into their Security Operation Strategy

National Association of State CIOs
- 2 out of 3 CIOs from the 2015 NASCIO Awards cited Framework as a part of their award-winning strategy

Houston, Greater Houston Partnership
- Integrated Framework into their Cybersecurity Guide
- Offer On-Line Framework Self-Assessment

New Jersey
- Developed a cybersecurity framework that aligns controls and procedures with Framework

NIST Manufacturing Profile

NIST Discrete Manufacturing Cybersecurity Framework Profile
- Utilizing CSF Informative References to create tailored language for the manufacturing sector
- NIST SP 800-53
- NIST SP 800-82
- ISA / IEC 62443

(Image credit: www.tiger-global.co.uk)

U.S. Coast Guard Maritime Bulk Liquids Transfer Framework Profile
- NCCoE and United States Coast Guard (USCG) worked together to draft a USCG Maritime Profile, based on the Cybersecurity Framework
- Aligns the USCG's cyber strategy with cybersecurity activities of the maritime bulk liquid transport operations of the oil & natural gas industry, utilizing standards and best practices guided by the Framework
- The profile can help individual companies clarify how cybersecurity fits into their mission priorities and how best to allocate resources to secure their information and operational systems.
- The profile is available at: https://www.uscg.mil/hq/cg5/cg544/docs/maritime_blt_csf.pdf

NIST Baldrige Excellence Builders

Baldrige Excellence Builders: Manufacturing, Service, Small Business, Education, Healthcare, Non-profit, Cybersecurity (2017)

Baldrige Cybersecurity Excellence Builder
- Self-assessment criteria with basis in Cybersecurity Framework
- Complements NIST Baldrige Program's performance excellence successes.
- April 2-5, 2017: 29th Annual Quest for Excellence Conference. A pre-conference workshop that focuses on cybersecurity will be held on April 2nd; visit: https://www.nist.gov/baldrige/qe

Continued Improvement of Critical Infrastructure Cybersecurity

Cybersecurity Enhancement Act of 2014 (P.L. 113-274), 18 December 2014, amends the National Institute of Standards and Technology Act (15 U.S.C. 272(c)) to say:

"on an ongoing basis, facilitate and support the development of a voluntary, consensus-based, industry-led set of standards, guidelines, best practices, methodologies, procedures, and processes to cost-effectively reduce cyber risks to critical infrastructure"

Basics about the Proposed Revision to Framework (Draft Cybersecurity Framework Version 1.1)
- Draft Version 1.1 of the Cybersecurity Framework seeks to clarify, refine, and enhance the Framework
- The Framework remains flexible, voluntary, and cost-effective
- The update is fully compatible with V1.0
- Updates were derived from feedback NIST received since publication of Cybersecurity Framework Version 1.0
- A 90-day public comment period for the version 1.1 draft ended April 10th, 2017
- There will be a Workshop May 16-17, 2017 to continue discussion

Input to the Framework Update (Draft Cybersecurity Framework Version 1.1)

The update was based on feedback from the cybersecurity community, including:
- December 2015 request for information
- Lessons learned from Framework use
- Shared resources from industry partners
- April 2016 Cybersecurity Framework workshop
- Advances made in areas identified in the Roadmap issued with the Framework in February 2014

Major Themes from Inputs (Draft Cybersecurity Framework Version 1.1)

Several major themes were identified and considered during the update, which included:
- Strengthening authentication & identity management in the Framework Core
- Guidance for acquisition and supply chain risk management (SCRM)
- Methodology for measurement and generating metrics
- Clarity on Implementation Tiers and their relationship to Profiles

Cyber Supply Chain Risk Management (SCRM) Overview (Draft Cybersecurity Framework Version 1.1)
- The most notable changes in the draft update related to SCRM
- Section 3.3 now explains the role of SCRM in cybersecurity
- Multiple provisions were added, including a new category in the Framework Core

Implementation Tiers and Profiles (Draft Cybersecurity Framework Version 1.1)
- Additional language added on use of Framework Tiers to include prioritization within target Profile and to inform progress in addressing Profile gaps
- Language added to reflect integration of Framework considerations within organizational risk management programs
- Tiers have been expanded to include cyber SCRM considerations
- Figure 2.0 updated to include actions from the Framework Tiers

Identity Management (Draft Cybersecurity Framework Version 1.1)
- Language of the Access Control category refined to better account for authorization
- Subcategory on identity proofing (PR.AC-6) added to the Access Control category
- Access Control category renamed to Identity Management, Authentication and Access Control (PR.AC) to better represent the scope of the Category and its Subcategories

Cybersecurity Measurement (Draft Cybersecurity Framework Version 1.1)

Sections 4.0 and 4.1
- Correlation between business results and cybersecurity risk management outcomes
- Metrics versus measures
- Leading versus lagging

Section 4.2: Types of Cybersecurity Measurement
- Framework measurement provides a basis for strong, trusted relationships, both inside and outside of an organization

(Figure: measurement spans higher-level to lower-level. Implementation Tiers cover process behaviors, the Core covers outcomes, and Informative References cover practices; management-level measurement uses metrics on process behaviors and outcomes, technical-level measurement uses measures on practices.)

Resources: Where to Learn More and Stay Current
- Framework for Improving Critical Infrastructure Cybersecurity and related news, information: www.nist.gov/cyberframework
- Additional cybersecurity resources: http://csrc.nist.gov/
- Questions, comments, ideas: cyberframework@nist.gov