View
5
Download
0
Category
Preview:
Citation preview
The Confluence of Physical and Cyber y ySecurity ManagementGOVSEC 2009
Samuel A Merrell CISSP
GOVSEC 2009
Samuel A Merrell, CISSPJames F. Stevens, CISSP
© 2009 Carnegie Mellon University
Today’s Agenda:• Introduction• Risk Management Concepts• Confluence of Physical and Cyber Security• Adopting a Service View• A Service View for Critical Infrastructure• Next steps• Next steps
2
Software Engineering Institute
U.S. DoD – Office of the Under Secretary
(Research and Engineering)sponsor
(FFRDC*)
CERT Program
• Cyber Threat and Vulnerability Analysis
SurvivableNetwork
Technology
SurvivableEnterprise
Management
PracticesDevelopment
& Training
• Enterprise and Workforce Development• Secure Software and Systems• Digital Forensics
3
Digital Forensics
CERT Capabilities
Technology Organizations Community
Networks(Sensors and
Analysis)
Software(Artifact
Analysis)
Systems(Forensics)
Work Force Development
(Training)
Threat and Incident
Management
Resiliency Engineering
and Management
(Risk)
National CSIRTs
Software Assurance
Vulnerability Disclosure
4
Resiliency Engineering and Management
Resiliency Engineering and Management (REM) develops, deploys, g ( ) p , p y ,and institutionalizes tools, techniques, methods, and training that advance
forganizational capabilities for governing and managing operational resiliency and risk for critical assets (such asrisk for critical assets (such as information and infrastructure) and servicesservices
5
REM Research FocusREM work aligned along four focus areas:• Resiliency Engineering• Resiliency Engineering• Information Resiliency
Critical Infrastructure Resiliency• Critical Infrastructure Resiliency• Governance, Risk & Compliance
6
Today’s Agenda:• Introduction• Risk Management Concepts• Confluence of Physical and Cyber Security• Adopting a Service View• A Service View for Critical Infrastructure• Next steps• Next steps
7
RiskA risk is the possibility of incurring a loss or harm
For risk to exist in any circumstance the followingFor risk to exist in any circumstance, the following three conditions must be satisfied
Th t b l i t d ith th it ti• There must be a loss associated with the situation
• There must be some uncertainty with respect to the eventual outcomeeventual outcome
• Some choice or decision is required
8
The Basic Risk Equation
9
Risk Mitigation OptionsRisk Assumption. To accept the potential risk and continue operating the IT system or to implement controls to lower the risk to an acceptable level
Risk Avoidance. To avoid the risk by eliminating the risk cause and/or consequence
Risk Limitation. To limit the risk by implementing controls that minimize the y p gadverse impact of a threat's exercising a vulnerability
Risk Planning. To manage risk by developing a risk mitigation plan that prioritizes, implements and maintains controlsimplements, and maintains controls
Research and Acknowledgment. To lower the risk of loss by acknowledging the vulnerability or flaw and researching controls to correct the vulnerability
Risk Transference. To transfer the risk by using other options to compensate for the loss
10
Residual and Acceptable Risk
Residual risk is the potential for the occurrence of an adverse event afteroccurrence of an adverse event after adjusting for the effectiveness and impact of all implemented security measures (controls)
Acceptable risk is the level of residual risk that has been determined to be a reasonable level of potential loss/disruption to a system or organization
11
A Risk Management Process
Identify
AnalyzeControl
PlanMonitor
Implement
12
p
Diverse Risks To Be Managed
Fi i lFinancial
Organizational Risks
OperationalRelationship
MarketRegulatory
13
Security and Operational Risk• Managing firewall rule-sets
• Installing fences aroundInstalling fences around facilities
• Limiting access to gintellectual property or confidential information
• Developing business continuity and disaster recovery plansrecovery plans
The aim of these “security” activities, both physical d b i lti t l t ti l i k
14
and cyber, is ultimately to manage operational risk
Focus on Operational RiskA form of hazard risk affecting day-to-day business operationsp
The potential failure to achieve mission objectives
“Operational risk is defined as the risk of loss resulting from inadequate f g f qor failed internal processes, people, and systems, or from external events.”
