The Confluence of Physical and Cyber Security Management

Similar documents
Evaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure

National Cyber Incident Response - Architectural Concepts

Energy Assurance Plans

Why you should adopt the NIST Cybersecurity Framework

Goal-Based Assessment for the Cybersecurity of Critical Infrastructure

Defining Computer Security Incident Response Teams

*** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS ***

Software, Security, and Resiliency. Paul Nielsen SEI Director and CEO

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com

Cyber Hygiene: A Baseline Set of Practices

Information Security Is a Business

Bradford J. Willke. 19 September 2007

CERT Overview. Jeffrey J. Carpenter 2008 Carnegie Mellon University

Critical Infrastructure

Using CERT-RMM in a Software and System Assurance Context

Critical Infrastructure Assessment

The Need for Operational and Cyber Resilience in Transportation Systems

University of Pittsburgh Security Assessment Questionnaire (v1.7)

The NIST Cybersecurity Framework

About Issues in Building the National Strategy for Cybersecurity in Vietnam

Julia Allen Principal Researcher, CERT Division

INTELLIGENCE DRIVEN GRC FOR SECURITY

Critical Infrastructure Resilience

The CERT Top 10 List for Winning the Battle Against Insider Threats

Business Continuity: How to Keep City Departments in Business after a Disaster

Critical Infrastructure Sectors and DHS ICS CERT Overview

Next Generation Policy & Compliance

Critical Resilient Interdependent Infrastructure Systems and Processes

Dr. Stephanie Carter CISM, CISSP, CISA

National Policy and Guiding Principles

Critical Infrastructure Protection for the Energy Industries. Building Identity Into the Network

Building A Disaster Resilient Quebec

Industry role moving forward

PD 7: Homeland Security Presidential Directive 7: Critical Infrastructure Identification, Prioritization, and Protection

Information Technology Security Plan Policies, Controls, and Procedures Identify Risk Assessment ID.RA

CRITICAL INFRASTRUCTURE AND KEY RESOURCES

NIST Security Certification and Accreditation Project

ITG. Information Security Management System Manual

FFIEC Cyber Security Assessment Tool. Overview and Key Considerations

Continuous protection to reduce risk and maintain production availability

Advancing Cyber Intelligence Practices Through the SEI s Consortium

Top 10 ICS Cybersecurity Problems Observed in Critical Infrastructure

John Snare Chair Standards Australia Committee IT/12/4

Dr. Emadeldin Helmy Cyber Risk & Resilience Bus. Continuity Exec. Director, NTRA. The African Internet Governance Forum - AfIGF Dec 2017, Egypt

THE POWER OF TECH-SAVVY BOARDS:

Certified Information Security Manager (CISM) Course Overview

Professional in Critical Infrastructure Protection

The Common Controls Framework BY ADOBE

Cyber COBIT. Ophir Zilbiger, CEO SECOZ Shay Zandani, CEO CyberARM. December 2013

Medical Device Cybersecurity: FDA Perspective

STRATEGY ATIONAL. National Strategy. for Critical Infrastructure. Government

CCISO Blueprint v1. EC-Council

Overview of NIPP 2013: Partnering for Critical Infrastructure Security and Resilience October 2013

Critical Information Infrastructure Protection Law

CRITICAL INFRASTRUCTURE AND CYBER THREAT CRITICAL INFRASTRUCTURE AND CYBER THREAT

How to get the Enterprise to Understand the Value of Security

NHS Gloucestershire Clinical Commissioning Group. Business Continuity Strategy

CYBERSECURITY FOR STARTUPS AND SMALL BUSINESSES OVERVIEW OF CYBERSECURITY FRAMEWORKS

HPH SCC CYBERSECURITY WORKING GROUP

Researching New Ways to Build a Cybersecurity Workforce

Altius IT Policy Collection Compliance and Standards Matrix

Dr. Kenneth E. Nidiffer Director of Strategic Plans for Government Programs

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers

Office of Infrastructure Protection Overview

EMERGENCY SUPPORT FUNCTION (ESF) 13 PUBLIC SAFETY AND SECURITY

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

Information Technology General Control Review

Accelerate Your Enterprise Private Cloud Initiative

For providing decision support on climate stressors to infrastructure and assets for federal, state, local, and private clients...

