19 Apr This week you will want to start developing a series of enhancements and upgrades for the company that will better secure your network against the attack vectors that your readings identif
Instructions
This week's assignment we are going to go back and look at our setup from Weeks 2 and 6’s assignment. You will want to use the knowledge gained from the readings this week to identify any possible attack vectors to your SCADA/ICS network system. You are NOT producing a full risk assessment this week, rather just identifying any possible changes that you may need to make after your readings.
Assignment Guidelines:
Step 1: Again, this week you will want to start developing a series of enhancements and upgrades for the company that will better secure your network against the attack vectors that your readings identified.
Step 2: Once you have developed your list of enhancements and upgrades you will put together a Word document laying out the proposed changes and the reason for those changes.
Module 4 Risk Management
Except where otherwise noted, this presentation is licensed under a
CyberWatch West,
Whatcom Community College.
©2017
Creative Commons Attribution 4.0 International License.
Lesson Objectives
Describe basic security service principles (confidentiality, integrity, availability, and authentication) and their relative importance to CI systems.
Explain basic risk management principles.
Identify various risk management frameworks and standards, such as the NIST Cybersecurity Framework and the North American Electricity Reliability Council (NERC).
Describe how to use the framework core process.
Describe how to use the Framework Implementation Tiers to identify cybersecurity risk and the processes necessary to effectively manage that risk.
Describe the Cybersecurity Framework Assessment Process Model.
Demonstrate an understanding of how the framework process holistically manages risk.
Except where otherwise noted, this presentation is licensed under a
CyberWatch West,
Whatcom Community College.
©2017
Creative Commons Attribution 4.0 International License.
2
Basic Security Services
Core security services that should be guaranteed in a system. These services generally include:
Confidentiality – Ensuring that access to assets and data is limited to only authorized entities.
Integrity – Ensuring that data has not been modified by an unauthorized entity.
Availability – Ensuring that data and assets are readily accessible to authorized entities.
Authentication – Verifying that an entity is, in fact, the entity that it claims to be.
Can you think of examples where these services would be required?
Except where otherwise noted, this presentation is licensed under a
CyberWatch West,
Whatcom Community College.
©2017
Creative Commons Attribution 4.0 International License.
The term “entities” is used as it includes both individuals, as well as processes, that might need to use the asset.
While most data systems place an emphasis on protecting the data confidentiality, critical infrastructure sectors tend to place an emphasis on availability. Consider the criticality of transportation systems that require immediate access to rail conditions and traffic to effectively and safely route trains. Integrity must be guaranteed as well. Airplanes have more than 70,000 sensors collecting data and providing that data to onboard flight systems. What would happen if that data was modified and inaccurate data was reported to the computer? Finally, the critical nature of authenticating the source of information can not be understated. What would happen if your car accepted updates from a “spoofed” source, downloading inaccurate GPS maps? While this could be an annoyance for most drivers, it becomes an issue of public safety if this happens to self-driving vehicles. Therefore, it becomes critical that we “authenticate” the identity of the source of the updates.
3
CIA Triad
Critical Infrastructure Assets
Confidentiality
Availability
Integrity
Except where otherwise noted, this presentation is licensed under a
CyberWatch West,
Whatcom Community College.
©2017
Creative Commons Attribution 4.0 International License.
Confidentiality, Integrity, and Availability are generally considered to be the most important components of security. They can be represented as the “CIA Triad,” in which you see them providing security protection to critical infrastructure assets such as data and equipment. It is important to note that, while some assets will require the services of each, or all, other assets will not require these security services. The process of a risk assessment, as will be discussed, helps the system owner determine which security service needs to be applied to protect specific assets.
4
The Need for Critical Infrastructure Security
The rapidly changing cybersecurity environment has changed the way we need to look at the security of our critical infrastructure.
A proactive and coordinated effort will be necessary to understand, strengthen, and maintain a secure critical infrastructure.
