Resiliency Rules:7 Steps for Critical Infrastructure Protection

Agenda

What are critical infrastructures?

What are the CIP policy drivers?

The differences between CIP/CIIP and

cyber security

Resiliency rules

What is Critical Infrastructure?

Critical infrastructures are generally thought of as the key systems, services and functions whose disruption or destruction would have a debilitating impact on public health and safety, commerce, and national security or any combination of those matters.

These include communications, energy, banking, transportation, public health and safety and essential government services.

NaturalNaturalDisasterDisaster

DirectivesDirectives

ResponseResponsePlansPlans Laws &Laws &

RegulationsRegulations

TerrorismTerrorism

WARWARWARWAR

IT IT AttacksAttacks ConvergenceConvergence

GlobalizationGlobalization

DependenceDependence

CIP Policy Drivers

Info & Comms

Energy

Transportation

Banking

Government

Services

Cybersecurity

Critical Infrastructures

Critical Information InfrastructureCross-Cutting ICT interdependencies among all sectors

Non-essential IT systems

Larg

e En

terp

rises

Pers

onal

user

s

Those practices and procedures that enable the secure use and operation of cyber tools and technologies

CIP/CIIP and Cybersecurity

Understanding the Differences

Resiliency Rules

1. Define Goals and Roles

2. Identify and Prioritize Critical Functions

3. Continuously Assess and Manage Risks

4. Establish and Exercise Emergency plans

5. Create Public-Private Partnerships

6. Build Security/Resiliency into Operations

7. Update and Innovate Technology/Processes

7 Steps for Critical Infrastructure Protection

CIP Goals Establishing Clear Goals is Central to Success

CIP Roles Understanding Roles Promotes Coordination

Assess Risks

Identify Controls and Mitigations

Implement Controls

Measure Effectiveness

Government“What’s the goal”

Determine Acceptable Risk Levels

Infrastructure“Prioritize Risks”

Public-Private Partnership“What’s critical”

Operators“Best control solutions”

Define Policy and Identify Roles

Define Roles

CIIP CIIP

Coordinator Coordinator

(Executive (Executive

Sponsor)Sponsor)

Sector Sector

Specific Specific

AgencyAgency

 

Law Law

EnforcementEnforcement

Computer Computer

Emergency Emergency

Response TeamResponse Team

Infrastructure Infrastructure

Owners and Owners and

OperatorsOperatorsPublic-Private Public-Private

PartnershipsPartnerships

IT Vendors IT Vendors

and and

Solution Solution

ProvidersProviders

Government Shared Private

Identify and Prioritize Critical Functions

Establish an open dialogue to understand the critical functions, infrastructure elements, and key resources necessary for delivering essential

services, maintaining the orderly

operations of the economy, and

ensuring public safety.

Collaborate to understand Interdependencies

Critical Function

Critical Function

Key Resource

Key Resource

Infrastructure Element

Infrastructure Element

Critical Function

Key ResourceInfrastructure Element

Supply Chain

Supply Chain

Supply Chain

Supply Chain

Supply Chain

Supply Chain

Supply Chain

Supply Chain

Supply Chain

Supply Chain

Understand Interdependencie

s

Continuously Assess and Manage Risks

Protection is the Continuous Application of Risk Management

• Define Functional Requirements• Evaluate Proposed Controls• Estimate Risk Reduction/Cost Benefit• Select Mitigation Strategy

• Define Functional Requirements• Evaluate Proposed Controls• Estimate Risk Reduction/Cost Benefit• Select Mitigation Strategy

• Seek Holistic Approach. • Organize by Control Effectiveness • Implement Defense-in Depth

• Seek Holistic Approach. • Organize by Control Effectiveness • Implement Defense-in Depth

• Evaluate Program Effectiveness•Leverage Findings to Improve Risk Management

• Evaluate Program Effectiveness•Leverage Findings to Improve Risk Management

• Identify Key Functions• Assess Risks • Evaluate Consequences

• Identify Key Functions• Assess Risks • Evaluate Consequences

Establish and Exercise Emergency plans

Public and private sector organizations can benefit from developing joint plans for managing emergencies – including recovering critical functions in the event of significant incidents, including but limited to natural disasters, terrorist attacks, technological failures or accidents.

Emergency response plans can mitigate damage and promote resiliency.

Effective emergency response plans are generally short and highly actionable so they can be readily tested, evaluated, and implemented.

Testing and exercising emergency plans promotes trust, understanding and greater operational coordination among public and private sector organizations.

Exercises also provide an important opportunity to identify new risk factors that can be addressed in response plans or controlled through regular risk management functions.

Improve Operational Coordination

Create Public-Private Partnerships

Voluntary public-private partnerships Promote trusted relationships needed for

information sharing and collaborating on difficult problems,

Leverage the unique skills of government and private sector organizations, and

Provide the flexibility needed to collaboratively address today’s dynamic threat environment

Build Security and Resiliency into Ops

Organizational incentives can drive security development lifecycle principles into all line of business

Leveraging the security lifecycle promotes secure and resilient organizations and products

DesignDefine security architecture and design guidelines Document elements of software attack surfaceThreat Modeling

Standards, best practices, and toolsApply coding and testing standardsApply security tools (fuzzing tools, static-analysis tools, etc)

Security PushSecurity code reviewsFocused security testingReview against new threatsMeet signoff criteria

Final Security Review Independent review conducted by the security team Penetration testingArchiving ofcompliance info

RTM and DeploymentSignoff

Security ResponsePlan and process in placeFeedback loop back into the development processPostmortems

Product InceptionAssign security advisorIdentify security milestonesPlan security integration into product

The Security Development Lifecycle

Driving Change Across Microsoft

Update and Innovate Technology/ProcessesCyber threats are constantly evolvingPolicy makers, enterprise owner and

operators can prepare for changes in threats by Monitoring trendsKeeping systems patchedMaintaining the latest versions of software that

have been built for the current threat environment.

Guidance

Developer Tools

SystemsManagementActive Directory Active Directory

Federation Services Federation Services (ADFS)(ADFS)

Identity Management

Services

Information Protection

Encrypting File System (EFS)

Encrypting File System (EFS)

BitLocker™

BitLocker™

Network Access Protection (NAP)

Client and Server OS

Server Applications

Edge

Microsoft Innovations DriveMicrosoft Innovations Drive

Questions?