--Basel II Capital Accords
15
Scope of Operational Risk is Vast
Actions of people
Systems & technology
Failed internal External
eventspeople failures processes events
Tech reliance Global economy Open boundaries Complexity Cultural shifts
16
Today’s Agenda:• Introduction• Risk Management Concepts• Confluence of Physical and Cyber Security• Adopting a Service View• A Service View for Critical Infrastructure• Conclusion• Conclusion
17
Physical Security - Yesterday
18
Cyber Security - Yesterday
19
Silos of Responsibility
20
Today - Confluence
21
The Risk Management Challenge• The convergence of physical
and cyber security has y yrapidly expanded the threat environment that must be managed
• Limited organizational il bl fresources are available for
security activitiesE th t th li it d• Ensure that those limited resources are effectively and efficiently deployed
22
efficiently deployed
“Human sacrifice, dogs and cats living together... mass hysteria!” – Dr. P. Venkmang y
23
A Structured Approach
24
Shifting Security Paradigms
TodayOperational
YesterdayScope: Security Operational
Enterprise
Continuous
Scope: Security
Ownership: IT and Physical
Focus: DiscreteInternal
Process
Focus: Discrete
Driver: External
Execution: Platform/practiceEnterprise resilience
p
Goal: IT and Physical security
25
An Integrated View of Security
Physical Security
C b OthersCyber Security
26
A Fresh Look at Security ManagementOperational risks must be managed within a program that g p gcan adapt to a dynamic environment – this requires
f factive mitigation of all identified risks, regardless of their nature (e g cyber or physical)(e.g., cyber or physical)
27
http://en.wikipedia.org/wiki/File:Pittsburgh_view-from-incline_sm.jpg
Today’s Agenda:• Introduction• Risk Management Concepts• Confluence of Physical and Cyber Security• Adopting a Service View• A Service View for Critical Infrastructure• Conclusion• Conclusion
28
Current Approaches to Security Management
Security by compliance•FISMA•HIPAA•PCI
Security by adoption of best practices•ISO 17799•DISA STIGs•Vendor guides
Result:
29
Uneven use of limited resources
Enterprise Perspective An enterprise view of risk
—Enables risk mitigation decisions gthat effectively deploy limited resourcesIntegrates with enterprise—Integrates with enterprise architecture approaches to security management
—NIST SP 800-39’s “Risk Executive”I t h i l d b—Incorporates physical and cyber security management
30
Assets of an Organization
Assets
31
Assets Support Business Processes
Business Processes
Assets
32
Business Processes Support Services
Services
Business Processes
Assets
33
Services Support the Mission
OrganizationalMissionX
MissionService 1
XServiceMission
Service NMission
ss o
XX
X MissionXX
FacilitiesTechnologyInformationPeople X34
X
Step 1: Understand Your Services• Formally identify the services that your
organization must deliver in order to accomplish its g pmission
• Ask “what are the core competencies of the porganization?”• Often, business units are divided along these lines
• Manufacturing Operations• Sales and Marketing
Finance• Finance• Compliance• Research and Development
35
• Customer Service
Operational Risks to Service Delivery
Risks to service delivery are what organizations need to care aboutneed to care about
• These risks arise from both physical and cyber threats, therefore, both of these risks need to bethreats, therefore, both of these risks need to be mitigated efficiently and effectively
• Physical and cyber protection strategies for assets y y p gcan be engineered and evaluated in terms of their ability to best ensure the service
36
Benefits of Adopting a Service ViewAlign the protection and sustainment strategies to the organization’s missiong
• Engineer a unified approach to mitigating risks• Evaluate protection strategies for effectiveness inEvaluate protection strategies for effectiveness in
protecting the mission• Ensure efficiencies in the application of limited pp
resources
37
Engineer a Unified Approach to Mitigating Risks-1
38
Engineer a Unified Approach to Mitigating Risks-2
39
Select Effective Protection Strategies
Business Services
40
Ensure EfficienciesMaximize use of limited resources by incorporating the disciplines of physical and cyber securityp p y y y
• What works best for your environment: a guard at a post, an automated intrusion detection system, or both?
41
Step 2: Define Service RequirementsWhat are the needs of the services that you have identified?• Customer Service is available between 9:00 am
and 5:00 pmp• This monitoring system must operate 24 x 7
42
Step 3: Map Assets to ServicesService: Loan Operations
Loan OfficersIBM AS/400Bank Tellers
Process: Account
Process: Account
Loan Account DatabaseCorporate Headquarters
Maintenanceccou t
Opening
43
Identifying Interdependencies
44
Step 4: Define Resiliency RequirementsService: Loan Operations Confidentiality
Loan Account data may be viewed only by Loan Officers, account servicing staff, and Customer Service.
IntegrityMaintenance of Loan accounts may be made only by tellers, or Loan officers.Deletions of existing Loan Account information
Process: Account
Process: Account
Deletions of existing Loan Account information may be made only by a Loan Officer.
AvailabilityLoan Accounts must be available during normal
Maintenanceccou t
Opening banking hours (9:00 am to 5:00 pm, Monday through Thursday, 9:00 am to 7:00 pm Friday, and 10:00 am to 1:00 pm on Saturdays).
45
Step 5: Assess Risk to the ServiceRisks to service delivery are what organizations need to care aboutgIdentify how assets are exposed to conditions that can lead to service interruption
• Ensure that all possible vectors of threat are considered – both physical and cyber
46
Step 6: Develop an Integrated Mitigation Strategy
47
Step 7: Monitor for ChangeMaintain vigilance in monitoring for changes in the operating environment.p g
• Ensure that changes do not introduce new risks.
