Cyber Critical Infrastructure Framework Panel


Published on February 19, 2014

Author: pmd06c



The following presentation slides were used during the 2014 Cyber Summit Panel Session on Cyber Critical Infrastructure Guidelines at the University of Alabama at Birmingham.

NIST Cyber Critical Infrastructure Guidelines

Meet Our Panelists

Allen Johnston, Ph.D. - Associate Professor of Information Systems
Paul M. Di Gangi, Ph.D., CISSP - Assistant Professor of Information Systems
Deborah Williams, CISSP - Program Manager
Matthew Speare - Head of Governance & Integration
Angella Carlisle, CISSP, CRISC, CHSP - IT Security Manager
Dave Summitt, CISSP - Chief Information Security Officer


Critical Infrastructure Gone Digital...

EO 13636: Improving Critical Infrastructure Cybersecurity (February 2013)

"It is the policy of the United States to enhance the security and resilience of the Nation's critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties."

What are the critical infrastructure sectors?

85% privately owned

What are we already doing to protect these sectors?

Critical Sector                          Reg's/Standards/Laws
Agriculture & Food                       21 CFR 11
Government Facilities                    N/A
Commercial Facilities                    25 CFR 542
National Monuments & Icons               N/A
Dams                                     CIP 002-009 (Mandatory)
Transportation Systems                   49 CFR 193, 1520
Chemical                                 6 CFR 27
Critical Manufacturing                   N/A
Emergency Services                       N/A
Healthcare & Public Health               45 CFR 164 (HIPAA)
Nuclear Reactors, Materials & Waste      10 CFR 73 (NRC)
Water                                    42 U.S.C. 300-2 (Law)
Energy                                   CIP 002-009 (Mandatory)
Information Technology                   N/A
Postal & Shipping                        N/A
Banking & Finance                        12, 16, 17, 31 CFR (SOX, GLB, AML)
Communications                           N/A
Defense Industrial Base                  NISPOM

But there are still gaps to the overall strategy!

Organizational Views on Cybersecurity

Adaptive: Adapts cybersecurity practices based on lessons learned and predictive indicators; organization-wide approach to managing risk using risk-informed policies, processes, and procedures; actively shares information with partners.

Repeatable: Risk management practices are formally approved, expressed in policy, and updated regularly; organization-wide approach to managing risk using risk-informed policies, processes, and procedures; understands dependencies with partners.

Informed: Risk management practices are approved by management, but may not have established organization-wide policy; awareness of risk at the organizational level, but an organization-wide approach is not established; not formally sharing with partners.

Partial: Risk management practices are not formalized and risk is managed in a reactive manner; implements risk management on a case-by-case basis; may not coordinate or collaborate with partners.

Cybersecurity Framework

Cybersecurity Framework

- Strategically oriented for a "big picture" view
- Threat/risk centric
- Process approach

Why should organizations adopt a non-mandatory framework?

Incentive Type: Grants
Summary Description: Fixed-cost, performance-based awards for investment in cybersecurity products and services for prospective Framework adopters.

Incentive Type: Rate Recovery for Price-Regulated Industries
Summary Description: Recovery of cybersecurity investments in the rates charged for services provided by Framework adopters through a price cap, in which the government allows a firm to charge up to a certain maximum price that is independent of the realized cost.

Incentive Type: Bundled Insurance Requirements, Liability Protection, and Legal Benefits
Summary Description: A system of litigation risk mitigation for which those entities that adopt the Framework and meet reasonable insurance requirements are eligible to apply. Other types of legal benefits may include limited indemnity, higher burdens of proof, or limited penalties; case consolidations; case transfers to a single Federal court; creation of a Federal legal privilege that preempts State disclosure and/or discovery requirements for certain cybersecurity self-assessments.

Incentive Type: Prioritizing Certain Classes of Training and Technical Assistance
Summary Description: The Federal Government offers several types of technical assistance to critical infrastructure owners and operators, including preparedness support, assessments, training of employees, and advice on best practices.

Incentive Type: Procurement Considerations
Summary Description: Introduce a technical requirement in the procurement process for certain types of acquisitions for Framework adopters, or requirements for Framework adoption for Federal information and communications technology providers or other contracts, particularly those involving access to sensitive government information or essential services.

Incentive Type: Streamline Information Security Regulations
Summary Description: Creation of a unified compliance model for similar requirements and elimination of overlaps among existing laws; streamlining of differences between U.S. and international law (perhaps through treaties); ensuring equivalent adoption; reducing audit burdens; and offering prioritized permitting.

Where are we in the timeline?

Panel Discussion Question: What are the pressing issues for critical infrastructure organizations in the information security/assurance domain? What are the initial reactions of organizations in your industry to the Critical Infrastructure guidelines that were recently released?

Panel Discussion Question: How well do the Critical Infrastructure guidelines integrate with your existing regulatory requirements? What is new that is currently not addressed? Are the Critical Infrastructure guidelines likely to become a standard for your industry, or do you see a different set of guidelines being adopted?

Panel Discussion Question: What are the primary challenges your organization faces for implementing the Critical Infrastructure guidelines?

Panel Discussion Question: How are the incentives for complying with the Critical Infrastructure guidelines being perceived within your industry? Of the proposed incentives (grants, technical assistance, rate recovery, liability reform), which are most attractive to you?