Components and Considerations in Building an Insider Threat Program

Appendix A. Syllabus. NIST Cybersecurity Foundation. Syllabus. Status: First Draft

Security and Privacy Governance Program Guidelines

The Insider Threat Center: Thwarting the Evil Insider

Introduction to Business Continuity Management

Altius IT Policy Collection Compliance and Standards Matrix

Cybersecurity Auditing in an Unsecure World

THE WHITE HOUSE. Office of the Press Secretary. EMBARGOED UNTIL DELIVERY OF THE PRESIDENT'S February 12, 2013 STATE OF THE UNION ADDRESS

Mapping Your Requirements to the NIST Cybersecurity Framework. Industry Perspective

Rethinking Cybersecurity from the Inside Out

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

The NIS Directive and Cybersecurity in

ITG. Information Security Management System Manual

ISSMP is in compliance with the stringent requirements of ANSI/ISO/IEC Standard

LESSONS LEARNED IN SMART GRID CYBER SECURITY

BPS Suite and the OCEG Capability Model. Mapping the OCEG Capability Model to the BPS Suite s product capability.

Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations (NIST SP Revision 1)

01.0 Policy Responsibilities and Oversight

State of Security Operations

Long-Term Power Outage Response and Recovery Tabletop Exercise

TAN Jenny Partner PwC Singapore

Ingram Micro Cyber Security Portfolio

Integrating Cyber Security with Business Continuity Management to Build the Resilient Enterprise

Are Traditional Disaster Recovery Plans Still Relevant? Bobby Williams, MBCP, MBCI Director, IT Resiliency Planning Fidelity Investments

locuz.com SOC Services

THE LINK BETWEEN ENTERPRISE RISK MANAGEMENT AND DISASTER MANAGEMENT

Drinking Water Emergency Management Ministry of the Environment 2012 Drinking Water Leadership Summit October 25, 2012

NIST Special Publication

TIPS FOR FORGING A BETTER WORKING RELATIONSHIP BETWEEN COUNSEL AND IT TO IMPROVE CYBER-RESPONSE

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

ISO/IEC INTERNATIONAL STANDARD. Information technology Security techniques Information security risk management

Transcription:

The Confluence of Physical and Cyber Security Management GOVSEC 2009 Samuel A Merrell, CISSP James F. Stevens, CISSP 2009 Carnegie Mellon University

Today s Agenda: Introduction Risk Management Concepts Confluence of Physical and Cyber Security Adopting a Service View A Service View for Critical Infrastructure Next steps 2

Software Engineering Institute U.S. DoD Office of the Under Secretary (Research and Engineering) sponsor (FFRDC*) CERT Program Cyber Threat and Vulnerability Analysis Enterprise and Workforce Development Survivable Secure Network Software and Systems Technology Digital Forensics Survivable Enterprise Management Practices Development & Training 3

CERT Capabilities Technology Organizations Community Networks (Sensors and Analysis) Software (Artifact Analysis) Systems (Forensics) Work Force Development (Training) Threat and Incident Management Resiliency Engineering and Management (Risk) National CSIRTs Software Assurance Vulnerability Disclosure 4

Resiliency Engineering and Management Resiliency Engineering and Management (REM) develops, deploys, and institutionalizes tools, techniques, methods, and training that advance organizational capabilities for governing and managing operational resiliency and risk for critical assets (such as information and infrastructure) and services 5

REM Research Focus REM work aligned along four focus areas: Resiliency Engineering Information Resiliency Critical Infrastructure Resiliency Governance, Risk & Compliance 6

Today s Agenda: Introduction Risk Management Concepts Confluence of Physical and Cyber Security Adopting a Service View A Service View for Critical Infrastructure Next steps 7

Risk A risk is the possibility of incurring a loss or harm For risk to exist in any circumstance, the following three conditions must be satisfied There must be a loss associated with the situation ti There must be some uncertainty with respect to the eventual outcome Some choice or decision is required 8

The Basic Risk Equation 9

Risk Mitigation Options Risk Assumption. To accept the potential risk and continue operating the IT system or to implement controls to lower the risk to an acceptable level Risk Avoidance. To avoid the risk by eliminating the risk cause and/or consequence Risk Limitation. To limit the risk by implementing controls that minimize the adverse impact of a threat's exercising a vulnerability Risk Planning. To manage risk by developing a risk mitigation plan that prioritizes, implements, and maintains controls Research and Acknowledgment. To lower the risk of loss by acknowledging the vulnerability or flaw and researching controls to correct the vulnerability Risk Transference. To transfer the risk by using other options to compensate for the loss 10

Residual and Acceptable Risk Residual risk is the potential for the occurrence of an adverse event after adjusting for the effectiveness and impact of all implemented security measures (controls) Acceptable risk is the level of residual risk that has been determined to be a reasonable level of potential loss/disruption to a system or organization 11

A Risk Management Process Identify Control Analyze Monitor Plan Implement 12

Diverse Risks To Be Managed Financiali Relationship Operational Organizational Risks Regulatory Market 13

Security and Operational Risk Managing firewall rule-sets Installing fences around facilities Limiting access to intellectual property or confidential information Developing business continuity and disaster recovery plans The aim of these security activities, both physical and cyber, is ultimately t l to manage operational risk 14

