
Integrating disaster recovery metrics into the NIST EO 13636 Cybersecurity Framework


Towards measuring private infrastructure operators' use of comprehensive incident management techniques to reduce overall risk to the organization and community

Part three of a series
July 2013
Author: Dave Sweigert, M.Sci., CISSP, CISA, PMP

ABSTRACT

Metrics to measure response and recovery methods for severe cyber security incidents (that could lead to "black out" events for Critical Infrastructure and Key Resources) need traceable integration within incident management systems and should be offered as a solution as part of the Executive Order 13636 Cybersecurity Framework.

Background

In September 2011 the San Diego skyline went dark and nearly seven (7) million people went without electrical power in a severe blackout incident that hit Arizona, California, Colorado and Mexico. Traffic lights went dark while trains were held at a standstill in Los Angeles County. Local residents were issued boil-water notices due to sewage back-ups (caused by failing pumps). Perishable food losses at supermarkets, for the one-day event, totaled $12 to $18 million. An electro-mechanical single point of failure (SPF) in North Gila, Arizona caused the event.

***

Preventing severe incidents caused by technology is one of the goals of the White House as expressed in Executive Order 13636 [1]. It purports to strengthen the protection of Critical Infrastructure and Key Resources (CIKR) [2], albeit via voluntary compliance with a proposed Cybersecurity Framework (CSF). By sponsoring an effort to achieve industry consensus on already existing standards, the White House hopes to enable a better risk management approach with the CSF for CIKR operators. E.O. 13636 directs executive agencies with cybersecurity responsibilities to (1) share information with the private sector and owner-operators to develop processes that can help address cyber security risks; and (2) review and report on the appropriateness of their current cyber efforts; quoting in relevant part: "..Explore the use of existing regulation to promote cyber security .."

To date, E.O. 13636 industry-consensus building exercises (coordinated by the U.S. National Institute of Standards and Technology (NIST)) have parsed a dozen cybersecurity compliance standards into a "framework" to support the goal of an integrated approach to risk management. NIST calls this approach the Framework Core.

Core of the Framework

As an example of the Framework Core, NIST has released a draft that is comprised of the following major categories of risk management measurement:

  KNOW
  PREVENT
  DETECT
  RESPOND
  RECOVER

These over-arching categories are explained on the NIST CSF web-site; quoting in relevant part: "…The Framework Core offers a way to take a high-level, overarching view of an organization's management of cybersecurity risk by focusing on key functions of an organization's approach to this security…" and "the Framework should assist an organization to align and integrate cybersecurity-related policies and plans, functions, and investments with the enterprise's overall risk management.." [3]

To illustrate, NIST has taken the regulatory enforcement standards of the Bulk Electric System (BES), known as the Critical Infrastructure Protection (CIP) [4] Reliability Standards, and has parsed them into the five categories (KNOW, PREVENT, DETECT, RESPOND, RECOVER (KPDRR)).

The BES is already a heavily regulated industry that lives under a mandatory enforcement, auditing and compliance oversight framework empowered by the Federal Energy Regulatory Commission (FERC), which approves standards created by the North American Electric Reliability Corporation (NERC). CIP Reliability Standards are part of that existing compliance structure.

In the NIST "RESPOND" category of the Framework Core the CIP Reliability Standard for Recovery Plans is listed, CIP-009-3, Requirement 1 (CIP-009-3 R1). Quoting the standard in relevant part: "..Standard CIP-009-3 ensures that recovery plan(s) are put in place for Critical Cyber Assets and that these plans follow established business continuity and disaster recovery techniques and practices...".

From a risk management framework (RMF) perspective [5], it would appear that the CIP-009-3 Reliability Standard mandates the integration of incident action plans that address "Critical Cyber Assets" with those incident response plans that address ".. disaster recovery (DR) techniques and practices ..". However, no specific consensus-developed standards seem to be widely available to guide the development of CIP-009-3 measured "DR practices". The lack of tangible DR metrics to measure "DR practices" (presumably in the form of standards or guidelines) introduces uncertainty into the measurement of gaps. Consequently, the subsequent planning of an appropriate risk response becomes problematic.

