Presentation on theme: "Resiliency Rules: 7 Steps for Critical Infrastructure Protection."— Presentation transcript:
Slide 1: Resiliency Rules: 7 Steps for Critical Infrastructure Protection

Slide 2: Agenda
- What are critical infrastructures?
- What are the CIP policy drivers?
- The differences between CIP/CIIP and cyber security
- Resiliency rules
Slide 3: What is Critical Infrastructure?

Governments are increasingly aware of the role critical infrastructures play in supporting the overall economy and security of their nations. While definitions may vary slightly, critical infrastructures are generally thought of as the key systems, services and functions whose disruption or destruction would have a debilitating impact on public health and safety, commerce, and national security, or any combination of those matters. These include communications, energy, banking, transportation, public health and safety, and essential government services. It is essential that countries at all stages of development plan for and develop policies that will enable them to provide reasonable assurance of resiliency and security to support key national missions and economic stability.

The infrastructures described above are often thought of as physical assets such as bank buildings, power plants, trains, hospitals and government offices. These physical elements rely upon an often unseen critical information infrastructure and key functions (CII/KF) to actually deliver services and conduct business. Over the past two decades, rapid advances in information services and communications technologies have enabled many traditionally separate infrastructures to integrate and automate. The ubiquity and importance of information and communications technology are increasingly recognized as a discernible cross-cutting "critical information infrastructure" upon which all other infrastructures depend.

In some sense, the CII/KF are more complex to identify than more established infrastructures such as electric power, because they are composed of systems, processes and services that are not readily identifiable in the way physical elements are. However, because virtually all elements of a nation's economy rely upon it, government and the private sector should work together to develop collaborative CIIP frameworks for prevention, detection, response, and recovery.
Slide 4: CIP Policy Drivers

Diagram labels (policy drivers shown around the slide): War, Terrorism, Natural Disaster, IT Attacks, Dependence, Directives, Convergence, Response Plans, Laws & Regulations, Globalization.

Slide 5: CIP/CIIP and Cybersecurity: Understanding the Differences

Diagram labels:
- Critical Infrastructures: Energy, Info & Comms, Transportation, Banking, Government Services
- Non-essential IT systems: Large Enterprises, Personal users
- Cybersecurity: those practices and procedures that enable the secure use and operation of cyber tools and technologies
- Critical Information Infrastructure: cross-cutting ICT interdependencies among all sectors

Slide 6: Resiliency Rules: 7 Steps for Critical Infrastructure Protection
1. Define Goals and Roles
2. Identify and Prioritize Critical Functions
3. Continuously Assess and Manage Risks
4. Establish and Exercise Emergency Plans
5. Create Public-Private Partnerships
6. Build Security/Resiliency into Operations
7. Update and Innovate Technology/Processes
Slide 7: CIP Goals: Establishing Clear Goals is Central to Success

Table 1. Policy elements and sample statements

Policy element: Critical Infrastructure Importance
Sample statement: Critical information infrastructures (CII) provide the essential services that support modern information societies and economies. Some CII support critical functions and essential services so vital that their incapacitation, exploitation, or destruction, through natural disaster, technological failure, accidents or intentional attacks, could have a debilitating effect on national security and economic well-being.

Policy element: Critical Infrastructure Risks
Sample statement: CII exploitation or destruction, through natural disaster, technological failure, accidents or intentional attacks, could have a debilitating effect on national security and economic well-being.

Policy element: CIP Policy Goal/Statement
Sample statement: Prevent or minimize disruptions to critical information infrastructures, no matter the source, and thereby protect the people, the economy, the essential human and government services, and the national security. In the event disruptions do occur, they should be infrequent, of minimal duration and manageable.

Policy element: Public-Private Implementation
Sample statement: Implementing the National CIIP framework includes government entities as well as voluntary public-private partnerships involving corporate and nongovernmental organizations.

To build a collaborative and cooperative CIIP program there needs to be transparency about the expectations and intent of the national effort. This can be established by (1) clearly defining CIIP policy goals, and (2) defining the roles and responsibilities of the various governmental entities and how they will partner with private CII owners and operators.

In general a CIIP policy statement (1) recognizes the importance of CII to the nation, (2) identifies the risk it faces (usually all-hazards), (3) establishes the CIIP policy goal, and (4) broadly identifies how it will be implemented, including through partnership with the private sector. Table 1 above provides some sample language that could address these elements.

National CIIP frameworks should not be immutable policies. Instead, they should be flexible and able to respond to the dynamic risk environments of information infrastructures. CIIP frameworks should establish policy goals and not set technical mandates or regulation. By establishing clear policy goals, government agencies and non-government entities can work together to achieve the stated goals in the most efficient manner.
Slide 8: CIP Roles: Understanding Roles Promotes Coordination

(The speaker notes for this slide repeat the notes of Slide 7 verbatim.)
Slide 9: Define Roles

Diagram: the roles below are arranged in three columns, Government, Shared and Private.

Title: CIIP Coordinator (Executive Sponsor)
Primary responsibility: Leads activities associated with developing and managing national CIIP efforts, including coordinating policy development, outreach and awareness, risk assessment and management efforts, and funding and support for the CIIP program. This role is usually filled by a lead government agency, an interagency committee, or a cabinet official. This role also serves as an important escalation function for resolving important issues and emergencies.

Title: Sector Specific Agency
Primary responsibility: A government agency that is responsible for coordinating the national-level risk management process for a particular sector such as banking or communications. The role generally includes working with infrastructure operators to assess risks, define mitigations, identify security controls, and collaborate with infrastructure operators to understand the overall effectiveness of the CIIP risk management program.

Title: Law Enforcement
Primary responsibility: Preventing, investigating, and prosecuting various aspects of cybercrime, including malware writers, hackers, and organized attackers that intend to steal information or compromise the integrity of critical operations.

Title: Computer Emergency Response Team
Primary responsibility: Responsible for interacting with government agencies, industry, the research community, and others to analyze cyber threats and vulnerabilities and to disseminate reasoned and actionable cyber security information, such as mitigations, to the public as appropriate.

Title: Infrastructure Owners and Operators
Primary responsibility: Responsible for the tangible and intangible assets of the infrastructure or infrastructure elements that they own and/or operate. Operators prioritize business assets; analyze levels of impact to assets; define acceptable risk levels; and implement control solutions to manage/mitigate risks.

Title: Public-Private Partnerships
Primary responsibility: Comprised of representatives from sector-specific agencies, infrastructure operators, and other key stakeholders, the partnership is responsible for collaborating on risk assessment and mitigation strategies.

Title: IT Vendors and Solution Providers
Primary responsibility: Provide products and services which are critical to the information infrastructure operators and the general participants in the national economy. They provide strategic insights on architecture, security, operations and risk management. Additionally, they provide patches and mitigation in the face of attacks.
Slide 10: Identify and Prioritize Critical Functions: Collaborate to Understand Interdependencies

Establish an open dialogue to understand the critical functions, infrastructure elements, and key resources necessary for:
- delivering essential services,
- maintaining the orderly operations of the economy, and
- ensuring public safety.

Diagram labels: Critical Function, Infrastructure Element, Key Resource, each backed by a Supply Chain; Understand Interdependencies.

As countries begin to establish or expand their respective CIIP efforts, it is important that government and private sectors have an open dialogue to discuss what information infrastructure elements, critical functions, and key resources are needed to deliver essential government services, ensure the orderly functioning of the economy, and provide public safety.

The information infrastructure, including both communications and IT services, is composed of many different pieces, including physical and cyber elements, processes, and people that directly support operations: for example, a major peering point, undersea cables, or an international switching system. In addition there is a complex value chain that supports the direct operations. These indirect infrastructure support elements include electric power, water, software, hardware, and others. In addition to the traditional notion of infrastructure there may be certain "key functions" that government and the economy rely upon. These functions could include processes like routing, internet content, broadcast delivery, etc. Disruptions of these key functions could have an immediate and debilitating impact on the ability of a nation to perform essential missions.

Once identified, the critical infrastructure and key functions can be prioritized or ranked as to which is most important and in what context. It is important to remember that the notion of "criticality" is very situation-dependent, and what could be critical in one instance may not be critical in the next. It is important that, as nations identify and prioritize critical infrastructure and key functions, they understand that these will change with technology, infrastructure, and process enhancements.
Slide 11: Continuously Assess and Manage Risks: Protection is the Continuous Application of Risk Management

Diagram labels (risk management cycle):
- Assess Risks: Identify Key Functions, Assess Risks, Evaluate Consequences
- Identify Controls and Mitigations: Define Functional Requirements, Evaluate Proposed Controls, Estimate Risk Reduction/Cost Benefit, Select Mitigation Strategy
- Implement Controls: Seek Holistic Approach, Organize by Control Effectiveness, Implement Defense-in-Depth
- Measure Effectiveness: Evaluate Program Effectiveness, Leverage Findings to Improve Risk Management

Assessing Risk: This phase combines aspects of both quantitative and qualitative risk assessment methodologies. A qualitative approach is used to quickly triage the entire list of security risks. The most serious risks identified during this triage are then examined in more detail using a quantitative approach. The result is a relatively short list of the most important risks that have been examined in detail.

Identifying Controls and Mitigations: Stakeholders identify and select potential controls and mitigations for managing the risks identified during the assessment phase. Once identified, the controls are evaluated to determine (1) whether they meet functional requirements, (2) the extent to which they reduce risk, and (3) their direct and indirect costs and benefits. Finally, a mitigation strategy is selected.

Implementing Controls: Infrastructure operators implement controls (management, technical, operational) and leverage people, processes and technologies for a holistic solution. Defense-in-depth solutions are used to spread risks and reduce the possibility of compromise or disruption.

Measuring Effectiveness: This phase is used to verify that the controls are actually providing the expected degree of protection and to watch for changes in the environment, such as new business applications or attack tools, that might change the organization's risk profile. Sometimes scorecards are used to track progress.
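The two-stage assessment and the control evaluation described on this slide, worked through as an added example (this is illustrative code written for this transcript, not material from the presentation). The qualitative triage uses a constructed likelihood-by-impact scale; the "quantitative approach" is assumed here to be annualized loss expectancy (asset value x exposure factor x annual rate), which the slide does not specify; control selection keeps only controls that meet functional requirements and whose estimated risk reduction exceeds their annual cost. All risk and control figures are constructed sample data.

```python
"""Two-stage risk triage plus control cost/benefit selection (illustrative, constructed data)."""
from dataclasses import dataclass

# Stage 1 scales: assumed qualitative tiers, not taken from the slide.
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"minor": 1, "moderate": 2, "severe": 3}


@dataclass
class Risk:
    name: str
    likelihood: str            # qualitative tier used only for triage
    impact: str                # qualitative tier used only for triage
    asset_value: float = 0.0   # currency units, used only for risks that survive triage
    exposure_factor: float = 0.0  # fraction of asset value lost per incident
    annual_rate: float = 0.0   # expected incidents per year


@dataclass
class Control:
    name: str
    risk_name: str
    meets_requirements: bool   # functional-requirements gate from the slide
    annual_cost: float         # direct cost, currency units per year
    rate_reduction: float      # fraction by which the control cuts annual_rate


def qualitative_score(risk: Risk) -> int:
    """Triage score: likelihood tier times impact tier (1..9)."""
    return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]


def triage(risks: list[Risk], threshold: int = 6) -> list[Risk]:
    """Stage 1: keep only risks whose qualitative score reaches the threshold."""
    return [r for r in risks if qualitative_score(r) >= threshold]


def annualized_loss(risk: Risk) -> float:
    """Stage 2 (assumed ALE model): single-loss expectancy times annual rate."""
    return risk.asset_value * risk.exposure_factor * risk.annual_rate


def evaluate_controls(risks: list[Risk], controls: list[Control]) -> list[tuple[Control, float]]:
    """Return (control, net annual benefit) for controls that meet requirements,
    best first. Net benefit = ALE reduction minus the control's annual cost."""
    by_name = {r.name: r for r in risks}
    scored = []
    for c in controls:
        if not c.meets_requirements or c.risk_name not in by_name:
            continue  # fails the functional gate, or targets a risk that was triaged out
        reduction = annualized_loss(by_name[c.risk_name]) * c.rate_reduction
        scored.append((c, reduction - c.annual_cost))
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def select_strategy(risks: list[Risk], controls: list[Control], threshold: int = 6):
    """Run both stages and pick controls with positive net benefit.
    Returns (shortlisted risk names by ALE, chosen control names by net benefit)."""
    shortlist = sorted(triage(risks, threshold), key=annualized_loss, reverse=True)
    chosen = [c.name for c, net in evaluate_controls(shortlist, controls) if net > 0]
    return [r.name for r in shortlist], chosen


# Constructed sample register: two infrastructure-level risks and two minor ones.
SAMPLE_RISKS = [
    Risk("Undersea cable cut", "medium", "severe", 50_000_000, 0.1, 0.5),
    Risk("Peering point power failure", "high", "severe", 20_000_000, 0.2, 1.0),
    Risk("Office printer outage", "high", "minor"),
    Risk("Billing system malware", "medium", "moderate"),
]

# Constructed candidate controls, including one that fails the functional gate
# and one whose cost exceeds the risk it removes.
SAMPLE_CONTROLS = [
    Control("Redundant cable route", "Undersea cable cut", True, 1_000_000, 0.8),
    Control("Gold-plated cable", "Undersea cable cut", True, 5_000_000, 0.95),
    Control("Backup generators", "Peering point power failure", True, 500_000, 0.9),
    Control("Undersized UPS", "Peering point power failure", False, 50_000, 0.5),
]

if __name__ == "__main__":
    shortlist, chosen = select_strategy(SAMPLE_RISKS, SAMPLE_CONTROLS)
    print("Shortlisted risks:", shortlist)
    print("Selected controls:", chosen)
```

With the sample data the two minor risks drop out at the qualitative stage, the peering point ranks above the cable cut on annualized loss, and only the two controls whose estimated reduction outweighs their cost are selected. The threshold, scales and cost model are the knobs a programme would calibrate with its stakeholders; the shape of the process (cheap triage, detailed analysis of the survivors, requirement gate before cost/benefit) is what the slide describes.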
Slide 12: Establish and Exercise Emergency Plans: Improve Operational Coordination

Public and private sector organizations can benefit from developing joint plans for managing emergencies, including recovering critical functions in the event of significant incidents such as (but not limited to) natural disasters, terrorist attacks, technological failures or accidents.
- Emergency response plans can mitigate damage and promote resiliency.
- Effective emergency response plans are generally short and highly actionable so they can be readily tested, evaluated, and implemented.
- Testing and exercising emergency plans promotes trust, understanding and greater operational coordination among public and private sector organizations.
- Exercises also provide an important opportunity to identify new risk factors that can be addressed in response plans or controlled through regular risk management functions.

Slide 13: Create Public-Private Partnerships

Voluntary public-private partnerships:
- promote the trusted relationships needed for information sharing and collaborating on difficult problems,
- leverage the unique skills of government and private sector organizations, and
- provide the flexibility needed to collaboratively address today's dynamic threat environment.

Slide 14: Build Security and Resiliency into Ops
- Organizational incentives can drive security development lifecycle principles into all lines of business.
- Leveraging the security lifecycle promotes secure and resilient organizations and products.

Slide 16: Update and Innovate Technology/Processes

Cyber threats are constantly evolving. Policy makers, enterprise owners and operators can prepare for changes in threats by:
- monitoring trends,
- keeping systems patched, and
- maintaining the latest versions of software that have been built for the current threat environment.