Presentation is loading. Please wait.

Presentation is loading. Please wait.

Workshop A: Understanding and Implementation Decisions around the NIST Cybersecurity Framework CyberSat Summit November 16, 2018.

Published byกมล ชินวัตร Modified over 6 years ago

Similar presentations

Presentation on theme: "Workshop A: Understanding and Implementation Decisions around the NIST Cybersecurity Framework CyberSat Summit November 16, 2018."— Presentation transcript:

1 Workshop A: Understanding and Implementation Decisions around the NIST Cybersecurity Framework
CyberSat Summit November 16, 2018

2 Workshop Session Background and Purpose
The Cybersecurity Framework’s flexible approach helps to promote the protection and resilience of critical infrastructure and other sectors important to our economic and national security. Since its release in 2014, and latest update in April 2018, the Framework has seen broad and increasing voluntary adoption, and has been customized to meet the needs of many types of organizations. Purpose: Share the Cybersecurity Framework’s current status, and Highlight relevant industry-led customizations of the Framework that could serve as models for extension of the Framework to enhance satellite cybersecurity. Customizing the Cybersecurity Framework to Enhance Satellite Cybersecurity Interest expressed in CSF for space ground system segments, space assets, and space operations.

3 Cultivating Trust in Information and Systems
Practical Applications Foundational Standards Best practices Many standards and best practices serve as informative references to other sectors and organizations. Shutterstock

4 Key Cybersecurity Framework Attributes
Common and accessible language It’s adaptable to many technologies, lifecycle phases, sectors and uses It’s risk-based It’s meant to be paired It’s a living document Guided by many perspectives – private sector, academia, public sector

5 Cybersecurity Framework Components: Core
5 Functions | 23 Categories | 108 Subcategories | Many industry guidance, practices, controls

6 Cybersecurity Framework Components: Profile
Aligns industry standards and best practices to the Framework Core in an implementation scenario Supports prioritization and measurement while factoring in business needs Ways to think about a Profile: A customization of the Core for a given sector, subsector, or organization A fusion of business/mission logic and cybersecurity outcomes An alignment of cybersecurity requirements with operational methodologies A basis for assessment and expressing target state A decision support tool for cybersecurity risk management Why develop a profile? compliance reporting becomes a byproduct of running your security operation adding new security requirements is more straightforward adding or changing operational methodology is less intrusive to ongoing operations identifying cybersecurity gaps regarding technology, processes, and people

7 Example Cybersecurity Framework Profiles
Manufacturing Profile NIST Discrete Manufacturing Cybersecurity Framework Profile Communciations Segment Profiles Cybersecurity Risk Management and Best Practices Working Group 4: Final Report Maritime Profile Bulk Liquids Transfer Profile

8 Profile Example: Maritime Bulk Liquids Transfer
Provides an industry‐specific instantiation of the Cybersecurity Framework Profile concept for a subsector of the oil and natural gas industry. Acts as non‐mandatory guidance to organizations conducting MBLT operations within facilities and vessels under the regulatory control of the USCG under the Code of Federal Regulations (CFR) 33 CFR 154‐156. Collects recommended cybersecurity safeguards and describes the desired minimum state of cybersecurity for those organizations in the MBLT context in support of those safety‐oriented regulations. Assists in cybersecurity risk assessments for those entities involved in MBLT operations as overseen by the USCG. Serves as a starting point for enterprises to review and adapt their risk management processes due to increased awareness of cybersecurity threats in the OT environment. Traditionally heavy safety focus (personnel, environmental) Increasing use of IT and OT, which can have an impact

9 Building a Profile A Profile can be Created in Three Steps
1 Mission Priority Objective 1 A 2 B 3 C Subcategory 1 2 3 98 Cybersecurity Requirements Legislation Regulation Internal & External Policy Best Practices Operating Methodologies Guidance and methodology on implementing, managing, and monitoring 2 3

10 Mission Vocabulary Refine the Sector Mission
1 Mission Priority Objective 1 A 2 B 3 C Mission – universal objective of the sector Mission Objective – specific outcomes that support the mission Mission Priority – the relative importance of one item versus another Mission Dependency – a requirement to fulfill Mission or a Mission Objective that lives outside of the subsector

11 Bulk Liquid Transport Mission Refine the Subsector Mission
Mission Ensuring the safe, secure and timely movement of hazardous bulk liquids within the maritime environment. Mission Boundaries Operations that involve (1) loading and discharging hazardous bulk liquids: (a) from facilities to vessels, (b) from vessels to vessels, and (c) from vessels to facilities, and; (2) the transport or movement of hazardous bulk liquids by vessel.

