Executive Order 13636 & Presidential Policy Directive 21
Ed Goff, Duke Energy
Melanie Seader, EEI
Agenda
1. Executive Order 13636
2. Presidential Policy Directive 21
3. National Infrastructure Protection Plan
4. Cybersecurity Framework
5. EEI member consensus input
Executive Order 13636, Improving Critical Infrastructure Cybersecurity, directs the Executive Branch to:
- Develop a technology-neutral cybersecurity framework (NIST)
- Promote and incentivize the adoption of cybersecurity practices
- Increase the volume, timeliness, and quality of cyber threat information sharing
- Incorporate strong privacy and civil liberties protections
- Explore the use of existing regulation to promote cybersecurity
Presidential Policy Directive 21 (PPD-21), Critical Infrastructure Security and Resilience, directs the Executive Branch to:
- Develop a near-real-time cyber and physical critical infrastructure situational awareness capability
- Evaluate and mature the public-private partnership
- Update the National Infrastructure Protection Plan
- Develop a comprehensive research and development plan
DHS Integrated Task Force, 8 Working Groups:
1. Stakeholder Engagement
2. Cyber-Dependent Infrastructure Identification
3. Planning and Evaluation (NIPP Update)
4. Situational Awareness and Information Exchange
5. Incentives
6. Cybersecurity Framework (CSF) Collaboration with NIST
7. Assessments: Privacy and Civil Rights and Civil Liberties
8. Research and Development
National Infrastructure Protection Plan (NIPP) Update
Working draft of the National Infrastructure Protection Plan:
- Focuses on the critical infrastructure partnership to improve security and resilience
- Encourages partnership to improve information sharing and risk-based decision making
- Provides a risk management process
- Final comments due September 20
Concern: too detailed for a plan at this level; overlapping concepts with the Sector-Specific Plan and the new Cybersecurity Framework.
Cybersecurity Framework
NIST must publish a preliminary version of the Cybersecurity Framework within 240 days (i.e., by October 10, 2013); the final version is due by February 12, 2014.
4 Workshops:
1. April 3, Washington, D.C.
2. May 29-31, Pittsburgh, PA
3. July 10-12, San Diego, CA
4. September 11-13, Dallas, TX
How will the CSF be developed?
Cybersecurity Framework Discussion Draft, posted August 28, 2013
3 parts of the Framework:
- Core
- Implementation Tiers
- Profiles (Current and Target)
Incorporates risk management, but does not define a process. Identifies areas for improvement.
Concern: too prescriptive for a Framework meant to apply to all sectors. The ES-C2M2 is thought to meet the intent of the CSF, but the latest draft does not make this clear.
How to Use the Framework
Establish or improve a cybersecurity program:
1. Make organization-wide decisions
2. Establish a Target Profile
3. Establish a Current Profile
4. Compare Target and Current Profiles
5. Implement the Target Profile
Also: communicate cybersecurity requirements with stakeholders; identify gaps.
Framework Profile
- A selection of the Functions, Categories, and Subcategories aligned with business requirements, risk tolerance, and organizational resources
- Does not provide Target Profile templates, nor identify Tier requirements
- Gaps between the Current and Target Profiles allow creation of a roadmap to reduce cybersecurity risk
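The profile steps above (establish Target, establish Current, compare, turn the gaps into a roadmap) are easy to describe and easy to get wrong in practice, so the following is an added illustration of the comparison, not material from the slides or from NIST. It assumes the five Core Functions of the discussion draft (Identify, Protect, Detect, Respond, Recover), a simple 0-3 achievement level per subcategory (an assumption for illustration; the draft's Tiers describe the organization as a whole, not individual subcategories), and two constructed profiles for a hypothetical utility whose subcategory wording is illustrative rather than the draft's own identifiers. The Target Profile defines scope: a subcategory the target selects but the current assessment never covered is treated as level 0, and one the target omits is ignored even if implemented today.

```python
"""Current-vs-Target Framework Profile gap analysis (added illustration)."""
from dataclasses import dataclass

# Assumed Core Functions (the discussion draft's five); an assumption here.
FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")
# Assumed per-subcategory achievement scale: 0 = not implemented, 3 = fully
# implemented and reviewed.
LEVELS = (0, 1, 2, 3)

# Constructed sample profiles for a hypothetical utility. Keys are
# (Function, subcategory); the subcategory names are illustrative only.
CURRENT_PROFILE = {
    ("Identify", "Hardware asset inventory"): 2,
    ("Identify", "Software asset inventory"): 1,
    ("Protect", "Remote access control"): 1,
    ("Protect", "Patch management"): 2,
    ("Detect", "Network monitoring"): 0,
    ("Respond", "Incident response plan"): 2,
    ("Respond", "Information sharing with partners"): 1,
    ("Recover", "Recovery plan testing"): 1,
}

TARGET_PROFILE = {
    ("Identify", "Hardware asset inventory"): 3,
    ("Identify", "Software asset inventory"): 3,
    ("Protect", "Remote access control"): 3,
    ("Protect", "Patch management"): 2,        # already at target: no gap
    ("Detect", "Network monitoring"): 2,
    ("Detect", "Anomaly detection"): 2,        # never assessed in the current profile
    ("Respond", "Incident response plan"): 3,
    ("Respond", "Information sharing with partners"): 2,
    ("Recover", "Recovery plan testing"): 2,
}


@dataclass(frozen=True)
class Gap:
    function: str
    subcategory: str
    current: int
    target: int

    @property
    def size(self) -> int:
        return self.target - self.current


def validate_profile(profile: dict[tuple[str, str], int]) -> None:
    """Reject unknown Functions or out-of-range levels before comparing."""
    for (function, subcategory), level in profile.items():
        if function not in FUNCTIONS:
            raise ValueError(f"unknown function {function!r} for {subcategory!r}")
        if level not in LEVELS:
            raise ValueError(f"level {level!r} for {subcategory!r} not in {LEVELS}")


def compare_profiles(current: dict[tuple[str, str], int],
                     target: dict[tuple[str, str], int]) -> list[Gap]:
    """Step 4: compare the Current and Target Profiles subcategory by subcategory.

    Subcategories selected by the Target but absent from the Current Profile
    count as level 0; subcategories the Target omits are out of scope.
    """
    validate_profile(current)
    validate_profile(target)
    gaps = []
    for (function, subcategory), want in target.items():
        have = current.get((function, subcategory), 0)
        if want > have:
            gaps.append(Gap(function, subcategory, have, want))
    return gaps


def build_roadmap(gaps: list[Gap]) -> list[Gap]:
    """Order gaps for the roadmap: largest shortfall first, then Function order
    (Identify before Protect before Detect ...), then subcategory name."""
    return sorted(gaps, key=lambda g: (-g.size, FUNCTIONS.index(g.function), g.subcategory))


def summarize_by_function(gaps: list[Gap]) -> dict[str, int]:
    """Roll the gap sizes up per Function for the executive/stakeholder view."""
    summary = {function: 0 for function in FUNCTIONS}
    for gap in gaps:
        summary[gap.function] += gap.size
    return summary


if __name__ == "__main__":
    plan = build_roadmap(compare_profiles(CURRENT_PROFILE, TARGET_PROFILE))
    for gap in plan:
        print(f"{gap.function:<9} {gap.subcategory:<36} "
              f"{gap.current} -> {gap.target} (gap {gap.size})")
    print(summarize_by_function(plan))
```

The per-Function roll-up is the part an executive audience actually sees; the ordered list is what the security team works from. Keeping the two profiles as plain data also makes the "regularly updates profile" behaviour of the higher Tiers a matter of re-running the comparison after each revision.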
Framework Core Subcategories: Informative References
- ISA 99.02.01
- COBIT
- ISO/IEC 27001
- NIST SP 800-53
- CCS Top 20 Critical Security Controls
For an Electricity Subsector (ES) profile:
- ES-C2M2
- RMP
- NERC CIP
Implementation Tiers
- Tier 0, Partial: no formal, threat-aware risk management process; implementing portions of the Framework
- Tier 1, Risk-Informed: formal, threat-aware risk management process; staff has adequate cybersecurity resources
- Tier 2, Repeatable: regularly updates its profile to respond to the changing cybersecurity landscape; understands dependencies and partners
- Tier 3, Adaptive: updates its profile based on predictive indicators to actively adapt to the changing cybersecurity landscape; actively shares information with partners
Areas for Improvement
EO 13636 directs NIST to identify areas for improvement that should be addressed through future collaboration with particular sectors and standards-developing organizations. Based on stakeholder input, NIST identified the following areas for improvement:
- Supply chains and interdependencies
- Privacy
- Conformity assessment
- International aspects, impacts, and alignment
- Data analytics
- Automated indicator sharing
EEI Member Consensus Input
- EEI encourages NIST to develop a high-level framework focused on cybersecurity practices that can be applied across all 16 critical infrastructure sectors.
- EEI encourages NIST to keep the framework flexible enough to allow entities to use existing processes, standards, and guidance, to avoid time-consuming and unnecessary duplication of cybersecurity efforts.
- EEI encourages NIST to incorporate a flexible risk management process to keep the framework's cybersecurity practices at a high level and engage executive leadership.
- EEI encourages NIST to consider who is providing input to the Framework process when developing the framework.
Questions from NIST
How can the Preliminary Framework:
- Adequately define outcomes that strengthen cybersecurity and support business objectives?
- Enable cost-effective implementation?
- Appropriately integrate cybersecurity risk into business risk?
- Provide the tools for senior executives and boards of directors to understand risks and mitigations at the appropriate level of detail?
- Provide sufficient guidance and resources to aid businesses of all sizes while maintaining flexibility?
Questions from NIST
Will the Discussion Draft:
- Be inclusive of, and not disruptive to, effective cybersecurity practices in use today?
- Enable organizations to incorporate threat information?
Is the Discussion Draft:
- Presented at the right level of specificity?
- Sufficiently addressing unique privacy and civil liberties needs for critical infrastructure?
References
- Executive Order 13636: http://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity
- PPD-21: http://www.whitehouse.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil
- NIST Cybersecurity Framework: http://www.nist.gov/itl/cyberframework.cfm