Delve into effective NIST Cybersecurity Framework implementation decisions and customizations for enhancing satellite cybersecurity. Explore profiles and industry best practices.
Workshop A: Understanding and Implementation Decisions around the NIST Cybersecurity Framework
CyberSat Summit, November 16, 2018
Workshop Session Background and Purpose
Background:
• The Cybersecurity Framework's flexible approach helps to promote the protection and resilience of critical infrastructure and other sectors important to our economic and national security. Since its release in 2014, and its latest update (version 1.1) in April 2018, the Framework has seen broad and increasing voluntary adoption, and has been customized to meet the needs of many types of organizations.
Purpose:
• Share the Cybersecurity Framework's current status, and
• Highlight relevant industry-led customizations of the Framework that could serve as models for extending the Framework to enhance satellite cybersecurity.
Cultivating Trust in Information and Systems: Foundational Standards, Best Practices, Practical Applications
Key Cybersecurity Framework Attributes
• Common and accessible language
• Adaptable to many technologies, lifecycle phases, sectors and uses
• Risk-based
• Meant to be paired with existing standards, guidelines and practices, not to replace them
• A living document
• Guided by many perspectives: private sector, academia, public sector
Cybersecurity Framework Components: Core
5 Functions | 23 Categories | 108 Subcategories | Informative References: many industry guidance documents, practices and controls
Example Cybersecurity Framework Profiles
• Manufacturing Profile: NIST Discrete Manufacturing Cybersecurity Framework Profile (NISTIR 8183)
• Communications Segment Profiles: FCC CSRIC Working Group 4 Final Report, Cybersecurity Risk Management and Best Practices
• Maritime Profile: Maritime Bulk Liquids Transfer Profile
Profile Example: Maritime Bulk Liquids Transfer (MBLT)
• Provides an industry-specific instantiation of the Cybersecurity Framework Profile concept for a subsector of the oil and natural gas industry.
• Acts as non-mandatory guidance to organizations conducting MBLT operations within facilities and vessels under the regulatory control of the USCG under the Code of Federal Regulations, 33 CFR Parts 154-156.
• Collects recommended cybersecurity safeguards and describes the desired minimum state of cybersecurity for those organizations in the MBLT context, in support of those safety-oriented regulations.
• Assists in cybersecurity risk assessments for entities involved in MBLT operations as overseen by the USCG.
• Serves as a starting point for enterprises to review and adapt their risk management processes in light of increased awareness of cybersecurity threats in the OT environment.
https://www.dco.uscg.mil/Portals/9/CG-FAC/Documents/Maritime_BLT_CSF.pdf?ver=2017-07-19-070544-223
Building a Profile: A Profile can be Created in Three Steps
1. Refine the sector mission (mission, mission objectives, mission priorities, mission dependencies)
2. Cybersecurity Requirements: legislation, regulation, internal and external policy, best practices
3. Operating Methodologies: guidance and methodology on implementing, managing, and monitoring
Mission Vocabulary (Step 1: Refine the Sector Mission)
• Mission: the universal objective of the sector
• Mission Objective: specific outcomes that support the mission
• Mission Priority: the relative importance of one item versus another
• Mission Dependency: a requirement to fulfill the Mission or a Mission Objective that lives outside of the subsector
Bulk Liquid Transport Mission (Refine the Subsector Mission)
Mission: Ensuring the safe, secure and timely movement of hazardous bulk liquids within the maritime environment.
Mission Boundaries: Operations that involve (1) loading and discharging hazardous bulk liquids (a) from facilities to vessels, (b) from vessels to vessels, and (c) from vessels to facilities; and (2) the transport or movement of hazardous bulk liquids by vessel.
Mission Objectives (Refine the Subsector Mission)
• Maintain quality of product
  • Maintain conditions of product during transport (temperature, pressure, additives)
  • Ensure appropriate product testing is completed
• Safe carriage
• Meet HR requirements
  • Train personnel appropriately (good return on people investment)
• Pass required audits/inspections (e.g., OCIMF SIRE inspections)
  • Flag state, port state, class society, owner/operator, contractual
• Obtain timely vessel clearance
• Maintain personnel safety (the International Safety Management Code places personnel before environment)
  • Meet occupational health requirements
• Maintain environmental safety
• Maintain operational security
• Maintain preparedness
  • Resilient systems (e.g., weather/environmental)
  • Risk mitigation procedures (e.g., SMS)
• Sustain maintenance and reliability of physical equipment
• Sustain maintenance and reliability of IT systems
• Document and test plans
Mission Dependencies (Refine the Subsector Mission)
• Forces outside the sector that affect the mission
• Factors affecting likelihood: war, price per barrel
• Ranked by likelihood:
  • Navigational processes (GPS/AIS)
  • Deliberate attacks
  • Weather (region affects likelihood)
  • Market forces (less of a day-to-day effect)
  • Availability of qualified, experienced, certified inspectors (the labor market affects likelihood; many available now means high availability)
  • Disruption of the supply chain
  • Incident alerting and information sharing (e.g., refinery to transportation system)
  • Status of the labor force (technology training, sustaining agreements, e.g., strikes)
  • Other critical infrastructure (water, communications, energy, supply of fuel)
  • Political drivers (domestic and foreign)
Building a Profile, Step 2 of 3: Cybersecurity Requirements (legislation, regulation, internal and external policy, best practices)
Cybersecurity Requirements
• Maritime Transportation Security Act
• Code of Federal Regulations, Title 33, Parts 101-106 and 154-156
• Maritime Cyber Security Standards, Federal Register 78883 [2014-30613]
• International Ship and Port Facility Security (ISPS) Code framework
• IMO FAL 39/7 dated 10 July 2014, Ensuring Security in and Facilitating International Trade: Measures Toward Enhancing Maritime Cybersecurity
• ISA/IEC 62443, Industrial Automation and Control Systems Security
• Standard of Good Practice for Information Security (Information Security Forum)
• ANSI/ISA-99, Industrial Automation and Control System Security
• IEC 62351, Power systems management and associated information exchange: Data and communications security
• ISO/IEC 27001:2013, Information technology, Security techniques, Information security management systems: Requirements
• ISO 28001:2007, Security management systems for the supply chain; Best practices for implementing supply chain security, assessments, and plans: Requirements and guidance
• Federal Information Security Management Act (FISMA)
Building a Profile, Step 3 of 3: Operating Methodologies (guidance and methodology on implementing, managing, and monitoring)
Operating Methodologies
• Systems Management: Federal Information Processing Standard (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems
• Security controls: COBIT; NIST SP 800-53, Security and Privacy Controls; ISO/IEC 27002:2013, Information technology, Security techniques, Code of practice for information security controls
• Risk Assessment: NIST SP 800-30, Guide for Conducting Risk Assessments
• Data Labeling: NIST SP 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories
• Information Sharing: NIST SP 800-150, Guide to Cyber Threat Information Sharing
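The three steps above produce a Target Profile that an organization then compares against its Current Profile. As an added illustration (not code from the slides, the MBLT profile, or NIST), the following captures that comparison as data: mission objectives with relative priorities (step 1), Subcategories tagged with the requirement or methodology driving them (steps 2 and 3), and a gap analysis ordered by the mission priority each Subcategory serves. It also flags any mission objective that no Subcategory supports, which is the usual sign that step 1 and steps 2/3 were never reconciled. The Subcategory identifiers and outcome statements are real CSF 1.1 text; the priority numbers, the Subcategory-to-objective mapping, the driver labels and the current states are constructed placeholders for the example.

```python
"""Capture a Cybersecurity Framework Profile as data and run a gap analysis.

Added illustration, not from the slides or the MBLT profile. Subcategory IDs
and outcome statements are CSF 1.1 text; the objective priorities, the
Subcategory-to-objective mapping, driver labels and current states below are
constructed placeholders.
"""
from dataclasses import dataclass

# Implementation state of a Subcategory, as an ordinal so gaps are comparable.
STATE = {"not_implemented": 0, "partial": 1, "implemented": 2}


@dataclass(frozen=True)
class Subcategory:
    id: str           # CSF 1.1 Subcategory identifier
    outcome: str      # CSF 1.1 outcome statement
    supports: tuple   # step 1: mission objectives this outcome serves
    drivers: tuple    # steps 2 and 3: requirement or methodology behind it
    target: str = "implemented"   # desired state in the Target Profile


# Step 1: mission objectives (wording from the MBLT slides) with a relative
# priority, 1 = most important. The numbers are constructed for the example.
MISSION_PRIORITY = {
    "Maintain Personnel Safety": 1,
    "Maintain Operational Security": 2,
    "Maintain Environmental Safety": 2,
    "Sustain maintenance and reliability of IT Systems": 3,
    "Document and Test Plans": 4,
}

# Steps 2 and 3 folded into the Target Profile. Driver labels are illustrative.
TARGET_PROFILE = (
    Subcategory("ID.AM-1",
                "Physical devices and systems within the organization are inventoried",
                ("Sustain maintenance and reliability of IT Systems",),
                ("NIST SP 800-53 CM-8",)),
    Subcategory("PR.AC-1",
                "Identities and credentials are issued, managed, verified, revoked, and "
                "audited for authorized devices, users and processes",
                ("Maintain Operational Security",),
                ("Facility security plan, 33 CFR Part 105 (illustrative)",
                 "NIST SP 800-53 AC-2, IA-2")),
    Subcategory("DE.CM-1",
                "The network is monitored to detect potential cybersecurity events",
                ("Maintain Operational Security",
                 "Sustain maintenance and reliability of IT Systems"),
                ("NIST SP 800-53 SI-4",)),
    Subcategory("RS.CO-2",
                "Incidents are reported consistent with established criteria",
                ("Maintain Personnel Safety", "Maintain Operational Security"),
                ("USCG incident reporting (illustrative)", "NIST SP 800-53 IR-6")),
    Subcategory("PR.IP-10",
                "Response and recovery plans are tested",
                ("Maintain Personnel Safety", "Document and Test Plans"),
                ("Safety Management System drills (illustrative)",)),
)

# A constructed Current Profile: state per Subcategory id; ids that are
# missing count as not implemented (RS.CO-2 below).
CURRENT_PROFILE = {
    "ID.AM-1": "implemented",
    "PR.AC-1": "partial",
    "DE.CM-1": "not_implemented",
    "PR.IP-10": "partial",
}


def subcategory_priority(sub, priorities=MISSION_PRIORITY):
    """A Subcategory inherits the priority of the most important objective it supports."""
    return min(priorities[o] for o in sub.supports)


def unsupported_objectives(profile=TARGET_PROFILE, priorities=MISSION_PRIORITY):
    """Objectives no Subcategory supports. The gap analysis is blind to these,
    so a non-empty result means the Profile does not yet address them."""
    covered = {o for sub in profile for o in sub.supports}
    return sorted(o for o in priorities if o not in covered)


def gap_analysis(current, profile=TARGET_PROFILE, priorities=MISSION_PRIORITY):
    """One record per Subcategory below its target state, ordered by the
    mission priority it serves, then by gap size, then by id."""
    gaps = []
    for sub in profile:
        have = STATE[current.get(sub.id, "not_implemented")]
        want = STATE[sub.target]
        if have < want:
            gaps.append({"id": sub.id,
                         "priority": subcategory_priority(sub, priorities),
                         "gap": want - have,
                         "drivers": sub.drivers})
    gaps.sort(key=lambda g: (g["priority"], -g["gap"], g["id"]))
    return gaps


if __name__ == "__main__":
    for o in unsupported_objectives():
        print(f"WARNING: no Subcategory in the Profile supports '{o}'")
    for g in gap_analysis(CURRENT_PROFILE):
        print(f"P{g['priority']} {g['id']} gap={g['gap']} drivers={'; '.join(g['drivers'])}")
```

With the constructed data, the ordering puts incident reporting (RS.CO-2) and plan testing (PR.IP-10) first because both serve the top-priority objective, personnel safety, even though PR.AC-1 is a larger technical control; that is the point of letting step 1 drive the ranking rather than the control catalog. The warning for "Maintain Environmental Safety" shows the coverage check catching an objective that steps 2 and 3 never mapped.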
Opportunities for a CSF Profile for Satellites?
• Identification and prioritization of mission and business objectives
  • For the sector? For segments in the sector (e.g., space ground systems, space assets, space operations)?
• Expression of cybersecurity requirements
  • Regulatory? Industry expressed? Organization specific?
• Application of standards and practices
  • Existing satellite standards and best practices?
Questions & Opportunities to Engage
Cybersecurity Framework: https://www.nist.gov/cyberframework
Cybersecurity Framework Resources: https://www.nist.gov/cyberframework/framework-resources-0
Follow us on Twitter: @NISTcyber
Contact: Kevin Stine, kevin.stine@nist.gov