Metrics to measure response and recovery methods for severe cyber security incidents (that could lead to “black out” events for Critical Infrastructure and Key Resources) need traceable integration within incident management systems and should be offered as a solution as part of the Executive Order 13636 Cybersecurity Framework.

1. 1
Towards measuring private infrastructure operators’
use of comprehensive incident management techniques
to reduce overall risk to the organization and community
Part three of a series
July 2013
Author: Dave Sweigert, M.Sci., CISSP, CISA, PMP
ABSTRACT
Metrics to measure response and recovery methods for severe cyber security
incidents (that could lead to “black out” events for Critical Infrastructure and Key
Resources) need traceable integration within incident management systems and
should be offered as a solution as part of the Executive Order 13636
Cybersecurity Framework.
Background
In September 2011 the San Diego
skyline went dark and nearly seven (7)
million people went without electrical
power in a severe blackout incident that
hit Arizona, California, Colorado and
Mexico. Traffic lights went dark while
trains were held in a standstill in Los
Angeles County. Local residents were
issued boil water notices due to sewage
back-ups (caused by failing pumps).
Perishable food losses at supermarkets,
for the one day event, totaled $12 to $18
million. An electro-mechanical single
point of failure (SPF) in North Gila,
Arizona caused the event.
***
Preventing severe incidents caused by
technology is one of the goals of the
White House as expressed in Executive
Order 136361
. It purports to strengthen
the protection of Critical Infrastructure
and Key Resources (CIKR)2
, albeit via
voluntary compliance with a proposed
Cybersecurity Framework (CSF)).
By sponsoring an effort to achieve
industry-consensus of already existing
standards, the White House hopes to
enable a better risk management
1
Executive Order -- Improving Critical Infrastructure
Cybersecurity, 2/12/2013. See: Sec. 7. Baseline
Framework to Reduce Cyber Risk to Critical
Infrastructure
2
Critical Infrastructure: Assets, systems and
networks, whether physical or virtual, so vital to the
United States that the incapacity or destruction of
such assets, systems or networks would have a
debilitating impact on security, national economic
security, public health or safety, or any combination
of those matters.
Key resources: Publicly or privately controlled
resources essential to the minimal operations of the
economy and the government.

2. 2
approach with the CSF for CIKR
operators.
E.O. 13636 directs executive agencies
with cybersecurity responsibilities to (1)
share information with private sector
and owner-operators to develop
processes that can help address cyber
security risks; and (2) review and report
on the current appropriateness of their
current cyber efforts; quoting in relevant
part:
“..Explore the use of existing regulation
to promote cyber security ..”
To date, E.O. 13636 industry-consensus
building exercises (coordinated by the
U.S. National Institute of Standards and
Technology (NIST)) have parsed a
dozen cybersecurity compliance
standards into a “framework” to support
the goal of an integrated approach to
risk management. NIST calls this
approach the Framework Core.
Core of the Framework
As an example of the Framework Core,
NIST has released a draft example that
is comprised of the following major
categories of risk management
measurement.
KNOW
PREVENT
DETECT
RESPOND
RECOVER
These over-arching categories are
explained on the NIST CSF web-site;
quoting in relevant part:
“…The Framework Core offers a way to
take a high-level, overarching view of an
organization’s management of
cybersecurity risk by focusing on key
functions of an organization’s approach
to this security…” and “the Framework
should assist an organization to align
and integrate cybersecurity-related
policies and plans, functions, and
investments with the enterprise’s overall
risk management..” 3
To illustrate, NIST has taken the
regulatory enforcement standards of the
Bulk Electricity System (BES), known as
the Critical Infrastructure Protection
(CIP) 4
Reliability Standards, and has
parsed them into one of the five
categories (KNOW, PREVENT,
DETECT, RESPOND, RECOVER
(KPDRR)).
The BES is already a heavily regulated
industry that lives under a mandatory
enforcement, auditing and compliance
oversight framework empowered by the
Federal Energy Regulatory Commission
(FERC), which approves standards
created by the North American Electric
Reliability Corporation (NERC). CIP
Reliability Standards are part of that
existing compliance structure.
3
http://www.nist.gov/itl/upload/draft_outline_preli
minary_framework_standards.pdf
4
North American Electric Reliability Corporation’s (NERC)
Critical Infrastructure Protection (CIP) Standards for Cyber
Security

