Published on February 19, 2014
NIST Cyber Critical Infrastructure Guidelines
Meet Our Panelists
Allen Johnston, Ph.D., Associate Professor of Information Systems
Paul M. Di Gangi, Ph.D., CISSP, Assistant Professor of Information Systems
Deborah Williams, CISSP, Program Manager
Matthew Speare, Head of Governance & Integration
Angella Carlisle, CISSP, CRISC, CHSP, IT Security Manager
Dave Summitt, CISSP, Chief Information Security Officer
Critical Infrastructure Gone Digital...
EO 13636: Improving Critical Infrastructure Cybersecurity (February 2013)
"It is the policy of the United States to enhance the security and resilience of the Nation's critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties."
What are the critical infrastructure sectors?
85% of critical infrastructure is privately owned.
What are we already doing to protect these sectors?
Critical sector and applicable regulations/standards/laws:
Agriculture & Food: 21 CFR 11
Government Facilities: N/A
Commercial Facilities: 25 CFR 542
National Monuments & Icons: N/A
Dams: CIP 002-009 (Mandatory)
Transportation Systems: 49 CFR 193, 1520
Chemical: 6 CFR 27
Critical Manufacturing: N/A
Emergency Services: N/A
Healthcare & Public Health: 45 CFR 164 (HIPAA)
Nuclear Reactors, Materials & Waste: 10 CFR 73 (NRC)
Water: 42 U.S.C. 300-2 (Law)
Energy: CIP 002-009 (Mandatory)
Information Technology: N/A
Postal & Shipping: N/A
Banking & Finance: 12, 16, 17, 31 CFR (SOX, GLB, AML)
Communications: N/A
Defense Industrial Base: NISPOM
But there are still gaps to the overall strategy!
Organizational Views on Cybersecurity (Framework Implementation Tiers)
Adaptive: Adapts cybersecurity practices based on lessons learned and predictive indicators; organization-wide approach to managing risk using risk-informed policies, processes, and procedures; actively shares information with partners.
Repeatable: Risk management practices are formally approved, expressed in policy, and updated regularly; organization-wide approach to managing risk using risk-informed policies, processes, and procedures; understands dependencies with partners.
Informed: Risk management practices are approved by management, but may not have established organization-wide policy; awareness of risk at the organizational level, but the approach is not established; not formally sharing with partners.
Partial: Risk management practices are not formalized and risk is managed in a reactive manner; implements risk management on a case-by-case basis; may not coordinate or collaborate with partners.
Cybersecurity Framework
Strategically oriented for a "Big Picture" view
Threat/risk centric
Process approach
Why should organizations adopt a nonmandatory framework?
Incentive type and summary description:
Grants: Fixed-cost, performance-based awards for investment in cybersecurity products and services for prospective Framework adopters.
Rate Recovery for Price-Regulated Industries: Recovery of cybersecurity investments in the rates charged for services provided by Framework adopters through a price cap, in which the government allows a firm to charge up to a certain maximum price that is independent of the realized cost.
Bundled Insurance Requirements, Liability Protection, and Legal Benefits: A system of litigation risk mitigation for which those entities that adopt the Framework and meet reasonable insurance requirements are eligible to apply. Other types of legal benefits may include limited indemnity, higher burdens of proof, or limited penalties; case consolidations; case transfers to a single Federal court; creation of a Federal legal privilege that preempts State disclosure and/or discovery requirements for certain cybersecurity self-assessments.
Prioritizing Certain Classes of Training and Technical Assistance: The Federal Government offers several types of technical assistance to critical infrastructure owners and operators, including preparedness support, assessments, training of employees, and advice on best practices.
Procurement Considerations: Introduce a technical requirement in the procurement process for certain types of acquisitions for Framework adopters, or requirements for Framework adoption for Federal information and communications technology providers or other contracts, particularly those involving access to sensitive government information or essential services.
Streamline Information Security Regulations: Creation of a unified compliance model for similar requirements and elimination of overlaps among existing laws; streamlining of differences between U.S. and international law (perhaps through treaties); ensuring equivalent adoption; reducing audit burdens; and offering prioritized permitting.
Where are we in the timeline?
Panel Discussion Question: What are the pressing issues for critical infrastructure organizations in the information security/assurance domain? What are the initial reactions of organizations in your industry to the recently released Critical Infrastructure guidelines?
Panel Discussion Question: How well do the Critical Infrastructure guidelines integrate with your existing regulatory requirements? What is new that is currently not addressed? Are the Critical Infrastructure guidelines likely to become a standard for your industry, or do you see a different set of guidelines being adopted?
Panel Discussion Question: What are the primary challenges your organization faces for implementing the Critical Infrastructure guidelines?
Panel Discussion Question: How are the incentives for complying with the Critical Infrastructure guidelines being perceived within your industry? Of the proposed incentives (grants, technical assistance, rate recovery, liability reform), which are most attractive to you?