The Communications Security, Reliability and Interoperability Council IV
Working Group 4 Final Report  March 2015

CYBERSECURITY RISK MANAGEMENT AND BEST PRACTICES
WORKING GROUP 4: Final Report  March 2015
TABLE of CONTENTS

I. EXECUTIVE SUMMARY ... 4
   A. Voluntary Mechanisms ... 6
   B. Guidance to Individual Companies on the Use of the NIST Framework ... 8
   C. Communication Sector Commitment to Advancing Cybersecurity Risk Management ... 10
II. INTRODUCTION ... 11
III. BACKGROUND ... 13
   A. CSRIC Structure ... 15
   B. Leadership Team ... 16
   C. Working Group 4 Team Members ... 16
IV. OBJECTIVE, SCOPE, AND METHODOLOGY ... 19
   A. Objective ... 19
   B. Scope ... 20
   C. Methodology ... 21
V. FINDINGS ... 24
   A. Macro Level Assurance Findings ... 24
   B. Voluntary Mechanisms Findings ... 25
   C. Use of the NIST Cybersecurity Framework or an Equivalent Construct Findings ... 25
   D. Meaningful Indicators Findings ... 25
   E. Communications Sector Implementation Guidance Findings ... 26
VI. CONCLUSIONS ... 27
   A. Macro Level Assurance Conclusions ... 27
   B. Voluntary Mechanisms Conclusions ... 27
   C. Use of NIST Cybersecurity Framework or Equivalent Construct Conclusions ... 28
   D. Meaningful Indicators Conclusions ... 28
   E. Communications Sector Implementation Guidance Conclusions ... 28
VII. RECOMMENDATIONS ... 30
   A. Macro Level Assurance Recommendations ... 30
   B. Voluntary Mechanisms Recommendations ... 30
   C. Use of NIST Cybersecurity Framework or Equivalent Construct Recommendation ... 31
   D. Meaningful Indicators Recommendations ... 31
   E. Communications Sector Implementation Guidance Recommendations ... 31
VIII. ACKNOWLEDGEMENTS ... 33
IX. REPORTS & SEGMENTS ... 34
   9.1 BROADCAST SEGMENT ... 35
   9.2 CABLE SEGMENT ... 62
   9.3 SATELLITE SEGMENT ... 91
   9.4 WIRELESS SEGMENT ... 118
   9.5 WIRELINE SEGMENT ... 167
   9.6 REQUIREMENTS AND BARRIERS TO IMPLEMENTATION ... 202
   9.7 CYBER ECOSYSTEM AND DEPENDENCIES ... 321
   9.8 MEASUREMENT ... 355
   9.9 SMALL AND MEDIUM BUSINESS ... 370
   9.10 TOP CYBER THREATS AND VECTORS ... 398
I. EXECUTIVE SUMMARY

CSRIC IV Working Group 4 (WG4) was given the task of developing voluntary mechanisms that give the Federal Communications Commission (FCC) and the public assurance that communication providers are taking the necessary measures to manage cybersecurity risks across the enterprise.[1] WG4 also was charged with providing implementation guidance to help communication providers use and adapt the voluntary NIST Cybersecurity Framework[2] (hereinafter NIST CSF).

Working Group 4 began its work shortly after the Communications Sector[3] completed a highly collaborative, multi-stakeholder process that resulted in the NIST CSF Version 1.0[4] that was called for in the President's Executive Order 13636, Improving Critical Infrastructure Cybersecurity.[5] The sector's participation in CSRIC WG4 was seen as an opportunity to assume the leadership urged by FCC Chairman Tom Wheeler in a speech delivered to the American Enterprise Institute in June 2014.[6] By building on the cross-sector NIST CSF and by framing its applicability to five major communications industry segments, the Working Group was able to formulate and commit to several voluntary mechanisms that provide the macro-level assurances sought by the FCC. Moreover, these mechanisms, combined with the insights, tools, guidance, and fact-based analyses developed by over 100 cybersecurity professionals who participated in a year-long effort to produce this report, validate the advantages of a non-regulatory approach over a prescriptive and static compliance regime.[7]

WG4 organized itself into five segment subgroups representing the five key parts of the communication industry. Their representatives were encouraged to pursue independent evaluations of the CSRIC WG4 charge based on their own operating environments. The five segments included:

[1] See Federal Communications Commission, CSRIC IV Working Group Descriptions and Leadership (2013), available at http://transition.fcc.gov/pshs/advisory/csric4/wg_descriptions.pdf.
[2] See National Institute for Standards and Technology, Framework for Improving Cybersecurity, 79 FR 9167 (Feb. 18, 2014) [hereinafter NIST CSF], available at http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf.
[3] For purposes of this report, the Communications Sector is comprised of five industry segments including broadcast, cable, satellite, wireless, and wireline network service providers.
[4] See NIST CSF.
[5] See Exec. Order No. 13,691, Promoting Private Sector Cybersecurity Information Sharing, 80 FR 9347 (Feb. 13, 2015) [hereinafter EO 13691].
[6] See Remarks of FCC Chairman Tom Wheeler, American Enterprise Institute, June 12, 2014, available at http://www.fcc.gov/document/chairman-wheeler-american-enterprise-institute-washington-dc [hereinafter Chairman Wheeler's Remarks] ("[T]he network ecosystem must step up to assume new responsibility and market accountability for managing cyber risks.").
[7] Id. (statement of Chairman Tom Wheeler) ("[W]e cannot hope to keep up if we adopt a prescriptive regulatory approach. We must harness the dynamism and innovation of competitive markets to fulfill our policy and develop solutions. We are therefore challenging private sector stakeholders to create a new regulatory paradigm of business-driven cybersecurity risk management.").
• Broadcast: There are more than 15,000 radio and 1,700 television broadcasting facilities in the United States, providing news, emergency information and other programming services over the air to consumers.[8]
• Cable: The cable industry is composed of approximately 7,791 cable systems[9] that offer analog and digital video programming services, digital telephone service, and high-speed Internet access service.
• Satellite: Satellite communications systems use a combination of space-based infrastructure and ground equipment capable of delivering data, voice, video, and broadcast communications to any person in the U.S., its territories, and anywhere on the globe.
• Wireless: The Wireless industry delivers advanced wireless broadband services that include data, voice and video to more than 335 million active wireless devices nationwide, including more than 175 million smartphones, 25 million tablets, and 51 million data-only devices.[10] There are approximately 160 facilities-based wireless carriers[11] in the United States that operate and maintain more than 304,360 cell sites[12] that collectively provide the most advanced 4G technology deployment in the world.
• Wireline: Over 1,000 companies offer wireline, facilities-based communications services in the United States.[13] Wireline companies serve as the backbone of the Internet.

WG4 also established five feeder subgroups to engage in a deeper, more focused analysis of subject matter areas that would help the communications sector segments evaluate their cybersecurity risk environment, posture, and tolerance. To ensure that the voluntary mechanisms and sector guidance were grounded in facts, thoughtful judgments, and practical in their design, the following feeder topics were examined:

• Cyber Ecosystem and Dependencies
• Top Threats and Vectors
• Framework Requirements and Barriers
• Small and Medium Businesses
• Measurements

[8] National Association of Broadcasters, Legislative Priorities 111th Congress, 4, available at http://nab.org/documents/advocacy/NAB_111th_Legislative_Priorities.pdf.
[9] See U.S. Communications Sector Coordinating Council, The Communications Sector, http://www.commscc.org/ (last visited March 13, 2015).
[10] Cellular Telephone Industries Association (CTIA), Wireless Industry Indices Report, Year-End 2013, 133 (June 2014).
[11] Federal Communications Commission, Local Telephone Competition: Status as of December 31, 2013, 29 (Oct. 2014), available at http://transition.fcc.gov/Daily_Releases/Daily_Business/2015/db0219/DOC-329975A1.pdf.
[12] Cellular Telephone Industries Association (CTIA), Wireless Annual Wireless Industry Survey, http://www.ctia.org/your-wireless-life/how-wireless-works/annual-wireless-industry-survey (last visited Mar. 13, 2015).
[13] See id.
Each of the segment subgroups, informed by the findings of the topical feeder subgroups, evaluated the applicability of the NIST Cybersecurity Framework's 98 subcategories to their segment, prioritized the applicable subcategories on an illustrative basis, and assessed the challenges of implementation and effectiveness for each applicable subcategory. The segment and feeder subgroup findings and resulting NIST Cybersecurity Framework implementation guidance are contained in the appendices to this report.

The key macro-level assurances developed by WG4 were designed to demonstrate how communications providers are appropriately managing cybersecurity risks through the application of the NIST Cybersecurity Framework, or an equivalent construct. The FCC described the desired characteristics of the assurances as:[14]

• Tailored by individual companies to suit their unique needs, characteristics, and risks;
• Based on meaningful indicators of successful cyber risk management; and
• Allowing for meaningful assessments both internally and externally.