3. 3
In the NIST “RESPOND” category of the
Core Framework the CIP Reliability
Standard for Recovery Plans is listed,
CIP-009-3; Requirement 1 (CIP-009-3
R1). Quoting the standard in relevant
part:
“..Standard CIP-009-3 ensures that
recovery plan(s) are put in place for
Critical Cyber Assets and that these
plans follow established business
continuity and disaster recovery
techniques and practices...”.
From a risk management framework
(RMF) perspective5
, it would appear that
the CIP-009-3 Reliability Standard
mandates the integration of incident
action plans that address “Critical Cyber
Assets” with those incident response
plans that address “.. disaster recovery
(DR) techniques and practices ..”.
However, no specific consensus-
developed standards seem to be widely
available to guide the development of
CIP-009-3 measured “DR practices”.
The lack of tangible DR metrics to
measure “DR practices” (presumably in
the form of standards or guidelines)
introduces uncertainty into the
measurement of gaps. Consequently,
the subsequent planning of an
appropriate risk response becomes
problematic.
5 NIST 800‐37: Guide for Applying the Risk Management
Framework
Identifying risk management metrics
to integrate cybersecurity with in a
larger incident response
In the context of framing cyber security
risks to the BES, each private individual
operator is only concerned with their
organization’s risk. An individual private
CIKR operator is not required to assess
downstream, cascading circumstances
caused by their equipment malfunctions.
The “Electricity Subsector Cybersecurity
Risk Management Process (RMP)
guideline” (published jointly by NIST,
NERC, and the U.S. Department of
Energy (May 2012)) describes the
paradox of conducting risk management
of varying individual DR plans.
“..During the risk framing element,
organizations may have provided
guidance on how to analyze risk and
how to determine risk …The degree to
which business continuity and disaster
recovery are supported by the
organization may be different for each
mission function and business process
application…”
It would be helpful to have clear and
unambiguous metrics to determine if the
degree of integration between cyber
security incident response plans and DR
or business continuity (BC) plans are
appropriate.
Unfortunately, the current CIP Reliability
Standards are focused on compliance at
individual private-operator facilities – not

4. 4
on interconnecting BES infrastructure
outside the facility Electronic Security
Perimeter (ESP). Cyber Assets outside
the ESP are exempted from compliance
in several (if not all) CIP Reliability
Standards. This exemption includes:
“..Cyber Assets associated with
communication networks and data
communication links between discrete
Electronic Security Perimeters…”6
There appears to be no clearly defined
metrics to measure KPDRR capabilities
addressing how private-individual CIKR
operators could accommodate a region
wide severe incidents that would be
presumably addressed in DR or BC
plans; whether caused by Cyber Assets
outside the ESP, other manmade
disasters, natural disasters, etc.
Towards an integrated approach to
CIKR resiliency risk measurement
Integrated planning for the potential for
severe incidents (external to the private-
operator CIKR) with a standards-based
response protocol (multi-disciplinary in
nature) seems to address the apparent
gap in measuring responsiveness to a
severe incident.
Emergency Management (EM) is the
traditional domain that has been relied
upon to address KPDRR management
issues for severe incidents; regardless
6
CIP-003-4, “4.2. The following are exempt from
Standard CIP-004-3:” Also, CIP-004-3, CIP-005-3,
etc.
of the source of the incident. As
explained in the Energy Sector Specific
Plan, an Annex to the National
Infrastructure Protection Plan (NIPP),
the EM capabilities developed by the
U.S. Department of Homeland Security
(DHS) include the National Incident
Management System (NIMS) and the
National Response Framework (NRF);
quoting, in relevant part, the strategic
need for:
“comprehensive emergency, disaster,
and continuity of business planning”7
.
Only publicly controlled CIKR operators
are presently required to develop EM
plans that address NIMS and the NRF
as they are under the influence of DHS8
.
One wonders if a NIMS/NRF maturity
model could augment the CSF RMF,
and if that could be successfully applied
by private operators to measure risk.
About the author: Dave Sweigert,
CISSP, CISA, PMP, holds Master’s
degrees in Information Security and
Project Management. A graduate of the
National Fire Academy (NFA) Incident
Management Team (IMT) course, he is
a practitioner of ICS/NIMS in his role of
assisting private organizations in
institutionalizing ICS/NIMS into their
cyber response plans.
7
2010 Energy Sector-Specific Plan, Page 8
8 Note: as described in the first paper of this series, the
U.S. Department of Health and Human Resources (DHHS)
required health care facilities to adopt a NIMS-based
management plan for EM (see Incident Command System).