Andrew Yang, Ph.D., CISSP Executive director, Cyber Security Institute Associate Professor of CS, CIS, IT NIST Cybersecurity Framework (CSF) for Critical Infrastructures 1


Andrew Yang, Ph.D., CISSP
Executive director, Cyber Security Institute
Associate Professor of CS, CIS, IT

NIST Cybersecurity Framework (CSF) for Critical Infrastructures


“Cybersecurity Framework is dead.”

Really?

• A bunch of questions about cybersecurity frameworks
- What is a cybersecurity framework?
- Why do we need a framework?
- Will adopting a framework reduce the organization’s IT security risk?
- Will adopting a framework provide sufficient security to the organization?


Outline

What is a cybersecurity framework?

• The NIST Cybersecurity Framework

• Use and Implications of the CSF

• Discussions


• http://whatis.techtarget.com/definition/framework:

“a framework is a real or conceptual structure intended to serve as a support or guide for the building of something that expands the structure into something useful.”

• Example: the Zachman framework (for Enterprise Architecture and Information Systems Architecture)

“a logical structure intended to provide a comprehensive representation of an information technology enterprise that is independent of the tools and methods used in any particular IT business”


Too many frameworks!

• ISO/IEC 27001 & 27002 (formerly ISO 17799)
• NIST SP 800-53: Security and Privacy Controls for Federal Information Systems and Organizations
• Federal Enterprise Architecture Framework (FEAF)
• Sherwood Applied Business Security Architecture (SABSA)
• NIST SP 800-39: Risk Management Framework
• Security in Major IT Management Frameworks
• …


• Feb. 12, 2013: Obama administration issued an executive order for “improving critical infrastructure cybersecurity”.
– Several mandates:
  Expanding information sharing
  Establishing a cybersecurity framework
  …

• “The executive order calls for the NIST to establish a baseline framework to reduce cyber-risk to critical infrastructure.”
– Oct. 2013: first draft of the framework
– Feb. 2014: final draft (v1.0)


Risk Management Model

• Source: http://en.wikipedia.org/wiki/IT_risk_management


Cybersecurity framework?

• “The security professional needs to adhere to a framework. … once the security professional begins to bring order to the organization’s security program, they are implementing a framework.”
-- http://www.securitycurrent.com/en/writers/david-sheidlower/security-where-myths-should-go-to-die

• Benefits:
– From chaos to order and organization
– Manageable practice
– From tools / mechanisms, to architecture / policy, to strategy / governance


Outline

• What is a cybersecurity framework?

The NIST Cybersecurity Framework

• Use and Implications of the CSF

• Discussions


NIST Cybersecurity Framework

• Framework for Improving Critical Infrastructure Cybersecurity, version 1.0, the National Institute of Standards and Technology (NIST), February 12, 2014.
o A response to the President’s Executive Order 13636, “Improving Critical Infrastructure Cybersecurity” on February 12, 2013.

• Critical infrastructure: “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”

• A voluntary risk-based Cybersecurity Framework – a set of industry standards and best practices to help organizations manage cybersecurity risks

• The Framework is technology neutral.


Using the Framework

• Building from standards, guidelines, and practices, the Framework provides a common taxonomy and mechanism for organizations to:
1) Describe their current cybersecurity posture;
2) Describe their target state for cybersecurity;
3) Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process;
4) Assess progress toward the target state;
5) Communicate among internal and external stakeholders about cybersecurity risk.


NIST Cybersecurity Framework

• Three parts:
o The Framework Core
o The Framework Profile
o The Framework Implementation Tiers

• Framework Core
- A set of activities, outcomes, and informative references
- Providing the detailed guidance for developing individual organizational Profiles


Framework Core

• Five concurrent and continuous Functions
— Identify
— Protect
— Detect
— Respond
— Recover

• (Altogether) the functions provide a high-level, strategic view of the lifecycle of an organization’s management of cybersecurity risk.


• Functions organize basic cybersecurity activities at their highest level.

• Categories are the subdivisions of a Function into groups of cybersecurity outcomes closely tied to programmatic needs and particular activities.
o Example Categories: “Asset Management,” “Access Control,” “Detection Processes.”


Framework Profile

• Represents the outcomes based on business needs that an organization has selected from the Framework Categories and Subcategories

• Aligning standards, guidelines, and practices to the Framework Core in a particular implementation scenario

• “Current” profile and “Target” profile

• Comparison of Profiles may reveal gaps to be addressed to meet cybersecurity risk management objectives.
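The five steps on the “Using the Framework” slide and the Current/Target Profile comparison above are easy to state and easy to get wrong in a spreadsheet, so here is a small worked gap analysis. This is an added example, not code from the slides or from NIST. The Function and Category names are the ones the deck cites; the Subcategory outcome statements, the 1-4 maturity scores (borrowing the Tier scale, Partial to Adaptive, as a per-outcome score) and the business-priority weights are constructed sample data. It also handles the case the DOE guidance later mentions, where a current practice already exceeds the target.

```python
"""Gap analysis between a Current and a Target Framework Profile.

Added example, not from the slides or from NIST. Function and Category
names follow the deck; Subcategory statements, the 1-4 scores and the
weights are constructed sample data.
"""
from dataclasses import dataclass

# Score scale borrowed from the Implementation Tier names (constructed use).
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}


@dataclass(frozen=True)
class Outcome:
    function: str     # CSF Function: Identify, Protect, Detect, Respond, Recover
    category: str     # CSF Category, e.g. "Asset Management"
    subcategory: str  # outcome statement (constructed paraphrase)
    weight: int       # business priority 1 (low) .. 3 (high), constructed


# Constructed slice of the Core: three Categories named in the deck.
OUTCOMES = [
    Outcome("Identify", "Asset Management", "Physical devices are inventoried", 3),
    Outcome("Identify", "Asset Management", "Software platforms are inventoried", 2),
    Outcome("Protect", "Access Control", "Identities and credentials are managed", 3),
    Outcome("Protect", "Access Control", "Remote access is managed", 2),
    Outcome("Detect", "Detection Processes", "Detection activities meet requirements", 1),
    Outcome("Detect", "Detection Processes", "Detection processes are tested", 2),
]

# Constructed Profiles: one score per Subcategory on the 1-4 scale.
CURRENT_PROFILE = {
    "Physical devices are inventoried": 2,
    "Software platforms are inventoried": 1,
    "Identities and credentials are managed": 3,
    "Remote access is managed": 2,
    "Detection activities meet requirements": 4,  # already beyond the target
    "Detection processes are tested": 1,
}
TARGET_PROFILE = {
    "Physical devices are inventoried": 4,
    "Software platforms are inventoried": 3,
    "Identities and credentials are managed": 3,
    "Remote access is managed": 4,
    "Detection activities meet requirements": 3,
    "Detection processes are tested": 3,
}


def gap_report(outcomes, current, target):
    """Steps 1-3: compare the two Profiles and rank the gaps.

    A Subcategory absent from the Current Profile is scored Partial (1);
    a Current score above Target is flagged as a strength, not a gap."""
    rows = []
    for o in outcomes:
        cur = current.get(o.subcategory, 1)
        tgt = target[o.subcategory]
        gap = max(tgt - cur, 0)
        rows.append({
            "function": o.function,
            "category": o.category,
            "subcategory": o.subcategory,
            "current": TIERS[cur],
            "target": TIERS[tgt],
            "gap": gap,
            "priority": gap * o.weight,
            "exceeds_target": cur > tgt,
        })
    # Largest weighted gap first; ties broken by Function, then Subcategory.
    rows.sort(key=lambda r: (-r["priority"], r["function"], r["subcategory"]))
    return rows


def gap_by_function(report):
    """Roll weighted gaps up to the Function level for step 5, stakeholder reporting."""
    totals = {}
    for r in report:
        totals[r["function"]] = totals.get(r["function"], 0) + r["priority"]
    return totals


def progress(current, target):
    """Step 4: share of the Target Profile's total maturity already reached.

    Scores above target count only up to the target, so over-achievement
    in one area cannot mask a gap elsewhere."""
    reached = sum(min(current.get(k, 1), v) for k, v in target.items())
    return reached / sum(target.values())


if __name__ == "__main__":
    report = gap_report(OUTCOMES, CURRENT_PROFILE, TARGET_PROFILE)
    for r in report:
        flag = " (exceeds target)" if r["exceeds_target"] else ""
        print(f'{r["priority"]:>2}  {r["function"]:<8} {r["subcategory"]}: '
              f'{r["current"]} -> {r["target"]}{flag}')
    print("Weighted gap by Function:", gap_by_function(report))
    print(f"Progress toward Target Profile: {progress(CURRENT_PROFILE, TARGET_PROFILE):.0%}")
```

The weight is the part that turns a flat list of gaps into the “prioritize opportunities for improvement” step: two outcomes with the same two-level gap land in different places depending on how much the business depends on them. Keeping the Profile as plain per-Subcategory scores, rather than a narrative document, is also what makes the progress figure repeatable from one assessment cycle to the next.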


Framework Profile

• The Framework document does not prescribe Profile templates, allowing for flexibility in implementation.

• Example profiles can be found: http://www.nist.gov/itl/upload/discussion-draft_illustrative-examples-082813.pdf

• Example Profiles for Threat Mitigation:
1. Mitigating intrusions
2. Mitigating malware
3. Mitigating insider threats


Coordination of Framework Implementation


Implementation Tiers

• Describe the degree to which an organization’s cybersecurity risk management practices exhibit the characteristics defined in the Framework.

• Characterize an organization’s practices over a range – from Partial (Tier 1) to Adaptive (Tier 4)
  • Partial: risks are managed in an ad hoc manner
  • Risk Informed: Risk management practices are approved by management but may not be established as organizational-wide policy.
  • Repeatable: Risk management practices are formally approved and expressed as policy.
  • Adaptive: The organization adapts its cybersecurity practices based on lessons learned and predictive indicators derived from previous and current cybersecurity activities.

– Reflect a progression from informal, reactive responses to approaches that are agile and risk-informed.


Outline

• A bunch of questions about cybersecurity frameworks 

• What is a cybersecurity framework?

• The NIST Cybersecurity Framework

Use and Implications of the CSF

• Discussions


• Rodney Brown, Cyber-Security Standards for Major Infrastructure, InformationWeek::reports, Jan. 2014.

“In a March 12 (2014) instruction (8501.01), DoD Chief Information Officer Teri Takai said that starting that same day, defense and military systems will henceforth go through the risk management framework outlined by the National Institute of Standards and Technology rather than through the now-defunct DoD Information Assurance Certification and Accreditation Process (DIACAP).”


Use and Implications of the CSF

• Rodney Brown, Cyber-Security Standards for Major Infrastructure, InformationWeek::reports, Jan. 2014.

“The Cybersecurity Framework is likely to become the liability floor, much like Sarbanes-Oxley has become.”

• Jon W. Burd, Cybersecurity Developments: Does the NIST “Voluntary” Framework Portend New Requirements for Contractors? Fall 2013 | Government Contracts Issue Update, Wiley Rein, LLP.

“The framework is intended to complement existing business and cybersecurity operations for organizations with formal existing plans and policies, or to serve as a template for organizations that create new programs.”

“For government contractors, in particular, one “incentive” agencies could adopt—either through formal rulemaking or on an ad hoc basis—is a preference for framework participants in competitions for federal information technology (IT) or cyber-related contracts.”


• Earl Perkins, NIST Framework Establishes Risk Basics for Critical Infrastructure, Gartner.com, Feb. 18, 2014.

https://www.gartner.com/doc/2667132/nist-framework-establishes-risk-basics

“The Framework for Critical Infrastructure is a useful tool for managing cybersecurity risk, but will not replace risk management programs.”

“The CSF is not designed to replace large-scale cybersecurity risk programs or existing operational frameworks such as COBIT or ISO 2700x.”

“The CSF serves as taxonomy for risk management of critical infrastructure in a cybersecurity context.”

“The CSF is an absolute minimum of guidance for new or existing cybersecurity risk programs, and is a legal framework for aligning IT to OT security.”

“The core, tiers and profile elements address combined cybersecurity risks for IT/OT by providing a single approach — one Gartner believes is urgently needed.”


Gartner Recommendations

Enterprises:
• Use the CSF as a legal framework to map your IT/OT risks.
• Avoid making long-term procurement- or compliance-based decisions from the CSF's guidance in its current state as it is missing key components.
• Continue to apply standards that are well-accepted by your respective industries.

Critical infrastructure companies with existing cybersecurity risk programs:
• Use the CSF to validate program completeness.

Enterprises with nascent cybersecurity risk management programs:
• Use the CSF as a starting point for cybersecurity risk planning, as a self-assessment tool and as a reference to weigh consulting offerings.

Companies with considerable IT/OT assets:
• Use the CSF as an aid to align and integrate cybersecurity risk management across corporate and industrial control/automation requirements.


• U.S. Department of Energy, Use of the NIST Cybersecurity Framework & DOE C2M2, Feb. 2014. http://energy.gov/sites/prod/files/2014/02/f7/Use-of-NIST-Cybersecurity-Framework-DOE-C2M2.pdf


ENERGY SECTOR CYBERSECURITY FRAMEWORK IMPLEMENTATION GUIDANCE - DRAFT FOR PUBLIC COMMENT & COMMENT SUBMISSION FORM (SEPTEMBER 2014)

http://energy.gov/oe/downloads/energy-sector-cybersecurity-framework-implementation-guidance-draft-public-comment

“This Framework Implementation Guidance is designed to assist energy sector organizations to:
• Characterize their current and target cybersecurity posture.
• Identify gaps in their existing cybersecurity risk management programs, using the Framework as a guide, and identify areas where current practices may exceed the Framework.
• Recognize that existing sector tools, standards, and guidelines may support Framework implementation.
• Effectively demonstrate and communicate their risk management approach and use of the Framework to both internal and external stakeholders.”


Outline

• A bunch of questions about cybersecurity frameworks 

• What is a cybersecurity framework?

• The NIST Cybersecurity Framework

• Use and Implications of the CSF

Discussions


Review Questions

- What is a cybersecurity framework?
- Why do we need a framework?
- Will adopting a framework reduce the organization’s IT security risk?
- Will adopting a framework provide sufficient security to the organization?


Richard Stiennon, Floundering Frameworks: NIST as a Case in Point, SecurityCurrent, Oct. 24, 2013: http://www.securitycurrent.com/en/writers/richard-stiennon/floundering-frameworks-nist-as-a-case-in-point

“When the NIST Cybersecurity Framework is completed it will, at best, become shelfware. At worst, Congress will eventually create a law requiring critical infrastructure operators to implement the Framework. Thanks to strong lobbying on the part of the regulated, the law will provide funding for implementation of the Framework, funding that will fill the pockets of audit firms and consultants. At the end of the day the risk of a debilitating cyber attack will have been reduced by exactly zero.”


NIST Roadmap for Improving Critical Infrastructure Cybersecurity, February 12, 2014

• Strengthening Private Sector Involvement in Future Governance of the Framework

• Section 4: Areas for Development, Alignment, and Collaboration
4.1 Authentication
4.2 Automated indicator sharing
4.3 Conformity assessment
4.4 Cybersecurity workforce
4.5 Data analytics
4.6 Federal agency cybersecurity alignment
4.7 International aspects, impacts, and alignment
4.8 Supply chain risk management
4.9 Technical privacy standards


Thanks!

Questions ?

Andrew Yang
[email protected]
http://www.uhcl.edu/sce/csi