The following presentation slides were used during the 2014 Cyber Summit Panel Session on Cyber Critical Infrastructure Guidelines at the University of Alabama at Birmingham
2. Meet Our Panelists
Allen Johnston, Ph.D.
Associate Professor of Information Systems
Paul M. Di Gangi, Ph.D., CISSP
Assistant Professor of Information Systems
Deborah Williams, CISSP
Program Manager
Matthew Speare
Head of Governance & Integration
Angella Carlisle, CISSP, CRISC, CHSP
IT Security Manager
Dave Summitt, CISSP
Chief Information Security Officer
7. EO 13636: Improving Critical Infrastructure Cybersecurity
"It is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties."
February 2013
9. What are the critical infrastructure sectors?
85% privately owned
10. What are we already doing to protect these sectors?
Critical Sector: Regs/Standards/Laws
Agriculture & Food: 21 CFR 11
Government Facilities: N/A
Commercial Facilities: 25 CFR 542
Dams: CIP 002-009 (Mandatory)
National Monuments & Icons: N/A
Transportation Systems: 49 CFR 193, 1520
Chemical: 6 CFR 27
Critical Manufacturing: N/A
Emergency Services: N/A
Healthcare & Public Health: 45 CFR 164 (HIPAA)
Nuclear Reactors, Materials & Waste: 10 CFR 73 (NRC)
Water: 42 U.S.C. 300-2 (Law)
Energy: CIP 002-009 (Mandatory)
Information Technology: N/A
Postal & Shipping: N/A
Banking & Finance: 12, 16, 17, 31 CFR (SOX, GLB, AML)
Communications: N/A
Defense Industrial Base: NISPOM
12. Organizational Views on Cybersecurity (NIST Cybersecurity Framework Implementation Tiers)
Adaptive (Tier 4): Adapts cybersecurity practices based on lessons learned and predictive indicators; organization-wide approach to managing risk using risk-informed policies, processes, and procedures; actively shares information with partners.
Repeatable (Tier 3): Risk management practices are formally approved, expressed in policy, and updated regularly; organization-wide approach to managing risk using risk-informed policies, processes, and procedures; understands dependencies with partners.
Risk Informed (Tier 2): Risk management practices are approved by management but may not be established as organization-wide policy; awareness of risk at the organizational level, but an organization-wide approach is not established; not formally sharing information with partners.
Partial (Tier 1): Risk management practices are not formalized and risk is managed in a reactive manner; risk management is implemented on a case-by-case basis; may not coordinate or collaborate with partners.
15. Why should organizations adopt a non-mandatory framework?
Incentive Type: Summary Description
Grants: Fixed-cost, performance-based awards for investment in cybersecurity products and services for prospective Framework adopters.
Rate Recovery for Price-Regulated Industries: Recovery of cybersecurity investments in the rates charged for services provided by Framework adopters through a price cap, in which the government allows a firm to charge up to a certain maximum price that is independent of the realized cost.
Bundled Insurance Requirements, Liability Protection, and Legal Benefits: A system of litigation risk mitigation for which entities that adopt the Framework and meet reasonable insurance requirements are eligible to apply. Other types of legal benefits may include limited indemnity, higher burdens of proof, or limited penalties; case consolidations; case transfers to a single Federal court; and creation of a Federal legal privilege that preempts State disclosure and/or discovery requirements for certain cybersecurity self-assessments.
Prioritizing Certain Classes of Training and Technical Assistance: The Federal Government offers several types of technical assistance to critical infrastructure owners and operators, including preparedness support, assessments, training of employees, and advice on best practices.
Procurement Considerations: Introduce a technical requirement in the procurement process for certain types of acquisitions for Framework adopters, or requirements for Framework adoption for Federal information and communications technology providers or other contracts, particularly those involving access to sensitive government information or essential services.
Streamline Information Security Regulations: Creation of a unified compliance model for similar requirements and elimination of overlaps among existing laws; streamlining of differences between U.S. and international law (perhaps through treaties); ensuring equivalent adoption; reducing audit burdens; and offering prioritized permitting.
17. Panel Discussion Question:
What are the pressing issues for critical infrastructure organizations in the information security/assurance domain?
What are the initial reactions of organizations in your industry to the Critical Infrastructure guidelines that were recently released?
18. Panel Discussion Question:
How well do the Critical Infrastructure guidelines integrate with your existing regulatory requirements? What is new in them that is not currently addressed?
Are the Critical Infrastructure guidelines likely to become a standard for your industry, or do you see a different set of guidelines being adopted?
19. Panel Discussion Question:
What are the primary challenges your organization faces in implementing the Critical Infrastructure guidelines?
20. Panel Discussion Question:
How are the incentives for complying with the Critical Infrastructure guidelines being perceived within your industry?
Of the proposed incentives (grants, technical assistance, rate recovery, liability reform), which are most attractive to you?