550 likes | 2.16k Views
Resiliency Rules:. 7 Steps for Critical Infrastructure Protection. Agenda. What are critical infrastructures? What are the CIP policy drivers? The differences between CIP/CIIP and cyber security Resiliency rules. What is Critical Infrastructure?.
E N D
Resiliency Rules: 7 Steps for Critical Infrastructure Protection
Agenda • What are critical infrastructures? • What are the CIP policy drivers? • The differences between CIP/CIIP and cyber security • Resiliency rules
What is Critical Infrastructure? • Critical infrastructures are generally thought of as the key systems, services and functions whose disruption or destruction would have a debilitating impact on public health and safety, commerce, and national security or any combination of those matters. • These include communications, energy, banking, transportation, public health and safety and essential government services.
CIP Policy Drivers Natural Disaster WAR Dependence Directives IT Attacks Convergence Response Plans Terrorism Laws & Regulations Globalization
CIP/CIIP and Cybersecurity Understanding the Differences Critical Infrastructures Non-essential IT systems Cybersecurity Those practices and procedures that enable the secure use and operation of cyber tools and technologies Critical Information Infrastructure Cross-Cutting ICT interdependencies among all sectors Large Enterprises Personal users Info & Comms Energy Banking Transportation Government Services
Resiliency Rules 7 Steps for Critical Infrastructure Protection • Define Goals and Roles • Identify and Prioritize Critical Functions • Continuously Assess and Manage Risks • Establish and Exercise Emergency plans • Create Public-Private Partnerships • Build Security/Resiliency into Operations • Update and Innovate Technology/Processes
CIP Goals Establishing Clear Goals is Central to Success
CIP Roles Understanding Roles Promotes Coordination
Define Roles CIIP Coordinator (Executive Sponsor) Infrastructure Owners and Operators Public-Private Partnerships Law Enforcement IT Vendors and Solution Providers Computer Emergency Response Team Sector Specific Agency Government Shared Private
Identify and Prioritize Critical Functions Collaborate to understand Interdependencies • Establish an open dialogue to understand the critical functions, infrastructure elements, and key resources necessary for • delivering essential services, • maintaining the orderly operations of the economy, and • ensuring public safety. Critical Function Infrastructure Element Key Resource Supply Chain Supply Chain Supply Chain Critical Function Infrastructure Element Key Resource Critical Function Supply Chain Supply Chain Supply Chain Infrastructure Element Key Resource Understand Interdependencies Supply Chain Supply Chain Supply Chain Supply Chain
Continuously Assess and Manage Risks Protection is the Continuous Application of Risk Management • Evaluate Program Effectiveness • Leverage Findings to Improve Risk Management • Identify Key Functions • Assess Risks • Evaluate Consequences • Define Functional Requirements • Evaluate Proposed Controls • Estimate Risk Reduction/Cost Benefit • Select Mitigation Strategy • Seek Holistic Approach. • Organize by Control Effectiveness • Implement Defense-in Depth
Establish and Exercise Emergency plans Improve Operational Coordination • Public and private sector organizations can benefit from developing joint plans for managing emergencies – including recovering critical functions in the event of significant incidents, including but limited to natural disasters, terrorist attacks, technological failures or accidents. • Emergency response plans can mitigate damage and promote resiliency. • Effective emergency response plans are generally short and highly actionable so they can be readily tested, evaluated, and implemented. • Testing and exercising emergency plans promotes trust, understanding and greater operational coordination among public and private sector organizations. • Exercises also provide an important opportunity to identify new risk factors that can be addressed in response plans or controlled through regular risk management functions.
Create Public-Private Partnerships • Voluntary public-private partnerships • Promote trusted relationships needed for information sharing and collaborating on difficult problems, • Leverage the unique skills of government and private sector organizations, and • Provide the flexibility needed to collaboratively address today’s dynamic threat environment
Build Security and Resiliency into Ops • Organizational incentives can drive security development lifecycle principles into all line of business • Leveraging the security lifecycle promotes secure and resilient organizations and products
The Security Development Lifecycle Driving Change Across Microsoft • Product Inception • Assign security advisor • Identify security milestones • Plan security integration into product • Design • Define security architecture and design guidelines • Document elements of software attack surface • Threat Modeling • Standards, best practices, and tools • Apply coding and testing standards • Apply security tools (fuzzing tools, static-analysis tools, etc) Security Push • Security code reviews • Focused security testing • Review against new threats • Meet signoff criteria Final Security Review • Independent review conducted by the security team • Penetration testing • Archiving ofcompliance info • RTM and Deployment • Signoff Security Response • Plan and process in place • Feedback loop back into the development process • Postmortems
Update and Innovate Technology/Processes • Cyber threats are constantly evolving • Policy makers, enterprise owner and operators can prepare for changes in threats by • Monitoring trends • Keeping systems patched • Maintaining the latest versions of software that have been built for the current threat environment.
Services Edge Server Applications Encrypting File System (EFS) BitLocker™ Network Access Protection (NAP) Information Protection Client and Server OS Identity Management SystemsManagement Active Directory Federation Services (ADFS) Guidance Developer Tools Microsoft Innovations Drive