Armonk, NY 10504-1722
April 12, 2013
Ms. Diane Honeycutt
National Institute of Standards and Technology
100 Bureau Drive, Stop 8930
Gaithersburg, MD 20899
VIA EMAIL: cyberframework@nist.gov
Re: Developing a Framework to Improve Critical Infrastructure Cybersecurity RFI
Federal Register Docket No.: Docket Number 130208119-3119-01
To Whom It May Concern:
IBM appreciates the opportunity to respond to the National Institute of Standards and Technology Request for Information (RFI) on Developing a Framework to Improve Critical Infrastructure Cybersecurity, as well as the ongoing collaboration between government and stakeholders to address cybersecurity threats to our nation's most critical assets.

Securing large enterprises against cybersecurity threats is a significant undertaking and one that IBM understands first hand. Today, IBM secures the operations and proprietary information for a globally integrated enterprise spanning 150 countries, with more than 400,000 employees, 120,000 servers, and a half-a-million networked devices. In addition to securing our own global operations, we provide security services and solutions to virtually every sector of U.S. and global businesses and governments.

We have been directly involved in ongoing discussions and engagements with the U.S. government and other governments and clients around the world on the host of issues associated with cyberspace. These experiences inform our comments for the questions posed in the RFI.
IBM welcomes government-industry collaboration in addressing cybersecurity risks and commends the Administration for its outreach to the stakeholder community in developing and implementing the Executive Order. However, we counsel against a prescriptive, regulatory approach that does not adequately reflect the ever-changing nature of cyberspace. Businesses must adapt their risk management strategies faster than any regulatory process can move. Most problematic, in our view, would be a static, "check-the-box" compliance regime that would stifle innovation by encouraging firms to invest only in meeting rigid standards or practices that are outmoded before they can even be published. Not only would this fail to provide lasting improvements to the nation's collective security, it could easily result in a false sense of security.

The current cyber-threat environment evolves in real time and requires a continuous, complex, and layered approach to security that varies greatly across industry sectors. Many of the cyber issues faced by our clients differ greatly, change daily, and cannot be solved by an externally-imposed set of common responses. Therefore, IBM is particularly supportive of the provisions in the Executive Order that require the cybersecurity framework to be flexible, repeatable, technology-neutral, and consistent with voluntary international consensus-based standards and industry best practices. We are hopeful that the full implementation of the Executive Order will produce positive outcomes for our nation's security while also promoting the technological innovation needed to deter threats.
I. RISK MANAGEMENT PRACTICES
For any society and in any era, the issue of security is inextricably bound up with the nature and pace of change. And today, the pace of change – in business, politics, and technology – is accelerating exponentially.

This is not mild, episodic change; we are talking about "turbulent change." Economic disruptions, cyber attacks, political upheaval, technology leapfrogs, and natural disasters can occur almost without warning. Even anticipated change – driven by the availability of new computing models and new partnerships, mergers and acquisitions, or management initiatives – requires leaders to make decisions in the face of uncertainty in order to ensure continuing economic growth and expanded stakeholder value.

In the face of this uncertainty, how do we anticipate and prepare for everything that might happen? The answer is: we can't. Instead, we optimize our organizations for adaptability. It is those organizations that have learned to embrace change – and thrive on it – that have endured and prospered. They have discovered that it is possible not only to adapt quickly to turbulent and accelerated change, but to turn that agility into a competitive strength.
How does the management of security risk factor into this faster, smarter world? Clearly, that challenge is a priority for executives who cite:

- Concern about the security of technologies like cloud computing and mobile device adoption;
- Concern about the pervasiveness of data and the ability to effectively control its appropriate use and prevent inadvertent or deliberate exposure;
- Concern about the rapidly changing threat environment and confusion over how to effectively defend against increasingly sophisticated attackers using increasingly sophisticated tools;
- Growing concern around "bad actor" involvement in product (hardware or software) development, which has been fueled by incidences of counterfeit products, cyber espionage and other cyber crime via insertion of malware and malicious code;
- Frustration with a patchwork of costly and complex compliance requirements: the average enterprise is subject to hundreds of regulations;
- Concern about how to deploy effective security tools while also respecting employee privacy;
- Confusion on approach – seeking guidance about what constitutes effective security in a particular industry and the cybersecurity risk landscape;
- Concern about obtaining comprehensive and up-to-date assistance in acquiring and deploying effective security measures; and
- A general lack of security skill within the technical population and a specific lack of experienced security professionals available for hire.

