The Confluence of Physical and Cyber y ySecurity ManagementGOVSEC 2009

Samuel A Merrell CISSP

GOVSEC 2009

Samuel A Merrell, CISSPJames F. Stevens, CISSP

© 2009 Carnegie Mellon University

Today’s Agenda:• Introduction• Risk Management Concepts• Confluence of Physical and Cyber Security• Adopting a Service View• A Service View for Critical Infrastructure• Next steps• Next steps

2

Software Engineering Institute

U.S. DoD – Office of the Under Secretary

(Research and Engineering)sponsor

(FFRDC*)

CERT Program

• Cyber Threat and Vulnerability Analysis

SurvivableNetwork

Technology

SurvivableEnterprise

Management

PracticesDevelopment

& Training

• Enterprise and Workforce Development• Secure Software and Systems• Digital Forensics

3

Digital Forensics

CERT Capabilities

Technology Organizations Community

Networks(Sensors and

Analysis)

Software(Artifact

Analysis)

Systems(Forensics)

Work Force Development

(Training)

Threat and Incident

Management

Resiliency Engineering

and Management

(Risk)

National CSIRTs

Software Assurance

Vulnerability Disclosure

4

Resiliency Engineering and Management

Resiliency Engineering and Management (REM) develops, deploys, g ( ) p , p y ,and institutionalizes tools, techniques, methods, and training that advance

forganizational capabilities for governing and managing operational resiliency and risk for critical assets (such asrisk for critical assets (such as information and infrastructure) and servicesservices

5

REM Research FocusREM work aligned along four focus areas:• Resiliency Engineering• Resiliency Engineering• Information Resiliency

Critical Infrastructure Resiliency• Critical Infrastructure Resiliency• Governance, Risk & Compliance

6

Today’s Agenda:• Introduction• Risk Management Concepts• Confluence of Physical and Cyber Security• Adopting a Service View• A Service View for Critical Infrastructure• Next steps• Next steps

7

RiskA risk is the possibility of incurring a loss or harm

For risk to exist in any circumstance the followingFor risk to exist in any circumstance, the following three conditions must be satisfied

Th t b l i t d ith th it ti• There must be a loss associated with the situation

• There must be some uncertainty with respect to the eventual outcomeeventual outcome

• Some choice or decision is required

8

The Basic Risk Equation

9

Risk Mitigation OptionsRisk Assumption. To accept the potential risk and continue operating the IT system or to implement controls to lower the risk to an acceptable level

Risk Avoidance. To avoid the risk by eliminating the risk cause and/or consequence

Risk Limitation. To limit the risk by implementing controls that minimize the y p gadverse impact of a threat's exercising a vulnerability

Risk Planning. To manage risk by developing a risk mitigation plan that prioritizes, implements and maintains controlsimplements, and maintains controls

Research and Acknowledgment. To lower the risk of loss by acknowledging the vulnerability or flaw and researching controls to correct the vulnerability

Risk Transference. To transfer the risk by using other options to compensate for the loss

10

Residual and Acceptable Risk

Residual risk is the potential for the occurrence of an adverse event afteroccurrence of an adverse event after adjusting for the effectiveness and impact of all implemented security measures (controls)

Acceptable risk is the level of residual risk that has been determined to be a reasonable level of potential loss/disruption to a system or organization

11

A Risk Management Process

Identify

AnalyzeControl

PlanMonitor

Implement

12

p

Diverse Risks To Be Managed

Fi i lFinancial

Organizational Risks

OperationalRelationship

MarketRegulatory

13

Security and Operational Risk• Managing firewall rule-sets

• Installing fences aroundInstalling fences around facilities

• Limiting access to gintellectual property or confidential information

• Developing business continuity and disaster recovery plansrecovery plans

The aim of these “security” activities, both physical d b i lti t l t ti l i k

14

and cyber, is ultimately to manage operational risk

Focus on Operational RiskA form of hazard risk affecting day-to-day business operationsp

The potential failure to achieve mission objectives

“Operational risk is defined as the risk of loss resulting from inadequate f g f qor failed internal processes, people, and systems, or from external events.”

--Basel II Capital Accords

15

Scope of Operational Risk is Vast

Actions of people

Systems & technology

Failed internal External

eventspeople failures processes events

Tech reliance Global economy Open boundaries Complexity Cultural shifts

16

Today’s Agenda:• Introduction• Risk Management Concepts• Confluence of Physical and Cyber Security• Adopting a Service View• A Service View for Critical Infrastructure• Conclusion• Conclusion

17

Physical Security - Yesterday

18

Cyber Security - Yesterday

19

Silos of Responsibility

20

Today - Confluence

21

The Risk Management Challenge• The convergence of physical

and cyber security has y yrapidly expanded the threat environment that must be managed

• Limited organizational il bl fresources are available for

security activitiesE th t th li it d• Ensure that those limited resources are effectively and efficiently deployed

22

efficiently deployed

“Human sacrifice, dogs and cats living together... mass hysteria!” – Dr. P. Venkmang y

