Cyber Security: Protecting the Energy Industry Against Cyber Threats · 2018-02-28


Page 1

Thursday, December 5, 2013
11:30am-1:00pm

Eni Trading & Shipping
Two Allen Center, 1200 Smith Street
Houston, Texas 77002

Sponsors

Cyber Security: Protecting the Energy Industry Against Cyber Threats

Page 2

James Cargas – Moderator
Senior Assistant City Attorney for Energy, City of Houston

James Cargas is the Senior Assistant City Attorney for Energy for the City of Houston, the fourth largest city and the eighth largest purchaser of renewable power in the nation. His responsibilities include electricity, natural gas, and fuel transactions as well as compliance and enforcement matters. James advises the Mayor and Sustainability Director on implementation of sustainable development projects, including the largest municipal hybrid vehicle fleet in the nation and the beginnings of an electric vehicle fleet.

James is a board member of the North American Energy Standards Board, which works with NIST, NERC and FERC to implement cyber security business practice standards for the electric and natural gas industries. He also serves on the Board of the Energy Bar Association’s Houston Chapter.

Previously, James has worked in the natural gas pipeline and drilling industries, and in private practice as an energy and environmental lawyer. His public service includes the U.S. Congress, the Federal Energy Regulatory Commission, Clinton’s White House Council on Sustainable Development and the U.S. Department of Energy under Sec. Bill Richardson. Recently, he was the 2012 Democratic candidate for U.S. Congress for Texas’ Seventh District.

Page 3

Dr. Dave Hopson
Founding Partner, Triumphus Tek, Inc.

Dave has been a leader in information technology aspects of regulatory, business continuity, disaster recovery, security, and infrastructure for over 25 years.

With over 25 years of practical experience in regulatory, information technology, security, crisis management and business continuity in both government and the private sector, Dr. Hopson has served in senior management with Union Carbide Corp, BHP Billiton, and Devon Energy, Inc., following his tenure as Team Leader, USMC 3rd Force Recon. He was medically retired from the U.S. Marine Corps, having served as a recon team member and leader of anti-terrorism, hostage rescue, and special ops logistical planning. Dave served in many countries and regions across the Near, Far, and Middle East, not only performing rescue and training missions, but also fortifying our ports, ships, and bases. In these roles, Dave would utilize the skills obtained in over 200 missions to help our own forces to better fortify and plan for the eventual attack. As a graduate student, Dave brought mathematics to the planning table to create objective Threat Assessment Strategies. During his stint in the business world, Dr. Hopson brought the same skills for contingency planning to Information Technology. From Union Carbide to Devon Energy, he brought the infrastructure, processes, physical security, and planning for IT to a Special Operations Planning and Execution level.

He earned a Ph.D. from Claremont Graduate School—Peter Drucker’s School of Management, an MIS from Claremont Graduate School, and a BS in Political Science from Sam Houston State University. His firm, Triumphus Tek, Inc., is a Houston-based consultancy specializing in Information Technology project and departmental recovery, as well as IT operations, departmental preparation for IPO, and IT Strategy/Roadmapping (http://www.triumphustek.com).

Page 4

Irene Kosturakis
Chief Intellectual Property Counsel, BMC Software, Inc.

Irene Kosturakis is Chief Intellectual Property Counsel at BMC Software, Inc., where she is responsible for all intellectual property matters, including patent acquisition, development and maintenance of the patent and trademark portfolios, patent litigation, copyrights, intellectual property transactions, and IP due diligence for the Company’s mergers and acquisitions. In her role, she also supports the Company with regard to information security and cyber-security concerns.

Prior to BMC, Irene was with Hewlett-Packard Company and Compaq Computer Corporation. Irene is a registered patent attorney and is licensed to practice law in the State of Texas.

Irene has a Masters of Law in Intellectual Property from the University of Houston, a J.D. from South Texas College of Law, a Master of Science in Civil Engineering from the University of Houston, and a Bachelor of Science in Civil Engineering from the University of Texas at El Paso.

Outside of BMC, Irene is an adjunct professor at South Texas College of Law, teaching its International Business Transactions course. She is a member of the State Bar of Texas’s Business Law Section Council and Chair of its Donated Services Committee, past president of the Houston Chapter of the Association of Corporate Counsel (ACC) 2007-2008, and a member of the Houston Intellectual Property Lawyers Association.

Page 5

TOPIC: The Energy Industry is becoming increasingly dependent upon internet technology to meet real time operational needs and the demands of its customers. These same automated technologies, however, provide potential unwanted access to sensitive systems and information. The energy industry has already been targeted for cyber attacks from lone hackers and from well-organized state-sponsored, corporate espionage operations based outside the United States. Join the Houston Chapter for a discussion with experts regarding the technologies and policies available to protect your company, the current thinking of regulators regarding cyber security requirements, and the liabilities and legal challenges your company faces as it attempts to balance cost and security concerns.

Page 6

* Feb. 12, 2013: Critical Infrastructure Security and Resilience
  * Energy and communications systems are uniquely critical
* Feb. 12, 2013: Improving Critical Infrastructure Cybersecurity
  * Requires the National Institute of Standards and Technology (NIST) to develop a cybersecurity framework

Page 7

The Framework provides a common language and mechanism for organizations to:

1. Describe their current cybersecurity posture
2. Describe their target state for cybersecurity
3. Identify and prioritize opportunities for improvement within the context of risk management
4. Assess progress towards the target state
5. Foster communications among internal and external stakeholders

Page 9

Enterprise Security – Recent Events

Page 10

Attack Vectors
* Spoofing
* Denial of Service
* Man in the middle
* Spyware/Viruses/Trojans
* Advanced Persistent Threat
* Zero Day Vulnerability Exploit
* Phishing
* Social Engineering
* Worms
* Botnets
* Port Scanning

Three Groups of Perpetrators
* Criminals
* Activists
* Nation-States

Page 11

* FBI knocked on the door to let them know they had been compromised.
* State sponsored cyber attack on their Intellectual Property.
* Two years and 12 MM to clean and correct.
* Lost all contract bids in that area; cost unknowable.

Page 12

* Website compromised because of a known core solution flaw.
* Website was not patched due to cost.
* 18 months to recover lost data.
* Emails and snail mail to customers about potential loss of data.

Page 13

* FBI contacted them due to traffic going to and from known cyber-activists' IP addresses in a foreign country.
* Required extensive testing and removal of several machines from the environment.


Page 15

* ICS are operated by specialized assembly-like code on programmable logic controllers (PLCs).
* The PLCs are typically programmed from Windows computers.
* The ICS are not connected to the Internet.
* ICS usually consider availability and ease of maintenance first and security last.
* ICS consider the “air gap” as sufficient security.

Page 16

* June 2010: A worm targeting the Siemens WinCC industrial control system.
* Targets high speed variable-frequency programmable logic motor controllers from just two vendors: Vacon (Finland) and Fararo Paya (Iran).
* Only when the controllers are running at 807Hz to 1210Hz. Makes the frequency of those controllers vary from 1410Hz to 2Hz to 1064Hz.
* http://en.wikipedia.org/wiki/Stuxnet
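The slide above describes a payload that only fires inside a narrow operating band and then drives the controllers far outside it while the compromised PLC keeps reporting normal values. The following monitor is an added example, not part of the slide deck; it assumes an independent frequency measurement (a sensor that does not pass through the PLC) and uses illustrative thresholds and constructed telemetry to show how a defender could catch the out-of-band swings and the reported-versus-measured mismatch.

```python
"""Independent monitor for variable-frequency drive (VFD) telemetry.

Stuxnet acted only on drives running in its target band (807-1210 Hz), then
drove them to 1410 Hz, 2 Hz and 1064 Hz while the compromised PLC kept
reporting normal values to the operator.  This monitor assumes a second,
independent measurement of drive frequency (for example a current clamp or
tachometer feeding a separate historian) and raises an alert when:
  * the measured frequency leaves the configured operating band,
  * the frequency changes faster than the process physically allows, or
  * the PLC-reported value disagrees with the independent measurement.
All thresholds and the telemetry below are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Sample:
    t: int              # seconds since the start of the window
    reported_hz: float  # frequency the PLC/HMI reports to the operator
    measured_hz: float  # frequency seen by the independent sensor


@dataclass(frozen=True)
class Alert:
    t: int
    kind: str
    detail: str


def analyze(samples: Iterable[Sample],
            band: Tuple[float, float] = (807.0, 1210.0),
            max_step_hz_per_s: float = 100.0,
            max_skew_hz: float = 5.0) -> List[Alert]:
    """Return alerts for out-of-band, implausible-rate and mismatch conditions."""
    low, high = band
    alerts: List[Alert] = []
    prev = None
    for s in samples:
        # 1. Measured frequency outside the band the process is allowed to run in.
        if not low <= s.measured_hz <= high:
            alerts.append(Alert(s.t, "out_of_band",
                                f"measured {s.measured_hz:.0f} Hz outside {low:.0f}-{high:.0f} Hz"))
        # 2. Rate of change faster than the drive/process can physically do.
        if prev is not None:
            dt = max(1, s.t - prev.t)
            rate = abs(s.measured_hz - prev.measured_hz) / dt
            if rate > max_step_hz_per_s:
                alerts.append(Alert(s.t, "rate_of_change",
                                    f"{rate:.0f} Hz/s exceeds {max_step_hz_per_s:.0f} Hz/s"))
        # 3. The PLC tells the operator one thing while the sensor sees another.
        if abs(s.reported_hz - s.measured_hz) > max_skew_hz:
            alerts.append(Alert(s.t, "report_mismatch",
                                f"PLC reports {s.reported_hz:.0f} Hz, sensor sees {s.measured_hz:.0f} Hz"))
        prev = s
    return alerts


def summarize(alerts: Iterable[Alert]) -> dict:
    """Count alerts by kind, e.g. {'out_of_band': 2, ...}."""
    return dict(Counter(a.kind for a in alerts))


# Constructed telemetry: the drive runs at ~1000 Hz, then the measured
# frequency follows the 1410 -> 2 -> 1064 Hz pattern from the slide while
# the PLC keeps reporting ~1001 Hz (the rootkit hiding the change).
ATTACK_TRACE = [
    Sample(0, 1000.0, 1000.0),
    Sample(1, 1002.0, 1001.0),
    Sample(2, 1001.0, 1410.0),
    Sample(3, 1001.0, 2.0),
    Sample(4, 1001.0, 1064.0),
    Sample(5, 1001.0, 1001.0),
]

# Constructed benign telemetry for comparison: a gradual ramp inside the band.
NORMAL_TRACE = [Sample(t, 950.0 + 10 * t, 950.0 + 10 * t + 1.0) for t in range(6)]


if __name__ == "__main__":
    for a in analyze(ATTACK_TRACE):
        print(f"t={a.t}s {a.kind}: {a.detail}")
    print("normal trace alerts:", len(analyze(NORMAL_TRACE)))
```

The point of the third check is the one the later slides make about Stuxnet hiding its code from the operator: a value that only ever comes from the PLC cannot be trusted to reveal what the PLC has been made to do.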

Page 17

Figure: infected hosts, 29 September 2010, from Symantec.


Page 19

But why would Stuxnet want to make the centrifuges shake destructively? Wasn’t infecting their systems disruptive enough in and of itself? No.

If you only cause problems solely in the cyber sphere, it is, at least conceptually, possible to “wipe and reload,” thereby fixing both the infected control systems and the modified programmable motor controllers at the targeted facility. Software-only, cyber-only impacts are seldom “long term” or “persistent” in nature.

However, if the cyber attack is able to cause physical damage, such as causing thousands of centrifuges to shake themselves to pieces, or a generator to self destruct, that would take far longer to remediate.

Page 20

Why would a nation-state adversary release such a narrowly targeted piece of malware?

Blowback: a term borrowed from chemical warfare. An unexpected change in wind patterns can send an airborne chemical weapon drifting away from its intended enemy target and back toward friendly troops.

While most of the Stuxnet infections took place in Iran, some infections did happen in other countries, including the U.S.

Prudent “cyber warriors” might take all possible steps to ensure that if Stuxnet did “get away from them,” it wouldn’t wreak havoc on friendly or neutral targets.

So now you know why Stuxnet appears to have been so narrowly tailored.

Page 21

* 2009 June: Earliest Stuxnet seen
  * Does not have signed drivers
* 2010 Jan: Stuxnet driver signed
  * With a valid certificate belonging to Realtek Semiconductors
* 2010 June: Virusblokada reports W32.Stuxnet
  * Verisign revokes Realtek certificate
* 2010 July: Anti-virus vendor Eset identifies new Stuxnet driver
  * With a valid certificate belonging to JMicron Technology Corp
* 2010 July: Siemens report they are investigating malware on SCADA systems
  * Verisign revokes JMicron certificate

Page 22

Components used
* Zero-day exploits
* Windows rootkit
* PLC rootkit (first ever)
* Antivirus evasion
* Peer-to-Peer updates
* Signed driver with a valid certificate
* Command and control interface

Stuxnet consists of a large .dll file designed to sabotage industrial processes controlled by Siemens SIMATIC WinCC and PCS 7 systems.

Page 23

* Stuxnet is a significant milestone in malicious code history
  * It is the first to exploit multiple 0-day vulnerabilities
  * Used two (compromised) digital certificates
  * Injected code into industrial control systems
  * Hid the code from the operator
* Stuxnet is of great complexity, requiring significant resources to develop
* Stuxnet has highlighted that direct attacks on critical infrastructure are possible
* It is out in the wild – anyone can use it now

Page 24

* Thought to be highly related to Stuxnet
* Has the same core code
* Written in a specialized C code and compiler
* Works like Stuxnet with different objectives
* Looks for vulnerabilities in ICSs and reports them back
* Captures keystrokes and system information
* No self replication
* Removes itself after 36 days
* May have been used to build Stuxnet, but not discovered until after Stuxnet

Page 25

* Most advanced cyber attack toolkit yet, 20 times more complicated than Stuxnet
* Over 20Meg in size
* Cyber-espionage tool that can:
  * Record audio
  * Capture data for forms filled in
  * Take screen captures
  * Scan for bluetooth devices
* Connected to over 100 command and control servers
* Has a kill command
* It is out in the wild – anyone can use it now

Page 26

* Very similar to Flame
* Over 20Meg in size
* Cyber-espionage tool that can:
  * Look for banking credentials
* Has a kill command
* May have been Flame (state sponsored) adapted to Gauss (criminal motives)
* It is out in the wild – anyone can use it now

Page 27

Spreading disinformation through trusted sources about a dangerous escalation of a geopolitical flashpoint, prompting a plunge in global markets that lasts for days before it’s corrected. North Korea’s Kim Jong-Un launches ICBMs at the United States, for instance, or Israel attacks Iran’s nuclear program, squeezing the global oil supply.

Hacking into the Industrial Control Systems (ICS) that run so many government and private sector systems, disrupting dams, oil refineries, the power grid, utility companies—or the global banking system known as SWIFT. (A Chinese hacker is suspected in a recent intrusion into a US government database cataloging dam vulnerabilities, according to the Washington Free Beacon.)

Disrupting trading on the New York, London or Tokyo stock exchanges, or finding a way to wipe out, or corrupt, the vast database of prior trades.

Messing with the space-based satellite navigation system that provides location and time information for just about everything these days. “Think of this,” Rosenzweig says. “What if someone started degrading the information that GPS runs on? It’s just data, ones and zeros that come down from satellites. You could make our missiles less accurate, our planes less able to fly or less safe. You could intercept, degrade it, or spoof it—send false signals, and make the planes think they are somewhere else.”

Paul Rosenzweig, “Cyber Warfare: How Conflicts in Cyberspace Are Challenging America and Changing the World.”

Page 28

* Several companies had IP addresses that were reachable externally that they did not know about.
* Web results showed several common IIS problems – mostly not up to date patching.
* Most companies use obscurity as a defense mechanism. Not the best choice.
* We were able to penetrate all the companies
  ▪ We could pull data
  ▪ Access AD
  ▪ Change Web Pages
  ▪ One location we could even log on to the Production SQL server
  ▪ Several locations we could log into the firewall
* Most common problems are:
  ▪ Factory or “normal” passwords are used
  ▪ Patching not up to date
  ▪ Ports open that are not required

Page 29

* NERC Critical Infrastructure Program (CIP). Currently under version 5 because the industry would not self regulate.
* Chemical Facility Anti-Terrorism Safety (CFATS), Department of Homeland Security. Ten specific infrastructure areas governed.
* National Institute of Standards and Technology (NIST)
* TSA is looking to create one for Pipelines

Page 30

* NERC started CIP in April of 2005 with CIP-001
* The process started as self regulating
* Very few companies in the industry claimed to be “critical”
* Most of the infrastructure remains unprotected
* Version 5 now defines what is critical so the grid is protected

Page 31

* Do not specify a technology or method, rather an outcome
* Do not suggest self-regulation
* Audits are required
* Fines must be higher than cost to remediate
* Focus on big picture, not technologies
* Connectivity makes all areas entry points

Page 32

* www.nerc.com
* http://www.nerc.com/pa/Stand/Pages/CIPStandards.aspx
* http://www.dhs.gov/cybersecurity-laws-regulations
* http://www.dhs.gov/featured-laws-regulations
* http://www.uschamber.com/feed/cybersecurity-more-government-regulation
* http://blog.heritage.org/2013/10/02/voluntary-cybersecurity-standards-the-threat-of-regulation-looms/
* http://rwu.edu/academics/conferences/cyber-threats-realities
* https://www.privacyassociation.org/privacy_tracker/post/u.s._cybersecurity_policy_developments_a_year_to_date_roundup
* http://csis.org/files/media/csis/pubs/090327_lewis_innovation_cybersecurity.pdf

Page 33

* Jennifer Rizzo. (August 2, 2012) "Cybersecurity bill fails in Senate."
* Paul Rosenzweig. (July 23, 2012) "Cybersecurity Act of 2012: Revised Cyber Bill Still Has Problems." The Heritage Foundation.
* Ed O’Keefe & Ellen Nakashima. (August 2, 2012) "Cybersecurity bill fails in Senate." The Washington Post.
* Alex Fitzpatrick. (July 20, 2012) "Obama Gives Thumbs-Up to New Cybersecurity Bill." Mashable.
* Brendan Sasso. (August 4, 2012) "After defeat of Senate cybersecurity bill, Obama weighs executive-order option." The Hill.
* Jaikumar Vijayan. (August 16, 2012) "No partisan fight over cybersecurity bill, GOP senator says." Computerworld.
* Carl Franzen. (August 2, 2012) "As Cybersecurity Bill Fails In Senate, Privacy Advocates Rejoice." TPM.
* Alex Fitzpatrick. (August 2, 2012) "[40]". Mashable.
* Jody Westby. (August 13, 2012) "Congress Needs to Go Back To School on Cyber Legislation." Forbes.

Page 34

* "Rise Is Seen in Cyberattacks Targeting U.S. Infrastructure." (July 26, 2012) New York Times.
* http://www.dhs.gov/news/2012/09/19/written-testimony-secretary-napolitano-senate-committee-homeland-security-and
* http://www.fastcompany.com/3005464/obama-new-york-times-cnn-fox-news-twitter-accounts-may-have-been-compromised
* http://homeland.house.gov/sites/homeland.house.gov/files/04-24-12%20McCaul%20Open.pdf
* http://www.defense.gov/news/newsarticle.aspx?id=118187
* FT Special Report. (7 June 2013) "Secrecy hampers battle for web." Financial Times.
* "Executive Order -- Improving Critical Infrastructure Cybersecurity." The White House, Office of the Press Secretary. http://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity

Page 35

* "A chronology of data breaches reported since the ChoicePoint incident." (2005).
* "Electronic privacy information center bill track: Tracking privacy, speech and civil liberties in the 109th congress." (2005).
* "How computer viruses work." (2005).
* "The National Strategy to Secure Cyberspace." (2003).
* "Notice of security breach - civil code sections 1798.29 and 1798.82 - 1798.84." (2003).
* "Richard Clarke interview." (2003).
* Gordon, L. A., Loeb, M. P., Lucyshyn, W. & Richardson, R. (2005). "2005 CSI/FBI computer crime and security survey."
* Lemos, R. (2003). "Bush unveils final cybersecurity plan."
* Rasmussen, M., & Brown, A. (2004). "California Law Establishes Duty of Care for Information Security."
* Schmitt, E., Charron, C., Anderson, E., & Joseph, J. (2004). "What Proposed Data Laws Will Mean for Marketers."

Page 36

U.S. Trade Secret Law – Implications for Cyber-security Concerns

Irene Kosturakis
Chief Intellectual Property Counsel
BMC Software, Inc.

5 December 2013

Page 37

12/5/2013 © Copyright 2006, 2013 BMC Software, Inc.

Cyber Security Obama Order

› President Obama identified cyber security as one of the most serious economic and national security challenges, but one that we are not adequately prepared to counter
› Order – review of federal efforts to defend the U.S. information and communications infrastructure and the development of a comprehensive approach to securing digital infrastructure
› Close work with key players in U.S. cyber security, including state and local governments and the private sector, to ensure an organized and unified response to future cyber incidents, find technology solutions, invest in R&D necessary to meet the digital challenges, and promote cyber security awareness

Page 38

Cyber Security Obama Order

› Build on Bush Administration’s Comprehensive National Cybersecurity Initiative (CNCI)
› CNCI consists of initiatives with the goals:
  – To establish a front line of defense against today’s immediate threats—and the ability to act quickly to reduce our current vulnerabilities and prevent intrusions
  – To defend against threats by enhancing U.S. counterintelligence capabilities and increasing the security of key IT
  – To expand cyber education and coordinate R&D efforts across the Federal Government; and to define and develop strategies to deter hostile or malicious activity in cyberspace
  – Includes funding within the federal law enforcement, intelligence, and defense communities

Page 39

CONTROL SYSTEMS

A “control system” is a generic term for software and devices that automate complex processes.

› SCADA: Supervisory Control and Data Acquisition
› Homeland Security Presidential Directive – national policy for federal departments and agencies to identify and prioritize critical infrastructure and protect it from cyber attacks
› Increases in the exploitation of vulnerabilities across all industries, including the federal government, have mandated cyber security awareness

Sectors shown: Power, Water, Oil & gas

Page 40

Trade Secrets – 3 Frameworks of Protection

› Common Law – state case law
› Uniform Trade Secrets Act (UTSA) – 47 states have enacted – not NY, Mass., or N. Carolina (but N. Carolina’s statute is very similar to UTSA)
  – Effective in Texas September 1, 2013
› Federal Statute – Economic Espionage Act of 1996, 18 U.S.C. 1831-1839

Page 41

Trade Secret Definitions

› Restatement of Torts 1st § 757 – Non-public information that gives a party a competitive edge over the party’s competitors
› Texas Uniform Trade Secrets Act (TUTSA) – information, including a formula, pattern, compilation, program, device, method, technique, process, financial data, or list of actual or potential customers or suppliers that:
  – derives independent economic value from not being generally known to, and not being readily ascertainable by proper means by, other persons who can obtain economic value from its disclosure or use; and
  – is the subject of reasonable efforts to maintain its secrecy
  – Proper means is defined as discovery by independent development, reverse engineering unless prohibited, or any other means that is not improper
› Economic Espionage Act of 1996, 18 U.S.C. 1831-1839 – broader definition than the TUTSA and defines a trade secret as including tangible as well as intangible information

Page 42

TUTSA

› Misappropriation
  – Acquisition of a trade secret of another by a person who knows or has reason to know that the trade secret was acquired by improper means, or
  – Disclosure or use of another’s trade secret without consent by a person who:
    • Used improper means to acquire knowledge of the trade secret
    • Knew or had reason to know that the knowledge was
      – Derived from someone using improper means to acquire it
      – Acquired under a duty to maintain secrecy
      – Derived from someone who owed a duty to maintain secrecy
› Improper means
  – Theft, bribery, misrepresentation, breach or inducement of a breach of a duty to maintain secrecy, limit use, or prohibit discovery of a trade secret, or espionage through electronic or other means.

Page 43

TUTSA Remedies

› Actual or threatened misappropriation may be enjoined
› A claimant is entitled to recover damages for misappropriation, including the actual loss and unjust enrichment caused by misappropriation
› If misappropriation is proven to be willful or malicious, the court may award exemplary damages of 2 times the award
› Attorneys fees to prevailing party if:
  – Claim of misappropriation is made in bad faith
  – Motion to terminate an injunction is made or resisted in bad faith, or
  – Willful and malicious misappropriation exists

Page 44

Other Remedies in Texas

› TUTSA does not affect criminal remedies, whether or not based upon misappropriation of a trade secret
› Texas also allows for criminal penalties for theft of trade secret, which is considered a third-degree felony, Texas Penal Code § 31.05(a)(4)

Page 45

Economic Espionage Act – Federal Law

› Economic Espionage Act of 1996 (EEA) – Genesis
  – Criminal penalties for misappropriating trade secrets or competitive information of companies
  – In 1995, out of 325 companies surveyed, nearly half of them had experienced a trade secret theft
  – It was estimated that nearly $24 billion of corporate intellectual property was stolen every year
  – The FBI suspected that more than 20 countries were actively trying to steal United States companies' trade secrets
  – Uniform Trade Secrets Act and other state statutes provided no effective criminal response


Economic Espionage Act – Federal Law

› The EEA contains two distinct provisions
– § 1831 – addresses economic espionage directed by foreign governments
– § 1832 – prohibits the commercial theft of trade secrets carried out for economic or commercial advantage, whether the perpetrator is foreign or domestic
– §§ 1831 and 1832 both may reach acts committed outside the country
– As of April 2005, all prosecutions brought to date under the EEA had been under § 1832

› The EEA applies to conduct outside the United States if the offender is a citizen or resident alien of the United States, or an organization organized under the laws of the United States or any state


Economic Espionage Act – Federal Law

› § 1831 – applies when there is evidence of intelligence activity sponsored or coordinated by a foreign government

› § 1831 – the Government must prove that:
– (1) the defendant stole, or without the owner's authorization obtained, destroyed, or conveyed information that he knew or believed was a trade secret;
– (2) the information was a trade secret; and
– (3) the defendant intended or knew that the offense would benefit a foreign government, instrumentality, or agent

› Penalties – a convicted individual can be imprisoned for up to 15 years and fined up to $500,000, and an organization can be fined up to $10,000,000


Economic Espionage Act – Federal Law

› § 1832 – the Government must prove beyond a reasonable doubt that:
– (1) the defendant stole, or without the owner's authorization obtained, sent, destroyed, or conveyed information that he knew or believed was a trade secret;
– (2) the information was in fact a trade secret;
– (3) the defendant intended to convert the trade secret to the economic benefit of somebody other than the owner;
– (4) the defendant knew or intended that the owner of the trade secret would be injured; and
– (5) the trade secret was related to, or was included in, a product that was produced for or placed in interstate or foreign commerce

› Penalties – a convicted individual can be imprisoned for up to ten years and fined up to $250,000, and an organization can be fined up to $5,000,000


Economic Espionage Act – Federal Law

› The EEA Amendment
› President Obama signed the Theft of Trade Secrets Clarification Act of 2012
– Clarifies the scope of § 1832 and responds to United States v. Aleynikov, 676 F.3d 71 (2d Cir. 2012)
– Clarifies that the EEA protects wholly internal proprietary information if the information relates to products or services that are used in, or intended for use in, interstate or foreign commerce


Questions?


Reprinted with the permission of the author

64478 Federal Register / Vol. 78, No. 209 / Tuesday, October 29, 2013 / Notices

DEPARTMENT OF COMMERCE

National Institute of Standards and Technology

[Docket No.: 130909789-3789-01]

Request for Comments on the Preliminary Cybersecurity Framework

AGENCY: National Institute of Standards and Technology (NIST), Department of Commerce.

ACTION: Notice; request for comments.

SUMMARY: The National Institute of Standards and Technology (NIST) seeks comments on the preliminary version of the Cybersecurity Framework ("preliminary Framework"). The preliminary Framework was developed by NIST using information collected through the Request for Information (RFI) that was published in the Federal Register on February 26, 2013, and a series of open public workshops. The preliminary Framework was developed in response to NIST responsibilities directed in Executive Order 13636, "Improving Critical Infrastructure Cybersecurity" ("Executive Order").

Under the Executive Order, the Secretary of Commerce is tasked to direct the Director of NIST to lead the development of a framework to reduce cyber risks to critical infrastructure (the "Cybersecurity Framework" or "Framework"). The Framework will consist of standards, methodologies, procedures and processes that align policy, business, and technological approaches to address cyber risks. The preliminary Framework is available electronically from the NIST Web site at: http://www.nist.gov/itl/cyberframework.cfm.

DATES: (comment deadline illegible in the scanned source)

ADDRESSES: Both written and electronic comments should be submitted using the comment template form available electronically from the NIST Web site at: http://www.nist.gov/itl/cyberframework.cfm. Written comments concerning the preliminary Framework may be sent to: Information Technology Laboratory, ATTN: Adam Sedgewick, National Institute of Standards and Technology, 100 Bureau Drive, Stop 8930, Gaithersburg, MD 20899-8930. Electronic comments concerning the preliminary Framework should be submitted in Microsoft Word or Excel formats to: csfcomments@nist.gov, with the Subject line: Preliminary Cybersecurity Framework Comments.

The preliminary Cybersecurity Framework is available electronically from the NIST Web site at: http://www.nist.gov/itl/cyberframework.cfm.

FOR FURTHER INFORMATION CONTACT: Diane Honeycutt, telephone: 301-975-8443, National Institute of Standards and Technology, 100 Bureau Drive, Stop 8930, Gaithersburg, MD 20899-8930 or via email: [email protected]. Please direct media inquiries to NIST's Public Affairs Office at (301) 975-NIST.

SUPPLEMENTARY INFORMATION: The national and economic security of the United States depends on the reliable functioning of critical infrastructure,[1] which has become increasingly dependent on information technology. Recent trends demonstrate the need for improved capabilities for defending against malicious cyber activity. Such activity is increasing, and its consequences can range from theft through disruption to destruction. Steps must be taken to enhance existing efforts to increase the protection and resilience of this infrastructure, while maintaining a cyber environment that encourages efficiency, innovation, and economic prosperity, while protecting privacy and civil liberties.

[1] For the purposes of this notice the term "critical infrastructure" has the meaning given the term in 42 U.S.C. 5195c(e), "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters."

Under the Executive Order, the Secretary of Commerce is tasked to direct the Director of NIST to lead the development of a framework to reduce cyber risks to critical infrastructure (the "Cybersecurity Framework" or "Framework"). The Cybersecurity Framework will consist of standards, methodologies, procedures and processes that align policy, business, and technological approaches to address cyber risks. Given the diversity of sectors in critical infrastructure, the Framework development process was designed to initially identify cross-sector security standards and guidelines that are immediately applicable or likely to be applicable to critical infrastructure, to increase visibility and adoption of those standards and guidelines, and to find potential areas for improvement (i.e., where standards/guidelines are nonexistent or where existing standards/guidelines are inadequate) that need to be addressed through future collaboration with industry and industry-led standards bodies. The Cybersecurity Framework will incorporate voluntary consensus standards and industry best practices to the fullest extent possible and will be consistent with voluntary international consensus-based standards when such international standards advance the objectives of the Executive Order. The Cybersecurity Framework will be designed for compatibility with existing regulatory authorities and regulations.

The Cybersecurity Framework will provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls to help owners and operators of critical infrastructure and other interested entities to identify, assess, and manage cybersecurity-related risk while protecting business confidentiality, individual privacy and civil liberties. To enable technical innovation and account for organizational differences, the Cybersecurity Framework will not prescribe particular technological solutions or specifications. It will include guidance for measuring the performance of an entity in implementing the Cybersecurity Framework and will include methodologies to identify and mitigate impacts of the Framework and associated information security measures and controls on business confidentiality and to protect individual privacy and civil liberties.

As a non-regulatory Federal agency, NIST developed the preliminary Framework in a manner that is consistent with its mission to promote U.S. innovation and industrial competitiveness through the development of standards and guidelines in consultation with stakeholders in both government and industry. The preliminary Framework seeks to provide owners and operators of critical infrastructure the ability to implement security practices in the most effective manner while allowing organizations to express requirements to multiple authorities and regulators. Issues relating to harmonization of existing relevant standards and integration with existing frameworks were also considered. While the focus is on the Nation's critical infrastructure, the preliminary Framework was developed in a manner to promote wide adoption of practices to increase cybersecurity across all sectors and industry types.

The preliminary Framework was developed through an open public review and comment process that included information collected through the Request for Information (RFI), 78 FR 13024 (February 26, 2013), and a series of public workshops. Comments received in response to the RFI are available at http://csrc.nist.gov/cyberframework/rfi_comments.html.

NIST held four open public workshops to provide the public with additional opportunities to provide input. The first workshop was conducted on April 3, 2013, at the Department of Commerce in Washington, DC. The second workshop was conducted on May 29-31, 2013, at Carnegie Mellon University in Pittsburgh, Pennsylvania. The third workshop was conducted on July 10-12, 2013, at the University of California, San Diego. The fourth workshop was conducted on September 11-13, 2013, at the University of Texas at Dallas. Agenda, discussion materials, and presentation slides for each of those workshops are available at http://www.nist.gov/itl/cyberframework.cfm.

Throughout the process, NIST issued public updates on the development of the Cybersecurity Framework. NIST issued the first update on June 18, 2013, and it is available at http://www.nist.gov/itl/upload/nist-cybersecurity-framework-update-061813.pdf. NIST issued the second update on July 24, 2013, and it is available at http://www.nist.gov/itl/upload/NIST-Cybersecurity-Framework-Update-072413.pdf.

The preliminary Framework incorporates existing consensus-based standards to the fullest extent possible, consistent with requirements of the National Technology Transfer and Advancement Act of 1995, and guidance provided by Office of Management and Budget Circular A-119, "Federal Participation in the Development and Use of Voluntary Consensus Standards and in Conformity Assessment Activities." Principles articulated in the Executive Office of the President memorandum M-12-08, "Principles for Federal Engagement in Standards Activities to Address National Priorities," are followed. The preliminary Framework is also consistent with, and supported by the broad policy goals of, the Administration's 2010 "National Security Strategy," 2011 "Cyberspace Policy Review," "International Strategy for Cyberspace" of May 2011 and HSPD-7 "Critical Infrastructure Identification, Prioritization, and Protection."

Request for Comments:

NIST seeks public comments on the preliminary Cybersecurity Framework. The draft report is available electronically from the NIST Web site at: http://www.nist.gov/itl/cyberframework.cfm. The comment templates are available at the same address, and are required for both written and electronic comments. Interested parties should submit comments in accordance with the DATES and ADDRESSES sections of this notice. All comments will be posted at http://csrc.nist.gov/cyberframework/preliminary_framework_comments.html without change or redaction, so commenters should not include information they do not wish to be posted (e.g., personal or business information).


Dated: October 23, 2013.
Patrick Gallagher,
Under Secretary of Commerce for Standards and Technology.
[FR Doc. 2013-25586 Filed 10-28-13; 8:45 am]

BILLING CODE 3510-13-P