Integration of cyber security incident response with IMS -- an approach for E.O. 13636
Response and recovery methods for severe cyber security incidents need traceable integration within incident management systems, which should be offered as a tool-set within the Executive Order 13636 Cybersecurity Framework.

NERC FERC CIP CIP-009 IMS NFPA 1600 CYBER SECURITY CISA CISSP PMP


Document Transcript

Integration of cyber security incident response within holistic incident management systems to strengthen resiliency of the nation's critical infrastructure

Part two of a series
June 2013
Author: Dave Sweigert, M.Sci., CISSP, CISA, PMP

ABSTRACT

Response and recovery methods for severe cyber security incidents need traceable integration within incident management systems, which should be offered as a tool-set within the Executive Order 13636 Cybersecurity Framework.

Background

In September 2010, a 30-inch diameter natural gas pipeline exploded near a residential neighborhood of San Bruno, California. A fire followed which quickly engulfed nearby homes. As the site was two miles West of San Francisco Airport, initial responders believed a jetliner had crashed in the area. It took the private operator, PG&E, 90 minutes to shut off the gas after the explosion.

Preventing severe incidents caused by technology is one of the goals of the White House as expressed in Executive Order 13636 [1]. E.O. 13636 seeks to strengthen the protection of Critical Infrastructure and Key Resources (CIKR) [2], albeit via voluntary compliance with a new Cybersecurity Framework (CSF). E.O. 13636 seeks to "explore the use of existing regulation to promote cyber security" while "understanding the cascading consequences of infrastructure failures..." [3]. This paper intends to meld both goals to better explore ways in which existing policy frameworks can be leveraged to further particularize the CSF with practical solutions.

Industry check-box attitudes about cyber-security compliance

Although CSF is voluntary in nature, some private sector operators of CIKR have voiced their concern that severe incidents may require cohesive and coordinated rapid response and recovery, which is not addressed by technology-based standards (see responses to the U.S. National Institute of Standards and Technology (NIST), Request for Information (RFI) [4]).

Real CIKR resiliency may require examination of how an organization's response capabilities align with public or private partners and understanding those functional interdependencies.

In contrast, the Critical Infrastructure Protection (CIP) [5] Reliability Standards program (a Bulk Electric System (BES) industry [6] framework) has imposed a fine-based compliance scheme on the BES industry. CIP critics complain it is an administrative-based set of disjointed standards which foster a "check the box mentality" and has failed in achieving tangible "comprehensive and effective cybersecurity." [7]

To illustrate, the static CIP standard 009, "Recovery Plans for Critical Cyber Assets" [8], requires the creation of a "recovery plan" for "cyber assets". CIP-009 does not require integration of such a stand-alone recovery plan within the organization's overall severe incident response. So, cyber-incident escalation triggers that activate other response plans may or may not be addressed.

To be CIP-009 compliant, an entity only needs a cyber-incident response [9] plan to react to cyber hygiene focused events; e.g. sabotage reporting, privilege escalation, security perimeter breaches, etc. However, a response team may need visibility into the cascading consequences caused by network or system outages on critical infrastructure and may need to understand when and how to trigger a larger response to the unfolding event.

Alignment of the CIP-009 plan with other planning documents may be a prudent objective; e.g. integration with the Emergency Operations Plan (governed by yet another BES standard, the EOP-001 Emergency Operations Planning [10] standard).

Incident management system (IMS): a more fully integrated approach

The National Infrastructure Protection Plan (NIPP) Energy Sector Specific Plan (2010) states as a goal the need to achieve "comprehensive emergency, disaster, and continuity of business planning" [11].

Severe incident response can be managed with an incident management system (IMS) to "direct, control, and coordinate response and recovery operations." [12]

An approach endorsed by Congress [13] and the U.S. Department of Homeland Security [14] is contained in the National Fire Prevention Association (NFPA) Standard 1600 (Disaster/Emergency Management and Business Continuity Programs); quoted in relevant part:

"...An IMS is designed to enable effective and efficient domestic incident management by integrating a combination of facilities, equipment, personnel, procedures, and communications operating within a common organizational structure..."

An IMS creates a response structure that can respond to dynamic conditions associated with severe incidents. It represents a doctrine and set of principles to organize response activities and capabilities.

Summary

Cyber-centric response activities can be integrated within an IMS approach to guide the creation of a holistic capability that can respond to severe incidents. NFPA 1600 may provide private and public operators with the guidance they need to integrate cyber-response plans into a holistic response framework.

About the author: Dave Sweigert is a Certified Information Systems Security Professional, Certified Information Systems Auditor, Project Management Professional and holds Master's degrees in Information Security and Project Management. He is a practitioner of IMS principles in his role as a volunteer Emergency Medical Technician and has attended more than 500 hours in IMS related training. He specializes in assisting organizations in institutionalizing NFPA 1600 into their cyber response plans.

Notes

[1] Executive Order -- Improving Critical Infrastructure Cybersecurity, 2/12/2013. See: Sec. 7. Baseline Framework to Reduce Cyber Risk to Critical Infrastructure.
[2] Critical Infrastructure: Assets, systems and networks, whether physical or virtual, so vital to the United States that the incapacity or destruction of such assets, systems or networks would have a debilitating impact on security, national economic security, public health or safety, or any combination of those matters. Key resources: Publicly or privately controlled resources essential to the minimal operations of the economy and the government.
[3] Presidential Policy Directive (PPD) 21.
[4] Docket No. 130208119-3119-01, Industry responses to NIST Request for Information.
[5] North American Electric Reliability Corporation's (NERC) Critical Infrastructure Protection (CIP) Standards for Cyber Security.
[6] http://www.nerc.net/standardsreports/standardssummary.aspx
[7] "Utilities are focusing on regulatory compliance instead of comprehensive security. The existing federal and state regulatory environment creates a culture within the utility industry of focusing on compliance with cybersecurity requirements, instead of a culture focused on achieving comprehensive and effective cybersecurity. Specifically, experts told us that utilities focusing on achieving minimum regulatory requirements rather than designing a comprehensive approach to systems security. In addition, one expert stated that security requirements are inherently incomplete, and having a culture that views the security problem as being solved once those requirements are met will leave an organization vulnerable to cyber attack. Consequently, without a comprehensive approach to security, utilities leave themselves open to unnecessary risk." United States Government Accountability Office, Electricity Grid Modernization: Progress Being Made on Cybersecurity Guidelines, but Key Challenges Remain to be Addressed (Report to Congressional Requesters), GAO-11-117 (Washington, DC: U.S. Government Accountability Office, January 2011), 23, http://www.gao.gov/products/GAO-11-117.
[8] http://www.nerc.com/files/CIP-009-3.pdf
[9] Computer Security Incident Response Capability (CSIRC) or team (as defined within NIST Special Publication 800-61).
[10] http://www.nerc.com/files/EOP-001-0_1b.pdf
[11] 2010 Energy Sector-Specific Plan, Page 8.
[12] National Fire Protection Standard 1600, Standard on Disaster/Emergency Management and Business Continuity Programs.
[13] Intelligence Reform and Terrorism Prevention Act of 2004.
[14] June 2010, DHS Secretary Napolitano formally adopts NFPA 1600 as a standard.