A. Voluntary Mechanisms

As evidence of the Communications Sector's commitment to enhance cybersecurity risk management capabilities across the sector and the broader ecosystem, and to promote use of the NIST CSF, CSRIC recommends three new voluntary mechanisms to provide the appropriate macro-level assurances:

• FCC-initiated confidential company-specific meetings, or similar communication formats to convey their risk management practices. The meetings would be covered by protections afforded under the Protected Critical Infrastructure Information (PCII)[15] program administered by the Department of Homeland Security (DHS);
• A new component of the Communications Sector Annual Report that focuses on segment-specific cybersecurity risk management, highlighting efforts to manage cybersecurity risks to the core critical infrastructure; and
• Active and dedicated participation in the DHS Critical Infrastructure Cyber Community C3 Voluntary Program,[16] to help industry increase cybersecurity risk management awareness and use of the Framework.

[14] See supra note 1, at 4.
[15] See Department of Homeland Security, Protected Critical Information Program, http://www.dhs.gov/protected-critical-infrastructure-information-pcii-program (last visited Mar. 13, 2015) [hereinafter PCII Program].
[16] See Department of Homeland Security, About the Critical Infrastructure Cyber Community C³ Voluntary Program, http://www.dhs.gov/about-critical-infrastructure-cyber-community-c%C2%B3-voluntary-program (last visited Mar. 13, 2015) [hereinafter DHS C3 Voluntary Program].
1) Confidential Company-Specific Meetings: The sector supports the development of a voluntary program for periodic meetings, or an alternative means of communications, among the FCC, DHS, and individual companies that agree to participate. The purpose of these meetings would be to discuss efforts by the organizations to develop risk management practices consistent with the NIST Cybersecurity Framework or equivalent constructs. During the meetings, the participating companies would share information regarding cyber threats or attacks on their critical infrastructure, and the organization's efforts to respond to or recover from such threats or attacks. Companies that choose to participate in this program would be afforded the protections that are given by the federal government to critical infrastructure owners and operators under the PCII program or a legally sustainable equivalent. This voluntary mechanism represents a new level of industry commitment intended to promote additional transparency, visibility, and dialogue with appropriate government partners and our regulator in the area of cybersecurity risk management.

2) Sector Annual Report: The Sector recognizes that the increasing frequency, sophistication, and destructive nature of cyber attacks spur concerns about what companies are doing to manage their cybersecurity risks. WG4 initiated the Measurement subgroup to analyze how to best demonstrate the overall state of cybersecurity within the communications sector. The Measurement subgroup recommends that the Communications Sector Coordinating Council (CSCC), as the official interface for the sector, include information on the cybersecurity of critical communications network infrastructure in future drafts of the Sector Annual Report (SAR) starting in 2015. The SAR would then be provided to DHS, which is the communications sector's Sector-Specific Agency (SSA), and the Government Coordinating Council (GCC), which includes the FCC. This new voluntary mechanism reflects a material enhancement to the existing SAR because it would provide greater insight into the threats posed to the sector, and the actions taken to ensure continued availability of the core network infrastructure and the critical services that depend on its availability and integrity.

3) Active Participation in DHS C3 Outreach and Education: The Department of Homeland Security oversees a program that it created in response to a directive contained in Executive Order 13636. DHS created the Critical Infrastructure Cyber Community C³ Voluntary Program as part of what it describes as an innovative public-private partnership designed to help align critical infrastructure owners and operators with existing resources that will assist their efforts to adopt the Cybersecurity Framework and manage their cyber risks.[17] The Program emphasizes three Cs:

[17] See DHS C3 Voluntary Program.
• Converging critical infrastructure community resources to support cybersecurity risk management and resilience through use of the Framework;
• Connecting critical infrastructure stakeholders to the national resilience effort through cybersecurity resilience advocacy, engagement, and awareness; and
• Coordinating critical infrastructure cross-sector efforts to maximize national cybersecurity resilience.

The Communications Sector has already participated in development activities and was recently featured in the first of a series of C³ webinars where CSRIC Working Group 4 activities were described.[18] To advance the use of the Framework through the implementation guidance contained in this report and from other sources, the communications sector will develop a series of webinars and other reference materials. The goal is to increase awareness by sector enterprises, guide their use of the NIST CSF and explain the innovative processes, solutions, and lessons learned from the communication sector's leaders in using the Framework.

B. Guidance to Individual Companies on the Use of the NIST Framework

Charged with providing implementation guidance to facilitate the use and adaptation of the voluntary NIST Cybersecurity Framework by communications providers, the WG4 members developed and applied a variety of analytical tools and methods that could serve as a primer for companies when reviewing their own risk management processes. The NIST CSF Version 1.0 offers organizations direction when they are implementing or enhancing their cybersecurity risk management program. In addition, the report provides informative references that include leading cybersecurity protocols, resources, and tools. NIST emphasized the voluntary nature of the Framework, noting that it is designed to use business drivers to guide cybersecurity activities and to manage cybersecurity risk in a cost-effective way based on business needs without placing additional regulatory requirements on businesses.[19] While this report incorporates findings, conclusions, and recommendations related to guiding individual companies on the use of the Framework, many communications companies have long-standing and mature cybersecurity risk management capabilities, and others within the communications sector did not wait for this report to be finalized before beginning their evaluation of the applicability of the Framework components to their enterprise. Reducing cybersecurity risk by implementing widely recognized standards and guidelines[20] has been a hallmark of communications industry practice, and is supported by exceptionally high levels of service availability.[21] Notwithstanding this fact, the NIST Framework is a seminal document in organizing risk management activities across a broad global landscape. Over 100 professionals from across the communications sector and the broader stakeholder community have worked tirelessly over the past 12 months to produce a report with recommendations on Framework use which should have immediate and practical value for individual sector companies and other key stakeholders.

[18] See Department of Homeland Security, C-Cubed Voluntary Program, https://share.dhs.gov/p1qqp8dvu34/ (last visited Mar. 13, 2015).
[19] See NIST CSF.
[20] See Government Accountability Office, Critical Infrastructure Protection: Cybersecurity Guidance is Available, but More Can Be Done to Promote Its Use (Dec. 2011), available at http://www.gao.gov/assets/590/587529.pdf.
1) Governance: The NIST Framework emphasizes the importance of taking a holistic approach to cybersecurity, viewing it as an enterprise-wide, strategic risk management matter, rather than as a narrow information technology (IT) or network management domain.

When managing cybersecurity risks, it is essential to incorporate a risk governance process into the program. The key objective is to ensure that an inclusive, independent, and holistic assessment of the current and future enterprise risk posture is routinely undertaken, and to align the enterprise's business mission with sound and effective cybersecurity practices, protocols, and tools. For many companies, establishment of a dedicated cross-enterprise cybersecurity risk governance function can facilitate this key objective. Such a governance authority should be sufficiently representative of the organization to achieve the following:

• Identify potential risks and a variety of risk tolerance perspectives;
• Apply independence and authority to risk management activities;
• Ensure transparency through the risk decision-making and implementation process;
• Define and communicate the enterprise's risk tolerance; and
• Continually adapt and assess cybersecurity risk management goals and objectives.

While the specific structure and operational practices of these governing bodies can and will vary among individual companies, the foundational principle is that every company should treat cybersecurity as a key component of overall enterprise risk management.
2) NIST CSF Implementation Recommendations: The WG4 industry segment subgroup reports in the appendices to this report provide concrete guidance on how use of the Framework can bolster cyber readiness. Each WG4 segment subgroup report surveys infrastructure core assets and critical services, and also employs use cases, all with the aim of offering guidance on how to incorporate the risk management protocols and practices referenced in the Framework with the operating environment of the respective industry segment.

[21] See Federal Communications Commission, Network Outage Reporting System (NORS), http://transition.fcc.gov/pshs/services/cip/nors/nors.html (last visited Mar. 13, 2015) (a web-based filing system through which communications providers covered by C.F.R. Part 4 reporting rules submit outage reports to the FCC, and which allows the FCC to perform analyses and studies of the communications disruptions reported).
In addition to the segment-specific guidance provided to broadcast, cable, satellite, wireless and wireline companies through the industry segment subgroup reports, WG4 also developed cyber risk management recommendations that apply to the sector across the board. Companies are urged to:

• Review the WG4 report and use its analytical process to adapt the NIST Cybersecurity Framework approach to cybersecurity risk management to their own operations and networks;
• Distribute the NIST Cybersecurity Framework and appropriate components of the WG4 report to company officers and personnel whose duties encompass cybersecurity management and operations;
• Ensure that operators and vendors in every layer of the TCP/IP model conduct their operations with cybersecurity diligence, to prevent and respond to attacks on their networks and operational support systems; and
• Recognize that threat knowledge is power and consider adopting a threat intelligence handling model[22] to enhance protection of critical infrastructure. This includes sharing more detailed threat intelligence information with trusted stakeholders to improve information gathering for use in threat analyses and cyber risk management decision-making.

