Documente Academic
Documente Profesional
Documente Cultură
Larry Wilson
Lesson 2
June, 2015 1
Lesson 2: Controls Factory Components
2
Part 1: The Controls Factory Components
3
The Factory Components
Threats, Cybersecurity
Controls Technology Threat Organizational
Vulnerabilities, Operations The WISP
Definition Architecture Modeling Model
IOCs Center
Input Output
Security Controls & Program
Threat Controls Technology Assurance &
Administration Technology Deliverables
Intelligence Framework Design Audit
Center Testing Managed
Unmanaged
Assets Assets
F1 F2 F3 F4 F5 F6 F7
4
Part 2: The Threat Office Deliverables
5
Cyber Threats
6
Cyber Threats
7
Software Vulnerabilities
Secunia Presentation
8
Software Vulnerabilities
Secunia Presentation
9
Software Vulnerabilities
Secunia Presentation
10
Indicators of Compromise (IOCs)
RSA Security Presentation
11
Indicators of Compromise (IOCs)
RSA Security Presentation
12
Threat Intelligence – Industry Sector
13
Threat Intelligence – Cross Sector
14
The Cyber Attack Chain
Delivery of Exploitation Malware Malware Execution and malicious Establish communication Data
weaponized content of app vulnerability delivery persistency access to content channels exfiltration
00111
00101
11010
00010
11110
00110
00110
01101
Endless Endless Endless
Many Many
Weaponized Malicious Destinations
content Unpatched files Malicious (C&C traffic
(IPS, sandbox) and zero-day (antivirus, behavior detection)
vulnerabilities (patching) whitelisting) activities
(HIPs)
Vulnerability
No. of Types
15
Stages of the Attack Chain
Advanced threats occur in “kill chains” of up to seven In the RECON stage, cybercriminals research their
stages. intended victims using personal, professional and social
media websites.
Not all threats need to use every stage, giving
cybercriminals hundreds or even thousands of ways They’re looking for information to help them create
to create and execute data-stealing attacks. seemingly trustworthy “lures” that contain links to
compromised websites under their control.
The term “kill chain” refers to the ability to stop an
attack at any of these discrete stages — if the right Some lures use recent disasters, social drama or
defenses are deployed. celebrity deaths to draw on human curiosity.
16
Stages of the Attack Chain
Once a user has clicked on a link to a compromised Once the exploit kit has found a path for delivering malware, the
website, software known as an exploit kit scans the cybercriminal delivers a “dropper file,” typically from another
victim’s system to find open vulnerabilities or zero day compromised server, to infect the victim’s system.
threats. The dropper file may contain software that executes on the
victim’s system to begin the process of finding and extracting
These weaknesses can become open doors for valuable data.
delivering malware, key loggers or other advanced
tools that enable cybercriminals to further infiltrate Some dropper files remain dormant for a predetermined period
networks. of time to avoid detection, and may include additional
executables to deliver malware in the future.
Once the dropper file infects the target system, it “calls The end-game of most modern cyber attacks, the data
home” to a command-and-control server to download theft stage completes the threat kill chain.
additional programs, tools or instructions.
Cybercriminals steal intellectual property, personally
This is the first point at which a direct connection is identifiable information or other valuable data for
made between the attacker and the infected system. financial gain or for use in other attacks.
17
Part 3: The Cybersecurity Controls Office
18
Security Controls
Control Objectives
Controls Definition (COBIT)
19
Controls Implementation
20
Controls Framework
21
NIST Framework Overview
Subcategory Function
Function Category Subcategory
Requirements Requirements
Asset Management (AM) ID.AM-1 to ID.AM-6 6
Business Environment (BE) ID.BE-1 to ID.BE-5 5
Identify Governance (GV) ID.GV-1 to ID.GV-4 4 24
Risk Assessment (RA) ID.RA-1 to ID.RA-6 6
Risk Management (RM) ID.RM-1 to ID.RM-3 3
Protect Access Control (AC) PR.AC-1 to PR.AC-5 5
Awareness and Training (AT) PR.AT-1 to PR.AT-5 5
Data Security (DS) PR.DS-1 to PR.DS-9 9
37
Information Protection Procedures (IP) PR.IP-1 to PR.IP-11 11
Maintenance (MA) PR.MA-1 to PR.MA-2 2
Protective Technology (PT) PR.PT-1 to PR.PT-5 5
Detect Anomalies and Events (AE) DE.AE-1 to DE.AE-5 5
Security Continuous Monitoring (CM) DE.CM-1 to DE.CM-8 8 18
Detection Processes (DP) DE.DP-1 to DE.DP-5 5
Respond Response Planning (RP) RS.RP-1 1
Communications (CO) RS.CO-1 to RS.CO-5 5
Analysis (AN) RS.AN-1 to RS.AN-4 4 14
Mitigation (MI) RS.MI-1 to RS.MI-3 2
Improvements (IM) RS.IM-1 to RS.IM-2 2
Recover Recovery Planning (RP) RC.RP-1 1
Improvements (IM) RC.IM-1 to RC.IM-2 2 5
Communications (CO) RC.CO-1 to RC.CO-2 2
Total = 98
22
NIST Framework Function: Identify
Function Category Subcategory Informative References
ISA 99.02.01 4.2.3.4
COBIT BAI03.04, BAI09.01, BAI09, BAI09.05
ID.AM-1: Physical devices and systems ISO/IEC 27001 A.7.1.1, A.7.1.2
within the organization are inventoried. NIST SP 800-53 Rev. 4 CM-8
CCS CSC1
23
NIST Framework Function: Identify
Function Category Subcategory Informative References
COBIT DSS01.03
ID.BE-4: Dependencies and critical functions for delivery of ISO/IEC 27001 9.2.2
critical services are established. NIST SP 800-53 Rev 4 CP-8, PE-9, PE-10, PE-11, PE-
12, PE-14, PM-8
24
NIST Framework Function: Identify
25
NIST Framework Function: Identify
ID.RA-2: Threat and vulnerability information ISA 99.02.01 4.2.3, 4.2.3.9, 4.2.3.12
Risk Assessment (RA): The is received from information-sharing forums ISO/IEC 27001 A.13.1.2
organization understands the and sources. NIST SP 800-53 Rev. 4 PM-15, PM-16, SI-5
cybersecurity risk to
organizational operations
ID.RA Risk Assessment (including mission, functions, ISA 99.02.01 4.2.3, 4.2.3.9, 4.2.3.12
ID.RA-3: Threats to organizational assets are
image, or reputation), COBIT APO12.01, APO12.02, APO12.03, APO12.04
identified and documented. NIST SP 800-53 Rev. 4 RA-3, SI-5, PM-16
organizational assets, and
individuals.
26
NIST Framework Function: Identify
27
NIST Framework Function: Protect
Function Category Subcategory Informative References
28
NIST Framework Function: Protect
29
NIST Framework Function: Protect
Function Category Subcategory Informative References
30
NIST Framework Function: Protect
Function Category Subcategory Informative References
PR.IP-11: Cyber security is included in human COBIT APO07.01, APO07.02, APO07.03, APO07.04, APO07.05
resources practices (including de-provisioning, ISO/IEC 27001 8.2.3, 8.3.1
personnel screening and others). NIST SP 800-53 Rev 4 PS Family 31
NIST Framework Function: Protect
Function Category Subcategory Informative References
32
NIST Framework Function: Detect
33
NIST Framework Function: Detect
Function Category Subcategory Informative References
COBIT DSS05.07
DE.CM-1: The network is monitored to ISO/IEC 27001 A.10.10.2, A.10.10.4, A.10.10.5
detect potential cyber-security events. NIST SP 800-53 Rev. 4 CM-3, CA-7, AC-2, IR-5, SC-5, SI-4
CCS CSC 14, 16
34
NIST Framework Function: Detect
Function Category Subcategory Informative References
35
NIST Framework Function: Respond
RS.CO-4: Coordination with stakeholders occurs ISO/IEC 27001 A.8.1.1, A.6.1.2, A.6.1.6, A.10.8.2
consistent with response plans, including those related NIST SP 800-53 Rev. 4 CP-2, IR-8
to privacy and civil liberties.
