cyber critical infrastructure framework panel
DESCRIPTION
The following presentation slides were used during the 2014 Cyber Summit Panel Session on Cyber Critical Infrastructure Guidelines at the University of Alabama at Birmingham.
TRANSCRIPT
NIST Cyber Critical Infrastructure Guidelines
Meet Our Panelists
Allen Johnston, Ph.D., Associate Professor of Information Systems
Paul M. Di Gangi, Ph.D., CISSP, Assistant Professor of Information Systems
Deborah Williams, CISSP, Program Manager
Matthew Speare, Head of Governance & Integration
Angella Carlisle, CISSP, CRISC, CHSP, IT Security Manager
Dave Summitt, CISSP, Chief Information Security Officer
OUR NATION’S
Critical Infrastructure Gone Digital...
EO 13636: Improving Critical Infrastructure Cybersecurity
It is the policy of the United States to enhance the security and
resilience of the Nation’s critical infrastructure and to maintain a
cyber environment that encourages efficiency, innovation,
and economic prosperity while promoting safety, security,
business confidentiality, privacy, and civil liberties.
February 2013
What are the critical infrastructure sectors?
85%
PRIVATELY OWNED
Critical Sector Reg's/Standards/Laws
Sector                               Regulation/Standard/Law
Agriculture & Food                   21 CFR 11
Commercial Facilities                25 CFR 542
Dams                                 CIP 002-009 (Mandatory)
Energy                               CIP 002-009 (Mandatory)
Information Technology               N/A
Postal & Shipping                    N/A
Banking & Finance                    12, 16, 17, 31 CFR (SOX, GLB, AML)
Communications                       N/A
Defense Industrial Base              NISPOM
Government Facilities                N/A
National Monuments & Icons           N/A
Transportation Systems               49 CFR 193, 1520
Chemical                             6 CFR 27
Critical Manufacturing               N/A
Emergency Services                   N/A
Healthcare & Public Health           45 CFR 164 (HIPAA)
Nuclear Reactors, Materials & Waste  10 CFR 73 (NRC)
Water                                42 U.S.C. 300-2 (Law)
What are we already doing to protect these sectors?
But there are still gaps to the overall strategy!
Organizational Views on Cybersecurity
Adaptive: Adapts cybersecurity practices based on lessons learned & predictive indicators; organization-wide approach to managing risk using risk-informed policies, processes, and procedures; actively shares information w/ partners
Repeatable: Risk management practices are formally approved, expressed in policy, and updated regularly; organization-wide approach to managing risk using risk-informed policies, processes, and procedures; understands dependencies w/ partners
Informed: Risk management practices are approved by management, but may not have established organization-wide policy; awareness of risk at organizational level but approach not established; not formally sharing w/ partners
Partial: Risk management practices are not formalized & risk is managed in a reactive manner; implements risk management on a case-by-case basis; may not coordinate or collaborate w/ partners
Cybersecurity Framework
Strategically-oriented for “Big Picture” View
Threat/Risk Centric Process Approach
Incentive Type / Summary Description
Grants
Fixed cost, performance-based awards for investment in cybersecurity products and services for prospective Framework adopters.
Rate-Recovery for Price-Regulated Industries
Recovery of cybersecurity investments in the rates charged for services provided by Framework adopters through a price cap, in which the government allows a firm to charge up to a certain maximum price that is independent of the realized cost.
Bundled Insurance Requirements, Liability Protection, and Legal Benefits
A system of litigation risk mitigation for which those entities that adopt the Framework and meet reasonable insurance requirements are eligible to apply. Other types of legal benefits may include limited indemnity, higher burdens of proof, or limited penalties; case consolidations; case transfers to a single Federal court; creation of a Federal legal privilege that preempts State disclosure and/or discovery requirements for certain cybersecurity self-assessments.
Prioritizing Certain Classes of Training and Technical Assistance
The Federal Government offers several types of technical assistance to critical infrastructure owners and operators, including preparedness support, assessments, training of employees, and advice on best practices.
Procurement Considerations
Introduce a technical requirement in the procurement process for certain types of acquisitions for Framework adopters, or requirements for Framework adoption for Federal information and communications technology providers or other contracts, particularly those involving access to sensitive government information or essential services.
Streamline Information Security Regulations
Creation of a unified compliance model for similar requirements and eliminate overlaps among existing laws; streamlining of differences between U.S. and international law (perhaps through treaties); ensuring equivalent adoption; reducing audit burdens; and offering prioritized permitting.
Why should organizations adopt a non-mandatory framework?
Where are we in the timeline?
Panel Discussion Question:
What are the pressing issues for critical infrastructure organizations in the information security/assurance domain?
What are the initial reactions of organizations in your industry to the Critical Infrastructure guidelines that were recently released?
Panel Discussion Question:
How well do the Critical Infrastructure guidelines integrate with your existing regulatory requirements? What's new that is currently not addressed?
Are the Critical Infrastructure guidelines likely to become a standard for your industry or do you see a different set of guidelines being adopted?
Panel Discussion Question:
What are the primary challenges your organization faces for implementing the Critical Infrastructure guidelines?
Panel Discussion Question:
Of the proposed incentives, grants, technical assistance, rate recovery, liability reform – which are most attractive to you?
How are the incentives being perceived within your industry for complying with the Critical Infrastructure guidelines?