C. Communication Sector Commitment to Advancing Cybersecurity Risk Management

While this WG4 CSRIC report represents a major milestone, the WG4 members acknowledge that we are not at the finish line. Efforts to help enterprises manage cybersecurity risk must be continuous and ongoing to adapt to a continually changing ecosystem and threat landscape. While the sector will actively promote use of the Framework through ongoing and anticipated work in multiple venues, the Working Group members are also cognizant that each enterprise must decide how to utilize and implement the Framework or an equivalent risk management construct. The mechanisms and assurances highlighted below are intended to demonstrate the sector's commitment to industry-led solutions based on close collaboration with our government partners and regulators.

[22] See infra 9.10, Threat Intelligence Handling Model.
II. INTRODUCTION

Working Group 4 marked a fundamental CSRIC shift to a risk management construct that aligns with the five functions identified in the NIST Framework (i.e., Identify, Protect, Detect, Respond and Recover). Many in government and the private sector have come to understand that the traditional multi-year CSRIC review cycles can no longer keep pace with the accelerating deployment of new network and edge technologies across the ecosystem, along with the rapid advancements in increasingly inexpensive, perishable, and more sophisticated cyber threats. With the issuance of the 2013 Presidential Executive Order 13636, Improving Critical Infrastructure Cybersecurity, and the subsequent 2014 release of the NIST Cybersecurity Framework Version 1.0, there is renewed emphasis on cybersecurity risk management as the foundation for protecting our nation's critical infrastructure. The U.S. government has clearly endorsed development of a voluntary, risk-based model that enables organizations to prioritize and implement solutions based on informed, enterprise-tailored, business-driven considerations. The government acknowledged that cost-effectiveness is an important consideration when evaluating new security measures and recognizes that incentives may be required in certain circumstances. It is also generally acknowledged that meaningful methods to assess the costs and benefits of cybersecurity investment are often elusive.

In a June 2014 speech to the American Enterprise Institute, FCC Chairman Tom Wheeler endorsed the risk management approach, stating that "...companies must have the capacity to assure themselves, their shareholders and boards and their nation of the sufficiency of their own cyber risk management practices. These risk assessment approaches will undoubtedly differ company by company. But regardless of the specific approach a company might choose, it is crucial that companies develop methodologies that give them a meaningful understanding of their risk exposure and risk management posture that can be communicated internally and externally. That is what we are asking our stakeholders to do."[23]

To set a path for widespread use of risk management processes by sector enterprises, WG4 studied the Framework components and the factors that are most likely to impact enterprise-level risk management decisions. The project was structured around five independent industry segments based on their common operating environments and architectures. The segments included Broadcast, Cable, Satellite, Wireless, and Wireline. Each segment made its own determination as to what critical infrastructure should be categorized as in scope or out of scope and which of the NIST categories and subcategories were most critical to protecting that infrastructure. Each group chose criteria to prioritize the risk management processes. The analyses were intended to be illustrative examples of how individual companies in each segment could go about assessing and prioritizing the Framework components.

The industry-based segments were supported by the five subject-matter-oriented feeder groups. The Requirements and Barriers group evaluated the operations and technology requirements and the barriers associated with each of the 98 NIST subcategories. The Cyber Ecosystem group examined the ecosystem-dependent landscape for communications providers and the most prominent threats that are flowing across the Internet stack.[24] The Top Cyber Threats team evaluated the evolving threat environment and identified enterprise-level processes and a community threat model that could be used by the communications sector to share information and coordinate response and recovery activities. The Measurement group examined challenges associated with obtaining reliable indicators of causality (i.e., risk process/risk reduction) and effective mechanisms to address stakeholder interests in key indicators. And, since many providers classify as small and medium-sized enterprises, the Small and Medium Business group looked at their unique challenges and provided guidance on Framework-related approaches suitable for such organizations.

The Communications Sector continues to be a leader in cybersecurity because providers offer a broad array of communication services to some of the most demanding customers in the world. For all communication providers, ensuring the integrity and resilience of their networks and the availability of services is a mission-critical responsibility. Meaningful indicators of critical service availability, reliability, resiliency, and integrity show their success in this arena. However, across the broad spectrum of providers there is a range of risk management capabilities that may often be associated with providers' ability to recover the cost of cybersecurity investment in a highly competitive market. While enterprise size is often associated with risk management capabilities, it is not always the only factor. In fact, an organization's unique threat environment, its understanding of vulnerabilities, its business strategy, and its overall tolerance of risk can influence investment decisions.

This report provides a valuable roadmap for companies in our sector to validate their existing risk management processes and/or enhance their capabilities based on an ongoing evaluation of their threats, vulnerabilities, and risk tolerance. The feeder subgroups' contributions, including their analyses, findings, and implementation guidance, along with the segment subgroups' implementation guidance and assessment of the applicability of the NIST Cybersecurity Framework's 98 subcategories to each segment, are presented as appendices to this report and can be used by companies, large and small, to further guide their use of the NIST Cybersecurity Framework in managing their cybersecurity risks. Equally important, the WG4 members propose a set of voluntary mechanisms and FCC recommendations that leverage the communication sector's existing organizational structure, experience, and cybersecurity risk management sector leadership to provide the requested macro-level assurances. The report concludes by suggesting that the FCC coordinate with other departments and agencies to promote education and awareness of the cybersecurity risks inherent in critical communications infrastructures, and promote the voluntary steps the communication sector takes to manage its cybersecurity risks.

[23] See Chairman Wheeler's Remarks at 7.
[24] See Wikipedia, Structure of the Internet: TCP/IP protocol stack, http://en.wikibooks.org/wiki/A-level_Computing/AQA/Computer_Components,_The_Stored_Program_Concept_and_the_Internet/Structure_of_the_Internet/TCP_IP_protocol_stack (last visited Mar. 13, 2015).
III. BACKGROUND

On February 12, 2013, President Obama issued Executive Order 13636, Improving Critical Infrastructure Cybersecurity,[25] which set in motion a wide range of government initiatives designed to advance the nation's cybersecurity resiliency. In its policy introduction, the Order articulated societal values to be promoted and reinforced the public-private partnership construct as the mechanism for making progress:

"It is the policy of the United States to enhance the security and resilience of the Nation's critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties. We can achieve these goals through a partnership with the owners and operators of critical infrastructure to improve cybersecurity information sharing and collaboratively develop and implement risk-based standards."[26]

A key component of the President's Executive Order was the assignment given to the National Institute of Standards and Technology (NIST), an agency of the U.S. Department of Commerce, to lead the development of a Cybersecurity Framework to reduce cyber risks to critical infrastructure. Critical infrastructure is defined as "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters."[27] NIST was given a list of what should be included in the final Framework and had one year to complete its work. The Order gave explicit instructions regarding the characteristics of the Framework and how it was to be used:

"The Cybersecurity Framework shall provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk. The Cybersecurity Framework shall focus on identifying cross-sector security standards and guidelines applicable to critical infrastructure. The Cybersecurity Framework will also identify areas for improvement that should be addressed through future collaboration with particular sectors and standards-developing organizations. To enable technical innovation and account for organizational differences, the Cybersecurity Framework will provide guidance that is technology neutral and that enables critical infrastructure sectors to benefit from a competitive market for products and services that meet the standards, methodologies, procedures, and processes developed to address cyber risks. The Cybersecurity Framework shall include guidance for measuring the performance of an entity in implementing the Cybersecurity Framework."[28]

[25] See Exec. Order No. 13,636, Improving Critical Infrastructure Cybersecurity, 78 FR 11737 (Feb. 19, 2013) [hereinafter EO 13636].
[26] Id. at § 1: Policy.
[27] Id. at § 2: Critical Infrastructure.
[28] Id. at § 7: Baseline Framework to Reduce Cyber Risk to Critical Infrastructure.
To encourage use of the Cybersecurity Framework, the Department of Homeland Security (DHS) was ordered to establish a voluntary program to support owners and operators of critical infrastructure (and any other interested entities) that wanted to use the Framework as part of an existing or new risk management program. Sector-Specific Agencies were instructed to coordinate with the Sector Coordinating Councils to review the Cybersecurity Framework and, if necessary, develop implementation guidance or supplemental materials to address sector-specific risks and operating environments.[29]

The Communications Sector organized its participation in the Framework development effort through the CSCC, and Council representatives participated in all six NIST workshops held at major research universities throughout the country.[30] Industry representatives participated on panels, submitted comments, and had extensive dialogue with the Framework development team. On February 12, 2014, NIST released the Framework for Improving Critical Infrastructure Version 1.0,[31] stating that it "enables organizations regardless of size, degree of cybersecurity risk, or cybersecurity sophistication to apply the principles and best practices of risk management to improving the security and resilience of critical infrastructure."[32] The authors noted that the Framework "is not a one-size-fits-all approach to managing cybersecurity risk for critical infrastructure. Organizations will continue to have unique risks (different threats, different vulnerabilities, and different risk tolerances) and how they implement the practices in the Framework will vary."[33] The Cybersecurity Framework provides guidance on how it can be used by an organization to enhance an existing program or to create a new risk management program.

