Andrew Yang, Ph.D., CISSP, Executive Director, Cyber Security Institute; Associate Professor of CS, CIS, IT. NIST Cybersecurity Framework (CSF) for Critical Infrastructures.

Presentation transcript:


“Cybersecurity Framework is dead.” Really?

A bunch of questions about cybersecurity frameworks:
- What is a cybersecurity framework?
- Why do we need a framework?
- Will adopting a framework reduce the organization’s IT security risk?
- Will adopting a framework provide sufficient security to the organization?

Outline
- What is a cybersecurity framework? (this section)
- The NIST Cybersecurity Framework
- Use and Implications of the CSF
- Discussions

“A framework is a real or conceptual structure intended to serve as a support or guide for the building of something that expands the structure into something useful.”

Example: the Zachman framework (for Enterprise Architecture and Information Systems Architecture): “a logical structure intended to provide a comprehensive representation of an information technology enterprise that is independent of the tools and methods used in any particular IT business.”


Too many frameworks!
- ISO/IEC (formerly ISO 17799)
- NIST SP: Security and Privacy Controls for Federal Information Systems and Organizations
- Federal Enterprise Architecture Framework (FEAF)
- Sherwood Applied Business Security Architecture (SABSA)
- NIST SP: Risk Management Framework
- Security in major IT management frameworks
- …

Feb. 12, 2013: the Obama administration issued an executive order for “Improving Critical Infrastructure Cybersecurity”.
- Several mandates: expanding information sharing; establishing a cybersecurity framework; …
- “The executive order calls for the NIST to establish a baseline framework to reduce cyber-risk to critical infrastructure.”
- Oct. 2013: first draft of the framework
- Feb. 2014: final draft (v1.0)

Risk Management Model (figure). Source: [link not preserved in the transcript]


Cybersecurity framework? “The security professional needs to adhere to a framework. … Once the security professional begins to bring order to the organization’s security program, they are implementing a framework.”

Benefits:
- From chaos to order and organization
- Manageable practice
- From tools / mechanisms → architecture / policy → strategy / governance

Outline
- What is a cybersecurity framework?
- The NIST Cybersecurity Framework (this section)
- Use and Implications of the CSF
- Discussions

NIST Cybersecurity Framework
- Framework for Improving Critical Infrastructure Cybersecurity, version 1.0, National Institute of Standards and Technology (NIST), February 12, 2014.
- A response to the President’s Executive Order 13636, “Improving Critical Infrastructure Cybersecurity”, of February 12, 2013.
- Critical infrastructure: “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”
- A voluntary, risk-based Cybersecurity Framework: a set of industry standards and best practices to help organizations manage cybersecurity risks.
- The Framework is technology neutral.


Using the Framework. Building from standards, guidelines, and practices, the Framework provides a common taxonomy and mechanism for organizations to:
1. Describe their current cybersecurity posture;
2. Describe their target state for cybersecurity;
3. Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process;
4. Assess progress toward the target state;
5. Communicate among internal and external stakeholders about cybersecurity risk.

NIST Cybersecurity Framework: three parts
- The Framework Core
- The Framework Profile
- The Framework Implementation Tiers

Framework Core
- A set of activities, outcomes, and informative references
- Provides the detailed guidance for developing individual organizational Profiles

Framework Core: five concurrent and continuous Functions
- Identify
- Protect
- Detect
- Respond
- Recover

Altogether, the Functions provide a high-level, strategic view of the lifecycle of an organization’s management of cybersecurity risk.

Functions organize basic cybersecurity activities at their highest level. Categories are the subdivisions of a Function into groups of cybersecurity outcomes closely tied to programmatic needs and particular activities.
- Example Categories: “Asset Management,” “Access Control,” “Detection Processes.”


Framework Profile
- Represents the outcomes, based on business needs, that an organization has selected from the Framework Categories and Subcategories
- Aligns standards, guidelines, and practices to the Framework Core in a particular implementation scenario
- “Current” Profile → “Target” Profile
- Comparison of Profiles may reveal gaps to be addressed to meet cybersecurity risk management objectives.

Framework Profile
- The Framework document does not prescribe Profile templates, allowing for flexibility in implementation.
- Example Profiles can be found in an examples PDF.
- Example Profiles for Threat Mitigation:
  1. Mitigating intrusions
  2. Mitigating malware
  3. Mitigating insider threats
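The Profile comparison described in these slides, as an added example that is not part of the original presentation: a small Python model of a slice of the Framework Core, with a constructed Current Profile and Target Profile, and a gap analysis that lists the Categories where the Target exceeds the Current state, largest gap first. The three-level status scale is an assumption of the example (the Framework prescribes no scoring scheme); the Category identifiers follow CSF v1.0 naming.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The five concurrent Functions of the Framework Core, in Framework order.
FUNCTIONS = ["Identify", "Protect", "Detect", "Respond", "Recover"]
# Ordinal scale for how fully a Category's outcomes are achieved. Constructed
# for this example: the Framework itself prescribes no scoring scheme.
STATUS = {"not_implemented": 0, "partial": 1, "implemented": 2}

@dataclass(frozen=True)
class Category:
    cid: str       # Category identifier as named in CSF v1.0
    function: str  # one of FUNCTIONS
    name: str

# A slice of the Core: the three Categories named on the slides plus one each
# from Respond and Recover, so that every Function is represented.
CORE = [
    Category("ID.AM", "Identify", "Asset Management"),
    Category("PR.AC", "Protect", "Access Control"),
    Category("DE.DP", "Detect", "Detection Processes"),
    Category("RS.RP", "Respond", "Response Planning"),
    Category("RC.RP", "Recover", "Recovery Planning"),
]
Profile = Dict[str, str]  # Category identifier -> status name

def status_of(profile: Profile, cid: str) -> int:
    """Status rank of a Category; absent from the Profile counts as not_implemented."""
    status = profile.get(cid, "not_implemented")
    if status not in STATUS:
        raise ValueError(f"unknown status {status!r} for {cid}")
    return STATUS[status]

def gap_analysis(current: Profile, target: Profile) -> List[Tuple[str, str, int]]:
    """Compare a Current Profile with a Target Profile.
    Returns (Category id, Function, gap) for every Category whose Target status
    exceeds its Current status, largest gap first, then in Function order.
    """
    known = {c.cid for c in CORE}
    unknown = (set(current) | set(target)) - known
    if unknown:
        raise ValueError(f"Categories not in the Core: {sorted(unknown)}")
    rank = {f: i for i, f in enumerate(FUNCTIONS)}
    gaps = [(c.cid, c.function, status_of(target, c.cid) - status_of(current, c.cid))
            for c in CORE]
    open_gaps = [g for g in gaps if g[2] > 0]
    return sorted(open_gaps, key=lambda g: (-g[2], rank[g[1]]))

# Constructed Profiles for a hypothetical organization.
CURRENT = {"ID.AM": "partial", "PR.AC": "implemented", "DE.DP": "not_implemented"}
TARGET = {"ID.AM": "implemented", "PR.AC": "implemented", "DE.DP": "implemented", "RS.RP": "partial"}
```

Calling `gap_analysis(CURRENT, TARGET)` flags Detection Processes (two levels short), then Asset Management and Response Planning (one level each); Access Control already meets its Target and Recovery Planning is outside this Target, so neither is reported.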


Coordination of Framework Implementation

Implementation Tiers
- Describe the degree to which an organization’s cybersecurity risk management practices exhibit the characteristics defined in the Framework.
- Characterize an organization’s practices over a range, from Partial (Tier 1) to Adaptive (Tier 4):
  - Partial: risks are managed in an ad hoc manner.
  - Risk Informed: risk management practices are approved by management but may not be established as organization-wide policy.
  - Repeatable: risk management practices are formally approved and expressed as policy.
  - Adaptive: the organization adapts its cybersecurity practices based on lessons learned and predictive indicators derived from previous and current cybersecurity activities.
- Reflect a progression from informal, reactive responses to approaches that are agile and risk-informed.

Outline
- A bunch of questions about cybersecurity frameworks
- What is a cybersecurity framework?
- The NIST Cybersecurity Framework
- Use and Implications of the CSF (this section)
- Discussions

Use and Implications of the CSF

Rodney Brown, Cyber-Security Standards for Major Infrastructure, InformationWeek::reports, Jan.: “In a March 12 (2014) instruction, DoD Chief Information Officer Teri Takai said that starting that same day, defense and military systems will henceforth go through the risk management framework outlined by the National Institute of Standards and Technology rather than through the now-defunct DoD Information Assurance Certification and Accreditation Process (DIACAP).”

Use and Implications of the CSF

Rodney Brown, Cyber-Security Standards for Major Infrastructure, InformationWeek::reports, Jan.: “The Cybersecurity Framework is likely to become the liability floor, much like Sarbanes-Oxley has become.”

Jon W. Burd, Cybersecurity Developments: Does the NIST “Voluntary” Framework Portend New Requirements for Contractors? Fall 2013, Government Contracts Issue Update, Wiley Rein, LLP:
- “The framework is intended to complement existing business and cybersecurity operations for organizations with formal existing plans and policies, or to serve as a template for organizations that create new programs.”
- “For government contractors, in particular, one ‘incentive’ agencies could adopt—either through formal rulemaking or on an ad hoc basis—is a preference for framework participants in competitions for federal information technology (IT) or cyber-related contracts.”

Earl Perkins, NIST Framework Establishes Risk Basics for Critical Infrastructure, Gartner.com, Feb. 18:
- “The Framework for Critical Infrastructure is a useful tool for managing cybersecurity risk, but will not replace risk management programs.”
- “The CSF is not designed to replace large-scale cybersecurity risk programs or existing operational frameworks such as COBIT or ISO 2700x.”
- “The CSF serves as taxonomy for risk management of critical infrastructure in a cybersecurity context.”
- “The CSF is an absolute minimum of guidance for new or existing cybersecurity risk programs, and is a legal framework for aligning IT to OT security.”
- “The core, tiers and profile elements address combined cybersecurity risks for IT/OT by providing a single approach — one Gartner believes is urgently needed.”

Gartner Recommendations
- Enterprises: Use the CSF as a legal framework to map your IT/OT risks. Avoid making long-term procurement- or compliance-based decisions from the CSF's guidance in its current state, as it is missing key components. Continue to apply standards that are well-accepted by your respective industries.
- Critical infrastructure companies with existing cybersecurity risk programs: Use the CSF to validate program completeness.
- Enterprises with nascent cybersecurity risk management programs: Use the CSF as a starting point for cybersecurity risk planning, as a self-assessment tool and as a reference to weigh consulting offerings.
- Companies with considerable IT/OT assets: Use the CSF as an aid to align and integrate cybersecurity risk management across corporate and industrial control/automation requirements.

U.S. Department of Energy, Use of the NIST Cybersecurity Framework & DOE C2M2, Feb. (C2M2.pdf)

Energy Sector Cybersecurity Framework Implementation Guidance, draft for public comment and comment submission form (September 2014). “This Framework Implementation Guidance is designed to assist energy sector organizations to:
- Characterize their current and target cybersecurity posture.
- Identify gaps in their existing cybersecurity risk management programs, using the Framework as a guide, and identify areas where current practices may exceed the Framework.
- Recognize that existing sector tools, standards, and guidelines may support Framework implementation.
- Effectively demonstrate and communicate their risk management approach and use of the Framework to both internal and external stakeholders.”

Outline
- A bunch of questions about cybersecurity frameworks
- What is a cybersecurity framework?
- The NIST Cybersecurity Framework
- Use and Implications of the CSF
- Discussions (this section)

Review Questions
- What is a cybersecurity framework?
- Why do we need a framework?
- Will adopting a framework reduce the organization’s IT security risk?
- Will adopting a framework provide sufficient security to the organization?

Richard Stiennon, Floundering Frameworks: NIST as a Case in Point, SecurityCurrent, Oct. 24, 2013: “When the NIST Cybersecurity Framework is completed it will, at best, become shelfware. At worst, Congress will eventually create a law requiring critical infrastructure operators to implement the Framework. Thanks to strong lobbying on the part of the regulated, the law will provide funding for implementation of the Framework, funding that will fill the pockets of audit firms and consultants. At the end of the day the risk of a debilitating cyber attack will have been reduced by exactly zero.”

NIST Roadmap for Improving Critical Infrastructure Cybersecurity, February 12, 2014: Strengthening Private Sector Involvement in Future Governance of the Framework. Section 4: Areas for Development, Alignment, and Collaboration
- 4.1 Authentication
- 4.2 Automated indicator sharing
- 4.3 Conformity assessment
- 4.4 Cybersecurity workforce
- 4.5 Data analytics
- 4.6 Federal agency cybersecurity alignment
- 4.7 International aspects, impacts, and alignment
- 4.8 Supply chain risk management
- 4.9 Technical privacy standards

Thanks! Questions? Andrew Yang