1 / 32

Building Trustworthy, Secure Systems for the United States Critical Infrastructure

Protecting critical systems and assets is the highest priority for the national and economic security interests of the United States. This urgent national imperative requires the development of resilient and secure systems to defend against advanced cyber threats. This article explores the current landscape of cyber risk in energy, transportation, manufacturing, and defense sectors and highlights the need for reducing complexity, engineering trustworthiness, and implementing cyber resiliency strategies. The Federal Government's modernization strategy, risk management framework, and upcoming publications from NIST are also discussed.

mkilby
Download Presentation

Building Trustworthy, Secure Systems for the United States Critical Infrastructure

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Building Trustworthy, Secure Systems for the United States Critical Infrastructure An Urgent National Imperative

  2. The Current Landscape. It’s a dangerous world in cyberspace…

  3. Cyber Risk. Function(threat, vulnerability, impact, likelihood) Energy Transportation Manufacturing Defense

  4. Resilient Military Systems and the Advanced Cyber Threat • Cyber Supply Chain • Cyber Deterrence Defense Science Board Reports

  5. Complexity.

  6. Our appetite for advanced technology is rapidly exceeding our ability to protect it.

  7. Data. Data. Everywhere.

  8. Houston, we have a problem.

  9. Protecting critical systems and assets— The highest priority for the national and economic security interests of the United States.

  10. Defending cyberspace in 2018 and beyond.

  11. Simplify. Innovate. Automate.

  12. Federal Government’s Modernization Strategy • Identify and develop federal shared services. • Move to FedRAMP-approved cloud services. • Isolate and strengthen protection for high value assets. Reduce and manage the complexity of systems and networks… Engineer more trustworthy, secure, and resilient solutions.

  13. Reducing susceptibility to cyber threats requires a multidimensional strategy. Harden the target Limit damage to the target First Dimension Second Dimension System Make the target resilient Third Dimension

  14. Cyber Resiliency. The ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.

  15. Cyber resiliency relationships with other specialty engineering disciplines. Safety Privacy Security Resilience and Survivability Fault Tolerance Reliability

  16. CREF CYBER RESILIENCY ENGINEERING FRAMEWORK protection. Damage limitation. Resiliency. • Goals • Objectives • Techniques • Approaches • Strategic Design Principles • Structural Design Principles • Risk Management Strategy Constructs

  17. Relationship among cyber resiliency constructs. Why Approaches What GOALS • Anticipate • Withstand • Recover • Adapt OBJECTIVES • Understand • Prevent/Avoid • Prepare • Continue • Constrain • Reconstitute • Transform • Re-architect Strategic Design Principles Structural Design Principles TECHNIQUES Risk Management Strategy Inform selection and prioritization Inform selection and prioritization Inform selection prioritization Inform selection How Inform selection and prioritization Inform selection and prioritization Inform selection and prioritization

  18. CREF CYBER RESILIENCY ENGINEERING FRAMEWORK protection. Damage limitation. Resiliency. • Adaptive Response • Analytic Monitoring • Coordinated Protection • Substantiated Integrity • Privilege Restriction • Dynamic Positioning • Dynamic Representation • Non-Persistence • Diversity • Realignment • Redundancy • Segmentation • Deception • Unpredictability Techniques

  19. ISO/IEC/IEEE 15288:2015 Systems and software engineering — System life cycle processes Cyber Resiliency Constructs in System Life Cycle. • Business or mission analysis • Stakeholder needs and requirements definition • System requirements definition • Architecture definition • Design definition • System analysis • Implementation • Integration • Verification • Transition • Validation • Operation • Maintenance • Disposal NIST SP 800-160

  20. NIST SP 800-37, Revision 2 Risk Management Framework for Information Systems and Organizations A System Life Cycle Approach for Security and Privacy

  21. MONITOR SELECT CATEGORIZE Risk Management Framework (RMF) 2.0 PREPARE AUTHORIZE IMPLEMENT Just released for public review and comment. ASSESS

  22. A unified framework for managing security, privacy, and supply chain risks. Communication between C-Suite and Implementers and Operators Security Risk Management Privacy Risk Management RMF 2.0 Alignment with NIST Cybersecurity Framework Alignment with Security Engineering Processes Supply Chain Risk Management

  23. Transparency. Traceability. Trust.

  24. On the Horizon… • NIST Special Publication 800-37, Revision 2 Risk Management Framework for Information Systems and Organizations Final Publication: October 2018 • NIST Special Publication 800-53, Revision 5 Security and Privacy Controls for Information Systems and Organizations Final Publication: December 2018 • NIST Special Publication 800-53A, Revision 5 Assessing Security and Privacy Controls in Information Systems and Organizations Final Publication: September 2019

  25. On the Horizon… • NIST Special Publication 800-160, Volume 2 Systems Security Engineering Cyber Resiliency Considerations for the Engineering of Trustworthy Secure Systems Final Publication: October 2018 • NIST Special Publication 800-160, Volume 3 Systems Security Engineering Software Assurance Considerations for the Engineering of Trustworthy Secure Systems Final Publication: December 2019 • NIST Special Publication 800-160, Volume 4 Systems Security Engineering Hardware Assurance Considerations for the Engineering of Trustworthy Secure Systems Final Publication: December 2020

  26. Some final thoughts.

  27. Work smarter, not harder.

  28. The ultimate objective for security and privacy. Institutionalize. Operationalize.

  29. The essential partnership. Government Academia Industry

  30. Security. Privacy. Freedom.

  31. 100 Bureau Drive Mailstop 8930 Gaithersburg, MD USA 20899-8930 Email Mobile ron.ross@nist.gov 301.651.5083 LinkedIn Twitter www.linkedin.com/in/ronross-cybersecurity@ronrossecure WebComments csrc.nist.govsec-cert@nist.gov RMF RISK MANAGEMENT FRAMEWORK Simplify. Innovate. Automate.

More Related