As both an enterprise and leading security product and service provider, our experience indicates that those organizations displaying maturity in security risk management practices have a common characteristic: They have effectively aligned business strategy with security priorities through the leadership of a dedicated, empowered, security executive who manages enterprise security through operation of a pragmatic, risk-based security management program.
Organizational Structure: Elevation of the Risk Management Function

IBM believes that no other single action will do more to galvanize a new approach to security in an organization than the appointment and empowerment of a Chief Information Security Officer (CISO) or Vice-President of Information Technology Risk. This executive must have authority and responsibility for establishing and driving enterprise-wide cybersecurity programs. Regulators, governments, investors, employees, and customers will notice and appreciate the strong signal a CISO appointment sends about how seriously the organization takes security and privacy.

To be most effective, IBM recommends that the CISO position report directly to the corporate CEO, COO, CIO, or CFO and have responsibility and authority for:

- Identifying and prioritizing cybersecurity risks;
- Implementing and monitoring the performance of best practices;
- Setting and maintaining cybersecurity policies;
- Ensuring proper business and technical controls are implemented, tested, and kept current;
- Translating security challenges and opportunities into business language for regular consumption by the CEO, the Board of Directors, and other key senior leaders; and
- Ensuring ongoing workforce education and awareness of cybersecurity risks and best practices.
Comprehensive Risk Management: IBM Security Framework

While many organizations around the world have implemented traditional risk management programs to identify, assess, mitigate, monitor, and continually review risks within the financial, business, health and safety, physical security, or operational risk domains, typical approaches to cybersecurity risk management are less mature.

It is IBM's perspective that organizations need to manage cybersecurity risk with a structured operational risk management process that assesses business and IT risks that include: identifying key threats and compliance mandates; reviewing existing security risks and challenges; implementing and enforcing security risk management processes and common control frameworks; and executing incident management processes when crises occur. Security does not stop at organizational boundaries. Successful organizations need to implement and enforce security excellence across the extended enterprise by including key stakeholders, customers, partners, and suppliers.

In order to operate cybersecurity as a true enterprise function, management needs a framework within which to establish current security programs, understand the context and critical interdependencies, and set priorities accordingly. Such a framework is also used to identify gaps, monitor progress, and achieve other strategic security objectives, while ensuring security programs are fully coordinated with an organization's core business objectives and initiatives.

IBM's Security Framework is based on the principle that better security management is achieved when an entity is protected by not just one layer or one component, but by multiple, diverse mechanisms architected to achieve defense-in-depth. Built upon such internationally recognized IT security standards as ISO 27002:2005, ISO 15408, COBIT, and ITIL, the IBM Security Framework covers areas such as trusted and consistent identities, authentication and access control, information flow control, encryption of sensitive data at-rest and in-transit, audit and compliance, and network resiliency.

For a detailed description of the IBM Security Framework and Best Practices, see http://www.redbooks.ibm.com/abstracts/sg248100.html?Open
IBM recognizes that security for critical infrastructure often goes beyond the business and IT domains. Conventional enterprise IT security measures must be adapted and extended into the industrial process control systems, which involve a myriad of proprietary interfaces, protocols, and heterogeneous devices spread over a large geographic and governance space. One of today's biggest cybersecurity challenges is assuring that IT security controls are applied to these newly connected process control networks.
II. SPECIFIC INDUSTRY PRACTICES

Product and Service Assurance

The IBM development organization is global, with more than 60 laboratories and over 40,000 developers working to produce and support a range of hardware, premise software, and software services used throughout major industries and critical infrastructure. The process used by IBM, known as "Security Engineering," is an ongoing internal program designed to ensure that IBM designs, builds, and supports our products and services with security in mind.

For IBM, the development of products and services is characterized by maturity of practices in four pillars: (1) Structured Development Process; (2) Secure Engineering Framework; (3) Continuous Improvement Quality Management Program; and (4) a Supply Chain Security program. The Secure Engineering Framework pillar is further defined by a set of eight essential practices that are markers of success in the drive to build secure products. The essential practices are: Education & Awareness, Project Planning, Risk Assessment & Threat Modeling, Security Requirements, Secure Development, Security Testing, Security Documentation and Security Incident Response. This Framework represents practices that can be adopted in any style of development project, from waterfall, to iterative, to agile or DevOps.
Over the years, IBM saw that engineering processes as practiced by various organizations and various styles of development lacked the rigor required to provide requisite security assurance. As a result, IBM published the Secure Engineering Framework.[1] The IBM Secure Engineering Framework reflects best practices used for IBM software development and directs our development teams to give proper attention to security during the development lifecycle.[2] IBM believes that this Framework can act as a guideline for a wide range of solutions and industry, including critical infrastructure.

