Collaborating to Solve the Nation’s Intractable Cybersecurity Challenges Brian Barrios will provide an overview of the collaborative work being done to accelerate the adoption of secure technologies across U.S. business sectors. Using standards, best practices, and commercially available secure technologies, security experts the NCCoE demonstrate the real-world application of cybersecurity and publish their example solutions in cybersecurity practice guides (National Institute of Standards and Technology Special Publication series 1800). The presentation will highlight current projects, such as helping health care organizations secure patient health information/electronic health records on mobile devices and helping energy utilities protect physical and logical access to their resources. He will also discuss how the NCCoE’s grand collaborative experiment in applied cybersecurity is helping to solve the nation’s most intractable cybersecurity challenges to ultimately help reduce the technical, economic, and educational barriers to widespread adoption of secure technologies.

1. Collaborating to Solve the Nation’s Intractable
Cybersecurity Challenges
Hacker Halted 2015
September 18, 2015
Brian Barrios
@brianbarrios01

2. INCREASING CYBERSECURITY
CHALLENGES

3. 3
2015: THE YEAR OF THE HEALTHCARE HACK

4. 4

5. 5
Data about more than 120 million people
has been compromised in more than
1,100 separate breaches at organizations
handling protected health data since 2009,
according to U.S. Department of Health
and Human Services data reviewed by
The Washington Post.

6. 6

7. 7
Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) FY2014

8. NATIONAL CYBERSECURITY
CENTER OF EXCELLENCE

9. 9
STAKEHOLDERS
The
White
House
SPONSORS
Advise, assist, and facilitate
the center’s strategic
initiatives
TEAM
Collaborate with innovators
to provide real-world
cybersecurity capabilities
that address business
needs
CUSTOMERS
Collaborate with center on
project-specific use cases
that help our customer’s
manage their cybersecurity
priorities
National
Institute of
Standards
and
Technology
U.S.
Department
of
Commerce
U.S.
Congress
Montgomery
County
Maryland
State
NCCoE Academia Project
Specialists
National
Cybersecurity
Excellence
Partnership
(NCEP)
Partners
Government
Project-
Specific
Collaborators
Tech
Firms
Industry
Business
Sectors
Cybersecurity IT Community
Systems IntegratorsIndividuals
Academia
Government
National
Cybersecurity
FFRDC*
*Sponsored by NIST, the National Cybersecurity Federally Funded Research
& Development Center (FFRDC) is operated by the MITRE Corporation

10. 10
NATIONAL CYBERSECURITY EXCELLENCE PARTNERS

11. 11
VISION AND MISSION
GOAL 1
PROVIDE PRACTICAL
CYBERSECURITY
Help people secure their data and
digital infrastructure by equipping
them with practical ways to implement
standards-based cybersecurity
solutions that are modular, repeatable
and scalable
VISION
ADVANCE CYBERSECURITY
A secure cyber infrastructure that
inspires technological innovation
and fosters economic growth
MISSION
ACCELERATE ADOPTION OF
SECURE TECHNOLOGIES
Collaborate with innovators to provide
real-world, standards-based
cybersecurity capabilities that address
business needs
GOAL 2
INCREASE RATE OF
ADOPTION
Enable companies to rapidly deploy
commercially available cybersecurity
technologies by reducing
technological, educational and
economic barriers to adoption
GOAL 3
ACCELERATE
INNOVATION
Empower innovators to
creatively address
businesses’ most pressing
cybersecurity challenges in a
state-of-the-art, collaborative
environment

12. 12
ENGAGEMENT & BUSINESS MODEL
DEFINE + ARTICULATE
Describe the business problem
ORGANIZE + ENGAGE
Partner with innovators
IMPLEMENT + TEST
Build a usable reference design
TRANSFER + LEARN
Guide users to stronger cybersecurity
Define business problems and
project descriptions, refine into a
specific use case
Collaborate with partners from
industry, government, academia
and the IT community on
reference design
Practical, usable, repeatable
reference design that addresses
the business problem
Set of all material necessary to
implement and easily adopt the
reference design

13. 13
ENGAGEMENT & BUSINESS MODEL
ORGANIZE +
ENGAGE
Partner with innovators
TRANSFER + LEARN
Guide stronger practices
IMPLEMENT + TEST
Build a reference design
Identify and
describe
business
problem
Conduct
market
research
Vet project
and use case
descriptions
Publish project use
cases and solicit
responses
Select partners
and
collaborators
Sign
CRADA
Build
reference
design
Test
reference
design
Identify
gaps
Collect
documents
Tech
transfer
Document
lessons
learned
Define business problems
and project descriptions,
refine into specific use
case
Collaborate with partners
from industry, government,
academia and the IT
community on reference
design
Practical, usable,
repeatable reference
design that addresses the
business problem
Set of all material
necessary to implement
and easily adopt the
reference design
DEFINE + ARTICULATE
Describe the business problem
OUTCOME OUTCOME OUTCOME OUTCOME
ACTION ACTION ACTION ACTION

14. 14
APPROACH
We seek problems that are:
‣Broadly relevant
‣Technology-based
‣Addressable with multiple commercially
available technologies

15. 15
TENETS
Standards-based
Modular
Usable
Repeatable
Open and transparent
Commercially available

16. 16
NIST CYBERSECURITY PRACTICE GUIDES
Health IT Sector
‣ Securing Electronic Health Records on Mobile Devices
Energy Sector
‣ Identity and Access Management for Electric Utilities
Identity
‣ Coming soon: Attribute Based Access Control
Mobile
‣ Coming soon: Mobile Device Security

17. HEALTH IT:
ELECTRONIC HEALTH RECORDS
& MOBILE DEVICES

18. 18
HEALTH IT CHALLENGE
‣ Physician uses a mobile device application to send
a referral to another physician.
‣ Application sends the referral to a server running a
certified EHR application.
‣ Server routes the referral to the referred physician.
‣ Referred physician uses mobile device to receive
the referral.

