Identifying Critical Assets for Risk Management
Celia Paulsen, 05/16/2018
Disclaimer: "The identification of any commercial product or trade name is included solely for the purpose of providing examples of publicly-disclosed events, and does not imply any particular position by the National Institute of Standards and Technology."
Problem
• Technology
– Interconnected
– Sophisticated
– Integral
• Complex SDLC Ecosystem
• Evolving Threats
• Constant Change
• $$$
Image by Andy Lamb: https://www.flickr.com/photos/speedoflife/6924482682
NIST IR 8179: Criticality Analysis Process Model
• Method for identifying and prioritizing information systems and components
– Increase understanding of the organization’s IT/OT (and other) assets
– Better decision making
• risk management
• project management
• acquisition, maintenance, and upgrade
– Informed distribution of finite resources
Not Another…
• Failure Mode Effects and Criticality Analysis (FMECA)
• Business Continuity Planning
• FIPS Level / Classification
• Framework (RMF, CSF, etc.)
LEVERAGES AND INFORMS EXISTING PRACTICES – NOT DUPLICATING THEM
Reading the Model
Each process and sub-process entry in the model lists:
• ID
• Name
• Description
• Inputs
• Outputs
• Roles & Responsibilities (Process only)
• Methods (Sub-process only)
• Related Processes
Criticality Analysis Process
A. Define & Scope
B. Program-Level Analysis
C. System-Level Analysis
D. Component-Level Analysis
E. Traceback
Process A: Define & Scope
• Define:
– Who
– When
– How
• Tailor if needed for each analysis
Process B: Program-Level Analysis
1. Goals, assumptions, constraints, etc.
2. Activities
3. Dependencies
4. Operating States
5. Baseline Criticality Levels
Process C: System/Subsystem-Level Analysis
1. Scope
2. Functions
3. Dependencies
4. Operating States
5. Baseline Criticality Level
Process D: Component/ Subcomponent-Level Analysis
1. Scope
2. Functions
3. Diagram
4. Operating States
5. Baseline Criticality Levels
Process E: Traceback
1. Identify connections & dependencies
2. Identify Existing Controls
3. Review Impact of Operating States
4. Apply Risk Info
5. Final Criticality Level
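The five traceback steps above, taken together with the baseline levels assigned in Processes B, C and D, amount to a dependency walk over a hierarchy of activities, systems and components. The following Python model is an added illustration and is not NIST's code or the IR 8179 worked example; it assumes a three-step ordinal scale (LOW, MODERATE, HIGH), assumes that an asset inherits the level of whatever cannot function without it, treats a redundancy control as lowering an inherited level by one step, evaluates each operating state separately and keeps the worst case, and lets "risk info" enter as an analyst-set floor. The activities, systems, components and dependencies are constructed for the example.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, FrozenSet, Iterable, List, Optional, Set


class Level(IntEnum):
    """Assumed three-step scale; IR 8179 leaves the actual scale to the organization."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


@dataclass
class Node:
    name: str
    tier: str                 # "activity" (Process B), "system" (C) or "component" (D)
    baseline: Level           # baseline criticality assigned at that tier
    controls: Set[str] = field(default_factory=set)   # existing controls, e.g. {"redundancy"}


@dataclass(frozen=True)
class Dependency:
    dependent: str            # the thing that stops working ...
    dependency: str           # ... without this one ...
    states: FrozenSet[str]    # ... while in any of these operating states


def _step_down(level: Level) -> Level:
    return Level(max(Level.LOW, level - 1))


def traceback(nodes: Iterable[Node], deps: Iterable[Dependency], states: Iterable[str],
              risk_floor: Optional[Dict[str, Level]] = None) -> Dict[str, Level]:
    """Return the final criticality level of every node (Process E, steps 1-5)."""
    by_name = {n.name: n for n in nodes}
    dependents: Dict[str, List[Dependency]] = {name: [] for name in by_name}
    for d in deps:                                   # step 1: connections & dependencies
        dependents[d.dependency].append(d)

    final: Dict[str, Level] = {name: n.baseline for name, n in by_name.items()}

    for state in states:                             # step 3: one pass per operating state
        memo: Dict[str, Level] = {}
        visiting: Set[str] = set()

        def traced(name: str) -> Level:
            if name in memo:
                return memo[name]
            if name in visiting:
                raise ValueError(f"dependency cycle through {name}")
            visiting.add(name)
            node = by_name[name]
            inherited = Level.LOW
            for d in dependents[name]:
                if state in d.states:                # edge only counts in this state
                    inherited = max(inherited, traced(d.dependent))
            if "redundancy" in node.controls:        # step 2: existing controls (assumed rule)
                inherited = _step_down(inherited)
            memo[name] = max(node.baseline, inherited)
            visiting.discard(name)
            return memo[name]

        for name in by_name:
            final[name] = max(final[name], traced(name))   # keep the worst state

    for name, floor in (risk_floor or {}).items():   # step 4: apply risk info as a floor
        final[name] = max(final[name], floor)
    return final                                     # step 5: final criticality levels


def run_example(apply_risk_info: bool = False) -> Dict[str, Level]:
    """Constructed utility-style hierarchy: two activities, two systems, three components."""
    nodes = [
        Node("dispatch", "activity", Level.HIGH),
        Node("billing", "activity", Level.MODERATE),
        Node("scada", "system", Level.MODERATE),
        Node("erp", "system", Level.LOW),
        Node("core_switch", "component", Level.LOW, {"redundancy"}),
        Node("historian", "component", Level.LOW),
        Node("radio_gateway", "component", Level.LOW),
    ]
    both = frozenset({"normal", "emergency"})
    deps = [
        Dependency("dispatch", "scada", both),
        Dependency("dispatch", "radio_gateway", frozenset({"emergency"})),
        Dependency("billing", "erp", frozenset({"normal"})),
        Dependency("scada", "core_switch", both),
        Dependency("erp", "historian", frozenset({"normal"})),
    ]
    # Hypothetical risk info: the historian is an actively targeted product line.
    floor = {"historian": Level.HIGH} if apply_risk_info else None
    return traceback(nodes, deps, ["normal", "emergency"], floor)


if __name__ == "__main__":
    for name, level in run_example().items():
        print(f"{name:14s} {level.name}")
```

Running it shows the three effects the traceback steps are meant to surface: the core switch inherits HIGH from dispatch via SCADA but its redundancy brings it back to MODERATE; the radio gateway is LOW in normal operation yet HIGH overall because the emergency state drives it; and the risk floor lifts the historian from MODERATE to HIGH without touching the dependency analysis.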
Things to Note
• Iterates throughout
• Analyses are hierarchical
– Multiple hierarchies of systems (of systems of systems of systems of systems)
– begin at a high level and repeat at a lower level until desired detail is reached
• FLEXIBLE
– Meant to work with existing processes, not to replace or duplicate them
Related Work
• Cyber-Supply Chain Risk Management: csrc.nist.gov/scrm
• FISMA: csrc.nist.gov/Projects/Risk-Management
• Cybersecurity Framework: www.nist.gov/cyberframework
Questions?
Celia Paulsen
Security Engineering and Risk Management Group
National Institute of Standards and Technology
[email protected]