The Framework initiative was aligned with the efforts of the FCC's Communications Security, Reliability and Interoperability Council (CSRIC) IV. The CSRIC IV charter called for an update of the cybersecurity best practices that had been developed as part of CSRIC II Working Group 2A: Cyber Security Best Practices. That effort ended in March 2011 and produced 397 best practices covering a wide range of technology platforms and services.[34] At the urging of industry representatives, the FCC agreed that CSRIC IV Working Group 4 should begin work immediately following the February 2014 release of the Framework because industry was a significant contributor of resources to the multi-stakeholder collaborative process that was being coordinated by NIST. It was also understood that the subsequent CSRIC IV Working Group 4 effort would benefit from being informed by the NIST process and final product.

To effectively execute a project of this scope, the Working Group Co-Chairs established a Leadership Team to ensure that qualified resources were appropriately applied to work efforts and that the work products aligned with the overall objectives of the effort. This Leadership Team evolved to include 20 individuals that served as segment and feeder group leaders and a Technical and Policy Advisory Board that included senior representatives from NIST, the White House National Security Office, and the FCC. With over 100 volunteers representing the five major industry segments as well as stakeholders from other sectors, academia, and state and federal government, this was the largest Working Group effort undertaken in the history of the CSRIC and the Network Reliability and Interoperability Council (NRIC) (i.e., CSRIC's predecessor).

[29] Id. at § 8: Voluntary Critical Infrastructure Cybersecurity Program.
[30] See National Institute of Standards and Technology, Cybersecurity Framework Workshops and Events, http://www.nist.gov/cyberframework/cybersecurity-framework-events.cfm (last visited Mar. 13, 2015).
[31] See NIST CSF.
[32] Id. at 1.
[33] Id. at 2.
[34] See Federal Communications Commission, The Communications Security, Reliability and Interoperability Council II, Working Group 2A Cybersecurity Best Practices Final Report (2011), available at http://transition.fcc.gov/pshs/docs/csric/WG2A-Cyber-Security-Best-Practices-Final-Report.pdf.
A. CSRIC Structure

[Organization chart: Communications Security, Reliability, and Interoperability Council (CSRIC) IV; CSRIC Steering Committee; Chair or Co-Chairs of each of the ten Working Groups listed below.]

Working Group 1: Next Generation 911
Working Group 2: Wireless Emergency Alerts
Working Group 3: EAS
Working Group 4: Cybersecurity Risk Management and Best Practices
Working Group 5: Server-Based DDoS Attacks
Working Group 6: Long-Term Core Internet Protocol Improvements
Working Group 7: Legacy Best Practice Updates
Working Group 8: Submarine Cable Landing Sites
Working Group 9: Infrastructure Sharing During Emergencies
Working Group 10: CPE Powering
B. Leadership Team
C. Working Group 4 Team Members
Working Group 4 consists of the members listed below.
Name | Company
Robert Mayer (Co-Chair) | USTelecom Association
Brian Allen (Co-Chair) | TW Cable
Donna Dodson (Senior Tech Advisor) | National Institute of Standards and Technology
Emily Talaga (Senior Economic Advisor) | Federal Communication Commission
Vern Mosley (FCC Liaison) | Federal Communication Commission
Adrienne Abbott | Nevada EAS Chair
Anthony Acosta | Northrop Grumman
Michael Alagna | Motorola Solutions
Carl Anderson | Van Scoyoc Associates
Nadya Bartol | Utilities Telecom Council
James Bean | Juniper Networks
Chris Boyer | AT&T
Chuck Brownawell | Sprint Corporation
Lois Burns | PA Public Utility Commission
Ingrid Caples | Department of Health and Human Services
Joel Capps | Ericsson
Lisa Carnahan | NIST
Dan Cashman | FairPoint
Nneka Chiazor | Verizon
Larry Clinton | Internet Security Alliance
Edward Czarnecki | Monroe Electronics
Kate Dean | USISPA
Paul Diamond | CenturyLink
Martin Dolly | AT&T (representing ATIS)
Tanner Doucet | Internet Security Alliance
Seton Droppers | PBS Technology & Operations
Victor Einfeldt | Iridium
Russell Eubanks | Cox Communications, Inc
Paul Ferguson | Internet Identity
Inette Furey | Department of Homeland Security
Andrew Gallo | George Washington University
Chris Garner | CenturyLink
Michael Geller | Cisco (representing ATIS)
My K. Gomi | NTT America
Jessica Gulick | CSG International
Stacy Hartman | CenturyLink
Mary Haynes | Charter
Chris Homer | PBS
Charles Hudson, Jr | Comcast
Wink Infinger | Florida Department of Management Services
Chris Jeppson | Consolidated
Susan Joseph | CableLabs
Franck Journoud | Oracle
Merike Kaeo | Internet Identity
Kevin Kastor | Consolidated
John Kelly | Comcast
Danielle Kriz | Information Technology Industry Council
Rick Krock | Alcatel-Lucent
Jeremy Larson | Silver Star
Greg Lucak | Windstream
Ethan Lucarelli | Wiley Rein LLP
Daniel Madsen | US Bank
John Marinho | CTIA
Heath E. McGinnis | Verizon
Donna Bethea Murphy | Iridium
Paul Nguyen | CSG International
Jorge Nieves | Comcast
Michael O'Reirdan | Comcast (representing MAAWG)
Martin Pitson | Telesat
Joel Rademacher | Iridium
J. Bradford Ramsay | NARUC
Alan Rinker | Boeing
Chris Roosenraad | TW Cable
Tony Sager | Council on Cybersecurity
Harold Salters | T-Mobile
Brian Scarpelli | TIA Online
Karl Schimmeck | SIFMA
J.J. Shaw | O3b Government
Ray Singh | ACS
Tom Soroka | USTelecom Association
Craig Spiezle | Online Trust Alliance (OTA)
Matt Starr | CompTIA
Bill Taub | Cablevision Systems Corporation
Robert Thornberry | Bell Labs/Alcatel-Lucent
Sheila Tipton | Iowa Utilities Board
Matt Tooley | NCTA
Bill Trelease | CTO Delhi Telephone Company
Colin Troha | CSG Invotas
S. Rao Vasireddy | Alcatel-Lucent (TIA representative)
Joe Viens | TW Cable
Christian Vogler | Gallaudet University
Jesse Ward | NTCA
Errol Weiss | Citi
Kathy Whitbeck | Nsight/Cellcom
Jack Whitsitt | National Electric Sector Cybersecurity Organization
Kelly Williams | National Association of Broadcasters (NAB)
Shawn Wilson | VeriSign
Pamela A. Witmer | PA Public Utility Commission
Shinichi Yokohama | NTT
Table 1: List of Working Group Members

IV. OBJECTIVE, SCOPE, AND METHODOLOGY

A. Objective

The NIST Framework was designed as a multi-sector baseline document that individual sectors could tailor in ways that might make it more relevant and useful to organizations operating within their sector. In the case of the expansive communications sector, a segment-specific analysis was deemed to be more productive (i.e., broadcast, cable, satellite, wireless, and wireline segments). Consequently, WG4 participants focused on developing segment-specific cyber risk management approaches and guidance that would serve as a foundation for producing the assurances called for in the CSRIC IV Working Group 4 description. As outlined below, the Working Group's assurances and recommendations build upon the foundational work in the Framework Version 1.0 and are supported by fact-based analyses and informed judgments in areas that are critical to the ability of the communications sector and enterprises to evolve their cybersecurity risk management profiles. Working Group 4's efforts were designed to provide individual service providers an ability to assure themselves, their shareholders or owners, their boards, and external stakeholders that they are taking appropriate steps to manage cybersecurity risk. While individual enterprises are given flexibility on how they use the Framework, Working Group 4 focused on tailoring the Framework to the unique considerations of the segments and providing macro-level analyses and mechanisms to sustain risk management capabilities.

B. Scope

Working Group 4 was tasked with producing a practical, cost-effective, and segment-tailored model of risk management with meaningful indicators to communicate assurances to internal and external stakeholders. To facilitate sector-wide use of the Framework or an alternative risk management construct, it was necessary to evaluate the five Framework Functions, 22 Categories, 98 Subcategories, and the factors that would impact an enterprise's decision to adopt or enhance a particular risk management process. Additionally, the Working Group developed, tested, and utilized an analytical template that an enterprise could adopt to prioritize its risk management activities based on a critical examination of considerations that would be relevant to its unique circumstances.
C. Methodology

The project methodology was designed to provide strong factual and analytical underpinnings to support service providers' cybersecurity risk management activities. The project was structured as an iterative process to ensure that segment analyses were constantly evaluated as new feeder group input was received. That process is illustrated below.

Figure 1: Segment Analysis Process

The effort began with the development of an analytical template that each of the segments used to evaluate how the Framework's structure might be applied to an enterprise operating in its segment.