36
NIST Framework Function: Respond
Function Category Subcategory Informative References
Improvements (IM):
Organizational response ISO/IEC 27001 A.13.2.2
activities are improved by RS.IM-1: Response plans incorporate lessons learned. ISA 99.02.01 4.3.4.5.10, 4.4.3.4
incorporating lessons NIST SP 800-53 Rev. 4 CP-2, IR-8
RS.IM Improvements learned from current and
previous
detection/response
activities. RS.IM-2: Response strategies are updated. NIST SP 800-53 Rev. 4 CP-2, IR-8
37
NIST Framework Function: Recover
38
Cybersecurity Risk Management / Best Practices
WORKING GROUP 4: Final Report, March 2015
39
Part 4: The Technology Center
40
NIST Framework Function: Identify
Category Subcategory Technical Requirements
Operations staff assigned to inventory critical infrastructure network devices
ID.AM-1: Physical devices and and systems may need easy to operate database software and technologies
systems within the organization that can automate, scale and report on the adding and removing of networked
are inventoried. resources that are inventoried. This automated system should detect the presence of
unauthorized hardware.
Operations staff assigned to inventory network critical software may use easy
ID.AM-2: Software platforms and to operate database software and technologies that can automate, scale and
applications within the organization report on the adding and removing of network software resources that are
are inventoried. inventoried. This automated system can detect the presence of unauthorized
software, databases and applications.
Computing systems, information storage systems, databases, VPNs, LANs,
VLANs,WANs, VPNs, Text/SMS, Email systems can all have the scheduling, credentials
ID.AM-3: The organizational
of access, business process rules, and security controls built into them, such that
communication and data flow is
personnel and authorized external entities can access the correct information in
mapped.
timely manner according to the documented
ID.AM Asset communications flow.
Management Organizational staff assigned to catalog externally facing critical
infrastructure information systems, servers, virtual machines, software, networks and
ID.AM-4: External information resources can use easy to operate database software and technologies that can scale
systems are mapped and and report on the externally facing resources that are inventoried. This externally
cataloged. facing catalog system can be made secure to prevent corruption of critical network
functions, to prevent theft of services/software and to prevent fraudulent actions. It is
highly
Once the highest priority functions and their corresponding supporting
ID.AM-5: Resources are prioritized based technical resources are prioritized, it is imperative that spare equipment, circuit
on the classification/criticality/business boards, parts, fuel, circuits, servers, and anything physical and technical that can
value of hardware, devices, data and minimize outages and downtime of critical systems, be procured. These critical spares
software. should be stored where operational staff can quickly access and install in order to
minimize any outages or downtime of critical systems.
ID.AM-6: Workforce roles and
Documented roles and responsibilities can be stored and accessible, where
responsibilities for business functions,
all of the organization's staff can read, download and print.
including cyber security, are established. 41
NIST Framework Function: Identify
Category Subcategory Technical Requirements
Once the supply chain roles and responsibilities are identified, conveyed and in place, the key
information that can transfer between various sub‐ organizations, organizations, and its
ID.BE-1: The organization’s external sources can be developed, enhanced, improved or updated to meet the critical
role in the supply chain is business communications requirements within a supply chain ecosystem.
identified and
communicated. The critical networks, protocols, web services, forms, emails, VPNs, VLANs, WANs, databases,
web portals that can transfer critical information between various sub‐organizations,
organizations, and it's external sources can be developed, enhanced, improved or updated to
meet the critical business requirements within a supply chain ecosystem.
Once the Critical Infrastructure roles and responsibilities are identified, conveyed and in place,
ID.BE-2: The the key information that can transfer between various sub‐organizations, organizations, and its
organization’s place in external sources can be developed, enhanced, improved or updated to meet the critical
critical infrastructure business communications requirements within a supply chain ecosystem.
and their industry
ecosystem is identified The critical networks, protocols, web services, forms, emails, VPNs, VLANs, WANs, databases,
and communicated. web portals that can transfer critical information between various sub‐organizations,
ID.BE Business
organizations, and it's external sources can be developed, enhanced, improved or updated to
Environment
meet the critical business requirements within a Critical Infrastructure ecosystem.
ID.BE-3: Priorities for
organizational mission,
None
objectives and activities
are established.
Primary, secondary and tertiary communications systems and techniques can
ID.BE-4: Dependencies and critical be implemented, so that the organization can reach its critically dependent 3rd party entities
functions for delivery of critical in an emergency and/or crisis situation. These modes of communication include but limited to
services are established. telephony, VoIP, IM, Video conference, Internet/Email, Text/SMS and possibly Social media as
modes of critical communications.
Primary, secondary and tertiary communications systems and techniques can
ID.BE-5: Resilience be implemented, so that the organization can reach its critically dependent 3rd party entities
requirements to support in an emergency and/or crisis situation. These modes of communication include but limited to
delivery of critical services are telephony, VoIP, IM, Video conference, Internet/Email, Text/SMS, and possibly Social media as
established. a last resort of critical communications. All of these modes of communications can be made as
secure as practically possible and include authentication functions. 42
NIST Framework Function: Identify
Category Subcategory Technical Requirements
Documented Security policy, along with roles and responsibilities can
ID.GV-1: Organizational information security
be stored and accessible , where all of the organization's staff can
policy is established.
read, download and print.
43
NIST Framework Function: Identify
44
NIST Framework Function: Identify
45
NIST Framework Function: Protect
The overall network design may be designed to maintain the fullest, maximum
PR.AC-5: Network integrity is protected
practical operational integrity. The network design should employ maximum
practical diversity, redundancy, and segmentation where it is practical.
46
NIST Framework Function: Protect
Category Subcategory Technical Requirements
PR.AT Awareness PR.AT-1: General users are informed None
and Training and trained.
Organizations, sub‐organizations and all data owners who manage and maintain information
PR.AT-2: Privileged users technology assets may receive comprehensive training on implementing cybersecurity best
understand roles and practices.
responsibilities.
Computing systems, information storage systems, databases, VPNs, LANs, VLANs, WANs,
PR.AT-3: Third-party VPNs, Text/SMS, Email systems should all have the authorized identities, authorized
stakeholders (suppliers, credentials of access, business process rules, and security controls built into them, such that
customers, partners) personnel and authorized external entities can access the correct information in a timely
understand roles and manner according to the documented communications flow. Security policy filters should be
responsibilities. in place that monitors file structure, metadata, or data type, thus, determining where this
data may flow through the information system based upon specified attributes.
Computing systems, information storage systems, databases, VPNs, LANs, VLANs, WANs,
VPNs, Text/SMS, Email systems can all have the authorized identities, authorized credentials
PR.AT-4: Senior executives of access, business process rules, and security controls built into them, such that personnel
understand roles and and authorized external entities can access the correct information in a timely manner
responsibilities. according to the documented communications flow. Security policy filters should be in place
that monitors file structure, metadata, or data type, thus, determining where this data may
flow through the information system based upon specified attributes.