12 Mission Objectives Refine the Subsector Mission
Maintain Personnel Safety (International Safety Management Code places personnel before environment) Meet Occupational Health Requirements Maintain Environmental Safety Maintain Operational Security Maintain Preparedness Resilient Systems (e.g. weather- environmental) Risk Mitigation Procedures (e.g. SMS) Sustain maintenance and reliability of Physical Equipment Sustain maintenance and reliability of IT Systems Document and Test Plans Maintain quality of product Maintain conditions of product during transport (Temp, pressure, additives) Ensure Appropriate Product Testing Is Completed Safe carriage Meet HR Requirements Train Personnel Appropriately (Good return on people investment) Pass Required Audits/Inspections (e.g., OCIMF Sire inspections) Flag State, Port State, Class Society, Owner/operator, contractual Obtain Timely Vessel Clearance

13 Mission Dependencies Refine the Subsector Mission
Forces outside the sector that affect the mission Factors affecting likelihood: war, price/barrel, Ranked by likelihood: Navigational processes GPS/AIS Deliberate Attacks Weather (region affects likelihood) Market forces (less of a daily affect b/c??) Availability of qualified/experienced, certified Inspectors (labor market affects likelihood, lots available now = high availability) Disruption of supply chain Incident alerting/information sharing (i.e. refinery to transportation system) Status of labor force (technology training, sustaining agreements (i.e. strike)) Other Critical Infrastructure (Water, Communications, Energy, Supply of fuel) Political drivers (domestic and foreign)

14 Building a Profile A Profile can be Created in Three Steps
1 Mission Priority Objective 1 A 2 B 3 C Subcategory 1 2 3 98 Cybersecurity Requirements Legislation Regulation Internal & External Policy Best Practices Operating Methodologies Guidance and methodology on implementing, managing, and monitoring 2 3

15 Cybersecurity Requirements
Maritime Transportation Security Act Code of Federal Regulation, Title 33, & Maritime Cyber Security Standards, [2014 – ] International Ship and Port Facility Security Code (ISPS) framework IMO Publication 39/7 dated 10 July 2014, Ensuring Security in and Facilitating International Trade, Measures Toward Enhancing Maritime Cybersecurity ISA/IEC Industrial Automation and Control Systems Security Standard of Good Practice for Information Security ANSI/ISA-99 Industrial Automation and Control System Security ISA/IEC Power systems management and associated information exchange – Data and communications security ISO 27001:2013 Information Technology – Security techniques – Information security management systems – Requirements ISO 28001:2007 Security management systems for the supply chain; Best practices for implementing supply chain security, assessments, and plans – Requirements and guidance Federal Information Security Management Act

16 Building a Profile A Profile can be Created in Three Steps
1 Mission Priority Objective 1 A 2 B 3 C Subcategory 1 2 3 98 Cybersecurity Requirements Legislation Regulation Internal & External Policy Best Practices Operating Methodologies Guidance and methodology on implementing, managing, and monitoring 2 3

17 Operating Methodologies
Systems Management Federal Information Processing Standard 199 Security controls CobIT NIST SP ISO 27002:2013 Information Technology – Security techniques – Code of practice for information security controls Risk Assessment NIST SP , Guide for Conducting Risk Assessments Data Labeling NIST SP , Guide to Security Categorization Information Sharing NIST SP , Guide to Cyber Threat Info Sharing

18 Opportunities for a CSF Profile for Satellites?
Identification and prioritization of mission and business objectives For the sector? For segments in the sector (ex, space ground systems, space assets, space operations)? Expression of cybersecurity requirements Regulatory? Industry expressed? Organization specific? Application of standards and practices Existing satellite standards and best practices? Interest expressed in CSF for space ground system segments, space assets, and space operations.

19 Questions & Opportunities to Engage
Cybersecurity Framework: Cybersecurity Framework Resources: Follow us on Contact: Kevin Stine,

20

Download ppt "Workshop A: Understanding and Implementation Decisions around the NIST Cybersecurity Framework CyberSat Summit November 16, 2018."