The segment teams were first asked to determine whether a particular Framework Function, Category or Subcategory was deemed to be in scope or out of scope for purposes of prioritizing risk management processes. The five segments relied on work completed as part of the 2012 National Sector Risk Assessment for Communications, which examined the common operating environments of the five segments and identified core infrastructure and associated critical services. Each segment made an independent determination as to which Framework Categories and Subcategories met the criteria for being identified as in or out of scope. The flexibility afforded to the segment teams was consistent with the Framework's emphasis on flexibility and was designed to be illustrative for individual companies that might make similar scoping determinations.
Figure 2: Segment Scoping Analysis
Once a process was determined to be in scope, the next analytical component was identification and ranking of criteria. Segments were free to select relevant criteria among a set that included the criticality of a particular process, the difficulty associated with implementing a particular process, and how effective it could be in mitigating cybersecurity risk.
Figure 3: Segment Identification and Ranking of Criteria
How to prioritize Framework processes rested on work that was developed by the feeder groups. Once a determination was made regarding the criticality of a particular process, a structured basis for determining difficulty was developed by the Requirements and Barriers Feeder Group. For each of the 98 Subcategories included in the Framework, a team reviewed the operational and technological requirements associated with implementing that specific risk management process. Understanding these requirements and the potential barriers or challenges for organizations of varying size and scope was critical to making supportable arguments around difficulty.
Figure 4: Requirements and Barriers
V. FINDINGS
Working Group 4 strived to do more than just develop a tool that communication providers can use to adapt the Framework in a voluntary, prioritized, and cost-effective fashion. The Working Group endeavored to break new ground in understanding cybersecurity risk management. As such, teams were established to address the unique considerations of small and medium enterprises in the sector, the ecosystem and dependencies that impacted risk, the threats and ways in which organizations can evolve capabilities as new threats arise, the barriers to implementing successful risk management regimes, and the appropriate mechanisms and measures to address a dynamic set of cyber conditions. This report demonstrates the communication sector's capability to address the evolving cyber threat through voluntary collaboration. This position is supported by the ongoing level of critical service availability, reliability, and resiliency across the communications industry. The findings, as are the conclusions and recommendations, are organized around the five key areas of the Working Group 4 charge:[35] (1) macro-level assurances, (2) voluntary mechanisms, (3) use of the NIST Cybersecurity Framework or an equivalent construct, (4) meaningful indicators of successful cyber risk management, and (5) communications sector implementation guidance for using the NIST Cybersecurity Framework.
A. Macro-Level Assurance Findings

The following summary findings address the Working Group 4 charge to provide macro-level assurance that communications providers are taking the necessary corporate and operational measures to manage cybersecurity risks.

• CSRIC found that adapting the voluntary Framework is an effective way to manage cybersecurity risk.
• Communications sector members share detailed threat intelligence information with appropriate stakeholders, within the confines of existing law.
• Work is underway on the incentives category that is recognized in EO 13636 as an essential factor in improving critical infrastructure cybersecurity.
• Communications sector members are taking steps to advance their cybersecurity risk management practices, although variations exist with respect to levels of program development and implementation.
• The communications sector organizes its strategic, planning and operational cybersecurity activities through three respective entities: the National Security Telecommunications Advisory Council (NSTAC), the Communications Sector Coordinating Council (CSCC)/Government Coordinating Council (GCC), and the Communications Information Sharing and Analysis Center (Comm-ISAC).

[35] See supra note 1, at 4.
• Small and Medium Businesses (SMBs) have unique circumstances and challenges that may influence their approach to implementing the Framework and providing macro-level assurances.
B. Voluntary Mechanisms Findings

The following summary findings address the Working Group 4 charge to identify voluntary mechanisms to provide macro-level assurances.

• A static checklist methodology is not an effective defense, as it limits the methods and tactics by which an organization can prepare for or respond to imminent and evolving threats.
• CSCC/GCC is an effective organizational structure for integrating a new initiative to evaluate how cybersecurity threats are measured at the sector level.
• Key government stakeholders have a legitimate interest in gaining information about cybersecurity threats to critical infrastructure and the effectiveness of cybersecurity risk management practices.
C. Use of the NIST Cybersecurity Framework or an Equivalent Construct Findings

The following summary findings address the Working Group 4 charge to provide macro-level assurances that demonstrate how communications providers are reducing cybersecurity risks through the use of the NIST Cybersecurity Framework or an equivalent construct.

• Use of a community model for threat intelligence or information sharing and analysis can help organizations in their quest to protect their critical infrastructure and critical data from future cyber threats.
• Use of the voluntary NIST CSF provides a consistent cybersecurity risk management approach and a common taxonomy to improve internal and external communications regarding cybersecurity risk management.
• Prior to the NIST CSF, many communications sector members already were actively engaged in equivalent processes to successfully manage cybersecurity risks.
D. Meaningful Indicators Findings

The following summary findings address the Working Group 4 charge to provide macro-level assurances that are based on meaningful indicators of successful cyber risk management.

• Meaningful indicators of successful (or unsuccessful) cyber risk management focus on measurable outcomes.
• It is difficult to measure the effectiveness of the communications sector's cybersecurity risk management processes in isolation, given its interdependencies on other critical infrastructure sectors.
E. Communications Sector Implementation Guidance Findings

The following summary findings address the Working Group 4 charge to give the communications sector guidance on how to implement the NIST Cybersecurity Framework.

• The NIST Cybersecurity Framework is an effective mechanism to create a new risk management process or to enhance existing cybersecurity risk management processes.
• Cyber attacks have been observed and mapped to every layer of the TCP/IP communication model, and subsequently against every identified category of the ecosystem. Cyber attacks will continue to occur at every level of the TCP/IP communications model. It is important that all operators and vendors in every layer of the TCP/IP model conduct their operations with the appropriate level of cybersecurity diligence.
• The communications sector is part of a vast interdependent ecosystem that requires sharing cybersecurity responsibilities among a variety of stakeholders and depends on multiple non-communications sector ecosystem entities to make the communications infrastructure more secure.
• Further outreach is needed to ensure that the SMB community is engaged in the network risk management discussion generally, and aware of the benefits of the NIST Framework specifically.
• It is not a matter of IF a communications sector member will be attacked, but a matter of WHEN they will be attacked, and that threat knowledge is essential to protect against attacks.
VI. CONCLUSIONS

The conclusions drawn below align with the key task areas assigned to Working Group 4 and are supported by a year-long effort involving substantial inquiries into cybersecurity activities at the enterprise, segment, and sector levels.

A. Macro-Level Assurance Conclusions

The following conclusions address the Working Group 4 charge to provide macro-level assurance that communications providers are taking the necessary corporate and operational measures to manage cybersecurity risks.

• No new regulations are needed or warranted to address conformity to the NIST Framework. Such a regulatory regime would spur a minimum standard, not maximum effort, and would undermine adaptability and innovation.
• Cyber threat information sharing results in efficient and scalable information that all parties can use to develop threat analyses and to make cyber risk management decisions.
• Progress on incentives is necessary to overcome many of the barriers identified in this report.
• The steps the communications sector members are taking to advance their cybersecurity risk management practices can be conveyed to relevant stakeholders with appropriate protections for security and market purposes. The NSTAC, CSCC/GCC, and Comm-ISAC are effective venues for information sharing and collaboration regarding reduction of cybersecurity risks, not only among its members but with other critical infrastructure sectors and government departments and agencies that are dependent upon the communications sector's critical infrastructure and services.
• Special considerations and accommodations may be necessary for SMBs to implement the Framework and provide macro-level assurances to the FCC and the public.

B. Voluntary Mechanisms Conclusions

The following conclusions address the Working Group 4 charge to identify voluntary mechanisms that can be used to provide macro-level assurances.

• A checklist approach would prioritize compliance over an adaptable security risk-based management model that is required to address the evolving cyber threat landscape.
• Future requests for measurements by government agencies into the impact of cybersecurity threats to communications infrastructure would be most effectively managed by the CSCC/GCC.
• The communications sector can make external stakeholders more aware of its corporate and operational cybersecurity risk management measures through current communications sector venues that have the requisite protections.
• Voluntary mechanisms, including an industry SAR and periodic meetings with communications sector members, can provide macro-level assurance that communications providers are taking the appropriate measures to manage cybersecurity risks.

C. Use of NIST Cybersecurity Framework or Equivalent Construct Conclusions

The following conclusions address the Working Group 4 charge to provide macro-level assurances that demonstrate how communications providers are managing cybersecurity risks through the use of the NIST CSF or an equivalent construct.

• The introduction of the NIST CSF represents a major breakthrough in the ability to communicate cybersecurity risk management principles and processes and can be effectively employed by the communications sector and applied to other critical infrastructure sectors.
• The use of the NIST CSF will continue to evolve within the communications sector as more experience is gained and shared.
• Continued interagency and federal/state coordination and collaboration with industry in advancing the Framework is needed to avoid fragmentation of industry and government resources.

D. Meaningful Indicators Conclusions

The following conclusions address the Working Group 4 charge to provide macro-level assurances that are based on meaningful indicators of successful cyber risk management.