Computing systems, information storage systems, databases, VPNs, LANs, VLANs, WANs,
VPNs, Text/SMS, Email systems can all have the authorized identities, authorized credentials
PR.AT-5: Physical and of access, business process rules, and security controls built into them, such that personnel
information security and authorized external entities can access the correct information in a timely manner
personnel understand roles according to the documented communications flow. Security policy filters should be in place
and responsibilities. that monitors file structure, metadata, or data type, thus, determining where this data may
flow through the information system based upon specified attributes.
47
NIST Framework Function: Protect
Category Subcategory Technical Requirements
PR.DS Data Security Tools and technologies may include, but not limited to: Network port
scanning / packet capture‐inspection / Intrusion Detection‐ Protection(IPS/IDS) /
Endpoint monitoring‐security / Threat correlation functions / Digital forensics /
PR.DS-1: Data at rest is protected. Data‐File flow and anomaly detection / Access control / SSL Decryption / Log analysis
/ File‐content filtering‐blocking / Outbound botnet communication disruption /
Secure Email gateways / Big‐ data security analytics / and Next Gen Firewalls. *
Computing systems,
Tools and technologies may include, but not limited to: Network port
scanning / packet capture‐inspection / Intrusion Detection‐ Protection(IPS/IDS) /
Endpoint monitoring‐security / Threat correlation functions / Digital forensics /
PR.DS-2: Data in motion is secured. Data‐File flow and anomaly detection / Access control / SSL Decryption / Log analysis
/ File‐content filtering‐blocking / Outbound botnet communication disruption /
Secure Email gateways / Big‐ data security analytics / and Next Gen Firewalls. *
Computing systems,
PR.DS-4: Adequate capacity to Organizations should implement maximum practical diversity, redundancy,
ensure availability is maintained. sparing for all of their critical systems, networks and data storage.
48
NIST Framework Function: Protect
49
NIST Framework Function: Protect
Category Subcategory Technical Requirements
PR.IP Information PR.IP-1: A baseline configuration of The organization can implement a set of continuous monitoring systems and the
Protection information technology/operational database processing and storage assets required to handle large volumes of
technology systems is created. collected data from critical assets.
PR.IP-3: Configuration change control The previously required hardware and software asset inventory systems, may
processes are in place. have functionality to track and document disposal of assets.
PR.IP-4: Backups of information are There should be more than adequate storage capacity, database capacity, and
managed. network bandwidth to allow frequent backups of critical information and data.
PR.IP-6: Information is destroyed The previously required hardware and software infrastructure asset inventory
according to policy and requirements. systems, may have functionality to track and document disposal of assets.
50
NIST Framework Function: Protect
Category Subcategory Technical Requirements
PR.IP Information
Protection Computing systems, information storage systems, databases, VPNs, LANs,
VLANs,WANs, VPNs, Text/SMS, Email systems may all have the authorized identities,
PR.IP-7: Protection processes are
authorized credentials of access, business process rules, and security controls built into
continuously improved.
them, such that personnel and authorized external entities can access the correct
information in a timely manner according to the documented communications flow.
PR.IP-8: Information
The utilization of secure communication and encryption is vital to the sharing of cyber
sharing occurs with
protection technologies, methods and procedures.
appropriate parties.
PR.IP-9: Response plans
The organization may consider DR technologies, systems, protocols,
(business continuity plan(s),
networks, off‐site data storage facilities, and services. There may be more than
disaster recovery plan(s),
adequate storage capacity, database capacity, and network bandwidth to allow frequent
incident handling plan(s) are in
backups of critical information and data .
place and managed.
The organization may consider DR technologies, systems, protocols,
PR.IP-10: Response plans are networks, off‐site data storage facilities, and services. There may be more than
exercised. adequate storage capacity, database capacity, and network bandwidth
to allow frequent backups of critical information and data.
PR.IP-11: Cyber security is
included in human resources An organization's IT department, may have to procure mobile and Endpoint
practices (including de- device management technologies that will also disable / decommission / wipe / destroy
provisioning, personnel screening all account privileges for employees that have departed the organization.
and others).
PR.IP‐12: A vulnerability
management plan is developed and
implemented None
51
NIST Framework Function: Protect
52
NIST Framework Function: Protect
PR.PT-1: Audit and log records are stored in Access control / logging / disabling technologies and systems may have
accordance with audit policy. to be deployed to protect critical assets.
USB drives, Bluetooth devices and any wireless device that can store
PR.PT-2: Removable media are protected
information, should be tracked / inventoried / disposed of properly if
according to a specified policy.
they are allowed in an organization's operational environment.
PR.PT Protective
Technology PR.PT-3: Access to systems and assets is Access control / logging / disabling technologies and systems may have
appropriately controlled. to be deployed to protect critical assets.
53
NIST Framework Function: Detect
54
NIST Framework Function: Detect
Category Subcategory Technical Requirements
DE.CM-1: The network is
The organization may employ different monitoring tools, e.g., host
monitored to detect potential
monitoring, network monitoring, and anti‐virus software.
cyber-security events.
55
NIST Framework Function: Detect
Category Subcategory Technical Requirements
The organization may implement non signature‐based malicious code detection
mechanisms, which include the use of heuristics to detect, analyze, and describe the
DE.CM-5: Unauthorized
characteristics or behavior of malicious code and to provide safeguards against
mobile code is detected.
malicious code for which signatures do not yet exist or for which existing signatures
may not be effective.
DE.CM-6: External service Access control / logging / disabling technologies and systems may have to be
providers are monitored. deployed to protect critical infrastructure assets.
DE.CM Security
Continuous The organization may deploy automated monitoring tools to help in its monitoring
Monitoring efforts for critical infrastructure. Automated tools include, for example, host‐based,
DE.CM-7: Unauthorized network‐based, network‐based, transport‐based, or storage‐based event monitoring
resources are monitored. tools or Security Information and Event Management (SIEM) technologies that provide
real time analysis of alerts and/or notifications generated by organizations information
systems.
The organization may implement vulnerability scanning tools that include the
DE.CM-8: Vulnerability capability to readily update the information systems vulnerabilities to be scanned.
assessments are performed. Also, automated mechanisms to compare the results of vulnerability scans over time
may be implemented to determine trends.
56
NIST Framework Function: Detect
Category Subcategory Technical Requirements
Organizations may consider deploying various tools and technologies to PREVENT /
MITIGATE / RESPOND and RECOVER from cyber‐attack incidents. These tools and
technologies may include, but not limited to: Network port scanning / packet
DE.DP-1: Roles and responsibilities for capture‐inspection / Intrusion Detection‐ Protection(IPS/IDS) / Endpoint
detection are well defined to ensure monitoring‐security / Threat correlation functions / Digital forensics / Data‐File flow
accountability. and anomaly detection / Accesscontrol / SSL Decryption / Log analysis / File‐content
filtering‐blocking / Outbound botnet communication disruption / Secure Email
gateways / Big‐ data security analytics / and Next Gen Firewalls.
57
NIST Framework Function: Respond
58
NIST Framework Function: Respond
59
NIST Framework Function: Respond
60
NIST Framework Function: Respond
RS.IM-1: Response plans incorporate The Lessons learned may be documented and stored/placed in an area or
lessons learned. directory where the organization's security staff can access.
RS.IM Improvements
RS.IM-2: Response strategies are
None
updated.
61
NIST Framework Function: Recover
RC.CO‐3: Recovery activities are The organizations can ensure that secure, reliable electronic communications
communicated to internal (email, text, voice comms..........................................................., etc.) are in
stakeholders and executive and place, so that appropriate personnel are alerted into action when an incident
management teams response is required.
