Building on incident management metrics to better prepare for severe cyber incidents and reduce risks to organizations and communities

Part four of a series
July 2013
Author: Dave Sweigert, M.Sci., CISSP, CISA, PMP

ABSTRACT

Effective critical infrastructure protection will require the confluence of cyber incident management (internal) and community-based emergency management (external to the hardened enterprise) to create effective incident coordination to support Presidential Policy Directive 21 objectives.
Background

In April 2013 rifle shots damaged a Pacific Gas & Electric (PG&E) substation. At approximately the same time, someone cut nearby fiber optic cables, disabling the local 911 service. Investigators think the two acts of sabotage were linked.

According to the local Sheriff, the saboteur's objective appears to have been "shutting down the system." PG&E officials had told the sheriff that the substation's security fence had been breached, and at least five transformers had been damaged.
***
Unlike the average business concern, the community as a whole may have a dependency relationship with the critical infrastructure and key resources (CI/KR) provided by private business owners and operators, such as a gas pipeline or electrical cooperative.

Increasingly, there have been more calls for the sharing of information between the traditional hardened end-point CI/KR operators and community emergency management (EM) entities.

Case in point: in California, Assembly Bill (AB) 869 has been introduced to, quoting in relevant part:

“…develop and publish plans to respond to emergencies, including natural disasters, that have the potential to disrupt natural gas or electric service and cause damage, as provided…” [1]

[1] An act to add Sections 8610.7 and 8610.9 to the Government Code, relating to utilities.
And

“…The plan shall be consistent with emergency response plans developed by the Office of Emergency Services and with any plan developed by a local disaster council…” [2]

[2] AB 869: Disaster Relief Emergency Plans

At the very least, this indicates a desire by some in government to see better coordination and cooperation between CI/KR private operators and the local EM and public safety communities.

Protecting national infrastructure through information sharing

Enter the Cybersecurity Framework (CSF), proposed by Executive Order 13636. [3] Those critical of the CSF say it can easily become a redundant restatement of existing cybersecurity standards as a voluntary guideline, similar in nature to COBIT (Control Objectives for Information and Related Technology). Understandably, these private-industry critics are concerned about yet another mandatory cybersecurity compliance scheme.

[3] Executive Order -- Improving Critical Infrastructure Cybersecurity, 2/12/2013. See: Sec. 7, Baseline Framework to Reduce Cyber Risk to Critical Infrastructure.

Accompanying the issuance of EO 13636 was Presidential Policy Directive (PPD) 21, Critical Infrastructure and Security Resilience, which directed the Executive Branch to, quoting in relevant part:

“…
- Understand the cascading consequences of infrastructure failures
- Evaluate and mature the public-private partnership
- Update the National Infrastructure Protection Plan
…”

By examining apparent gaps in defining adequate metrics to measure severe incident response planning in the CSF draft standards, it may be possible to more accurately embody the principles of PPD-21 in the CSF, and make it more useful to private CI/KR owners.
National Infrastructure Protection Plan (NIPP)

The NIPP represents the “steady state” of CI/KR operations, in contrast to the incident response state articulated in the National Response Framework (NRF). The NIPP is pre-incident; the NRF is incident response and reaction. [4]

[4] Transitioning From NIPP Steady-State to Incident Management, NIPP, U.S. Dep’t of Homeland Security (2010).

The NIPP promotes the use of threat-assessment risk management criteria for private CI/KR owner-operators (see the Risk Management Framework (RMF)). The NIPP also promotes the Cyber Security Vulnerability Assessment (CSVA), a metric to gauge an organization’s cyber protection.
Per PPD-21, the NIPP shall be updated. In this context, it may be wise to update the CSVA to assess more factors regarding private-public response activities, as alluded to in California’s AB 869.

Metrics to measure the transition from steady-state (NIPP) to response state (NRF) may be worthwhile to explore.
A communications linkage metric

In a Software Engineering Institute (SEI) report entitled Incident Management Capability Metrics, [5] the metric of an “organizational interface” is defined as:

“…a common function that is focused on the interfaces between any groups performing incident management activities. An interface is any communication, exchange of information, or work that occurs between two groups…”

And such a linkage can be measured:

“…Have well-defined, formal interfaces for conducting organization incident management activities been established and maintained?…”

The measurement and evaluation of this metric appears worthwhile for the CSF.

[5] Software Engineering Institute, CMU/SEI-2007-TR-008, April 2007
This metric should measure linkages between Cybersecurity and other domains, especially in the Disaster Recovery and Business Continuity (DR/BC) planning arena. A proposed metric for the CSF should focus on enabling better communications in times of incident management. Quoting SEI:

“…From our research and interactions with customers, as well as discussions with teams over the years, the one interface that continues to be critical is communications. It can often be traced to the cause of a delay or failure in action. It is a key success factor for an incident management capability to examine its communications requirements and pathways, to ensure they are clearly defined, and to exercise diligence in ensuring they are effective, efficient, and understood by those involved in those communications…” [6]

[6] Incident Management Capability Metrics, Version 0.1, Technical Report CMU/SEI-2007-TR-008, April 2007

About the author: Dave Sweigert is a Certified Information Systems Security Professional, Certified Information Systems Auditor, and Project Management Professional, and holds Master’s degrees in Information Security and Project Management. A graduate of the National Fire Academy (NFA) Incident Management Team (IMT) course, he is a practitioner of NIPP/NRF in his role of assisting private organizations in institutionalizing NIPP/NRF into their cyber response plans.