• Individual company malware infection rates, the number of hosted bots, and customer service complaints are not meaningful indicators of successful cyber risk management, as they are not outcome-based measures.
• The availability of the critical infrastructure to deliver critical services is an outcome-based measure and therefore a meaningful indicator of successful cyber risk management. If issues related to availability arise as a consequence of a cyber incident, additional examination into reliability, resiliency, and integrity of core network critical infrastructure may need to be evaluated.
• Further analysis is required to determine whether a comprehensive and valid set of cybersecurity effectiveness metrics can be applied on a cross-sectorial basis.

E. Communications Sector Implementation Guidance Conclusions

The following conclusions address the Working Group 4 charge to give the communications sector guidance on implementing the NIST Cybersecurity Framework.
• Communications segment members will benefit from their review of this report and the analytical processes in the report that they can use to implement the NIST Framework or an equivalent construct.
• Use of the NIST CSF must remain flexible as one size does not fit all, and companies should use the Framework in a way that is appropriate to their risk environment, posture, and tolerance.
• The communications sector is effectively advancing the use of the NIST CSF as evidenced by the industry's participation in development of this report.
• As evident in this report, small and medium communications sector members have unique challenges to overcome in the use of the NIST CSF.
• Communications sector members are one component of a vast landscape of interdependent critical infrastructure ecosystem stakeholders that requires a high degree of information sharing (consistent with applicable law) and collaboration to effectively manage cyber risk.
• Use of the voluntary NIST CSF or equivalent risk management construct across all ecosystem stakeholders will improve cybersecurity risk management.
• As it relates to the use of the NIST CSF, sharing information about experiences and lessons learned across the ecosystem will facilitate improvements in the further development of the Framework and cybersecurity risk management generally.
• Communications sector members, as well as other critical infrastructure sectors, can share detailed threat intelligence information with appropriate stakeholders, consistent with current law, and thus enable more efficient and scalable threat information gathering for cyber risk management decision making.
• As NIST, DHS, the FCC, and industry continue their outreach, they should understand that a single method of outreach might not be sufficient for an SMB. A multi-faceted approach is necessary.
VII. RECOMMENDATIONS
The following recommendations are consistent with the Federal Advisory Committee Act (FACA)[36] rules under which CSRIC operates. These recommendations were developed with the intention of working with the FCC and other U.S. government agencies to enhance cybersecurity risk management competencies and to make useful resources available to enterprises across the broad communications sector.

A. Macro-Level Assurance Recommendations

The following recommendations address the Working Group 4 charge to provide macro-level assurance that communications providers are taking the necessary corporate and operational measures to manage cybersecurity risks.

• CSRIC recommends that the FCC leverage the resources and capabilities of the three primary communications sector organizations (i.e., NSTAC, CSCC/GCC, Comm-ISAC) to promote voluntary participation in risk management initiatives across all communications segments and providers.
• CSRIC recommends that the FCC promote the sustained voluntary collaboration and facilitate the sharing of cybersecurity threat information. This can be accomplished by working with the communications sector members and other relevant agents of the U.S. government to identify and mitigate technical, operational, financial, and legal barriers to cyber information sharing.
• CSRIC recommends that the FCC further explore the considerations and accommodations that are required for SMBs to implement the NIST Cybersecurity Framework and provide macro-level assurances to the FCC and the public.

B. Voluntary Mechanisms Recommendations

The following recommendations address the Working Group 4 charge to identify voluntary mechanisms to provide macro-level assurances.

• CSRIC recommends that the FCC, in partnership with DHS, participate in periodic meetings with communications sector members, in accordance with PCII protections,[37] to discuss their cybersecurity risk management processes and their use of the NIST CSF or equivalent construct.
• CSRIC recommends that the FCC use the current communications sector organizational structure within the CSCC/GCC to deliver an industry Sector Annual Report (SAR) that addresses the effectiveness of communications sector cybersecurity risk management processes.

[36] See General Services Administration, Federal Advisory Committee Act (FACA) Management Overview, http://www.gsa.gov/portal/content/104514 (last visited Mar. 13, 2015).
[37] See PCII Program or another legally sustainable construct.
C. Use of NIST Cybersecurity Framework or Equivalent Construct Recommendation

This recommendation addresses the Working Group 4 charge to provide macro-level assurances that demonstrate how communications providers are managing cybersecurity risks through the NIST Cybersecurity Framework or an equivalent construct.

• CSRIC recommends that the FCC promote the voluntary use of the NIST CSF among all communications sector members, large and small, as well as across other critical infrastructure sectors that are interdependent with the communications sector.
• CSRIC recommends that the FCC work to coordinate and rationalize Framework-related federal/state government initiatives to ensure efficient use of critical and scarce cybersecurity resources.
• CSRIC recommends that the FCC further incorporate an understanding of the changing threat landscape, sector ecosystem dependencies, and harmonization into previous CSRIC best practices and the NIST CSF.

D. Meaningful Indicators Recommendations

The following recommendations address the Working Group 4 charge to provide macro-level assurances that are based on meaningful indicators of successful cyber risk management.

• CSRIC recommends that the FCC adopt availability of the critical communications infrastructure as the meaningful indicator of cybersecurity risk management.
• CSRIC recommends that the FCC leverage the communications sector's current organizational structure (i.e., CIPAC) to deliver an industry Sector Annual Report to address the proposed meaningful indicator and corporate and operational initiatives the communications sector is taking to manage cybersecurity risk.
• CSRIC recommends that the FCC, in partnership with DHS and NIST, promote continued industry participation in efforts to evaluate the effectiveness of cybersecurity risk management processes in all sectors and their impact on the communications sector.

E. Communications Sector Implementation Guidance Recommendations

The following recommendations address the Working Group 4 charge to provide the communications sector with guidance for implementing the NIST Cybersecurity Framework.

• CSRIC recommends that the FCC encourage the dissemination of the NIST Framework and the WG4 report to appropriate communication sector member organizations, and in particular, to management and staff with cybersecurity management and operational responsibilities.
• CSRIC recommends that the FCC continue to collaborate with NIST and DHS in the further development of the NIST CSF and the promotion of programs to increase the voluntary use of the CSF.
• CSRIC recommends that the FCC partner with other departments and agencies to promote education and awareness of the cybersecurity risks inherent in critical communications infrastructures, and to promote steps that the communications sector can take to provide external stakeholders with macro-level assurance that these collective actions are successfully managing cybersecurity risks.
• CSRIC recommends the FCC promote an industry threat intelligence handling model (referenced in this report), or an equivalent construct, by organizations intending to use threat intelligence to maintain cybersecurity, protect critical infrastructure, and protect critical data from rapidly evolving cyber threats.
• CSRIC recommends the FCC encourage communications sector members to share relevant threat intelligence information (consistent with applicable law) with appropriate stakeholders, thus enabling more efficient and scalable threat information gathering for use in threat analyses and cyber risk management decision making.
VIII. ACKNOWLEDGEMENTS
Working Group 4 would like to acknowledge the significant contributions of each of its members, for without their expertise, participation, analysis, and contributions throughout the process, the report findings, conclusions, and recommendations contained herein would not have been possible. Working Group 4 would also like to acknowledge the segment and feeder subgroup leadership team, comprised of Kelly Williams, Matt Tooley, John Marinho, Chris Boyer, Donna Bethea Murphy, Harold Salters, Larry Clinton, Susan Joseph, Jesse Ward, Russell Eubanks, Joe Viens, Tom Soroka, Brian Scarpelli, and Chris Roosenraad, who led their teams in conducting the segment and feeder analyses upon which the report's findings, conclusions, and recommendations are based. Working Group 4 would also like to acknowledge the Working Group's advisors, Donna Dodson, Lisa Carnahan, Tony Sager, and Emily Talaga, for their expertise, thoughtful advice, and encouragement throughout the process. Working Group 4 would also like to acknowledge the FCC liaison to the Working Group, Vern Mosley, for his substantial support and contributions throughout the process. Working Group 4 would also like to acknowledge Matt Tooley for his administration of the Working Group's box.com account that the Working Group used to collaborate in sharing information among the Working Group members and in producing the report. Working Group 4 would also like to thank Robert Mayer, Pat Murray, Deontrea Campbell, and the many other USTelecom support staff members for hosting the Working Group 4 face-to-face meetings. The Working Group greatly appreciates the significant planning and logistics that went into hosting the many successful face-to-face meetings. Working Group 4 would also like to acknowledge the skilled expertise and dedication of the Final Report drafting team, comprised of Paul Diamond, Stacy Hartman, Robert Thornberry, Brian Allen, Robert Mayer, and the segment and feeder subgroup leadership team. Without their perseverance and attention to detail, the Final Report would not have been possible. And last but certainly not least, the Working Group 4 members would like to acknowledge and thank our esteemed Working Group 4 co-chairs, Robert Mayer and Brian Allen. Their insight, focus, expertise, outreach across the communications sector, and leadership throughout the process is evidenced by the quality of the Final Report's findings, conclusions, and recommendations.
IX. REPORTS & SEGMENTS