62
Part 5: The Operations Center
63
Operations Center Capabilities
Cyber-Intelligence Services
Identify Protect Detect Respond Recover
64
65
NIST Framework Function: Identify
Category Subcategory Operational Requirements
Appropriate and adequate Operations staff should be assigned to locate, track, count,
ID.AM-2: Software platforms and and document all network critical infrastructure software, critical applications, OSS
ID.AM Asset
applications within the organization software, (i.e.; Billing & Customer Account DBs), network/customer databases, mobile
Management
are inventoried. employee supporting systems, and stored information that is critical to the operations
of the organization.
66
NIST Framework Function: Identify
Category Subcategory Operational Requirements
Organizational staff can identify, inventory, track and update the catalog of externally
facing critical infrastructure systems, databases, web servers, virtual machines,
virtual/physical circuits, networks, VPNs, VLANs, WANs, communications channels,
email systems, phone/UC systems, calendars, applications, web portals, eCommerce
ID.AM-4: External information
interfaces, mobile/remote employee devices, cloud‐data center resources and any
systems are mapped and
other hardware and software that is used to communicate with "outside" entities.
cataloged.
Outside entities include but not limited to: vendors/suppliers, emergency responders,
government officials, peers, customers, public facing websites, customer portals,
contact centers, legal entities, executive communications, billing interfaces,
eCommerce interfaces, mobile employee support, cloud‐data centers etc. *
Organizational leadership, operations and engineering staff can determine who (by
job function) needs to know what information within the entire organization.
Following this exercise, various levels of cybersecurity responsibilities and leadership
ID.AM-6: Workforce roles and can be assigned. These levels of cybersecurity responsibilities will include but not
responsibilities for business functions, limited to: Security of entire infrastructure, security of groups of systems /
including cyber security, are established. applications / databases / SW /devices, security of individual systems / applications /
databases / SW / devices, as well as security of internal and external communications
channels. The cybersecurity leadership can then develop cybersecurity policies and
procedures, then train the appropriate staff of these cybersecurity procedures.
67
NIST Framework Function: Identify
Category Subcategory Operqational Requirements
Organizational leadership, operations and engineering staff can determine
how the organization fits into a supply chain ecosystem. The following questions can be
ID.BE-1: The organization’s
answered: Is the organization a producer, a consumer, both, or something that has yet to be
role in the supply chain is
defined? Does the organization turn raw materials into a product? Does the organization
identified and
provide a service where human resources and expertise is the main ingredient for business
communicated.
operations? Is the organization in the middle of a larger supply chain ecosystem? How does the
organization earn revenue from it's customers? How does the sales function get what it needs
to sell a product or service to customers?
ID.BE-2: The
organization’s place in Organizational leadership, operations and engineering staff may determine how the
critical infrastructure organization fits into a Critical Infrastructure ecosystem. The following questions can be
and their industry answered: Does this organization supply a product or service to critical infrastructure that
ecosystem is identified supports the functioning of our society or economy? Does this organization supply a product or
ID.BE Business and communicated. service to the government to support the security of our society or economy?
Environment
ID.BE-3: Priorities for Organizational leadership, operations and engineering staff can determine the organization's
organizational mission, mission and its primary business objectives as an ongoing concern. The sub‐organizations that
objectives and activities are deemed critical to operating the business can be prioritized such that key decision makers
are established. are very aware of their responsibilities and available human and physical resources.
ID.BE-4: Dependencies and critical
Organizational leadership, operations and engineering staff can determine critical functions for
functions for delivery of critical
delivery of critical services.
services are established.
Once the organizational leadership, operations and engineering staff has determined critical
ID.BE-5: Resilience functions for delivery of critical services. Then they can determine redundant, sometimes
requirements to support duplicative methods for delivery of critical components, supplies and materials. This may
delivery of critical services are include but not limited to redundant circuits for communications, alternate secondary
established. suppliers of fuel, secondary suppliers of critical components, secondary shipping and delivery
providers, alternate means of communicating with government officials and first responders.
68
NIST Framework Function: Identify
Category Subcategory Operational Requirements
An organization's executive and technical leadership can determine which information
ID.GV-1: Organizational and data types that can be protected from threats. Critical financial and technical data
information security policy may be protected and secured from unauthorized access and can address privacy
is established. considerations. Other types of information may be allowed to reach certain people on
a need‐to‐know basis, in order to perform their jobs.
Once the information security policies are established within an organization, these
policies can be conveyed to the appropriate levels of executives, management, and
ID.GV-2: Information security staffing, such that everyone knows their responsibilities in protecting various types of
roles and responsibility are information. External policies and procedures for protecting information can also be
coordinated and aligned. developed. These externally facing information security policies and procedures can
also be strongly conveyed to external suppliers, partners, peers and 3rd party entities
that support the organization.
An organization's executive and technical leadership can include the
organization's legal counsel and/or legal staff in the development of cybersecurity and
ID.GV-3: Legal and regulatory
ID.GV Governance information protection policies. They can ensure that these new cybersecurity and
requirements regarding
information protection policies conform to and do not violate privacy laws and civil
cyber security, including
liberties obligations. Once the legal details of the cybersecurity and information
privacy and civil liberties
protection policies are established, they can be conveyed to the entire organization's
obligations, are understood
staff. Staff confirmation and possibly acceptance of these cybersecurity and
and managed.
information protection policies may need to be obtained. Non‐acceptance by certain
individuals, may dictate what responsibilities are assigned to them.
Once an organization creates an ongoing Threats/Risk catalog, they may progress to
developing the appropriate cyber risk management responses by all of the
sub‐organizations that play a role of managing and responding to these risks. These
ID.GV-4: Governance and risk
appropriate responses, may include, but not be limited to the 5 phases of emergency
management processes
management; Prevention, Mitigation, Preparedness, Response, and Recovery. The
address cyber-security risks.
appropriate responses may describe "Who does What, and When" for every identified
risk in the risk catalog. These responses can include every sub‐organization from the
top executives all the way through to the most remote member of an organization.
69
NIST Framework Function: Identify
Category Subcategory Operational Requirements
Technical staff may research publicly available information and vendor proprietary
information to learn of all of the publicly‐known vulnerabilities of the critical hardware,
ID.RA-1: Asset software, database and network resources of an organization. The technical staff may also
vulnerabilities are research cyber‐criminal elements for vulnerabilities that are not public or known by the
identified and vendors. Once documented and key organizational decision makers can be alerted. Technical
documented. staff may subscribe to websites and news boards that exist for the sole purpose of spreading
details of found technical vulnerabilities over the Internet. An organization may outline what
systems should be monitored,
ID.RA-2: Threat and
Technical staff may research publicly available information and vendor proprietary
vulnerability information is
information to learn of all of the publicly‐known vulnerabilities of the critical hardware,
received from information-
software, database and network resources of an organization.
sharing forums and sources.
ID.RA-3: Threats to Technical staff may research publicly available information and vendor proprietary
organizational assets are information to learn of all of the publicly‐known vulnerabilities of the critical hardware,
identified and documented. software, database and network resources of an organization
ID.RA Risk Assessment
Organizational leadership, operations and engineering staff may determine the
primary‐critical functions and services that make the organization operate as an ongoing
ID.RA-4: Potential impacts are
concern. They can ask the questions: "If we lost <function>, can we continue to operate our
analyzed.
business and business plan(s)?" An example of this exercise may be similar to: "If e lost our
<website>, could we still deliver services to our customers?"
ID.RA-5: Risk responses are The organization may build a list, chart or table to identify threats and vulnerabilities to the
identified. critical business functions, their systems, their networks and their software.
Once an organization creates an ongoing Threats/Risk catalog, they may progress to
developing the appropriate cyber risk management responses by all of the sub‐organizations
ID.RA‐6: Risk responses are that play a role of managing and responding to these risks. These appropriate responses, may
identified and prioritized include, but not be limited to the 5 phases of emergency management; PREVENTION,
MITIGATION, PREPAREDNESS, RESPONSE, and RECOVERY. The appropriate responses may
describe "Who does What, and When" for every identified risk in the risk catalog. These
responses may include every sub‐organization from the top executives all the way through to
the most remote member of an organization.
