#25 – CYBER RISK FRAMEWORKS – ED PERKINS

OLYMPUS DIGITAL CAMERAThe US Federal government folks in the Computer Security Division (CSD) at National Institute of Standards and Technology (NIST) have been hard at work on the Cybersecurity Framework deliverables for the President’s February Executive Order 13636, on Improving Critical Infrastructure Cybersecurity. (see prior Insights post).  NIST has created a web portal for the Framework at http://www.nist.gov/itl/cyberframework.cfm .  The NIST CSD portal is http://csrc.nist.gov/.

Crucial dates for deliverables are: October 12, when the 240 days to develop the “baseline” framework are up, and February 12, 2014, when the final version is to be published.

Cyber risk has been identified as the #1 global threat (see this and this Insights posts), so it will be interesting to see what the final Framework defines.

NIST FRAMEWORKS
In February NIST issued an RFI for “information to help identify, refine, and guide the many interrelated considerations, challenges, and efforts needed to develop the Framework” (https://www.federalregister.gov/articles/2013/02/26/2013-04413/developing-a-framework-to-improve-critical-infrastructure-cybersecurity) with comments due April 8. NIST received 265 responses to the RFI. You can peruse them at http://csrc.nist.gov/cyberframework/rfi_comments.html.  Comments range from 1-pagers to thesis-level tomes.

NIST has been holding a series of Cybersecurity Framework workshops; the fourth was held on September 11-13.  The fifth will be held November 14-15, 2013 at North Carolina State University (NCSU) in Raleigh, North Carolina.  See the NIST Cybersecurity Framework portal http://www.nist.gov/itl/cyberframework.cfm for details.

On July 2, NIST released the draft outline of the “Preliminary Cybersecurity Framework” (http://www.nist.gov/itl/upload/draft_outline_preliminary_framework_standards.pdf) which was the subject  of the 3rd Cybersecurity Framework workshop July 10-12, 2013 held in San Diego at the University of California, San Diego (UCSD).  At this workshop, NIST presented an annotated outline of the initial draft Cybersecurity Framework for discussion. Workshop participants were asked to offer nput on the level of guidance, integration with existing standards, practices, and guidelines, and potential gaps.

On August 28, NIST released the “Discussion Draft of the Preliminary Cybersecurity Framework” (Framework) http://www.nist.gov/itl/upload/discussion-draft_preliminary-cybersecurity-framework-082813.pdf.

RISK FRAMEWORK
According to the Draft, the Framework is composed of three parts: the Core, the Implementation Tiers, and the Profile. These components are detailed below.

  • Framework Core (“Core”) – a compilation of cybersecurity activities and references that are common across critical infrastructure sectors.
  • Framework Implementation Tiers (“Tiers”) – to demonstrate the implementation of the Framework Core Functions and Categories and indicate how cybersecurity risk is managed.
  • Framework Profile (“Profile”) – which shows how an organization would manage cybersecurity risk in each of the Framework Core Functions and Categories by identifying Subcategories that are implemented or planned for implementation.

The Core presents standards and best practices to allow for communication and risk management across the organization from the senior executive level to the implementation/operations level. The Framework Core consists of five Functions—Identify, Protect, Detect, Respond, Recover—which can provide a high-level, strategic view of an organization’s management of cybersecurity risk.

The Core then identifies underlying key Categories and Subcategories for each of these Functions, and matches them with Informative References such as existing standards, guidelines, and practices for each Subcategory. For example, for the “Protect” Function, categories include: Data Security; Access Control; Awareness and Training; and Protective Technology. At the next level down, in Subcategory “Data Security”, ISO/IEC 27001 Control A.10.8.3 is an informative reference which supports the “Data during transportation/transmission is protected to achieve confidentiality, integrity, and availability goals” Subcategory of the “Data Security” Category.

The Tiers define four implementation levels that reflect organizational maturity in addressing cybersecurity by implementing the Framework. The implementation of the Framework Core Functions and Categories indicate how cybersecurity risk is managed. The Tiers are Partial (Tier 0), Risk-Informed (Tier 1), Repeatable (Tier 2) and Adaptive (Tier 3), with each Tier building on the previous Tier.

The Profile conveys how an organization manages cybersecurity risk in each of the Framework Core Functions and Categories by identifying the Subcategories that are implemented or planned for implementation. Profiles are developed by using risk assessment and applying risk management. Profiles are also used to identify the appropriate goals for an organization or for a critical infrastructure sector and to assess progress against meeting those goals.

COMPENDIUM
Appendix A of the Core provides a matrix showing the functions, categories, subcategories, and informative references.  This is a compendium of informative references that include standards, guidelines and best practices provided as an initial data set to map to functions, categories, subcategories, and informative references.

The Framework’s compendium (http://www.nist.gov/itl/upload/draft_framework_compendium.xlsx) points to many standards – including performance and process-based standards.  These are intended to be illustrative and to assist organizations in identifying and selecting standards for their own use.  The compendium also offers practices and guidelines, including practical implementation guides.  The draft was released in July.

The 322 standards, guidelines, and practices listed are intended to be informative resources; they reflect the recommendations of the private-public partners who helped to develop the Framework.  Each organization using the Framework will need to decide which of these match their relative threats, vulnerabilities, and risks as well as the resources available.  The goal will be to provide appropriate performance in terms of cybersecurity protection in view of the organization’s overall management of risk.  If alternative standards, guidelines, and practices are used, organizations should be certain that they provide that level of expected performance.

