320 likes | 331 Views
Protecting critical systems and assets is the highest priority for the national and economic security interests of the United States. This urgent national imperative requires the development of resilient and secure systems to defend against advanced cyber threats. This article explores the current landscape of cyber risk in energy, transportation, manufacturing, and defense sectors and highlights the need for reducing complexity, engineering trustworthiness, and implementing cyber resiliency strategies. The Federal Government's modernization strategy, risk management framework, and upcoming publications from NIST are also discussed.
E N D
Building Trustworthy, Secure Systems for the United States Critical Infrastructure An Urgent National Imperative
The Current Landscape. It’s a dangerous world in cyberspace…
Cyber Risk. Function(threat, vulnerability, impact, likelihood) Energy Transportation Manufacturing Defense
Resilient Military Systems and the Advanced Cyber Threat • Cyber Supply Chain • Cyber Deterrence Defense Science Board Reports
Our appetite for advanced technology is rapidly exceeding our ability to protect it.
Protecting critical systems and assets— The highest priority for the national and economic security interests of the United States.
Federal Government’s Modernization Strategy • Identify and develop federal shared services. • Move to FedRAMP-approved cloud services. • Isolate and strengthen protection for high value assets. Reduce and manage the complexity of systems and networks… Engineer more trustworthy, secure, and resilient solutions.
Reducing susceptibility to cyber threats requires a multidimensional strategy. Harden the target Limit damage to the target First Dimension Second Dimension System Make the target resilient Third Dimension
Cyber Resiliency. The ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.
Cyber resiliency relationships with other specialty engineering disciplines. Safety Privacy Security Resilience and Survivability Fault Tolerance Reliability
CREF CYBER RESILIENCY ENGINEERING FRAMEWORK protection. Damage limitation. Resiliency. • Goals • Objectives • Techniques • Approaches • Strategic Design Principles • Structural Design Principles • Risk Management Strategy Constructs
Relationship among cyber resiliency constructs. Why Approaches What GOALS • Anticipate • Withstand • Recover • Adapt OBJECTIVES • Understand • Prevent/Avoid • Prepare • Continue • Constrain • Reconstitute • Transform • Re-architect Strategic Design Principles Structural Design Principles TECHNIQUES Risk Management Strategy Inform selection and prioritization Inform selection and prioritization Inform selection prioritization Inform selection How Inform selection and prioritization Inform selection and prioritization Inform selection and prioritization
CREF CYBER RESILIENCY ENGINEERING FRAMEWORK protection. Damage limitation. Resiliency. • Adaptive Response • Analytic Monitoring • Coordinated Protection • Substantiated Integrity • Privilege Restriction • Dynamic Positioning • Dynamic Representation • Non-Persistence • Diversity • Realignment • Redundancy • Segmentation • Deception • Unpredictability Techniques
ISO/IEC/IEEE 15288:2015 Systems and software engineering — System life cycle processes Cyber Resiliency Constructs in System Life Cycle. • Business or mission analysis • Stakeholder needs and requirements definition • System requirements definition • Architecture definition • Design definition • System analysis • Implementation • Integration • Verification • Transition • Validation • Operation • Maintenance • Disposal NIST SP 800-160
NIST SP 800-37, Revision 2 Risk Management Framework for Information Systems and Organizations A System Life Cycle Approach for Security and Privacy
MONITOR SELECT CATEGORIZE Risk Management Framework (RMF) 2.0 PREPARE AUTHORIZE IMPLEMENT Just released for public review and comment. ASSESS
A unified framework for managing security, privacy, and supply chain risks. Communication between C-Suite and Implementers and Operators Security Risk Management Privacy Risk Management RMF 2.0 Alignment with NIST Cybersecurity Framework Alignment with Security Engineering Processes Supply Chain Risk Management
Transparency. Traceability. Trust.
On the Horizon… • NIST Special Publication 800-37, Revision 2 Risk Management Framework for Information Systems and Organizations Final Publication: October 2018 • NIST Special Publication 800-53, Revision 5 Security and Privacy Controls for Information Systems and Organizations Final Publication: December 2018 • NIST Special Publication 800-53A, Revision 5 Assessing Security and Privacy Controls in Information Systems and Organizations Final Publication: September 2019
On the Horizon… • NIST Special Publication 800-160, Volume 2 Systems Security Engineering Cyber Resiliency Considerations for the Engineering of Trustworthy Secure Systems Final Publication: October 2018 • NIST Special Publication 800-160, Volume 3 Systems Security Engineering Software Assurance Considerations for the Engineering of Trustworthy Secure Systems Final Publication: December 2019 • NIST Special Publication 800-160, Volume 4 Systems Security Engineering Hardware Assurance Considerations for the Engineering of Trustworthy Secure Systems Final Publication: December 2020
The ultimate objective for security and privacy. Institutionalize. Operationalize.
The essential partnership. Government Academia Industry
100 Bureau Drive Mailstop 8930 Gaithersburg, MD USA 20899-8930 Email Mobile ron.ross@nist.gov 301.651.5083 LinkedIn Twitter www.linkedin.com/in/ronross-cybersecurity@ronrossecure WebComments csrc.nist.govsec-cert@nist.gov RMF RISK MANAGEMENT FRAMEWORK Simplify. Innovate. Automate.