Framework for Improving Critical Infrastructure Cybersecurity
Implementation of Executive Order 13636 and Risk Approach
June 9, 2016
cyberframework@nist.gov
Executive Order: Improving Critical Infrastructure Cybersecurity

"It is the policy of the United States to enhance the security and resilience of the Nation's critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties."
President Barack Obama, Executive Order 13636, Feb. 12, 2013

- The National Institute of Standards and Technology (NIST) was directed to work with stakeholders to develop a voluntary framework for reducing cyber risks to critical infrastructure.
- Version 1.0 of the Framework was released on Feb. 12, 2014, along with a roadmap for future work.
- To allow time for adoption, a Framework version 2.0 was not, and still is not, planned for the near term.
April 2016 Workshop plots evolution of NIST Cybersecurity Framework

- A Dell survey published in Dec 2015 states that 82% of the federal IT security employees surveyed are using sections of the Framework within their own cybersecurity programs, with 53% using the entire guide. Of those using the Framework, 74% state it is used as a foundation for their cybersecurity roadmap, helping to improve organizational security; it is simply good policy, no matter which sector is moving to embrace it.
- NIST posted a Request For Information in Dec 2015, seeking to learn from the private sector how organizations are sharing the Framework's best practices, which parts of the Framework are used more than others, and which sections need to be updated.
- The diversity of the 105 organizations that responded surprised NIST, given that the Framework was originally geared toward protecting critical infrastructure. Submitted comments ranged from aerospace company Boeing to telecom giant AT&T, to the likes of Microsoft, and to trade groups such as CompTIA and NASCIO.
- The April 2016 workshop concluded that there are opportunities to make small changes, clarifications, and perhaps to expand some areas, but not to produce a version 2.0.
The Framework in a Nutshell

- A guide to ensuring you include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks.
- Provides a prioritized, flexible, repeatable, performance-based approach to help owners and operators of critical infrastructure identify, assess, and manage cyber risk.
- Identifies areas for improvement to be addressed through future collaboration with particular sectors and standards-developing organizations.
- Is consistent with voluntary international standards (more later in the presentation).
Key Points about the Cybersecurity Framework

- It's a framework, not a prescription. It provides a common language and systematic methodology for managing cyber risk. It does not tell a company how much cyber risk is tolerable, nor does it claim to provide the one and only formula for cybersecurity.
- Having a common lexicon to enable action across a very diverse set of stakeholders will enable the best practices of elite companies to become standard practices for everyone.
- The Framework is a living document. It is intended to be updated over time as stakeholders learn from implementation, and as technology and risks change. That's one reason why the Framework focuses on questions an organization needs to ask itself to manage its risk. While practices, technology, and standards will change over time, principles will not.
Framework Core

When considered together, these Functions provide a high-level, strategic view of the life cycle of an organization's management of cybersecurity risk.

- What assets need protection?
- What safeguards are available?
- What techniques can identify incidents?
- What techniques can contain the impacts of incidents?
- What techniques can restore capabilities?
Framework Core Excerpt (table with columns: Function, Category, Subcategory, Informative References)
Establish or Improve a Cybersecurity Program

Step 1: Prioritize and Scope. Requests that organizations scope and prioritize business/mission objectives and high-level organizational priorities. This information allows organizations to make strategic decisions regarding the scope of systems and assets that support the selected business lines or processes within the organization.

Step 2: Orient. Provides organizations an opportunity to identify threats to, and vulnerabilities of, the systems identified in the Prioritize and Scope step.

Step 3: Create a Current Profile. Identifies the requirement to define the current state of the organization's cybersecurity program by establishing a current state profile.

Step 4: Conduct a Risk Assessment. Allows organizations to conduct a risk assessment using their currently accepted methodology. The information from this step is used in Step 5.

Step 5: Create a Target Profile. Allows organizations to develop a risk-informed target state profile. The target state profile focuses on the assessment of the Framework Categories and Subcategories describing the organization's desired cybersecurity outcomes.

Step 6: Determine, Analyze, and Prioritize Gaps. Organizations conduct a gap analysis to determine opportunities for improving the current state. The gaps are identified by overlaying the current state profile with the target state profile.

Step 7: Implement Action Plan. After the gaps are identified and prioritized, the required actions are taken to close the gaps and work toward obtaining the target state.
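Steps 3, 5, 6 and 7 above can be worked through as data. This is an added example, not material from the NIST deck: the implementation-level scale, the business priorities per Function, and the Subcategory levels are constructed sample values (the identifiers only follow the Framework Core's Function.Category-number naming pattern).

```python
"""Steps 3, 5 and 6 of the program-improvement cycle as data: a Current
Profile, a Target Profile, and the gap analysis that overlays them.
Added example; levels, priorities and subcategory ids are constructed."""
from dataclasses import dataclass
from typing import Dict, List

# Implementation level per Subcategory, 0 (absent) .. 4 (fully managed).
# The slide fixes no scale, so this scale is our assumption.
Profile = Dict[str, int]


@dataclass(order=True)
class Gap:
    priority_score: int   # larger = close first
    subcategory: str
    current: int
    target: int


def gap_analysis(current: Profile, target: Profile,
                 business_priority: Dict[str, int]) -> List[Gap]:
    """Step 6: overlay the Current Profile on the Target Profile.

    A gap exists where the target level exceeds the current level. Gaps are
    ranked by gap size x business priority of the Subcategory's Function,
    our assumption for how Step 1's priorities feed Step 6.
    """
    gaps = []
    for subcat, want in target.items():
        have = current.get(subcat, 0)        # not in current profile = 0
        if want > have:
            function = subcat.split(".")[0]  # "PR.AC-1" -> "PR"
            weight = business_priority.get(function, 1)
            gaps.append(Gap((want - have) * weight, subcat, have, want))
    return sorted(gaps, reverse=True)


def action_plan(gaps: List[Gap]) -> List[str]:
    """Step 7 input: Subcategories in the order they should be closed."""
    return [g.subcategory for g in gaps]


if __name__ == "__main__":
    current = {"ID.AM-1": 3, "PR.AC-1": 1, "DE.CM-1": 0, "RS.RP-1": 2}
    target = {"ID.AM-1": 3, "PR.AC-1": 4, "DE.CM-1": 3, "RS.RP-1": 3}
    priority = {"ID": 1, "PR": 3, "DE": 2, "RS": 2}   # from Step 1
    for g in gap_analysis(current, target, priority):
        print(f"{g.subcategory}: {g.current} -> {g.target} ({g.priority_score})")
```

A Subcategory present in the target but missing from the current profile counts as a gap from level 0, which is how a newly scoped asset class (Step 1) surfaces in the action plan.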
Ongoing Risks and Controls
Controls That Feed Risk Management
The Process Flow
An Easy Approach to Ratings

A simplified risk rating guideline:

To assess likelihood, rate four factors:
- Skill (1 = high skill, 5 = low skill)
- Ease of access (1 = very difficult, 5 = very simple)
- Incentive (1 = low, 5 = high)
- Resource (1 = expensive and rare equipment, 5 = little resource)

Likelihood overall is the highest individual rating: Rare, Unlikely, Possible, Likely, Almost Certain.

Impact index is rated relative to the Information Asset Profile:
- Insignificant (minor impact absorbed as part of daily activity)
- Minor (absorbed at Group level; at least one Low CIA)
- Moderate (absorbed at Business Unit level; Medium CIA)
- Major (absorbed at Corp; at least one High CIA)
- Catastrophic (absorbed at Corp; multiple High CIA)
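The rating guideline above, carried through in code. This is an added example, not part of the NIST deck: the mapping from an asset's C/I/A levels to the impact index is our reading of the slide, the likelihood x impact product is our assumption (the slide gives no combination rule), and the threat and asset values are constructed.

```python
"""The simplified risk rating from the slide: likelihood is the highest of the
four 1..5 factor ratings; impact is read off the Information Asset Profile's
CIA levels. Added example; threat and asset values are constructed."""
from typing import Dict, Tuple

LIKELIHOOD = {1: "Rare", 2: "Unlikely", 3: "Possible",
              4: "Likely", 5: "Almost Certain"}
IMPACT = {1: "Insignificant", 2: "Minor", 3: "Moderate",
          4: "Major", 5: "Catastrophic"}


def likelihood(skill: int, ease_of_access: int,
               incentive: int, resource: int) -> Tuple[int, str]:
    """Each factor is rated 1..5 on the slide's scales (e.g. skill: 1 = high
    skill required, 5 = low skill). Overall likelihood is the highest rating."""
    factors = (skill, ease_of_access, incentive, resource)
    if not all(1 <= f <= 5 for f in factors):
        raise ValueError("each factor must be rated 1..5")
    index = max(factors)
    return index, LIKELIHOOD[index]


def impact(asset_profile: Dict[str, str]) -> Tuple[int, str]:
    """Map an asset's C/I/A classification to the slide's impact index.
    Our reading: two or more High CIA ratings -> Catastrophic, one High ->
    Major, any Medium -> Moderate, any Low -> Minor, else Insignificant."""
    levels = [asset_profile.get(k, "None") for k in ("C", "I", "A")]
    highs = levels.count("High")
    if highs >= 2:
        index = 5
    elif highs == 1:
        index = 4
    elif "Medium" in levels:
        index = 3
    elif "Low" in levels:
        index = 2
    else:
        index = 1
    return index, IMPACT[index]


def risk_rating(threat: Dict[str, int],
                asset_profile: Dict[str, str]) -> Dict[str, object]:
    """Combine the two indexes. The slide gives no combination rule, so the
    likelihood x impact product (1..25) is our assumption."""
    l_idx, l_name = likelihood(**threat)
    i_idx, i_name = impact(asset_profile)
    return {"likelihood": l_name, "impact": i_name, "score": l_idx * i_idx}
```

Because likelihood takes the highest single factor, one easy-to-access asset is rated Likely even when the other three factors are low; that is the conservative behaviour the slide's rule produces.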
The Complete Methodology
Thank you! Questions?
Resources: Where to Learn More and Stay Current

- The National Institute of Standards and Technology Web site is available at http://www.nist.gov
- The NIST Computer Security Division Computer Security Resource Center is available at http://csrc.nist.gov/
- The Framework for Improving Critical Infrastructure Cybersecurity and related news and information are available at www.nist.gov/cyberframework
- For additional Framework information and help: cyberframework@nist.gov