9.1 BROADCAST SEGMENT ........................................ 35
9.2 CABLE SEGMENT ............................................ 62
9.3 SATELLITE SEGMENT ........................................ 91
9.4 WIRELESS SEGMENT ........................................ 118
9.5 WIRELINE SEGMENT ........................................ 167
9.6 REQUIREMENTS AND BARRIERS TO IMPLEMENTATION ............ 202
9.7 CYBER ECOSYSTEM AND DEPENDENCIES ....................... 321
9.8 MEASUREMENT ............................................. 355
9.9 SMALL AND MEDIUM BUSINESS ............................... 370
9.10 TOP CYBER THREATS AND VECTORS .......................... 398
9.1 BROADCAST SEGMENT

CYBERSECURITY RISK MANAGEMENT AND BEST PRACTICES
WORKING GROUP 4
March 2015
TABLE of CONTENTS

I. Executive Summary ........................................ 37
II. Introduction ............................................ 37
III. Broadcast Segment Group Members ........................ 38
IV. Objective, Scope and Methodology ........................ 38
  A. Objective .............................................. 38
  B. Scope .................................................. 39
  C. Methodology ............................................ 40
V. Results and Findings ..................................... 41
  A. Critical Services ...................................... 41
  B. Broadcast Ecosystem Architectures ...................... 41
VI. Applying the NIST Cybersecurity Framework ............... 45
VII. Application Methodology ................................ 46
VIII. Illustrative Use Cases ................................ 56
  A. Broadcast Radio/TV Station/Hub Assessment .............. 58
  B. Broadcast Networks Broadcast Firewall .................. 60
IX. Conclusions and Recommendations ......................... 61
X. Acknowledgements ......................................... 61
I. EXECUTIVE SUMMARY

The Broadcast Industry Segment subgroup of Working Group 4 (WG4) focused on developing recommendations that will assist in reducing cybersecurity risk to broadcast critical on-air operations through the application of the NIST Cybersecurity Framework (NIST CSF). To accomplish this objective, the Broadcast Segment Group's mission was to provide a roadmap for broadcasters to align their specific operations to the NIST Cybersecurity Framework. While the NIST Framework may be used beyond critical infrastructure, the analysis was primarily focused on critical infrastructure as defined in the Cybersecurity Executive Order. For broadcasters, this means maintaining on-air operations in order to deliver news, weather, critical public warning, and emergency information to the communities that they serve. Broadcasters do not provide Internet Protocol (IP) network services to others but acquire them from IP service providers. However, broadcasters' critical on-air operations are enabled by IP networks and have in recent years become more and more dependent upon them. Individual broadcast companies should consider utilizing the steps outlined in this report to update or develop their own cyber risk management programs, applying the Framework to their own unique circumstances.

II. INTRODUCTION

The Broadcast Segment is a subgroup within CSRIC IV Working Group 4 focused on developing recommendations that will assist in reducing cybersecurity risk to broadcast on-air operations through the application of the NIST Cybersecurity Framework (CSF). The scale of the broadcast industry is fairly unique among the communications industry segments. The broadcast industry is diverse, with more than 15,000 radio and 1,700 television broadcasting facilities in the United States providing news, emergency information and other programming services free, over the air, to consumers. While many of these operations are broadcast network and group owned, individual licensees tend to be small to medium sized operations with relatively limited Information Technology (IT) support. The broadcast industry is increasingly characterized by a reliance on the Internet and other IP-based infrastructure for its core on-air operations. For the past several years, the broadcast industry has been transformed by a transition to file-based workflows and an increased focus on IP networking and content delivery. A number of broadcasters continue to expand their reliance on central casting, concentrating on-air operations in regional hubs. Also growing rapidly is the use of cloud-based services by broadcasters, particularly in the areas of streaming, archiving, editing, transcoding, and content distribution.

In 2012 the Communications Sector, in partnership with the Department of Homeland Security (DHS), completed the 2012 Risk Assessment for Communications (referred to going forward as the National Sector Risk Assessment or NSRA), updating its 2008 report, which assessed physical and cyber threats to the communications infrastructure. The risk assessment was intended to further the goals of the Communications Sector Specific Plan, also developed jointly with DHS in 2010, to identify and protect national critical infrastructure, ensure overall network reliability, maintain always-on service for critical customers and quickly restore critical communications functions and services following a disruption.

In order to accomplish the foundational objectives established by the FCC for CSRIC IV WG4, the Broadcast Segment group sought to develop recommendations which will enable the NIST Cybersecurity Framework to be conformed in such a way that it may be used by the broadcast industry to assess the vulnerability of critical on-air operations in the context of critical infrastructure as defined in the Cybersecurity Executive Order[38] and the NSRA. Please note this report does not address security of the Emergency Alert System (EAS) and its associated ecosystem. EAS security is considered in CSRIC IV Working Group III.[39]

III. BROADCAST SEGMENT GROUP MEMBERS
Member               Company
Adrienne Abbott      Nevada Association of Broadcasters
Sohail Anwar         National Public Radio
Edward Czarnecki     Monroe Electronics, Inc. / Digital Alert Systems
Seton Droppers       Public Broadcasting System
Christopher Homer    Public Broadcasting Service
Robert Ross          CBS Television Network
David Williams       National Public Radio
Kelly Williams       National Association of Broadcasters
IV. OBJECTIVE, SCOPE AND METHODOLOGY

A. Objective

CSRIC IV WG4 was tasked with developing voluntary mechanisms that provide macro-level assurance to the Federal Communications Commission (FCC) and the public that communication providers are taking the necessary corporate and operational measures to manage cybersecurity risks across the enterprise. WG4 also was charged with providing implementation guidance to facilitate the use and adaptation of the voluntary NIST Cybersecurity Framework (CSF) by communications providers. Consistent with Working Group 4's larger objective, the broadcast segment group analyzed the NIST Cybersecurity Framework version 1.0 from the perspective of the broadcast industry in order to apply the practices and processes described therein to this segment of the communications sector.
[38] See Exec. Order No. 13,636, Improving Critical Infrastructure Cybersecurity, 78 FR 11737 (Feb. 19, 2013) [hereinafter EO 13636].
[39] See Federal Communications Commission, The Communications Security, Reliability and Interoperability Council III, Working Group 3 Emergency Alert System (EAS) Initial Report, CSRIC WG3 EAS Security Subcommittee Report (2014), available at http://transition.fcc.gov/pshs/advisory/csric4/CSRIC_IV_WG3_InitialReport_061814.pdf.
B. Scope

Based on the NIST Cybersecurity Framework in critical infrastructure, the broadcast segment group focused on identifying the aspects of the broadcast infrastructure that would be considered critical infrastructure supporting the critical services broadcasters provide. Based on the definitions of critical infrastructure outlined in the NSRA and Executive Order 13636, the group concluded that it is broadcasters' role in public alerting and as first informers (i.e. keeping the public informed during times of emergency) that fulfils this critical infrastructure role. The NSRA communications architecture model illustrating what is considered critical infrastructure is shown below.

The broadcast segment group agreed with the other Segment groups that the scope of its efforts should build upon the work already completed in the NSRA, which is to ensure overall network reliability, maintain always-on service for critical customers and quickly restore critical communications functions and services following a disruption. Considering all these factors, the Broadcast Sector group concluded that maintaining the on-air operations at local, regional and national level constituted maintaining this segment of the national critical communications infrastructure.

It is important to note that Broadcasters are consumers of IP-based network services and do not supply IP services to others; as such, they must evaluate the risk and vulnerability of their assets in the context of maintaining their critical on-air operations.
C. Methodology

Starting with the Broadcast architecture model from the NSRA (below), the broadcast segment analyzed the broadcast ecosystems and developed four architecture models that are illustrative of the different types of operations in the broadcast segment: Local Broadcast Station, Small Radio Station, Hubbed (or Central Cast) Operation, and Broadcast Program Network. These models, described in more detail in Section V, can help broadcasters identify the critical assets that may require different approaches to application of the NIST Framework. These critical elements delineate the scope of assets intended to be protected through the further analysis below.
[Figure: NSRA broadcast architecture model. Elements shown: Commercial Satellite; Television/Radio Network Headquarters; Local Broadcast Station (DTV/AM/FM/HD-Radio) with Satellite Receive Dishes; STL and Fiber Back-up to the Transmitter Site (Radio/Television Station Transmitter, Broadcast Antenna); ENG/SNG via Portable Microwave or Satellite; Home, Pedestrian and Mobile Customers.
Legend: STL = Studio to Transmitter Link (typically point-to-point fixed microwave or fiber); ENG = Electronic News Gathering (local TV news coverage via portable microwave link); SNG = Satellite News Gathering (local TV news coverage via portable satellite link).]
V. RESULTS AND FINDINGS

A. Critical Services

The broadcast segment utilized the NIST Cybersecurity Framework to evaluate its application to the broadcast sector. Since the broadcast sector provides a service to consumers by providing news, weather and emergency information through over-the-air signals or, in the case of a program network, via satellite or leased fiber facility, many of the cybersecurity concerns may not appear to be applicable. After careful review, the broadcast segment determined that there are aspects of broadcasting infrastructure that are IP network based and critical to providing essential services. Broadcasters are used to carrying mission critical data and information. Broadcasters must assess which parts of their infrastructure are critical to maintaining on-air operations so that they can deliver the following types of essential information to the public.

