Executive Order 13636 & Presidential Policy Directive 21
Ed Goff, Duke Energy Melanie Seader, EEI
Agenda
Executive Order 13636
Presidential Policy Directive 21
National Infrastructure Protection Plan
Cybersecurity Framework
EEI Member consensus input
Executive Order 13636: “Improving Critical Infrastructure Cybersecurity”
Develop a technology-neutral cybersecurity framework (NIST)
Promote and incentivize the adoption of cybersecurity practices
Increase the volume, timeliness, and quality of cyber threat information sharing
Incorporate strong privacy and civil liberties
Explore the use of existing regulation to promote cybersecurity
Presidential Policy Directive 21: “Critical Infrastructure Security and Resilience”
Develop a near-real-time cyber and physical critical infrastructure situational awareness capability
Evaluate and mature the public-private partnership
Update the National Infrastructure Protection Plan
Develop a comprehensive research and development plan
8 Working Groups:
1. Stakeholder Engagement
2. Cyber-Dependent Infrastructure Identification
3. Planning and Evaluation (NIPP Update)
4. Situational Awareness and Information Exchange
5. Incentives
6. Cybersecurity Framework (CSF) Collaboration with NIST
7. Assessments: Privacy and Civil Rights and Civil Liberties
8. Research and Development
Working Draft of the National Infrastructure Protection Plan
Focuses on critical infrastructure partnership to improve security and resilience
Encourages partnership to improve information sharing and risk-based decision making
Provides a risk management process
Final comments due September 20
Concern: Too detailed for a plan at this level. Overlapping concepts with the Sector-Specific Plan and the new Cybersecurity Framework.
NIST must publish a preliminary version of the
4 Workshops:
1. April 3, Washington, D.C.
2. May 29-31, Pittsburgh, PA
3. July 10-12, San Diego, CA
4. September 11-13, Dallas, TX
Discussion Draft posted August 28, 2013
3 Parts of the Framework:
Core
Implementation Tiers
Profiles (Current and Target)
Incorporates risk management, but does not define a process
Identifies areas for improvement
Concern: Too prescriptive for a Framework meant to apply to all sectors. The ES-C2M2 is thought to meet the intent of the CSF, but this is not clear in the latest draft.
Establish or Improve a Cybersecurity Program
1. Make Organization-Wide Decisions
2. Establish a Target Profile
3. Establish a Current Profile
5. Implement Target Profile
Communicate Cybersecurity Requirements with
Identify Gaps
Selection of the Functions, Categories, and Subcategories aligned with business requirements, risk tolerance, and
Does not provide Target Profile templates nor identify Tier requirements
Gaps allow creation of a roadmap to reduce cybersecurity risk
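The Current-to-Target Profile comparison the steps above describe can be made concrete in a few lines. The following is an added example and is not part of the presentation or of NIST's draft; it assumes a Profile is modelled as a mapping from a selected subcategory to an implementation level 0-3 (mirroring the four Tier labels on the Tiers slide), and the subcategory names and sample profiles are constructed placeholders, not identifiers from the Framework.

```python
"""Current-vs-Target Profile gap analysis (added example, not NIST's code).

Assumptions: a Profile maps (Function, subcategory) -> implementation level
0-3, reusing the Tier labels from the slide as level names. Subcategory
names below are constructed placeholders, not Framework identifiers.
"""
from dataclasses import dataclass

# Level names borrowed from the Tier labels on the slide (assumption: a
# per-subcategory level is scored on the same 0-3 scale).
LEVEL_NAMES = {0: "Partial", 1: "Risk-Informed", 2: "Repeatable", 3: "Adaptive"}


@dataclass(frozen=True)
class Gap:
    function: str
    subcategory: str
    current: int
    target: int

    @property
    def size(self) -> int:
        """How many levels the organisation must climb to close this gap."""
        return self.target - self.current


def identify_gaps(current: dict, target: dict) -> list:
    """Compare a Current Profile to a Target Profile.

    A subcategory selected in the Target Profile but missing from the
    Current Profile is treated as level 0 (nothing implemented yet).
    Subcategories already at or above target produce no gap.
    """
    gaps = []
    for (function, subcat), want in target.items():
        have = current.get((function, subcat), 0)
        if want > have:
            gaps.append(Gap(function, subcat, have, want))
    return gaps


def build_roadmap(gaps: list, priority: list) -> list:
    """Turn gaps into an ordered roadmap: highest-priority Function first
    (priority reflects business requirements and risk tolerance), then the
    largest shortfall, then alphabetical for a stable ordering."""
    return sorted(
        gaps,
        key=lambda g: (priority.index(g.function), -g.size, g.subcategory),
    )


# Constructed sample profiles (placeholders, not Framework subcategories).
CURRENT_PROFILE = {
    ("Identify", "asset inventory"): 2,
    ("Protect", "access control"): 1,
    ("Detect", "network monitoring"): 1,
    ("Respond", "incident plan"): 2,
    ("Recover", "backup restoration"): 1,
}
TARGET_PROFILE = {
    ("Identify", "asset inventory"): 2,
    ("Protect", "access control"): 3,
    ("Protect", "security awareness training"): 2,
    ("Detect", "network monitoring"): 2,
    ("Respond", "incident plan"): 2,
    ("Recover", "backup restoration"): 2,
}
# Constructed ordering: an organisation-wide decision about which Functions
# matter most given its risk tolerance.
BUSINESS_PRIORITY = ["Identify", "Protect", "Detect", "Respond", "Recover"]


def main() -> None:
    roadmap = build_roadmap(identify_gaps(CURRENT_PROFILE, TARGET_PROFILE),
                            BUSINESS_PRIORITY)
    for step, g in enumerate(roadmap, 1):
        print(f"{step}. {g.function}/{g.subcategory}: "
              f"{LEVEL_NAMES[g.current]} -> {LEVEL_NAMES[g.target]} "
              f"(+{g.size})")


if __name__ == "__main__":
    main()
```

With the sample profiles, the roadmap lists the two Protect gaps first, then Detect, then Recover; Identify and Respond already meet their targets and do not appear. The point the slide makes survives in the code: the Framework supplies no Target Profile template, so the target levels and the Function priority are inputs the organisation must decide for itself.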
Subcategories Informative References
Critical Security Controls
For ES profile
Tier 0 – Partial: no formal, threat-aware risk management process; implementing portions of the Framework
Tier 1 – Risk-Informed: formal, threat-aware risk management process; staff has adequate cybersecurity resources
Tier 2 – Repeatable: regularly updates profile to respond to the changing cybersecurity landscape; understands dependencies and partners
Tier 3 – Adaptive: updates profile based on predictive indicators to actively adapt to the changing cybersecurity landscape; actively shares information with partners
EO 13636: “identify areas for improvement that should be addressed through future collaboration with particular sectors and standards-developing organizations.”
Based on stakeholder input, NIST identified the following areas for improvement:
Supply chains and interdependencies
Privacy
Conformity assessment
International aspects, impacts, and alignment
Data analytics
Automated indicator sharing
EEI encourages NIST to develop a high-level framework focused on cybersecurity practices that can be applied across all 16 critical infrastructure sectors.
EEI encourages NIST to keep the framework flexible enough to allow entities to use existing processes, standards, and guidance, avoiding time-consuming and unnecessary duplication of cybersecurity efforts.
EEI encourages NIST to incorporate a flexible risk management process that keeps the framework's cybersecurity practices at a high level and engages executive leadership.
EEI encourages NIST to consider who is providing input to the Framework process when developing the framework.
How can the Preliminary Framework:
Adequately define outcomes that strengthen cybersecurity and support business objectives?
Enable cost-effective implementation?
Appropriately integrate cybersecurity risk into business risk?
Provide the tools for senior executives and boards of directors to understand risks and mitigations at the appropriate level of detail?
Provide sufficient guidance and resources to aid businesses of all sizes while maintaining flexibility?
Will the Discussion Draft:
Be inclusive of, and not disruptive to, effective cybersecurity practices in use today?
Enable organizations to incorporate threat information?
Is the Discussion Draft:
Presented at the right level of specificity?
Sufficiently addressing unique privacy and civil liberties needs for critical infrastructure?
Executive Order http://www.whitehouse.gov/the-press-
infrastructure-cybersecurity
PPD-21 http://www.whitehouse.gov/the-press-
infrastructure-security-and-resil
NIST Cybersecurity Framework
http://www.nist.gov/itl/cyberframework.cfm