1. Resiliency Rules:
7 Steps for Critical Infrastructure Protection

2. Agenda What are critical infrastructures?
What are the CIP policy drivers?
The differences between CIP/CIIP and cyber security
Resiliency rules

3. What is Critical Infrastructure?
Critical infrastructures are generally thought of as the key systems, services and functions whose disruption or destruction would have a debilitating impact on public health and safety, commerce, and national security or any combination of those matters.
These include communications, energy, banking, transportation, public health and safety and essential government services.
Governments are increasingly aware of the role critical infrastructures play in supporting the overall economy and security of their nations. While definitions may vary slightly, critical infrastructures are generally thought of as the key systems, services and functions whose disruption or destruction would have a debilitating impact on public health and safety, commerce, and national security or any combination of those matters. These include communications, energy, banking, transportation, public health and safety and essential government services. It is essential that countries at all stages of development plan for and develop policies that will enable them to provide reasonable assurance of resiliency and security to support key national missions and economic stability.
The infrastructures described above are often thought of as physical assets such as bank buildings, power plants, trains, hospitals and government offices. These physical elements rely upon an often unseen critical information infrastructure and key functions (CII/KF) to actually deliver services and conduct business. Over the past two decades rapid advances in information services and communications technologies have enabled many traditionally separate infrastructures to integrate and automate. The ubiquity and importance of information and communications technology are increasingly recognized as a discernable cross-cutting “critical information infrastructure” upon which all other infrastructures depend. In some sense, the CII/KF are more complex to identify than more established infrastructures such as electric power, because it is composed of systems, processes and services that are not readily identifiable is the way physical elements are. However, because virtually all elements of a nation’s economy rely upon it, government and private sector should work together to develop collaborative CIIP frameworks for prevention, detection, response, and recovery.

4. CIP Policy Drivers WAR Terrorism Natural Disaster IT Attacks
Dependence IT
Attacks
Directives
Convergence
Terrorism
Response
Plans
Laws &
Regulations
Globalization

5. CIP/CIIP and Cybersecurity
Understanding the Differences
Critical Infrastructures
Non-essential IT systems
Cybersecurity
Those practices and procedures that enable the secure use and operation of cyber tools and technologies
Critical Information Infrastructure
Cross-Cutting ICT interdependencies among all sectors
Large Enterprises
Personal
users
Energy
Info & Comms
Transportation
Banking
Government Services

6. Resiliency Rules Define Goals and Roles
7 Steps for Critical Infrastructure Protection
Define Goals and Roles
Identify and Prioritize Critical Functions
Continuously Assess and Manage Risks
Establish and Exercise Emergency plans
Create Public-Private Partnerships
Build Security/Resiliency into Operations
Update and Innovate Technology/Processes

7. CIP Goals Establishing Clear Goals is Central to Success
Policy Elements
Sample Statement
Critical Infrastructure Importance
Critical information infrastructures (CII) provide the essential services that support modern information societies and economies. Some CII support critical functions and essential services so vital that the incapacitation, exploitation, or destruction, through natural disaster, technological failure, accidents or intentional attacks could have a debilitating effect on national security and economic well-being.
Critical Infrastructure Risks
CII exploitation, or destruction, through natural disaster, technological failure, accidents or intentional attacks could have a debilitating effect on national security and economic well-being.
CIP Policy Goal/Statement
Prevent or minimize disruptions to critical information infrastructures, no matter the source, and thereby protect the people, the economy, the essential human and government services, and the national security. In the event disruptions do occur, they should be infrequent, of minimal duration and manageable.
Public-Private Implementation
Implementing the National CIIP framework includes government entities, as well as, voluntary public private partnerships involving corporate and nongovernmental organizations.
To build a collaborative and cooperative CIIP program there needs to be transparency about expectations and intent of the national effort. This can be established by (1) clearly defining CIIP policy goals, and (2) defining the roles and responsibilities of the various governmental entities and how they will work partner with private CII owners and operators.
In general a CIIP policy statement (1) recognizes the importance of CII to the nation, (2) identifies the risk it faces (usually all-hazards), (3) establishes the CIIP policy goal, and (4) broadly identifies how it will be implemented, including through partnership with the private sector. Table1 below provide some sample language that could address these elements.
National CIIP frameworks should not be immutable policies. Instead, they should be flexible and able to respond to the dynamic risk environments of information infrastructures. CIIP frameworks should establish policy goals and not set technical mandates or regulation. By establishing clear policy goals government agencies and non government entities can work together to achieve the stated goals in the most efficient manner.

