CERT PODCAST SERIES: SECURITY FOR BUSINESS LEADERS: SHOW NOTES

Using the Cyber Resilience Review to Help Critical Infrastructures Better Manage Operational Resilience

Key Message: Participating in a CRR allows critical infrastructure owners and operators to compare their cybersecurity performance with their peers.

Executive Summary

"The U.S. Department of Homeland Security (DHS) conducts a no-cost, voluntary Cyber Resilience Review (CRR) to evaluate and enhance cybersecurity capacities and capabilities within all 18 Critical Infrastructure and Key Resources (CIKR) Sectors, as well as State, Local, Tribal, and Territorial (SLTT) governments. The goal of the CRR is to develop an understanding of an organization’s operational resilience and ability to manage cyber risk to its critical services and assets during normal operations and during times of operational stress and crises." [1]

In this podcast, Kevin Dillon, Branch Chief for Stakeholder Risk Assessment and Mitigation with DHS and Matthew Butkovic, the CERT Division’s Technical Portfolio Manager for Infrastructure Resilience, discuss the DHS Cyber Resilience Review and how it is helping critical infrastructure owners and operators improve their operational resilience and security.

PART 1: PURPOSE AND SCOPE

History

Starting in 2009, DHS was seeking ways to partner with critical infrastructure owners and operators as well as state, local, tribal, and territorial governments to help them improve their cybersecurity and operational resilience - in essence, be better prepared to handle a disruptive cyber event.

The vast majority of critical infrastructures are owned and operated by private sector organizations.

DHS has a long standing relationship with the CERT Division at Carnegie Mellon University and wanted to use the CERT Resilience Management Model as the foundation for this effort.

Purpose

• their current security state
• how they manage critical services and the assets associated with these services
• the mission critical functions that the organization is delivering
• how to improve in the 10 domains that are the focus of the CRR
• how to improve their overall cyber resilience
• how to manage a “bad day” when a cyber risk to mission critical services occurs as a disruptive or stressful event
• the repeatability and effectiveness of their resilience processes

Another purpose is to provide DHS with visibility into an organization's ability to handle disruptive events.

The organizational roles that are likely to most benefit from a CRR are the Chief Information Officer (CIO), Chief Information Security Officer (CISO), Chief Security Officer (CSO), IT security staff, business continuity staff, and operational and physical/facility security staff.

The CRR has been used with organizations and security staffs of all sizes. The best fit is likely organizations that have sufficient staff with full time roles that align with the CRR domains.

Scope

The CRR is intended to be lightweight, repeatable, and portable. Another objective is to ensure it can be accomplished in a single day.

The 10 domains included in the CRR are:

• asset management
• configuration and change management
• risk management
• controls management
• vulnerability management
• incident management
• service continuity management
• external dependencies management
• training and awareness
• situational awareness

The asset types covered by the CRR are: people, information, technology, and facilities.

The CRR development team selected practices and goals from CERT-RMM process areas and translated them into a set of 269 questions that compose the CRR assessment method.

CRR questions address the presence or absence of a practice (answers are yes, incomplete, or no) as well as the maturity with which a practice is executed.

Questions focus on how processes, services, and assets are managed to be more resilient and secure – as contrasted with detailed technical controls such as those described in NIST 800-53.

PART 2: CONDUCT AND RESULTS

Conduct

A CRR occurs in one calendar work day. The DHS/CERT team travels to the critical infrastructure owner/operator’s site at their request. The CRR is conducted as a facilitated interview with the key cybersecurity personnel from the organization. The team asks all of the questions in the 10 domains, seeking yes, no, and incomplete as answers.

The CRR is conducted at no cost to the organization other than the time of participating personnel.

Results

The team develops a report that summarizes strengths and weaknesses in each domain as well as options for consideration (recommendations) that will help an organization improve. This report is provided within 30 calendar days of the site visit.

The CRR team briefs the organization on the findings and provides the opportunity for the organization to correct any mis-characterizations.

Results are presented as a series of heat maps and graphs that describe practice performance and maturity. In addition, the report includes a comparison of the organization's performance with all prior CRR participants. There is no identification of any organization by name. This is the most often requested result of a CRR, in answer to the question "How do I compare with my peers and the entire population of CRR participants?"

To date, more than 300 CRRs have been conducted with 12 of the 16 critical infrastructure sectors.

CRR results are afforded protection under the DHS Protected Critical Infrastructure Information Program (PCII). The CRR report is intended for owner/operator organization use only. No results are shared by DHS.

Organizations participate in a CRR voluntarily. They are typically seeking new and unique ways to manage their critical services. An organization is seldom surprised by the results, i.e., CRR findings usually confirm their current understanding. The response to CRRs conducted to date has been universally positive.

Benefits

A key benefit is providing a forum where staff in various roles can have the conversations that are the focus of the CRR. In addition, effective practices at one organization are shared with others, for example, the outline of a plan.

PART 3: ANALYSIS OF CRR DATA AND FUTURE PLANS

CRR Data Analysis

All CRR data is collected and handled in strict adherence to PCII. Data is aggregated and cannot be attributed to any participating organization.

The CRR is structured around the concept of critical services. So all questions are asked in relation to a specific activity. In the water sector this would be, for example, the purification and distribution of potable water.

The primary use of CRR data is for the site itself as described in Results above. The secondary use is to look for patterns and trends in the larger dataset. In concert with CMU researchers, the CERT team is discovering patterns and drawing insights and conclusions regarding cyber resilience performance in critical infrastructure organizations.

There are plans to share some of this data in the future. The data may include options for consideration, paths forward, and implementation guidance across critical infrastructure organizations, to help them improve their operational resilience.

Future Plans

These include:

• Cyber Resilience Workshops for representatives from 20-30 organizations or 20-30 staff members from a given organization that are not yet ready to participate in a CRR but are interested in learning more about it.
• offering effective practices and other improvement suggestions based on CRR observations.
• an increased focus on the management of external dependencies in the context of better managing supply chain risk.
• implementation guides for each of the ten domains, several of which have been developed. Such guides provide roadmaps for improvement linked to CRR results.

To obtain more information and to volunteer to participate in a CRR, send email to cse@hq.dhs.gov.

Resources

[1] Cyber Resilience Review description

U.S. Department of Homeland Security website

CERT Resilience Management Model website

CERT podcast: "Managing Disruptive Events: CERT-RMM Experience Reports," August 2013.