70
NIST Framework Function: Identify
71
NIST Framework Function: Protect
Category Subcategory Technical Requirements
The organization can determine "who‐internally" needs to know "what“ information, "when" and "how"
will that information be delivered. The organization can take into account "all" internal communications
with: Tiers I, II, III of critical infrastructure related operations, network ops centers, engineering, technical
management, program/project management, customer service, IT, sales, C‐suite officials, billing,
accounting, human resources, security offices etc. Once these communication paths and flows have been
PR.AC-1: Identities and determined the organization can set access controls‐ business process rules within various systems to
credentials are managed allow authorized personnel to reach their required information, when they need it to perform their job
for authorized devices and function. The entire flow of information that describes who‐what‐when‐how must be documented and
users conveyed through ongoing training, to the effected personnel. The organization can determine
"who‐externally" needs to know "what" information, "when" and "how" will that information be
delivered. The organization must take into account "all" external communications with: vendors /
suppliers, emergency responders, government officials, peers, customers, public facing websites,
customer portals, contact centers, legal entities, executive communications, billing interfaces,
eCommerce interfaces, mobile/remote employees etc.
PR.AC Access
Control The organization should determine whom within, internal and external to the entire organization, can be
allowed "PHYSICAL" access to critical infrastructure networks systems, computing systems, storage
PR.AC-2: Physical access systems, databases, email systems, technical spaces, data centers, wiring closets, servers rooms, devices,
to resources is managed tools, vehicles etc. that allow the organization to be an on‐going concern. These critical systems should
and secured be protected from unauthorized 'physical' access by locked doors, locked equipment cabinets, locked file
and software cabinets, locked fencing, biometric locks to shared technical areas, locked vehicles, locked
property and even building/landscaping designs to prevent brute‐force entries to critical areas.
The organization should determine whom within, internal and external to the entire organization, can be
allowed "REMOTE" access to critical infrastructure networks systems, computing systems, storage
systems, databases, email systems, technical spaces, data centers, wiring closets, servers rooms, devices,
PR.AC-3: Remote access is
tools, vehicles etc. that allow the organization to be an on‐going concern. These critical systems should
managed
be protected from unauthorized 'REMOTE' access by mechanisms including, but not limited to: firewalls,
USERNAME/PASSWORDs, mult‐factor identification, access control lists, scheduling limits, VPN access,
LAN/WAN access, biometrics, encryption keys etc.
72
NIST Framework Function: Protect
Category Subcategory Operational Requirements
The organization's technical and operations staff may design their critical
infrastructure networks, such that they can withstand attacks, nodal failures and resources
outages. A suggested approach is to segment the network design into smaller segments, so if
PR.AC-5: Network integrity is an anomaly occurs at one location or node, it can be isolated and not take down the entire
protected network. It is understood that segmentation may not be applicable to all network scenarios,
but it should be considered by the organization and evaluated for its ability to maintain
network integrity. Alternatives to network segmentation may be explored in order to achieve
comparable levels of resiliency.
73
NIST Framework Function: Protect
Category Subcategory Operational Requirements
The organization may determine "who‐internally" needs to know "what“ information, "when"
and "how" will that information be delivered. The organization can take into account "all"
internal communications with: Tiers I,II,III of critical infrastructure related operations, network
PR.AT-2: Privileged ops centers, engineering, technical management, program/project management, customer
PR.AT Awareness users understand service, IT, sales, C‐suite officials, billing, accounting, human resources, security offices etc. Once
and Training roles and these communication paths and flows have been determined the organization can set access
responsibilities. controls‐ business process rules within various systems to allow authorized personnel to reach
their required information, when they need it to perform their job function. The entire flow of
information that describes who‐what‐ when‐how can be documented and conveyed through
ongoing training, to the effected personnel.
The organization may determine "who‐internally" needs to know "what“ information, "when"
and "how" will that information be delivered. The organization may take into account "all"
PR.AT-3: Third-party
internal communications with: Tiers I,II,III of critical infrastructure related operations, network
stakeholders (suppliers,
ops centers, engineering, technical management, program/project management, customer
customers, partners)
service, IT, sales, C‐suite officials, billing, accounting, human resources, security offices etc. Once
understand roles and
these communication paths and flows have been determined the organization can set access
responsibilities.
controls‐ business process rules within various systems to allow authorized personnel to reach
their required information, when they need it to perform their job function.
74
NIST Framework Function: Protect
The organization may determine "who‐internally" needs to know "what“ information, "when"
and "how" will that information be delivered. The organization may take into account "all"
internal communications with: Tiers I,II,III of critical infrastructure related operations, network
PR.AT-4: Senior ops centers, engineering, technical management, program/project management, customer
executives understand service, IT, sales, C‐suite officials, billing, accounting, human resources, security offices etc.
roles and Once these communication paths and flows have been determined the organization should set
responsibilities. access controls‐ business process rules within various systems to allow authorized personnel to
reach their required information, when they need it to perform their job function. The entire
flow of information that describes who‐what‐ when‐how may be documented and conveyed
through ongoing training, to the effected personnel
PR.AT Awareness
and Training
The organization may determine "who‐internally" needs to know "what“ information, "when"
and "how" will that information be delivered. The organization may take into account "all"
internal communications with: Tiers I,II,III of critical infrastructure related operations, network
PR.AT-5: Physical and ops centers, engineering, technical management, program/project management, customer
information security service, IT, sales, C‐suite officials, billing, accounting, human resources, security offices etc.
personnel understand Once these communication paths and flows have been determined the organization must set
roles and responsibilities. access controls‐ business process rules within various systems to allow authorized personnel to
reach their required information, when they need it to perform their job function. The entire
flow of information that describes who‐what‐ when‐how can be documented and conveyed
through ongoing training, to the effected personnel.
75
NIST Framework Function: Protect
Category Subcategory Operational Requirements
PR.DS-3: Assets are formally Organizations can monitor and control critical infrastructure asset configuration and
managed throughout installation changes. Only authorized staff and departments may be allowed to change
removal, transfers and the physical and virtual configurations of critical assets, software, applications, databases
disposition. and stored data.
76
NIST Framework Function: Protect
Category Subcategory Operational Requirements
Organizations may consider deploying various tools and technologies to PREVENT / MITIGATE /
RESPOND and RECOVER from cyber‐attack incidents on critical infrastructure. Organizations
with Data centers or connect with (Cloud) Data Centers should establish a benchmark of what
applications reside in the datacenter. This benchmark may include, but not limited to: File
activity / Authorized Access Accounts / Data flow activity / Software version control / Database
snapshots / Communications ports / Protocols in use / VM quantities and activity.
PR.DS-5: There is protection
Organizations can classify, compartmentalize and segment their critical assets and data.
against data leaks.
Establish “Zones” of various levels of trust, including a “Zero‐Trust” Zone for the most critical
PR.DS Data Security data and network assets. Zero‐Trust Zones mean no default trust is allowed for any entity, user,
device, application, or packet regardless of what it is and its location in the network.
Organizations may only allow granular control of devices, data, content, network access and
applications to only authorized users and authorized sub‐organizations.
.