8. CIP Roles Understanding Roles Promotes Coordination
To build a collaborative and cooperative CIIP program there needs to be transparency about expectations and intent of the national effort. This can be established by (1) clearly defining CIIP policy goals, and (2) defining the roles and responsibilities of the various governmental entities and how they will work partner with private CII owners and operators.
In general a CIIP policy statement (1) recognizes the importance of CII to the nation, (2) identifies the risk it faces (usually all-hazards), (3) establishes the CIIP policy goal, and (4) broadly identifies how it will be implemented, including through partnership with the private sector. Table1 below provide some sample language that could address these elements.
National CIIP frameworks should not be immutable policies. Instead, they should be flexible and able to respond to the dynamic risk environments of information infrastructures. CIIP frameworks should establish policy goals and not set technical mandates or regulation. By establishing clear policy goals government agencies and non government entities can work together to achieve the stated goals in the most efficient manner.

9. Define Roles Government Shared Private
CIIP Coordinator (Executive Sponsor)
Infrastructure Owners and Operators
Public-Private Partnerships
Law Enforcement
IT Vendors and Solution Providers
Title
Primary Responsibility
CIIP Coordinator (Executive Sponsor)
Leads activities associated with developing and managing national CIIP efforts, including coordinating policy development, outreach and awareness, risk assessment and management efforts, funding and support for the CIIP program efforts. This role is usually filled by a lead government agency, an interagency committee, or a cabinet official. This role also serves as an important escalation functions for resolving important issues and emergencies.
Sector Specific Agency
A government agency that is responsible for coordinating the national-level risk management process for a particular sector such as banking or communications. The role generally includes working with infrastructure operators to assess risks, define mitigations, identify security controls, and collaborate with infrastructure operators to understand the overall effectiveness of the CIIP risk management program.
Law Enforcement
Preventing, investigating, and prosecuting various aspects of cybercrime including malware writers, hackers, and organized attackers that intend to steal information or compromise the integrity of critical operations.
Computer Emergency Response Team
Responsible for interacting with government agencies, industry, the research community, and others to analyze cyber threats and vulnerabilities, disseminate reasoned and actionable cyber security information such as mitigations to the public, as appropriate.
Infrastructure Owners and Operators
Is responsible for tangible and intangible assets to the infrastructure or infrastructure elements that they own and/or operate. Operators prioritize business assets; analyze levels of impact to assets; define acceptable risk levels; and implement control solutions to manage/mitigate risks.
Public-Private Partnerships
Comprised of representatives from sector-specific agencies, infrastructure operators, and other key stakeholders, the partnership is responsible for collaborating on risk assessment and mitigation strategies.
IT Vendors and Solution Providers
Provide products and services which are critical to the information infrastructure operators and the general participants in the national economy. They provide strategic insights on architecture, security, operations and risk management. Additionally, they provide patches and mitigation in the face of attacks.
Computer Emergency Response Team
Sector Specific Agency
Government Shared Private

10. Identify and Prioritize Critical Functions
Collaborate to understand Interdependencies
Establish an open dialogue to understand the critical functions, infrastructure elements, and key resources necessary for
delivering essential services,
maintaining the orderly operations of the economy, and
ensuring public safety.
Critical Function
Infrastructure Element
Key Resource
Supply Chain
Supply Chain
Supply Chain
Critical Function
Infrastructure Element
Key Resource
As countries begin to establish or expand their respective CIIP efforts it is important that government and private sectors have an open dialogue to discuss what information infrastructure elements, critical functions, and key resources are needed to deliver essential government services, ensure orderly functioning of the economy, and providing public safety.
The information infrastructure – including both communications and IT services – is composed of many different pieces including physical and cyber elements, processes, and people that directly support operations. For example a major peering point, undersea cables, or international switching system. In addition there is a complex value chain that supports the direct operations. These indirect infrastructure support elements include electric power, water, software, hardware, and others. In addition, to the traditional notion of infrastructure there may be certain “key functions” that government and economy rely upon. These functions could include processes like routing, internet content, broadcast delivery etc. Disruptions of these key functions could have an immediate and debilitating impact on the ability of a nation to perform essentials missions.
Once identified, the critical infrastructure and key functions can be prioritized or ranked as to which is most important and in what context. It is important to remember that the notion of “criticality” is very situation-dependent and what could be critical in one instance may not be critical in the next. It is important that, as nations identify and prioritize critical infrastructure and key functions, they understand that these will change with technology, infrastructure, and process enhancements.
Critical Function
Supply Chain
Supply Chain
Supply Chain
Infrastructure Element
Key Resource
Understand Interdependencies
Supply Chain
Supply Chain
Supply Chain
Supply Chain

