2014 – Communications Sector Year in Review Cybersecurity Risk Management Framework Sector Year in Review Kathryn Condello, Chair Communications Sector Coordinating Council


Page 1:

2014 – Communications Sector Year in Review Cybersecurity Risk Management Framework

Sector Year in Review

Kathryn Condello, Chair Communications Sector Coordinating Council

Page 2:

Five Segments: Broadcast, Cable, Satellite, Wireless, and Wireline

Reach: 9700 Network/Service Providers across all 5 segments

Overarching Sector Goals:

• Protect and enhance the overall physical and logical/cyber health of communications;

• Rapidly reconstitute critical communications services during a disruption and mitigate cascading effects; and

• Improve the sector’s National Security / Emergency Preparedness posture with Federal, State, Local, Tribal, Territorial, and private sector entities to reduce risk.

Page 3:

[Diagram: Industry/Government partnership structure across three layers: Policy, Planning, Operations. Industry bodies: NSTAC, ISAC, C-SCC. Government bodies: EOP, C-GCC, NCC. Industry Initiatives: Standards, Best Practices, Segment-Only.]

Page 4:

Internet of Things

ICT Mobilization


Page 5:

Risk Mitigation:
◦ GPS Issues

Assessments:
◦ Qualitative Risk Assessment to the Public Network

Planning:
◦ Joint National Priorities
◦ Communication Sector Specific Plan

Education/Outreach:
◦ NIST Cybersecurity Framework Education

Page 6:

Information Sharing:
◦ Partners: NCCIC, US-CERT, NCC, State Fusion Centers, NCIJTF
◦ National Council of ISACs: FS-ISAC, RE-ISAC, Water-ISAC, MS-ISAC and others
◦ 2014 USG/Sector Info Sharing: > 1200 Notices Received

Exercises:
◦ ESF#2 Training: FEMA Region 1, FEMA Region III
◦ Gov’t/Industry TTX, National Council of ISACs, Aug 2014
◦ Response Planning: Asset Movement to Remote Venues
◦ Education: “Potential” vs. “Real” vs. “CNN” Events

Page 7:

Best Practice Development: CSRIC
1. NextGen 911
2. Wireless Emergency Alerts
3. Emergency Alert System
4. Cybersecurity Best Practices (NIST CSF)
5. Remediation of Server-Based DDoS Attacks
6. Long-term Core Internet Protocols Improvements
7. Legacy Best Practice Updates
8. Submarine Cable Landing Sites
9. Infrastructure Sharing During Emergencies
10. Customer Premise Equipment

Page 8:

Cybersecurity Framework Core
◦ Five Functions
◦ 22 Categories
◦ 98 Subcategories
◦ Informative references (e.g., ISO 27001, NIST 800-53, COBIT)

Page 9:

Cybersecurity Framework Core (Function ID, Function; Category ID, Category)

ID Identify
◦ ID.AM Asset Management
◦ ID.BE Business Environment
◦ ID.GV Governance
◦ ID.RA Risk Assessment
◦ ID.RM Risk Management Strategy

PR Protect
◦ PR.AC Access Control
◦ PR.AT Awareness & Training
◦ PR.DS Data Security
◦ PR.IP Information Protection Processes and Procedures
◦ PR.MA Maintenance
◦ PR.PT Protective Technology

Page 10:

Cybersecurity Framework Core (Function ID, Function; Category ID, Category)

DE Detect
◦ DE.AE Anomalies & Events
◦ DE.CM Security Continuous Monitoring
◦ DE.DP Detection Processes

RS Respond
◦ RS.RP Response Planning
◦ RS.CO Communications
◦ RS.AN Analysis
◦ RS.MI Mitigation
◦ RS.IM Improvements

RC Recover
◦ RC.RP Recovery Planning
◦ RC.IM Improvements
◦ RC.CO Communications

Page 11:

In order to provide confidence in the resilience and reliability of the core public communications functions in the face of cyber threats, Working Group 4 will develop voluntary mechanisms to provide macro-level assurance to the FCC and the public that communications providers are taking the necessary corporate and operational measures to manage cybersecurity risks across the enterprise. The macro-level assurance will demonstrate how communications providers are reducing cybersecurity risks through the application of the NIST Cybersecurity Framework, or an equivalent construct. These assurances:

(1) can be tailored by individual companies to suit their unique needs, characteristics, and risks (i.e., not one-size-fits-all);
(2) are based on meaningful indicators of successful (and unsuccessful) cyber risk management (i.e., outcome-based indicators as opposed to process metrics); and
(3) allow for meaningful assessments both internally (e.g., CSO and senior corporate management) and externally (e.g., business partners).

