Business Continuity for Cyber Threat
April 1, 2014
Workshop Session #3, 3:00 – 5:30 PM
Susan Rogers, MBCP, MBCI
Cyberwise CP
Between 2009-2010 the Stuxnet cyberweapon is estimated to have destroyed 1,000 Iranian nuclear-fuel centrifuges at the Natanz uranium enrichment plant.
What happens when a computer program can activate physical machinery?
Cyber Threat to Critical Infrastructure
• “A cyberattack could disable trains all over the country.
• It could blow up pipelines.
• It could cause blackouts and damage electrical power grids so that the blackouts would go on for a long time.
• It could wipe out and confuse financial records, so that we would not know who owned what.
• It could disrupt traffic in urban areas by knocking out control computers.
• It could, in nefarious ways, do things like wipe out medical records.”
Richard Clarke, former Counter Terrorism Chief under Presidents Clinton and Bush, speaking to Fresh Air host Terry Gross
Protecting U.S. Critical Infrastructure
“We have entered into a new phase of conflict in which we use a cyberweapon to create physical destruction,” said Retired General Michael Hayden in an interview on 60 Minutes.
“When you use a physical weapon, it destroys itself, in addition to the target, if it’s used properly. A cyberweapon doesn’t,” explained Gen. Hayden. “So there are those out there who can take a look at [the Stuxnet worm], study it and maybe even attempt to turn it to their own purposes. Such as launching a cyber attack against critical infrastructure here in the United States.”
One of the biggest targets for cyber terrorism is our critical infrastructure – energy, in particular.
About 75% of critical infrastructure is owned by private industry. Problem: how do you convince these owners that they need to invest money in safeguard practices to protect not only their own assets but also those of our country?
Framework to Motivate Market Interests
2/12/2013: U.S. Presidential policy and Executive Order signed to enhance the cybersecurity of Critical Infrastructure (CI)
“The vulnerabilities allowing Stuxnet to succeed included insecure software (technology), improper IT security management (process), and insufficient security training of personnel (people)—the usual people, process, and technology triad that underlies the security (or insecurity) of any system.”
NRECA / Cooperative Research Network Smart Grid Demonstration Project Guide to Developing a Cyber Security and Risk Mitigation Plan
Executive Order 13636 – Improving Critical Infrastructure Cybersecurity
“It is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy and civil liberties”
National Institute of Standards and Technology (NIST) is directed to work with stakeholders to develop a voluntary framework for reducing cyber risks to critical infrastructure
This Cybersecurity Framework is being developed in an open manner with input from stakeholders in industry, academia and government, including a public review and comment process, workshops and other means of engagement.
Value of a Risk Framework
* The ERM framework by the Committee of Sponsoring Organizations of the Treadway Commission (COSO)
Cyber risk = Operations Risk
Baseline activities to strengthen critical infrastructure
Integrate into risk & vendor management practices
http://www.nist.gov/cyberframework/index.cfm
NIST Cybersecurity Risk Framework COSO ERM
Framework Core
• Present key outcomes
• Align to known activities
• Map to standards & guidelines
• Baseline: if implemented, will reduce the percentage of breaches, attack success & impact
• Framework to communicate maturity and risk environment
“The assessment addresses a number of areas related to cybersecurity, including firms’: business continuity plans in case of a cyber-attack”
Mapping to BC Process & Controls
Function: IDENTIFY
Category: Risk Assessment (ID.RA): The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.
• Sub-Category ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk
  BC Support Process: Business units include cyber threat in their risk assessment, with the intent to identify areas of contingency planning.
• Sub-Category ID.RA-6: Risk responses are identified and prioritized
  BC Support Process: Business units identify their processes and assets that are high risk based on cyber threat actor motivation.
Category: Risk Management Strategy (ID.RM): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.
• Sub-Category ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders
  BC Support Process: Results of risk assessments are aggregated and approved by senior leadership.
• Sub-Category ID.RM-2: Organizational risk tolerance is determined and clearly expressed
  BC Support Process: An organization's risk tolerance includes funding and approval of technology and business contingency planning activities that will reduce the impact of cyber threat.
• Sub-Category ID.RM-3: The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector-specific risk analysis
  BC Support Process: The organization will meet its Regulator's and Customer's level of standards and practices for information security, business continuity and vendor management.
Threat actor motivations:
• Advantage: political, economic, financial, military, technological
• Ego: notoriety, revenge
• Ideology: religious, political, cultural
Threat actors:
• Nation States
• Terrorists
• Economic Espionage
• Criminals
• Activists/Hacktivists
• External Opportunists
• Insiders
Cyber BC Planning Case Study
Case study will be made available during the DRJ workshop. Materials will be electronically updated after the conference.
Exercising Cyber Contingency Planning
Part III
Lessons Learned
Exercise Content
Takeaways
Lessons Learned From DDoS Attacks
Feedback from Financial Industry / BC Planning Takeaway
• Feedback: Break down silos. There is a need to bring everyone together to address cyber and physical impact: business teams, fraud, BC, incident response, corporate messaging.
  Takeaway: Tech + Business Incident Command
• Feedback: Need to adapt and respond to cyber impact quickly.
  Takeaway: Cyber-based tabletop exercises; expand BC & incident response plans
• Feedback: During crisis response, decision making cannot be done by committee.
  Takeaway: Incident command to define roles, activities & decision authority
• Feedback: During an attack you need to know what is normal versus abnormal impact to critical assets. Need to prioritize business & customer impact and identify actions that will be taken in worst-case or poor scenarios.
  Takeaway: Extreme case scenario planning
Lessons Learned From Cyber Exercises
Cyber Exercise After Action Report / BC Planning Takeaway
• Finding: Enhance the response playbook to better account for an industry-specific incident, with the goal of strengthening the integration between industry groups, market participants, and government agencies.
  Takeaway: Sector & enterprise playbooks
• Finding: Improve coordination between business and technology leaders during cyber incident analysis and response.
  Takeaway: Tech + Business Incident Command
• Finding: Enhance the role of exchanges, clearing firms, and trusted government partners in cyber incident response and crisis management. Increase awareness about government resources available to assist the sector.
  Takeaway: Formalize 3rd party & government crisis routines
• Finding: Augment existing guidelines and decision frameworks to determine if cyber incidents are systemic in nature.
  Takeaway: Crisis monitoring reporting
• Finding: Institutionalize procedures for market open/close decisions during times of cyber incident response & crisis.
  Takeaway: Procedures for worst case scenario
Cyber Exercise Case Study
Case study will be made available during the DRJ workshop. Materials will be electronically updated after the conference.
Take Away Activities
Proactively address Cyber BC with your company’s Info Sec, Risk Management & Critical Business leaders (see action plan).
The White House, Presidential Policy Directive – Critical Infrastructure Security and Resilience, February 12, 2013, accessed August 6, 2013, www.whitehouse.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil
Executive Order 13636 – Improving Critical Infrastructure Cybersecurity, February 19, 2013 (Federal Register), www.gpo.gov/fdsys/pkg/FR-2013-02-19/pdf/2013-03915.pdf