This will require a shared responsibility among federal, state, local, tribal, and territorial (SLTT) entities, and public and private owners and operators of critical infrastructure (herein referred to as “critical infrastructure owners and operators” ).
To strengthen the resilience of this infrastructure, President Obama issued Executive Order 13636 (EO), “Improving Critical Infrastructure Cybersecurity,” on February 12, 2013.
Except where otherwise noted, this presentation is licensed under a
CyberWatch West,
Whatcom Community College.
©2017
Creative Commons Attribution 4.0 International License.
This Executive Order calls for the development of a voluntary Cybersecurity Framework that provides a “prioritized, flexible, repeatable, performance-based, and cost-effective approach” to managing cybersecurity risk for those processes, information, and systems directly involved in the delivery of critical infrastructure services.
The framework, developed in collaboration with industry, provides guidance to an organization on managing cybersecurity risk.
5
NIST Cybersecurity Framework
NIST (National Institute of Standards and Technology) was directed to work with stakeholders to develop a voluntary framework for reducing cyber risks to critical infrastructure.
Refines and clarifies critical infrastructure-related functions, roles, and responsibilities across the federal government.
Enhances overall coordination and collaboration for the continuity of national essential functions, and to organize itself to collaborate effectively with and add value to the security and resilience efforts of critical infrastructure owners and operators.
Except where otherwise noted, this presentation is licensed under a
CyberWatch West,
Whatcom Community College.
©2017
Creative Commons Attribution 4.0 International License.
This Cybersecurity Framework has been developed in an open manner with input from stakeholders in industry, academia, and government, including a public review and comment process, workshops, and other means of engagement.
Students: Do you think there may come a time when this framework moves from being a voluntary framework to being mandatory?
6
NIST Cybersecurity Framework (cont. 1)
Cybersecurity risk is a reality that organizations must understand and manage, like other business risks that can have critical impacts on a business’s bottom line and the nation’s security.
Organizations must manage cybersecurity risk in order to gain and maintain customers, reduce cost, increase revenue, and innovate.
The Cybersecurity Framework is intended to help each organization manage its cybersecurity risks while maintaining flexibility and its ability to meet business needs.
Except where otherwise noted, this presentation is licensed under a
CyberWatch West,
Whatcom Community College.
©2017
Creative Commons Attribution 4.0 International License.
Increasing cybersecurity threats are driving organizations responsible for critical infrastructure to have a consistent and iterative approach to identifying, assessing, and managing cybersecurity risk, regardless of the organizations’ size, threat exposure, or current level of cybersecurity sophistication.
7
NIST Cybersecurity Framework (cont. 2)
The framework focuses on the 16 sectors identified as critical infrastructure.
Members of each critical infrastructure sector perform functions that are supported by information technology (IT) and industrial control systems (ICS).
A reliance on technology, communication, and the interconnectivity of IT and ICS has changed and expanded the potential vulnerabilities and increased potential risk to critical infrastructure operations.
A clear understanding of the organization’s business drivers and unique security considerations is required to manage cybersecurity risks.
Companies whose work falls outside the 16 sectors can use the framework in their risk assessment and enterprise security planning.
Except where otherwise noted, this presentation is licensed under a
CyberWatch West,
Whatcom Community College.
©2017
Creative Commons Attribution 4.0 International License.
The framework focuses on the 16 sectors identified as critical infrastructure.
Members of each critical infrastructure sector perform functions that are supported by information technology (IT) and industrial control systems (ICS).
A reliance on technology, communication, and the interconnectivity of IT and ICS has changed and expanded the potential vulnerabilities and increased potential risk to critical infrastructure operations.
A clear understanding of the organization’s business drivers and unique security considerations is required to manage cybersecurity risks.
This requirement is driven by each organization’s unique risk, along with its use of IT and ICS. The tools and methods used to achieve the outcomes described by the framework will vary.