23

A Structured Approach

24

Shifting Security Paradigms

TodayOperational

YesterdayScope: Security Operational

Enterprise

Continuous

Scope: Security

Ownership: IT and Physical

Focus: DiscreteInternal

Process

Focus: Discrete

Driver: External

Execution: Platform/practiceEnterprise resilience

p

Goal: IT and Physical security

25

An Integrated View of Security

Physical Security

C b OthersCyber Security

26

A Fresh Look at Security ManagementOperational risks must be managed within a program that g p gcan adapt to a dynamic environment – this requires

f factive mitigation of all identified risks, regardless of their nature (e g cyber or physical)(e.g., cyber or physical)

27

http://en.wikipedia.org/wiki/File:Pittsburgh_view-from-incline_sm.jpg

Today’s Agenda:• Introduction• Risk Management Concepts• Confluence of Physical and Cyber Security• Adopting a Service View• A Service View for Critical Infrastructure• Conclusion• Conclusion

28

Current Approaches to Security Management

Security by compliance•FISMA•HIPAA•PCI

Security by adoption of best practices•ISO 17799•DISA STIGs•Vendor guides

Result:

29

Uneven use of limited resources

Enterprise Perspective An enterprise view of risk

—Enables risk mitigation decisions gthat effectively deploy limited resourcesIntegrates with enterprise—Integrates with enterprise architecture approaches to security management

—NIST SP 800-39’s “Risk Executive”I t h i l d b—Incorporates physical and cyber security management

30

Assets of an Organization

Assets

31

Assets Support Business Processes

Business Processes

Assets

32

Business Processes Support Services

Services

Business Processes

Assets

33

Services Support the Mission

OrganizationalMissionX

MissionService 1

XServiceMission

Service NMission

ss o

XX

X MissionXX

FacilitiesTechnologyInformationPeople X34

X

Step 1: Understand Your Services• Formally identify the services that your

organization must deliver in order to accomplish its g pmission

• Ask “what are the core competencies of the porganization?”• Often, business units are divided along these lines

• Manufacturing Operations• Sales and Marketing

Finance• Finance• Compliance• Research and Development

35

• Customer Service

Operational Risks to Service Delivery

Risks to service delivery are what organizations need to care aboutneed to care about

• These risks arise from both physical and cyber threats, therefore, both of these risks need to bethreats, therefore, both of these risks need to be mitigated efficiently and effectively

• Physical and cyber protection strategies for assets y y p gcan be engineered and evaluated in terms of their ability to best ensure the service

36

Benefits of Adopting a Service ViewAlign the protection and sustainment strategies to the organization’s missiong

• Engineer a unified approach to mitigating risks• Evaluate protection strategies for effectiveness inEvaluate protection strategies for effectiveness in

protecting the mission• Ensure efficiencies in the application of limited pp

resources

37

Engineer a Unified Approach to Mitigating Risks-1

38

Engineer a Unified Approach to Mitigating Risks-2

39

Select Effective Protection Strategies

Business Services

40

Ensure EfficienciesMaximize use of limited resources by incorporating the disciplines of physical and cyber securityp p y y y

• What works best for your environment: a guard at a post, an automated intrusion detection system, or both?

41

Step 2: Define Service RequirementsWhat are the needs of the services that you have identified?• Customer Service is available between 9:00 am

and 5:00 pmp• This monitoring system must operate 24 x 7

42

Step 3: Map Assets to ServicesService: Loan Operations

Loan OfficersIBM AS/400Bank Tellers

Process: Account

Process: Account

Loan Account DatabaseCorporate Headquarters

Maintenanceccou t

Opening

43

Identifying Interdependencies

44

Step 4: Define Resiliency RequirementsService: Loan Operations Confidentiality

Loan Account data may be viewed only by Loan Officers, account servicing staff, and Customer Service.

IntegrityMaintenance of Loan accounts may be made only by tellers, or Loan officers.Deletions of existing Loan Account information

Process: Account

Process: Account

Deletions of existing Loan Account information may be made only by a Loan Officer.

AvailabilityLoan Accounts must be available during normal

Maintenanceccou t

Opening banking hours (9:00 am to 5:00 pm, Monday through Thursday, 9:00 am to 7:00 pm Friday, and 10:00 am to 1:00 pm on Saturdays).

45

Step 5: Assess Risk to the ServiceRisks to service delivery are what organizations need to care aboutgIdentify how assets are exposed to conditions that can lead to service interruption

• Ensure that all possible vectors of threat are considered – both physical and cyber

46

Step 6: Develop an Integrated Mitigation Strategy

47

Step 7: Monitor for ChangeMaintain vigilance in monitoring for changes in the operating environment.p g

• Ensure that changes do not introduce new risks.

