Critical Infrastructure Protection: Two of Many Standards Needs
presented by Ken Watson
President and Chairman, Partnership for Critical Infrastructure Security
ANSI Annual Conference 2003
Homeland Security: Collaboration, Innovation and Standardization
Slide 2
Critical Infrastructure Protection: Two of Many Needs
Agenda
• Critical Infrastructure Protection background
• Two Key Standards Needs
– Information Sharing
– Manufacturing and Control Systems
• Current Control System Standards Activities
• Information Sharing Recommendations
The World is a Network of Networks…
Any Geographical Area, Any Network, Any Functional Area Is a Place of Vulnerability
[Diagram labels: Water; Oil and Gas; Banking and Finance; Transportation; Internet Core; Telecommunications; Government Services; Emergency Services; Electric]
Critical Infrastructures
PDD-63 Critical Infrastructures
• Water
• Transportation
• Oil & Gas
• Banking & Finance
• Electric Power
• Emergency Services
• Government Services
• Telecommunications
Critical Infrastructures
Added Critical Infrastructures
• Chemical Industry and Hazardous Materials
• Agriculture
• Key National Assets*
• Public Health
• Postal and Shipping
• Food
• Defense Industrial Base
National Security Interest
Infrastructures…
• Are critical to safety, security, our way of life
• Depend on commercial networks
• Are interdependent
• Are largely owned and operated by private companies
• Cannot entirely depend on the Federal government for defense against cyber attacks
Government Needs Industry in a True Public-Private Partnership
The Business Case
• Businesses dependent for their survival on the Internet
• Vulnerabilities threaten economic survivability and competitiveness
• Interdependency
– Supply chain
– Partners
– Customers
– Infrastructure industries
• Companies are on the front lines of defense
Industry Needs Government in a True Public-Private Partnership
Cross-sector Collaboration
Partnership for Critical Infrastructure Security (PCIS)
http://www.pcis.org
• Participation by leaders from government, industry & academia
• Coordinates cross-sector initiatives and complements public-private efforts
• Board of Directors majority always critical infrastructure “sector coordinators”
US Public-Private Relationships for CIP
[Diagram labels: President of the United States; DHS; Federal Departments and Agencies; State and Local Governments; Advisory Committees; Sector Coordinators; PCIS. Sectors shown: Electric Power; Food Safety; Financial Services; Telecommunications; Chemicals; Water; Oil and Natural Gas; Surface Transportation; Air Transportation; Information Technology; Law Enforcement; Firefighters; Emergency Medical; Manufacturing]
Information Sharing and Analysis Centers (ISACs)
• Vital part of Critical Infrastructure Protection (CIP)
• Gather, analyze, and disseminate information on security threats, vulnerabilities, incidents, countermeasures, and best practices
• Early and trusted advance notification of member threats and attacks
• Organized by industry: cross-sector awareness, outreach, response and recovery
• ISAC Council: Leadership of ten ISACs
Need for Information Sharing Standards
• 10 ISACs + DHS: Unique alert levels, message formats, requirements
• Vulnerability disclosure complex issue
– National Infrastructure Advisory Council (NIAC) developing guidelines
• PCIS taxonomy effort—6000 terms
– http://www.pcis.org/library.cfm?urlSection=WG (first two listings)
• ISAC Council working on cross-sector and public-private information sharing mechanisms
• Must consider physical and cyber aspects
Need for Common IT/Control System Risk Analysis Standards
• Control system networks are becoming more like IT networks
• Plant/control system engineers understand safety risk assessments; IT security engineers understand information security risk assessments
• Cyber incident data much more scarce than accident data—deliberate cyber attacks hard to quantify
• Therefore, need common physical and cyber analysis tools
– Methodologies similar for both aspects
– Interdependencies
Current Control System Cybersecurity Standards Activity
• American Gas Association AGA-12-1: draft standard currently in development for protecting legacy Supervisory Control And Data Acquisition (SCADA) communications links
– See http://www.gtiservices.org/security/
• Instrumentation Systems and Automation Society (ISA) SP-99: cross-sector cybersecurity initiative
– Aimed at doing the best with existing technology and practices
– Two reports:
  – TR-1 (Technology)
  – TR-2 (Application and Practice)—out for ballot 16 Sep 2003
– See http://www.isa.org/MSTemplate.cfm?MicrositeID=988&CommitteeID=6821
• NIST Process Control Systems Security Requirements Forum (PCSRF): draft "Security Capabilities Profile" document to serve as the basis for writing protection profiles for different control systems components
– Aimed at next generation of control system networks and products
– See http://www.isd.mel.nist.gov/projects/processcontrol/
Information Sharing Recommendations
• Leverage ongoing work
– NIAC Vulnerability Disclosure guidelines
– ISAC Council procedures
– PCIS “dictionary”
• Work toward standard:
– Message formats
– Terms
– Alert levels (where applicable)