
Module 4 Risk Management



Presentation on theme: "Module 4 Risk Management"— Presentation transcript:

1 Module 4 Risk Management

2 Lesson Objectives
• Describe basic security service principles (confidentiality, integrity, availability, and authentication) and their relative importance to CI systems.
• Explain basic risk management principles.
• Identify various risk management frameworks and standards, such as the NIST Cybersecurity Framework and the North American Electricity Reliability Council (NERC).
• Describe how to use the framework core process.
• Describe how to use the Framework Implementation Tiers to identify cybersecurity risk and the processes necessary to effectively manage that risk.
• Describe the Cybersecurity Framework Assessment Process Model.
• Demonstrate an understanding of how the framework process holistically manages risk.

3 Basic Security Services
Core security services that should be guaranteed in a system. These services generally include:
• Confidentiality – Ensuring that access to assets and data is limited to only authorized entities.
• Integrity – Ensuring that data has not been modified by an unauthorized entity.
• Availability – Ensuring that data and assets are readily accessible to authorized entities.
• Authentication – Verifying that an entity is, in fact, the entity that it claims to be.
Can you think of examples where these services would be required?
The term “entities” is used because it includes both individuals and processes that might need to use the asset. While most data systems place an emphasis on protecting data confidentiality, critical infrastructure sectors tend to place an emphasis on availability. Consider the criticality of transportation systems that require immediate access to rail conditions and traffic to effectively and safely route trains. Integrity must be guaranteed as well. Airplanes have more than 70,000 sensors collecting data and providing that data to onboard flight systems. What would happen if that data was modified and inaccurate data was reported to the computer? Finally, the critical nature of authenticating the source of information cannot be overstated. What would happen if your car accepted updates from a “spoofed” source, downloading inaccurate GPS maps? While this could be an annoyance for most drivers, it becomes an issue of public safety if this happens to self-driving vehicles. Therefore, it becomes critical that we “authenticate” the identity of the source of the updates.

4 Critical Infrastructure Assets
[Diagram: the CIA Triad, with Confidentiality, Integrity, and Availability surrounding Critical Infrastructure Assets]
Confidentiality, Integrity, and Availability are generally considered to be the most important components of security. They can be represented as the “CIA Triad,” in which you see them providing security protection to critical infrastructure assets such as data and equipment. It is important to note that, while some assets will require the services of each, or all, other assets will not require these security services. The process of a risk assessment, as will be discussed, helps the system owner determine which security service needs to be applied to protect specific assets.

5 The Need for Critical Infrastructure Security
The rapidly changing cybersecurity environment has changed the way we need to look at the security of our critical infrastructure. A proactive and coordinated effort will be necessary to understand, strengthen, and maintain a secure critical infrastructure. This will require a shared responsibility among federal, state, local, tribal, and territorial (SLTT) entities, and public and private owners and operators of critical infrastructure (herein referred to as “critical infrastructure owners and operators” ). To strengthen the resilience of this infrastructure, President Obama issued Executive Order (EO), “Improving Critical Infrastructure Cybersecurity,” on February 12, 2013. This Executive Order calls for the development of a voluntary Cybersecurity Framework that provides a “prioritized, flexible, repeatable, performance-based, and cost-effective approach” to managing cybersecurity risk for those processes, information, and systems directly involved in the delivery of critical infrastructure services. The framework, developed in collaboration with industry, provides guidance to an organization on managing cybersecurity risk.

6 NIST Cybersecurity Framework
NIST (National Institute of Standards and Technology) was directed to work with stakeholders to develop a voluntary framework for reducing cyber risks to critical infrastructure.
• Refines and clarifies critical infrastructure-related functions, roles, and responsibilities across the federal government.
• Enhances overall coordination and collaboration for the continuity of national essential functions, and organizes the government to collaborate effectively with, and add value to, the security and resilience efforts of critical infrastructure owners and operators.
This Cybersecurity Framework has been developed in an open manner with input from stakeholders in industry, academia, and government, including a public review and comment process, workshops, and other means of engagement.
Students: Do you think there may come a time when this framework moves from being a voluntary framework to being mandatory?

7 NIST Cybersecurity Framework (cont. 1)
Cybersecurity risk is a reality that organizations must understand and manage, like other business risks that can have critical impacts on a business’s bottom line and the nation’s security. Organizations must manage cybersecurity risk in order to gain and maintain customers, reduce cost, increase revenue, and innovate. The Cybersecurity Framework is intended to help each organization manage its cybersecurity risks while maintaining flexibility and its ability to meet business needs. Increasing cybersecurity threats are driving organizations responsible for critical infrastructure to have a consistent and iterative approach to identifying, assessing, and managing cybersecurity risk, regardless of the organizations’ size, threat exposure, or current level of cybersecurity sophistication.

8 NIST Cybersecurity Framework (cont. 2)
The framework focuses on the 16 sectors identified as critical infrastructure. Members of each critical infrastructure sector perform functions that are supported by information technology (IT) and industrial control systems (ICS). A reliance on technology, communication, and the interconnectivity of IT and ICS has changed and expanded the potential vulnerabilities and increased potential risk to critical infrastructure operations. A clear understanding of the organization’s business drivers and unique security considerations is required to manage cybersecurity risks. This requirement is driven by each organization’s unique risk, along with its use of IT and ICS. The tools and methods used to achieve the outcomes described by the framework will vary. Companies whose work falls outside the 16 sectors can use the framework in their risk assessment and enterprise security planning.

9 NIST Cybersecurity Framework (cont. 3)
The framework includes a methodology to protect individual privacy and civil liberties when critical infrastructure organizations conduct cybersecurity activities.
• Complements existing organizational methods
• Provides guidance on performing privacy risk assessments and management
• Integrating privacy and cybersecurity increases customer confidence and enables information-sharing
Many organizations already have processes for addressing privacy and civil liberties. The methodology is designed to complement such processes and provide guidance to facilitate privacy risk management consistent with an organization’s approach to cybersecurity risk management. Integrating privacy and cybersecurity can benefit organizations by increasing customer confidence, enabling more standardized sharing of information, and simplifying operations across legal regimes.

10 NIST Cybersecurity Framework (cont. 4)
The framework is technology-neutral to ensure extensibility and enable technical innovation. It uses and relies on a variety of existing standards, guidelines, and practices to enable critical infrastructure providers to achieve flexibility. The use of existing and emerging standards will enable economies of scale and drive the development of effective products, services, and practices that meet identified market needs. Building from those standards, guidelines, and practices, the Cybersecurity Framework provides a common taxonomy and mechanism for organizations to:
• Describe their current cybersecurity posture;
• Describe their target state for cybersecurity;
• Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process;
• Assess progress toward the target state;
• Communicate among internal and external stakeholders about cybersecurity risk.
The Cybersecurity Framework does not replace an organization’s risk management process and cybersecurity program; its intent is to complement these processes. An organization can use its current processes and leverage the Cybersecurity Framework to identify opportunities to improve, strengthen, and communicate its management of cybersecurity risk while aligning with industry practices.
An organization without an existing cybersecurity program can use the Cybersecurity Framework as a reference for establishing a program. Just as the Cybersecurity Framework is not industry-specific, the common taxonomy of standards, guidelines, and practices that it provides is also not country-specific. Organizations outside the United States may also use the framework to strengthen their own cybersecurity efforts, and the framework can contribute to the development of a common language for international cooperation on critical infrastructure cybersecurity.

11 Other Models: NERC
North American Electricity Reliability Council (NERC) created information security standards for the electric power industry in 2003. Following are applicable NERC CIP standards:
• CIP-001 Sabotage Reporting
• CIP-002 Critical Cyber Asset Identification
• CIP-003 Security Management Controls
• CIP-004 Personnel & Training
• CIP-005 Electronic Security Perimeter(s)
• CIP-006 Physical Security of Critical Cyber Assets
• CIP-007 Systems Security Management
• CIP-008 Incident Reporting and Response Planning
• CIP-009 Recovery Plans for Critical Cyber Assets

12 Framework Process Overview
The framework is a risk-based approach to managing cybersecurity risk. It is composed of three parts: the Framework Core, the Framework Implementation Tiers, and the Framework Profiles. Each framework component reinforces the connection between business drivers and cybersecurity activities. Clark, R., and Miller, S. “Figure 2.2, Framework Diagram.” Framework for SCADA Cybersecurity. Smashwords ed. Revision A Jan pp. 43.

13 Framework Core
The Framework Core is a set of cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure sectors. There are five concurrent and continuous functions in the Framework Core:
• Identify
• Protect
• Detect
• Respond
• Recover
When evaluated together, these functions provide a high-level, strategic view of the lifecycle of an organization’s management of cybersecurity risk. Image source: National Institute of Standards & Technology (NIST) Cybersecurity Public Domain image. The Framework Core presents industry standards, guidelines, and practices in a manner that allows for the communication of cybersecurity activities and outcomes across the organization, from the executive level to the implementation/operations level.

14 Framework Core Categories and Subcategories
The Framework Core then identifies underlying key categories and subcategories for each function. It matches them with example informative references, such as existing standards, guidelines, and practices for each subcategory. The Framework Core defines 22 categories and 98 subcategories. Table Citation: National Institute of Standards and Technology. (12 Feb 2014). “Table A.2-1: Framework Core ID.AM”. Framework for Improving Critical Infrastructure Cybersecurity. Version 1.0. pp. 21.

15 Framework Implementation Tiers
The Framework Implementation Tiers provide background on how an organization views cybersecurity risk and the processes that are in place to manage that risk. Tiers describe the degree to which an organization’s cybersecurity risk management practices exhibit the attributes defined in the framework (i.e., being risk- and threat-aware, repeatable, and adaptive). The tiers identify an organization’s practices over a range, from Partial (Tier 1) to Adaptive (Tier 4). These tiers reflect a progression from informal, reactive responses to approaches that are nimble and risk-informed. An organization in the tier selection process should consider its current risk management practices, threat environment, legal and regulatory requirements, business/mission objectives, and organizational constraints. Tiers are described in greater detail at

16 Framework Profile
Outcomes are based on the business needs that the organization has selected from the Cybersecurity Framework categories and subcategories. Organizations identify opportunities for improving their cybersecurity posture by comparing a “Current” profile (the “as is” state) with a “Target” profile (the “to be” state). To develop a profile, the organization reviews all of the categories and subcategories. Based on business drivers and a risk assessment, the organization determines which categories and subcategories are the most important; it can add more later as needed to address the organization’s risks. Public Domain image from NIST.

17 Framework Profile
The Current Profile or “AS IS Profile” can be used to support prioritization and measurement of progress toward the Target Profile or “TO BE Profile,” while factoring in other business needs, including cost-effectiveness and innovation. This method can be used to conduct self-assessments and to communicate within an organization or between organizations. Public Domain image from NIST.
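The Current-versus-Target comparison that slides 16 and 17 describe can be carried out mechanically once each selected subcategory has an "as is" and a "to be" value. The following is an added example, not code from the slides or from NIST: the 0-3 implementation scale, the business-priority weights and the sample profile values are constructed, and the three outcome statements quoted on slide 18 are attached to CSF subcategory identifiers by this example's own mapping (the Detect and Recover rows are added so every Function appears).

```python
"""Current Profile vs Target Profile gap analysis.

Added example (not from the slides or NIST). The 0-3 implementation scale,
priority weights and sample values are constructed; the subcategory IDs are
this example's mapping of the outcome statements quoted on the slides.
"""
from collections import Counter

# Function > Category > Subcategory outcome, mirroring the Core structure on the slides.
SUBCATEGORIES = {
    "ID.AM-4": ("Identify", "Asset Management", "External information systems are catalogued"),
    "PR.DS-1": ("Protect", "Data Security", "Data-at-rest is protected"),
    "DE.CM-1": ("Detect", "Security Continuous Monitoring",
                "The network is monitored to detect potential cybersecurity events"),
    "RS.AN-1": ("Respond", "Analysis", "Notifications from detection systems are investigated"),
    "RC.RP-1": ("Recover", "Recovery Planning", "Recovery plan is executed during or after an event"),
}

# Constructed per-subcategory implementation scale (distinct from the organization-wide Tiers).
LEVELS = {0: "not implemented", 1: "partial", 2: "largely implemented", 3: "fully implemented"}


def profile_gaps(current, target, priority):
    """Rank the gaps between the Current ("as is") and Target ("to be") Profiles.

    current, target: {subcategory_id: level 0..3}. A subcategory absent from
    `target` was not selected by the business and produces no gap.
    priority: {subcategory_id: 1..3} business weight (default 1).
    Returns gap records sorted by weighted gap, largest first.
    """
    gaps = []
    for sub_id, level_target in target.items():
        function, category, outcome = SUBCATEGORIES[sub_id]
        level_now = current.get(sub_id, 0)
        if level_target <= level_now:
            continue
        size = level_target - level_now
        gaps.append({
            "id": sub_id, "function": function, "category": category, "outcome": outcome,
            "current": LEVELS[level_now], "target": LEVELS[level_target],
            "gap": size, "score": size * priority.get(sub_id, 1),
        })
    gaps.sort(key=lambda g: (-g["score"], g["id"]))
    return gaps


def gaps_by_function(gaps):
    """Roll the gap list up to the five Functions for an executive-level view."""
    return dict(Counter(g["function"] for g in gaps))


def progress(current, target):
    """Share of the Target Profile already achieved (0.0-1.0), for measuring progress."""
    wanted = sum(target.values())
    achieved = sum(min(current.get(k, 0), v) for k, v in target.items())
    return achieved / wanted if wanted else 1.0


# Constructed sample: an organization one assessment cycle into its program.
CURRENT = {"ID.AM-4": 1, "PR.DS-1": 2, "DE.CM-1": 1, "RS.AN-1": 0, "RC.RP-1": 3}
TARGET = {k: 3 for k in SUBCATEGORIES}
PRIORITY = {"RS.AN-1": 3, "DE.CM-1": 3, "ID.AM-4": 2}

if __name__ == "__main__":
    ranked = profile_gaps(CURRENT, TARGET, PRIORITY)
    for g in ranked:
        print(f'{g["score"]:2d}  {g["id"]:8s} {g["current"]} -> {g["target"]}: {g["outcome"]}')
    print("gaps by Function:", gaps_by_function(ranked))
    print(f"progress toward Target Profile: {progress(CURRENT, TARGET):.0%}")
```

Weighting the raw gap by business priority is what keeps the list aligned with the slide's point that the Target Profile is chosen from business drivers and a risk assessment rather than from the full catalogue; `progress` gives the single number that the "measurement of progress toward the Target Profile" on slide 17 calls for.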

18 Cybersecurity Framework Core Structure
Public Domain Image: National Institute of Standards and Technology. (12 Feb 2014). “Figure 1: Framework Core Structure”. Framework for Improving Critical Infrastructure Cybersecurity. Version 1.0. pp. 7.
From NIST: The Framework Core elements work together as follows:
• Functions organize basic cybersecurity activities at their highest level. These functions are Identify, Protect, Detect, Respond, and Recover. They aid an organization in expressing its management of cybersecurity risk by organizing information, enabling risk management decisions, addressing threats, and improving by learning from previous activities. The Functions also align with existing methodologies for incident management and help show the impact of investments in cybersecurity. For example, investments in planning and exercises support timely response and recovery actions, resulting in reduced impact to the delivery of services.
• Categories are the subdivisions of a function into groups of cybersecurity outcomes closely tied to programmatic needs and particular activities. Examples of categories include “Asset Management,” “Access Control,” and “Detection Processes.”
• Subcategories further divide a category into specific outcomes of technical and/or management activities. They provide a set of results that, while not exhaustive, help support achievement of the outcomes in each category. Examples of subcategories include “External information systems are catalogued,” “Data-at-rest is protected,” and “Notifications from detection systems are investigated.”
• Informative References are specific sections of standards, guidelines, and practices common among critical infrastructure sectors that illustrate a method to achieve the outcomes associated with each subcategory. The Informative References presented in the Framework Core are illustrative and not exhaustive. They are based upon cross-sector guidance most frequently referenced during the Framework development process.

19 Cybersecurity Framework Core Process
Captions at youtube

20 Risk Management

21 Risk Management Risk analysis is used to determine whether an asset is protected and to what level. Risk assessment is the quantitative or qualitative process of performing this analysis. In general terms, a cybersecurity risk assessment is a mathematical way to estimate the likelihood that a system can be attacked using cyber means. Risk assessments often are associated with metrics, models, and graphs.

22 Risk Management (cont. 1)
An analyst identifies the threats to an ICS through observation and by checking configurations; the analyst then compares these threats against the controls that are in place to protect the system. Each attack scenario is assigned a probability rating so that a single end value can summarize the risk to the ICS. Several organizations have published guides, available on the Internet, to assessing the risk to an ICS.

23 Risk Management (cont. 2)
The diagram below shows how controls are applied to reduce risks. Diagram: Clark, R., & Miller, S. “Figure 2.3, Risk Management Decomposition Diagram.” Framework for SCADA Cybersecurity. Smashwords ed. Revision A Jan pp. 45. Available at

24 Risk Management & the Cybersecurity Framework
Risk management: A process of identifying vulnerabilities and taking carefully reasoned steps to ensure the confidentiality, integrity, and availability of the information system To manage risk, organizations should understand the likelihood that an event will occur and the resulting impact. With this information, organizations can determine the acceptable level of risk for delivery of products and services, expressing this as their risk tolerance. Risk tolerance is the amount of risk that an organization is willing to accept, understanding that security controls cost money and impact performance and usability.

25 Risk Management & the Cybersecurity Framework (cont. 1)
Once there is an understanding of risk tolerance, organizations can prioritize their cybersecurity activities, making informed decisions about cybersecurity expenditures. Implementation of risk management programs offers organizations the ability to quantify and communicate adjustments to their cybersecurity programs. Organizations choose to handle risk in different ways, depending on the potential impact to the delivery of critical products and services, including:
• mitigating the risk
• transferring the risk
• avoiding the risk
• accepting the risk
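Slides 21 through 25 describe one procedure: rate each attack scenario's likelihood and impact, credit the controls already in place, roll the residual risk up to one end value, and compare each scenario against the organization's risk tolerance to choose mitigate, transfer, avoid or accept. The block below carries that procedure through in code as an added example; it is not from the slides, from the cited book, or from NIST. The 1-5 scales, the model in which each control removes a fraction of the likelihood, the treatment rule and the sample scenario register are all constructed for illustration.

```python
"""Scenario-based risk roll-up for an ICS, following the steps on the slides.

Added example (not from the slides, the cited book, or NIST). Scales, the
control-effectiveness model, the treatment rule and the sample register are
constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Control:
    name: str
    effectiveness: float  # fraction of likelihood the control removes, 0.0-1.0 (assumed model)


@dataclass
class Scenario:
    name: str
    likelihood: int  # inherent likelihood before controls: 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (loss of service or safety impact)
    applied: list = field(default_factory=list)    # controls already in place
    available: list = field(default_factory=list)  # further controls the organization could deploy


def residual_likelihood(s: Scenario) -> float:
    """Likelihood that survives every applied control, treating controls as independent."""
    remaining = float(s.likelihood)
    for c in s.applied:
        remaining *= 1.0 - c.effectiveness
    return remaining


def inherent_risk(s: Scenario) -> int:
    return s.likelihood * s.impact


def residual_risk(s: Scenario) -> float:
    return residual_likelihood(s) * s.impact


def treatment(s: Scenario, tolerance: float) -> str:
    """Choose one of the four options from the slides: accept, mitigate, transfer, avoid.

    Illustrative rule: within tolerance -> accept; above tolerance with a control
    still available -> mitigate; otherwise transfer (insurance, contract terms)
    when the impact is moderate and avoid (remove the exposure) when it is severe.
    """
    if residual_risk(s) <= tolerance:
        return "accept"
    if s.available:
        return "mitigate"
    return "transfer" if s.impact <= 3 else "avoid"


def assess(scenarios, tolerance: float):
    """Per-scenario rows sorted by residual risk (highest first) plus the summed end value."""
    rows = [
        {
            "scenario": s.name,
            "inherent": inherent_risk(s),
            "residual": round(residual_risk(s), 2),
            "treatment": treatment(s, tolerance),
        }
        for s in scenarios
    ]
    rows.sort(key=lambda r: r["residual"], reverse=True)
    return rows, round(sum(r["residual"] for r in rows), 2)


# Constructed sample register for a small ICS; ratings are illustrative, not measured.
SIGNED_UPDATES = Control("Cryptographically signed firmware updates", 0.9)
USB_CONTROL = Control("Removable-media port control", 0.5)
ALLOW_LISTING = Control("Application allow-listing on operator workstations", 0.6)
REDUNDANT_STORAGE = Control("Redundant historian storage", 0.5)

SCENARIOS = [
    Scenario("Field controller accepts an update from a spoofed source", 4, 5,
             available=[SIGNED_UPDATES]),
    Scenario("Malware reaches an operator workstation via removable media", 3, 4,
             applied=[USB_CONTROL], available=[ALLOW_LISTING]),
    Scenario("Historian outage from storage failure", 2, 3,
             applied=[REDUNDANT_STORAGE]),
    Scenario("Ransomware on the business network disrupts billing", 4, 3),
    Scenario("Unpatchable legacy PLC reachable from the Internet", 5, 5),
]
RISK_TOLERANCE = 6.0  # constructed: the residual level the organization has agreed to accept

if __name__ == "__main__":
    rows, total = assess(SCENARIOS, RISK_TOLERANCE)
    for r in rows:
        print(f'{r["residual"]:5.1f} (inherent {r["inherent"]:2d})  {r["treatment"]:8s}  {r["scenario"]}')
    print("total residual risk:", total)
```

The split between `applied` and `available` controls is what lets the rule distinguish "mitigate" from "transfer" or "avoid": a scenario that is over tolerance but still has an unused control is a spending decision, while one with nothing left to deploy forces the organization to move the risk elsewhere or remove the exposure. Re-running `assess` after moving a control from `available` to `applied` shows how the end value and the treatments change, which is the diagram's point that controls are applied to reduce risk.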

26 Risk Management & the Cybersecurity Framework (cont. 2)
The Cybersecurity Framework uses risk management processes to enable organizations to inform and prioritize decisions regarding cybersecurity. It supports recurring risk assessments and the validation of business drivers to help organizations select target states for cybersecurity activities that reflect desired outcomes. It gives organizations the ability to dynamically select and direct improvement in cybersecurity risk management for the IT and ICS environments.

27 Risk Management & the Cybersecurity Framework (cont. 3)
The Cybersecurity Framework can be adapted to provide a flexible and risk-based implementation that can be used with a broad array of cybersecurity risk management processes. Examples of cybersecurity risk management processes include:
• International Organization for Standardization (ISO) 31000:2009
• ISO/IEC 27005:2011
• National Institute of Standards and Technology (NIST) Special Publication (SP)
• Electricity Subsector Cybersecurity Risk Management Process (RMP) guideline

28 Risk Management & the Cybersecurity Framework (cont. 4)
Risk management processes include:
• Identifying and controlling information asset risks
• Documenting and assessing the security posture of the organization’s IT, SCADA, and DCS systems, and the risks it faces
The framework enables the integration of cybersecurity risk management into the organization’s overall risk management process, fostering:
• An integrated risk management process across the enterprise organization and all of its systems, including traditional systems and ICS; this exposes dependencies that exist within large, mature and/or diverse entities, and the interaction of multiple risks, including those between the entities and their partners, vendors, suppliers, and others;
• Cybersecurity risk management practices that are internalized by the organization to ensure that decision-making is conducted by a risk-informed process of continuous improvement;
• Cybersecurity standards that can be used to support risk management activities.

29 Risk Management & the Cybersecurity Framework (cont. 5)
What are the implications? The Cybersecurity Framework marks an important step for U.S. cybersecurity policy after an Executive Order from the Obama Administration called for its creation in February 2013.
Criticisms: The Cybersecurity Framework has been criticized as being overly broad and toothless. Some security professionals note that the framework is not that different from the checklists that chief security officers already regularly implement. Most large organizations have already implemented a risk management process similar to the Cybersecurity Framework to manage their cybersecurity activities. In practice, medium- and smaller-sized organizations may benefit most significantly from this first version of the Cybersecurity Framework. However, additional sector-specific iterations are anticipated. Many government analysts note that the Cybersecurity Framework has the potential to become the de facto standard for managing cybersecurity risk.

30 Holistic Risk Management
There have been calls for government to work more closely with critical infrastructure organizations to strengthen cybersecurity. This includes sharing information about cybersecurity threats and jointly developing a framework for cybersecurity standards, best practices, and processes for risk assessment, and implementation of solutions to close cybersecurity risk gaps. While use of the Cybersecurity Framework is voluntary, the federal government has been actively exploring various measures to incentivize participation both universally and on a sector-by-sector basis.

31 Holistic Risk Management (cont.)
Booz Allen Hamilton, a leading provider of management and technology consulting services to the U.S. government, has identified five key steps for exploiting these new technologies and practices to achieve collaborative success:
1. Establish flexible, risk-based cybersecurity standards of practice (such as a cybersecurity framework) that provide a foundation for measuring the growing maturity of an organization’s security program.
2. Accelerate the adoption of continuous monitoring and data analytics.
3. Create an information-sharing broker (or brokers) to help government and industry share threat information efficiently and effectively.
4. Revitalize the public-private partnership based on shared interests.
5. Explore and develop norms guiding the use of “active cyber defense.”

32 What’s Next for U.S. Cybersecurity Policy?
Roadmap to the Cybersecurity Framework outlines several planned follow-up activities. In the near term, NIST will continue to oversee and coordinate development of the framework. Options for long-term governance, including identifying the appropriate responsible partner(s) for overseeing the Cybersecurity Framework, are being solicited. The roadmap identifies nine cybersecurity disciplines marked for further development and discussion, including:
• Authentication
• Automated indicator sharing
• Conforming cybersecurity assessments
• Preparation of a skilled cybersecurity workforce
• Use of data analytics in cybersecurity
• International coordination
• Federal agency cybersecurity alignment
• Technical privacy standards
• Supply chain risk management

33 End Slide