Organizations may consider deploying various tools and technologies to PREVENT / MITIGATE /
RESPOND and RECOVER from cyber‐attack incidents on critical infrastructure. Organizations
PR.DS-6: Integrity checking with Data centers or connect with (Cloud) Data Centers should establish a benchmark of what
mechanisms are applications reside in the datacenter. This benchmark may include, but not limited to: File
used to verify activity / Authorized Access Accounts / Data flow activity / Software version control / Database
software, firmware, snapshots / Communications ports / Protocols in use / VM quantities and activity.
and information Organizations can classify, compartmentalize and segment their critical assets and data.
integrity Establish “Zones” of various levels of trust, including a “Zero‐Trust” Zone for the most critical
data and network assets. Zero‐Trust Zones mean no default trust is allowed for any entity, user,
device, application, or packet regardless of what it is and its location in the network.
77
NIST Framework Function: Protect
78
NIST Framework Function: Protect
Category Subcategory Operational Requirements
Organizations may monitor and establish BASELINE critical infrastructure
network traffic, file access, database activity, software modifications, stored data
access, and overall asset behavior, in order to better detect anomalies, unauthorized
PR.IP-1: A baseline configuration of access, breaches and attacks. Organizations can scan and certify all new network
information connected and mobile devices before they can be placed into service. Organizations
technology/operational technology with Data centers or connect with (Cloud) Data Centers should establish a benchmark
systems is created. of what applications reside in the datacenter. This benchmark may include, but not
limited to: File activity / Authorized Access Accounts / Data flow activity / Software
version control / Database snapshots / Communications ports / Protocols in use / VM
quantities and activity.
PR.IP-2: A system development Organizations using a systems‐software development lifecycle (SDLC) approach, may
lifecycle to manage systems is incorporate security into every phase of planning, analysis, design, and
implemented. implementation of all of their critical infrastructure systems.
PR.IP Information
Protection Organizations can monitor and control critical infrastructure asset configuration and
PR.IP-3: Configuration change installation changes. Only authorized staff and departments may be allowed to change
control processes are in place. the physical and virtual configurations of critical assets, software, applications,
databases and stored data.
Organizations may establish a critical infrastructure data and systems backup
PR.IP-4: Backups of information are
policy, and required procedures. Once the procedures are established they can be
managed.
tested, updated and then conveyed to the authorized data owners and staff.
PR.IP-5: Policy and regulations Organizations can consider building a Security Team of staff or use external security
regarding the physical operating resources with the following roles included, but not limited to: Incident Responders /
environment for organizational assets Digital Forensics / Investigators / Security Leadership / Compliance Auditor / Legal
are met. Professional / Security Operations
Organizations can monitor and control critical infrastructure asset
PR.IP-6: Information is destroyed
configuration and installation changes. Only authorized staff and departments may be
according to policy and
allowed to change the physical and virtual configurations of critical assets, software,
requirements.
applications, databases and stored data.
79
NIST Framework Function: Protect
Category Subcategory Operational Requirements
PR.IP-8: Information Organizations may share what they learn about Threats, Attacks, Signatures,
sharing occurs with and remediation/recovery information with trusted organizations,
appropriate parties. government entities and trusted industry peers.
PR.IP-9: Response plans Organizations may develop/document a formalized Incident Response Plan. This Incident
(business continuity plan(s), Response Plan should contain, but not limited to the following areas: Preparation / Incident
disaster recovery plan(s), Identification / Incident Containment / Incident‐Threat Eradication / Recovery / and Lessons
incident handling plan(s) are in Learned. This Incident Response Plan may be approved by the highest levels of
place and managed. organizational leadership and by all data/system/network owning business units.
PR.IP Information Organizations may TEST formalized Incident Response Plans on a regular and frequent
Protection basis. This Incident Response TESTING can contain, but not limited to the following areas:
PR.IP-10: Response plans are Preparation / Incident Identification / Incident Containment / Incident‐Threat Eradication /
exercised. Recovery / and Lessons Learned. This Incident Response TESTING may be coordinated with
all levels of organizational leadership and by all data/system/network owning business
units.
PR.IP-11: Cyber security is
included in human resources Organizations, sub‐organizations and all data owners who manage and maintain
practices (including de- information technology assets may receive comprehensive training on implementing
provisioning, personnel screening cybersecurity best practices.
and others).
PR.IP‐12: A vulnerability
management plan is developed and Organizations may establish and document a Threats/Vulnerabilities management plan as it
implemented relates to critical infrastructure
80
NIST Framework Function: Protect
PR.MA-2: Remote maintenance of organizational assets Organizations may monitor and control critical infrastructure
is approved, logged and performed in a manner that asset configuration and installation changes. Only authorized
prevents unauthorized access and supports availability staff and departments may be allowed to change the physical
requirements for important operational and information and virtual configurations of critical assets, software,
systems. applications, databases and stored data.
81
NIST Framework Function: Protect
Category Subcategory Operational Requirements
Organizations may collect data and track all activities with critical
infrastructure assets. This may include, but not limited to logging of all logins,
PR.PT-1: Audit and log records are
applications used, files accessed/copied/downloaded, all doors opened,
stored in accordance with audit policy.
Internet connections/URLs / times these events occurred and who conducted
these activities.
Organizations may identify all possible threats and vulnerabilities to their
PR.PT-2: Removable media are
infrastructure assets, including, but not limited to: Unauthorized Access / Data
protected according to a specified
Breaches / Malware / DDoS / Advanced Persistent Threats / Zero‐day
policy.
Attacks / Phishing / SQL Injections / USB injected bots / and False alarms.
The organization can determine "who‐internally" needs to know "what"
information, "when" and "how" will that information be delivered. The
PR.PT Protective organization may take into account "all" internal communications with: Tiers
PR.PT-3: Access to systems and assets is
Technology I,II,III of critical infrastructure related operations, network ops centers,
appropriately controlled.
engineering, technical management, program/project management, customer
service, IT, sales, C‐suite officials, billing, accounting, human resources,
security offices etc
Organizations may protect critical infrastructure related physical and virtual
PR.PT-4: Communications networks are circuits, networks and communications systems from attack and DDoS by
secured. employing Next‐Gen firewalls, session border controllers (SBC), IPv6,
encryption technologies and the latest cyber/network security best practices.
PR.PT-5: Specialized systems are
protected according to the risk analysis
(SCADA, ICS, DLS). None
82
NIST Framework Function: Detect
Category Subcategory Operational Requirements
The organization and appropriate staff can develop, document, and maintain under
configuration control, a current baseline configuration of the critical infrastructure
DE.AE-1: A baseline of normal information system. Baseline configurations include information about information system
operations and procedures is components (e.g. standard software packages installed on workstastions, notebook
identified and managed. computers, servers, network components, or mobile devices) along with the network
topology. The organization may maintain baseline configurations by creating new baselines
as organizational informational systems change over time.
The organization and appropriate staff can correlate incident information and individual
incident responses to achieve an organization‐wide perspective on incident awareness and
DE.AE-2: Detected events are response for critical infrastructure. The organization may also employ automated
analyzed to understand attack mechanisms to integrate audit review, analysis, and reporting processes to support
targets and methods. organization processes for investigation and response to suspicious activities. The
organization then may analyze and correlate audit records across different repositories to
gain organization‐wide situational awareness.
DE.AE Anomalies The organization and appropriate staff can properly track and document information system
and Events security incidents for critical infrastructure. This can include an automated mechanism to
DE.AE-3: Cyber-security data is
assist in the tracking of security incidents and the collection and analysis of incident
correlated from diverse
information. Also, the organization and appropriate staff may develop an incident response
information sources.
plan that defines the resources and management support needed to effectively maintain
and mature your incident response capabilities.
DE.AE-4: Impact of potential The organization and appropriate staff can coordinate with external organizations to
cyber-security events is correlate and share incident information to achieve a cross‐ organization perspective of the
determined. security event as it relates to critical infrastructure.
