Resiliency Rules: 7 Steps for Critical Infrastructure Protection
Agenda
- What are critical infrastructures?
- What are the CIP policy drivers?
- The differences between CIP/CIIP and cyber security
- Resiliency rules
What is Critical Infrastructure?
While definitions may vary slightly, critical infrastructures are generally thought of as the key systems, services and functions whose disruption or destruction would have a debilitating impact on public health and safety, commerce, and national security, or any combination of those matters. These include communications, energy, banking, transportation, public health and safety and essential government services.

Governments are increasingly aware of the role critical infrastructures play in supporting the overall economy and security of their nations. It is essential that countries at all stages of development plan for and develop policies that will enable them to provide reasonable assurance of resiliency and security to support key national missions and economic stability.

The infrastructures described above are often thought of as physical assets such as bank buildings, power plants, trains, hospitals and government offices. These physical elements rely upon an often unseen critical information infrastructure and key functions (CII/KF) to actually deliver services and conduct business. Over the past two decades, rapid advances in information services and communications technologies have enabled many traditionally separate infrastructures to integrate and automate. The ubiquity and importance of information and communications technology are increasingly recognized as a discernible, cross-cutting "critical information infrastructure" upon which all other infrastructures depend.

In some sense the CII/KF are more complex to identify than more established infrastructures such as electric power, because they are composed of systems, processes and services that are not readily identifiable in the way physical elements are. However, because virtually all elements of a nation's economy rely upon them, government and the private sector should work together to develop collaborative CIIP frameworks for prevention, detection, response, and recovery.
CIP Policy Drivers
- War
- Terrorism
- Natural disaster
- IT attacks
- Dependence
- Directives
- Convergence
- Response plans
- Laws and regulations
- Globalization
CIP/CIIP and Cybersecurity: Understanding the Differences
- Critical Infrastructures: energy, information and communications, transportation, banking, government services
- Critical Information Infrastructure: cross-cutting ICT interdependencies among all sectors
- Non-essential IT systems: large enterprises, personal users
- Cybersecurity: those practices and procedures that enable the secure use and operation of cyber tools and technologies
Resiliency Rules: 7 Steps for Critical Infrastructure Protection
1. Define Goals and Roles
2. Identify and Prioritize Critical Functions
3. Continuously Assess and Manage Risks
4. Establish and Exercise Emergency Plans
5. Create Public-Private Partnerships
6. Build Security/Resiliency into Operations
7. Update and Innovate Technology/Processes
CIP Goals: Establishing Clear Goals is Central to Success

Table 1. Sample CIIP policy language
Policy element: Critical Infrastructure Importance
Sample statement: Critical information infrastructures (CII) provide the essential services that support modern information societies and economies. Some CII support critical functions and essential services so vital that their incapacitation, exploitation, or destruction, through natural disaster, technological failure, accidents or intentional attacks, could have a debilitating effect on national security and economic well-being.

Policy element: Critical Infrastructure Risks
Sample statement: CII exploitation or destruction, through natural disaster, technological failure, accidents or intentional attacks, could have a debilitating effect on national security and economic well-being.

Policy element: CIP Policy Goal/Statement
Sample statement: Prevent or minimize disruptions to critical information infrastructures, no matter the source, and thereby protect the people, the economy, the essential human and government services, and the national security. In the event disruptions do occur, they should be infrequent, of minimal duration and manageable.

Policy element: Public-Private Implementation
Sample statement: Implementing the national CIIP framework includes government entities as well as voluntary public-private partnerships involving corporate and nongovernmental organizations.

To build a collaborative and cooperative CIIP program there needs to be transparency about the expectations and intent of the national effort. This can be established by (1) clearly defining CIIP policy goals, and (2) defining the roles and responsibilities of the various governmental entities and how they will partner with private CII owners and operators. In general, a CIIP policy statement (1) recognizes the importance of CII to the nation, (2) identifies the risk it faces (usually all-hazards), (3) establishes the CIIP policy goal, and (4) broadly identifies how it will be implemented, including through partnership with the private sector. Table 1 above provides some sample language that could address these elements. National CIIP frameworks should not be immutable policies. Instead, they should be flexible and able to respond to the dynamic risk environments of information infrastructures. CIIP frameworks should establish policy goals and not set technical mandates or regulation. By establishing clear policy goals, government agencies and non-government entities can work together to achieve the stated goals in the most efficient manner.
CIP Roles: Understanding Roles Promotes Coordination
Define Roles
(Diagram: roles grouped by who holds them)
- Government: CIIP Coordinator (Executive Sponsor), Sector Specific Agency, Law Enforcement, Computer Emergency Response Team
- Shared: Public-Private Partnerships
- Private: Infrastructure Owners and Operators, IT Vendors and Solution Providers

Title and primary responsibility:
- CIIP Coordinator (Executive Sponsor): Leads activities associated with developing and managing national CIIP efforts, including coordinating policy development, outreach and awareness, risk assessment and management efforts, and funding and support for the CIIP program. This role is usually filled by a lead government agency, an interagency committee, or a cabinet official. It also serves as an important escalation function for resolving important issues and emergencies.
- Sector Specific Agency: A government agency that is responsible for coordinating the national-level risk management process for a particular sector such as banking or communications. The role generally includes working with infrastructure operators to assess risks, define mitigations, identify security controls, and collaborate with infrastructure operators to understand the overall effectiveness of the CIIP risk management program.
- Law Enforcement: Preventing, investigating, and prosecuting various aspects of cybercrime, including malware writers, hackers, and organized attackers that intend to steal information or compromise the integrity of critical operations.
- Computer Emergency Response Team: Responsible for interacting with government agencies, industry, the research community, and others to analyze cyber threats and vulnerabilities and to disseminate reasoned and actionable cyber security information, such as mitigations, to the public as appropriate.
- Infrastructure Owners and Operators: Responsible for the tangible and intangible assets of the infrastructure or infrastructure elements that they own and/or operate. Operators prioritize business assets, analyze levels of impact to assets, define acceptable risk levels, and implement control solutions to manage and mitigate risks.
- Public-Private Partnerships: Comprised of representatives from sector-specific agencies, infrastructure operators, and other key stakeholders, the partnership is responsible for collaborating on risk assessment and mitigation strategies.
- IT Vendors and Solution Providers: Provide products and services that are critical to the information infrastructure operators and to the general participants in the national economy. They provide strategic insights on architecture, security, operations and risk management. Additionally, they provide patches and mitigations in the face of attacks.
Identify and Prioritize Critical Functions: Collaborate to Understand Interdependencies
Establish an open dialogue to understand the critical functions, infrastructure elements, and key resources necessary for delivering essential services, maintaining the orderly operations of the economy, and ensuring public safety.
(Diagram: critical functions, infrastructure elements and key resources, each with its own supply chain, and the interdependencies among them)

As countries begin to establish or expand their respective CIIP efforts, it is important that government and the private sector have an open dialogue to discuss what information infrastructure elements, critical functions, and key resources are needed to deliver essential government services, ensure the orderly functioning of the economy, and provide public safety. The information infrastructure, including both communications and IT services, is composed of many different pieces, including physical and cyber elements, processes, and people that directly support operations, for example a major peering point, undersea cables, or an international switching system. In addition there is a complex value chain that supports the direct operations. These indirect infrastructure support elements include electric power, water, software, hardware, and others. In addition to the traditional notion of infrastructure there may be certain "key functions" that government and the economy rely upon. These functions could include processes like routing, internet content, broadcast delivery, etc. Disruptions of these key functions could have an immediate and debilitating impact on the ability of a nation to perform essential missions. Once identified, the critical infrastructure and key functions can be prioritized or ranked as to which is most important and in what context. It is important to remember that the notion of "criticality" is very situation-dependent, and what could be critical in one instance may not be critical in the next.

It is important that, as nations identify and prioritize critical infrastructure and key functions, they understand that these will change with technology, infrastructure, and process enhancements.
Continuously Assess and Manage Risks: Protection is the Continuous Application of Risk Management
(Diagram: a risk management cycle of four phases)
1. Assess Risks: identify key functions, assess risks, evaluate consequences
2. Identify Controls and Mitigations: define functional requirements, evaluate proposed controls, estimate risk reduction/cost benefit, select mitigation strategy
3. Implement Controls: seek a holistic approach, organize by control effectiveness, implement defense-in-depth
4. Measure Effectiveness: evaluate program effectiveness, leverage findings to improve risk management

Assessing Risk: This phase combines aspects of both quantitative and qualitative risk assessment methodologies. A qualitative approach is used to quickly triage the entire list of security risks. The most serious risks identified during this triage are then examined in more detail using a quantitative approach. The result is a relatively short list of the most important risks that have been examined in detail.

Identifying Controls and Mitigations: Stakeholders identify and select potential controls and mitigations for managing the risks identified during the assessment phase. Once identified, the controls are evaluated on (1) whether they meet functional requirements, (2) the extent to which they reduce risk, and (3) their direct and indirect costs and benefits. Finally, a mitigation strategy is selected.

Implementing Controls: Infrastructure operators implement controls (management, technical, operational) and leverage people, processes and technologies for a holistic solution. Defense-in-depth solutions are used to spread risks and reduce the possibility of compromise or disruption.

Measuring Effectiveness: This phase is used to verify that the controls are actually providing the expected degree of protection and to watch for changes in the environment, such as new business applications or attack tools, that might change the organization's risk profile. Sometimes scorecards are used to track progress.
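The two-phase assessment (qualitative triage, then quantitative analysis of the shortlist) and the control evaluation on requirements, risk reduction and cost/benefit, worked through as an added Python example that is not from the original deck; the risk register, the likelihood/impact scores, the annual rates, losses and control costs are all constructed sample values:

```python
"""Two-phase risk assessment and control selection, following the phases above (added example; every value is a constructed sample)."""
from dataclasses import dataclass

@dataclass
class Risk:
    name: str
    likelihood: int              # qualitative, 1 (rare) .. 5 (frequent)
    impact: int                  # qualitative, 1 (minor) .. 5 (debilitating)
    annual_rate: float = 0.0     # quantitative: expected incidents per year
    loss_per_event: float = 0.0  # quantitative: loss per incident (currency units)

@dataclass
class Control:
    name: str
    cost: float                  # annual cost of operating the control
    reduction: dict              # risk name -> fraction of that risk's ALE removed
    meets_requirements: bool = True

def qualitative_triage(risks, threshold=10):
    """Phase 1: score likelihood x impact, keep only serious risks, highest first."""
    scored = sorted(risks, key=lambda r: r.likelihood * r.impact, reverse=True)
    return [r for r in scored if r.likelihood * r.impact >= threshold]

def annualized_loss(risk):
    """Phase 2: annualized loss expectancy (ALE), computed only for shortlisted risks."""
    return risk.annual_rate * risk.loss_per_event

def evaluate_controls(controls, shortlisted):
    """Drop controls failing functional requirements; rank the rest by net benefit (ALE reduction minus cost)."""
    ale = {r.name: annualized_loss(r) for r in shortlisted}
    rows = []
    for c in controls:
        if not c.meets_requirements:
            continue
        reduction = sum(ale.get(n, 0.0) * f for n, f in c.reduction.items())
        rows.append({"control": c.name, "risk_reduction": reduction,
                     "cost": c.cost, "net_benefit": reduction - c.cost})
    return sorted(rows, key=lambda x: x["net_benefit"], reverse=True)

def select_mitigations(rows):
    """Mitigation strategy: adopt each control whose ALE reduction exceeds its cost."""
    return [x["control"] for x in rows if x["net_benefit"] > 0]

# Constructed sample risk register and candidate controls
SAMPLE_RISKS = [
    Risk("Loss of primary peering point", 2, 5, 0.2, 5_000_000),
    Risk("Undersea cable cut", 3, 5, 0.5, 2_000_000),
    Risk("Office printer outage", 4, 1),                       # triaged out, never costed
    Risk("Unpatched switching system exploited", 3, 4, 1.0, 800_000),
]
SAMPLE_CONTROLS = [
    Control("Diverse second cable route", 400_000, {"Undersea cable cut": 0.7}),
    Control("Patch management programme", 150_000, {"Unpatched switching system exploited": 0.6}),
    Control("Redundant peering facility", 1_200_000, {"Loss of primary peering point": 0.9}),
    Control("Appliance lacking required logging", 50_000, {"Undersea cable cut": 0.5}, False),
]
```

Running `evaluate_controls(SAMPLE_CONTROLS, qualitative_triage(SAMPLE_RISKS))` shows the redundant peering facility rejected on cost/benefit even though it removes the most risk, which is the trade-off the selection step is meant to surface.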
Establish and Exercise Emergency Plans: Improve Operational Coordination
Public and private sector organizations can benefit from developing joint plans for managing emergencies, including recovering critical functions in the event of significant incidents, including but not limited to natural disasters, terrorist attacks, technological failures or accidents. Emergency response plans can mitigate damage and promote resiliency. Effective emergency response plans are generally short and highly actionable so they can be readily tested, evaluated, and implemented. Testing and exercising emergency plans promotes trust, understanding and greater operational coordination among public and private sector organizations. Exercises also provide an important opportunity to identify new risk factors that can be addressed in response plans or controlled through regular risk management functions.
Create Public-Private Partnerships
Voluntary public-private partnerships:
- Promote trusted relationships needed for information sharing and collaborating on difficult problems,
- Leverage the unique skills of government and private sector organizations, and
- Provide the flexibility needed to collaboratively address today's dynamic threat environment.
Build Security and Resiliency into Ops
- Organizational incentives can drive security development lifecycle principles into all lines of business
- Leveraging the security lifecycle promotes secure and resilient organizations and products
The Security Development Lifecycle: Driving Change Across Microsoft
- Product Inception: assign security advisor; identify security milestones; plan security integration into product
- Design: define security architecture and design guidelines; document elements of software attack surface; threat modeling
- Standards, best practices, and tools: apply coding and testing standards; apply security tools (fuzzing tools, static-analysis tools, etc.)
- Security Push: security code reviews; focused security testing; review against new threats; meet signoff criteria
- Final Security Review: independent review conducted by the security team; penetration testing; archiving of compliance info
- RTM and Deployment: signoff
- Security Response: plan and process in place; feedback loop back into the development process; postmortems

4/20/2017 8:33 AM
© 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Update and Innovate Technology/Processes
Cyber threats are constantly evolving. Policy makers, enterprise owners and operators can prepare for changes in threats by:
- Monitoring trends
- Keeping systems patched
- Maintaining the latest versions of software that have been built for the current threat environment
Microsoft Innovations Drive
(Diagram of product areas)
- Guidance
- Developer Tools
- Active Directory Federation Services (ADFS)
- Identity Management
- Systems Management
- Information Protection
- Encrypting File System (EFS)
- BitLocker
- Services
- Client and Server OS
- Server Applications
- Edge
- Network Access Protection (NAP)
Questions?