Cybersecurity for Government The purpose of the Cybersecurity Protection Plan and RIEMA's Cybersecurity Program is to lead Rhode Island’s effort to protect critical cyber infrastructure from all hazards by identifying and managing physical/cyber risks and enhancing resilience through collaboration with the public and private sector critical infrastructure communities. It is the goal of the Rhode Island Cybersecurity Protection Plan to protect against and detect malicious cyber activity, conduct technical counter-measures against existing and emerging cyber-based threats and effectively recover from cyber-attacks in order to ensure the security, reliability, integrity and availability of Rhode Island’s electronic systems and services. Background On February 12, 2013, President Obama issued Executive Order 13636, Improving Critical Infrastructure Cybersecurity, which calls for the development of a voluntary risk-based Cybersecurity Framework – a set of industry standards and best practices to help organizations manage cybersecurity risks. The resulting Framework, created through collaboration between government and the private sector, uses a common language to address and manage cybersecurity risk in a cost-effective way based on business needs without placing additional regulatory requirements on businesses. Recognizing the role that the protection of privacy and civil liberties plays in creating greater public trust, the Executive Order requires that the Framework include a methodology to protect individual privacy and civil liberties when critical infrastructure organizations conduct cybersecurity activities. The Framework complements, but does not replace, an organization’s risk management process and cybersecurity program. The organization can use its current processes and leverage the Framework to identify opportunities to strengthen and communicate its management of cybersecurity risk while aligning with industry practices. Alternatively, an organization without an existing cybersecurity program can use the Framework as a reference to establish one. Pursuant to Executive Order 13636, the National Institute of Standards and Technology (NIST) developed the “Framework for Improving Critical Infrastructure Cybersecurity”. The Framework is a risk-based approach to managing cybersecurity risk and is composed of three parts: the Framework Core, the Framework Implementation Tiers, and the Framework Profiles. Each Framework component reinforces the connection between business drivers and cybersecurity activities. Development of the Rhode Island Cybersecurity Protection Plan will be based on Executive Order 13636 and the NIST Framework for Improving Critical Infrastructure Cybersecurity. Challenges Security Vulnerabilities Security vulnerabilities are rampant. The Computer Emergency Readiness Team is a federal team that reports about a hundred new security vulnerabilities each week. It becomes difficult to manage the security of an enterprise network (with hundreds of hosts and different operating systems and applications on each host) in the presence of software vulnerabilities that can be exploited. Cyber Attackers Cyber attackers can launch multi-step and multi-host attacks that can incrementally penetrate a network with the goal of eventually compromising critical systems. It is a challenging task to protect the critical systems from such attacks. Complexity of Attacks Current attack detection methods cannot deal with the complexity of attacks. Computer systems are increasingly under attack. When new vulnerabilities are reported, attack programs are available in a short amount of time. Traditional approaches to detecting attacks (i.e. using an Intrusion Detection System) have problems such as too many false positives, limited scalability and limits on detecting. Cyber Assets Cyber assets include programmable electronic devices and communication networks such as hardware, software, and data. Examples of such assets are desktop, laptop, and mainframe computers, cloud providers, and server farms. A more comprehensive list of cyber assets includes: Control systems made up of devices or sets of devices that act to manage, command, or regulate the behavior of processes, devices, or other systems. Data acquisition systems, collections of communication links that act to sample, collect, and provide data regarding the facility’s systems to a centralized location for display, archiving, or further processing. Networking equipment including modems, switches, firewalls, routers and hubs. Hardware platforms running virtual machines or virtual storage. Cyber Disruption Incident Unauthorized access to servers, networks, and computer systems to obtain or destroy information; gain control of a trusted host; or otherwise perform unlawful or unethical acts are prohibited by Federal and/or State laws. Cyber incidents may include the following: An organized attack An uncontrolled exploit, such as a virus or worm, which causes a widespread impact to public safety or economy A natural disaster with significant cyber consequences Other incidents capable of causing extensive damage to critical infrastructure Inadequate or improper information technology maintenance, security and/or design The results of these incidents can lead to the loss of mission critical information, unavailability of information and systems that support the private sector, critical infrastructure, public health, economic institutions, and all other organizations that sustain and provide critical services to Rhode Island citizens. Cyber incidents can endanger vital control systems for other infrastructure such as energy generation, transmission, and distribution. Additional Resources State Resources RIEMA Cybersecurity RI Cyber Disruption Team RI Department of Information Technology Federal Resources Critical Infrastructure Cyber Community Voluntary Program Computer Emergency Readiness Team Cybersecurity Framework National Cybersecurity & Communications Integration Center National Institute of Standards & Technology National Vulnerability Database Assessment Tools Cybersecurity Evaluation Tool Cyber Resilience Review Internet Crime Complaint Center