Companies whose work falls outside the 16 sectors can use the framework in their risk assessment and enterprise security planning.
8
NIST Cybersecurity Framework (cont. 3)
The framework includes a methodology to protect individual privacy and civil liberties when critical infrastructure organizations conduct cybersecurity activities.
Complements existing organizational methods
Provides guidance on performing privacy risk assessments and management
Integrating privacy and cybersecurity increases customer confidence and enables information-sharing
Except where otherwise noted, this presentation is licensed under a
CyberWatch West,
Whatcom Community College.
©2017
Creative Commons Attribution 4.0 International License.
The framework includes a methodology to protect individual privacy and civil liberties when critical infrastructure organizations conduct cybersecurity activities.
Many organizations already have processes for addressing privacy and civil liberties.
The methodology is designed to complement such processes and provide guidance to facilitate privacy risk management consistent with an organization’s approach to cybersecurity risk management.
Integrating privacy and cybersecurity can benefit organizations by increasing customer confidence, enabling more standardized sharing of information, and simplifying operations across legal regimes.
9
NIST Cybersecurity Framework (cont. 4)
The framework is technology-neutral to ensure extensibility and enable technical innovation.
It utilizes existing standards, guidelines, and practices to achieve flexibility.
It provides a common taxonomy and mechanism for organizations to:
Describe their current cybersecurity posture;
Describe their target state for cybersecurity;
Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process;
Assess progress toward the target state;
Communicate among internal and external stakeholders about cybersecurity risk.
Organizations outside the United States may also use the framework to strengthen their own cybersecurity efforts.
Except where otherwise noted, this presentation is licensed under a
CyberWatch West,
Whatcom Community College.
©2017
Creative Commons Attribution 4.0 International License.
The framework is technology-neutral to ensure extensibility and enable technical innovation.
It uses and relies on a variety of existing standards, guidelines, and practices to enable critical infrastructure providers to achieve flexibility.
The use of existing and emerging standards will enable economies of scale and drive the development of effective products, services, and practices that meet identified market needs.
Building from those standards, guidelines, and practices, the Cybersecurity Framework provides a common taxonomy and mechanism for organizations to:
Describe their current cybersecurity posture;
Describe their target state for cybersecurity;
Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process;
Assess progress toward the target state;
Communicate among internal and external stakeholders about cybersecurity risk.
The Cybersecurity Framework does not replace an organization’s risk management process and cybersecurity program; its intent is to complement these processes.
An organization can use its current processes and leverage the Cybersecurity Framework to identify opportunities to improve, strengthen, and communicate its management of cybersecurity risk while aligning with industry practices.
An organization without an existing cybersecurity program can use the Cybersecurity Framework as a reference for establishing a program.
Just as the Cybersecurity Framework is not industry-specific, the common taxonomy of standards, guidelines, and practices that it provides is also not country-specific. Organizations outside the United States may also use the framework to strengthen their own cybersecurity efforts, and the framework can contribute to the development of a common language for international cooperation on critical infrastructure cybersecurity.
10
Other Models: NERC
North American Electricity Reliability Council (NERC) created information security standards for the electric power industry in 2003.
Following are applicable NERC CIP standards:
CIP-001 Sabotage Reporting
CIP-002 Critical Cyber Asset Identification
CIP-003 Security Management Controls
CIP-004 Personnel & Training
CIP-005 Electronic Security Perimeter(s)
CIP-006 Physical Security of Critical Cyber Assets
CIP-007 Systems Security Management
CIP-008 Incident Reporting and Response Planning
CIP-009 Recovery Plans for Critical Cyber Assets
Except where otherwise noted, this presentation is licensed under a
CyberWatch West,
Whatcom Community College.
©2017
Creative Commons Attribution 4.0 International License.
11
Framework Process Overview
Clark, R., and Miller, S. “Figure 2.2, Framework Diagram.” Framework for SCADA Cybersecurity. Smashswords ed. Revision A-01.19.2015. 12 Jan 2015. pp. 43.
