Crafting a Cybersecurity Strategy that Works Texas Association of - - PowerPoint PPT Presentation



SLIDE 1

Crafting a Cybersecurity Strategy that Works

Texas Association of Broadcasters August 2016

Chris Homer PBS Technology & Operations

SLIDE 2

Cybersecurity Strategy for Broadcasters

  • Summary
    – Broadcast Industry Challenges
    – Understanding Risk
    – NIST Framework
    – How to establish a Cybersecurity Strategy

SLIDE 3

Broadcast Industry Challenges

  • Broadcast Networks
    – Emergency Alert Systems
    – News & Weather, Production, Graphics
    – Traffic & Scheduling
    – Playout & Automation Systems
    – STL transport & Broadcast (spokes & hubs)

SLIDE 4

  • EAS Equipment
    – Common Alerting Protocol
      • September 30 2011 FEMA
      • eXtensible Markup Language (XML) standard
    – May be tied to local, state & FEMA Networks

SLIDE 5

News, Weather, Production & Graphics

  • News Room Computer Systems (NRCS)
  • Non-Linear Editing Systems (NLEs)
  • Graphics Systems
  • Wire Services, Pool Feeds, Bonded Cellular
  • Closed Captioning via IP

SLIDE 6

Traffic & Scheduling

  • Sales Tools
  • Traffic Scheduling
  • Schedule Import
  • Programming
  • BXF Export to Automation

SLIDE 7

Playout & Automation Systems

  • Playout Servers (Channel in a Box)
  • Automation Systems
  • IP Playout
  • Storage Area Networks (SAN/NAS)
  • Library Systems (Disk, Tape, Cloud)

SLIDE 8

STL or Spoke & Hub

  • IP over Microwave
  • Network Spoke & Hub Connectivity

SLIDE 9

Broadcast Industry Challenges

  • Networks (Enterprise or Corporate)
    – Enterprise Resource Planning (ERP)
    – Finance
    – Sales
    – Research
    – Intranet/Extranet
    – Human Resources/Community Service

SLIDE 10

Finance & Accounting Systems

  • Finance
  • Accounting
    – Accounts Payable
    – Accounts Receivable
  • Purchasing

SLIDE 11

Broadcast Industry Challenges

  – News Data
  – Finance & Sales
  – Traffic & Scheduling
  – File Based Workflow
  – Viewer Data
  – Social Media Data

SLIDE 12

News

  • Laptops & Thumb drives
  • NRCS Rundowns
  • Non-Linear Editing Systems
  • Wire Services


SLIDE 13

Finance Sales & Admin

  • Human Resources/Employee Data
  • ERP Financial Data
  • Email

SLIDE 14

Traffic & Scheduling

  • Contracts & Deals
  • Programming Grids
  • Schedules

SLIDE 15

File Based Workflow

  • Media
  • Graphics
  • Meta Data/RDS
  • Marketing Content (Posters, Ads)
  • Web Based Content

SLIDE 16

Community Services/Viewer Data

  • Local Events, Charities
  • Nielsen Data
  • Viewer Data
  • Social Media Content

SLIDE 17

Cybersecurity Journey

  • Understanding the Risks
  • Cyber Attack Chain Model
  • FCC CSRIC IV Report
  • NIST Cybersecurity Framework

SLIDE 18

Understanding the Risks

  • Dead Air
  • Impact to Resources
  • Loss of Revenue
  • Embarrassment
  • Potential liability
  • Breach of employee, viewer or advertiser data

SLIDE 19

Types of Attacks (7 of 10)

Type                   Definition
Web App Attack         Attack the vulnerabilities and authentication of a web application layer such as unvalidated redirects, cross site forgery, cross site scripting and others.
Point-of-Sale          Remote attacks against the environments where card transactions are conducted.
Insider Misuse         Internal or partner misuse of resources.
Physical Theft & Loss  Loss of an information asset where the data is more valuable than the asset.
Crimeware              Use of malware followed by ransomware.
Cyber-espionage        Access to state or corporate sensitive data.
Denial of Service      Any attack to compromise network or system availability.

*2016 Data Breach Investigations Report, Verizon

SLIDE 20

A Cyber Attack Chain Model

Step                         Description
Reconnaissance & Probing     Find target. Harvest information (email, conference listings, public lists, etc.).
Delivery & Attack            Place delivery mechanism online. Use social engineering to induce target to access malware or other exploits.
Installation & Exploitation  Exploit vulnerabilities on target systems to acquire access. Elevate user privileges and install additional "tools".
Compromise & Expansion       Exfiltration of data. Use compromised systems to exploit additional systems.

SLIDE 21

Local Broadcast TV Station

SLIDE 22

Local Broadcast Radio Station

SLIDE 23

Central Broadcast TV Hub

SLIDE 24

Model for Hardened Station

[Diagram. Labels on one side of the Internal Firewall: DAM, Extra/Intra Net, Traditional IT (ERP, HR, Programming, Research), File Ingest, Enterprise Network, Public Web Sites, Internet, NRCS. Labels on the other side: Station Playout, STL or WAN to Hub, General Users, Traffic Scheduling, Editing, Graphics.]

SLIDE 25

FCC CSRIC IV Working Group 4

  • FCC CSRIC IV Working Group 4 Report on Cybersecurity for the Telecommunication Industry
  • https://transition.fcc.gov/pshs/advisory/csric4/CSRIC_IV_WG4_Final_Report_031815.pdf
  • Roadmap for Telecommunication Industry
  • Encourage Voluntary Action
  • The Communications Security, Reliability and Interoperability Council IV Working Group 4, March 2015

SLIDE 26

FCC CSRIC IV Working Group 4

  • Segment Analysis
    – Broadcasting
    – Cable
    – Wireless
    – Wireline
    – Satellite

SLIDE 27

FCC CSRIC IV Working Group 4

  • Feeder Segments
    – Cyber Ecosystem and Dependencies
    – Top Threats and Vectors
    – Framework Requirements and Barriers
    – Small and Medium Business
    – Measurements

SLIDE 28

FCC CSRIC IV Working Group 4

  • Small/Medium Business
    – Identifies what an SMB needs to protect, who has responsibility for a given task, and how an SMB can protect its critical infrastructure.
    – Use cases from various segments.
    – Identifies highest priority NIST Cybersecurity Framework subcategories for SMBs.

SLIDE 29

NIST Cybersecurity Framework

  • Framework Core
  • Framework Tiers
  • Framework Profiles
  • Link: http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf

SLIDE 30

NIST Cybersecurity Framework

  • Framework Core
    – Each item designed for a desired outcome
    – Function
    – Category
    – Sub-category
    – Informative Reference

SLIDE 31

Framework Core Functions

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

SLIDE 32

*Framework for Improving Critical Infrastructure Cybersecurity NIST-2014

SLIDE 33

*Framework for Improving Critical Infrastructure Cybersecurity NIST-2014

SLIDE 34

Identify

  • Asset Management
  • Business Environment
  • Governance
  • Risk Assessment
  • Risk Management Strategy

SLIDE 35

Protect

  • Access Control
  • Awareness and Training
  • Data Security
  • Maintenance
  • Protective Technology
  • Information Protection Processes/Procedures

SLIDE 36

Detect

  • Anomalies & Events
  • Detection Processes
  • Security Monitoring
  • SIEM

SLIDE 37

Respond

  • Response Planning

  • Communications
  • Analysis
  • Mitigation
  • Improvements

SLIDE 38

Recover

  • Recovery Planning
  • Improvements
  • Communications

SLIDE 39

Framework Tiers

  • Tier 1-Partial
  • Tier 2-Risk Informed
  • Tier 3-Repeatable
  • Tier 4-Adaptive

SLIDE 40

Tier 1-Partial

  • Lack of formal process
  • Lack of awareness
  • Unable to collaborate outside of organization

SLIDE 41

Tier 2-Risk Informed

  • Formal process may exist within parts of the organization
  • Some awareness but not organization wide
  • May understand role but not formalized

SLIDE 42

Tier 3-Repeatable

  • Formal process has become policy
  • Organization wide approach
  • Understands dependencies

SLIDE 43

Tier 4-Adaptive

  • Continuous improvement
  • Organization wide and has become part of the culture
  • Has become a great partner outside the organization

SLIDE 44

Cyber Risk Management

  • Executive
  • Business Process
  • Operations/Implementation

SLIDE 45

Executive

  • Successful Implementation
    – Required support at the highest level
    – Buy-in from all stakeholders
    – Continuous improvement
    – Governance

SLIDE 46

Business Process

  • Process to include
    – Risk Planning
    – Recovery Planning
    – Communication & Training

SLIDE 47

Operations/Implementation

  • Operations and Engineering
    – Asset Management
    – Change Management
    – Incident Management
    – Respond & Recover

SLIDE 48

Steps to Establish a Cybersecurity Program

  • Prioritize & Orient
  • Create Current Profile
  • Perform Risk Assessment
  • Create Target Profile
  • Perform Gap Analysis
  • Create Action Plan

SLIDE 49

Prioritize & Orient

  • Prioritize
    – Determine the scope of systems and assets that support the business.
  • Orient
    – Identifies assets, regulatory requirements, and overall risk approach.

SLIDE 50

Create Current Profile

  • Create Current Profile
    – Current categories/sub-categories
    – e.g. Asset Management, User Control

SLIDE 51

Perform Risk Assessment

  • Guided by Risk Management Process
  • Analyze current environment
  • Use pertinent and emerging data

SLIDE 52

Create Target Profile

  • Create Target Profile
    – Desired categories and sub-categories
    – e.g. Security policy, monitoring service
    – Customer and stakeholder requirements

SLIDE 53

Analyze & Prioritize Gaps

  • Perform Gap Analysis
  • Differences between current profile and target profile
  • e.g. Lack of Governance, Process, Monitoring

SLIDE 54

Action Plan/Execute

  • Create Action Plan
  • Cost analysis
  • Execute
  • Repeat
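The program-building steps on slides 48 to 54 (current profile, target profile, gap analysis, cost analysis, action plan, repeat) worked through in code. This is an added example, not part of the deck or PBS's tooling; the category names come from the Identify/Protect/Detect/Respond/Recover slides, while the tier values, risk weights, costs and budget are constructed sample data.

```python
# Added example, not from the deck: a profile gap analysis following the
# slides' steps (current profile -> target profile -> gap analysis -> cost
# analysis -> action plan -> repeat). Tiers use the slides' numbering
# (1 Partial .. 4 Adaptive); category names come from the slides, while
# the tiers, risk weights, costs and budget are constructed sample values.
from dataclasses import dataclass

@dataclass(frozen=True)
class Outcome:
    category: str  # CSF category named on the Identify/Protect/... slides
    function: str  # CSF core function the category belongs to
    current: int   # tier observed while building the current profile
    risk: int      # 1..5 business impact if the outcome is missed (sample)
    cost: int      # estimated person-days to reach the target tier (sample)

# Current profile (constructed sample data).
CURRENT_PROFILE = [
    Outcome("Asset Management", "Identify", current=1, risk=5, cost=10),
    Outcome("Governance", "Identify", current=1, risk=3, cost=5),
    Outcome("Access Control", "Protect", current=2, risk=4, cost=15),
    Outcome("Security Monitoring", "Detect", current=1, risk=4, cost=30),
    Outcome("Response Planning", "Respond", current=3, risk=4, cost=12),
    Outcome("Recovery Planning", "Recover", current=1, risk=5, cost=8),
]
# Target profile: desired tier per category (constructed sample data).
TARGET_PROFILE = {"Asset Management": 3, "Governance": 2, "Access Control": 3,
                  "Security Monitoring": 3, "Response Planning": 3,
                  "Recovery Planning": 2}

def gap_analysis(current, target):
    """Categories below their target tier, highest priority first.
    Priority is tier shortfall times risk weight; cheaper work breaks ties."""
    gaps = [o for o in current if o.current < target[o.category]]
    return sorted(gaps, key=lambda o: (-(target[o.category] - o.current) * o.risk, o.cost))

def action_plan(current, target, budget_days):
    """Greedy cost analysis: fund prioritized gaps until the budget is spent.
    Returns (funded, deferred, days committed); deferred gaps feed the next
    cycle, which is the 'Repeat' step on the slides."""
    funded, deferred, spent = [], [], 0
    for gap in gap_analysis(current, target):
        if spent + gap.cost <= budget_days:
            funded.append(gap.category)
            spent += gap.cost
        else:
            deferred.append(gap.category)
    return funded, deferred, spent
```

With a 40 person-day budget the plan funds Asset Management and Security Monitoring and defers the remaining three gaps to the next cycle.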

SLIDE 55

Organizational Changes

  • Governance
  • Communication
  • Culture
  • Response

SLIDE 56

Conclusion

  • Cybersecurity is:
    – A change of mindset & culture
    – Supported at the highest level in the organization
    – Everyone's responsibility
    – Doable through use of process & technology
    – Ongoing