• Home

  • Documents

  • Identifying Critical Assets - NIST€¦ · Final Criticality Level. Things to Note • Iterates...
15
Identifying Critical Assets for Risk Management Celia Paulsen 05/16/2018

Identifying Critical Assets - NIST€¦ · Final Criticality Level. Things to Note • Iterates throughout • Analyses are hierarchical – Multiple hierarchies of systems (of systems

  • Upload
    others

  • View
    8

  • Download
    0

Embed Size (px)

Citation preview

Page 1: Identifying Critical Assets - NIST€¦ · Final Criticality Level. Things to Note • Iterates throughout • Analyses are hierarchical – Multiple hierarchies of systems (of systems

Identifying CriticalAssets for Risk Management

Celia Paulsen05/16/2018

Page 2: Identifying Critical Assets - NIST€¦ · Final Criticality Level. Things to Note • Iterates throughout • Analyses are hierarchical – Multiple hierarchies of systems (of systems

Disclaimer: "The identification of any commercial product or trade name is included solely for the purpose of providing examples of publicly-disclosed events, and does not imply any particular position by the National Institute of Standards and Technology."

Page 3: Identifying Critical Assets - NIST€¦ · Final Criticality Level. Things to Note • Iterates throughout • Analyses are hierarchical – Multiple hierarchies of systems (of systems

Problem

• Technology– Interconnected– Sophisticated– Integral

• Complex SDLC Ecosystem

• Evolving Threats• Constant Change• $$$

Image by Andy Lamb: https://www.flickr.com/photos/speedoflife/6924482682

Page 4: Identifying Critical Assets - NIST€¦ · Final Criticality Level. Things to Note • Iterates throughout • Analyses are hierarchical – Multiple hierarchies of systems (of systems

NIST IR 8179:Criticality Analysis Process Model

• Method for identifying and prioritizing information systems and components– Increase understanding of the

organization’s IT/OT (and other) assets– Better decision making

• risk management• project management• acquisition, maintenance, and upgrade

– Informed distribution of finite resources

Page 5: Identifying Critical Assets - NIST€¦ · Final Criticality Level. Things to Note • Iterates throughout • Analyses are hierarchical – Multiple hierarchies of systems (of systems

Not Another…

• Failure Mode Effects and Criticality Analysis (FMECA)

• Business Continuity Planning• FIPS Level / Classification• Framework (RMF, CSF, etc.)

LEVERAGES AND INFORMS EXISTING PRACTICES – NOT DUPLICATING IT

Page 6: Identifying Critical Assets - NIST€¦ · Final Criticality Level. Things to Note • Iterates throughout • Analyses are hierarchical – Multiple hierarchies of systems (of systems

Reading the Model

ID

Name

Description

Inputs

Outputs

Roles & Responsibilities

(Process only)

Methods (Sub-process only)

Related Processes

Page 7: Identifying Critical Assets - NIST€¦ · Final Criticality Level. Things to Note • Iterates throughout • Analyses are hierarchical – Multiple hierarchies of systems (of systems

Criticality Analysis Process

A. Define & Scope

B. Program-Level Analysis

C. System-Level Analysis

D. Component-Level Analysis

E. Traceback

Page 8: Identifying Critical Assets - NIST€¦ · Final Criticality Level. Things to Note • Iterates throughout • Analyses are hierarchical – Multiple hierarchies of systems (of systems

Process A: Define & Scope

• Define:– Who– When– How

• Tailor if needed for each analysis

Page 9: Identifying Critical Assets - NIST€¦ · Final Criticality Level. Things to Note • Iterates throughout • Analyses are hierarchical – Multiple hierarchies of systems (of systems

Process B: Program-Level Analysis

1. Goals, assumptions, constraints, etc.

2. Activities3. Dependencies4. Operating States5. Baseline Criticality

Levels

Page 10: Identifying Critical Assets - NIST€¦ · Final Criticality Level. Things to Note • Iterates throughout • Analyses are hierarchical – Multiple hierarchies of systems (of systems

Process C: System/Subsystem-Level Analysis

1. Scope2. Functions3. Dependencies4. Operating States5. Baseline Criticality

Level

Page 11: Identifying Critical Assets - NIST€¦ · Final Criticality Level. Things to Note • Iterates throughout • Analyses are hierarchical – Multiple hierarchies of systems (of systems

Process D: Component/ Subcomponent-Level Analysis

1. Scope2. Functions3. Diagram4. Operating States5. Baseline Criticality

Levels

Page 12: Identifying Critical Assets - NIST€¦ · Final Criticality Level. Things to Note • Iterates throughout • Analyses are hierarchical – Multiple hierarchies of systems (of systems

Process E: Traceback

1. Identify connections & dependencies

2. Identify Existing Controls

3. Review Impact of Operating States

4. Apply Risk Info5. Final Criticality Level

Page 13: Identifying Critical Assets - NIST€¦ · Final Criticality Level. Things to Note • Iterates throughout • Analyses are hierarchical – Multiple hierarchies of systems (of systems

Things to Note

• Iterates throughout• Analyses are hierarchical

– Multiple hierarchies of systems (of systems of systems of systems of systems)

– begin at a high level and repeat at a lower level until desired detail is reached