Except where otherwise noted, this presentation is licensed under a
CyberWatch West,
Whatcom Community College.
©2017
Creative Commons Attribution 4.0 International License.
The framework is a risk-based approach to managing cybersecurity risk. It is composed of three parts: the Framework Core, the Framework Implementation Tiers, and the Framework Profiles. Each framework component reinforces the connection between business drivers and cybersecurity activities.
12
Framework Core
The Framework Core is a set of cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure sectors.
There are five concurrent and continuous functions in the Framework Core:
Identify
Protect
Detect
Respond
Recover
When evaluated together, these functions provide a high-level, strategic view of the lifecycle of an organization’s management of cybersecurity risk.
Except where otherwise noted, this presentation is licensed under a
CyberWatch West,
Whatcom Community College.
©2017
Creative Commons Attribution 4.0 International License.
Image source: National Institute of Standards & Technology (NIST) Cybersecurity https://www.nist.gov/cyberframework. Public Domain image.
The Framework Core presents industry standards, guidelines, and practices in a manner that allows for the communication of cybersecurity activities and outcomes across the organization, from the executive level to the implementation/operations level.
13
Framework Core Categories and Subcategories
The Framework Core then identifies underlying key categories and subcategories for each function.
It matches them with example informative references, such as existing standards, guidelines, and practices for each subcategory.
Except where otherwise noted, this presentation is licensed under a
CyberWatch West,
Whatcom Community College.
©2017
Creative Commons Attribution 4.0 International License.
The Framework Core defines 22 categories and 98 subcategories.
Table Citation:
National Institute of Standards and Technology. (12 Feb 2014). “Table A.2-1: Framework Core ID.AM”. Framework for Improving Critical Infrastructure Cybersecurity. Version 1.0. pp. 21.
14
Framework Implementation Tiers
The Framework Implementation Tiers provide background on how an organization views cybersecurity risk and the processes that are in place to manage that risk.
Tiers describe the degree to which an organization’s cybersecurity risk management practices exhibit the attributes defined in the framework (i.e., being risk- and threat-aware, repeatable, and adaptive).
The tiers identify an organization’s practices over a range, from Partial (Tier 1) to Adaptive (Tier 4).
These tiers reflect a progression from informal, reactive responses to approaches that are nimble and risk-informed.
An organization in the tier selection process should consider its current risk management practices, threat environment, legal and regulatory requirements, business/mission objectives, and organizational constraints.
Except where otherwise noted, this presentation is licensed under a
CyberWatch West,
Whatcom Community College.
©2017
Creative Commons Attribution 4.0 International License.
Tiers are described in greater detail at https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf
15
Framework Profile
Outcomes are based on the business needs that the organization has selected from the Cybersecurity Framework categories and subcategories.
Organization identify opportunities for improving their cybersecurity circumstances by comparing a “Current” profile (the “as is” state) with a “Target” profile (the “to be” state).
To develop a profile, the organization reviews all of the categories and subcategories. Based on business drivers and a risk assessment, the organization determines which categories and subcategories are the most important; they can add more later as needed to address the organization’s risks.
Except where otherwise noted, this presentation is licensed under a
CyberWatch West,
Whatcom Community College.
©2017
Creative Commons Attribution 4.0 International License.
Public Domain image from NIST.
16
Framework Profile
The Current Profile or “AS IS Profile” can be used to support prioritization and measurement of progress toward the Target Profile or “TO BE Profile,” while factoring in other business needs, including cost-effectiveness and innovation.
This method can be used to conduct self-assessments and to communicate within an organization or between organizations.
Except where otherwise noted, this presentation is licensed under a
CyberWatch West,
Whatcom Community College.
©2017
Creative Commons Attribution 4.0 International License.
Public Domain image from NIST.