19. 19
SECURING EHRS ON MOBILE DEVICES
Benefits
‣ Improve security: Help organizations better secure
patient data accessed through mobile devices
‣ Reduce costs. Medical identity theft costs billions of
dollars each year, and a cyber-crime can cripple
operations and the ability to care for patients.
‣ Reduce risk. Continuous risk management is critical
to continued operation, success of the organization,
and patient safety. Altered medical information can put
a person’s health at risk through misdiagnosis,
delayed treatment, or incorrect prescriptions.

20. 20
ARCHITECTURE

21. 21
SECURITY WALKTHROUGH
1. Login
Username/
password
User Devices Access Point Identity Svr. MDM EHR Server
STOP
2. Device MAC
STOP
MAC address
filtering
3. Start EAP-TLS
Pass device credential
STOP
STOP
4. Compliance
check
Return Status
Access allowed
802.1X EAP-TLS
Authentication/
authorization
Open EMR:
User/password/
HTTPS encrypted
Check
credential
STOP
5. Connect to OpenEMR Using HTTPS

22. 22
COLLABORATING VENDORS: EHRS ON MOBILE

23. 23
Find it on: https://nccoe.nist.gov
Comment deadline: 9/25/2015

24. ENERGY SECTOR: IDENTITY
AND ACCESS MANAGEMENT

25. 25
UTILITY CHALLENGE
‣ Most utilities separate information technology and
operational technology, leading to decentralized access
control across many departments.
‣ Consequences include:
‣ Increased risk of attack and service disruption
‣ Inability to identify potential sources of a problem or
attack
‣ Lack of overall traceability and accountability regarding
who has access to both critical and noncritical assets

26. 26
IDENTITY & ACCESS MANAGEMENT FOR UTILITIES
Benefits
‣ Improve security by tracking and auditing access
requests and other IdAM activity across all networks
‣ Reduce the risk of malicious or untrained people
gaining unauthorized access to critical infrastructure
components and interfering with their operation,
thereby lowering overall business risk
‣ Improve efficiencies
‣ Allow rapid provisioning and de-provisioning of
access from a centralized platform
‣ Improve speed of delivery of services
‣ Support oversight of resources, including
information technology, personnel, and data

27. 27
OVERVIEW: ENERGY SECTOR IDAM USE CASE

28. 28
COLLABORATING VENDORS: ENERGY IDAM

29. 29
Find it on: https://nccoe.nist.gov
Comment deadline: 10/23/2015

30. SECURING LAW
ENFORCEMENT VEHICLES

31. 31

32. 32

33. 33

34. 34

35. 35

36. 36
AUTOMOTIVE CHALLENGE
‣ IoT is no longer just your thermostat or home security
system.
‣ Law enforcement vehicle security, provided by Virginia
State Patrol:
‣ Public-private working group to explore the technology
needed to safeguard Virginia’s citizens and public safety
agencies from cybersecurity attacks targeting
automobiles

37. 37
VA STATE PATROL CAR SECURITY
Goals
‣ Identify technology that can assist law enforcement
officers in determining if/when a vehicle has fallen
victim to a cyber attack.
‣ Develop strategies for citizens and public safety
personnel to identify and prevent cybersecurity threats
targeting vehicles and other consumer devices.

38. 38
EVENT
Cybersecurity Technology Showcase
‣ Cyber assessment and demo with Virginia State
Patrol vehicles
‣ Date: September 30, 2015
‣ Location: Chester, VA
‣ http://vus.virginia.gov/registration/

39. ADDITIONAL CYBERSECURITY
PROJECTS

40. 40
ATTRIBUTE BASED ACCESS CONTROL
‣ Businesses face the challenge of growing diversity in both
the types of users and their access needs. As this diversity
grows, traditional access control mechanisms become
increasingly difficult to manage and audit.
‣ ABAC does not bucket employees, but rather employee
access decisions are made based on a set of attributes
assigned to a user’s digital identity.
‣ ABAC allows for the use of environmental attributes, such
as time of day, IP address, or threat level to be defined and
implemented in access control policies.

41. 41
MOBILE DEVICE SECURITY
‣ Faced with a rapidly changing array of mobile platforms,
corporations must ensure that the cell phones, tablets and
other devices connected to their enterprise systems can be
trusted to protect sensitive corporate data.
‣ Employees increasingly want to use both corporate-issued
and personally owned mobile devices to access corporate
enterprise services, data, and resources to perform work-
related activities.

42. WORK WITH US

43. 43
FIND US: UPCOMING EVENTS & PROJECTS
‣ Passcode (CSM) Event on Cybersecurity Research
‣ October 8, 2015 in Washington, DC
‣ No cost to attend
‣ Retail projects (including Point of Sale)
‣ Transportation (automotive, air, maritime, rail, etc.)
projects

44. 44
SOLVE PRESSING CHALLENGES
‣ Comment on our projects
‣ Brief us on your products/technology
‣ Use our guides
‣ Join our Communities of Interest
‣ Energy
‣ Financial Services
‣ Health IT
‣ Transportation

45. nccoe@nist.gov240-314-6800
9600 Gudelsky Drive
Rockville, MD 20850http://nccoe.nist.gov