Focus on Operational Risk A form of hazard risk affecting day-to-day business operations The potential failure to achieve mission objectives Operational risk is defined as the risk of loss resulting gfrom inadequate or failed internal processes, people, and systems, or from external events. --Basel II Capital Accords 15

Scope of Operational Risk is Vast Actions of people Systems & technology failures Failed internal processes External events Tech reliance Global economy Open boundaries Complexity Cultural shifts 16

Today s Agenda: Introduction Risk Management Concepts Confluence of Physical and Cyber Security Adopting a Service View A Service View for Critical Infrastructure Conclusion 17

Physical Security - Yesterday 18

Cyber Security - Yesterday 19

Silos of Responsibility 20

Today - Confluence 21

The Risk Management Challenge The convergence of physical and cyber security has rapidly expanded the threat environment that must be managed Limited organizational resources are available for security activities Ensure that t those limited it resources are effectively and efficiently deployed 22

Human sacrifice, dogs and cats living together... mass hysteria! Dr. P. Venkman 23

A Structured Approach 24

Shifting Security Paradigms Yesterday Today Scope: Security Operational Ownership: Focus: Driver: Execution: Goal: IT and Physical Discrete External Platform/practice IT and Physical security Enterprise Continuous Internal Process Enterprise resilience 25

An Integrated View of Security Physical Security Cyber Security Others 26

A Fresh Look at Security Management Operational risks must be managed within a program that can adapt to a dynamic environment this requires active mitigation of all identified risks, regardless of their nature (e.g., cyber or physical) http://en.wikipedia.org/wiki/file:pittsburgh_view-from-incline_sm.jpg 27

Today s Agenda: Introduction Risk Management Concepts Confluence of Physical and Cyber Security Adopting a Service View A Service View for Critical Infrastructure Conclusion 28

Current Approaches to Security Management Security by compliance FISMA HIPAA PCI Security by adoption of best practices ISO 17799 DISA STIGs Vendor guides Result: Uneven use of limited resources 29

Enterprise Perspective An enterprise view of risk Enables risk mitigation decisions that effectively deploy limited resources Integrates with enterprise architecture approaches to security management NIST SP 800-39 s Risk Executive Incorporates I t physical and cyber security management 30

Assets of an Organization Assets 31

Assets Support Business Processes Business Processes Assets 32

Business Processes Support Services Services Business Processes Assets 33

Services Support the Mission Organizational X Mission Service 1 Service N X Mission Mission X Service X Mission People X Information Technology Facilities 34

Step 1: Understand Your Services Formally identify the services that your organization must deliver in order to accomplish its mission Ask what are the core competencies of the organization? Often, business units are divided along these lines Manufacturing Operations Sales and Marketing Finance Compliance Research and Development Customer Service 35

Operational Risks to Service Delivery Risks to service delivery are what organizations need to care about These risks arise from both physical and cyber threats, therefore, both of these risks need to be mitigated efficiently and effectively Physical and cyber protection strategies for assets can be engineered and evaluated in terms of their ability to best ensure the service 36

Benefits of Adopting a Service View Align the protection and sustainment strategies to the organization s mission Engineer a unified approach to mitigating risks Evaluate protection strategies for effectiveness in protecting the mission Ensure efficiencies in the application of limited resources 37

Engineer a Unified Approach to Mitigating Risks-1 38

Engineer a Unified Approach to Mitigating Risks-2 39

Select Effective Protection Strategies Business Services 40

Ensure Efficiencies Maximize use of limited resources by incorporating the disciplines of physical and cyber security What works best for your environment: a guard at a post, an automated intrusion detection system, or both? 41

Step 2: Define Service Requirements What are the needs of the services that you have identified? Customer Service is available between 9:00 am and 5:00 pm This monitoring system must operate 24 x 7 42

Step 3: Map Assets to Services Service: Loan Operations Process: Account Opening Process: Account Maintenance Bank Tellers IBM AS/400 Loan Officers Loan Account Database Corporate Headquarters 43

Identifying Interdependencies 44

Step 4: Define Resiliency Requirements Service: Loan Operations Process: Account Opening Process: Account Maintenance Confidentiality Loan Account data may be viewed only by Loan Officers, account servicing staff, and Customer Service. Integrity Maintenance of Loan accounts may be made only by tellers, or Loan officers. Deletions of existing Loan Account information may be made only by a Loan Officer. Availability Loan Accounts must be available during normal banking hours (9:00 am to 5:00 pm, Monday through Thursday, 9:00 am to 7:00 pm Friday, and 10:00 am to 1:00 pm on Saturdays). 45

Step 5: Assess Risk to the Service Risks to service delivery are what organizations need to care about Identify how assets are exposed to conditions that can lead to service interruption Ensure that all possible vectors of threat are considered both physical and cyber 46

