Workshop A: Understanding and Implementation Decisions around the NIST Cybersecurity Framework
CyberSat Summit November 16, 2018
Workshop Session Background and Purpose
The Cybersecurity Framework's flexible approach helps to promote the protection and resilience of critical infrastructure and other sectors important to our economic and national security. Since its release in 2014, and its latest update (version 1.1) in April 2018, the Framework has seen broad and increasing voluntary adoption and has been customized to meet the needs of many types of organizations.

Purpose:
- Share the Cybersecurity Framework's current status
- Highlight relevant industry-led customizations of the Framework that could serve as models for extending the Framework to enhance satellite cybersecurity

Customizing the Cybersecurity Framework to Enhance Satellite Cybersecurity: interest has been expressed in applying the CSF to space ground system segments, space assets, and space operations.
Cultivating Trust in Information and Systems
(Diagram: Practical Applications built on Foundational Standards and Best Practices.) Many standards and best practices serve as informative references to other sectors and organizations.
Key Cybersecurity Framework Attributes
- Common and accessible language
- Adaptable to many technologies, lifecycle phases, sectors and uses
- Risk-based
- Meant to be paired with existing standards, guidelines and practices (the informative references), not to replace them
- A living document
- Guided by many perspectives: private sector, academia, public sector
Cybersecurity Framework Components: Core
5 Functions | 23 Categories | 108 Subcategories | many informative references (industry guidance, practices, controls)
Cybersecurity Framework Components: Profile
A Profile aligns industry standards and best practices to the Framework Core in an implementation scenario, and supports prioritization and measurement while factoring in business needs.

Ways to think about a Profile:
- A customization of the Core for a given sector, subsector, or organization
- A fusion of business/mission logic and cybersecurity outcomes
- An alignment of cybersecurity requirements with operational methodologies
- A basis for assessment and for expressing a target state
- A decision support tool for cybersecurity risk management

Why develop a Profile?
- Compliance reporting becomes a byproduct of running your security operation
- Adding new security requirements is more straightforward
- Adding or changing an operational methodology is less intrusive to ongoing operations
- Cybersecurity gaps in technology, processes, and people become identifiable
Example Cybersecurity Framework Profiles
- Manufacturing Profile: NIST Discrete Manufacturing Cybersecurity Framework Profile
- Communications Segment Profiles: Cybersecurity Risk Management and Best Practices Working Group 4: Final Report (FCC CSRIC IV)
- Maritime Profile: Bulk Liquids Transfer Profile
Profile Example: Maritime Bulk Liquids Transfer
- Provides an industry-specific instantiation of the Cybersecurity Framework Profile concept for a subsector of the oil and natural gas industry.
- Acts as non-mandatory guidance to organizations conducting Maritime Bulk Liquids Transfer (MBLT) operations within facilities and vessels under the regulatory control of the USCG under 33 CFR 154-156.
- Collects recommended cybersecurity safeguards and describes the desired minimum state of cybersecurity for those organizations in the MBLT context, in support of those safety-oriented regulations.
- Assists in cybersecurity risk assessments for entities involved in MBLT operations as overseen by the USCG.
- Serves as a starting point for enterprises to review and adapt their risk management processes in light of increased awareness of cybersecurity threats in the OT environment.

Context: the subsector has a traditionally heavy safety focus (personnel, environmental), and its increasing use of IT and OT can affect that safety.
Building a Profile A Profile can be Created in Three Steps
(Diagram of the three steps.)
- Step 1: Mission priorities and mission objectives (Objective 1, 2, 3 with priorities A, B, C in the diagram)
- Step 2: Cybersecurity requirements: legislation, regulation, internal and external policy, best practices
- Step 3: Operating methodologies: guidance and methodology on implementing, managing, and monitoring

Each row of the Profile is a Framework Core subcategory (Subcategory 1, 2, 3, ..., 98 in the diagram; that count reflects CSF 1.0, whereas version 1.1 has 108 subcategories).
Mission Vocabulary Refine the Sector Mission
- Mission: universal objective of the sector
- Mission Objective: specific outcomes that support the mission
- Mission Priority: the relative importance of one item versus another
- Mission Dependency: a requirement to fulfill the Mission or a Mission Objective that lives outside of the subsector
Bulk Liquid Transport Mission Refine the Subsector Mission
Mission: Ensuring the safe, secure and timely movement of hazardous bulk liquids within the maritime environment.

Mission Boundaries: Operations that involve (1) loading and discharging hazardous bulk liquids (a) from facilities to vessels, (b) from vessels to vessels, and (c) from vessels to facilities; and (2) the transport or movement of hazardous bulk liquids by vessel.
Mission Objectives Refine the Subsector Mission
- Maintain Personnel Safety (the International Safety Management Code places personnel before environment)
  - Meet Occupational Health Requirements
- Maintain Environmental Safety
- Maintain Operational Security
- Maintain Preparedness
  - Resilient Systems (e.g. weather, environmental)
  - Risk Mitigation Procedures (e.g. SMS)
  - Sustain maintenance and reliability of Physical Equipment
  - Sustain maintenance and reliability of IT Systems
  - Document and Test Plans
- Maintain quality of product
  - Maintain conditions of product during transport (temperature, pressure, additives)
  - Ensure Appropriate Product Testing Is Completed
  - Safe carriage
- Meet HR Requirements
  - Train Personnel Appropriately (good return on people investment)
- Pass Required Audits/Inspections (e.g. OCIMF SIRE inspections)
  - Flag State, Port State, Class Society, Owner/operator, contractual
- Obtain Timely Vessel Clearance
Mission Dependencies Refine the Subsector Mission
Forces outside the sector that affect the mission. Factors affecting likelihood: war, price per barrel.

Ranked by likelihood:
- Navigational processes (GPS/AIS)
- Deliberate attacks
- Weather (region affects likelihood)
- Market forces (less of a day-to-day effect)
- Availability of qualified, experienced, certified inspectors (labor market affects likelihood; many available now = high availability)
- Disruption of supply chain
- Incident alerting/information sharing (e.g. refinery to transportation system)
- Status of labor force (technology training, sustaining agreements, e.g. strike)
- Other Critical Infrastructure (water, communications, energy, supply of fuel)
- Political drivers (domestic and foreign)
Building a Profile A Profile can be Created in Three Steps
(Three-step diagram repeated, with Step 2, Cybersecurity Requirements, highlighted.)
Cybersecurity Requirements
- Maritime Transportation Security Act
- Code of Federal Regulations, Title 33, and Maritime Cyber Security Standards [2014 – ]
- International Ship and Port Facility Security (ISPS) Code framework
- IMO Publication 39/7 dated 10 July 2014, Ensuring Security in and Facilitating International Trade, Measures Toward Enhancing Maritime Cybersecurity
- ISA/IEC Industrial Automation and Control Systems Security
- Standard of Good Practice for Information Security
- ANSI/ISA-99 Industrial Automation and Control System Security
- ISA/IEC Power systems management and associated information exchange – Data and communications security
- ISO 27001:2013 Information Technology – Security techniques – Information security management systems – Requirements
- ISO 28001:2007 Security management systems for the supply chain; Best practices for implementing supply chain security, assessments, and plans – Requirements and guidance
- Federal Information Security Management Act
Building a Profile A Profile can be Created in Three Steps
(Three-step diagram repeated, with Step 3, Operating Methodologies, highlighted.)
Operating Methodologies
- Systems Management: Federal Information Processing Standard 199
- Security controls: COBIT; NIST SP; ISO 27002:2013 Information Technology – Security techniques – Code of practice for information security controls
- Risk Assessment: NIST SP, Guide for Conducting Risk Assessments
- Data Labeling: NIST SP, Guide to Security Categorization
- Information Sharing: NIST SP, Guide to Cyber Threat Info Sharing
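The three steps above describe a Profile as a table: Core subcategories as rows, each traced to mission objectives (step 1), to the requirements that drive it (step 2), and to the operating methodologies used to implement and monitor it (step 3). The following added example, written for this page and not taken from the NIST deck or the MBLT Profile, shows that structure as a small data model and the two outputs a Profile is meant to yield: a gap list ordered by mission priority, and the "compliance reporting as a byproduct" view that lists the rows traced to one requirement source. The subcategory IDs are real CSF 1.1 identifiers; the mission objectives, priorities, requirement texts, methodology names and 0-4 scores are constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Added example, not NIST's code. Subcategory IDs are real CSF 1.1 identifiers;
# objectives, priorities, requirement texts, methodology names and the 0-4
# achievement scale are constructed for illustration.


@dataclass(frozen=True)
class MissionObjective:
    """Step 1: a mission objective and its relative priority (1 = highest)."""
    name: str
    priority: int


@dataclass(frozen=True)
class Requirement:
    """Step 2: one cybersecurity requirement and the source it comes from
    (legislation, regulation, internal/external policy or best practice)."""
    source: str
    text: str


@dataclass
class SubcategoryEntry:
    """One row of the Profile: a Core subcategory, the mission objectives it
    supports, the requirements that drive it, and the operating methodologies
    (Step 3) used to implement, manage and monitor it."""
    subcategory: str                       # CSF 1.1 ID, e.g. "PR.AC-1"
    objectives: list[str]
    requirements: list[Requirement] = field(default_factory=list)
    methodologies: list[str] = field(default_factory=list)
    current: int = 0                       # achievement on a constructed 0-4 scale
    target: int = 0                        # desired state on the same scale


class Profile:
    def __init__(self, objectives: list[MissionObjective]) -> None:
        self.objectives = {o.name: o for o in objectives}
        self.entries: dict[str, SubcategoryEntry] = {}

    def add(self, entry: SubcategoryEntry) -> None:
        """Reject rows not traced to a known mission objective: an outcome with
        no mission justification has no place in a Profile."""
        if not entry.objectives:
            raise ValueError(f"{entry.subcategory}: not traced to any mission objective")
        unknown = set(entry.objectives) - set(self.objectives)
        if unknown:
            raise ValueError(f"{entry.subcategory}: unknown objective(s) {sorted(unknown)}")
        for score in (entry.current, entry.target):
            if not 0 <= score <= 4:
                raise ValueError(f"{entry.subcategory}: score {score} outside 0-4")
        self.entries[entry.subcategory] = entry

    def priority(self, subcategory: str) -> int:
        """A subcategory inherits the highest priority (lowest number) of any
        objective it supports, so mission priority drives the gap ordering."""
        entry = self.entries[subcategory]
        return min(self.objectives[name].priority for name in entry.objectives)

    def gaps(self) -> list[tuple[str, int, int]]:
        """(subcategory, priority, target - current) for every row below its
        target state: highest mission priority first, then largest shortfall."""
        rows = [(self.priority(s), e.target - e.current, s)
                for s, e in self.entries.items() if e.current < e.target]
        rows.sort(key=lambda r: (r[0], -r[1], r[2]))
        return [(s, p, g) for p, g, s in rows]

    def requirements_for(self, source: str) -> list[str]:
        """Subcategories traced to one requirement source: the compliance view
        of the same data, produced without a separate reporting exercise."""
        return sorted(s for s, e in self.entries.items()
                      if any(r.source == source for r in e.requirements))


def build_example_profile() -> Profile:
    """Constructed MBLT-flavoured Profile with a handful of rows."""
    cfr = Requirement("33 CFR 154-156", "constructed: USCG facility/vessel safety regulation")
    iso = Requirement("ISO 27001:2013", "constructed: ISMS requirement on access control")
    p = Profile([
        MissionObjective("Maintain Personnel Safety", 1),
        MissionObjective("Maintain Environmental Safety", 2),
        MissionObjective("Maintain Operational Security", 3),
        MissionObjective("Pass Required Audits/Inspections", 4),
    ])
    # PR.IP-9: response and recovery plans are in place and managed
    p.add(SubcategoryEntry("PR.IP-9", ["Maintain Personnel Safety", "Maintain Environmental Safety"],
                           [cfr], ["SMS under the ISM Code"], current=2, target=4))
    # PR.AC-1: identities and credentials are managed for users, devices, processes
    p.add(SubcategoryEntry("PR.AC-1", ["Maintain Operational Security"],
                           [iso], ["ISO 27002:2013"], current=1, target=4))
    # DE.CM-1: the network is monitored to detect potential cybersecurity events
    p.add(SubcategoryEntry("DE.CM-1", ["Maintain Operational Security"],
                           [], ["constructed: OT network monitoring procedure"], current=0, target=2))
    # ID.AM-1: physical devices and systems are inventoried
    p.add(SubcategoryEntry("ID.AM-1", ["Maintain Operational Security", "Pass Required Audits/Inspections"],
                           [cfr], ["FIPS 199"], current=1, target=3))
    # RS.CO-2: incidents are reported consistent with established criteria (already at target)
    p.add(SubcategoryEntry("RS.CO-2", ["Maintain Personnel Safety", "Pass Required Audits/Inspections"],
                           [cfr], [], current=3, target=3))
    return p


if __name__ == "__main__":
    profile = build_example_profile()
    for subcategory, priority, gap in profile.gaps():
        print(f"{subcategory}: mission priority {priority}, shortfall {gap}")
    print("rows traced to 33 CFR 154-156:", profile.requirements_for("33 CFR 154-156"))
```

Two design points carry over to a real Profile. A row is only accepted when it traces to a mission objective, which is what keeps the Profile a "fusion of business/mission logic and cybersecurity outcomes" rather than a control checklist; and the gap ordering takes the best priority among the objectives a subcategory supports, so a safety-linked outcome such as PR.IP-9 outranks a larger shortfall on a lower-priority objective. Adding a new requirement or methodology is then a matter of attaching it to existing rows, which is the "less intrusive" property the slides claim.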
Opportunities for a CSF Profile for Satellites?
- Identification and prioritization of mission and business objectives
  - For the sector?
  - For segments in the sector (e.g. space ground systems, space assets, space operations)?
- Expression of cybersecurity requirements
  - Regulatory? Industry expressed? Organization specific?
- Application of standards and practices
  - Existing satellite standards and best practices?

Interest has been expressed in applying the CSF to space ground system segments, space assets, and space operations.
Questions & Opportunities to Engage
Cybersecurity Framework:
Cybersecurity Framework Resources:
Follow us on:
Contact: Kevin Stine