17
Cybersecurity Framework Core Structure
Except where otherwise noted, this presentation is licensed under a
CyberWatch West,
Whatcom Community College.
©2017
Creative Commons Attribution 4.0 International License.
Public Domain Image:
National Institute of Standards and Technology. (12 Feb 2014). “Figure 1: Framework Core Structure ”. Framework for Improving Critical Infrastructure Cybersecurity. Version 1.0. pp. 7.
https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf
From NIST:
The Framework Core elements work together as follows:
• Functions organize basic cybersecurity activities at their highest level. These functions are Identify, Protect, Detect, Respond, and Recover. They aid an organization in expressing its management of cybersecurity risk by organizing information, enabling risk management decisions, addressing threats, and improving by learning from previous activities. The Functions also align with existing methodologies for incident management and help show the impact of investments in cybersecurity. For example, investments in planning and exercises support timely response and recovery actions, resulting in reduced impact to the delivery of services.
• Categories are the subdivisions of a function into groups of cybersecurity outcomes closely tied to programmatic needs and particular activities. Examples of categories include “Asset Management,” “Access Control,” and “Detection Processes.”
• Subcategories further divide a category into specific outcomes of technical and/or management activities. They provide a set of results that, while not exhaustive, help support achievement of the outcomes in each category. Examples of subcategories include “External information systems are catalogued,” “Data-at-rest is protected,” and “Notifications from detection systems are investigated.”
• Informative References are specific sections of standards, guidelines, and practices common among critical infrastructure sectors that illustrate a method to achieve the outcomes associated with each subcategory. The Informative References presented in the Framework Core are illustrative and not exhaustive. They are based upon cross-sector guidance most frequently referenced during the Framework development process.
18
Cybersecurity Framework Core Process
Except where otherwise noted, this presentation is licensed under a
CyberWatch West,
Whatcom Community College.
©2017
Creative Commons Attribution 4.0 International License.
Captions at youtube
19
Risk Management
Except where otherwise noted, this presentation is licensed under a
CyberWatch West,
Whatcom Community College.
©2017
Creative Commons Attribution 4.0 International License.
Risk Management
Risk analysis is used to determine whether an asset is protected and to what level.
Risk assessment is the quantitative or qualitative process of performing this analysis.
In general terms, a cybersecurity risk assessment is a mathematical way to estimate the likelihood that a system can be attacked using cyber means.
Risk assessments often are associated with metrics, models, and graphs.
Except where otherwise noted, this presentation is licensed under a
CyberWatch West,
Whatcom Community College.
©2017
Creative Commons Attribution 4.0 International License.
Risk Management (cont. 1)
An analyst identifies the threats to an ICS through observation and by checking configurations; the analyst then contrasts these threats against the controls that are in place to protect the system.
Each attack scenario is assigned a probability rating so that an end value may summarize the risk to the ICS.
Several organizations have created guides, available on the Internet, to assessing the risk to an ICS.
Except where otherwise noted, this presentation is licensed under a
CyberWatch West,
Whatcom Community College.
©2017
Creative Commons Attribution 4.0 International License.
Risk Management (cont. 2)
The diagram below shows how controls are applied to reduce risks.
Except where otherwise noted, this presentation is licensed under a
CyberWatch West,
Whatcom Community College.
©2017
Creative Commons Attribution 4.0 International License.
Diagram:
Clark, R., & Miller, S. “Figure 2.3, Risk Management Decomposition Diagram.” Framework for SCADA Cybersecurity. Smashswords ed. Revision A-01.19.2015. 12 Jan 2015. pp. 45. Available at https://www.smashwords.com/books/view/510004.
23
Risk Management & the Cybersecurity Framework
Risk management: A process of identifying vulnerabilities and taking carefully reasoned steps to ensure the confidentiality, integrity, and availability of the information system
To manage risk, organizations should understand the likelihood that an event will occur and the resulting impact.
With this information, organizations can determine the acceptable level of ri