Identifying risk management metrics to integrate cybersecurity within a larger incident response

In the context of framing cyber security risks to the BES, each private individual operator is only concerned with its own organization's risk. An individual private CIKR operator is not required to assess downstream, cascading circumstances caused by its equipment malfunctions. The "Electricity Subsector Cybersecurity Risk Management Process (RMP) guideline" (published jointly by NIST, NERC, and the U.S. Department of Energy (May 2012)) describes the paradox of conducting risk management of varying individual DR plans:

"..During the risk framing element, organizations may have provided guidance on how to analyze risk and how to determine risk …The degree to which business continuity and disaster recovery are supported by the organization may be different for each mission function and business process application…"

It would be helpful to have clear and unambiguous metrics to determine whether the degree of integration between cyber security incident response plans and DR or business continuity (BC) plans is appropriate. Unfortunately, the current CIP Reliability Standards are focused on compliance at individual private-operator facilities, not on interconnecting BES infrastructure outside the facility Electronic Security Perimeter (ESP). Cyber Assets outside the ESP are exempted from compliance in several (if not all) CIP Reliability Standards. This exemption includes: "..Cyber Assets associated with communication networks and data communication links between discrete Electronic Security Perimeters…" [6]

There appear to be no clearly defined metrics to measure KPDRR capabilities addressing how private-individual CIKR operators could accommodate region-wide severe incidents that would presumably be addressed in DR or BC plans; whether caused by Cyber Assets outside the ESP, other manmade disasters, natural disasters, etc.

Towards an integrated approach to CIKR resiliency risk measurement

Integrated planning for the potential for severe incidents (external to the private-operator CIKR) with a standards-based response protocol (multi-disciplinary in nature) seems to address the apparent gap in measuring responsiveness to a severe incident. Emergency Management (EM) is the traditional domain that has been relied upon to address KPDRR management issues for severe incidents, regardless of the source of the incident. As explained in the Energy Sector-Specific Plan, an Annex to the National Infrastructure Protection Plan (NIPP), the EM capabilities developed by the U.S. Department of Homeland Security (DHS) include the National Incident Management System (NIMS) and the National Response Framework (NRF); quoting, in relevant part, the strategic need for: "comprehensive emergency, disaster, and continuity of business planning" [7]. Only publicly controlled CIKR operators are presently required to develop EM plans that address NIMS and the NRF, as they are under the influence of DHS [8].

One wonders if a NIMS/NRF maturity model could augment the CSF RMF, and if that could be successfully applied by private operators to measure risk.

About the author: Dave Sweigert, CISSP, CISA, PMP, holds Master's degrees in Information Security and Project Management. A graduate of the National Fire Academy (NFA) Incident Management Team (IMT) course, he is a practitioner of ICS/NIMS in his role of assisting private organizations in institutionalizing ICS/NIMS into their cyber response plans.

Notes

[1] Executive Order -- Improving Critical Infrastructure Cybersecurity, 2/12/2013. See: Sec. 7, Baseline Framework to Reduce Cyber Risk to Critical Infrastructure.
[2] Critical Infrastructure: Assets, systems and networks, whether physical or virtual, so vital to the United States that the incapacity or destruction of such assets, systems or networks would have a debilitating impact on security, national economic security, public health or safety, or any combination of those matters. Key Resources: Publicly or privately controlled resources essential to the minimal operations of the economy and the government.
[3] minary_framework_standards.pdf
[4] North American Electric Reliability Corporation's (NERC) Critical Infrastructure Protection (CIP) Standards for Cyber Security.
[5] NIST SP 800-37: Guide for Applying the Risk Management Framework.
[6] CIP-003-4, "4.2. The following are exempt from Standard CIP-004-3:" Also, CIP-004-3, CIP-005-3, etc.
[7] 2010 Energy Sector-Specific Plan, page 8.
[8] Note: as described in the first paper of this series, the U.S. Department of Health and Human Services (DHHS) required health care facilities to adopt a NIMS-based management plan for EM (see Incident Command System).