48
Enterprise Perspective for Risk Management
1. Define enterprise services2. Identify Impact Evaluation Criteriay3. Map assets to services4. Define resiliency requirements for assets
using the needs of the services5. Assess risks to the reliable delivery of the
serviceservice6. Develop an integrated (using disciplines of
physical and cyber security) approach effectively mitigate identified risks
7. Monitor for changes in the environment
49
T d ’ A dToday’s Agenda:• Introduction
C fl f Ph i l d C b S it• Confluence of Physical and Cyber Security• Risk Management Concepts• Adopting a Service ViewAdopting a Service View• A Service View for Critical Infrastructure• Conclusion
50
Critical Infrastructure Protection
51
18 U.S. Critical Infrastructure Sectors ServicesXAgriculture and FoodBanking and Finance
ChemicalCommercial Facilities
Commercial Nuclear Reactors, Materials, and WasteDams
D f i d t i l bDefense industrial baseDrinking Water and Water Treatment Systems
Emergency ServicesEnergye gy
Government FacilitiesInformation Technology
ManufacturingN ti l M t d INational Monuments and Icons
Postal and ShippingPublic Health and Healthcare
Telecommunications
52
TelecommunicationsTransportation Systems
Critical Infrastructure Asset Identification
53
World’s Largest Ball of Sisal Twine, Kshttp://skyways.lib.ks.us/towns/Cawker/twine.html
Old MacDonald’s Petting Zoo, Alabama http://www.oldmacdonaldspettingzoo.com
NERC’s Struggle with Asset Identification
NERC’s CIP standards• NERC has robust physical securityNERC has robust physical security
requirements• “N-1” and “N-1-1” contingenciesg
• Currently having difficulty in identifying critical infrastructure assets• Some BES organizations claim to operate no critical
infrastructure
54
Managing Sector Risks
`Sector Service
Sector Member
Business Service
55
Energy Sector
MissionXMission
BES Function 1
BESMission
BES Function NMission
Accomplishment
XX
X MissionXXFacilitiesTechnologyInformationPeople X
56
Benefits of Adopting a Service View• Connect protection and sustainment strategies to the
sector’s mission• Risks can be defined in terms of service delivery• Impact evaluation criteria can be identified
• Physical and cyber protection strategies for assets can be engineered and evaluated in terms of their ability to best ensure the service
57
Connect to the Mission of the Sector
The requirements of the organization’s contribution to the sector service are thecontribution to the sector service are the basis for resiliency requirements for assets
58
Select Effective Protection Strategies
Critical Infrastructure Services
59
Resiliency Requirements• Connect requirements for Critical Infrastructure
Services to a sector member’s contribution to that service
• Establish service delivery requirements for that y qcontribution
• Implement controls to effectively and efficiently meet the requirements.
60
Recognize Dependencies
61
http://science.nasa.gov/headlines/y2009/21jan_severespaceweather.htm
Critical Infrastructure Risk Management
1. Define sector services2. Identify service requirementsy3. Map assets to how an organization
contributes to sector services4. Define resiliency requirements for assets
using the needs of the services5 Assess risks to the reliable delivery of the5. Assess risks to the reliable delivery of the
service6. Engineer an integrated (using disciplines
of physical and cyber security) approach effectively mitigate identified risks
7 Monitor for changes in the environment
62
7. Monitor for changes in the environment
Today’s Agenda:Today s Agenda:• Introduction• Confluence of Physical and Cyber Security• Confluence of Physical and Cyber Security• Risk Management Concepts• Adopting a Service Viewp g• A Service View for Critical Infrastructure• Conclusion
63
Summary and Conclusion
• Adopt a structured approach to identify services
• Use business rules to define resiliency requirements
• Assess risks to assets that will affect reliable service delivery
• Engineer protection strategies to• Engineer protection strategies to ensure infrastructure resiliency
• Continuously monitor for changesy g
64
http://www.3planesoft.com/img/clock_screen01.jpg
CERT® Resiliency Management Model
http://www.cert.org/resiliency
The CERT Resiliency Management Model is a capability model for operational resiliency management. It has two primary objectives:• Establish the convergence of operational risk and resiliency• Establish the convergence of operational risk and resiliency
management activities such as security, business continuity, and aspects of IT operations management into a single model.
• Apply a process improvement approach to operational resiliency• Apply a process improvement approach to operational resiliency management through the definition and application of a capability level scale that expresses increasing levels of process improvement.
65
Contact UsContact InformationSpeakersSamuel Merrell James Stevense-mail: smerrell@cert.org e-mail: jfs@cert.org
Phone412-268-5800(8 30 4 30 EST)(8:30 a.m. - 4:30 p.m. EST)
Webhttp://www.cert.org
Postal MailSoftware Engineering InstituteATTN: Customer RelationsATTN: Customer RelationsCarnegie Mellon UniversityPittsburgh, PA 15213-3890
66
Questions?
67
NoticesCopyright 2009 Carnegie Mellon University.NO WARRANTYTHIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE , ,MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.Use of any trademarks in this report is not intended in any way to infringe on the rights of theUse of any trademarks in this report is not intended in any way to infringe on the rights of the trademark holder.Internal use. Permission to reproduce this document for internal use is granted, provided the copyright and "No Warranty" statements are included with all reproductions. Requests for permission to prepare derivative works of this document for internal use should be addressedpermission to prepare derivative works of this document for internal use should be addressed to the SEI Licensing Agent.External use. Requests for permission to reproduce this document or prepare derivative works of this document for external and commercial use should be addressed to the SEI
68
Licensing Agent.
Recommended