When organizations employ monitoring, scanning and collection functions, and baselines
have been set for 'normal' behavior, the organization may establish thresholds of incident
DE.AE-05: Incident alert thresholds
alerts, where valid problems are alerted upon, and keeps false alarms to a minimum. This
are created.
can be an iterative process and the thresholds should be adjusted as the organization learns
more details of 'normal' behavior as it relates to critical infrastructure.
83
NIST Framework Function: Detect
Category Subcategory Operational Requirements
The organization and appropriate staff monitors the information system to detect attacks
and indicators of potential attacks in accordance with defined monitoring objectives for
DE.CM-1: The network is critical infrastructure. The organization may be looking for unauthorized local, network,
monitored to detect potential and remote connections. To accomplish this organization may deploy monitoring devices
cyber-security events. strategically within the information system to collect organization‐determined essential
information, and at ad hoc locations within the system to track specific types of
transactions of interests to the organization.
For critical infrastructure, the organization and appropriate staff employs malicious code
DE.CM-4: Malicious code is
protection mechanisms at information system entry and exit points to detect and eradicate
detected.
malicious code.
84
NIST Framework Function: Detect
Category Subcategory Operational Requirements
DE.CM-5: Unauthorized For critical infrastructure, the organization and appropriate staff may define
mobile code is detected. acceptable and unacceptable mobile code and mobile code technologies.
For critical infrastructure, the organization and appropriate staff can scan for
vulnerabilities in the information system and hosted applications at a defined
DE.CM-8: Vulnerability
frequency and when new vulnerabilities potentially affecting the system/applications
assessments are performed.
are identified and reported. The process may include analyzing the scans and
correcting legitimate vulnerabilities.
85
NIST Framework Function: Detect
Category Subcategory Operational Requirements
The organization and appropriate staff develops a security assessment plan that describes
the scope of the assessment, including employing assessors or assessment teams with a
level of independence to conduct security control assessments of critical infrastructure
DE.DP-1: Roles and
assets. Independent assessors or assessment teams are individuals or groups who conduct
responsibilities for detection are
impartial assessments of organizational information systems. To achieve impartiality,
well defined to ensure
assessors should not: (i) create a mutual or conflicting interests with the organizations
accountability.
where the assessments are being conducted; (ii) assess their own work; (iii) act as
management or employees of the organization they are serving; or (iv) place themselves in
positions of advocacy for the organizations acquiring their services.
DE.DP-2: Detection activities
comply with all applicable
requirements, including those None
related to privacy and civil
liberties.
The organization and appropriate staff may test critical infrastructure intrusion‐monitoring
DE.DP Detection DE.DP-3: Detection processes
tools at a defined frequency. Testing intrusion‐ monitoring is necessary to ensure that the
Processes are exercised to ensure
tools are operating correctly and continue to meet the monitoring objectives of the
readiness.
organization.
The organization and appropriate staff may share information obtained from the
DE.DP-4: Event detection vulnerability scanning process and security control assessments with appropriate staff to
information is communicated to help eliminate similar vulnerabilities in other critical infrastructure information systems.
appropriate parties. This could include automatic alerts from the information system itself that conveys the
information to the appropriate staff.
The organization and appropriate staff may analyze communication
traffic/event patterns for the critical infrastructure information system; develop profiles
representing common traffic patterns and/or events; and use the traffic/event profiles for
DE.DP-5: Detection processes tuning system‐monitoring devices to reduce the number of false positives and the number
are continuously improved. of false negatives. In addition, the organization may use trend analysis to determine if
security control implementations, the frequency of continuous monitoring activities,
and/or the types of activities used in continuous monitoring process need to be modified
based on empirical data.
86
NIST Framework Function: Respond
87
NIST Framework Function: Respond
Category Subcategory Operational Requirements
The organization and supporting staff may develop an incident
response plan that provides a roadmap for implementing its incident
response capability; provides a high‐level approach for how the
RS.CO-1: Personnel know their roles and order
incident response capability fits into the overall organization; and
of operations when a response is needed.
defines reportable incidents etc. This plan may be provided to
organization‐defined incident response personnel as it relates to critical
infrastructure.
88
NIST Framework Function: Respond
RS.AN-1: Notifications from The organization and appropriate staff may review and analyzes critical
the detection system are infrastructure information system audit records at specified intervals for indications
investigated. of unauthorized activities. The anomalies can be reported to the appropriate staff.
RS.AN-4: Incidents are The organization and appropriate staff can track and document critical
classified consistent with infrastructure information system security incidents. This may include maintaining
response plans. records about the incidents, the status of the incidents, and how it was handling.
89
NIST Framework Function: Respond
RS.MI‐3: Newly identified For critical infrastructure, the organization and appropriate staff may develop
vulnerabilities are mitigated or a continuous monitoring strategy and implements a continuous monitoring program.
documented as accepted risks The program may include a list of organization units to be monitored, the metrics in
which to monitor them, and the frequency in which to employ such monitoring.
The organization and appropriate staff should not only incorporate lessons learned
RS.IM-1: Response plans incorporate from within the organization and particular organization groups, but should
lessons learned. continually coordinate with external service providers to ensure that their
capabilities are aligned with the organization.
RS.IM Improvements
The organization and appropriate staff may revisit the developed response
RS.IM-2: Response strategies are
strategies on a scheduled basis and re‐evaluate ongoing needs. This strategy
updated.
may be constantly reviewed and approved by appropriate staff leaders.
90
NIST Framework Function: Recover
RC.CO‐3: Recovery activities are The appropriate staff and organization leaders may identify essential missions and
communicated to internal business functions and their associated contingency requirements. The organization
stakeholders and executive and then can provide contingency roles and responsibilities to the appropriate individuals.
management teams Once finalized, the organization may distribute copies of this plan, update the plan as
need be, and protect the plan from unauthorized disclosure or modification.
91
Part 6: The Testing Center
92
The Testing Center
Test Plans Threat Modeling
93
Threat Modeling
94
Controls Testing
Program Engine The C3 Test Analyzer Controls Engine
Identify
COBIT 5.0
Crown Jewels
ISO 27001
Protect CSC CSC
Identities
IEC 62443
Information
NIST 800-53
Detect
Applications
BSIMM V5
Infrastructure PCI DSS
Respond HIPAA
201 CMR 17
………………
Recover Enterprise Network
95
Penetration Testing Methodology
96
Penetration Testing Methodology
97
Part 7: The Program Office
98
The Written Information Security Program (WISP)
99
The Written Information Security Program (WISP)
100
The Written Information Security Program (WISP)
101
The Written Information Security Program (WISP)
102
Part 8: The GRC Office
103
Governance Models
104
Communications Sector Risk Assessment
105
Risk Assessment Approach
106
Risk Assessment Approach
107
The Risk Assessment – Identify Function
Relevant Categories: Relevant Categories:
Asset Management (ID.AM): The data, personnel, devices, Financial: Barriers are dependent on the size of an organization, and
systems, and facilities that enable the organization to achieve costs are not linear. Marginal cost for improving Tier position is
business purposes are identified and managed consistent with often exponential. Nonetheless, enterprises should use the NIST
their relative importance to business objectives and the framework’s Tier definitions to determine their current posture, and
organization’s risk strategy. where they want to be.
Business Environment (ID.BE): The organization’s mission, Technology: There is no specific set of technologies for
objectives, stakeholders, and activities are understood and implementing the framework, as they are evolving and changing.
prioritized; this information is used to inform cybersecurity roles, Barrier is the complexity of the problem. Nonetheless, full
responsibilities, and risk management decisions. assessment of the Business Environment should be undertaken as a
starting point for risk management calculations.
