Executive Order 13636 & Presidential Policy Directive 21
Ed Goff, Duke Energy
Melanie Seader, EEI

Agenda
• Executive Order 13636
• Presidential Policy Directive 21
• National Infrastructure Protection Plan
• Cybersecurity Framework
• EEI Member consensus input
Executive Order 13636
• “Improving Critical Infrastructure Cybersecurity” directs the Executive Branch to:
  • Develop a technology-neutral cybersecurity framework (NIST)
  • Promote and incentivize the adoption of cybersecurity practices
  • Increase the volume, timeliness, and quality of cyber threat information sharing
  • Incorporate strong privacy and civil liberties protections
  • Explore the use of existing regulation to promote cybersecurity

Presidential Policy Directive 21
• “Critical Infrastructure Security and Resilience” directs the Executive Branch to:
  • Develop a near-real-time cyber and physical critical infrastructure situational awareness capability
  • Evaluate and mature the public-private partnership
  • Update the National Infrastructure Protection Plan
  • Develop a comprehensive research and development plan
DHS Integrated Task Force
• 8 Working Groups:
  1. Stakeholder Engagement
  2. Cyber-Dependent Infrastructure Identification
  3. Planning and Evaluation (NIPP Update)
  4. Situational Awareness and Information Exchange
  5. Incentives
  6. Cybersecurity Framework (CSF) Collaboration with NIST
  7. Assessments: Privacy and Civil Rights and Civil Liberties
  8. Research and Development
National Infrastructure Protection Plan (NIPP) Update
• Working Draft of the National Infrastructure Protection Plan
  • Focuses on the Critical Infrastructure Partnership to improve security and resilience
  • Encourages partnership to improve information sharing and risk-based decision making
  • Provides a risk management process
  • Final comments due September 20
• Concerns
  • Too detailed for a plan at this level
  • Overlapping concepts with the Sector-Specific Plan and the new Cybersecurity Framework

Cybersecurity Framework
• NIST must publish a preliminary version of the Cybersecurity Framework within 240 days (i.e., by October 10, 2013); the final version is to be published by February 12, 2014.
• 4 Workshops
  1. April 3 – Washington, D.C.
  2. May 29-31 – Pittsburgh, PA
  3. July 10-12 – San Diego, CA
  4. September 11-13 – Dallas, TX
How will the CSF be developed?
Cybersecurity Framework
• Discussion Draft posted August 28, 2013
• 3 Parts of the Framework:
  • Core
  • Implementation Tiers
  • Profiles – Current and Target
• Incorporates risk management, but does not define a process
• Identifies areas for improvement
• Concerns
  • Too prescriptive for a Framework meant to apply to all sectors
  • The ES-C2M2 is thought to meet the intent of the CSF, but this is not clear in the latest draft.

How to Use the Framework
• Establish or Improve a Cybersecurity Program
  1. Make Organization-Wide Decisions
  2. Establish a Target Profile
  3. Establish a Current Profile
  4. Compare Target and Current Profiles
  5. Implement Target Profile
• Communicate Cybersecurity Requirements with Stakeholders
• Identify Gaps
Framework Profile
• Selection of the Functions, Categories, and Subcategories aligned with business requirements, risk tolerance, and organizational resources
• Does not provide Target Profile templates nor identify Tier requirements
• Gaps allow creation of a roadmap to reduce cybersecurity risk

Framework Core
• Subcategories
• Informative References
  • ISA 99.02.01
  • COBIT
  • ISO/IEC 27001
  • NIST SP 800-53
  • CCS Top 20 Critical Security Controls
• For the ES (Electricity Subsector) profile
  • ES-C2M2
  • RMP
  • NERC CIP
Implementation Tiers
• Tier 0 – Partial: no formal, threat-aware risk management process; implements portions of the Framework
• Tier 1 – Risk-Informed: formal, threat-aware risk management process; staff has adequate cybersecurity resources
• Tier 2 – Repeatable: regularly updates its profile to respond to the changing cybersecurity landscape; understands dependencies and partners
• Tier 3 – Adaptive: updates its profile based on predictive indicators to actively adapt to the changing cybersecurity landscape; actively shares information with partners

Areas for Improvement
• EO 13636: “identify areas for improvement that should be addressed through future collaboration with particular sectors and standards-developing organizations.”
• Based on stakeholder input, NIST identified the following areas for improvement:
  • Supply chains and interdependencies
  • Privacy
  • Conformity assessment
  • International aspects, impacts, and alignment
  • Data analytics
  • Automated indicator sharing
EEI Member Consensus Input
• EEI encourages NIST to develop a high-level framework focused on cybersecurity practices that can be applied across all 16 critical infrastructure sectors.
• EEI encourages NIST to keep the framework flexible enough to allow entities to use existing processes, standards, and guidance, to avoid time-consuming and unnecessary duplication of cybersecurity efforts.
• EEI encourages NIST to incorporate a flexible risk management process to keep the framework's cybersecurity practices at a high level and engage executive leadership.
• EEI encourages NIST to consider who is providing input to the Framework process when developing the framework.
Questions from NIST
• How can the Preliminary Framework:
  • Adequately define outcomes that strengthen cybersecurity and support business objectives?
  • Enable cost-effective implementation?
  • Appropriately integrate cybersecurity risk into business risk?
  • Provide the tools for senior executives and boards of directors to understand risks and mitigations at the appropriate level of detail?
  • Provide sufficient guidance and resources to aid businesses of all sizes while maintaining flexibility?

Questions from NIST
• Will the Discussion Draft:
  • Be inclusive of, and not disruptive to, effective cybersecurity practices in use today?
  • Enable organizations to incorporate threat information?
• Is the Discussion Draft:
  • Presented at the right level of specificity?
  • Sufficiently addressing unique privacy and civil liberties needs for critical infrastructure?
References
• Executive Order: http://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity
• PPD-21: http://www.whitehouse.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil
• NIST Cybersecurity Framework: http://www.nist.gov/itl/cyberframework.cfm