cyber security risk management
Post on 07-Nov-2015
The Communications Security, Reliability and Interoperability Council IV, Working Group 4 Final Report, March 2015

CYBERSECURITY RISK MANAGEMENT AND BEST PRACTICES
WORKING GROUP 4: Final Report, March 2015
TABLE of CONTENTS

I. EXECUTIVE SUMMARY ... 4
A. Voluntary Mechanisms ... 6
B. Guidance to Individual Companies on the Use of the NIST Framework ... 8
C. Communication Sector Commitment to Advancing Cybersecurity Risk Management ... 10
II. INTRODUCTION ... 11
III. BACKGROUND ... 13
A. CSRIC Structure ... 15
B. Leadership Team ... 16
C. Working Group 4 Team Members ... 16
IV. OBJECTIVE, SCOPE, AND METHODOLOGY ... 19
A. Objective ... 19
B. Scope ... 20
C. Methodology ... 21
V. FINDINGS ... 24
A. Macro Level Assurance Findings ... 24
B. Voluntary Mechanisms Findings ... 25
C. Use of the NIST Cybersecurity Framework or an Equivalent Construct Findings ... 25
D. Meaningful Indicators Findings ... 25
E. Communications Sector Implementation Guidance Findings ... 26
VI. CONCLUSIONS ... 27
A. Macro Level Assurance Conclusions ... 27
B. Voluntary Mechanisms Conclusions ... 27
C. Use of NIST Cybersecurity Framework or Equivalent Construct Conclusions ... 28
D. Meaningful Indicators Conclusions ... 28
E. Communications Sector Implementation Guidance Conclusions ... 28
VII. RECOMMENDATIONS ... 30
A. Macro Level Assurance Recommendations ... 30
B. Voluntary Mechanisms Recommendations ... 30
C. Use of NIST Cybersecurity Framework or Equivalent Construct Recommendation ... 31
D. Meaningful Indicators Recommendations ... 31
E. Communications Sector Implementation Guidance Recommendations ... 31
VIII. ACKNOWLEDGEMENTS ... 33
IX. REPORTS & SEGMENTS ... 34
9.1 BROADCAST SEGMENT ... 35
9.2 CABLE SEGMENT ... 62
9.3 SATELLITE SEGMENT ... 91
9.4 WIRELESS SEGMENT ... 118
9.5 WIRELINE SEGMENT ... 167
9.6 REQUIREMENTS AND BARRIERS TO IMPLEMENTATION ... 202
9.7 CYBER ECOSYSTEM AND DEPENDENCIES ... 321
9.8 MEASUREMENT ... 355
9.9 SMALL AND MEDIUM BUSINESS ... 370
9.10 TOP CYBER THREATS AND VECTORS ... 398
I. EXECUTIVE SUMMARY

CSRIC IV Working Group 4 (WG4) was given the task of developing voluntary mechanisms that give the Federal Communications Commission (FCC) and the public assurance that communication providers are taking the necessary measures to manage cybersecurity risks across the enterprise.[1] WG4 also was charged with providing implementation guidance to help communication providers use and adapt the voluntary NIST Cybersecurity Framework[2] (hereinafter NIST CSF). Working Group 4 began its work shortly after the Communications Sector[3] completed a highly collaborative, multi-stakeholder process that resulted in the NIST CSF Version 1.0[4] that was called for in the President's Executive Order 13636, Improving Critical Infrastructure Cybersecurity.[5] The sector's participation in CSRIC WG4 was seen as an opportunity to assume the leadership urged by FCC Chairman Tom Wheeler in a speech delivered to the American Enterprise Institute in June 2014.[6] By building on the cross-sector NIST CSF and by framing its applicability to five major communications industry segments, the Working Group was able to formulate and commit to several voluntary mechanisms that provide the macro-level assurances sought by the FCC. Moreover, these mechanisms, combined with the insights, tools, guidance, and fact-based analyses developed by over 100 cybersecurity professionals who participated in a year-long effort to produce this report, validate the advantages of a non-regulatory approach over a prescriptive and static compliance regime.[7]

WG4 organized itself into five segment subgroups representing the five key parts of the communication industry. Their representatives were encouraged to pursue independent evaluations of the CSRIC WG4 charge based on their own operating environments. The five segments included:

[1] See Federal Communications Commission, CSRIC IV Working Group Descriptions and Leadership (2013), available at http://transition.fcc.gov/pshs/advisory/csric4/wg_descriptions.pdf.
[2] See National Institute for Standards and Technology, Framework for Improving Cybersecurity, 79 FR 9167 (Feb. 18, 2014) [hereinafter NIST CSF], available at http://www.nist.gov/cyberframework/upload/cybersecurityframework021214.pdf.
[3] For purposes of this report, the Communications Sector is comprised of five industry segments including broadcast, cable, satellite, wireless, and wireline network service providers.
[4] See NIST CSF.
[5] See Exec. Order No. 13,691, Promoting Private Sector Cybersecurity Information Sharing, 80 FR 9347 (Feb. 13, 2015) [hereinafter EO 13691].
[6] See Remarks of FCC Chairman Tom Wheeler, American Enterprise Institute, June 12, 2014, available at http://www.fcc.gov/document/chairmanwheeleramericanenterpriseinstitutewashingtondc [hereinafter Chairman Wheeler's Remarks] ("[T]he network ecosystem must step up to assume new responsibility and market accountability for managing cyber risks.").
[7] Id. (statement of Chairman Tom Wheeler) ("[W]e cannot hope to keep up if we adopt a prescriptive regulatory approach. We must harness the dynamism and innovation of competitive markets to fulfill our policy and develop solutions. We are therefore challenging private sector stakeholders to create a new regulatory paradigm of business-driven cybersecurity risk management.").
Broadcast: There are more than 15,000 radio and 1,700 television broadcasting facilities in the United States, providing news, emergency information and other programming services over the air to consumers.[8]

Cable: The cable industry is composed of approximately 7,791 cable systems[9] that offer analog and digital video programming services, digital telephone service, and high-speed Internet access service.

Satellite: Satellite communications systems use a combination of space-based infrastructure and ground equipment capable of delivering data, voice, video, and broadcast communications to any person in the U.S., its territories, and anywhere on the globe.

Wireless: The Wireless industry delivers advanced wireless broadband services that include data, voice and video to more than 335 million active wireless devices nationwide, including more than 175 million smartphones, 25 million tablets, and 51 million data-only devices.[10] There are approximately 160 facilities-based wireless carriers[11] in the United States that operate and maintain more than 304,360 cell sites[12] that collectively provide the most advanced 4G technology deployment in the world.

Wireline: Over 1,000 companies offer wireline, facilities-based communications services in the United States.[13] Wireline companies serve as the backbone of the Internet.

WG4 also established five feeder subgroups to engage in a deeper, more focused analysis of subject matter areas that would help the communications sector segments evaluate their cybersecurity risk environment, posture, and tolerance. To ensure that the voluntary mechanisms and sector guidance were grounded in facts, thoughtful judgments, and practical in their design, the following feeder topics were examined:

Cyber Ecosystem and Dependencies
Top Threats and Vectors
Framework Requirements and Barriers

[8] National Association of Broadcasters, Legislative Priorities 111th Congress, 4, available at http://nab.org/documents/advocacy/NAB_111th_Legislative_Priorities.pdf.
[9] See U.S. Communications Sector Coordinating Council, The Communications Sector, http://www.commscc.org/ (last visited March 13, 2015).
[10] Cellular Telephone Industries Association (CTIA), Wireless Industry Indices Report Year-End 2013, 133 (June 2014).
[11] Federal Communications Commission, Local Telephone Competition: Status as of December 31, 2013, 29 (Oct. 2014), available at http://transition.fcc.gov/Daily_Releases/Daily_Business/2015/db0219/DOC329975A1.pdf.
[12] Cellular Telephone Industries Association (CTIA), Wireless Annual Wireless Industry Survey, http://www.ctia.org/yourwirelesslife/howwirelessworks/annualwirelessindustrysurvey (last visited Mar. 13, 2015).
[13] See id.
Small and Medium Businesses
Measurements

Each of the segment subgroups, informed by the findings of the topical feeder subgroups, evaluated the applicability of the NIST Cybersecurity Framework's 98 subcategories to their segment, prioritized the applicable subcategories on an illustrative basis, and assessed the challenges of implementation and effectiveness for each applicable subcategory. The segment and feeder subgroup findings and resulting NIST Cybersecurity Framework implementation guidance are contained in the appendices to this report.

The key macro-level assurances developed by WG4 were designed to demonstrate how communications providers are appropriately managing cybersecurity risks through the application of the NIST Cybersecurity Framework, or an equivalent construct. The FCC described the desired characteristics of the assurances as:[14]

Tailored by individual companies to suit their unique needs, characteristics, and risks;
Based on meaningful indicators of successful cyber risk management; and
Allowing for meaningful assessments both internally and externally.

A. Voluntary Mechanisms

As evidence of the Communications Sector's commitment to enhance cybersecurity risk management capabilities across the sector and the broader ecosystem, and to promote use of the NIST CSF, CSRIC recommends three new voluntary mechanisms to provide the appropriate macro-level assurances:

FCC-initiated confidential company-specific meetings, or similar communication formats to convey their risk management practices. The meetings would be covered by protections afforded under the Protected Critical Infrastructure Information (PCII)[15] administered by the Department of Homeland Security (DHS);

A new component of the Communications Sector Annual Report that focuses on segment-specific cybersecurity risk management, highlighting efforts to manage cybersecurity risks to the core critical infrastructure; and

Active and dedicated participation in the DHS Critical Infrastructure Cyber Community C3 Voluntary Program,[16] to help industry increase cybersecurity risk management awareness and use of the Framework.

[14] See supra note 1, at 4.
[15] See Department of Homeland Security, Protected Critical Information Program, http://www.dhs.gov/protectedcriticalinfrastructureinformationpciiprogram (last visited Mar. 13, 2015) [hereinafter PCII Program].
[16] See Department of Homeland Security, About the Critical Infrastructure Cyber Community C³ Voluntary Program, http://www.dhs.gov/aboutcriticalinfrastructurecybercommunityc%C2%B3voluntaryprogram (last visited Mar. 13, 2015) [hereinafter DHS C3 Voluntary Program].
1) Confidential Company-Specific Meetings: The sector supports the development of a voluntary program for periodic meetings, or an alternative means of communications among the FCC, DHS, and individual companies that agree to participate. The purpose of these meetings would be to discuss efforts by the organizations to develop risk management practices consistent with the NIST Cybersecurity Framework or equivalent constructs. During the meetings, the participating companies would share information regarding cyber threats or attacks on their critical infrastructure, and the organization's effort to respond to or recover from such threats or attacks. Companies that choose to participate in this program would be afforded the protections that are given by the federal government to critical infrastructure owners and operators under the PCII program or a legally sustainable equivalent. This voluntary mechanism represents a new level of industry commitment intended to promote additional transparency, visibility, and dialogue with appropriate government partners and our regulator in the area of cybersecurity risk management.

2) Sector Annual Report: The Sector recognizes that the increasing frequency, sophistication, and destructive nature of cyber attacks spurs concerns about what companies are doing to manage their cybersecurity risks. WG4 initiated the Measurement subgroup to analyze how to best demonstrate the overall state of cybersecurity within the communications sector. The Measurement subgroup recommends that the Communications Sector Coordinating Council (CSCC), as the official interface for the sector, can include information on the cybersecurity of critical communications network infrastructure in future drafts of the Sector Annual Report (SAR) starting in 2015. The SAR would then be provided to DHS, which is the communications sector's SSA, and the Government Coordinating Council (GCC), which includes the FCC. This new voluntary mechanism reflects a material enhancement to the existing SAR because it would provide greater insight into the threats posed to the sector, and the actions taken to ensure continued availability of the core network infrastructure and the critical services that depend on its availability and integrity.

3) Active Participation in DHS C3 Outreach and Education: The Department of Homeland Security oversees a program that it created in response to a directive contained in Executive Order 13636. DHS created the Critical Infrastructure Cyber Community C³ Voluntary Program as part of what it describes as an innovative public-private partnership designed to help align critical infrastructure owners and operators with existing resources that will assist their efforts to adopt the Cybersecurity Framework and manage their cyber risks.[17] The Program emphasizes three Cs:

[17] See DHS C3 Voluntary Program.
Converging critical infrastructure community resources to support cybersecurity risk management and resilience through use of the Framework;

Connecting critical infrastructure stakeholders to the national resilience effort through cybersecurity resilience advocacy, engagement, and awareness; and

Coordinating critical infrastructure cross-sector efforts to maximize national cybersecurity resilience.

The Communications Sector has already participated in development activities and was recently featured in the first of a series of C³ webinars where CSRIC Working Group 4 activities were described.[18] To advance the use of the Framework through the implementation guidance contained in this report and from other sources, the communications sector will develop a series of webinars and other reference materials. The goal is to increase awareness by sector enterprises, guide their use of the NIST CSF and explain the innovative processes, solutions, and lessons learned from the communication sector's leaders in using the Framework.

B. Guidance to Individual Companies on the Use of the NIST Framework

Charged with providing implementation guidance to facilitate the use and adaptation of the voluntary NIST Cybersecurity Framework by communications providers, the WG4 members developed and applied a variety of analytical tools and methods that could serve as a primer for companies when reviewing their own risk management processes. The NIST CSF Version 1.0 offers organizations direction when they are implementing or enhancing their cybersecurity risk management program. In addition, the report provides informative references that include leading cybersecurity protocols, resources, and tools. NIST emphasized the voluntary nature of the Framework, noting that it is designed to use business drivers to guide cybersecurity activities and to manage cybersecurity risk in a cost-effective way based on business needs without placing additional regulatory requirements on businesses.[19] While this report incorporates findings, conclusions, and recommendations related to guiding individual companies on the use of the Framework, many communications companies have long-standing and mature cybersecurity risk management capabilities, and others within the communications sector did not wait for this report to be finalized before beginning their evaluation of the applicability of the Framework components to their enterprise. Reducing cybersecurity risk by implementing widely recognized standards and guidelines[20] has been a hallmark of communications industry practice, and is supported by

[18] See Department of Homeland Security, C-Cubed Voluntary Program, https://share.dhs.gov/p1qqp8dvu34/ (last visited Mar. 13, 2015).
[19] See NIST CSF.
[20] See Government Accountability Office, Critical Infrastructure Protection: Cybersecurity Guidance is Available, but More Can Be Done to Promote Its Use (Dec. 2011), available at http://www.gao.gov/assets/590/587529.pdf.
exceptionally high levels of service availability.[21] Notwithstanding this fact, the NIST Framework is a seminal document in organizing risk management activities across a broad global landscape. Over 100 professionals from across the communications sector and the broader stakeholder community have worked tirelessly over the past 12 months to produce a report with recommendations on Framework use which should have immediate and practical value for individual sector companies and other key stakeholders.

1) Governance: The NIST Framework emphasizes the importance of taking a holistic approach to cybersecurity, viewing it as an enterprise-wide, strategic risk management matter, rather than as a narrow information technology (IT) or network management domain.

When managing cybersecurity risks, it is essential to incorporate a risk governance process into the program. The key objective is to ensure that an inclusive, independent, and holistic assessment of the current and future enterprise risk posture is routinely undertaken, and to align the enterprise's business mission with sound and effective cybersecurity practices, protocols, and tools. For many companies, establishment of a dedicated cross-enterprise cybersecurity risk governance function can facilitate this key objective. Such a governance authority should be sufficiently representative of the organization to achieve the following:

Identify potential risks and a variety of risk tolerance perspectives;
Apply independence and authority to risk management activities;
Ensure transparency through the risk decision-making and implementation process;
Define and communicate the enterprise's risk tolerance; and
Continually adapt and assess cybersecurity risk management goals and objectives.

While the specific structure and operational practices of these governing bodies can and will vary among individual companies, the foundational principle is that every company should treat cybersecurity as a key component of overall enterprise risk management.

2) NIST CSF Implementation Recommendations: The WG4 industry segment subgroup reports in the appendices to this report provide concrete guidance on how use of the Framework can bolster cyber readiness. Each WG4 segment subgroup report surveys infrastructure core assets and critical services, and also employs use cases, all with the aim of offering guidance in how to incorporate the risk management

[21] See Federal Communications Commission, Network Outage Reporting System (NORS), http://transition.fcc.gov/pshs/services/cip/nors/nors.html (last visited Mar. 13, 2015) (a web-based filing system through which communications providers covered by C.F.R. Part 4 reporting rules submit outage reports to the FCC, and allows the FCC to perform analyses and studies of the communications disruptions reported).
protocols and practices referenced in the Framework with the operating environment of the respective industry segment.

In addition to the segment-specific guidance provided to broadcast, cable, satellite, wireless and wireline companies through the industry segment subgroup reports, WG4 also developed cyber risk management recommendations that apply to the sector across the board. Companies are urged to:

Review the WG4 report and use its analytical process to adapt the NIST Cybersecurity Framework approach to cybersecurity risk management to their own operations and networks;

Distribute the NIST Cybersecurity Framework and appropriate components of the WG4 report to company officers and personnel whose duties encompass cybersecurity management and operations;

Ensure that operators and vendors in every layer of the TCP/IP model conduct their operations with cybersecurity diligence, to prevent and respond to attacks on their networks and operational support systems; and

Recognize that threat knowledge is power and consider adopting a threat intelligence handling model[22] to enhance protection of critical infrastructure. This includes sharing more detailed threat intelligence information with trusted stakeholders to improve information gathering for use in threat analyses and cyber risk management decision-making.

C. Communication Sector Commitment to Advancing Cybersecurity Risk Management

While this WG4 CSRIC report represents a major milestone, the WG4 members acknowledge that we are not at the finish line. Efforts to help enterprises manage cybersecurity risk must be continuous and ongoing to adapt to a continually changing ecosystem and threat landscape. While the sector will actively promote use of the Framework through ongoing and anticipated work in multiple venues, the Working Group members are also cognizant that each enterprise must decide how to utilize and implement the Framework or an equivalent risk management construct. The mechanisms and assurances highlighted below are intended to demonstrate the sector's commitment to industry-led solutions based on close collaboration with our government partners and regulators.

[22] See infra 9.10, Threat Intelligence Handling Model.
II. INTRODUCTION

Working Group 4 marked a fundamental CSRIC shift to a risk management construct that aligns with the five functions identified in the NIST Framework (i.e., Identify, Protect, Detect, Respond and Recover). Many in government and the private sector have come to understand that the traditional multi-year CSRIC review cycles can no longer keep pace with the accelerating deployment of new network and edge technologies across the ecosystem along with the rapid advancements in increasingly inexpensive, perishable, and more sophisticated cyber threats. With the issuance of the 2013 Presidential Executive Order 13636, Improving Cybersecurity Critical Infrastructure, and the subsequent 2014 release of the NIST Cybersecurity Framework Version 1.0, there is renewed emphasis on cybersecurity risk management as the foundation for protecting our nation's critical infrastructure. The U.S. government has clearly endorsed development of a voluntary, risk-based model that enables organizations to prioritize and implement solutions based on informed, enterprise-tailored, business-driven considerations. The government acknowledged that cost-effectiveness is an important consideration when evaluating new security measures and recognizes that incentives may be required in certain circumstances. It is also generally acknowledged that meaningful methods to assess the costs and benefits of cybersecurity investment are often elusive.

In a June 2014 speech to the American Enterprise Institute, FCC Chairman Tom Wheeler endorsed the risk management approach, stating that "...companies must have the capacity to assure themselves, their shareholders and boards and their nation of the sufficiency of their own cyber risk management practices. These risk assessment approaches will undoubtedly differ company by company. But regardless of the specific approach a company might choose, it is crucial that companies develop methodologies that give them a meaningful understanding of their risk exposure and risk management posture that can be communicated internally and externally. That is what we are asking our stakeholders to do."[23]

To set a path for widespread use of risk management processes by sector enterprises, WG4 studied the Framework components and the factors that are most likely to impact enterprise-level risk management decisions. The project was structured around five independent industry segments based on their common operating environments and architectures. The segments included Broadcast, Cable, Satellite, Wireless, and Wireline. Each segment made its own determination as to what critical infrastructure should be categorized as in scope or out of scope and which of the NIST categories and subcategories were most critical to protecting that infrastructure. Each group chose criteria to prioritize the risk management processes. The analyses were intended to be illustrative examples of how individual companies in each segment could go about assessing and prioritizing the framework components. The industry-based segments were supported by the five subject-matter-oriented feeder groups. The Requirements and Barriers group evaluated the operations and technology

[23] See Chairman Wheeler's Remarks at 7.
requirements and the barriers associated with each of the 98 NIST subcategories. The Cyber Ecosystem group examined the ecosystem-dependent landscape for communications providers and the most prominent threats that are flowing across the Internet stack.[24] The Top Cyber Threats team evaluated the evolving threat environment and identified enterprise-level processes and a community threat model that could be used by the communications sector to share information and coordinate response and recovery activities. The Measurement group examined challenges associated with obtaining reliable indicators of causality (i.e., risk process/risk reduction) and effective mechanisms to address stakeholder interests in key indicators. And, since many providers classify as small and medium-sized enterprises, the Small and Medium Business group looked at their unique challenges and provided guidance on Framework-related approaches suitable for such organizations.

The Communications Sector continues to be a leader in cybersecurity because providers offer a broad array of communication services to some of the most demanding customers in the world. For all communication providers, ensuring the integrity and resilience of their networks and the availability of services is a mission-critical responsibility. Meaningful indicators of critical service availability, reliability, resiliency, and integrity show their success in this arena. However, across the broad spectrum of providers there is a range of risk management capabilities that may often be associated with providers' ability to recover the cost of cybersecurity investment in a highly competitive market. While enterprise size is often associated with risk management capabilities, it is not always the only factor. In fact, an organization's unique threat environment, its understanding of vulnerabilities, its business strategy, and its overall tolerance of risk can influence investment decisions.

This report provides a valuable roadmap for companies in our sector to validate their existing risk management processes and/or enhance their capabilities based on an ongoing evaluation of their threats, vulnerabilities, and risk tolerance. The feeder subgroups' contributions, including their analyses, findings, and implementation guidance, along with the segment subgroups' implementation guidance and assessment of the applicability of the NIST Cybersecurity Framework's 98 subcategories to each segment, are presented as appendices to this report and can be used by companies, large and small, to further guide their use of the NIST Cybersecurity Framework in managing their cybersecurity risks. Equally important, the WG4 members propose a set of voluntary mechanisms and FCC recommendations that leverage the communication sector's existing organizational structure, experience, and cybersecurity risk management sector leadership to provide the requested macro-level assurances. The report concludes by suggesting the FCC coordinate with other departments and agencies to promote education and awareness of the cybersecurity risks inherent in critical communications infrastructures, and promote the voluntary steps the communication sector takes to manage their cybersecurity risks.

[24] See Wikipedia, Structure of the Internet: TCP IP protocol stack, http://en.wikibooks.org/wiki/Alevel_Computing/AQA/Computer_Components,_The_Stored_Program_Concept_and_the_Internet/Structure_of_the_Internet/TCP_IP_protocol_stack (last visited Mar. 13, 2015).
III. BACKGROUND

On February 12, 2013, President Obama issued Executive Order 13636, Improving Critical Infrastructure Cybersecurity,[25] which set in motion a wide range of government initiatives designed to advance the nation's cybersecurity resiliency. In its policy introduction, the Order articulated societal values to be promoted and reinforced the public-private partnership construct as the mechanism for making progress:

"It is the policy of the United States to enhance the security and resilience of the Nation's critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties. We can achieve these goals through a partnership with the owners and operators of critical infrastructure to improve cybersecurity information sharing and collaboratively develop and implement risk-based standards."[26]

A key component of the President's Executive Order was the assignment given to the National Institute of Standards and Technology (NIST), an agency of the U.S. Department of Commerce, to lead the development of a Cybersecurity Framework to reduce cyber risks to critical infrastructure. Critical infrastructure is defined as "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters."[27] NIST was given a list of what should be included in the final Framework and had one year to complete its work. The Order gave explicit instructions regarding the characteristics of the Framework and how it was to be used:

"The Cybersecurity Framework shall provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk. The Cybersecurity Framework shall focus on identifying cross-sector security standards and guidelines applicable to critical infrastructure. The Cybersecurity Framework will also identify areas for improvement that should be addressed through future collaboration with particular sectors and standards-developing organizations. To enable technical innovation and account for organizational differences, the Cybersecurity Framework will provide guidance that is technology neutral and that enables critical infrastructure sectors to benefit from a competitive market for products and services that meet the standards, methodologies,

[25] See Exec. Order No. 13,636, Improving Critical Infrastructure Cybersecurity, 78 FR 11737 (Feb. 19, 2013) [hereinafter EO 13636].
[26] Id. at 1: Policy.
[27] Id. at 2: Critical Infrastructure.
procedures, and processes developed to address cyber risks. The Cybersecurity Framework shall include guidance for measuring the performance of an entity in implementing the Cybersecurity Framework."[28]

To encourage use of the Cybersecurity Framework, the Department of Homeland Security (DHS) was ordered to establish a voluntary program to support owners and operators of critical infrastructure (and any other interested entities) that wanted to use the Framework as part of an existing or new risk management program. Sector-Specific Agencies were instructed to coordinate with the Sector Coordinating Councils to review the Cybersecurity Framework and, if necessary, develop implementation guidance or supplemental materials to address sector-specific risks and operating environments.[29]

The Communications Sector organized its participation in the Framework development effort through the CSCC, and Council representatives participated in all six NIST workshops held at major research universities throughout the country.[30] Industry representatives participated on panels, submitted comments, and had extensive dialogue with the Framework development team. On February 12, 2014, NIST released the Framework for Improving Critical Infrastructure Version 1.0,[31] stating that it enables organizations, regardless of size, degree of cybersecurity risk, or cybersecurity sophistication, to apply the principles and best practices of risk management to improving the security and resilience of critical infrastructure.[32] The authors noted that the Framework is not a one-size-fits-all approach to managing cybersecurity risk for critical infrastructure. Organizations will continue to have unique risks (different threats, different vulnerabilities, and different risk tolerances) and how they implement the practices in the Framework will vary.[33] The Cybersecurity Framework provides guidance on how it can be used by an organization to enhance an existing program or to create a new risk management program.

The Framework initiative was aligned with the efforts of the FCC's Communications Security, Reliability and Interoperability Council (CSRIC) IV. The CSRIC IV charter called for an update of the cybersecurity best practices that had been developed as part of CSRIC II Working Group 2A: Cyber Security Best Practices. That effort ended in March 2011 and produced 397 best practices covering a wide range of technology platforms and services.[34] At the urging of

[28] Id. at 7: Baseline Framework to Reduce Cyber Risk to Critical Infrastructure.
[29] Id. at 8: Voluntary Critical Infrastructure Cybersecurity Program.
[30] See National Institute of Standards and Technology, Cybersecurity Framework Workshops and Events, http://www.nist.gov/cyberframework/cybersecurityframeworkevents.cfm (last visited Mar. 13, 2015).
[31] See NIST CSF.
[32] Id. at 1.
[33] Id. at 2.
[34] See Federal Communications Commission, The Communications Security, Reliability and Interoperability Council II, Working Group 2A Cybersecurity Best Practices Final Report (2011), available at http://transition.fcc.gov/pshs/docs/csric/WG2ACyberSecurityBestPracticesFinalReport.pdf.
-
TheCommunicationsSecurity,ReliabilityandInteroperabilityCouncilIV WorkingGroup4FinalReport March2015
15
industryrepresentatives,theFCCagreedthatCSRICIVWorkingGroup4shouldbeginworkimmediatelyfollowingtheFebruary2014releaseoftheFrameworkbecauseindustrywasasignificantcontributorofresourcestothemultistakeholdercollaborativeprocessthatwasbeingcoordinatedbyNIST.ItwasalsounderstoodthatthesubsequentCSRICIVWorkingGroup4effortwouldbenefitfrombeinginformedbytheNISTprocessandfinalproduct.Toeffectivelyexecuteaprojectofthisscope,theWorkingGroupCoChairsestablishedaLeadershipTeamtoensurethatqualifiedresourceswereappropriatelyappliedtoworkeffortsandthattheworkproductsalignedwiththeoverallobjectivesoftheeffort.ThisLeadershipTeamevolvedtoinclude20individualsthatservedassegmentandfeedergroupleadersandaTechnicalandPolicyAdvisoryBoardthatincludedseniorrepresentativesfromNIST,theWhiteHouseNationalSecurityOffice,andtheFCC.Withover100volunteersrepresentingthefivemajorindustrysegmentsaswellasstakeholdersfromothersectors,academia,andstateandfederalgovernment,thiswasthelargestWorkingGroupeffortundertakeninthehistoryoftheCSRICandtheNetworkReliabilityandInteroperabilityCouncil(NRIC)(i.e.,CSRICspredecessor).
A. CSRIC Structure

Communications Security, Reliability, and Interoperability Council (CSRIC) IV
CSRIC Steering Committee

Each Working Group is led by a Chair or Co-Chairs:
Working Group 1: Next Generation 911
Working Group 2: Wireless Emergency Alerts
Working Group 3: EAS
Working Group 4: Cybersecurity Risk Management and Best Practices
Working Group 5: Server Based DDoS Attacks
Working Group 6: Long Term Core Internet Protocol Improvements
Working Group 7: Legacy Best Practice Updates
Working Group 8: Submarine Cable Landing Sites
Working Group 9: Infrastructure Sharing During Emergencies
Working Group 10: CPE Powering
B. Leadership Team

C. Working Group 4 Team Members

Working Group 4 consists of the members listed below.

Name | Company
Robert Mayer (Co-Chair) | US Telecom Association
Brian Allen (Co-Chair) | TW Cable
Donna Dodson (Senior Tech Advisor) | National Institute of Standards and Technology
Emily Talaga (Senior Economic Advisor) | Federal Communication Commission
Vern Mosley (FCC Liaison) | Federal Communication Commission
Adrienne Abbott | Nevada EAS Chair
Anthony Acosta | Northrop Grumman
Michael Alagna | Motorola Solutions
Carl Anderson | Van Scoyoc Associates
Nadya Bartol | Utilities Telecom Council
James Bean | Juniper Networks
Chris Boyer | AT&T
Chuck Brownawell | Sprint Corporation
Lois Burns | PA Public Utility Commission
Ingrid Caples | Department of Health and Human Services
Joel Capps | Ericsson
Lisa Carnahan | NIST
Dan Cashman | FairPoint
Nneka Chiazor | Verizon
Larry Clinton | Internet Security Alliance
Edward Czarnecki | Monroe Electronics
Kate Dean | USISPA
Paul Diamond | CenturyLink
Martin Dolly | AT&T (representing ATIS)
Tanner Doucet | Internet Security Alliance
Seton Droppers | PBS Technology & Operations
Victor Einfeldt | Iridium
Russell Eubanks | Cox Communications, Inc
Paul Ferguson | Internet Identity
Inette Furey | Department of Homeland Security
Andrew Gallo | George Washington University
Chris Garner | CenturyLink
Michael Geller | Cisco (representing ATIS)
My K. Gomi | NTT America
Jessica Gulick | CSG International
Stacy Hartman | CenturyLink
Mary Haynes | Charter
Chris Homer | PBS
Charles Hudson, Jr | Comcast
Wink Infinger | Florida Department of Management Services
Chris Jeppson | Consolidated
Susan Joseph | CableLabs
Franck Journoud | Oracle
Merike Kaeo | Internet Identity
Kevin Kastor | Consolidated
John Kelly | Comcast
Danielle Kriz | Information Technology Industry Council
Rick Krock | Alcatel-Lucent
Jeremy Larson | Silver Star
Greg Lucak | Windstream
Ethan Lucarelli | Wiley Rein LLP
Daniel Madsen | US Bank
John Marinho | CTIA
Heath E. McGinnis | Verizon
Donna Bethea Murphy | Iridium
Paul Nguyen | CSG International
Jorge Nieves | Comcast
Michael O'Reirdan | Comcast (representing MAAWG)
Martin Pitson | Telesat
Joel Rademacher | Iridium
J. Bradford Ramsay | NARUC
Alan Rinker | Boeing
Chris Roosenraad | TW Cable
Tony Sager | Council on Cybersecurity
Harold Salters | T-Mobile
Brian Scarpelli | TIA Online
Karl Schimmeck | SIFMA
J.J. Shaw | O3b Government
Ray Singh | ACS
Tom Soroka | US Telecom Association
Craig Spiezle | Online Trust Alliance (OTA)
Matt Starr | CompTIA
Bill Taub | Cablevision Systems Corporation
Robert Thornberry | Bell Labs/Alcatel-Lucent
Sheila Tipton | Iowa Utilities Board
Matt Tooley | NCTA
Bill Trelease | CTO Delhi Telephone Company
Colin Troha | CSG Invotas
S. Rao Vasireddy | Alcatel-Lucent (TIA representative)
Joe Viens | TW Cable
Christian Vogler | Gallaudet University
Jesse Ward | NTCA
Errol Weiss | Citi
Kathy Whitbeck | Nsight/Cellcom
Jack Whitsitt | National Electric Sector Cybersecurity Organization
Kelly Williams | National Association of Broadcasters (NAB)
Shawn Wilson | VeriSign
Pamela A. Witmer | PA Public Utility Commission
Shinichi Yokohama | NTT

Table 1: List of Working Group Members

IV. OBJECTIVE, SCOPE, AND METHODOLOGY
A. Objective
The NIST Framework was designed as a multi-sector baseline document that individual sectors could tailor in ways that might make it more relevant and useful to organizations operating within their sector. In the case of the expansive communications sector, a segment specific analysis was deemed to be more productive (i.e., broadcast, cable, satellite, wireless, and wireline segments). Consequently WG4 participants focused on developing segment specific cyber risk management approaches and guidance that would serve as a foundation for producing the assurances called for in the CSRIC IV Working Group 4 description. As outlined below, the Working Group's assurances and recommendations build upon the foundational work in the Framework Version 1.0 and are supported by fact based analyses and informed judgments in areas that are critical to the ability of the communications sector and enterprises to evolve their cybersecurity risk management profiles. Working Group 4's efforts were designed to provide individual service providers an ability to assure themselves, their shareholders or owners, their boards, and external stakeholders that they are taking appropriate steps to manage cybersecurity risk. While individual enterprises are given flexibility on how they use the Framework, Working Group 4 focused on tailoring the Framework to the unique considerations of the segments and providing macro level analyses and mechanisms to sustain risk management capabilities.

B. Scope
Working Group 4 was tasked with producing a practical, cost effective, and segment tailored model of risk management with meaningful indicators to communicate assurances to internal and external stakeholders. To facilitate sector wide use of the Framework or an alternative risk management construct, it was necessary to evaluate the five Framework functions, 22 categories, 98 subcategories, and the factors that would impact an enterprise's decision to adopt or enhance a particular risk management process. Additionally, the Working Group developed, tested, and utilized an analytical template that an enterprise could adopt to prioritize its risk management activities based on a critical examination of considerations that would be relevant to its unique circumstances.
C. Methodology
The project methodology was designed to provide strong factual and analytical underpinnings to support service providers' cybersecurity risk management activities. The project was structured as an iterative process to ensure that segment analyses were constantly evaluated as new feeder group input was received. That process is illustrated below.
Figure 1: Segment Analysis Process
The effort began with the development of an analytical template that each of the segments used to evaluate how the Framework's structure might be applied to an enterprise operating in its segment.
The segment teams were first asked to determine whether a particular Framework Function, Category or Subcategory was deemed to be in scope or out of scope for purposes of prioritizing risk management processes. The five segments relied on work completed as part of the 2012 National Sector Risk Assessment for Communications, which examined the common operating environments of the five segments and identified core infrastructure and associated critical services. Each segment made an independent determination as to which Framework Categories and Subcategories met the criteria for being identified as in or out of scope. The flexibility afforded to the segment teams was consistent with the Framework's emphasis on flexibility and was designed to be illustrative for individual companies that might make similar scoping determinations.
Figure 2: Segment Scoping Analysis
Once a process was determined to be in scope, the next analytical component was identification and ranking of criteria. Segments were free to select relevant criteria among a set that included the criticality of a particular process, the difficulty associated with implementing a particular process, and how effective it could be in mitigating cybersecurity risk.
Figure 3: Segment Identification and Ranking of Criteria
How to prioritize Framework processes rested on work that was developed by the feeder groups. Once a determination was made regarding the criticality of a particular process, a structured basis for determining difficulty was developed by the Requirements and Barriers Feeder Group. For each of the 98 subcategories included in the Framework, a team reviewed the operational and technological requirements associated with implementing that specific risk management process. Understanding these requirements and the potential barriers or challenges for organizations of varying size and scope was critical to making supportable arguments around difficulty.
Figure 4: Requirements and Barriers
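The three methodology steps above (scope a subcategory in or out, score it on the chosen criteria, rank the in-scope items) are the kind of analytical template a company can reproduce in a few lines. The following is an added illustration, not a tool from the report or from Working Group 4: the subcategory identifiers are NIST CSF v1.0 identifiers, but the scores, the criterion weights and the choice to invert difficulty (so that an easy, critical, effective control ranks first) are assumptions made for this example, and any real segment would substitute its own.

```python
"""Added illustration of a WG4-style analytical template: scope each
Framework subcategory in or out, score the in-scope ones on criticality,
difficulty and effectiveness, and rank them. Subcategory IDs are NIST CSF
v1.0 identifiers; the scores, weights and the inverted difficulty scale are
constructed assumptions for this example, not values from the report."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Assessment:
    subcategory: str      # CSF v1.0 subcategory identifier, e.g. "ID.AM-1"
    in_scope: bool        # segment scoping decision (step 1)
    criticality: int      # 1 (low) .. 5 (high): how essential the process is
    difficulty: int       # 1 (easy) .. 5 (hard): requirements and barriers
    effectiveness: int    # 1 (low) .. 5 (high): risk reduction if implemented


# Constructed sample assessments (assumed values, not the report's).
SAMPLE = [
    Assessment("ID.AM-1", True, 5, 2, 4),
    Assessment("ID.AM-2", True, 4, 3, 3),
    Assessment("PR.AC-1", True, 5, 3, 5),
    Assessment("DE.CM-1", True, 4, 4, 5),
    Assessment("RS.RP-1", True, 3, 2, 3),
    Assessment("ID.BE-5", False, 2, 1, 2),  # scoped out by this segment
]

# Assumed weights; a segment or company would pick its own (must sum to 1).
DEFAULT_WEIGHTS = {"criticality": 0.5, "difficulty": 0.2, "effectiveness": 0.3}


def validate(a: Assessment) -> None:
    """Reject scores outside the 1..5 scale so a typo cannot skew the ranking."""
    for name in ("criticality", "difficulty", "effectiveness"):
        v = getattr(a, name)
        if not 1 <= v <= 5:
            raise ValueError(f"{a.subcategory}: {name}={v} outside 1..5")


def priority_score(a: Assessment, weights=DEFAULT_WEIGHTS) -> float:
    """Weighted score in 1..5. Difficulty is inverted (6 - difficulty) so that
    an easy, critical, effective control ranks first."""
    validate(a)
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1")
    return round(
        weights["criticality"] * a.criticality
        + weights["difficulty"] * (6 - a.difficulty)
        + weights["effectiveness"] * a.effectiveness,
        3,
    )


def prioritize(assessments, weights=DEFAULT_WEIGHTS):
    """Return (subcategory, score) pairs for in-scope items, highest priority
    first. Ties are broken by criticality, then by lower difficulty, then ID."""
    scored = [
        (a.subcategory, priority_score(a, weights), a.criticality, a.difficulty)
        for a in assessments
        if a.in_scope
    ]
    scored.sort(key=lambda t: (-t[1], -t[2], t[3], t[0]))
    return [(sub, score) for sub, score, _, _ in scored]


if __name__ == "__main__":
    for sub, score in prioritize(SAMPLE):
        print(f"{sub:8s} {score:.2f}")
```

With the assumed inputs the ranking is PR.AC-1, ID.AM-1, DE.CM-1, ID.AM-2, RS.RP-1, and the scoped-out ID.BE-5 never appears; changing the weights (for instance giving difficulty more weight for a small operator facing the barriers discussed in the Requirements and Barriers analysis) reorders the list without changing the scoping decision.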
V. FINDINGS
Working Group 4 strived to do more than just develop a tool that communication providers can use to adapt the Framework in a voluntary, prioritized, and cost effective fashion. The Working Group endeavored to break new ground in understanding cybersecurity risk management. As such, teams were established to address the unique considerations of small and medium enterprises in the sector, the ecosystem and dependencies that impacted risk, the threats and ways in which organizations can evolve capabilities as new threats arise, the barriers to implementing successful risk management regimes, and the appropriate mechanisms and measures to address a dynamic set of cyber conditions.

This report demonstrates the communications sector's capability to address the evolving cyber threat through voluntary collaboration. This position is supported by the ongoing level of critical service availability, reliability, and resiliency across the communications industry. The findings, like the conclusions and recommendations, are organized around the five key areas of the Working Group 4 charge:35 (1) macro level assurances, (2) voluntary mechanisms, (3) use of the NIST Cybersecurity Framework or an equivalent construct, (4) meaningful indicators of successful cyber risk management, and (5) communications sector implementation guidance for using the NIST Cybersecurity Framework.
A. Macro Level Assurance Findings
The following summary findings address the Working Group 4 charge to provide macro level assurance that communications providers are taking the necessary corporate and operational measures to manage cybersecurity risks.
• CSRIC found that adapting the voluntary Framework is an effective way to manage cybersecurity risk.
• Communications sector members share detailed threat intelligence information with appropriate stakeholders, within the confines of existing law.
• Work is underway on the incentives category that is recognized in EO 13636 as an essential factor in improving critical infrastructure cybersecurity.
• Communications sector members are taking steps to advance their cybersecurity risk management practices, although variations exist with respect to levels of program development and implementation.
• The communications sector organizes its strategic, planning and operational cybersecurity activities through three respective entities: the National Security Telecommunications Advisory Committee (NSTAC), the Communications Sector Coordinating Council (CSCC)/Government Coordinating Council (GCC), and the Communications Information Sharing and Analysis Center (Comm-ISAC).
• Small and Medium Businesses (SMBs) have unique circumstances and challenges that may influence their approach to implementing the Framework and providing macro level assurances.

35 See supra note 1, at 4.
B. Voluntary Mechanisms Findings
The following summary findings address the Working Group 4 charge to identify voluntary mechanisms to provide macro level assurances.
• A static checklist methodology is not an effective defense, as it limits the methods and tactics by which an organization can prepare for or respond to imminent and evolving threats.
• CSCC/GCC is an effective organizational structure for integrating a new initiative to evaluate how cybersecurity threats are measured at the sector level.
• Key government stakeholders have a legitimate interest in gaining information about cybersecurity threats to critical infrastructure and the effectiveness of cybersecurity risk management practices.
C. Use of the NIST Cybersecurity Framework or an Equivalent Construct Findings
The following summary findings address the Working Group 4 charge to provide macro level assurances that demonstrate how communications providers are reducing cybersecurity risks through the use of the NIST Cybersecurity Framework or an equivalent construct.
• Use of a community model for threat intelligence or information sharing and analysis can help organizations in their quest to protect their critical infrastructure and critical data from future cyber threats.
• Use of the voluntary NIST CSF provides a consistent cybersecurity risk management approach and a common taxonomy to improve internal and external communications regarding cybersecurity risk management.
• Prior to the NIST CSF, many communications sector members already were actively engaged in equivalent processes to successfully manage cybersecurity risks.
D. Meaningful Indicators Findings
The following summary findings address the Working Group 4 charge to provide macro level assurances that are based on meaningful indicators of successful cyber risk management.
• Meaningful indicators of successful (or unsuccessful) cyber risk management focus on measurable outcomes.
• It is difficult to measure the effectiveness of the communications sector's cybersecurity risk management processes in isolation, given its interdependencies on other critical infrastructure sectors.
E. Communications Sector Implementation Guidance Findings
The following summary findings address the Working Group 4 charge to give the communications sector guidance on how to implement the NIST Cybersecurity Framework.
• The NIST Cybersecurity Framework is an effective mechanism to create a new risk management process or to enhance existing cybersecurity risk management processes.
• Cyber attacks have been observed and mapped to every layer of the TCP/IP communication model, and subsequently against every identified category of the ecosystem. Cyber attacks will continue to occur at every level of the TCP/IP communications model. It is important that all operators and vendors in every layer of the TCP/IP model conduct their operations with the appropriate level of cybersecurity diligence.
• The communications sector is part of a vast interdependent ecosystem that requires sharing cybersecurity responsibilities among a variety of stakeholders and depends on multiple non-communications sector ecosystem entities to make the communications infrastructure more secure.
• Further outreach is needed to ensure that the SMB community is engaged in the network risk management discussion generally, and aware of the benefits of the NIST Framework specifically.
• It is not a matter of IF a communications sector member will be attacked, but a matter of WHEN they will be attacked, and threat knowledge is essential to protect against attacks.
VI. CONCLUSIONS
The conclusions drawn below align with the key task areas assigned to Working Group 4 and are supported by a year-long effort involving substantial inquiries into cybersecurity activities at the enterprise, segment, and sector levels.
A. Macro Level Assurance Conclusions
The following conclusions address the Working Group 4 charge to provide macro level assurance that communications providers are taking the necessary corporate and operational measures to manage cybersecurity risks.
• No new regulations are needed or warranted to address conformity to the NIST Framework. Such a regulatory regime would spur a minimum standard, not maximum effort, and would undermine adaptability and innovation.
• Cyber threat information sharing results in efficient and scalable information that all parties can use to develop threat analyses and to make cyber risk management decisions.
• Progress on incentives is necessary to overcome many of the barriers identified in this report.
• The steps the communications sector members are taking to advance their cybersecurity risk management practices can be conveyed to relevant stakeholders with appropriate protections for security and market purposes. The NSTAC, CSCC/GCC, and Comm-ISAC are effective venues for information sharing and collaboration regarding reduction of cybersecurity risks, not only among their members but with other critical infrastructure sectors and government departments and agencies that are dependent upon the communications sector's critical infrastructure and services.
• Special considerations and accommodations may be necessary for SMBs to implement the Framework and provide macro level assurances to the FCC and the public.
B. Voluntary Mechanisms Conclusions
The following conclusions address the Working Group 4 charge to identify voluntary mechanisms that can be used to provide macro level assurances.
• A checklist approach would prioritize compliance over an adaptable security risk based management model that is required to address the evolving cyber threat landscape.
• Future requests for measurements by government agencies into the impact of cybersecurity threats to communications infrastructure would be most effectively managed by the CSCC/GCC.
• The communications sector can make external stakeholders more aware of its corporate and operational cybersecurity risk management measures through current communications sector venues that have the requisite protections.
• Voluntary mechanisms, including an industry Sector Annual Report (SAR) and periodic meetings with communications sector members, can provide macro level assurance that communications providers are taking the appropriate measures to manage cybersecurity risks.
C. Use of NIST Cybersecurity Framework or Equivalent Construct Conclusions
The following conclusions address the Working Group 4 charge to provide macro level assurances that demonstrate how communications providers are managing cybersecurity risks through the use of the NIST CSF or an equivalent construct.
• The introduction of the NIST CSF represents a major breakthrough in the ability to communicate cybersecurity risk management principles and processes and can be effectively employed by the communications sector and applied to other critical infrastructure sectors.
• The use of the NIST CSF will continue to evolve within the communications sector as more experience is gained and shared.
• Continued interagency and federal/state coordination and collaboration with industry in advancing the Framework is needed to avoid fragmentation of industry and government resources.
D. Meaningful Indicators Conclusions
The following conclusions address the Working Group 4 charge to provide macro level assurances that are based on meaningful indicators of successful cyber risk management.
• Individual company malware infection rates, the number of hosted bots, and customer service complaints are not meaningful indicators of successful cyber risk management, as they are not outcome based measures.
• The availability of the critical infrastructure to deliver critical services is an outcome based measure and therefore a meaningful indicator of successful cyber risk management. If issues related to availability arise as a consequence of a cyber incident, the reliability, resiliency, and integrity of core network critical infrastructure may need additional examination.
• Further analysis is required to determine whether a comprehensive and valid set of cybersecurity effectiveness metrics can be applied on a cross-sector basis.
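The conclusion above turns on a distinction a practitioner has to implement: a count of infections or bots measures activity, while availability of a critical service over a reporting period measures the outcome. The following is an added example, not code or data from the report: it computes availability of a critical service from outage records, merging overlapping outages so that two concurrent incidents are not double counted, and separately reports the share of downtime attributed to cyber causes, which is the follow-up examination the conclusion calls for. The outage records, the service names, the "cyber" cause label and the 99.9% target are constructed assumptions for this example.

```python
"""Added illustration of availability of a critical service as an
outcome-based indicator. Outage records are constructed sample data; the
service names, the 99.9% target and the 'cyber' cause label are assumptions
for this example, not figures or definitions from the report."""
from datetime import datetime, timedelta

# Constructed outage log: (service, start, end, cause). Two records for
# "911-routing" overlap and must not be double counted.
OUTAGES = [
    ("911-routing", datetime(2015, 3, 1, 10, 0), datetime(2015, 3, 1, 12, 0), "cyber"),
    ("911-routing", datetime(2015, 3, 1, 11, 0), datetime(2015, 3, 1, 13, 0), "power"),
    ("911-routing", datetime(2015, 3, 20, 8, 0), datetime(2015, 3, 20, 8, 30), "cyber"),
    ("eas-relay", datetime(2015, 3, 5, 0, 0), datetime(2015, 3, 5, 0, 30), "fiber cut"),
]

# Reporting period used below: the calendar month of March 2015.
MARCH_2015 = (datetime(2015, 3, 1), datetime(2015, 4, 1))


def merge_windows(windows):
    """Merge overlapping or adjacent (start, end) intervals; returns a sorted list."""
    merged = []
    for start, end in sorted(windows):
        if end < start:
            raise ValueError("outage ends before it starts")
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def availability(outages, service, period_start, period_end, cause=None):
    """Fraction of the period during which `service` was up, with outages
    clipped to the period. With `cause` set, only outages with that cause
    count, which isolates the cyber-attributable share of downtime."""
    period = period_end - period_start
    if period <= timedelta(0):
        raise ValueError("empty reporting period")
    windows = []
    for svc, start, end, c in outages:
        if svc != service or (cause is not None and c != cause):
            continue
        start, end = max(start, period_start), min(end, period_end)
        if start < end:  # drop outages entirely outside the period
            windows.append((start, end))
    down = sum((e - s for s, e in merge_windows(windows)), timedelta(0))
    return 1.0 - down / period


def availability_report(outages, services, period_start, period_end, target=0.999):
    """Per-service availability, cyber-caused availability, and whether the
    (assumed) target was met: the indicator-style summary, not a control count."""
    report = {}
    for svc in services:
        total = availability(outages, svc, period_start, period_end)
        cyber = availability(outages, svc, period_start, period_end, cause="cyber")
        report[svc] = {
            "availability": round(total, 6),
            "cyber_only": round(cyber, 6),
            "meets_target": total >= target,
        }
    return report


if __name__ == "__main__":
    for svc, row in availability_report(OUTAGES, ["911-routing", "eas-relay"], *MARCH_2015).items():
        print(svc, row)
```

Over the 44,640 minutes of March, 911-routing accumulates 210 minutes of merged downtime (the two overlapping incidents count once, as 180 minutes) of which 150 minutes are cyber-caused, so it misses the assumed 99.9% target; eas-relay loses 30 minutes and meets it. The same records would also yield a bot or infection count, but only the availability figure says whether the critical service was delivered.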
E. Communications Sector Implementation Guidance Conclusions
The following conclusions address the Working Group 4 charge to give the communications sector guidance on implementing the NIST Cybersecurity Framework.
• Communications segment members will benefit from their review of this report and the analytical processes in the report that they can use to implement the NIST Framework or an equivalent construct.
• Use of the NIST CSF must remain flexible as one size does not fit all, and companies should use the Framework in a way that is appropriate to their risk environment, posture, and tolerance.
• The communications sector is effectively advancing the use of the NIST CSF as evidenced by the industry's participation in development of this report.
• As evident in this report, small and medium communications sector members have unique challenges to overcome in the use of the NIST CSF.
• Communications sector members are one component of a vast landscape of interdependent critical infrastructure ecosystem stakeholders that requires a high degree of information sharing (consistent with applicable law) and collaboration to effectively manage cyber risk.
• Use of the voluntary NIST CSF or equivalent risk management construct across all ecosystem stakeholders will improve cybersecurity risk management.
• As it relates to the use of the NIST CSF, sharing information about experiences and lessons learned across the ecosystem will facilitate improvements in the further development of the Framework and cybersecurity risk management generally.
• Communications sector members, as well as other critical infrastructure sectors, can share detailed threat intelligence information with appropriate stakeholders, consistent with current law, and thus enable more efficient and scalable threat information gathering for cyber risk management decision making.
• As NIST, DHS, the FCC, and industry continue their outreach, they should understand that a single method of outreach might not be sufficient for an SMB. A multifaceted approach is necessary.
VII. RECOMMENDATIONS
The following recommendations are consistent with the Federal Advisory Committee Act (FACA)36 rules under which CSRIC operates. These recommendations were developed with the intention of working with the FCC and other U.S. government agencies to enhance cybersecurity risk management competencies and to make useful resources available to enterprises across the broad communications sector.
A. Macro Level Assurance Recommendations
The following recommendations address the Working Group 4 charge to provide macro level assurance that communications providers are taking the necessary corporate and operational measures to manage cybersecurity risks.
• CSRIC recommends that the FCC leverage the resources and capabilities of the three primary communications sector organizations (i.e., NSTAC, CSCC/GCC, Comm-ISAC) to promote voluntary participation in risk management initiatives across all communications segments and providers.
• CSRIC recommends that the FCC promote sustained voluntary collaboration and facilitate the sharing of cybersecurity threat information. This can be accomplished by working with the communications sector members and other relevant agents of the U.S. government to identify and mitigate technical, operational, financial, and legal barriers to cyber information sharing.
• CSRIC recommends that the FCC further explore the considerations and accommodations that are required for SMBs to implement the NIST Cybersecurity Framework and provide macro level assurances to the FCC and the public.
B. Voluntary Mechanisms Recommendations
The following recommendations address the Working Group 4 charge to identify voluntary mechanisms to provide macro level assurances.
• CSRIC recommends that the FCC, in partnership with DHS, participate in periodic meetings with communications sector members, in accordance with Protected Critical Infrastructure Information (PCII) protections,37 to discuss their cybersecurity risk management processes and their use of the NIST CSF or equivalent construct.
• CSRIC recommends that the FCC use the current communications sector organizational structure within the CSCC/GCC to deliver an industry Sector Annual Report (SAR) that addresses the effectiveness of communications sector cybersecurity risk management processes.

36 See General Services Administration, Federal Advisory Committee Act (FACA) Management Overview, http://www.gsa.gov/portal/content/104514 (last visited Mar. 13, 2015).
37 See PCII Program or another legally sustainable construct.
C. Use of NIST Cybersecurity Framework or Equivalent Construct Recommendations
These recommendations address the Working Group 4 charge to provide macro level assurances that demonstrate how communications providers are managing cybersecurity risks through the NIST Cybersecurity Framework or an equivalent construct.
• CSRIC recommends that the FCC promote the voluntary use of the NIST CSF among all communications sector members, large and small, as well as across other critical infrastructure sectors that are interdependent with the communications sector.
• CSRIC recommends that the FCC work to coordinate and rationalize Framework related federal/state government initiatives to ensure efficient use of critical and scarce cybersecurity resources.
• CSRIC recommends that the FCC further incorporate an understanding of the changing threat landscape, sector ecosystem dependencies, and harmonization into previous CSRIC best practices and the NIST CSF.
D. Meaningful Indicators Recommendations
The following recommendations address the Working Group 4 charge to provide macro level assurances that are based on meaningful indicators of successful cyber risk management.
• CSRIC recommends that the FCC adopt availability of the critical communications infrastructure as the meaningful indicator of cybersecurity risk management.
• CSRIC recommends that the FCC leverage the communications sector's current organizational structure (i.e., CIPAC) to deliver an industry Sector Annual Report to address the proposed meaningful indicator and the corporate and operational initiatives the communications sector is taking to manage cybersecurity risk.
• CSRIC recommends that the FCC, in partnership with DHS and NIST, promote continued industry participation in efforts to evaluate the effectiveness of cybersecurity risk management processes in all sectors and their impact on the communications sector.
E. Communications Sector Implementation Guidance Recommendations
The following recommendations address the Working Group 4 charge to provide the communications sector with guidance for implementing the NIST Cybersecurity Framework.
• CSRIC recommends that the FCC encourage the dissemination of the NIST Framework and the WG4 report to appropriate communications sector member organizations, and in particular, to management and staff with cybersecurity management and operational responsibilities.
• CSRIC recommends that the FCC continue to collaborate with NIST and DHS in the further development of the NIST CSF and the promotion of programs to increase the voluntary use of the CSF.
• CSRIC recommends that the FCC partner with other departments and agencies to promote education and awareness of the cybersecurity risks inherent in critical communications infrastructures, and to promote steps that the communications sector can take to give external stakeholders macro level assurance that these collective actions are successfully managing cybersecurity risks.
• CSRIC recommends that the FCC promote an industry threat intelligence handling model (referenced in this report), or an equivalent construct, for organizations intending to use threat intelligence to maintain cybersecurity, protect critical infrastructure, and protect critical data from rapidly evolving cyber threats.
• CSRIC recommends that the FCC encourage communications sector members to share relevant threat intelligence information (consistent with applicable law) with appropriate stakeholders, thus enabling more efficient and scalable threat information gathering for use in threat analyses and cyber risk management decision making.
VIII. ACKNOWLEDGEMENTS
Working Group 4 would like to acknowledge the significant contributions of each of its members, for without their expertise, participation, analysis, and contributions throughout the process, the report findings, conclusions, and recommendations contained herein would not have been possible.

Working Group 4 would also like to acknowledge the segment and feeder subgroup leadership team, comprised of Kelly Williams, Matt Tooley, John Marinho, Chris Boyer, Donna Bethea Murphy, Harold Salters, Larry Clinton, Susan Joseph, Jesse Ward, Russell Eubanks, Joe Viens, Tom Soroka, Brian Scarpelli, and Chris Roosenraad, who led their teams in conducting the segment and feeder analyses upon which the report's findings, conclusions, and recommendations are based.

Working Group 4 would also like to acknowledge the Working Group's advisors, Donna Dodson, Lisa Carnahan, Tony Sager, and Emily Talaga, for their expertise, thoughtful advice, and encouragement throughout the process.

Working Group 4 would also like to acknowledge the FCC liaison to the Working Group, Vern Mosley, for his substantial support and contributions throughout the process.

Working Group 4 would also like to acknowledge Matt Tooley for his administration of the Working Group's box.com account that the Working Group used to collaborate in sharing information among the Working Group members and in producing the report.

Working Group 4 would also like to thank Robert Mayer, Pat Murray, Deontrea Campbell, and the many other USTelecom support staff members for hosting the Working Group 4 face to face meetings. The Working Group greatly appreciates the significant planning and logistics that went into hosting the many successful face to face meetings.

Working Group 4 would also like to acknowledge the skilled expertise and dedication of the Final Report drafting team comprised of Paul Diamond, Stacy Hartman, Robert Thornberry, Brian Allen, Robert Mayer, and the segment and feeder subgroup leadership team. Without their perseverance and attention to detail, the Final Report would not have been possible.

And last but certainly not least, the Working Group 4 members would like to acknowledge and thank our esteemed Working Group 4 co-chairs, Robert Mayer and Brian Allen. Their insight, focus, expertise, outreach across the communications sector, and leadership throughout the process is evidenced by the quality of the Final Report's findings, conclusions, and recommendations.
IX. REPORTS & SEGMENTS
9.1 BROADCAST SEGMENT ... 35
9.2 CABLE SEGMENT ... 62
9.3 SATELLITE SEGMENT ... 91
9.4 WIRELESS SEGMENT ... 118
9.5 WIRELINE SEGMENT ... 167
9.6 REQUIREMENTS AND BARRIERS TO IMPLEMENTATION ... 202
9.7 CYBER ECOSYSTEM AND DEPENDENCIES ... 321
9.8 MEASUREMENT ... 355
9.9 SMALL AND MEDIUM BUSINESS ... 370
9.10 TOP CYBER THREATS AND VECTORS ... 398
9.1 BROADCAST SEGMENT

CYBERSECURITY RISK MANAGEMENT AND BEST PRACTICES
WORKING GROUP 4
March 2015
TABLE of CONTENTS
I. Executive Summary ... 37
II. Introduction ... 37
III. Broadcast Segment Group Members ... 38
IV. Objective, Scope and Methodology ... 38
  A. Objective ... 38
  B. Scope ... 39
  C. Methodology ... 40
V. Results and Findings ... 41
  A. Critical Services ... 41
  B. Broadcast Ecosystem Architectures ... 41
VI. Applying the NIST Cybersecurity Framework ... 45
VII. Application Methodology ... 46
VIII. Illustrative Use Cases ... 56
  A. Broadcast Radio/TV Station/Hub Assessment ... 58
  B. Broadcast Networks Broadcast Firewall ... 60
IX. Conclusions and Recommendations ... 61
X. Acknowledgements ... 61
I. EXECUTIVE SUMMARY

The Broadcast Industry Segment subgroup of Working Group 4 (WG4) focused on developing recommendations that will assist in reducing cybersecurity risk to broadcast critical on-air operations through the application of the NIST Cybersecurity Framework (NIST CSF). To accomplish this objective, the Broadcast Segment Group's mission was to provide a roadmap for broadcasters to align their specific operations to that of the NIST Cybersecurity Framework. While the NIST Framework may be used beyond critical infrastructure, the analysis was primarily focused on critical infrastructure as defined in the Cybersecurity Executive Order. For broadcasters, this means maintaining on-air operations in order to deliver news, weather, critical public warning, and emergency information to the communities that they serve. Broadcasters do not provide Internet Protocol (IP) network services to others but acquire them from IP service providers. However, broadcasters' critical on-air operations are enabled by IP networks and have in recent years become more and more dependent upon them. Individual broadcast companies should consider utilizing the steps outlined in this report to update or develop their own cyber risk management programs, applying the framework to their own unique circumstances.

II. INTRODUCTION

The Broadcast Segment is a subgroup within CSRIC IV Working Group 4 focused on developing recommendations that will assist in reducing cybersecurity risk to broadcast on-air operations through the application of the NIST Cybersecurity Framework (CSF). The scale of the broadcast industry is fairly unique among the other communications industry segments. The broadcast industry is diverse: more than 15,000 radio and 1,700 television broadcasting facilities in the United States provide news, emergency information and other programming services free, over the air, to consumers. While many of these operations are broadcast networks and group owned, individual licensees tend to be small to medium sized operations, with relatively limited Information Technology (IT) support. The broadcast industry is increasingly characterized by a reliance on the Internet and other IP-based infrastructure for its core on-air operations. For the past several years, the broadcast industry has been transformed by a transition to file-based workflows and an increased focus on IP networking and content delivery. A number of broadcasters continue to expand their reliance on centralcasting, concentrating on-air operations in regional hubs. Also growing rapidly is the use of cloud-based services by broadcasters, particularly in the areas of streaming, archiving, editing, transcoding, and content distribution.

In 2012 the Communications Sector, in partnership with the Department of Homeland Security (DHS), completed the 2012 Risk Assessment for Communications (referred to going forward as the National Sector Risk Assessment or NSRA), updating its 2008 report, which assessed physical and cyber threats to the communications infrastructure. The risk assessment was intended to further the goals of the Communications Sector Specific Plan, also developed jointly with DHS in 2010, to identify and protect national critical infrastructure, ensure overall network reliability, maintain always-on service for critical customers and quickly restore critical communications functions and services following a disruption.

In order to accomplish the foundational objectives established by the FCC for CSRIC IV WG4, the Broadcast Segment group sought to develop recommendations which will enable the NIST Cybersecurity Framework to be conformed in such a way that it may be used by the broadcast industry to assess the vulnerability of critical on-air operations in the context of critical infrastructure as defined in the Cybersecurity Executive Order[38] and the NSRA. Please note this report does not address security of the Emergency Alert System (EAS) and its associated ecosystem. EAS security is considered in CSRIC IV Working Group III.[39]

III. BROADCAST SEGMENT GROUP MEMBERS
Member | Company
Adrienne Abbott | Nevada Association of Broadcasters
Sohail Anwar | National Public Radio
Edward Czarnecki | Monroe Electronics, Inc. / Digital Alert Systems
Seton Droppers | Public Broadcasting System
Christopher Homer | Public Broadcasting Service
Robert Ross | CBS Television Network
David Williams | National Public Radio
Kelly Williams | National Association of Broadcasters
IV. OBJECTIVE, SCOPE AND METHODOLOGY

A. Objective

CSRIC IV WG4 was tasked with developing voluntary mechanisms that provide macro-level assurance to the Federal Communications Commission (FCC) and the public that communication providers are taking the necessary corporate and operational measures to manage cybersecurity risks across the enterprise. WG4 also was charged with providing implementation guidance to facilitate the use and adaptation of the voluntary NIST Cybersecurity Framework (CSF) by communications providers. Consistent with Working Group 4's larger objective, the broadcast segment group analyzed the NIST Cybersecurity Framework version 1.0 from the perspective of the broadcast industry in order to apply the practices and processes described therein to this segment of the communications sector.
[38] See Exec. Order No. 13,636, Improving Critical Infrastructure Cybersecurity, 78 FR 11737 (Feb. 19, 2013) [hereinafter EO 13636].
[39] See Federal Communications Commission, The Communications Security, Reliability and Interoperability Council III, Working Group 3 Emergency Alert System (EAS) Initial Report: CSRIC WG3 EAS Security Subcommittee Report (2014), available at http://transition.fcc.gov/pshs/advisory/csric4/CSRIC_IV_WG3_InitialReport_061814.pdf.
B. Scope

Based on the NIST cybersecurity framework's focus on critical infrastructure, the broadcast segment group focused on identifying the aspects of the broadcast infrastructure that would be considered critical infrastructure supporting the critical services broadcasters provide. Based on the definitions of critical infrastructure outlined in the NSRA and Executive Order 13636, the group concluded that it is broadcasters' role in public alerting and as first informers (i.e. keeping the public informed during time of emergency) that fulfils this critical infrastructure role. The NSRA communications architecture model illustrating what is considered critical infrastructure is shown below.

The broadcast segment group agreed with the other Segment groups that the scope of its efforts should build upon the work already completed in the NSRA, which is to ensure overall network reliability, maintain always-on service for critical customers and quickly restore critical communications functions and services following a disruption. Considering all these factors, the Broadcast Sector group concluded that maintaining the on-air operations at local, regional and national level constituted maintaining this segment of the national critical communications infrastructure.

It is important to note that broadcasters are consumers of IP-based network services and do not supply IP services to others; as such, they must evaluate the risk and vulnerability of their assets in the context of maintaining their critical on-air operations.
C. Methodology

Starting with the Broadcast architecture model from the NSRA (below), the broadcast segment analyzed the broadcast ecosystems and developed four architecture models that are illustrative of the different types of operations in the broadcast segment: Local Broadcast Station, Small Radio Station, Hubbed (or CentralCast) Operation, and Broadcast Program Network. These models, described in more detail in Section V, can help broadcasters identify the critical assets that may require different approaches to application of the NIST Framework. These critical elements delineate the scope of assets intended to be protected through the further analysis below.
[Figure: NSRA Broadcast architecture model. Elements shown: Commercial Satellite; Television/Radio Network Headquarters; STL (Studio to Transmitter Link, typically point-to-point fixed microwave or fiber) with Fiber Back-up; ENG (Electronic News Gathering, local TV news coverage via portable microwave link) and SNG (Satellite News Gathering, local TV news coverage via portable satellite link) over Portable Microwave or Satellite; Local Broadcast Station (DTV/AM/FM/HD-Radio) with Satellite Receive Dishes; Transmitter Site with Radio/Television Station Transmitter and Broadcast Antenna; Mobile, Home and Pedestrian Customers.]
V. RESULTS AND FINDINGS

A. Critical Services

The broadcast segment utilized the NIST cybersecurity framework to evaluate its application to the broadcast sector. Since the broadcast sector provides a service to consumers by providing news, weather and emergency information through over-the-air signals or, in the case of a program network, via satellite or leased fiber facility, many of the cybersecurity concerns may not appear to be applicable. After careful review, the broadcast segment determined that there are aspects of broadcasting infrastructure that are IP network based and critical to providing essential services. Broadcasters are used to carrying mission critical data and information. Broadcasters must assess which parts of their infrastructure are critical to maintaining on-air operations so that they can deliver the following types of essential information to the public.

1) Emergency Alert Systems (EAS)

New technology in emergency alerting now carries messages from the Federal Emergency Management Association (FEMA) through IP networks using Common Alerting Protocol (CAP). Many state and local emergency management organizations have also adopted CAP protocol messaging distributed via IP over dedicated or public internet. The broadcasters' IP networks that carry these critical messages need to be protected against cyber attacks.[40]

2) News and Weather and Other Emergency Information

Broadcast stations and networks provide essential content in the form of news and weather and other emergency information, such as evacuation routes or tornado tracking. Both information and content flow over high-speed IP networks within a broadcast plant to provide integration of News Room Computer Systems (NRCS), audio and video servers, graphics systems and scheduling/automation systems. The broadcast network is the backbone of the station or network and needs to be carefully managed for redundancy, reliability and security. Important feeds and wire services that used to rely solely on satellite or microwave have also migrated to IP and Long Term Evolution (LTE) networks in order to provide valuable and timely content.
B. Broadcast Ecosystem Architectures

Below are the four architecture models that are illustrative of the different types of operations in the broadcast segment. Broadcasters can use the model that most closely resembles their actual infrastructure to identify the assets that require threat analysis and evaluation when applying the framework to on-air operations.

[40] This report does not address specifics of security for EAS and its associated ecosystem. EAS security is considered in CSRIC Working Group III.
1) Local Broadcast Station

Broadcast stations include independent, public, educational or state, station groups or network O&Os (owned and operated). A broadcast station can be a handful of employees in a mom-and-pop shop to major market stations with hundreds of employees. Many functional areas within a station include but are not limited to sales, programming, traffic, production, news, community affairs, public relations, accounting and finance, and engineering and operations. Engineering and Operations typically operates on a 24x7 basis and plays a critical role in providing content for community service, news, weather, sports, and entertainment for their broadcast market.

2) Local Small Radio Station

Local Radio Stations may not have enterprise-level networks as larger broadcasters do, but there are many areas where the station network connectivity provides critical services to its audience and would necessitate cybersecurity measures. This includes programming source(s) delivered via IP, commercial delivery and commercial production, other production resources such as Associated Press (A/P) newswire service delivery, remote operations, Common Alerting Protocol (CAP)/EAS Internet access, and Studio Transmitter Links (STL) transmitter metering and control. The network could also be used to provide for transmitter site security, A/P news, station social media/applications/contests/games, in-house WiFi access, FCC accounts, Traffic/Bookkeeping (includes staff and listener accounts), and portable media using Universal Serial Bus (USB) or Bluetooth.
[Figure: Local Small Radio Station architecture model. Elements shown: Content; Commercial Satellite; ENG/SNG; Local Radio Station with Sat RX; Station Network (Admin, Production, EAS, News, PC/Smart Device, Remote control, Rcvr Process, RDS, On Air Console, STL DEC, Traffic); two Internet Service Provider connections, each with a Firewall; Transmitter Site with Radio Transmitter and Broadcast Antenna; Home Customer.]
3) Broadcast Hubbed (CentralCast) Operation

A broadcast station hub is somewhat different from a broadcast station. A hub typically takes the repetitive 24x7 master control operations of two or more broadcast stations and combines them into a single facility for efficiency purposes. These can include private third-party business, educational or state, station groups or network O&Os (owned and operated) hubs. A television station that is a spoke of a hub facility does not need to be a small market facility. A hubbed television station is a fully featured and functioning facility that can have a news department, promotions, and be a network affiliate or independent. It simply does not have a master control facility to originate its programming to the local broadcast transmitter. There are two ways to accomplish this:

1. The central hub originates all content, which is sent to the satellite station as a video stream over a private bandwidth circuit. Local commercials, news programming, and other interstitial material are sent in the other direction to the hub for transmission at a later time or in real time in the case of live news programming. Traffic operations are also usually centralized at the hub facility; or

2. The satellite station has all of the content material and equipment on site, but is controlled from the central hub.

Today, with the cost of bandwidth being much lower than five years ago, most centralcasting locations use method number one. The obvious security and redundancy issues regarding protection of the feed from the hub require that two diverse routes should be employed with firewalls and VPN protection. All other data circuits, computers, digital streaming feeds, feeds of any type should be protected as they would be in any other modern broadcast facility.
[Figure: Broadcast Hubbed Operation architecture model. Elements shown: Commercial Satellite; Television/Radio Network Headquarters; ENG/SNG; Fiber Back-up; Station Hub (DTV/AM/FM/HD-Radio) with Sat RX, Workstations and Video/Audio Devices; Internet Service Provider with Incoming Firewall and Outgoing Firewall; IP/Feed to three Transmitter Sites, each with a Radio/Television Station Transmitter and Broadcast Antenna. Risks for business listed on the diagram: 1. Internet connections; 2. Email; 3. File Delivery (content or otherwise); 4. USB Devices; 5. Laptops; 6. Partners, etc.]
4) Broadcast Network

Broadcast networks provide content to stations, cable companies, satellite providers and even OTT (Over the Top) broadcast. A broadcast network ranges from a few hundred to a few thousand employees and typically provides a national or international footprint for distribution. Many functional areas within a network include, but are not limited to, sales, programming, traffic, production, news, public relations, accounting and finance, and engineering and operations. Engineering and Operations typically operates on a 24x7 basis and plays a critical role in providing content for stations, cable companies, satellite providers and OTT distributors. This content eventually makes its way to the public for news, sports, weather, education, public interest, and entertainment.
[Figure: Broadcast Network architecture model. Elements shown: Private or Commercial Terrestrial; Internet; Corporate Network (Single Building or Campus) with Corporate Workstations and Laptop; ISP A Firewall; ISP B; CDN, Partners, etc.; Broadcast Network with Broadcast Workstations, Ingest/Playout and Media Supply Chain (File Delivery, Sat Rx, Fiber Rx); BCast Fiber (Commercial, Delivered by Telco or Dark Fiber); BCast Firewall; Commercial Satellite (Satellite Receive, Uplink); Television/Radio Station; Broadcast Antenna. Risks for business listed on the diagram: 1. Internet connections; 2. Email; 3. File Delivery (content or otherwise); 4. USB Devices; 5. Laptops; 6. Partners, etc.]
VI. APPLYING THE NIST CYBERSECURITY FRAMEWORK

The NIST Framework presents five Core Functions organizations can use to evaluate their cybersecurity risks.

Identify: Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities. The activities in the Identify Function are foundational for effective use of the Framework. Understanding the business context, the resources that support critical functions and the related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs.

Protect: Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services. The Protect Function supports the ability to limit or contain the impact of a potential cybersecurity event. Examples of outcome Categories within this Function include: Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; and Protective Technology.

Detect: Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event. The Detect Function enables timely discovery of cybersecurity events. Examples of outcome Categories within this Function include: Anomalies and Events; Security Continuous Monitoring; and Detection Processes.

Respond: Develop and implement the appropriate activities to take action regarding a detected cybersecurity event. The Respond Function supports the ability to contain the impact of a potential cybersecurity event. Examples of outcome Categories within this Function include: Response Planning; Communications; Analysis; Mitigation; and Improvements.

Recover: Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event. The Recover Function supports timely recovery to normal operations to reduce the impact from a cybersecurity event. Examples of outcome Categories within this Function include: Recovery Planning; Improvements; and Communications.
VII. APPLICATION METHODOLOGY

The CSRIC IV Broadcast Sub-Committee reviewed the NIST framework as it applies to the different segments of the broadcast industry:

   Small Radio Station
   Local Broadcast Station
   Station Hub (or CentralCast) Operation
   Broadcast Network

Each of the 98 subcategories of the NIST Framework was evaluated as being non-critical, may be critical, or critical for each of the types of broadcast infrastructure models. This helps define how the scope of the framework can be applied to broadcast organizations of differing scope and size.
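The rating-per-model method just described, worked as an added example that is not the report's own tooling: the ID.AM rows of the report's table become a scoped target profile for one broadcast model and a prioritized gap list against a constructed self-assessment. The ratings used for the ID.AM-3 and ID.AM-4 rows are assumptions, since those rows are only partly legible here; the model names and the three rating levels are the report's.

```python
"""Scoping a NIST CSF v1.0 profile for one broadcast model.

Added example, not code from the CSRIC report. Each subcategory carries
the report's rating (Critical / May be Critical / Non-Critical) per
broadcast model; the rating decides whether an open item is a must-fix,
a judgement call, or out of scope for that kind of operation.
"""
MODELS = ("Small Radio Station", "TV Broadcast Station",
          "Station Hub", "Network Facility")
CRITICAL, MAYBE, NONCRITICAL = "Critical", "May be Critical", "Non-Critical"

# Ratings in MODELS column order. ID.AM-1/2/5/6 are Critical for every model
# in the report's table. ID.AM-3 and ID.AM-4 are only partly legible on the
# page, so their ratings here are ASSUMPTIONS, chosen to exercise the
# "May be Critical" and "Non-Critical" paths.
MATRIX = {
    "ID.AM-1": ("Physical devices and systems are inventoried",
                (CRITICAL, CRITICAL, CRITICAL, CRITICAL)),
    "ID.AM-2": ("Software platforms and applications are inventoried",
                (CRITICAL, CRITICAL, CRITICAL, CRITICAL)),
    "ID.AM-3": ("Organizational communication and data flows are mapped",
                (MAYBE, CRITICAL, CRITICAL, CRITICAL)),        # assumed
    "ID.AM-4": ("External information systems are catalogued",
                (NONCRITICAL, MAYBE, CRITICAL, CRITICAL)),     # assumed
    "ID.AM-5": ("Resources are prioritized by classification, criticality "
                "and business value", (CRITICAL,) * 4),
    "ID.AM-6": ("Cybersecurity roles and responsibilities are established",
                (CRITICAL,) * 4),
}
FUNCTION_OF = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
               "RS": "Respond", "RC": "Recover"}
PRIORITY = {CRITICAL: 1, MAYBE: 2}   # Non-Critical rows never become gaps


def core_function(subcat_id):
    """Map a subcategory ID such as 'ID.AM-3' to its Core Function name."""
    return FUNCTION_OF[subcat_id.split(".", 1)[0]]


def target_profile(model):
    """Subcategory -> rating for one broadcast model (the scoped profile)."""
    col = MODELS.index(model)
    return {sid: ratings[col] for sid, (_, ratings) in MATRIX.items()}


def gap_report(model, implemented):
    """Open items for `model` as sorted (priority, id, rating, function,
    description) tuples: Critical first, then May be Critical, Non-Critical
    omitted. A subcategory missing from `implemented` counts as NOT done,
    so absence of evidence is treated as a gap rather than silently passed.
    """
    gaps = []
    for sid, rating in target_profile(model).items():
        if rating == NONCRITICAL or implemented.get(sid, False):
            continue
        gaps.append((PRIORITY[rating], sid, rating,
                     core_function(sid), MATRIX[sid][0]))
    return sorted(gaps)


if __name__ == "__main__":
    # Constructed self-assessment for a small radio station (sample input).
    status = {"ID.AM-1": True, "ID.AM-2": False, "ID.AM-5": True, "ID.AM-6": True}
    for gap in gap_report("Small Radio Station", status):
        print(gap)
```

Running the same self-assessment against the "Station Hub" column turns the ID.AM-3 judgement call and the ID.AM-4 out-of-scope item into Critical gaps, which is exactly the scope difference the subcategory ratings are meant to capture.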
NIST Sub-Category | Small Radio Station | TV Broadcast Station | Station Hub | Network Facility
ID.AM-1: Physical devices and systems within the organization are inventoried | Critical | Critical | Critical | Critical
ID.AM-2: Software platforms and applications within the organization are inventoried | Critical | Critical | Critical | Critical
ID.AM-3: Organizational communication and data flows are mapped | May Not be Critical | Critical | Critical | [remaining cell not recovered]
ID.AM-4: External information systems are catalogued | Critical | Critical | [remaining cells not recovered]
ID.AM-5: Resources (e.g., hardware, devices, data and software) are prioritized based on their classification, criticality, and business value | Critical | Critical | Critical | Critical
ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established | Critical | Critical | Critical | Critical
ID.BE-1: Organization's role in the sup