Governance (ID.GV): The policies, procedures, and processes to Legal/Policy: Difficulties in differentiating between what is classified
manage and monitor the organization’s regulatory, legal, risk, and what is nonclassified information. For segments like Satellite,
environmental, and operational requirements are understood and differentiation between the federal government (classified) and
inform the management of cybersecurity risk. consumer/enterprise markets (unclassified) makes governance
determinations more complex
Risk Assessment (ID.RA): The organization understands the Operational: Challenge in obtaining and being able to discern what
cybersecurity risk to organizational operations (including mission, information is reliable and what is not in a complex threat
functions, image, or reputation), organizational assets, and environment. Nonetheless, undertaking a Risk Assessment on a
individuals. best-available basis is a necessary starting point for risk
management calculations.
Risk Management Strategy (ID.RM): The organization’s priorities, Financial: There is little cyber empirical data to support ROI
constraints, risk tolerances, and assumptions are established and calculations, as it is very difficult to determine risk exposure.
used to support operational risk decisions. Barriers can be mitigated, however, through the use of informed risk
management resources, such as the National Association of
Corporate Director’s Cyber Risk Oversight Handbook, published in
collaboration with the Internet Security Alliance.
108
The Risk Assessment – Protect Function
Relevant Categories: Relevant Categories:
Access Control (PR.AC): Access to assets and associated facilities Financial: Legacy systems require significant investments to
is limited to authorized users, processes, or devices, and to implement framework, and there would be a lower ROI. Companies
authorized activities and transactions. should use the NIST Tier position analysis to determine where they
currently are, and where they want to be.
Awareness and Training (PR.AT): The organization’s personnel Operational: Difficult to implement and gauge effectiveness of
and partners are provided cybersecurity awareness education training in a complex threat environment.
and are adequately trained to perform their information
security-related duties and responsibilities consistent with
related policies, procedures, and agreements.
Data Security (PR.DS): Information and records (data) are Financial: Money spent on security controls cannot be accurately
managed consistent with the organization’s risk strategy to analyzed to determine their value. Companies should use the NIST
protect the confidentiality, integrity, and availability of framework’s Tiers to determine where they currently are, and
information. where they want to be.
Information Protection Processes and Procedures (PR.IP): Technology: Wide diversity of technologies and available solutions is
Security policies (that address purpose, scope, roles, a complexity barrier. Although unique systems, enterprises should
responsibilities, management commitment, and coordination analyze for common vulnerabilities/modes of exploitation that can be
among organizational entities), processes, and procedures are leveraged to overcome barriers.
maintained and used to manage protection of information
systems and assets.
Maintenance (PR.MA): Maintenance and repairs of industrial Operational: Implementing the Framework does not ensure that it is
control and information system components is performed being followed through as part of the business model. Enterprises
consistent with policies and procedures. should seek to align the Framework with on-going operations
wherever possible.
Protective Technology (PR.PT): Technical security solutions are Operational: Usage can be monitored, but it can be very difficult to
managed to ensure the security and resilience of systems and understand the effect. Using the NIST Framework Tier position
assets, consistent with related policies, procedures, and analysis, organizations can prioritize security measures.
agreements.
109
The Risk Assessment – Detect Function
Relevant Categories: Relevant Categories:
Anomalies and Events (DE.AE): Anomalous activity is detected Operational: Difficult to determine the impact in real‐time.
in a timely manner and the potential impact of events is Enterprises should seek to align the Framework with on‐going
understood. operations wherever possible.
Security Continuous Monitoring (DE.CM): The information Operational: Companies are not actively monitoring all employee
system and assets are monitored at discrete intervals to identify activity. Implementing would require additional investments. Using
cybersecurity events and verify the effectiveness of protective the NIST Tier position analysis, organizations can prioritize
measures. security measures.
Detection Processes (DE.DP): Detection processes and Financial: There will be an additional CAPEX cost to procuring SIEM /
procedures are maintained and tested to ensure timely and IPS / IDS technologies and systems. There will be an additional OPEX
adequate awareness of anomalous events. cost to allocate, hire, train staff to be responsible for SIEM /
IPS / IDS technologies and systems.
110
The Risk Assessment – Respond Function
Relevant Categories: Relevant Categories:
Planning (RS.RP): Response process and procedures are Financial: Additional CAPEX and OPEX cost to procuring BC and DR
executed and maintained, to ensure timely response to detected technologies and systems and training staff to recover systems and
cybersecurity events. data, in order to return the organization back to normal business
operations.
Communications (RS.CO): Response activities are coordinated Legal/Policy: Liability concerns could limit voluntary information
with internal and external stakeholders, as appropriate, to sharing. Liability Protection via CISPA and other Bills, as well as
include external support from law enforcement agencies. liability protection from self‐audit, should mitigate this barrier.
Analysis (RS.AN): Analysis is conducted to ensure adequate Operational: Lack of internal cyber security expertise in the areas of
response and support recovery activities investigation / security analysis / forensics / incident response / and
specialized technologies will hinder an effective response to an
attack, breach or loss of data.
Mitigation (RS.MI): Activities are performed to prevent Financial: The hacker/attacker community has an endless capacity to
expansion of an event, mitigate its effects, and eradicate the advance their missions, methods and attack technologies.
incident. Organizations are left to often times guess a hacker’s/attacker’s next
action and point of attack costing them time and money.
Improvements (RS.IM): Organizational response activities are Financial: Numerous False alarms, lack of dedicated security staff,
improved by incorporating lessons learned from current and lack of staff availability, lack of budget all could affect the
previous detection/response activities. organizations ability to keep their response strategies up to date.
111
The Risk Assessment – Recover Function
Relevant Categories: Relevant Categories:
Recovery Planning (RC.RP): Recovery processes and procedures Financial: There will be an additional CAPEX cost to procuring DR
are executed and maintained to ensure timely restoration of technologies and offsite services like storage and data recovery.
systems or assets affected by cybersecurity events. There will be an additional OPEX cost to allocate, hire, train staff to
be responsible for Business Continuity and Disaster Recovery
Improvements (RC.IM): Recovery planning and processes are Operational: Lack of BC/DR Plans will hinder an effective recovery
improved by incorporating lessons learned into future activities. from an attack, breach or loss of data.
Communications (RC.CO): Restoration activities are coordinated Operational: Some staff, executives, shareholders and board
with internal and external parties, such as coordinating centers, members may disagree with the content and delivery time of press
Internet Service Providers, owners of attacking systems, victims, releases and official notifications.
other CSIRTs, and vendors.
112
Conclusions and Recommendations
There is currently a large and growing set of independent research, which has consistently shown that the primary problem
with respect to securing critical infrastructure is economic. Sources as varied as PWC, McAfee/Intel, CIO Magazine, and the
Center for Strategic and International Studies (CSIS).
As a general matter, mitigating some of the costs involved with voluntary adoption of the Framework will increase
awareness and overall implementation, particularly for small‐to‐ medium enterprises. Therefore, the barriers feeder group
recommends that the federal government resume the work on incentives that was initiated by four government agencies–
U.S. Departments of the Treasury, Commerce, and Homeland Security, and a General Services Administration
(GSA)/Department of Defense (DOD) joint effort– that was called‐for in EO 13636.
Even relatively homogenous critical infrastructure sectors, such as the Communications Sector, often have substantial
differences at the individual enterprise level. Incentives may need to be applied at the corporate level to be effective, and
only each individual corporate entity would be in a position to evaluate what policies and incentives work best for them.
Therefore, a menu of market incentives available for corporations that elect voluntary adoption of effective standards and
practices would best drive further adoption of the Framework.
The barriers feeder group suggests the FCC consider, and advocate for the federal government at‐large to develop a set of
economic incentives that will further Framework adoption.
113
Questions?
114