Tuesday, February 17, 2015

Executive Order Promoting Private Sector Cyber Info Sharing

On February 13, 2015 -- two years plus one day after the President's Executive Order directing NIST to build the new Cybersecurity Framework -- President Obama issued an Executive Order entitled Promoting Private Sector Cybersecurity Information Sharing.

The four-page Order has seven sections:

  1. Policy
  2. Information Sharing and Analysis Organizations (ISAO)
  3. ISAO Standards Organization
  4. Critical Infrastructure Protection Program
  5. Privacy and Civil Liberties Protections
  6. National Industrial Security Program
  7. Definitions

The fundamental point of the EO is that "...entities must be able to share information related to cybersecurity risks and incidents and collaborate to respond in as close to real time as possible."

The EO also notes that information sharing must:
  • ...be conducted in a manner that protects the privacy and civil liberties of individuals
  • ...preserves business confidentiality
  • ...safeguards the information being shared, and
  • ...protects the ability of the Government to detect, investigate, prevent and respond to cyber threats...
Certainly commendable policy, and something the industry has needed and wanted for years.

Information Sharing and Analysis Organizations (ISAOs)

The Order directs the Secretary of the Department of Homeland Security to "...strongly encourage the development and formation of..." ISAOs.

The Order offers some details on how the ISAOs should be organized and how their membership can draw on public or private sectors, and offers the option for the ISAOs to be formed as for-profit or nonprofit entities.

The National Cybersecurity and Communications Integration Center (NCCIC) is ordered to engage in "...continuous, collaborative, and inclusive coordination with ISAOs on the sharing of information..."

ISAO Standards Organization

The Secretary of DHS is ordered to "...enter into an agreement with a nongovernmental organization to serve as the ISAO Standards Organization (SO), which shall identify a common set of voluntary standards or guidelines for the creation and functioning of ISAOs under this order."

Observations and Questions

It is commendable that President Obama has stepped forward -- again -- to raise awareness and take action on the cyber threats to our country, its economy, its businesses and its citizens.  However, one question keeps coming up with this Executive Order: "Aren't we already doing this with Information Sharing and Analysis Centers (ISACs)?"

ISACs have been around since May 1998 and were established under the auspices of Presidential Decision Directive 63 (PDD-63) signed by President Clinton.  If you look at the National Council of ISACs website you will note that the definition of an ISAC is:

ISACs are trusted entities established by Critical Infrastructure Key Resource (CI/KR) owners and operators to provide comprehensive sector analysis, which is shared within the sector, with other sectors and with the government. ... Services provided by ISACs include risk mitigation, incident response, alert and information sharing.  The goal is to provide users with accurate, actionable, and relevant information.

And in another white paper on the subject, a description of an ISAC includes the following:

By definition, an ISAC is a trusted, sector-specific entity which performs the following functions: 
  • provides to its constituency a 24/7 secure operating capability that establishes the sector’s specific information sharing/intelligence requirements for incidents, threats and vulnerabilities; 
  • collects, analyzes, and disseminates alerts and incident reports to its membership based on its sector focused subject matter analytical expertise; 
  • helps the government understand impacts for its sector; 
  • provides an electronic, trusted capability for its membership to exchange and share information on cyber, physical and all threats in order to defend the critical infrastructure; and 
  • shares and provides analytical support to government and other ISACs regarding technical sector details and in mutual information sharing and assistance during actual or potential sector disruptions whether caused by intentional, accidental or natural events. 

Isn't an ISAC already filling much of the role of the ISAO described in the Executive Order?  Can't the ISACs continue in their current roles while absorbing the essence and elements of the Executive Order?

Establishing a new bureaucracy and hierarchy of ISAOs that essentially parallels the current ISAC structure and functions does not appear to be efficient.  It could lead to more confusion, increased bickering and "turf wars," and in the end neither help nor encourage the effective information sharing that would better protect our country, economy, businesses and citizens.  At a minimum, the Department of Homeland Security should take the time to compare what the ISACs already do against the Executive Order, build on those current efforts, and not push through a distracting, parallel effort.


Tuesday, February 10, 2015

CIP-014 Implementation Update from NERC

On February 9, 2015, NERC posted an email regarding implementation of CIP-014-1, Physical Security.

In its email NERC offered three links to items of interest.  They included:
And, for the reader's reference, here is the link to CIP-014-1.  Also, I wrote a blog about CIP-014 back on July 22, 2014.

CIP-014 Memo to Industry

The memo to the industry is from the NERC Compliance Assurance organization.  Its specific focus is the CIP-014 Risk Assessment and Third-Party Verification, and its stated purpose is to highlight acceptable approaches for implementing Requirements 1 and 2 of CIP-014.

Requirements 1 and 2 require Transmission Owners to perform a risk assessment and a third-party verification of that assessment in order to identify the Transmission stations and Transmission substations that will ultimately be subject to a physical security assessment (Requirement 4) and the implementation of subsequent physical security plan(s) (Requirement 5).

Per the CIP-014 implementation plans, each applicable Transmission Owner must perform its Requirement 1 risk assessment by October 1, 2015.

Then, within 90 days of completing the R1 risk assessment (i.e., by December 30, 2015), the Transmission Owner must ensure that the third-party verifier completes the verification.

Within 60 days of completing the verification, the Transmission Owner must either 1) modify its risk assessment to be consistent with the verifier's recommendations, if any, or 2) document the technical basis for not modifying its risk assessment in accordance with those recommendations.

The memo should be read in its entirety; however, the most useful part is probably a comment near the end that applicable Transmission Owners "...are expected to demonstrate effective application for NERC and the Regional Entities to be able to fully understand, for example:

  • Why certain stations or substations are identified to meet the criteria in Requirement 1
  • Similarly, why certain stations or substations were not identified by Requirement 1
  • What are the defining characteristics of stations and substations identified by Requirement 1
  • How the third-party verifying the risk assessment meets the qualifications in Requirement 2 and the means the third party used to ensure effective verification."

NATF Risk Assessment Guideline

The second item, a risk assessment guideline, was prepared by the North American Transmission Forum (NATF) and issued on January 19, 2015.  The NATF is headquartered in Charlotte, NC and its members include investor-owned, state-authorized, municipal, cooperative, US federal, and Canadian provincial utilities.  The NATF "...promotes the highest levels of reliability in the operation of the electric transmission systems."

The intent of the document issued by NATF is to provide a general guideline for the risk assessment identified in R1 of CIP-014.  

The guideline offers five suggested steps for the Transmission Owner to follow to accomplish Requirement 1.  A high-level summary of the steps follows:
  • Step 1:  The Transmission Owner identifies stations to be analyzed based on criteria in CIP-014-1, Section 4.1.1
  • Step 2:  The Transmission Owner identifies cases/system conditions to be analyzed.  Some cases could include -- summer vs winter peak load levels, shoulder peak load levels with system transfers, alternative generation dispatch assumptions or alternative load models.
  • Step 3:  The Transmission Owner defines the nature of the initiating event and how it will be modeled in the transmission assessment
  • Step 4:  The Transmission Owner is responsible for development of criteria/proxies for instability, uncontrolled separation or Cascading.
  • Step 5:  The Transmission Owner performs appropriate steady-state power flow and/or stability analysis.
There are substantially more details provided under each step in the Guideline.

NERC Physical Security Web Page

A third link in the NERC announcement is for their Physical Security web page (a screenshot is shown below).

This page appears to be an excellent resource for those focused on CIP-014 implementation and compliance.


This blog does not cover the contents of the referenced documents in adequate detail.  Taking the time -- and having your power engineers take the time -- to read the CIP-014 requirements and the guidance from NERC and NATF will be worthwhile.


NIST SP800-82 R2 (2nd Draft) Out for Comment

NIST SP800-82, Guide to Industrial Control Systems (ICS) Security, has been a key, seminal guide for those of us working in ICS security.  The original guide was published as a "final" version in June 2011.  Revision 1 of SP800-82 went final in May 2013.  In May 2014 the Initial Public Draft of Revision 2 was released for comment; I wrote a blog about that initial public draft on May 20, 2014 and encouraged interested parties to submit their comments.

Brief History of SP800-82

A few months ago I wrote an article for SearchSecurity on the Evolution of SP 800-82.  As part of that article I researched the history of the document and its development and ultimately prepared the Visio timeline shown below.  One thing I made sure to do was to obtain Keith Stouffer's (principal author of the SP800-82 series) approval of the timeline's accuracy.

(Apologies for the overlay with the right margin; however, if the chart goes too small then it is hard to read.  Thanks for understanding.)

What are the Revisions?

The new document out for comment is the second revision to NIST SP800-82.  From the NIST Website, updates in this new revision include:

  • Updates to ICS threats and vulnerabilities
  • Updates to ICS risk management recommended practices and architectures
  • Updates to current activities in ICS security
  • Updates to security capabilities and tools for ICS
  • Additional alignment with other ICS security standards and guidelines
  • New tailoring guidance for NIST SP800-53, Revision 4 security controls including the introduction of overlays, and
  • An ICS overlay for NIST SP800-53, Revision 4 security controls that provides tailored security control baselines for Low, Moderate, and High Impact ICS.

When are Comments Due?

The public comment period runs from February 9th to March 9th, 2015 (one month).  You can email your comments to nist800-82rev2comments@nist.gov.  You are encouraged to use the comment template form (Excel file) to collect your feedback for submission.

Your comments are requested to make this a better, more thorough document for the industry.  Thank you!



Monday, February 2, 2015

ENISA - Identifying Critical Information Infrastructure (CII)

The European Union Agency for Network and Information Security (ENISA) has published a new and interesting document entitled Methodologies for the Identification of Critical Information Infrastructure Assets and Services.  The report documents a study performed by ENISA staff on the problem of identifying Critical Information Infrastructure (CII) in communications networks.  However, because of the broad scope of the critical infrastructure examined for this report, it contains ideas that can help countries and large enterprises identify their critical assets.

The study of 23 Member States revealed that a "...significant number of Member States present a low level of maturity and lack a structured approach regarding identification of Critical Information Infrastructure..."  Even so, the report offers an overview of methodologies for identifying CII assets and services that may be useful to other geographic regions, nation states and even large multinational corporations.  Some key aspects of the methodologies are summarized below.

Identification of Critical Sectors

One of the first steps listed in Section 4.3 is the identification of critical sectors.  On pages 22-24 the report identifies 14 critical sectors, along with critical subsectors and critical services, to be considered when identifying critical assets.  The table showing this useful list is below:

Identification of Critical Services

Section 5.2 offers a suggested process that applies criticality criteria in order to identify critical assets.  The report defines criticality as either (1) the level of contribution of an infrastructure to society in maintaining a minimum level of national and international law and order, public safety, economy, public health and environment, or (2) the level of impact to citizens or to the government from the loss or disruption of the infrastructure.

Again, ENISA offers a table (below) showing eight different criteria with an explanation:

Assessment of Dependencies

The next step in this process is to examine each critical infrastructure (system) for the following types of dependencies:

  • Interdependencies within a critical sector (intra-sector)
  • Interdependencies between critical sectors (cross-sector), and
  • Especially for CII, interdependencies among communication network assets (both physical and logical connectivity)
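
To make the three dependency categories and the "impact of loss" notion of criticality concrete, here is a small added example of my own; it is an illustration, not code or data from the ENISA report.  It models a handful of hypothetical assets as a directed dependency graph, classifies each edge as intra-sector, cross-sector or a communication-network link (physical or logical), and then asks the question an identification exercise ultimately needs answered: if this asset is lost, what else is disrupted, and how much impact does that cascade carry?  All asset names, sector labels, impact scores and edges are constructed sample data.

```python
"""Added example: dependency-graph view of CII identification.

Assets, sectors, impact scores and edges below are constructed sample data
(hypothetical names), not material from the ENISA report.
"""
from collections import defaultdict, deque

# Constructed inventory: asset -> sector.  "communications" assets are the
# communication-network assets the report singles out for CII.
SECTORS = {
    "ixp_main":       "communications",
    "isp_backbone":   "communications",
    "dns_resolvers":  "communications",
    "scada_wan":      "energy",
    "grid_control":   "energy",
    "payment_switch": "finance",
    "retail_banking": "finance",
}

# Constructed impact scores (0-10): the "impact to citizens or government
# from loss or disruption" half of the report's criticality definition.
IMPACT = {
    "ixp_main": 3, "isp_backbone": 4, "dns_resolvers": 2,
    "scada_wan": 2, "grid_control": 9,
    "payment_switch": 6, "retail_banking": 7,
}

# Directed dependencies (upstream, downstream, link): losing `upstream`
# disrupts `downstream`.  `link` is "physical"/"logical" for connectivity
# between communication-network assets and "service" for everything else.
DEPENDENCIES = [
    ("ixp_main", "isp_backbone", "physical"),
    ("isp_backbone", "dns_resolvers", "logical"),
    ("isp_backbone", "scada_wan", "service"),
    ("scada_wan", "grid_control", "service"),
    ("dns_resolvers", "payment_switch", "service"),
    ("payment_switch", "retail_banking", "service"),
    ("grid_control", "retail_banking", "service"),
]


def classify(upstream, downstream, sectors=SECTORS):
    """Map one edge onto the three dependency categories listed above."""
    up, down = sectors[upstream], sectors[downstream]
    if up == "communications" and down == "communications":
        return "network"            # connectivity among CII network assets
    if up == down:
        return "intra-sector"
    return "cross-sector"


def adjacency(deps=DEPENDENCIES):
    """upstream -> [downstream, ...] adjacency list."""
    graph = defaultdict(list)
    for up, down, _link in deps:
        graph[up].append(down)
    return graph


def affected_by_loss(asset, deps=DEPENDENCIES):
    """Every asset disrupted, transitively, if `asset` is lost (itself excluded).

    Breadth-first search over the dependency graph; the `seen` set also
    terminates the walk if the graph contains a cycle.
    """
    graph = adjacency(deps)
    seen, queue = set(), deque([asset])
    while queue:
        current = queue.popleft()
        for nxt in graph[current]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(asset)
    return seen


def loss_impact(asset, deps=DEPENDENCIES, impact=IMPACT):
    """Cascading-loss score: the asset's own impact plus all downstream impact."""
    return impact[asset] + sum(impact[a] for a in affected_by_loss(asset, deps))


def rank_assets(deps=DEPENDENCIES, impact=IMPACT):
    """Assets ordered by cascading-loss score, highest first (name breaks ties)."""
    scored = ((a, loss_impact(a, deps, impact)) for a in impact)
    return sorted(scored, key=lambda pair: (-pair[1], pair[0]))


def dependency_breakdown(deps=DEPENDENCIES, sectors=SECTORS):
    """Count edges per category; network links are split by physical/logical."""
    counts = defaultdict(int)
    for up, down, link in deps:
        kind = classify(up, down, sectors)
        counts[f"network/{link}" if kind == "network" else kind] += 1
    return dict(counts)


if __name__ == "__main__":
    print("dependency types:", dependency_breakdown())
    for name, score in rank_assets():
        print(f"{name:15s} own={IMPACT[name]:2d} cascade={score:2d} "
              f"disrupts={sorted(affected_by_loss(name))}")
```

The point the ranking makes is the one the report's dependency step exists to make: the internet exchange point carries the lowest standalone impact score in the sample, yet it tops the list, because every other service in the sample sits downstream of it through physical and logical connectivity.  An identification exercise that scores assets only on their own sector contribution would miss it.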

In the United States we have some guidance for identifying critical infrastructure in the electric grid -- mainly the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards -- and the US Department of Homeland Security (DHS) has also identified a list of critical national sectors.  However, the ENISA document would be an excellent resource for a large regional organization, a nation state or even a large transnational corporation seeking to identify the critical sectors of concern and the critical assets to be protected.

My compliments to ENISA for this document and the guidelines offered.