Step 6: Develop an Integrated Mitigation Strategy 47

Step 7: Monitor for Change Maintain vigilance in monitoring for changes in the operating environment. Ensure that changes do not introduce new risks. 48

Enterprise Perspective for Risk Management 1. Define enterprise services 2. Identify Impact Evaluation Criteria 3. Map assets to services 4. Define resiliency requirements for assets using the needs of the services 5. Assess risks to the reliable delivery of the service 6. Develop an integrated (using disciplines of physical and cyber security) approach effectively mitigate identified risks 7. Monitor for changes in the environment 49

Today s Agenda: Introduction Confluence of Physical and Cyber Security Risk Management Concepts Adopting a Service View A Service View for Critical Infrastructure Conclusion 50

Critical Infrastructure Protection 51

X Agriculture and Food Banking and Finance Chemical Commercial Facilities Commercial Nuclear Reactors, Materials, and Waste Dams Defense industrial i base Drinking Water and Water Treatment Systems Emergency Services Energy egy Government Facilities Information Technology Manufacturing National Monuments and Icons Postal and Shipping Public Health and Healthcare Telecommunications Transportation Systems 18 U.S. Critical Infrastructure Sectors Services 52

Critical Infrastructure Asset Identification Old MacDonald s Petting Zoo, Alabama http://www.oldmacdonaldspettingzoo.com World s Largest Ball of Sisal Twine, Ks http://skyways.lib.ks.us/towns/cawker/twine.html 53

NERC s Struggle with Asset Identification NERC s CIP standards NERC has robust physical security requirements N-1 and N-1-1 contingencies Currently having difficulty in identifying critical infrastructure assets Some BES organizations claim to operate no critical infrastructure 54

Managing Sector Risks Sector Service ` Sector Member Business Service 55

Energy XSector Mission BES Function 1 BES Function N X Mission Accomplishment Mission X X BES Mission People X Information Technology Facilities 56

Benefits of Adopting a Service View Connect protection and sustainment strategies to the sector s mission Risks can be defined in terms of service delivery Impact evaluation criteria can be identified Physical and cyber protection strategies for assets can be engineered and evaluated in terms of their ability to best ensure the service 57

Connect to the Mission of the Sector The requirements of the organization s contribution to the sector service are the basis for resiliency requirements for assets 58

Select Effective Protection Strategies Critical Infrastructure Services 59

Resiliency Requirements Connect requirements for Critical Infrastructure Services to a sector member s contribution to that service Establish service delivery requirements for that contribution Implement controls to effectively and efficiently meet the requirements. 60

Recognize Dependencies http://science.nasa.gov/headlines/y2009/21jan_severespaceweather.htm 61

Critical Infrastructure Risk Management 1. Define sector services 2. Identify service requirements 3. Map assets to how an organization contributes to sector services 4. Define resiliency requirements for assets using the needs of the services 5. Assess risks to the reliable delivery of the service 6. Engineer an integrated (using disciplines of physical and cyber security) approach effectively mitigate identified risks 7. Monitor for changes in the environment 62

Today s Agenda: Introduction Confluence of Physical and Cyber Security Risk Management Concepts Adopting a Service View A Service View for Critical Infrastructure Conclusion 63

Summary and Conclusion Adopt a structured approach to identify services Use business rules to define resiliency requirements Assess risks to assets that will affect reliable service delivery Engineer protection strategies to ensure infrastructure resiliency Continuously monitor for changes http://www.3planesoft.com/img/clock_screen01.jpg 64

CERT Resiliency Management Model http://www.cert.org/resiliency The CERT Resiliency Management Model is a capability model for operational resiliency management. It has two primary objectives: Establish the convergence of operational risk and resiliency management activities such as security, business continuity, and aspects of IT operations management into a single model. Apply a process improvement approach to operational resiliency management through the definition and application of a capability level scale that expresses increasing levels of process improvement. 65

Contact Us Contact Information Speakers Samuel Merrell e-mail: smerrell@cert.org James Stevens e-mail: jfs@cert.org Phone 412-268-5800 (8:30 a.m. - 4:30 p.m. EST) Web http://www.cert.org Postal Mail Software Engineering Institute ATTN: Customer Relations Carnegie Mellon University Pittsburgh, PA 15213-3890 66

Questions? 67

Notices Copyright 2009 Carnegie Mellon University. NO WARRANTY THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. Use of any trademarks in this report is not intended in any way to infringe on the rights of the trademark holder. Internal use. Permission to reproduce this document for internal use is granted, provided the copyright and "No Warranty" statements are included with all reproductions. Requests for permission to prepare derivative works of this document for internal use should be addressed to the SEI Licensing Agent. External use. Requests for permission to reproduce this document or prepare derivative works of this document for external and commercial use should be addressed to the SEI Licensing Agent. 68

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback