Cyber Security 2016 Law & Regulatory Environmental Trends
A) Presidential Executive Orders 13636 and 13691 Critical Infrastructure Cyber Security
B) Legal Authority: Key Federal Laws, DOD Guidance (161 Directives), FAR/DFARS
C) System Cyber Defense Resilience Architecture
Alex Dely, Contracts Manager, Innovation & Cyber Directorates, Raytheon Missile Systems
ASIS Phoenix Chapter 18 May 2016
Alex_Dely@Raytheon.com
Cyber Tidbits
• Typical Dwell Time in Public Infrastructure Networks before Penetration Detection: 128 Days.
• Every minute 1,080 hacks occur; 27 Days to Resolve; $7.4M/Incident.
• Software Code: 4.9 Flaws/1000 Lines of Code, of which 1 to 5% represent serious vulnerabilities
• Typical Penetration Detector: External Vulnerability Assessment Part
• 1.5 Million Cyber Security Jobs Unfilled (Unfillable?)
• Attacker only needs 0.0001 Success Rate
• Most Asset Owners do not know about their Outbound Traffic: # Connections, Length of Connection, Amount of Data, % Encrypted, Destination IP
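The last bullet names five quantities an asset owner should be able to state about outbound traffic. The script below is an added example, not part of the slides: it computes those quantities per destination IP from constructed flow records and flags destinations worth reviewing. The record layout (Zeek-style fields), the 10.0.0.0/8 plant range, the encrypted-service set and the allowlist are all assumptions.

```python
"""Outbound-traffic summary (# connections, connection length, data volume,
% encrypted, destination IP) from flow records. Added example: the record
format and the site policy below are constructed assumptions, not the deck's."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed sample records (documentation address ranges only), one per line:
#   src_ip dst_ip dst_port duration_s orig_bytes resp_bytes service
SAMPLE_FLOWS = """\
10.20.1.15 203.0.113.10 443 12.5 2048 51200 ssl
10.20.1.15 203.0.113.10 443 8.1 1024 30000 ssl
10.20.1.22 198.51.100.7 80 3.2 512 4096 http
10.20.1.30 192.0.2.99 4444 1800.0 5242880 8192 -
10.20.1.30 10.20.2.5 502 0.4 128 256 modbus
10.20.1.22 198.51.100.7 443 2.0 900 7000 ssl
"""

# Assumed site policy: plant network, encrypted services, documented destinations.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
ENCRYPTED_SERVICES = {"ssl", "tls", "ssh"}
KNOWN_DESTINATIONS = {"203.0.113.10"}  # e.g. a documented vendor update server


@dataclass
class Flow:
    src: ipaddress.IPv4Address | ipaddress.IPv6Address
    dst: ipaddress.IPv4Address | ipaddress.IPv6Address
    dport: int
    duration: float
    orig_bytes: int  # sent by the internal host
    resp_bytes: int  # returned by the destination
    service: str


def parse_flows(text: str) -> list[Flow]:
    """Parse records; malformed lines are skipped instead of aborting the run."""
    flows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 7 or f[0].startswith("#"):
            continue
        try:
            flows.append(Flow(ipaddress.ip_address(f[0]), ipaddress.ip_address(f[1]),
                              int(f[2]), float(f[3]), int(f[4]), int(f[5]), f[6]))
        except ValueError:
            continue
    return flows


def is_outbound(flow: Flow) -> bool:
    """Outbound = source inside the plant network, destination outside it."""
    def inside(addr):
        return any(addr in net for net in INTERNAL_NETS)
    return inside(flow.src) and not inside(flow.dst)


@dataclass
class DestSummary:
    dst: str
    connections: int = 0
    total_duration: float = 0.0
    bytes_out: int = 0
    bytes_in: int = 0
    encrypted: int = 0

    @property
    def pct_encrypted(self) -> float:
        return 100.0 * self.encrypted / self.connections if self.connections else 0.0


def summarize_outbound(flows: list[Flow]) -> dict[str, DestSummary]:
    """Aggregate the slide's five quantities per external destination IP."""
    summaries: dict[str, DestSummary] = {}
    for fl in flows:
        if not is_outbound(fl):
            continue
        s = summaries.setdefault(str(fl.dst), DestSummary(str(fl.dst)))
        s.connections += 1
        s.total_duration += fl.duration
        s.bytes_out += fl.orig_bytes
        s.bytes_in += fl.resp_bytes
        s.encrypted += int(fl.service in ENCRYPTED_SERVICES)
    return summaries


def find_anomalies(summaries, known=KNOWN_DESTINATIONS,
                   max_upload_bytes=1_000_000, max_session_seconds=600.0):
    """Destinations to review first; thresholds are illustrative, tune to baseline."""
    findings = []
    for dst, s in summaries.items():
        if dst not in known:
            findings.append((dst, "unknown destination"))
        if s.bytes_out > max_upload_bytes:
            findings.append((dst, "large outbound volume"))
        if s.total_duration > max_session_seconds:
            findings.append((dst, "long-lived session"))
    return findings


if __name__ == "__main__":
    report = summarize_outbound(parse_flows(SAMPLE_FLOWS))
    for s in report.values():
        print(f"{s.dst:<14} conns={s.connections} dur={s.total_duration:.1f}s "
              f"out={s.bytes_out} in={s.bytes_in} enc={s.pct_encrypted:.0f}%")
    for dst, why in find_anomalies(report):
        print("REVIEW", dst, why)
```

With the sample data the internal Modbus flow is ignored, the documented vendor server shows 100% encrypted traffic, and the 1800-second, 5 MB session to an undocumented host is flagged three times.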
SECTION A: PRESIDENTIAL EXECUTIVE ORDERS CRITICAL INFRASTRUCTURE CYBER SECURITY
POTUS Executive Order 13636
EO 13636 Improving Critical Infrastructure Cybersecurity (March 2013)
* technology-neutral cybersecurity framework and practices
* increase volume, timeliness and quality of threat information sharing
* incorporate strong privacy and civil liberties protections
* evaluate regulatory adequacy
POTUS Policy Directive-21 Critical Infrastructure Security and Resilience directs the Executive Branch, led by DHS, in coordination with NIST, NSA and sector Agencies to:
* develop near-real time physical and cyber situational awareness capability
* understand cascading consequences of infrastructure failures
* mature public-private partnerships
* update the National Infrastructure Protection Plan
* develop comprehensive research and development plan
NIPP 16 Critical Infrastructure Sectors
1) Defense Industrial Base
2) Critical Manufacturing
3) Emergency Services
4) Government Facilities
5) Financial Services
6) Information Technology
7) Transportation
8) Nuclear Reactors & Materials
9) Energy
10) Communications
11) Chemical
12) Dams
13) Water & Wastewater
14) Food & Agriculture
15) Public Health Facilities
16) Commercial Facilities
COMPLEX INTERLINKAGES WITH LIMITED CORRESPONDING GOVERNMENT-INDUSTRY EXPERTISE & ACCOUNTABILITY
POTUS EXECUTIVE ORDER 13691
EO 13691 Private Sector Cybersecurity Information Sharing (Feb 2015)
- establishes Information Sharing & Analysis Organizations (ISAO) standards and protocols to coordinate with US Government Information Sharing & Analysis Centers (ISAC)
- strengthens DHS National Cybersecurity & Communications Integration Center (NCCIC) ability to approve access to classified information
Categories:
1) Cyber-Physical (nano-scale to large-scale wide-area systems of systems; dependably, safely, securely, efficiently and in real-time; convergence of computation, communication, and control)
2) Cyber-Cyber (Network Cyber)
3) Physical-Cyber
4) Physical-Physical
Source: NIST Framework and Roadmap for Smart Grid Interoperability Standards
Integrated SCADA/ICS
Graphic courtesy of DHS Recommended Practice: Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies
A Control System is NOT an IT Network!!
Industrial Control Systems (ICS):
* Distributed Control Systems (IoT)
* Supervisory Control and Data Acquisition Systems (SCADA)
* Process Control Systems
* Manufacturing Execution Systems
Vulnerability Categories:
* Millions of Remote Access Points, many in Legacy systems with limited Access Control, open Communications Protocols, Default Passwords, Limited/No Firewalls
* Complex Systems Dynamically Reconfiguring in Space/Time
* Reliance on mostly Offshore Suppliers
* Technical Documentation freely available on Internet
* Hierarchical Wireless Sensor Networks allow an attacker to determine where the root node is placed
DOE FERC NERC CIP Requirements & Penalties
• FERC NERC CIP 6/7 Requirements
Penalty: up to $1M per event/day based on Violation Risk Factor/Severity Level (16 USC 825o)
• CIP 001 Sabotage Reporting & Compliance
• CIP 002 Critical Cyber Assets Risk Based Management
• CIP 003 Senior Management Controls
• CIP 004 Personnel & Training
• CIP 005 Electronic Security Perimeters & Vulnerability Assessment
• CIP 006 Physical Security Perimeters
• CIP 007 Security System Management (malware, etc.)
• CIP 008 Incident Reporting & Response Planning
• CIP 009 Recovery Plans
DHS Cross Sector Roadmap of Cyber
Security Control Systems
Homeland Security Presidential Directive-7: Robustness, Survivability & Resilience Systems-of-Systems Principles:
1) Operational Independence of Elements
2) Managerial Independence of Elements
3) Geographical Distribution of Elements
4) Evolutionary Development
5) Emergent behavior
6) Heterogeneous Network of Systems
7) Automated Intrusion Audit Trails
8) Real Time Incident Response
9) Acquisition Strategy & Contracting
10) Training
Where We Want to Go
“Defense-in-Depth Architecture”
Graphic courtesy of DHS Recommended Practice: Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies October 2009
SECTION B: KEY FEDERAL LAWS, DOD GUIDANCE, FAR/DFARS
Key Federal Laws
1) Title 44 Federal Information Security Management Act (3541 et seq)
2) Title 18 Computer Fraud & Abuse Act (1030)
3) Title 18 Stored Communications Act (2701 et seq)
4) Title 18 Federal Wiretap Act (2510 et seq)
5) Title 18 Pen Registers and Trap and Trace Devices (3121 et seq)
6) Many Presidential Executive Orders
DOD Guidance Documents (161!)
Build & Operate a Trusted DoDIN handout (CIO Cyber)
1) Lead & Govern (18)
2) Design for the Fight (26)
3) Develop the Workforce (12)
4) Partner for Strength (9)
5) Secure Data in Transit (22)
6) Manage Access (16)
7) Assure Information Sharing (7)
8) Understand the Battlespace (7)
9) Prevent & Delay Attackers/Prevent Attackers from Staying (15)
10) Develop and maintain Trust (9)
11) Strengthen Cyber Readiness (8)
12) Sustain Missions (12)
DoDI 5000.02 & 5200.39 Program Protection Planning
PPP is an iterative System Security risk management process:
1) Critical Program Information Identification/Criticality
2) Mission Critical Functions & Components Trusted Systems & Networks Analysis
3) Identification of Horizontal Protection Requirements
4) Identification of Foreign Involvement (Trusted Supply Chain)
5) Threat Analysis
6) Vulnerability Assessment
7) Risk Assessment
8) Trade-off Analyses
9) Countermeasures Implementation (Defensive Cyber Resilience, Anti Tamper, OpSec, InfoSec/Information Assurance, Software Assurance)
10) Verification & Validation and Residual Risk
DFARS 252.204-7012 (Sept 2015)
“Safeguarding Covered Defense Information and Cyber Incident Reporting”: INTERIM RULE:
1) 72 Hr Network Penetration Reporting
2) Contracting for Cloud Services
Four Recommended Contractor Actions:
1) Register with DOD to obtain a mandatory Medium Assurance certificate
2) Identify & Mark all Attributional/Proprietary Information
3) SCM Flowdown to Subcontractors (including Commercial Item and Small Business Subcontracts, Teaming Agreements etc). Sub must report to Prime and DOD within 72 hrs (no Tier limitation).
4) Monitor Existing Contract Mods
DFARS 252.204-7012 Cont 2
“Covered Defense Information”:
- unclassified information provided to the contractor by or on behalf of DOD in connection with performance of a contract
- information collected, developed, received, transmitted, used or stored by or on behalf of the contractor in support of contract performance
CDI includes:
- Controlled Technical Information
- Critical Information
- ITAR Export Control Information
- Other Restricted Information
Covered Contractor Information Systems: any information system owned, or operated by or for, the contractor that processes, stores or transmits CDI.
NIST SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. REPLACES NIST SP 800-53
DFARS 252.204-7012 Cont 3
72 HR CYBER INCIDENT REPORTING:
- Any action that results in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein
- Required “Review for Compromise”:
* disclosure of information to unauthorized persons
* violation of the security policy of a system in which unauthorized intentional or unintentional disclosure, modification, destruction or loss of an object, or copying to unauthorized media may have occurred
90 DAY IMAGE PROTECTION OF INFORMATION SYSTEMS FOR FORENSIC ANALYSIS AND DAMAGE ASSESSMENT
DFARS 252.204-7012 Cont 4
COMPANION DFARS 252.204-7009 Limitations on the Use and Disclosure of Third Party Contractor Reported Incident Information
Cyber Incident Info may be shared with:
1) US and other entities affected
2) Entities that may assist in diagnosis, detection, or mitigation (need additional PIA/NDA!)
3) Law enforcement and counterintelligence
4) Defense Industrial Base participants
5) Support services contractors
SECTION C: LIFECYCLE SYSTEMS CYBER RESILIENCY ARCHITECTING
Cyber Resiliency Defined (MITRE)
1) The ability of a nation, organization, mission, process or weapon system to anticipate, withstand, recover from, and evolve to improve capabilities in the face of adverse conditions, stresses, or attacks on the supporting cyber resources it needs to function
2) The sub-discipline of Mission Assurance Engineering which considers: a) the ways an evolving set of resilience practices can be applied, and b) the tradeoffs associated with the different strategies for applying those practices
Cyber Resilience Key “Terms of Art” Defined (Cont)
END STATE:
1) Anticipate: Understand, Prepare, Predict, Prevent
2) Withstand: Constrain, Maintain Essential Functionality
3) Recover: Determine Damages, Restore Capabilities, Reconstitute, Determine Reliability
4) Evolve: Re-architect
TECHNIQUES: Adaptive Response, Privilege Restriction, Deception, Diversity, Substantiated Integrity, Coordinated Defense, Analytic Monitoring, Non-Persistence, Dynamic Positioning, Redundancy, Segmentation, Unpredictability, Dynamic Representation, Realignment
Cyber Resiliency 3 Pillars
1) NATIONAL INSTITUTE FOR STANDARDS & TECHNOLOGY (NIST):
A) Cybersecurity Framework
B) Risk Management Framework
C) Trustworthy Resilient Systems
D) Supply Chain Risk Management
SP 800 Series of Documents: SP 800-160 System Security Engineering, SP 800-115 Information Security Testing, SP 800-161 Supply Chain Risk Management
2) DOD ENGINEERED RESILIENT SYSTEMS INITIATIVE (ERS TOGAF)
3) DOD PROGRAM PROTECTION PLANNING (PPP)
18 Cyber Resiliency Architecture Principles
1) Separate
2) Manual Operation
3) “Stateless” Services (no record of previous interaction)
4) Common vs Redundant Services
5) Any Function/Console
6) Location Independent Services
7) Degraded Modes
8) Saturation Alleviation
9) Disconnected Modes
10) Least Privilege
11) Provenance
12) Reconfigurability
13) Layers
14) Vulnerability Containment
15) Isolation
16) Boundaries
17) Audit
18) Recovery
13 Cyber Resilience Engineering Techniques
1) Adaptive Response
2) Analytic Monitoring
3) Coordinated Command & Control Defense
4) Deception
5) Diversity
6) Dynamic Positioning & Representation
7) Non-Persistence
8) Privilege Restriction
9) Realignment
10) Redundancy
11) Segmentation
12) Unpredictability
13) Substantiated Integrity
14 Cyber Attack Mechanisms
1) Gather Information
2) Deplete Resources
3) Injection
4) Deceptive Interactions
5) Abuse of Functionality
6) Probabilistic Techniques
7) Exploitation of Authentication
8) Exploitation of Authorization
9) Manipulate Data Structures
10) Analyze Target
11) Gain Physical Access
12) Malicious Code Execution
13) Alter System Components
14) Manipulate System Users
Measuring Cyber Resilience
• DOD Universal Joint Task List Enclosure B
• MITRE Cyber Resiliency Metrics (272)
SUMMARY:
1) Critical Infrastructure Cyber Security goes WELL beyond IT networks
2) Cyber Security Law & Regulation is in its infancy, and DOD Guidance will likely drive significant expansion in scope & quantity of new laws and FAR/DFARS regulations
3) Most of the 16 Critical Infrastructure Industry Sectors have BARELY begun Cyber Resilience Architecting & Engineering of Critical Systems
BACKUP
SCADA Cyber Security Needs
Operational Needs
• Certifiable, attribute-based access control (only authenticated AND authorized users)
• Low cost, small form factor information assurance appliances—SW and HW
• Tailorable levels of assurance to changing operational requirements
• Real-time data delivery between stations
• Interfaces with multiple communications protocols
• Rapid reconfiguration of security policies to meet dynamic needs of smart grids
• Scalable for all levels of service (e.g. generating stations, substations, primary & secondary customers)
Operational Benefits
• Enhanced operational effectiveness and efficiency (e.g. lower cost per kWh)
• Streamlined certification & accreditation to meet emerging policy mandates
DHS Cyber Cryptography
• Aging Cryptographic Algorithms
– Legacy 80-bit algorithms (DES, MD5, SHA-1, RSA-1024, two-key 3DES, SKIPJACK, KEA, and DSA) are threatened. NIST SP 800-78 requires Government users to replace RSA-1024/SHA-1 with higher security algorithms
• Suite B Algorithms for the Next Generation
– NSA-endorsed algorithms that are approved for classified use and deliver the information assurance required for the next 30-50 years
– ECC in GF(p) (P-256, P-384, P-521*)
– Equivalent to 3,072, 7,680, and 15,360-bit RSA
– ECMQV and EC Diffie-Hellman key establishment
– ECDSA digital signatures
– AES-128/192*/256, SHA-224*/256/384/512*
DHS Control System AMI Security Requirements
2.8 System Communication Protection
* Policy/Management
* Port Partitioning/Security Function Isolation/Information Remnants/Denial of Service Protection
* Communication Integrity/Trusted Path
* Validated Cryptographic Key Establishment/Public Key Infrastructure Certificates
* Message Authenticity/Secure Name–Address Resolution
2.9 Information System Management
2.10 System Development & Maintenance (Legacy)
2.12 Incident Response (Continuity of Operations/Alternate Control Centers)
2.14 System & Information Integrity (Malicious Code/Accuracy/Completeness/Validity/Authenticity)
2.15 Access Control (Authenticator Management, Remote Access, Wireless Access)
2.16 Audit & Accountability (Time Stamps)
DHS Control System AMI Sec Cont
NIST Control System Security Cont
15 Categories of Logical Interfaces
1) SCADA Control Systems
2) WAN Control Systems
3) DMS/LMS Control Systems
4-5) Back Office Systems
6) B2B Connections
7) Control to NC Systems
8) Sensor Networks
9) Sensor to Control Sys
10) AMI Network Interfaces
11) HAN/BAN Customer
12) Interface to Customer
13) Mobile Field Crews
14) Metering Interfaces
15) Decision WAMS/ISO

Ncma saguaro cyber security 2016 law & regulations asis phoenix dely final 05182016

  • 1. Cyber Security 2016 Law & Regulatory Environmental Trends A) Presidential Executive Orders 13636 and 13691 Critical Infrastructure Cyber Security B) Legal Authority: Key Federal Laws, DOD Guidance (161 Directives), FAR/DFARS C) System Cyber Defense Resilience Architecture Alex Dely, Contracts Manager, Innovation & Cyber Directorates, Raytheon Missile Systems ASIS Phoenix Chapter 18 May 2016 Alex_Dely@Raytheon.com 1
  • 2. Cyber Tidbits • Typical Dwell Time in Public Infrastructure Networks before Penetration Detection: 128 Days. • Every minute 1,080 hacks occur, 27 Days to Resolve, $ 7.4M/Incident. • Software Code: 4.9 Flaws/1000 Lines of Code, of which 1 to 5% represent serious vulnerabilities • Typical Penetration Detector: External Vulnerability Assessment Part • 1.5 Million Cyber Security Jobs Unfilled (Unfillable?) • Attacker only needs 0.0001 Success Rate • Most Asset Owners do not know about their Outbound Traffic: # Connections, Length of Connection, Amount of Data, % Encrypted, Destination IP 2
  • 3. SECTION A PRESIDENTIAL EXECUTIVE ORDERS CRITICAL INFRASTRUCTURE CYBER SECURITY 3
  • 4. POTUS Executive Order 13636 EO 13636 Improving Critical Infrastructure Cybersecurity (March 2013) * technology-neutral cybersecurity framework and practices * increase volume, timeliness and quality of threat information sharing * incorporate strong privacy and civil liberties protections * evaluate regulatory adequacy POTUS Policy Directive-21 Critical Infrastructure Security and Resilience directs the Executive Branch, led by DHS, in coordination with NIST, NSA and sector Agencies to: * develop near-real time physical and cyber situational awareness capability * understand cascading consequences of infrastructure failures * mature public-private partnerships * update the National Infrastructure Protection Plan * develop comprehensive research and development plan
  • 5. NIPP 16 Critical Infrastructure Sectors 1) Defense Industrial Base 9) Energy 2) Critical Manufacturing 10) Communications 3) Emergency Services 11) Chemical 4) Government Facilities 12) Dams 5) Financial Services 13) Water & Wastewater 6) Information Technology 14) Food & Agriculture 7) Transportation 15) Public Health Facilities 8) Nuclear Reactors & Materials 16) Commercial Facilities COMPLEX INTERLINKAGES WITH LIMITED CORRESPONDING GOVERNMENT-INDUSTRY EXPERTISE & ACCOUNTABILITY 5
6. POTUS EXECUTIVE ORDER 13691
EO 13691 Private Sector Cybersecurity Information Sharing (Feb 2015)
- establishes Information Sharing & Analysis Organizations (ISAO) standards and protocols to coordinate with US Government Information Sharing & Analysis Centers (ISAC)
- strengthens DHS National Cybersecurity & Communications Integration Center (NCCIC) ability to approve access to classified information
Categories:
1) Cyber-Physical (nano-scale to large-scale wide-area systems of systems; dependably, safely, securely, efficiently and in real-time; convergence of computation, communication, and control)
2) Cyber-Cyber (Network Cyber)
3) Physical-Cyber
4) Physical-Physical

7. (Graphic) Source: NIST Framework and Roadmap for Smart Grid Interoperability Standards

8. Integrated SCADA/ICS (graphic courtesy of DHS Recommended Practice: Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies)

9. Control System is NOT an IT Network!!
Industrial Control Systems (ICS):
* Distributed Control Systems (IoT)
* Supervisory Control and Data Acquisition Systems (SCADA)
* Process Control Systems
* Manufacturing Execution Systems
Vulnerability Categories:
* Millions of Remote Access Points, many in Legacy systems with limited Access Control, open Communications Protocols, Default Passwords, Limited/No Firewalls
* Complex Systems Dynamically Reconfiguring in Space/Time
* Reliance on mostly Offshore Suppliers
* Technical Documentation freely available on the Internet
* Hierarchical Wireless Sensor Networks allow an attacker to determine where the root node is placed

10. DOE FERC NERC CIP Requirements & Penalties
• FERC NERC CIP 6/7 Requirements Penalty: up to $1M per event/day based on Violation Risk Factor/Severity Level (16 USC 825o)
• CIP 001 Sabotage Reporting & Compliance
• CIP 002 Critical Cyber Assets Risk Based Management
• CIP 003 Senior Management Controls
• CIP 004 Personnel & Training
• CIP 005 Electronic Security Perimeters & Vulnerability Assessment
• CIP 006 Physical Security Perimeters
• CIP 007 Security System Management (malware, etc.)
• CIP 008 Incident Reporting & Response Planning
• CIP 009 Recovery Plans

11. DHS Cross Sector Roadmap of Cyber Security Control Systems
Homeland Security Presidential Directive-7: Robustness, Survivability & Resilience
Systems-of-Systems Principles:
1) Operational Independence of Elements
2) Managerial Independence of Elements
3) Geographical Distribution of Elements
4) Evolutionary Development
5) Emergent Behavior
6) Heterogeneous Network of Systems
7) Automated Intrusion Audit Trails
8) Real Time Incident Response
9) Acquisition Strategy & Contracting
10) Training

12. Where We Want to Go: “Defense-in-Depth Architecture” (graphic courtesy of DHS Recommended Practice: Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies, October 2009)

13. SECTION B
KEY FEDERAL LAWS, DOD GUIDANCE, FAR/DFARS

14. Key Federal Laws
1) Title 44 Federal Information Security Management Act (3541 et seq)
2) Title 18 Computer Fraud & Abuse Act (1030)
3) Title 18 Stored Communications Act (2701 et seq)
4) Title 18 Federal Wiretap Act (2510 et seq)
5) Title 18 Pen Registers and Trap and Trace Devices (3121 et seq)
6) Many Presidential Executive Orders

15. DOD Guidance Documents (161!)
Build & Operate a Trusted DoDIN handout (CIO Cyber)
1) Lead & Govern (18)
2) Design for the Fight (26)
3) Develop the Workforce (12)
4) Partner for Strength (9)
5) Secure Data in Transit (22)
6) Manage Access (16)
7) Assure Information Sharing (7)
8) Understand the Battlespace (7)
9) Prevent & Delay Attackers/Prevent Attackers from Staying (15)
10) Develop and Maintain Trust (9)
11) Strengthen Cyber Readiness (8)
12) Sustain Missions (12)

16. DoDI 5000.02 & 5200.39 Program Protection Planning
PPP is an iterative System Security risk management process:
1) Critical Program Information Identification/Criticality
2) Mission Critical Functions & Components Trusted Systems & Networks Analysis
3) Identification of Horizontal Protection Requirements
4) Identification of Foreign Involvement (Trusted Supply Chain)
5) Threat Analysis
6) Vulnerability Assessment
7) Risk Assessment
8) Trade-off Analyses
9) Countermeasures Implementation (Defensive Cyber Resilience, Anti Tamper, OpSec, InfoSec/Information Assurance, Software Assurance)
10) Verification & Validation and Residual Risk

17. DFARS 252.204-7012 (Sept 2015) “Safeguarding Covered Defense Information and Cyber Incident Reporting”
INTERIM RULE:
1) 72 Hr Network Penetration Reporting
2) Contracting for Cloud Services
Four Recommended Contractor Actions:
1) Register with DOD to obtain a mandatory Medium Assurance certificate
2) Identify & Mark all Attributional/Proprietary Information
3) SCM Flowdown to Subcontractors (including Commercial Item and Small Business Subcontracts, Teaming Agreements, etc.). Sub must report to Prime and DOD within 72 hrs (no Tier limitation).
4) Monitor Existing Contract Mods

18. DFARS 252.204-7012 (Cont 2)
“Covered Defense Information”:
- unclassified information provided to the contractor by or on behalf of DOD in connection with performance of a contract
- information collected, developed, received, transmitted, used or stored by or on behalf of the contractor in support of contract performance
CDI includes:
- Controlled Technical Information
- Critical Information
- ITAR Export Control Information
- Other Restricted Information
Covered Contractor Information Systems: any system owned, or operated by or for, the contractor that processes, stores or transmits CDI.
NIST SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. REPLACES NIST SP 800-53

19. DFARS 252.204-7012 (Cont 3)
72 HR CYBER INCIDENT REPORTING:
- Any action that results in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein
- Required “Review for Compromise”:
  * disclosure of information to unauthorized persons
  * violation of the security policy of a system in which unauthorized intentional or unintentional disclosure, modification, destruction or loss of an object, or copying to unauthorized media may have occurred
90 DAY IMAGE PROTECTION OF INFORMATION SYSTEMS FOR FORENSIC ANALYSIS AND DAMAGE ASSESSMENT

20. DFARS 252.204-7012 (Cont 4)
COMPANION DFARS 252.204-7009 Limitations on the Use and Disclosure of Third Party Contractor Reported Incident Information
Cyber Incident Info may be shared with:
1) US and other entities affected
2) Entities that may assist in diagnosis, detection, or mitigation (need additional PIA/NDA!)
3) Law enforcement and counterintelligence
4) Defense Industrial Base participants
5) Support services contractors

21. SECTION C
LIFECYCLE SYSTEMS CYBER RESILIENCY ARCHITECTING

22. Cyber Resiliency Defined (MITRE)
1) The ability of a nation, organization, mission, process or weapon system to anticipate, withstand, recover from, and evolve to improve capabilities in the face of adverse conditions, stresses, or attacks on the supporting cyber resources it needs to function
2) The sub-discipline of Mission Assurance Engineering which considers: a) the ways an evolving set of resilience practices can be applied, and b) the tradeoffs associated with the different strategies for applying those practices

23. Cyber Resilience Key “Terms of Art” Defined (Cont)
END STATE:
1) Anticipate: Understand, Prepare, Predict, Prevent
2) Withstand: Constrain, Maintain Essential Functionality
3) Recover: Determine Damages, Restore Capabilities, Reconstitute, Determine Reliability
4) Evolve: Re-architect
TECHNIQUES: Adaptive Response, Privilege Restriction, Deception, Diversity, Substantiated Integrity, Coordinated Defense, Analytic Monitoring, Non-Persistence, Dynamic Positioning, Redundancy, Segmentation, Unpredictability, Dynamic Representation, Realignment

24. Cyber Resiliency 3 Pillars
1) NATIONAL INSTITUTE FOR STANDARDS & TECHNOLOGY (NIST):
   A) Cybersecurity Framework
   B) Risk Management Framework
   C) Trustworthy Resilient Systems
   D) Supply Chain Risk Management
   SP 800 Series of Documents: SP 800-160 System Security Engineering, SP 800-115 Information Security Testing, SP 800-161 Supply Chain Risk Management
2) DOD ENGINEERED RESILIENT SYSTEMS INITIATIVE (ERS TOGAF)
3) DOD PROGRAM PROTECTION PLANNING (PPP)

25. 18 Cyber Resiliency Architecture Principles
1) Separate
2) Manual Operation
3) “Stateless” Services (no record of previous interaction)
4) Common vs Redundant Services
5) Any Function/Console
6) Location Independent Services
7) Degraded Modes
8) Saturation Alleviation
9) Disconnected Modes
10) Least Privilege
11) Provenance
12) Reconfigurability
13) Layers
14) Vulnerability Containment
15) Isolation
16) Boundaries
17) Audit
18) Recovery

26. 13 Cyber Resilience Engineering Techniques
1) Adaptive Response
2) Analytic Monitoring
3) Coordinated Command & Control Defense
4) Deception
5) Diversity
6) Dynamic Positioning & Representation
7) Non-Persistence
8) Privilege Restriction
9) Realignment
10) Redundancy
11) Segmentation
12) Unpredictability
13) Substantiated Integrity

27. 14 Cyber Attack Mechanisms
1) Gather Information
2) Deplete Resources
3) Injection
4) Deceptive Interactions
5) Abuse of Functionality
6) Probabilistic Techniques
7) Exploitation of Authentication
8) Exploitation of Authorization
9) Manipulate Data Structures
10) Analyze Target
11) Gain Physical Access
12) Malicious Code Execution
13) Alter System Components
14) Manipulate System Users

28. Measuring Cyber Resilience
• DOD Universal Joint Task List Enclosure B
• MITRE Cyber Resiliency Metrics (272)

29. SUMMARY:
1) Critical Infrastructure Cyber Security goes WELL beyond IT networks
2) Cyber Security Law & Regulation is in its infancy, and DOD Guidance will likely drive significant expansion in scope & quantity of new laws and FAR/DFARS regulations
3) Most of the 16 Critical Infrastructure Industry Sectors have BARELY begun Cyber Resilience Architecting & Engineering of Critical Systems

31. SCADA Cyber Security Needs
Operational Needs
• Certifiable, attribute-based access control (only authenticated AND authorized users)
• Low cost, small form factor information assurance appliances (SW and HW)
• Tailorable levels of assurance to changing operational requirements
• Real-time data delivery between stations
• Interfaces with multiple communications protocols
• Rapid reconfiguration of security policies to meet dynamic needs of smart grids
• Scalable for all levels of service (e.g. generating stations, substations, primary & secondary customers)
Operational Benefits
• Enhanced operational effectiveness and efficiency (e.g. lower cost per kWh)
• Streamlined certification & accreditation to meet emerging policy mandates

32. DHS Cyber Cryptography
• Aging Cryptographic Algorithms
  – Legacy 80-bit algorithms (DES, MD5, SHA-1, RSA-1024, two-key 3DES, SKIPJACK, KEA, and DSA) are threatened. NIST SP 800-78 requires Government users to replace RSA-1024/SHA-1 with higher security algorithms
• Suite B Algorithms for the Next Generation
  – NSA-endorsed algorithms that are approved for classified use and deliver the information assurance required for the next 30-50 years
  – ECC in GF(p) (P-256, P-384, P-521*), equivalent to 3,072, 7,680, and 15,360-bit RSA
  – ECMQV and EC Diffie-Hellman key establishment
  – ECDSA digital signatures
  – AES-128/192*/256, SHA-224*/256/384/512*

33. DHS Control System AMI Security Requirements
2.8 System Communication Protection
* Policy/Management
* Port Partitioning/Security Function Isolation/Information Remnants/Denial of Service Protection
* Communication Integrity/Trusted Path
* Validated Cryptographic Key Establishment/Public Key Infrastructure Certificates
* Message Authenticity/Secure Name-Address Resolution

34. DHS Control System AMI Security Requirements (Cont)
2.9 Information System Management
2.10 System Development & Maintenance (Legacy)
2.12 Incident Response (Continuity of Operations/Alternate Control Centers)
2.14 System & Information Integrity (Malicious Code/Accuracy/Completeness/Validity/Authenticity)
2.15 Access Control (Authenticator Management, Remote Access, Wireless Access)
2.16 Audit & Accountability (Time Stamps)

35. NIST Control System Security (Cont)
15 Categories of Logical Interfaces
1) SCADA Control Systems
2) WAN Control Systems
3) DMS/LMS Control Systems
4-5) Back Office Systems
6) B2B Connections
7) Control to NC Systems
8) Sensor Networks
9) Sensor to Control Sys
10) AMI Network Interfaces
11) HAN/BAN Customer
12) Interface to Customer
13) Mobile Field Crews
14) Metering Interfaces
15) Decision WAMS/ISO