Working Draft Supplemental Tool: Connecting to the NICC and NCCIC Draft October 21, 2013


Supplemental Tool: Connecting to the NICC and NCCIC

"There shall be two national critical infrastructure centers operated by DHS, one for physical infrastructure and another for cyber infrastructure. They shall function in an integrated manner and serve as focal points for critical infrastructure partners to obtain situational awareness and integrated, actionable information to protect the physical and cyber aspects of critical infrastructure."
- Presidential Policy Directive 21, Critical Infrastructure Security and Resilience

Presidential Policy Directive 21 (PPD-21) highlights the role of the national physical and cyber coordinating centers in enabling successful critical infrastructure security and resilience outcomes. The National Cybersecurity and Communications Integration Center (NCCIC) and the National Infrastructure Coordinating Center (NICC) fulfill this Department of Homeland Security (DHS) responsibility within the critical infrastructure partnership. The NICC serves as a clearinghouse to receive and synthesize critical infrastructure information and provide that information back to decision makers at all levels inside and outside of government to enable rapid, informed decisions in steady state, heightened alert, and during incident response. The NCCIC is a round-the-clock information sharing, analysis, and incident response center focused on cybersecurity and communications, where government, private sector, and international partners share information and collaborate on response and mitigation activities to reduce the impact of significant incidents, enhance partners' security posture, and develop and issue alerts and warnings while creating strategic and tactical plans to combat future malicious activity.

An integrated analysis component works in coordination with both centers to contextualize and facilitate greater understanding of the information streams flowing through the two centers.

This supplement describes how partners throughout the critical infrastructure community (owner/operators, Federal partners, regional consortia, and State, local, tribal, and territorial governments) can connect to the NICC and NCCIC. It describes what information is desired by the centers and their partners, as well as how they protect and analyze that data to make timely and actionable information available to partners to inform prevention, protection, mitigation, response, and recovery activities. These centers, along with an integrated analysis function, build situational awareness across critical infrastructure sectors based on partner input and provide back information with greater depth, breadth, and context than the individual pieces from any individual partner or sector.

PPD-21 highlights the importance not just of what these centers can provide to the partnership, but of the multi-directional information sharing that enables them to build true situational awareness, stating:

"The success of these national centers, including the integration and analysis function, is dependent on the quality and timeliness of the information and intelligence they receive from the Sector-Specific Agencies (SSAs) and other Federal departments and agencies, as well as from critical infrastructure owners and operators and State, local, tribal, and territorial (SLTT) entities."

I. The Centers

The National Infrastructure Coordinating Center (NICC)

The NICC is the watch center component of the National Protection and Programs Directorate's (NPPD's) Office of Infrastructure Protection, the national physical infrastructure center as designated by the Secretary of Homeland Security, and an element of the National Operations Center (NOC). The NICC serves as the national focal point for critical infrastructure partners to obtain situational awareness and integrated actionable information to protect physical critical infrastructure. The mission of the NICC is to provide 24/7 situational awareness, information sharing, and unity of effort to ensure the protection and resilience of the Nation's critical infrastructure.

When an incident or event impacting critical infrastructure occurs that requires coordination between DHS and the owners and operators of critical infrastructure, the NICC serves as a national coordination hub to support the protection and resilience of physical critical infrastructure assets. Establishing and maintaining relationships with critical infrastructure partners both within and outside the Federal Government is at the core of the NICC's ability to execute its functions. The NICC collaborates with Federal departments and agencies and private sector partners to monitor potential, developing, and current regional and national operations of the Nation's critical infrastructure sectors.

The National Cybersecurity and Communications Integration Center (NCCIC)

The NCCIC is the lead cybersecurity and communications organization within DHS, and it serves as the national cyber critical infrastructure center designated by the Secretary of Homeland Security. The NCCIC applies analytic resources, generates shared situational awareness, and coordinates synchronized response, mitigation, and recovery efforts in the event of significant cyber or communications incidents. The NCCIC's mission includes leading the cyberspace protection efforts for Federal civilian agencies and providing cybersecurity support and expertise to State, local, international, and private sector critical infrastructure partners. The NCCIC fulfills this mission through trusted and frequent coordination with law enforcement, the Intelligence Community (IC), international Computer Emergency Readiness Teams, domestic Information Sharing and Analysis Centers (ISACs), and critical infrastructure partners to share information and collaboratively respond to incidents.

Information-Sharing Mechanisms

The centers share information with their constituents through a variety of mechanisms. Partners may connect directly to the centers but often receive NICC/NCCIC information through their respective SSAs or other parties such as regional consortia, ISACs, Fusion Centers, etc.

Online Resources (Web Portals and Public Internet)

- Homeland Security Information Network - Critical Infrastructure (HSIN-CI): HSIN-CI provides secure networked information sharing covering the full range of critical infrastructure interests. Validated critical infrastructure partners are eligible for HSIN-CI access.
  o The NICC posts content from a variety of internal and external sources that is available to all Critical Infrastructure (CI) partners, including incident situation reports, threat reports, impact modeling and analysis, common vulnerabilities, potential indicators, and protective measures.

  o The NICC combines current high-interest incidents and events on the HSIN-CI front page to enable easy access to relevant information.
  o Individual sectors and sub-sectors self-manage more specific portals within HSIN-CI where smaller communities of participants receive and share relevant information for their particular information needs.
  o HSIN-CI also includes capabilities to facilitate multiple types of information sharing and coordination, including suspicious activity reporting, webinars, shared calendars, etc.
  o To ensure broad sharing of essential information, the NICC also receives and provides information via other HSIN portals.
- United States Computer Emergency Readiness Team (US-CERT) and Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) portal: The NCCIC provides a secure, web-based, collaborative system to share sensitive cybersecurity prevention, protection, mitigation, response, and recovery information with validated private sector, government, and international partners. The NCCIC provides partners with access to two components of the secure portal, which hold information regarding cyber indicators, incidents, and malware digests for critical infrastructure systems:
  o The Cobalt Compartment serves as an information hub for enterprise systems security.
  o The Control System Compartment provides material on industrial control systems and is limited to control system asset owners/operators.
- US-CERT.gov: This publicly open website provides extensive vulnerability and mitigation information to partners around the world, including:
  o A Control Systems section containing Control Systems Advisories and reports of particular interest to critical infrastructure owners and operators.
  o A National Cyber Awareness System, which provides timely alerts, bulletins, tips, and technical documents for those who sign up.
  o Cybersecurity incident reporting, providing critical infrastructure partners with a secure means to report cybersecurity incidents.

Email and Other Electronic Means

Both centers maintain connectivity with a variety of partners through email, automated data exchange, and other means. This form of connectivity allows very precise outreach when broad communications are inappropriate or not possible. In coordination with the SSAs, both the NICC and the NCCIC will reach out directly to specific partners as a developing situation or information need evolves. Similarly, both centers are available to stakeholders throughout the partnership when rapid response to information needs is essential.

Teleconferences

- National threat briefings: During periods of heightened threat or concern, the NICC will coordinate through the SSAs and relevant critical infrastructure partners to conduct unclassified teleconferences regarding current intelligence, expected actions, and protective measure options for consideration.
- Incident-specific cross-sector calls:
  o NICC: During significant incidents, the NICC will coordinate calls with the SSA and Government Coordinating Council (GCC)/Sector Coordinating Council (SCC) leadership to discuss national and cascading impacts and determine potential courses of action to mitigate risk. If necessary, the NICC will also leverage GCC/SCC and regional partners to determine locally affected partners and conduct large-scale teleconferences to share mutual situational awareness and address key areas of concern.
  o NCCIC: The NCCIC will similarly reach out to sector partners through its established mechanisms.

Classified Meetings and Briefings

During periods of heightened threat or concern with significant classified components, the NICC and/or NCCIC, in conjunction with the IC, will coordinate through the SSAs, GCCs, and SCCs to conduct classified briefings on current intelligence, expected actions, and protective measure options for consideration. The centers, in collaboration with the SSAs and the IC, may assist in arranging similar briefings outside of the National Capital Region.

In-Person Meetings and Regional Extensions

- Onsite consultations and self-evaluations: The NCCIC helps asset owners take the preventive measures necessary to prepare for and protect from cyber attacks via no-cost onsite defense-in-depth cybersecurity strategic analysis of critical infrastructure by DHS subject matter experts.
- Infrastructure Protection (IP) regional staff: The NICC works in close coordination with DHS and IP field personnel and other regional public and private partners. Information sharing to and from the field is coordinated between the NICC and DHS Protective Security Advisors and chemical inspectors in the field, preventing information stovepipes while reducing duplication of effort.

Integrating Partners into Daily Operations

The NICC and NCCIC incorporate critical infrastructure partners into their day-to-day operations, even incorporating both public- and private-sector partners into their physical watch facilities. These partners serve as bidirectional conduits of information between the centers and the liaison's home agency or sector. These partners include, but are not limited to, ISACs, SSAs, Federal law enforcement, the intelligence community, and other key partners.

II. Federal Partners

Both centers maintain active relationships with Federal partners from among the SSAs, law enforcement, intelligence, and emergency management communities. Beyond these mission partners, other government agencies should also work in coordination with the NICC and NCCIC where they share interest in critical infrastructure-related information. For example, the NICC works closely with the State Department's Overseas Security Advisory Council, which often has the earliest releasable information regarding threats to physical infrastructure overseas and is therefore an essential partner for ensuring this information is available to the domestic critical infrastructure community. At the same time, the NCCIC works on a daily basis with other Federal cyber centers to exchange critical information and coordinate analytical and response processes. Both centers provide reports to the NOC to facilitate shared situational awareness across the Federal community.

Sector-Specific Agencies

The SSAs actively engage with the centers through the mechanisms listed above. The NICC and NCCIC rely on the SSAs to ensure connectivity broadly across the sectors. During significant incidents, the SSAs provide the NICC and NCCIC with sector impacts for inclusion in the comprehensive infrastructure Common Operating Picture (COP), which is then shared back with the SSAs and other partners.

The Intelligence Community

The NICC and NCCIC serve as a major conduit for IC threat information, both classified and unclassified, to the owners and operators of critical infrastructure.

Federal Law Enforcement

The NICC and NCCIC, within their information sharing protocols and protections, provide suspicious activity reporting and other similar information to Federal law enforcement entities.

Federal Emergency Management

During major incidents, the NICC and NCCIC maintain close coordination with the Federal Emergency Management Agency (FEMA) to ensure that overall critical infrastructure status and impacts on life and safety are understood throughout the Federal incident response community. Both the NICC and the NCCIC provide liaisons directly to the National Response Coordination Center to ensure continuous bidirectional information flow. The SSAs are often directly tied to the Federal emergency management structure as noted in the table below. The SSAs provide detailed sector-specific status information, while the NICC and NCCIC provide the cross-sector analysis of the system-of-systems that makes up our national critical infrastructure. During major national incidents, particular focus is placed on those lifeline functions on which most critical infrastructure sectors depend; this includes communications, energy, transportation, and water. More information on critical infrastructure information sharing during significant incidents is found in the Critical Infrastructure Support Annex to the National Response Framework.

| Sector | SSA | Related Emergency Support Function(s) (ESF) [1] |
|---|---|---|
| Chemical | Department of Homeland Security | ESF #10 Oil and Hazardous Materials Response (support) |
| Commercial Facilities | Department of Homeland Security | |
| Communications | Department of Homeland Security | ESF #2 Communications (coordinator/primary) |
| Critical Manufacturing | Department of Homeland Security | |
| Dams | Department of Homeland Security | ESF #3 Public Works and Engineering (support) |
| Defense Industrial Base | Department of Defense | |
| Emergency Services | Department of Homeland Security | ESF #4 Firefighting (support); ESF #5 Information and Planning (support); ESF #13 Public Safety and Security (support) |
| Energy | Department of Energy | ESF #12 Energy (coordinator/primary); ESF #10 Oil and Hazardous Materials Response (support) |
| Financial Services | Department of the Treasury | |
| Food and Agriculture | U.S. Department of Agriculture and Department of Health and Human Services | ESF #11 Agriculture and Natural Resources (USDA: coordinator/primary; HHS: support); ESF #6 Mass Care, Emergency Assistance, Housing, and Human Services (support) |
| Government Facilities | Department of Homeland Security and General Services Administration | |
| Healthcare and Public Health | Department of Health and Human Services | ESF #8 Public Health and Medical Services (coordinator/primary) |
| Information Technology | Department of Homeland Security | |
| Nuclear Reactors, Materials, and Waste | Department of Homeland Security | ESF #12 Energy (coordinator/primary) |
| Transportation Systems | Department of Homeland Security and Department of Transportation | ESF #1 Transportation (DOT: coordinator/primary; DHS: support) |
| Water and Wastewater Systems | Environmental Protection Agency | ESF #3 Public Works and Engineering (support) |

[1] The ESFs provide the structure for coordinating Federal interagency support for a Federal response to an incident. They are mechanisms for grouping functions most frequently used to provide Federal support to States and Federal-to-Federal support, both for declared disasters and emergencies under the Stafford Act and for non-Stafford Act incidents.

III. Critical Infrastructure Owners and Operators

Individual critical infrastructure owners and operators will often send and receive information to and from the national centers through intermediary entities, but can always reach directly to the centers if necessary to share or request mission-critical information. The centers are in continuous contact with the ISACs and SSAs.

IV. State, Local, Tribal, and Territorial Government Partners, and Other Regional Partnerships and Consortia

The NICC and NCCIC are resources for non-federal partners in government and regional public-private consortia and coalitions. The coordinating centers may leverage existing regional partnerships to ensure information penetration to decision makers, especially during significant incidents affecting multiple sectors within a region. The centers, in conjunction with other national critical infrastructure partners where appropriate, also share information with State and local fusion centers, InfraGard chapters, Maritime Area Security Committees, FEMA regional offices, etc.

V. Common Information-Sharing Requirements, Systems, and Processes

The two centers continuously set and refine common information-sharing requirements, systems, and processes to facilitate a COP that delivers actionable information to decision makers at all levels. Specifically:

- Refine and manage critical information requirements (CIRs): To build situational awareness, each center operates using a set of defined CIRs, which should be continuously evaluated and refined to ensure optimal situational awareness. SSAs and other departments and agencies may augment these with sector-specific CIRs, and requirements should be coordinated with critical infrastructure owners and operators and the State, Local, Tribal, and Territorial Government Coordinating Council.
- Leverage the DHS COP for a combined, cross-sector situational awareness picture for critical infrastructure security and resilience: Data feeds and web services should be created across SSAs and other Federal, State, local, tribal, and territorial governments, as well as private sector entities, to inform the critical infrastructure centers and the overall critical infrastructure COP. In turn, this larger national situational awareness picture is shared back out among the partnership to enable participants to have greater depth and context of knowledge than they would otherwise have.

VI. Information Protection

The NICC and NCCIC, as information management and coordination centers, are capable of handling information under a wide range of handling caveats. These protections and caveats include, but are not limited to: classified, For Official Use Only, Personally Identifiable Information (PII), Sensitive PII, Protected Critical Infrastructure Information, Chemical-terrorism Vulnerability Information, Law Enforcement Sensitive, and various industry standards such as the Traffic Light Protocol used by many ISACs.

VII. Get Connected

Centers

- National Infrastructure Coordinating Center: nicc@hq.dhs.gov / 202 282 9201
- National Cybersecurity and Communications Integration Center: nccic@hq.dhs.gov / 888 282 0870

Portals

- HSIN-CI: To request HSIN-CI access, submit the following to HSIN.Helpdesk@hq.dhs.gov:
  o Name
  o Employer
  o Title
  o Business email
  o Brief written justification
  For questions regarding HSIN-CI access, please contact the NICC.
- US-CERT and ICS-CERT Portal: An individual or organization can request access to the Cobalt Compartment by sending an e-mail to NCCIC_Partnership@hq.dhs.gov with the subject line "Request access to Cobalt Compartment". To access the Control System Compartment, send an e-mail to NCCIC_Partnership@hq.dhs.gov with the subject line "Request access to Control Systems Compartment". To qualify for either compartment, requestors must:
  o Be a U.S.-based organization;
  o Have a role within your organization's network defense community; and
  o Be a control system asset owner/operator (specific to the Control System Compartment).

Supplemental Tool: The Critical Infrastructure Risk Management Framework

Risk is defined as the potential for an unwanted outcome resulting from an incident, event, or occurrence, as determined by its likelihood and the associated consequences. [2] Simply stated, risk is influenced by the nature and magnitude of a threat or hazard, the vulnerabilities from that threat or hazard, and the consequences that could result. Risk information enables partners, ranging from facility owners and operators to Federal agencies, to prioritize risk mitigation efforts. This supplement describes how the critical infrastructure risk management framework can be used as part of the overall effort to ensure the security and resilience of our Nation's critical infrastructure.

The critical infrastructure risk management framework, depicted in Figure 1, supports the integration of strategies, capabilities, and governance to enable risk-informed decision making related to the Nation's critical infrastructure. This framework is applicable to threats such as cyber incidents, natural disasters, manmade safety hazards, and acts of terrorism, although different information and methodologies may be used to understand each. There are other risk management models used in government and industry, which can be more detailed and often are tailored to a specific need. For example, private industry uses specific models, utilizing standards and best practices, to assess operational and economic business risks. The critical infrastructure risk management framework is not intended to replace any such models or processes already in use. Rather, it provides a common, unifying approach to risk management that all critical infrastructure partners can use, relate to, and align with their own risk management models and activities.

Figure 1: Critical Infrastructure Risk Management Framework

The critical infrastructure risk management framework is tailored toward and applied on an asset, system, network, or functional basis, depending on the fundamental characteristics of each individual critical infrastructure sector. For those sectors primarily dependent on fixed assets and physical facilities, a bottom-up, asset-by-asset approach may be most appropriate. For sectors such as Communications, Information Technology, and Food and Agriculture, with accessible and distributed systems, a top-down, business or mission continuity approach that uses risk assessments focused on network and system interdependencies may be more effective. Each sector must pursue the approach that produces the most effective use of resources and has the opportunity to contribute to cross-sector comparative risk analyses conducted by the Department of Homeland Security (DHS). The risk management framework is also useful at a community level, as jurisdictions or businesses can work collaboratively to make risk-informed decisions within their span of control.

The critical infrastructure risk management framework includes the following activities:

- Set Goals and Objectives: Define specific outcomes, conditions, end points, or performance targets that collectively describe an effective and desired risk management posture.
- Identify Critical Infrastructure (assets, systems, and networks): Develop an inventory of critical assets, systems, and networks that contribute to critical functionality, and collect information pertinent to risk management, including analysis of dependencies and interdependencies.
- Assess and Analyze Risks: Evaluate the risk, taking into consideration the potential direct and indirect consequences of an incident, known vulnerabilities to various potential threats or hazards, and general or specific threat information.
- Implement Risk Management Activities: Make decisions and implement risk management approaches to control, accept, transfer, or avoid risks. Approaches can include prevention, protection, mitigation, response, and recovery activities.
- Measure Effectiveness: Use metrics and other evaluation procedures to measure progress and assess the effectiveness of efforts to secure and strengthen the resilience of critical infrastructure.

This process is an ongoing and continuing one with feedback loops and iterative steps. It allows the critical infrastructure partnership to track progress and implement actions to improve national critical infrastructure security and resilience over time. The physical, cyber, and human elements of critical infrastructure should be considered in tandem in each aspect of the risk management framework. The partnership structures discussed in the National Plan provide the mechanism for coordination of risk management activities that are flexibly tailored to different sectors, levels of government, and owners and operators.

I. Set Goals and Objectives

Achieving robust, secure, and resilient infrastructure requires national, State, local, and sector-specific critical infrastructure visions, goals, and objectives that are collaboratively developed and describe the desired risk management posture. Goals and objectives should consider the physical, cyber, and human elements of critical infrastructure security and resilience. Goals and objectives may vary across sectors and organizations, depending on the risk landscape, operating environment, and composition of a specific industry, resource, or other aspect of critical infrastructure.

[2] DHS Risk Lexicon, U.S. Department of Homeland Security, 2010.

Nationally, the overall goal of critical infrastructure-related risk management is an enhanced state of security and resilience achieved through the implementation of focused risk management activities within and across sectors and levels of government. The risk management framework supports this goal by:

- Enabling the development of national, State, regional, and sector risk profiles that support the National Critical Infrastructure Security and Resilience Annual Report. These risk profiles outline the highest risks facing different sectors and geographic regions and identify cross-sector or regional issues of concern that are appropriate for the Federal critical infrastructure focus, as well as opportunities for sector, State, and regional initiatives.
- Enabling the critical infrastructure community to determine the best courses of action to reduce potential consequences, threats, and/or vulnerabilities, which, in turn, reduce risk. Some available options include encouraging voluntary implementation of focused risk management strategies (e.g., through public-private partnerships), applying standards and best practices, pursuing economic incentive-related policies and programs, and conducting additional information sharing, if appropriate.
- Informing the identification of risk management and resource allocation options, rather than specifying requirements for critical infrastructure owners and operators. It also allows for a variety of support from government partners.

From a sector or jurisdictional perspective, critical infrastructure security and resilience goals and their supporting objectives:

- Consider distinct assets, systems, networks, functions, operational processes, business environments, and risk management approaches;
- Define the risk management posture that critical infrastructure partners seek to attain individually or collectively; and
- Express this posture in terms of the outcomes and objectives sought.

Taken collectively, these goals and objectives guide all levels of government and the private sector in tailoring risk management programs and activities to address critical infrastructure security and resilience needs.

II. Identify Critical Infrastructure

Partners, both public and private, identify the infrastructure that they consider critical in order to focus their efforts for improving and enhancing security and resilience. Different partners view criticality differently and thereby may identify different infrastructure of concern to them. The Federal Government works with partners to determine which assets, systems, and networks are nationally significant. Some sectors identify regional, State, and locally significant infrastructure as a joint activity between public- and private-sector partners. Private-sector owners and operators may identify additional infrastructure that is necessary to keep their businesses running to provide goods and services to their customers. Similarly, State, local, tribal, and territorial (SLTT) governments should identify those assets, systems, and networks that are crucial to their continued operations to ensure public health and safety and the provision of essential services.

The National Critical Infrastructure Prioritization Program (NCIPP) identifies nationally significant infrastructure to support risk-informed decision making by the Federal Government and its critical infrastructure partners. Critical assets, systems, and networks identified through this process include those which, if destroyed or disrupted, could cause some combination of significant casualties, major economic losses, or widespread and long-term impacts to national well-being and governance capacity. The NCIPP collects, identifies, and prioritizes critical infrastructure information from States, critical infrastructure sectors, and other homeland security partners across the Nation. The NCIPP uses an enhanced infrastructure data collection application, which provides the ability to input data throughout the year. Data collected through the NCIPP forms the basis of a national inventory that includes those assets, systems, and networks that are nationally significant and those that may not be significant on a national level but are, nonetheless, important to State, local, or regional critical infrastructure security and resilience and national preparedness efforts. The goal of the national inventory is to provide access to relevant information for natural disasters, industrial accidents, and other incidents. Critical infrastructure partners work together to ensure that the inventory data structure is accurate, current, and secure. The Federal Government, including the Sector-Specific Agencies (SSAs), works with critical infrastructure owners and operators and SLTT entities to build upon and update existing inventories at the State and local levels to avoid duplication of past or ongoing complementary efforts.

Identifying Cyber Infrastructure

The National Plan addresses security and resilience of the cyber elements of critical infrastructure in an integrated manner rather than as a separate consideration. As a component of the sector-specific risk assessment process, cyber system components should be identified individually or be included as a cyber element of a larger asset, system, or network with which they are associated. The identification process should include information on international cyber infrastructure with cross-border implications, interdependencies, or cross-sector ramifications. Cyber system elements that exist in most, if not all, sectors include business systems, control systems, access control systems, and warning and alert systems. The Internet has been identified as an essential resource, comprising the domestic and international assets within both the Information Technology and Communications Sectors, and the need for access to and reliance on information and communications technology is common to all sectors.

DHS supports the SSAs and other critical infrastructure partners by developing tools and methodologies to assist in identifying cyber assets, systems, and networks, including those that involve multiple sectors. Several sectors have developed a functions-based approach for identifying cyber-dependent critical infrastructure. The Cyber-Dependent Infrastructure Identification[3] approach is based on three high-level steps:

- Defining criteria for catastrophic impacts across all sectors;
- Evaluating previous sector efforts to determine how they can be leveraged to identify cyber-dependent critical infrastructure at greatest risk; and
- Applying a functions-based approach to identify cyber-dependent infrastructure and its impacts on the sector.

[3] Executive Order 13636, Improving Critical Infrastructure Cybersecurity, February 2013.

Additionally, DHS, in collaboration with other critical infrastructure partners, provides cross-sector cyber methodologies, which, when applied, enable sectors to identify cyber assets, systems, and networks that may have nationally significant consequences if destroyed, incapacitated, or exploited. These methodologies also characterize the reliance of a sector's business and operational functionality on cyber systems.

Today's information systems, networks, and end-user mobile devices are highly dependent upon the availability of accurate and precise positioning, navigation, and timing (PNT) data. PNT services are critical to the operations of multiple critical infrastructure sectors and are vital to incident response. The U.S. Air Force operates the Global Positioning System (GPS), a dual-use system that provides PNT services worldwide for civil and military purposes. The free, open, and dependable nature of GPS has led to the development of hundreds of applications affecting every aspect of modern life and U.S. economic growth. Other countries are also investing in global navigation satellite systems like GPS.

While space-based PNT services are highly available and reliable, these services can be subject to intentional and unintentional disruption by interference or signal blockage, thus preventing valuable PNT data from reaching intended recipients. Because so many business functions and operations rely exclusively on GPS for location and timing data, disruption to GPS civil services could potentially create a single point of failure and lead to cascading effects across multiple sectors. To better understand and mitigate risks from potential disruptions to GPS service availability, critical infrastructure partners can identify the sources and applications of PNT information that support or enable their critical functions and operations, continually assess dependencies and interdependencies, and implement steps to increase the resilience of critical infrastructure operations in the event of interference to or disruption of primary PNT services.

III. Assess Risks

Homeland security risks can be assessed in terms of their likelihood and consequences. Common definitions, scenarios, assumptions, metrics, and processes are needed to ensure that risk assessments contribute to a shared understanding among critical infrastructure partners. The risk management framework outlines a risk assessment approach that results in sound, scenario-based consequence and vulnerability estimates, as well as an assessment of the likelihood that the postulated threat or hazard would occur.

The National Plan calls for critical infrastructure partners to generally assess risk from any scenario, considering both likelihood and consequence. As stated in the introduction to this supplemental tool, it is important to think of risk as influenced by the nature and magnitude of a threat or hazard, the vulnerabilities to those threats and hazards, and the consequences that could result.

Threat: A natural or manmade occurrence, individual, entity, or action that has or indicates the potential to harm life, information, operations, the environment, and/or property. For the purpose of calculating risk, the threat of an unintentional hazard is generally estimated as the likelihood that the hazard will manifest itself. An intentional hazard is generally estimated as the likelihood of an attack being attempted by an adversary. In the case of intentionally adversarial actors and actions, for both physical and cyber effects, the threat likelihood is estimated based on the intent and capability of the adversary.

Vulnerability: A physical feature or operational attribute that renders an entity open to exploitation or susceptible to a given hazard. In calculating the risk of an intentional hazard, a common measure of vulnerability is the likelihood that an attack is successful, given that it is attempted.

Consequence: The effect of an event, incident, or occurrence; it reflects the level, duration, and nature of the loss resulting from the incident. For the purposes of the National Plan, potential consequences may fall into four categories: public health and safety (i.e., loss of life and illness), economic (direct and indirect), psychological, and governance/mission impacts.

It is appropriate for critical infrastructure risk assessments to explicitly consider each of these factors, but it is not necessary to do so in a quantifiable manner. In conducting assessments, analysts should be very careful when calculating risk to properly address interdependencies and any links between how the threats and vulnerabilities were calculated, to ensure that the results are sound and defensible. A comprehensive critical infrastructure risk assessment will explicitly consider each of these factors, to the extent necessary for decision making and as possible, given the available information. Critical infrastructure-related risk assessments are conducted on assets, systems, or networks, depending on the characteristics of the infrastructure being examined. Individual threat, consequence, or vulnerability assessments may be useful on their own or in the aggregate to assess risk.

Critical Infrastructure Risk Assessments

Risk assessments are conducted by many critical infrastructure partners to meet their own decision-making needs, using a broad range of methodologies. As a general rule, simple but defensible methodologies are preferred over more complicated methods. Simple methodologies are more likely to fulfill the requirements of transparency and practicality. Risk methodologies are often sorted into qualitative and quantitative categories, but when well-designed, both types of assessments have the potential to deliver useful analytic results. Similarly, both qualitative and quantitative methodologies can be needlessly complex or poorly designed. The methodology that best meets the decision maker's needs is generally the best choice, whether quantitative or qualitative.

The common analytic principles originally provided in the National Infrastructure Protection Plan are broadly applicable to all parts of a risk methodology. These principles provide a guide for improving existing methodologies or modifying them so that the investment and expertise they represent can be used to support national-level, comparative risk assessments, investments, incident response planning, and resource prioritization. Recognizing that many risk assessment methodologies are under development and others evolve in a dynamic environment, the analytic principles for risk assessment methodologies serve as a guide to future adaptations. The basic analytic principles ensure that risk assessments are:

- Documented: The methodology and the assessment must clearly document what information is used and how it is synthesized to generate a risk estimate. Any assumptions, weighting factors, and subjective judgments need to be transparent to the user of the methodology, its audience, and others who are expected to use the results. The types of decisions that the risk assessment is designed to support and the timeframe of the assessment (e.g., current conditions versus future operations) should be given.
- Reproducible: The methodology must produce comparable, repeatable results, even though assessments of different critical infrastructure may be performed by different analysts or teams of analysts. It must minimize the number and impact of subjective judgments, leaving policy and value judgments to be applied by decision makers.
- Defensible: The risk methodology must logically integrate its components, making appropriate use of the professional disciplines relevant to the analysis, as well as be free from significant errors or omissions. Uncertainty associated with consequence estimates and confidence in the vulnerability and threat estimates should be communicated.

Risk Scenario Identification

It is generally helpful for homeland security risk assessments to use scenarios to divide the identified risks into separate pieces that can be assessed and analyzed individually. A scenario is a hypothetical situation comprised of an identified hazard, an entity impacted by that hazard, and associated conditions including consequences, when appropriate. When analysts are developing plausible scenarios to identify potential risks for a risk assessment, the set of scenarios should attempt to cover the full scope of the assessment to ensure that the decision maker is provided with complete information when making a decision. For a relatively fixed system, an important first step is to identify those components or critical nodes where potential consequences would be highest and where security and resilience activities can be focused. Analysts should take care when dealing with the results, as including multiple scenarios that contain the same event could lead to double counting the risk.

Threat and Hazard Assessment

The remaining factor to be considered in the risk assessment process is the assessment of threat and/or hazard. Assessment of the current terrorist threat to the United States is derived from extensive study and understanding of terrorists and terrorist organizations, and frequently is dependent on analysis of classified information. The Federal Government provides its partners with unclassified assessments of potential terrorist threats and appropriate access to classified assessments where necessary and authorized. These threat assessments are derived from analyses of adversary intent and capability, and describe what is known about terrorist interest in particular critical infrastructure sectors, as well as specific attack methods. Since international terrorists, in particular, have continually demonstrated flexibility and unpredictability, DHS and its partners in the intelligence community also analyze known terrorist goals, objectives, and developing capabilities to provide critical infrastructure owners and operators with a broad view of the potential threat and postulated terrorist attack methods. Similar approaches are used to assess the threats of theft, vandalism, sabotage, insider threat, cyber threats, active shooter, and other deliberate acts. Both domestic and international critical infrastructure remain potential prime targets for adversaries. Given the deeply rooted nature of these goals and motivations, critical infrastructure likely will remain a highly attractive target for state and non-state actors and others with ill intent. Threat assessments must address the various elements of both physical and cyber threats to critical infrastructure, depending on the attack type and target.

Hazard assessments draw on historical information and future predictions about natural hazards to assess the likelihood or frequency of various hazards. This is an area where various components of the Federal Government work with sector leadership and owners and operators to make assessments in advance of any specific hazard, as well as once an impending hazard (such as a hurricane yet to make landfall) is identified.

Vulnerability Assessment

Vulnerabilities are physical features or operational attributes that render an entity open to exploitation or susceptible to a given hazard. Vulnerabilities may be associated with physical (e.g., no barriers or alarm systems), cyber (e.g., lack of a firewall), or human (e.g., untrained guards) factors. A vulnerability assessment can be a stand-alone process or part of a full risk assessment. The vulnerability assessment involves the evaluation of specific threats to the asset, system, or network under review to identify areas of weakness that could result in consequences of concern. Many different vulnerability assessment approaches are used in the different critical infrastructure sectors and by various government authorities. Many of the Sector-Specific Plans (SSPs) describe vulnerability assessment methodologies used in the sectors. The SSPs also may provide specific details regarding how the assessments can be carried out (e.g., by whom and how often).

Consequence Assessment

Consequence categories may include:

- Public Health and Safety: Effect on human life and physical well-being (e.g., fatalities, injuries/illness).
- Economic: Direct and indirect economic losses (e.g., cost to rebuild asset, cost to respond to and recover from attack, downstream costs resulting from disruption of product or service, long-term costs due to environmental damage).
- Psychological: Effect on public morale and confidence in national economic and political institutions. This encompasses those changes in perceptions emerging after a significant incident that affect the public's sense of safety and well-being and can manifest in aberrant behavior.
- Governance/Mission Impact: Effect on the ability of government or industry to maintain order, deliver minimum essential public services, ensure public health and safety, and carry out national security-related missions.

Consequence analysis should ideally address both direct and indirect effects. Many assets, systems, and networks depend on connections to other critical infrastructure to function. For example, nearly all sectors share relationships with elements of the Energy, Information Technology, Communications, Financial Services, and Transportation Systems sectors. In many cases, the failure of an asset or system in one sector will affect the ability of interrelated assets or systems in the same or another sector to perform the necessary functions. Furthermore, cyber interdependencies present unique challenges for all sectors because of the borderless nature of cyberspace. Interdependencies are dual in nature. For example, the Energy Sector relies on computer-based control systems to manage the electric power grid, while those same control systems require electric power to operate. As a result, a complete consequence analysis addresses both directions of critical infrastructure interconnections for the purposes of risk assessment. The level of detail and specificity achieved by using the most sophisticated models and simulations may not be practical or necessary for all assets, systems, or networks. In these circumstances, a simplified dependency and interdependency analysis based on expert judgment may provide sufficient insight to make informed risk management decisions in a timely manner.

There is also an element of uncertainty in consequence estimates. Even when a scenario with reasonable worst-case conditions is clearly stated and consistently applied, there is a range of outcomes that could occur. For some incidents, the consequence range is small, and a simple estimate may provide sufficient information to support decisions. If the range of outcomes is large, the scenario may require more specificity about conditions to obtain appropriate estimates of the outcomes. However, if the scenario is broken down to a reasonable level of granularity and there is still significant uncertainty, the estimate should be accompanied by the uncertainty range to support more informed decision making. The best way to communicate uncertainty will depend on the factors that make the outcome uncertain, as well as the amount and type of information that is available.

IV. Implement Risk Management Activities

The selection and implementation of appropriate risk management activities requires prioritization to help focus planning, increase coordination, and support effective resource allocation and incident management, response, and restoration decisions. Comparing the risk faced by different entities helps identify where risk mitigation is most needed and subsequently determine and help justify the most cost-effective risk management options. Prioritization can be used primarily to inform resource allocation decisions, such as where risk management programs should be instituted; guide investments in these programs; and highlight the measures that offer the greatest return on investment.
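The scenario decomposition and double-counting caveat under Risk Scenario Identification, the uncertainty-range guidance on consequence estimates, and the prioritization described at the start of Section IV can be worked through in a small scenario register. The Python below is an added example for this supplement, not a DHS tool or a method the National Plan prescribes. It assumes that the threat likelihood (likelihood of occurrence or of an attempt), the vulnerability (likelihood of success given an attempt) and the consequence range combine multiplicatively into an expected-loss range; that two scenarios naming the same hazard event against the same asset are the double-counting case and are merged by keeping the larger of each bound; and that a consequence range spanning more than ten times its low bound is wide enough that the scenario needs more specific conditions. The scenario names, likelihoods and dollar figures are constructed for illustration.

```python
"""Scenario-based risk register: an added example, not a DHS tool.

Each scenario pairs a hazard event with an impacted asset and carries the
three factors the supplement describes: threat (likelihood the hazard
manifests or the attack is attempted), vulnerability (likelihood the attempt
succeeds, given that it is attempted) and a consequence range. All figures
below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Range = Tuple[float, float]  # (low, high) bounds of a loss estimate, in dollars


@dataclass(frozen=True)
class Scenario:
    name: str
    hazard_event: str     # the hazard or attack the scenario postulates
    asset: str            # the asset, system or network that hazard impacts
    threat: float         # annual likelihood the hazard manifests / attack is attempted
    vulnerability: float  # likelihood of success given an attempt (1.0 for natural hazards)
    consequence: Range    # reasonable worst-case loss as a (low, high) range

    def __post_init__(self) -> None:
        # Defensible estimates need well-formed inputs: likelihoods in [0, 1], ordered range.
        for p in (self.threat, self.vulnerability):
            if not 0.0 <= p <= 1.0:
                raise ValueError(f"{self.name}: likelihoods must lie in [0, 1]")
        low, high = self.consequence
        if low < 0.0 or high < low:
            raise ValueError(f"{self.name}: consequence range must satisfy 0 <= low <= high")

    def expected_loss(self) -> Range:
        # Assumption of this example: the factors combine multiplicatively,
        # P(occurrence or attempt) * P(success | attempt) * loss, bound by bound.
        p = self.threat * self.vulnerability
        low, high = self.consequence
        return (p * low, p * high)

    def uncertainty_ratio(self) -> float:
        """Width of the consequence range, expressed as high / low."""
        low, high = self.consequence
        return float("inf") if low == 0.0 else high / low


def find_shared_events(scenarios: List[Scenario]) -> Dict[Tuple[str, str], List[str]]:
    """Return (hazard_event, asset) pairs described by more than one scenario:
    summing those would count the same event twice."""
    groups: Dict[Tuple[str, str], List[str]] = {}
    for s in scenarios:
        groups.setdefault((s.hazard_event, s.asset), []).append(s.name)
    return {key: names for key, names in groups.items() if len(names) > 1}


def aggregate_risk(scenarios: List[Scenario], dedupe: bool = True) -> Range:
    """Total expected-loss range across the scenario set.

    With dedupe=True, scenarios sharing a (hazard_event, asset) pair are merged
    into one envelope (the larger of each bound) instead of being summed. The
    max-envelope merge is a simplifying assumption of this example.
    """
    if not scenarios:
        return (0.0, 0.0)
    if not dedupe:
        lows, highs = zip(*(s.expected_loss() for s in scenarios))
        return (sum(lows), sum(highs))
    merged: Dict[Tuple[str, str], Range] = {}
    for s in scenarios:
        key = (s.hazard_event, s.asset)
        low, high = s.expected_loss()
        prev_low, prev_high = merged.get(key, (0.0, 0.0))
        merged[key] = (max(prev_low, low), max(prev_high, high))
    return (sum(r[0] for r in merged.values()), sum(r[1] for r in merged.values()))


def prioritize(scenarios: List[Scenario], refine_above: float = 10.0) -> List[Tuple[str, float, bool]]:
    """Rank scenarios by the midpoint of their expected-loss range, highest first.

    The third field flags scenarios whose consequence range spans more than
    refine_above times its low bound, i.e. a scenario that needs more specific
    conditions before its estimate supports a decision. The 10x threshold is an
    assumption chosen for illustration.
    """
    rows = []
    for s in scenarios:
        low, high = s.expected_loss()
        rows.append((s.name, (low + high) / 2.0, s.uncertainty_ratio() > refine_above))
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed sample register. Two analysts have written up the same ice-storm
# event against the same substation, which is the double-counting case.
SAMPLE_SCENARIOS: List[Scenario] = [
    Scenario("Ice storm: substation outage", "regional_ice_storm", "Substation 1",
             threat=0.2, vulnerability=1.0, consequence=(1_000_000, 5_000_000)),
    Scenario("Ice storm: substation outage (ops team estimate)", "regional_ice_storm", "Substation 1",
             threat=0.2, vulnerability=1.0, consequence=(1_500_000, 4_000_000)),
    Scenario("SCADA intrusion", "targeted_cyber_intrusion", "Control center",
             threat=0.1, vulnerability=0.5, consequence=(500_000, 20_000_000)),
    Scenario("Vehicle-borne attack on substation", "vehicle_borne_attack", "Substation 1",
             threat=0.01, vulnerability=0.6, consequence=(2_000_000, 3_000_000)),
]

if __name__ == "__main__":
    for key, names in find_shared_events(SAMPLE_SCENARIOS).items():
        print(f"same event written up more than once: {key} -> {names}")
    print("total expected loss, deduplicated:", aggregate_risk(SAMPLE_SCENARIOS))
    print("total expected loss, naive sum:   ", aggregate_risk(SAMPLE_SCENARIOS, dedupe=False))
    for name, midpoint, needs_refinement in prioritize(SAMPLE_SCENARIOS):
        flag = "  (range too wide: refine scenario conditions)" if needs_refinement else ""
        print(f"{midpoint:>12,.0f}  {name}{flag}")
```

Run as a script, the register reports the duplicated ice-storm write-up, shows how much the naive sum overstates the total, and ranks the scenarios while marking the cyber intrusion (a 40x consequence range) as one that needs its conditions narrowed before its estimate is relied on. Keying duplicates on the (hazard event, asset) pair rather than on the hazard alone matters: the same ice storm hitting two different substations is two legitimate scenarios, not a double count.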