Saturday, 5 July 2014

Securing Networked Infrastructure for the Energy Sector

Industrial Control Cyber Security USA October 5/6/7 

NIST will present the NCCoE approach at a strategic roundtable in Sacramento, California, during the Industrial Control Cyber Security conference.

The NCCoE approach starts with engaging representatives from specific industrial and economic sectors to identify, from a business perspective, cyber security problems associated with organizations’ processes, operations, and services. The NCCoE and these business participants then derive security and operational requirements from the problems identified. The requirements and problems are stated using business terminology. The NCCoE then meets with cyber security technology providers in order to identify cyber security products and components that can employ automation to address identified business problems and derived requirements.
Proposed mechanisms for satisfying requirements are typically compositions of a number of products, each of which addresses some aspect of the business security requirement(s). Project definitions are developed that identify proposed use cases, including the:
  • Business problems addressed by each use case,
  • Cybersecurity risks associated with those business problems,
  • Cybersecurity requirements derived from business problems and risk assessments,
  • Cybersecurity technology potentially available to address the derived requirements,
  • Potential sources for the security technologies identified, and
  • Any technology gaps that leave any identified requirements unaddressed.
Project descriptions are subjected to public review in order to identify erroneous assumptions, potential additional solutions and sources, and potential additional business applications for proposed solutions.
Once a project is defined, the technology provider community is invited to participate in the development and demonstration of a proof-of-concept prototype security platform that satisfies the project’s requirements:
  • Both the technology components and expert assistance needed in composing an effective security platform from the components are provided without financial compensation by the government. Interested parties must formally agree that, though some details of the components they provide are protected intellectual property, any hardware or software harnesses necessary to making the components work effectively in the composed security platform will be freely available to the public.
  • The team formed for each project develops the demonstration security platform and demonstrates the platform to potential users, including those who were involved in the development of the requirements that the platform is intended to address.
  • The team documents the security platform, including the harnesses and applications programming interfaces, and documents how the platform may be effectively employed to satisfy the use case requirements in applicable environments. The documentation is structured in a manner that permits other technology providers to compose platforms that also satisfy the same or similar use case requirements.
  • The NCCoE develops and publishes applications guides and best practices for standardized employment of the platforms to satisfy government, critical infrastructure, and other economically significant information and automation security requirements. It is important to note that the platform documentation does not constitute a NIST endorsement of the security platform described or of any technology provider.
Examples of early NCCoE development and demonstration projects include:
  • Secure Exchange of Electronic Health Information (a mobile devices use case),
  • Securing Assets for the Financial Services Sector (an access rights management use case and an IT asset management use case),
  • Securing Networked Infrastructure for the Energy Sector (an identity and access management use case and a situational awareness use case),
  • Software Asset Management (a building block), and
  • Trusted Geolocation in the Cloud (a building block).

The NCCoE supports and complements the broader NIST cybersecurity program. In addition to the NCCoE and NSTIC initiatives, NIST cybersecurity programs include:
  • Work in cryptographic mechanisms that address topics such as hash algorithms, symmetric and asymmetric cryptographic techniques, key management, authentication, and random number generation;
  • Security research focused on the development and management of foundational building-block security mechanisms and techniques that can be integrated into a wide variety of mission-critical U.S. information systems;
  • Security research focused on identifying emerging and high-priority technologies, and on developing security solutions that will have a high impact on the U.S. critical information infrastructure;
  • Development, integration, and promotion of security standards, guidelines, tools, technologies, methodologies, tests, and measurements to address critical cybersecurity needs;
  • Validating cryptographic algorithm implementations, cryptographic modules, and Security Content Automation Protocol (SCAP)-compliant products; and
  • Developing test suites and test methods.