11. Continuously Assess and Manage Risks
Protection is the Continuous Application of Risk Management
Continuously Assess and Manage Risks
Evaluate Program Effectiveness
Leverage Findings to Improve Risk Management
Assess Risks
Identify Controls and Mitigations
Implement Controls
Measure Effectiveness
Identify Key Functions
Assess Risks
Evaluate Consequences
Assessing Risk: This phase, combines aspects of both quantitative and qualitative risk assessment methodologies. A qualitative approach is used to quickly triage the entire list of security risks. The most serious risks identified during this triage are then examined in more detail using a quantitative approach. The result is a relatively short list of the most important risks that have been examined in detail.
Identifying Controls and Mitigations: Stakeholders identify and select potential controls and mitigations for managing the risks indentified during the assessment phase. Once identified, the controls are evaluated to determine if they (1) meet functional requirements, (2) the extent to which they reduce risk, and (3) their direct and indirect costs and benefits. Finally, a mitigation strategy is selected.
Implementing Controls: Infrastructure operators implement controls (management, technical, operational) and leverage people, processes and technologies for a holistic solution. Defense-in-depth solutions are used to spread risks and reduce the possibility of compromise or disruption.
Measuring Effectiveness: This phase is used to verify that the controls are actually providing the expected degree of protection and to watch for changes in the environment such as new business applications or attack tools that might change the organization's risk profile. Sometimes scorecards are use to track progress.
Define Functional Requirements
Evaluate Proposed Controls
Estimate Risk Reduction/Cost Benefit
Select Mitigation Strategy
Seek Holistic Approach.
Organize by Control Effectiveness
Implement Defense-in Depth

12. Establish and Exercise Emergency plans
Improve Operational Coordination
Establish and Exercise Emergency plans
Public and private sector organizations can benefit from developing joint plans for managing emergencies – including recovering critical functions in the event of significant incidents, including but limited to natural disasters, terrorist attacks, technological failures or accidents.
Emergency response plans can mitigate damage and promote resiliency.
Effective emergency response plans are generally short and highly actionable so they can be readily tested, evaluated, and implemented.
Testing and exercising emergency plans promotes trust, understanding and greater operational coordination among public and private sector organizations.
Exercises also provide an important opportunity to identify new risk factors that can be addressed in response plans or controlled through regular risk management functions.

13. Create Public-Private Partnerships
Voluntary public-private partnerships
Promote trusted relationships needed for information sharing and collaborating on difficult problems,
Leverage the unique skills of government and private sector organizations, and
Provide the flexibility needed to collaboratively address today’s dynamic threat environment

14. Build Security and Resiliency into Ops
Organizational incentives can drive security development lifecycle principles into all line of business
Leveraging the security lifecycle promotes secure and resilient organizations and products

15. The Security Development Lifecycle
4/20/2017 8:33 AM
The Security Development Lifecycle
Driving Change Across Microsoft
Product Inception
Assign security advisor
Identify security milestones
Plan security integration into product
Design
Define security architecture and design guidelines
Document elements of software attack surface
Threat Modeling
Standards, best practices, and tools
Apply coding and testing standards
Apply security tools (fuzzing tools, static-analysis tools, etc)
Security Push
Security code reviews
Focused security testing
Review against new threats
Meet signoff criteria
Final Security Review
Independent review conducted by the security team
Penetration testing
Archiving of compliance info
RTM and Deployment
Signoff
Security Response
Plan and process in place
Feedback loop back into the development process
Postmortems
© 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

16. Update and Innovate Technology/Processes
Cyber threats are constantly evolving
Policy makers, enterprise owner and operators can prepare for changes in threats by
Monitoring trends
Keeping systems patched
Maintaining the latest versions of software that have been built for the current threat environment.

17. Microsoft Innovations Drive
4/20/2017 8:33 AM
Microsoft Innovations Drive
Guidance
Developer Tools
Active Directory Federation Services (ADFS)
Identity Management
Systems Management
Information Protection
Encrypting File System (EFS)
BitLocker™
Services
Client and Server OS
Server Applications
Edge
Network Access Protection (NAP)
© 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

18. Questions?