• FLEXIBLE– Meant to work with existing processes, not to

replace or duplicate

Page 14: Identifying Critical Assets - NIST€¦ · Final Criticality Level. Things to Note • Iterates throughout • Analyses are hierarchical – Multiple hierarchies of systems (of systems

Related Work

• Cyber-Supply Chain Risk Managementcsrc.nist.gov/scrm

• FISMAcsrc.nist.gov/Projects/Risk-Management

• Cybersecurity Frameworkwww.nist.gov/cyberframework

http://www.csrc.nist.gov/scrm
https://csrc.nist.gov/Projects/Risk-Management
http://www.nist.gov/cyberframework
Page 15: Identifying Critical Assets - NIST€¦ · Final Criticality Level. Things to Note • Iterates throughout • Analyses are hierarchical – Multiple hierarchies of systems (of systems

Questions?

Celia PaulsenSecurity Engineering and Risk Management Group

National Institute of Standards and [email protected]

mailto:[email protected]

Hierarchies vs. Networks

Hierarchies vs. Networks

Technology
Microprocessor-based systems Curse 7 Memory hierarchies

Microprocessor-based systems Curse 7 Memory hierarchies

Documents
Reverse Dominance Hierarchies

Reverse Dominance Hierarchies

Technology
Vallejo Power Hierarchies

Vallejo Power Hierarchies

Documents
Thinking in systems: digital storytelling, knowledge hierarchies and environmental narratives

Thinking in systems: digital storytelling, knowledge hierarchies and environmental narratives

Environment
Hierarchies of Matter

Hierarchies of Matter

Documents
Multi-core Systems and Coherence Hierarchies

Multi-core Systems and Coherence Hierarchies

Documents
Designing Effective Hierarchies

Designing Effective Hierarchies

Documents
Contexts, hierarchies, and filters : a study of transformational systems as disambiguated languages

Contexts, hierarchies, and filters : a study of transformational systems as disambiguated languages

Documents
Reinforcement Learning with Hierarchies of Machinespapers.nips.cc/paper/1384-reinforcement-learning-with-hierarchies-of... · Reinforcement Learning with Hierarchies of Machines *

Reinforcement Learning with Hierarchies of Machinespapers.nips.cc/paper/1384-reinforcement-learning-with-hierarchies-of... · Reinforcement Learning with Hierarchies of Machines *

Documents
The Celestial Hierarchies

The Celestial Hierarchies

Documents
Hierarchies in representations

Hierarchies in representations

Documents
Leveraging ModelBuilder for Advanced GeoprocessingIteration = looping = repeat a process over and over Iterators. Iterates over a starting and ending value by a given value. Iterates

Leveraging ModelBuilder for Advanced GeoprocessingIteration = looping = repeat a process over and over Iterators. Iterates over a starting and ending value by a given value. Iterates

Documents
New Hierarchies

New Hierarchies

Documents
Hierarchies in Biology

Hierarchies in Biology

Documents
Hierarchies and eBay

Hierarchies and eBay

Documents
Load Hierarchies

Load Hierarchies

Documents
Memory Hierarchies, Pipelines, and Buses for Future … · Memory Hierarchies, Pipelines, and Buses for Future Architectures in Time-Critical Embedded Systems Reinhard Wilhelm, Daniel

Memory Hierarchies, Pipelines, and Buses for Future … · Memory Hierarchies, Pipelines, and Buses for Future Architectures in Time-Critical Embedded Systems Reinhard Wilhelm, Daniel

Documents
DRM - Alternate Hierarchies

DRM - Alternate Hierarchies

Documents
Gopal Hierarchies+ Paper)

Gopal Hierarchies+ Paper)

Documents
1Chapter 7 Memory Hierarchies (Part 2) Outline of Lectures on Memory Systems 1. Memory Hierarchies 2. Cache Memory 3. Virtual Memory 4. The future

1Chapter 7 Memory Hierarchies (Part 2) Outline of Lectures on Memory Systems 1. Memory Hierarchies 2. Cache Memory 3. Virtual Memory 4. The future

Documents
04 Managing Hierarchies

04 Managing Hierarchies

Documents
Higher than Hierarchies: New Ways to Soar Beyond Current Systems

Higher than Hierarchies: New Ways to Soar Beyond Current Systems

Leadership & Management
Hierarchies of Isomonodromic Deformations and Hitchin Systems

Hierarchies of Isomonodromic Deformations and Hitchin Systems

Documents
Classification Systems, Social Hierarchies, and Gender

Classification Systems, Social Hierarchies, and Gender

Documents
Type Hierarchies

Type Hierarchies

Documents
Surgery for partially hyperbolic dynamical systems I. Blow ... · Examples of partially hyperbolic dynamical systems can be roughly classi ed (up to homotopy, nite iterates and nite

Surgery for partially hyperbolic dynamical systems I. Blow ... · Examples of partially hyperbolic dynamical systems can be roughly classi ed (up to homotopy, nite iterates and nite

Documents
Manual Ragged Hierarchies

Manual Ragged Hierarchies

Documents
Models & Hierarchies

Models & Hierarchies

Documents
Galois Groups for Polynomials Related to Quadratic Map Iterates

Galois Groups for Polynomials Related to Quadratic Map Iterates

Documents