President Obama in February 2013, signed Executive Order 13636 “Improving Critical Infrastructure Cybersecurity”. The goal of the executive order is to protect critical infrastructure, such as power, water, gas, etc. from cyber-threats.
The National Institute of Standards and Technology (NIST) was tasked to create the framework, and released Version 1.0 of the “Framework for Improving Critical Infrastructure Cybersecurity” on February 12th, 2014, also known as the “Cybersecurity Framework”. The framework is voluntary, but is becoming more of a requirement in the utilities industry. It is also a good framework for any organization interested in protecting their networks. The full Cybersecurity Framework can be downloaded at: http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214-final.pdf.
The framework is divided into five concurrent and continuous functions: Identify, Protect, Detect, Respond and Recover.
Identify: The process starts with an organization determining what is critical for the organization to deliver its services. This involves identifying what and where critical data is stored and what processes and systems are critical for the organization to operate. This includes data, software, hardware inventory, network diagrams and how data flows through the network.
Protect: Once all the critical data, systems software, and processes are identified, relevant threats and risks against those resources need to be evaluated and proper mitigating solutions must be put in place to assure the availability of these systems. Examples of mitigating solutions include, but are not limited to: access control, patch management, anti-virus, firewalls, backups, security awareness training, etc.
Detect: As we’ve mentioned in previous articles, CIOs are starting to look at IT Security differently than they did in the past. Previously, CIOs were investing all their budget dollars trying to prevent a breach. While protection is still required and is the second function in the framework, the CIO posture has moved to “Assume We Have Been Breached”. FBI Director James Comey on October 5th, 2014 stated on 60 Minutes, “There are those who’ve been hacked by the Chinese and those who don’t know they’ve been hacked by the Chinese”. All the best mitigating strategies can still leave an organization vulnerable. Tools and processes need to be deployed that are constantly searching for a breach. The detection function is the continual review of logs, traffic patterns and properly trained users noticing and reporting anomaly behavior on a system or network.
Respond: This function of the framework deals with responding to incidents that are generated from users, log reviews or automated systems. An Incident Response Team is the front line group that deals with and investigates security incidents, and is trained to act as first responders. Often times, it is necessary to bring in a forensics team after the incident to review the evidence and determine if any data was actually exfiltrated and the means that were used to gain control of the victim’s systems. A few key components of the Respond function are:
• Alert the Incident Response Team of a potential incident.
• Investigate the incident to determine if an actual incident has occurred.
• Provide internal and external communications.
• Isolate the infected system.
• Preserve evidence.
• Provide business continuity.
• Bring in and support a forensic team, if necessary.
Recover: This function maintains plans to recover the organization back to a 100% operational state. In the Respond function above, one of the responsibilities is to provide business continuance. The difference between business continuity and recovery is, the business continuity is limited to keeping critical functions running, albeit in a diminished performance mode. The recovery scope is to bring the organization back to a 100% operational model.
