Cybersecurity Framework 101 Webinar 20170301 v2

The document outlines the Framework for Improving Critical Infrastructure Cybersecurity. It was created through a collaborative process and aims to help organizations manage cybersecurity risks. The Framework includes standards and guidelines to identify, protect, detect, respond to, and recover from cybersecurity events. It is designed to be flexible and cost-effective, and to support technical innovation.

Uploaded by Rodrigo Padovan

Framework for Improving Critical Infrastructure Cybersecurity
March 2017

[email protected]

Improving Critical Infrastructure Cybersecurity

“It is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties”

Executive Order 13636, February 12, 2013
The Cybersecurity Framework...

• Includes a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks.
• Provides a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk.
• Identifies areas for improvement to be addressed through future collaboration with particular sectors and standards-developing organizations.
• Is consistent with voluntary international standards.
Development of the Framework

Engage Stakeholders
• EO 13636 Issued – Feb 12, 2013
• RFI Issued – Feb 2013
• 1st Workshop – April 2013

Collect, Categorize, Post RFI Responses
• Completed – April 2013

Analyze RFI Responses
• 2nd Workshop – May 2013
• Draft Outline of Framework – June 2013

Identify Framework Elements
• 3rd Workshop – July 2013
• 4th Workshop – Sept 2013

Prepare and Publish
• 5th Workshop – Nov 2013
• Framework Published – Feb 12, 2014

Ongoing Engagement: open public comment and review were encouraged throughout the process… and to this day.
The Framework Is for Organizations…

• Of any size, in any sector in (and outside of) the critical infrastructure.
• That already have a mature cyber risk management and cybersecurity program.
• That don’t yet have a cyber risk management or cybersecurity program.
• Needing to keep up-to-date managing risks, facing business or societal threats.
• In the federal government, too… since it is compatible with FISMA requirements and goals.
Continued Improvement of Critical Infrastructure Cybersecurity

Amends the National Institute of Standards and Technology Act (15 U.S.C. 272(c)) to say:

“…on an ongoing basis, facilitate and support the development of a voluntary, consensus-based, industry-led set of standards, guidelines, best practices, methodologies, procedures, and processes to cost-effectively reduce cyber risks to critical infrastructure”

Cybersecurity Enhancement Act of 2014 (P.L. 113-274), 18 December 2014
Cybersecurity Framework Components

Framework Core
• Cybersecurity activities and informative references, organized around particular outcomes.
• Enables communication of cyber risk across an organization.

Framework Profile
• Aligns industry standards and best practices to the Framework Core in a particular implementation scenario.
• Supports prioritization and measurement while factoring in business needs.

Framework Implementation Tiers
• Describes how cybersecurity risk is managed by an organization and the degree to which the risk management practices exhibit key characteristics.
Key Properties of Cyber Risk Management

• Risk Management Process
• Integrated Risk Management Program
• External Participation
Implementation Tiers

Tier 1: Partial    Tier 2: Risk Informed    Tier 3: Repeatable    Tier 4: Adaptive

Each tier is assessed along three properties:

Risk Management Process: the functionality and repeatability of cybersecurity risk management.
Integrated Risk Management Program: the extent to which cybersecurity is considered in broader risk management decisions.
External Participation: the degree to which the organization benefits by sharing or receiving information from outside parties.
Core
Cybersecurity Framework Component

The Core gives each audience a shared structure while speaking in its own vocabulary:

Senior Executives
• Broad enterprise considerations
• Abstracted risk vocabulary

Implementation/Operations
• Deep technical considerations
• Highly specialized vocabulary

Specialists in Other Fields
• Specific focus outside of cybersecurity
• Specialized or no risk vocabulary
Core
Cybersecurity Framework Component

Function   Guiding question                                      Category                                          ID
Identify   What processes and assets need protection?            Asset Management                                  ID.AM
                                                                 Business Environment                              ID.BE
                                                                 Governance                                        ID.GV
                                                                 Risk Assessment                                   ID.RA
                                                                 Risk Management Strategy                          ID.RM
Protect    What safeguards are available?                        Access Control                                    PR.AC
                                                                 Awareness and Training                            PR.AT
                                                                 Data Security                                     PR.DS
                                                                 Information Protection Processes & Procedures     PR.IP
                                                                 Maintenance                                       PR.MA
                                                                 Protective Technology                             PR.PT
Detect     What techniques can identify incidents?               Anomalies and Events                              DE.AE
                                                                 Security Continuous Monitoring                    DE.CM
                                                                 Detection Processes                               DE.DP
Respond    What techniques can contain impacts of incidents?     Response Planning                                 RS.RP
                                                                 Communications                                    RS.CO
                                                                 Analysis                                          RS.AN
                                                                 Mitigation                                        RS.MI
                                                                 Improvements                                      RS.IM
Recover    What techniques can restore capabilities?             Recovery Planning                                 RC.RP
                                                                 Improvements                                      RC.IM
                                                                 Communications                                    RC.CO
Core
Cybersecurity Framework Component

Each Category breaks down into Subcategories (outcome statements), and each Subcategory points to Informative References in existing standards. The Business Environment (ID.BE) category, shown on this slide:

ID.BE-1: The organization’s role in the supply chain is identified and communicated.
  COBIT 5 APO08.04, APO08.05, APO10.03, APO10.04, APO10.05
  ISO/IEC 27001:2013 A.15.1.3, A.15.2.1, A.15.2.2
  NIST SP 800-53 Rev. 4 CP-2, SA-12

ID.BE-2: The organization’s place in critical infrastructure and its industry sector is identified and communicated.
  COBIT 5 APO02.06, APO03.01
  NIST SP 800-53 Rev. 4 PM-8

ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated.
  COBIT 5 APO02.01, APO02.06, APO03.01
  ISA 62443-2-1:2009 4.2.2.1, 4.2.3.6
  NIST SP 800-53 Rev. 4 PM-11, SA-14

ID.BE-4: Dependencies and critical functions for delivery of critical services are established.
  ISO/IEC 27001:2013 A.11.2.2, A.11.2.3, A.12.1.3
  NIST SP 800-53 Rev. 4 CP-8, PE-9, PE-11, PM-8, SA-14

ID.BE-5: Resilience requirements to support delivery of critical services are established.
  COBIT 5 DSS04.02
  ISO/IEC 27001:2013 A.11.1.4, A.17.1.1, A.17.1.2, A.17.2.1
  NIST SP 800-53 Rev. 4 CP-2, CP-11, SA-14
Profile
Cybersecurity Framework Component

Ways to think about a Profile (spanning all five Functions: Identify, Protect, Detect, Respond, Recover):

• A customization of the Core for a given sector, subsector, or organization.
• A fusion of business/mission logic and cybersecurity outcomes.
• An alignment of cybersecurity requirements with operational methodologies.
• A basis for assessment and expressing target state.
• A decision support tool for cybersecurity risk management.
Supporting Risk Management with Framework
Framework 7-Step Process

• Step 1: Prioritize and Scope
• Step 2: Orient
• Step 3: Create a Current Profile
• Step 4: Conduct a Risk Assessment
• Step 5: Create a Target Profile
• Step 6: Determine, Analyze, and Prioritize Gaps
• Step 7: Implementation Action Plan
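The Core table and Steps 3 through 6 above describe a data structure and a procedure: a Current Profile and a Target Profile, each assigning an Implementation Tier to Core categories, and a gap list ordered by priority. The following Python is an added example written for this page, not code from the webinar or from NIST. The Function, Category and Tier names come from the slides; the Current/Target tiers, the per-category priority labels and the numeric priority weights are constructed sample data and assumptions, not values the Framework prescribes.

```python
"""Added example: a minimal Framework Core model plus a Current-vs-Target
Profile gap analysis (Steps 3-6 of the 7-step process). Sample profiles and
priority weights are constructed for illustration only."""

from dataclasses import dataclass

# Framework Core as listed on the slides: Function -> {Category ID: Category}.
CORE = {
    "Identify": {"ID.AM": "Asset Management", "ID.BE": "Business Environment",
                 "ID.GV": "Governance", "ID.RA": "Risk Assessment",
                 "ID.RM": "Risk Management Strategy"},
    "Protect": {"PR.AC": "Access Control", "PR.AT": "Awareness and Training",
                "PR.DS": "Data Security",
                "PR.IP": "Information Protection Processes & Procedures",
                "PR.MA": "Maintenance", "PR.PT": "Protective Technology"},
    "Detect": {"DE.AE": "Anomalies and Events",
               "DE.CM": "Security Continuous Monitoring",
               "DE.DP": "Detection Processes"},
    "Respond": {"RS.RP": "Response Planning", "RS.CO": "Communications",
                "RS.AN": "Analysis", "RS.MI": "Mitigation", "RS.IM": "Improvements"},
    "Recover": {"RC.RP": "Recovery Planning", "RC.IM": "Improvements",
                "RC.CO": "Communications"},
}

# Implementation Tiers as named on the slides.
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}

# Priority labels from the Conceptual Profile slide; the weights are an
# assumption used only to rank gaps, not part of the Framework.
PRIORITY_WEIGHT = {"low": 1, "moderate": 2, "high": 3}


def function_of(category_id: str) -> str:
    """Return the Function (Identify, Protect, ...) that owns a Category ID."""
    for function, categories in CORE.items():
        if category_id in categories:
            return function
    raise KeyError(f"unknown Category ID: {category_id}")


@dataclass(frozen=True)
class Gap:
    category_id: str
    function: str
    priority: str
    current_tier: int
    target_tier: int

    @property
    def size(self) -> int:
        return self.target_tier - self.current_tier

    @property
    def score(self) -> int:
        # Larger gaps in higher-priority categories rank first.
        return self.size * PRIORITY_WEIGHT[self.priority]


def analyze_gaps(current: dict, target: dict, priority: dict) -> list:
    """Compare a Current Profile with a Target Profile (both map Category ID
    to Tier) and return the categories whose target exceeds the current tier,
    ordered by weighted gap size. A category absent from the Current Profile
    is treated as Tier 1 (Partial); unknown tiers or IDs raise an error."""
    gaps = []
    for cat_id, target_tier in target.items():
        cur = current.get(cat_id, 1)
        if target_tier not in TIERS or cur not in TIERS:
            raise ValueError(f"tier out of range for {cat_id}")
        if target_tier > cur:
            gaps.append(Gap(cat_id, function_of(cat_id),
                            priority.get(cat_id, "moderate"), cur, target_tier))
    return sorted(gaps, key=lambda g: (-g.score, g.category_id))


def plan_by_function(gaps: list) -> dict:
    """Group ranked gaps by Function for an implementation action plan."""
    plan = {}
    for g in gaps:
        plan.setdefault(g.function, []).append(g.category_id)
    return plan


def sample_gaps() -> list:
    """Constructed sample profiles (assumptions, not real assessment data)."""
    current = {"ID.AM": 2, "PR.AC": 2, "DE.CM": 1, "RS.RP": 3, "RC.RP": 2}
    target = {"ID.AM": 3, "PR.AC": 3, "DE.CM": 3, "RS.RP": 3, "RC.RP": 3, "ID.GV": 2}
    priority = {"DE.CM": "high", "PR.AC": "high", "ID.GV": "low"}
    return analyze_gaps(current, target, priority)


if __name__ == "__main__":
    for g in sample_gaps():
        print(f"{g.category_id:6} {g.function:8} {g.priority:9} "
              f"Tier {g.current_tier} -> Tier {g.target_tier} (score {g.score})")
    print(plan_by_function(sample_gaps()))
```

The ranking puts DE.CM first in the sample because it combines the largest tier gap with a high priority; RS.RP produces no gap because its current and target tiers match. Replace the constructed dictionaries with a real assessment to use the same ordering for Step 7.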
Building a Profile
A Profile Can be Created in Three Steps

1. Mission Objectives (A, B, C, …)
2. Cybersecurity Requirements (Legislation, Regulation, Internal & External Policy, Best Practice)
3. Operating Methodologies (guidance and methodology on implementing, managing, and monitoring)

The Core Subcategories (1, 2, 3, …, 98) are the link: each mission objective drives requirements, each requirement maps to subcategories, and each subcategory is met through operating methodologies.
Conceptual Profile
Value Proposition

Cybersecurity Requirements (A, B, C, D, E, F, G, …) are mapped onto Core Subcategories, each Subcategory is assigned a priority, and Operating Methodologies (I, II, III, IV, V, VI, VII, VIII, …) are attached to the Subcategories they satisfy:

Subcategory   Priority
1             moderate
2             high
3             moderate
…             …
98            moderate

When you organize yourself in this way:

• Compliance reporting becomes a byproduct of running your security operation
• Adding new security requirements is straightforward
• Adding or changing operational methodology is non-intrusive to on-going operation
Resource and Budget Decision Making
What Can You Do with a CSF Profile?

The As-Is Profile is compared with a To-Be Profile for Year 1 and a To-Be Profile for Year 2:

Subcategory   Priority   Gaps     Budget   Activities (Year 1 / Year 2)
1             moderate   small    $$$      X
2             high       large    $$       X
3             moderate   medium   $        X
…             …          …        …
98            moderate   none     $$       reassess

…and supports on-going operational decisions, too
Profile Ecosystem

Taxonomy (NIST: Cybersecurity Framework Core)
  1, 2, 3, …, 98

Requirements (Organization or Community: Crosswalks / Mappings)
  1 Req A, 2 Req B, 3 Req C, …, 98 Req ZZ

Priorities (Community: Cybersecurity Framework Profile)
  1 Req A High, 2 Req B Mod, 3 Req C Low, …, 98 Req ZZ High
Key Attributes

It’s a framework, not a prescriptive standard
• Provides a common language and systematic methodology for managing cyber risk.
• Is meant to be adapted.
• Does not tell an organization how much cyber risk is tolerable, nor provide “the one and only” formula for cybersecurity.
• Enables best practices to become standard practices for everyone via a common lexicon that enables action across diverse stakeholders.

It’s voluntary

It’s a living document
• It is intended to be updated as stakeholders learn from implementation, and as technology and risks change… more later.
• That’s one reason why the Framework focuses on questions an organization needs to ask itself to manage its risk. While practices, technology, and standards will change over time, principles will not.
Common Patterns of Use

• Integrate the functions into your leadership vocabulary and management tool sets.
• Determine optimal risk management using Implementation Tiers.
• Measure current risk management using Implementation Tiers.
• Reflect on business environment, governance, and risk management strategy categories.
• Develop a Profile of cybersecurity priorities, leveraging (Sub)Sector Profiles when available.
Work in Progress: Framework Roadmap

• Authentication
• Automated Indicator Sharing
• Conformity Assessment
• Cybersecurity Workforce
• Data Analytics
• Federal Agency Cybersecurity Alignment
• International Aspects, Impacts, and Alignment
• Supply Chain Risk Management
• Technical Privacy Standards
Examples of Framework Industry Resources
www.nist.gov/cyberframework/industry-resources

• Italy’s National Framework for Cybersecurity
• American Water Works Association’s Process Control System Security Guidance for the Water Sector
• The Cybersecurity Framework in Action: An Intel Use Case
• Cybersecurity Risk Management and Best Practices Working Group 4: Final Report
• Energy Sector Cybersecurity Framework Implementation Guidance
Examples of State & Local Use

Texas, Department of Information Resources
• Aligned Agency Security Plans with Framework
• Aligned Product and Service Vendor Requirements with Framework

North Dakota, Information Technology Department
• Allocated Roles & Responsibilities using Framework
• Adopted the Framework into their Security Operation Strategy

Houston, Greater Houston Partnership
• Integrated Framework into their Cybersecurity Guide
• Offer On-Line Framework Self-Assessment

National Association of State CIOs
• 2 out of 3 CIOs from the 2015 NASCIO Awards cited Framework as a part of their award-winning strategy

New Jersey
• Developed a cybersecurity framework that aligns controls and procedures with Framework
NIST Baldrige Excellence Builders
Baldrige Cybersecurity Excellence Builder

Excellence Builders exist for: Manufacturing, Service, Small Business, Education, Healthcare, Non-profit, and Cybersecurity (2017).

• Self-assessment criteria with basis in Cybersecurity Framework
• Complements NIST Baldrige Program’s performance excellence successes.
• April 2-5, 2017 - 29th Annual Quest for Excellence Conference
• Pre-conference workshop that focuses on cybersecurity will be held on April 2nd - visit: https://www.nist.gov/baldrige/qe
NIST Manufacturing Profile
NIST Discrete Manufacturing Cybersecurity Framework Profile

Utilizing CSF Informative References to create tailored language for the manufacturing sector:
• NIST SP 800-53
• NIST SP 800-82
• ISA / IEC 62443

www.tiger-global.co.uk
USCG Maritime Bulk Liquids Transfer (BLT) Framework Profile

• NCCoE and United States Coast Guard (USCG) worked together to draft a USCG Maritime Profile, based on the Cybersecurity Framework
• Aligns the USCG’s cyber strategy with cybersecurity activities of the maritime bulk liquid transport operations of the oil & natural gas industry, utilizing standards and best practices guided by the Framework
• The profile can help individual companies clarify how cybersecurity fits into their mission priorities and how best to allocate resources to secure their information and operational systems.

The profile is available at: https://www.uscg.mil/hq/cg5/cg544/docs/Maritime_BLT_CSF.pdf
Resources
Where to Learn More and Stay Current

Framework for Improving Critical Infrastructure Cybersecurity and related news, information:
www.nist.gov/cyberframework

Additional cybersecurity resources:
http://csrc.nist.gov/

Questions, comments, ideas:
[email protected]