Nuclear Regulatory Commission Cyber Security Requirements ! Characteristics of a (High) Quality Cyber Security Program Richard Dahl Director Security, Compliance, & Risk Black & Veatch “The views expressed herein are my own.” Richard Dahl Security Management Professional with more than 21 years in Security First 5 years as Counterintelligence Agent in US Army Extensive technical experience Consulting experience within many industries including Government/Military Bulk Electric Nuclear Power Manufacturing Security management methodology zealot Passion for repeatable and consistent processes that produce high quality security programs Security Management Sounds like: Security Management Sounds like: Security Management Looks like: Security Management Looks like: Characteristics of a Quality Security Program Provide a defined, consistent, methodology for implementing and maintaining security standards. Able to eﬀectively communicate implementation guidance for the standards within context. Hold appropriate parties responsible for the ownership, operation, and oversight of the program. Impediments to Quality 1. Confusing control applicability 2. Inconsistent requirement granularity 3. Inconsistent understanding within organization Impediment #1 Confusing application “Cyber Security” appears to be technical issue, but... Security Requirement Applicability ! Organizations, Locations, Networks, Personnel and Information all require security control implementation as well. Security is a business issue, not an IT/OT issue! Devices / Applications Locations Organizations Networks Personnel Information Impediment #2 Inconsistent requirement granularity Too Prescriptive (Too Hot) Too Ambiguous (Too Cold) Reasonable (Just Right) Too Prescriptive D 3.8 Trusted Path This technical cyber security control configures CDAs to use trusted communication paths between the user and the security functions of CDAs, which includes authentication and re-authentication, at a minimum. Too Ambiguous D 3.11 Transmission of Security Parameters This technical cyber security control configures CDAs to associate security parameters with information exchanged between CDAs. Reasonable D 3.21 Fail in Known State This cyber security control ensures the following: CDAs fail in a state that ensures that SSEP functions are not adversely impacted by the CDAs failure Impediment #3 Inconsistent implementation within organization What does D 3.3 mean to you? D 3.3 Shared Resources This technical cyber security control: Configures CDAs to prevent unauthorized and unintended information transfer via shared system resources. Does it mean the same to a person... Down the hall? At the other plant? In internal audit Interpretation The interpretation of the Standards is what always happens... it is just not usually documented. Everyone who looks at the cyber security Requirements interprets their meaning based on their own understanding of security and their level of technical competence. The real issue is whether the individual interpretations are consistent with one another throughout the enterprise. Methodology Principles Resource Based The standards apply to various resource types Attribute Informed The standards are implemented based on characteristics (attributes) of the resources Objective Driven The standards are designed to realize specific security objectives Resource Based Resource Types The types of “things” that the security standards will actually be implemented on Depends heavily on the NIST SP 800-53 defined concept of control inheritance The control is inheritable, i.e. the control is developed, implemented, assessed, authorized, and monitored by entities other than those responsible for the systems or components [receiving protection] Attribute Informed Resource Attribute Characteristics of a resource that will dictate where (upon which resources) the security standards must be implemented Characteristics of a resource that will dictate how (through what implementing controls) the security standards will be implemented Describe the following about a resource (with respect to application of the security standards) ! ! ! Who uses the resource Where the resource is used What the resource is Why the resource is used When the resource is used How the resource is used Attribute Informed Attributes used to determine Scope A resource must be protected according to a particular security program Security Posture Specific security controls will be applied to the resource in order to meet the requirements of a specific security standard Defined in a hierarchy to limit analysis Child attributes need not be considered if parent is not applicable Resource Attributes Objective Driven Security Objective Purpose of the security standards and the related consequence(s) of either not implementing the standard or failure of the implementation Provide visibility of relationships between standards Ensures consistent application of security standards High Quality Security Programs Defined Quality is achieved and maintained simply by the execution of normal business activities Personnel meet the Security Requirements simply by doing their jobs. Characteristics Horizontal integration of security activities Clearly defined Responsibilities for security activities Methodology Applications Risk Management Ensures the security posture is appropriate Compliance Management Ensures the security posture is in-place Vulnerability Management Ensures the security posture is functioning Governance Management Ensures the security posture is managed correctly Summary The impediments to a quality security program: Confusing resource categories Inconsistent granularity of requirements Inconsistent understanding within an organization Can be mitigated through consistent application of a resource-based, attribute-informed, objective driven security management methodology Thank You Questions? Comments. Concerns!