48

Enterprise Perspective for Risk Management

1. Define enterprise services2. Identify Impact Evaluation Criteriay3. Map assets to services4. Define resiliency requirements for assets

using the needs of the services5. Assess risks to the reliable delivery of the

serviceservice6. Develop an integrated (using disciplines of

physical and cyber security) approach effectively mitigate identified risks

7. Monitor for changes in the environment

49

T d ’ A dToday’s Agenda:• Introduction

C fl f Ph i l d C b S it• Confluence of Physical and Cyber Security• Risk Management Concepts• Adopting a Service ViewAdopting a Service View• A Service View for Critical Infrastructure• Conclusion

50

Critical Infrastructure Protection

51

18 U.S. Critical Infrastructure Sectors ServicesXAgriculture and FoodBanking and Finance

ChemicalCommercial Facilities

Commercial Nuclear Reactors, Materials, and WasteDams

D f i d t i l bDefense industrial baseDrinking Water and Water Treatment Systems

Emergency ServicesEnergye gy

Government FacilitiesInformation Technology

ManufacturingN ti l M t d INational Monuments and Icons

Postal and ShippingPublic Health and Healthcare

Telecommunications

52

TelecommunicationsTransportation Systems

Critical Infrastructure Asset Identification

53

World’s Largest Ball of Sisal Twine, Kshttp://skyways.lib.ks.us/towns/Cawker/twine.html

Old MacDonald’s Petting Zoo, Alabama http://www.oldmacdonaldspettingzoo.com

NERC’s Struggle with Asset Identification

NERC’s CIP standards• NERC has robust physical securityNERC has robust physical security

requirements• “N-1” and “N-1-1” contingenciesg

• Currently having difficulty in identifying critical infrastructure assets• Some BES organizations claim to operate no critical

infrastructure

54

Managing Sector Risks

`Sector Service

Sector Member

Business Service

55

Energy Sector

MissionXMission

BES Function 1

BESMission

BES Function NMission

Accomplishment

XX

X MissionXXFacilitiesTechnologyInformationPeople X

56

Benefits of Adopting a Service View• Connect protection and sustainment strategies to the

sector’s mission• Risks can be defined in terms of service delivery• Impact evaluation criteria can be identified

• Physical and cyber protection strategies for assets can be engineered and evaluated in terms of their ability to best ensure the service

57

Connect to the Mission of the Sector

The requirements of the organization’s contribution to the sector service are thecontribution to the sector service are the basis for resiliency requirements for assets

58

Select Effective Protection Strategies

Critical Infrastructure Services

59

Resiliency Requirements• Connect requirements for Critical Infrastructure

Services to a sector member’s contribution to that service

• Establish service delivery requirements for that y qcontribution

• Implement controls to effectively and efficiently meet the requirements.

60

Recognize Dependencies

61

http://science.nasa.gov/headlines/y2009/21jan_severespaceweather.htm

Critical Infrastructure Risk Management

1. Define sector services2. Identify service requirementsy3. Map assets to how an organization

contributes to sector services4. Define resiliency requirements for assets

using the needs of the services5 Assess risks to the reliable delivery of the5. Assess risks to the reliable delivery of the

service6. Engineer an integrated (using disciplines

of physical and cyber security) approach effectively mitigate identified risks

7 Monitor for changes in the environment

62

7. Monitor for changes in the environment

Today’s Agenda:Today s Agenda:• Introduction• Confluence of Physical and Cyber Security• Confluence of Physical and Cyber Security• Risk Management Concepts• Adopting a Service Viewp g• A Service View for Critical Infrastructure• Conclusion

63

Summary and Conclusion

• Adopt a structured approach to identify services

• Use business rules to define resiliency requirements

• Assess risks to assets that will affect reliable service delivery

• Engineer protection strategies to• Engineer protection strategies to ensure infrastructure resiliency

• Continuously monitor for changesy g

64

http://www.3planesoft.com/img/clock_screen01.jpg

CERT® Resiliency Management Model

http://www.cert.org/resiliency

The CERT Resiliency Management Model is a capability model for operational resiliency management. It has two primary objectives:• Establish the convergence of operational risk and resiliency• Establish the convergence of operational risk and resiliency

management activities such as security, business continuity, and aspects of IT operations management into a single model.

• Apply a process improvement approach to operational resiliency• Apply a process improvement approach to operational resiliency management through the definition and application of a capability level scale that expresses increasing levels of process improvement.

65

Contact UsContact InformationSpeakersSamuel Merrell James Stevense-mail: smerrell@cert.org e-mail: jfs@cert.org

Phone412-268-5800(8 30 4 30 EST)(8:30 a.m. - 4:30 p.m. EST)

Webhttp://www.cert.org

Postal MailSoftware Engineering InstituteATTN: Customer RelationsATTN: Customer RelationsCarnegie Mellon UniversityPittsburgh, PA 15213-3890

66

Questions?

67

NoticesCopyright 2009 Carnegie Mellon University.NO WARRANTYTHIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE , ,MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.Use of any trademarks in this report is not intended in any way to infringe on the rights of theUse of any trademarks in this report is not intended in any way to infringe on the rights of the trademark holder.Internal use. Permission to reproduce this document for internal use is granted, provided the copyright and "No Warranty" statements are included with all reproductions. Requests for permission to prepare derivative works of this document for internal use should be addressedpermission to prepare derivative works of this document for internal use should be addressed to the SEI Licensing Agent.External use. Requests for permission to reproduce this document or prepare derivative works of this document for external and commercial use should be addressed to the SEI

68

Licensing Agent.