Similar presentations

Minnesota Port and Waterway Security Working Group Meeting April 12, 2012.

Minnesota Port and Waterway Security Working Group Meeting April 12, 2012.
EMS Checklist (ISO model)

EMS Checklist (ISO model)
United States Coast Guard Marine Safety, Security, and Stewardship 1 U.S. Coast Guard Regulations “Making a difference” 1 Jeff Lantz Director, Commercial.

United States Coast Guard Marine Safety, Security, and Stewardship 1 U.S. Coast Guard Regulations “Making a difference” 1 Jeff Lantz Director, Commercial.
NOTE: To change the image on this slide, select the picture and delete it. Then click the Pictures icon in the placeholde r to insert your own image. Cybersecurity.

NOTE: To change the image on this slide, select the picture and delete it. Then click the Pictures icon in the placeholde r to insert your own image. Cybersecurity.
National Infrastructure Protection Plan

National Infrastructure Protection Plan
National Protection and Programs Directorate Department of Homeland Security The Office of Infrastructure Protection Cybersecurity Brief [Date of presentation]

National Protection and Programs Directorate Department of Homeland Security The Office of Infrastructure Protection Cybersecurity Brief [Date of presentation]
Security Controls – What Works

Security Controls – What Works
Framework for Improving Critical Infrastructure Cybersecurity Overview and Status Executive Order 13636 “Improving Critical Infrastructure Cybersecurity”

Framework for Improving Critical Infrastructure Cybersecurity Overview and Status Executive Order “Improving Critical Infrastructure Cybersecurity”
Complying With The Federal Information Security Act (FISMA)

Complying With The Federal Information Security Act (FISMA)
The U. S. National Strategy for Global Supply Chain Security Neema Khatri Office of International Affairs U.S. Department of Homeland Security.

The U. S. National Strategy for Global Supply Chain Security Neema Khatri Office of International Affairs U.S. Department of Homeland Security.
Overview of NIPP 2013: Partnering for Critical Infrastructure Security and Resilience October 2013 DRAFT.

Overview of NIPP 2013: Partnering for Critical Infrastructure Security and Resilience October 2013 DRAFT.
Nuclear Power Plant/Electric Grid Regulatory Coordination and Cooperation - ERO Perspective David R. Nevius and Michael J. Assante 2009 NRC Regulatory.

Nuclear Power Plant/Electric Grid Regulatory Coordination and Cooperation - ERO Perspective David R. Nevius and Michael J. Assante 2009 NRC Regulatory.
1 Information System Security Assurance Architecture A Proposed IEEE Standard for Managing Enterprise Risk February 7, 2005 Dr. Ron Ross Computer Security.

1 Information System Security Assurance Architecture A Proposed IEEE Standard for Managing Enterprise Risk February 7, 2005 Dr. Ron Ross Computer Security.
NIST Special Publication Revision 1

NIST Special Publication Revision 1
Action Plan Intermodal & ITS Experts Group June 2011 Update.

Action Plan Intermodal & ITS Experts Group June 2011 Update.
Security Professional Services. Security Assessments Vulnerability Assessment IT Security Assessment Firewall Migration Custom Professional Security Services.

Security Professional Services. Security Assessments Vulnerability Assessment IT Security Assessment Firewall Migration Custom Professional Security Services.
Important acronyms AO = authorizing official ISO = information system owner CA = certification agent.

Important acronyms AO = authorizing official ISO = information system owner CA = certification agent.
© 2011 Underwriters Laboratories Inc. All rights reserved. This document may not be reproduced or distributed without authorization. ASSET Safety Management.

© 2011 Underwriters Laboratories Inc. All rights reserved. This document may not be reproduced or distributed without authorization. ASSET Safety Management.
Securing Critical Chemical Assets: The Responsible Care ® Security Code Protection of Hazardous Installations from Intentional Adversary Acts European.

Securing Critical Chemical Assets: The Responsible Care ® Security Code Protection of Hazardous Installations from Intentional Adversary Acts European.
Crosswalk of Public Health Accreditation and the Public Health Code of Ethics Highlighted items relate to the Water Supply case studied discussed in the.

Crosswalk of Public Health Accreditation and the Public Health Code of Ethics Highlighted items relate to the Water Supply case studied discussed in the.

Similar presentations

Ads by Google