1) Emergency Alert Systems (EAS)

New technology in emergency alerting now carries messages from the Federal Emergency Management Agency (FEMA) through IP networks using the Common Alerting Protocol (CAP). Many state and local emergency management organizations have also adopted CAP protocol messaging distributed via IP over dedicated or public Internet. The broadcasters' IP networks that carry these critical messages need to be protected against cyber attacks.[40]

2) News and Weather and Other Emergency Information

Broadcast stations and networks provide essential content in the form of news and weather and other emergency information, such as evacuation routes or tornado tracking. Both information and content flow over high speed IP networks within a broadcast plant to provide integration of News Room Computer Systems (NRCS), audio and video servers, graphics systems and scheduling/automation systems. The broadcast network is the backbone of the station or network and needs to be carefully managed for redundancy, reliability and security. Important feeds and wire services that used to rely solely on satellite or microwave have also migrated to IP and Long Term Evolution (LTE) networks in order to provide valuable and timely content.
B. Broadcast Ecosystem Architectures

Below are the four architecture models that are illustrative of the different types of operations in the broadcast segment. Broadcasters can use the model that most closely resembles their actual infrastructure to identify the assets that require threat analysis and evaluation when applying the Framework to on-air operations.

[40] This report does not address specifics of security for EAS and its associated ecosystem. EAS security is considered in CSRIC Working Group III.
1) Local Broadcast Station

Broadcast stations include independent, public, educational or state, station groups or network O&Os (owned and operated). A broadcast station can be a handful of employees in a mom and pop shop to major market stations with hundreds of employees. Many functional areas within a station include but are not limited to sales, programming, traffic, production, news, community affairs, public relations, accounting and finance, and engineering and operations. Engineering and Operations typically operates on a 24x7 basis and plays a critical role in providing content for community service, news, weather, sports, and entertainment for their broadcast market.
2) Local Small Radio Station

Local Radio Stations may not have enterprise level networks as larger broadcasters do, but there are many areas where the station network connectivity provides critical services to its audience and would necessitate cybersecurity measures. This includes programming source(s) delivered via IP, commercial delivery and commercial production, other production resources such as Associated Press (A/P) newswire service delivery, remote operations, Common Alerting Protocol (CAP)/EAS Internet access, and Studio Transmitter Links (STL) transmitter metering and control. The network could also be used to provide for transmitter site security, A/P news, station social media/applications/contests/games, in-house WiFi access, FCC accounts, Traffic Bookkeeping (includes staff and listener accounts), and portable media using Universal Serial Bus (USB) or Bluetooth.
[Figure: Local Small Radio Station. Elements shown: Content arriving via Commercial Satellite (Sat RX) and ENG/SNG; Station Network (Admin, Production, EAS, News, Traffic, PC/Smart Device, Remote Control, Receiver Process, RDS, On Air Console, STL, DEC) behind Firewalls to two Internet Service Providers; Radio Transmitter and Broadcast Antenna at the Transmitter Site; Home Customer.]
3) Broadcast Hubbed (Central Cast) Operation

A broadcast station hub is somewhat different from a broadcast station. A broadcast station hub typically takes the repetitive 24x7 master control operations of two or more broadcast stations and combines them into a single facility for efficiency purposes. These can include private third party business, educational or state, station groups or network O&Os (owned and operated) hubs. A television station that is a spoke of a hub facility does not need to be a small market facility. A hubbed television station is a fully featured and functioning facility that can have a news department, promotions, and be a network affiliate or independent. It simply does not have a master control facility to originate its programming to the local broadcast transmitter. There are two ways to accomplish this:

1. The central hub originates all content, which is sent to the satellite station as a video stream over a private bandwidth circuit. Local commercials, news programming, and other interstitial material are sent in the other direction to the hub for transmission at a later time or in real time in the case of live news programming. Traffic operations are also usually centralized at the hub facility; or

2. The satellite station has all of the content material and equipment on site, but is controlled from the central hub.

Today, with the cost of bandwidth being much lower than five years ago, most central casting locations use method number one. The obvious security and redundancy issues regarding protection of the feed from the hub require that two diverse routes should be employed with firewalls and VPN protection. All other data circuits, computers, digital streaming feeds, and feeds of any type should be protected as they would be in any other modern broadcast facility.
[Figure: Broadcast Hubbed Operation. Elements shown: Commercial Satellite; Television/Radio Network Headquarters; ENG/SNG; Fiber Back-up; Station Hub (DTV/AM/FM/HD-Radio) with Sat RX, Workstations and Video/Audio Devices behind an Incoming Firewall and Outgoing Firewall to an Internet Service Provider; IP/Feed to three Transmitter Sites, each with a Radio/Television Station Transmitter and Broadcast Antenna.
Risks for business noted on the figure: 1. Internet connections; 2. Email; 3. File Delivery (content or otherwise); 4. USB Devices; 5. Laptops; 6. Partners, etc.]
4) Broadcast Network

Broadcast networks provide content to stations, cable companies, satellite providers and even OTT (Over the Top) broadcast. A broadcast network ranges from a few hundred to a few thousand employees and typically provides a national or international footprint for distribution. Many functional areas within a network include, but are not limited to, sales, programming, traffic, production, news, public relations, accounting and finance, and engineering and operations. Engineering and Operations typically operates on a 24x7 basis and plays a critical role in providing content for stations, cable companies, satellite providers and OTT distributors. This content eventually makes its way to the public for news, sports, weather, education, public interest, and entertainment.
[Figure: Broadcast Network. Elements shown: Corporate Network (Single Building or Campus) with Corporate Workstations and Laptops behind ISP A Firewall to the Internet (CDN, Partners, etc.); Broadcast Network with Broadcast Workstations, File Delivery, Media Supply Chain, Ingest/Playout, Sat Rx and Fiber Rx behind BCast Firewall, with ISP B; BCast Fiber (Commercial, Delivered by Telco, or Dark Fiber) and Private or Commercial Terrestrial links; Commercial Satellite with Satellite Receive and Uplink; Television/Radio Station and Broadcast Antenna.
Risks for business noted on the figure: 1. Internet connections; 2. Email; 3. File Delivery (content or otherwise); 4. USB Devices; 5. Laptops; 6. Partners, etc.]
VI. APPLYING THE NIST CYBERSECURITY FRAMEWORK

The NIST Framework presents five Core Functions organizations can use to evaluate their cybersecurity risks.

Identify: Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities. The activities in the Identify Function are foundational for effective use of the Framework. Understanding the business context, the resources that support critical functions and the related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs.

Protect: Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services. The Protect Function supports the ability to limit or contain the impact of a potential cybersecurity event. Examples of outcome Categories within this Function include: Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; and Protective Technology.

Detect: Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event. The Detect Function enables timely discovery of cybersecurity events. Examples of outcome Categories within this Function include: Anomalies and Events; Security Continuous Monitoring; and Detection Processes.

Respond: Develop and implement the appropriate activities to take action regarding a detected cybersecurity event. The Respond Function supports the ability to contain the impact of a potential cybersecurity event. Examples of outcome Categories within this Function include: Response Planning; Communications; Analysis; Mitigation; and Improvements.

Recover: Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event. The Recover Function supports timely recovery to normal operations to reduce the impact from a cybersecurity event. Examples of outcome Categories within this Function include: Recovery Planning; Improvements; and Communications.
VII. APPLICATION METHODOLOGY

The CSRIC IV Broadcast Sub-Committee reviewed the NIST Framework as it applies to the different segments of the broadcast industry:

• Small Radio Station
• Local Broadcast Station
• Station Hub (or Central Cast) Operation
• Broadcast Network

Each of the 98 subcategories of the NIST Framework was evaluated as being non-critical, maybe critical, or critical for each of the types of broadcast infrastructure models. This helps define how the scope of the Framework can be applied to broadcast organizations of differing scope and size.
NIST Sub-Category | Small Radio Station | TV Broadcast Station | Station Hub | Network Facility
ID.AM-1: Physical devices and systems within the organization are inventoried | Critical | Critical | Critical | Critical
ID.AM-2: Software platforms and applications within the organization are inventoried | Critical | Critical | Critical | Critical
ID.AM-3: Organizational communication and data flows are mapped | May Not be Critical | Critical | Critical |
ID.AM-4: External information systems are catalogued | Critical | Critical | |
ID.AM-5: Resources (e.g., hardware, devices, data and software) are prioritized based on their classification, criticality, and business value | Critical | Critical | Critical | Critical
ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established | Critical | Critical | Critical | Critical
ID.BE-1: Organization's role in the sup