FRAMEWORK CORE ELEMENTS
The Framework Core elements are defined to work together as follows:

  • Functions provide the highest level of structure, for organizing cybersecurity activities into Categories and Subcategories.  These Functions are: Identify, Protect, Detect, Respond, and Recover.
  • Categories are the subdivisions of a Function into groups of cybersecurity activities, more closely tied to programmatic needs.  Examples of Categories include “Asset Management,” “Access Control,” and “Detection Processes.”
  • Subcategories further subdivide a Category into high-level tactical activities to support technical implementation.  Examples of subcategories include “Inventory and track physical devices and systems within the organization,” “Protect network integrity by segregating networks/implementing enclaves (where appropriate),” and “Assess the impact of detected cybersecurity events to inform response and recovery activity.”
  • Informative References are specific sections of standards and practices common among critical infrastructure sectors and illustrate a method to accomplish the activities within each Subcategory.  The Subcategories are derived from the Informative References.  The Informative References presented in the Framework Core are not exhaustive, and organizations are free to implement other standards, guidelines, and practices. [see compendium]

FRAMEWORK CORE FUNCTIONS
The five Framework Core Functions apply to both traditional information technology and operational technology.

  • Identify – Develop the institutional understanding of which organizational systems, assets, data, and capabilities need to be protected, determine priority in light of organizational mission, and establish processes to achieve risk management goals.
  • Protect – Develop and implement the appropriate safeguards, prioritized through the organization’s risk management process, to ensure delivery of critical infrastructure services.
  • Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event. [need def]
  • Respond – Develop and implement the appropriate activities, prioritized through the organization’s risk management process (including effective planning), to take action regarding a detected cybersecurity event.
  • Recover – Develop and implement the appropriate activities, prioritized through the organization’s risk management process, to restore the appropriate capabilities that were impaired through a cybersecurity event.

CYBER MATURITY AND CAPABILITY TIERS
The four Tiers are defined in the Core as:

  • Tier 0: Partial – The organization has not yet implemented a formal, threat-aware risk management process to determine a prioritized list of cybersecurity activities. The organization may implement some portions of the Framework on an irregular, case-by-case basis due to varied experience or information gained from outside sources.  An organization at Tier 0 might not have the processes in place to share cybersecurity information internally between its organizational layers and might not have the processes in place to participate in coordination or collaboration with other entities.
  • Tier 1: Risk-Informed – The organization uses a formal, threat-aware risk management process to develop a Profile of the Framework.  In addition, risk-informed, management-approved processes and procedures are defined and implemented and staff has adequate resources to perform their cybersecurity duties. The organization knows its role in the larger ecosystem, but has not formalized its capabilities to interact and share information externally.
  • Tier 2: Repeatable – The organization updates its Profile based on regular application of its risk management process to respond to a changing cybersecurity landscape. Risk-informed policies, processes, and procedures are defined, implemented as intended, and validated.  The organization will also have consistent methods in place to provide updates when a risk change occurs.  Personnel have adequate knowledge and skills to perform their defined roles and responsibilities. The organization understands its dependencies and partners and can consume information from these partners to help prevent and improve its reaction to events.
  • Tier 3: Adaptive – The organization updates its Profile based on predictive indicators derived from previous and anticipated cybersecurity activities.  These updates to the Profile enable the organization to actively adapt to a changing cybersecurity landscape and emerging/evolving threats.  Risk-informed policies, processes, and procedures are part of the organizational culture and evolve from previous activities (and from information shared by other sources) to predict and address potential cybersecurity events.  The organization manages risk and actively shares information with partners to ensure that accurate, current information is being distributed and consumed to improve cybersecurity before an event occurs.

IT’S UP TO YOU
NIST by design is not being prescriptive, they feel it it is up to the organization to employ risk-based decision making to determine which aspects of the Framework Core elements, functions, standards and practices are applicable to achieve its desired capabilities and  maturity Tier. Note, however, that the expectations are large.

REFERENCES:

#8 – EXECUTIVE ORDER – IMPROVING CRITICAL INFRASTRUCTURE CYBER SECURITY – ED PERKINS
https://insights.cermacademy.com/2013/02/8-executive-order-improving-critical-infrastructure-cyber-security-president-obama/

Discussion Draft – Preliminary Cybersecurity Framework, August 28, 2013
http://www.nist.gov/itl/upload/discussion-draft_preliminary-cybersecurity-framework-082813.pdf

Discussion Draft – Executive Overview, August, 28, 2013
http://www.nist.gov/itl/upload/discussion-draft_executive-overview-082813.pdf

Discussion Draft – Illustrative Examples, Threat Mitigation, August 28, 2013
http://www.nist.gov/itl/upload/discussion-draft_illustrative-examples-082813.pdf

Discussion Draft – Illustrative Example, ICS Profile for the Electricity Subsector, August 30, 2013
http://www.nist.gov/itl/upload/framework_example_electric-tysubsector_20130830.pdf

DRAFT Outline – Preliminary Cybersecurity Framework, July 1, 2013
http://www.nist.gov/itl/upload/draft_outline_preliminary_framework_standards.pdf

DRAFT – Framework Core
http://www.nist.gov/itl/upload/draft_framework_core.pdf

DRAFT – Compendium
http://www.nist.gov/itl/upload/draft_framework_compendium.xlsx

 

Leave a Reply

Your email address will not be published. Required fields are marked *