Page 12:

WG4 Leadership Team

Advisors:
◦ Donna Dodson, WG4 Sr. Technical Advisor, NIST, Deputy Chief Cybersecurity Advisor & Division Chief for Computer Security Division
◦ Lisa Carnahan, NIST, Computer Scientist
◦ Emily Talaga, WG4 Sr. Economic Advisor, FCC
◦ Tony Sager, Council on Cybersecurity

Co-Chairs: Robert Mayer, USTelecom and Brian Allen, Time Warner Cable

Segment Leads:
◦ Broadcast: Kelly Williams, NAB
◦ Cable: Matt Tooley, NCTA
◦ Wireless: John Marinho, CTIA
◦ Wireline: Chris Boyer, AT&T
◦ Satellite: Donna Bethea Murphy, Iridium

Feeder Group Initiatives:
◦ Requirements and Barriers to Implementation – Co-Leads: Harold Salters, T-Mobile; Larry Clinton, Internet Security Alliance
◦ Mids/Smalls – Co-Leads: Susan Joseph, Cable Labs; Jesse Ward, NTCA
◦ Top Cyber Threats and Vectors – Russell Eubanks, Cox; Joe Viens, TWCable
◦ Ecosystem – Shared Responsibilities – Co-Leads: Tom Soroka, USTelecom; Brian Scarpelli, TIA
◦ Measurement – Co-Leads: Chris Boyer, AT&T; Chris Roosenraad, TimeWarnerCable

Drafting Team Co-Leads – Stacy Hartman and Paul Diamond, CenturyLink; Robert Thornberry, Alcatel/Lucent

Engineering and Operational Review Co-Leads – Tom Soroka, USTelecom and John Marinho, CTIA

Segment Leads Support

Page 13:

[Diagram: Cyber Ecosystem Players]

User/Device:
◦ Mobility UE
◦ CPE
◦ Provider-mgd Gateway
◦ M2M/IoT
◦ Corporations

Device Provider:
◦ O/S
◦ Embedded Systems
◦ OEM
◦ AV/IDS/MDM

Provider Edge:
◦ Internet Control Plane (DNS/BGP/TCP/IP)
◦ Macro Wireless
◦ WiFi
◦ Broadband
◦ High-Speed Access
◦ Satellite

Core:
◦ Internet Control Plane (DNS/BGP/TCP/IP)
◦ Public Peering
◦ Private Peering
◦ Private Networks
◦ Mobility EPC

Infrastructure Provider:
◦ Internet Control Plane (DNS/BGP/TCP/IP)
◦ DNS & IP Registrars | CAs
◦ Cloud
◦ Hosting
◦ CDN
◦ MSS

Application/Content:
◦ OTT Comms
◦ Social Networks
◦ Video
◦ Applications

Cross-cutting: Standards/Policies/Practices (e.g., IETF); Physical Security; Malicious Actors

One of the more comprehensive ‘Ecosystem’ diagrams comes from a joint industry/government partnership called the U.S. Communications Sector Coordinating Council (CSCC). The Ecosystem Feeder group determined that this diagram captured a large number of the Ecosystem categories previously identified and that it was an excellent depiction of the various ‘Cyber’ Ecosystem relationships within the Communications Sector.

Page 14:

Issue: Critical infrastructure sectors, including the financial sector, have been under assault from a barrage of DDoS attacks emanating from data centers and hosting providers.

Deliverable: Recommend measures communications providers can take to mitigate the incidence and impact of DDoS attacks from data centers and hosting providers, particularly those targeting the information systems of critical sectors.

Organizations represented: ACS, Akamai/Prolexic, Arbor Networks, AT&T, ATIS, Bell Labs (Alcatel-Lucent), CAUCE, CenturyLink, Comcast, Cox Communications, CSG International, CTIA, DHS, Fed Reserve Board of Governors, FSSCC, Google, IEEE, Internet Identity, Intrado, MAAWG, Microsoft, NCTA, Neustar, Nsight, NTT, Online Trust Alliance, PA Public Utility Commission, Public Interest Registry, Shadowserver, Sprint, Time Warner Cable, Univ of Oregon/Internet2, VeriSign, Inc., Verizon, Wells Fargo, Windstream

http://www.fcc.gov/encyclopedia/communications-security-reliability-and-interoperability-council-iv

Page 15:

Plan Locally: A “whole of community” approach to advance the national resilience effort.

Respond Globally: A “borderless” approach to advance cyber response norms.

Page 16:

Planning:
◦ National Resiliency Framework
◦ Development of an Information Sharing “Framework”

Assessment: Sector Cyber Measures (WG4)

Dependency / Inter-Dependency Analysis:
◦ Electricity Sector (ESCC + CSCC Issues)
◦ Data Center Dependencies (Regional Assessment)
◦ Financial Services Dependencies on Data Centers (Regional Assessment)

Page 17:

Regional Risk Assessments:
◦ Data Center Dependencies: Ashburn, VA
◦ Financial Services Dependencies: Chicago, IL

Findings from Regional Risk Assessments are reviewed for incorporation into Sector Best Practices.

Page 18:

Cloud/Data Centers are increasingly relied upon for functions critical to the Nation’s security.

No specific SCC or ISAC for Cloud/Data Center Providers
◦ Suggest alignment with IT or Communication Sector

Page 19:


National Security Telecommunications Advisory Committee – dhs.gov/nstac

Communications Sector Coordinating Council – commscc.org

National Coordinating Center for Communications (NCC), National Cybersecurity & Communications Integration Center, Department of Homeland Security – dhs.gov/national-coordinating-center-communications

Communications Security, Reliability and Interoperability Council (IV) – www.fcc.gov

Kathryn Condello, CenturyLink, Director, National Security / Emergency Preparedness

[email protected]

Page 20:

Questions?