IBM receives a continuous stream of requests for information on how these practices are executed. In an effort to ensure transparency, IBM has been working with leading vendors from the information technology industry, U.S. Government agencies, and the business community to define open standards and an accreditation process applicable to Information and Communications Technology (ICT) vendors. A recent example is the Open Trusted Technology Provider Standard,[3] released by the Open Group, which describes requirements and practices in four areas of information technology development: Product Development Process, Secure Engineering Process, Secure Supply Chain, and Product Evaluation. IBM believes this type of approach can help demonstrate ICT vendor commitment to assurance of products and services.

As for vulnerability analysis for product and service development and delivery, IBM sees several continuing business and technical challenges. In many cases, these challenges are traceable to the acquisition, correlation and dissemination of vulnerability information to a diverse community that includes: stakeholders, ICT Development teams, and IT Service Operations teams. IBM believes a converged lexicon and taxonomy for Risks, Threat Vectors, Threats, Weaknesses, Vulnerabilities, Policies, and related concepts could advance the state of the art in Risk Analysis and Threat Modeling early in development projects.
III. INFORMATION SHARING AND INCIDENT RESPONSE

Risk management frameworks, organizational structures, and development of secure products are all key components for critical infrastructure security. However, capabilities to receive actionable threat data and appropriately and effectively respond to incidents are just as critical to improve our overall security posture.

[1] http://www.redbooks.ibm.com/redpapers/pdfs/redp4641.pdf
[2] http://www-03.ibm.com/security/secure-engineering/
[3] http://www.opengroup.org/ottf/
Information Sharing

The global economy has been transformed by massive amounts of data. Hundreds of billions of connected devices have created an enormous, invisible flow of digital "1s" and "0s" – a global gusher of information. Enterprises and institutions are analyzing this flow of streaming, unstructured data and acting upon those insights in real time. Companies, communities, and governments around the world are beginning to harness the power of Big Data to make smarter decisions, anticipate problems to resolve them proactively, and coordinate resources to operate more effectively. IBM sees this first hand, working with clients to use data analytics to drive intelligence into every aspect of their operations.

Real time data sharing and analytics are just as critical in the protection of infrastructure and organizations against cyber threats. In fact, the digital venue for cyber attacks – which piggyback on that flow of "1s" and "0s" to deliver their payload – makes real time data sharing all the more important. While individual entities each have a line of vision into their own networks, analyzing collective pools of data will greatly improve our chances at successfully connecting the dots to prevent damaging attacks. With cyber events occurring at light speed, it is clear that automation and real-time sharing of relevant information need to be built into the process.

Government-industry partnerships are a key aspect of effective information sharing. Industry partners, like IBM, can host and supply state-of-the-art analytics platforms, as well as share anonymized data feeds captured from ongoing internal security activities. Government can supply its own unique threat intelligence and serve as a trusted hub for coordinating across industry sectors. Taken together, the collaborative security intelligence streams will improve overall awareness of cyber threats and be used to advise critical infrastructure and other entities as to emerging threats and recommended responses.

The Executive Order takes a number of positive steps to increase the volume, timeliness, and quality of cyber threat information shared by the federal government with the private sector. But more needs to be done by Congress to address legal impediments and liability risks that are hindering the robust sharing of information by private sector organizations. The sooner actionable information about cybersecurity threats is shared, the faster it can be used to help protect the public. Today, however, even the most security-conscientious businesses may hesitate to bring forward that information in a timely way due to liability concerns, even when they, too, are being victimized. Treating such organizations as allies rather than accomplices will help them step forward – in the interests of their clients, employees, the nation, and themselves.
Coordinated Cybersecurity Incident Response

An effective incident response capability is another key element of any cybersecurity strategy. Without an incident response plan, there is more risk that a cyber attack will cause greater damage – either because the attack is not discovered in time or because appropriate mitigation actions are not followed upon discovery. A centralized and well-publicized incident reporting mechanism, as well as written incident response procedures that define roles and responsibilities, are central features. Forensic and other investigative capabilities also should be resourced, either internally or with a third party vendor. For example, IBM has its own internal Computer Security Incident Response Team, and also provides similar services and expertise to its customers through IBM's Emergency Response Service Unit.

At a national level, incident response for significant cyber events affecting critical infrastructure will necessarily involve federal, state, and local government, as well as non-government entities. It is important that incident response in such large-scale events is not weighed down by complexity and bureaucracy, but rather is able to adapt nimbly to rapidly changing events and provide timely, actionable information to relevant parties, including private entities and state and local officials.