Cyber Security Risk Management

TheCommunicationsSecurity,ReliabilityandInteroperabilityCouncilIV WorkingGroup4FinalReport March2015

1

CYBERSECURITYRISKMANAGEMENTANDBESTPRACTICES

WORKINGGROUP4:FinalReportMarch2015


2

TABLEofCONTENTSI. EXECUTIVESUMMARY......................................................................................4

A. VoluntaryMechanisms...............................................................................6B. GuidancetoIndividualCompaniesontheUseoftheNISTFramework.....8C. CommunicationSectorCommitmenttoAdvancingCybersecurityRisk

Management.........................................................................................10II. INTRODUCTION...............................................................................................11III. BACKGROUND.................................................................................................13

A. CSRICStructure........................................................................................15B. LeadershipTeam......................................................................................16C. WorkingGroup4TeamMembers............................................................16

IV.OBJECTIVE,SCOPE,ANDMETHODOLOGY.......................................................19A. Objective..................................................................................................19B. Scope........................................................................................................20C. Methodology............................................................................................21

V. FINDINGS.........................................................................................................24A. MacroLevelAssuranceFindings..............................................................24B. VoluntaryMechanismsFindings..............................................................25C. UseoftheNISTCybersecurityFrameworkoranEquivalentConstruct

Findings.................................................................................................25D. MeaningfulIndicatorsFindings................................................................25E. CommunicationsSectorImplementationGuidanceFindings..................26

VI.CONCLUSIONS.................................................................................................27A. MacroLevelAssuranceConclusions........................................................27B. VoluntaryMechanismsConclusions.........................................................27C. UseofNISTCybersecurityFrameworkorEquivalentConstructConclusions

..............................................................................................................28D. MeaningfulIndicatorsConclusions..........................................................28E. CommunicationsSectorImplementationGuidanceConclusions............28

VII.RECOMMENDATIONS......................................................................................30A. MacroLevelAssuranceRecommendations.............................................30B. VoluntaryMechanismsRecommendations..............................................30C. UseofNISTCybersecurityFrameworkorEquivalentConstruct

Recommendation..................................................................................31D. MeaningfulIndicatorsRecommendations...............................................31E. CommunicationsSectorImplementationGuidanceRecommendations.31


3

VIII.ACKNOWLEDGEMENTS.................................................................................33IX. REPORTS&SEGMENTS....................................................................................34

9.1BROADCASTSEGMENT.........................................................................359.2CABLESEGMENT...................................................................................629.3SATELLITESEGMENT.............................................................................919.4WIRELESSSEGMENT...........................................................................1189.5WIRELINESEGMENT...........................................................................1679.6REQUIREMENTSANDBARRIERSTOIMPLEMENTATION.....................2029.7CYBERECOSYSTEMANDDEPENDENCIES............................................3219.8MEASUREMENT..................................................................................3559.9SMALLANDMEDIUMBUSINESS.........................................................3709.10TOPCYBERTHREATSANDVECTORS.................................................398


4

I. EXECUTIVESUMMARYCSRICIVWorkingGroup4(WG4)wasgiventhetaskofdevelopingvoluntarymechanismsthatgivetheFederalCommunicationsCommission(FCC)andthepublicassurancethatcommunicationprovidersaretakingthenecessarymeasurestomanagecybersecurityrisksacrosstheenterprise.1WG4alsowaschargedwithprovidingimplementationguidancetohelpcommunicationprovidersuseandadaptthevoluntaryNISTCybersecurityFramework2(hereinafterNISTCSF).WorkingGroup4beganitsworkshortlyaftertheCommunicationsSector3completedahighlycollaborative,multistakeholderprocessthatresultedintheNISTCSFVersion1.04thatwascalledforinthePresidentsExecutiveOrder13636ImprovingCriticalInfrastructureCybersecurity.5ThesectorsparticipationinCSRICWG4wasseenasanopportunitytoassumetheleadershipurgedbyFCCChairmanTomWheelerinaspeechdeliveredtotheAmericanEnterpriseInstituteinJune2014.6BybuildingonthecrosssectorNISTCSFandbyframingitsapplicabilitytofivemajorcommunicationsindustrysegments,theWorkingGroupwasabletoformulateandcommittoseveralvoluntarymechanismsthatprovidethemacrolevelassurancessoughtbytheFCC.Moreover,thesemechanisms,combinedwiththeinsights,tools,guidance,andfactbasedanalysesdevelopedbyover100cybersecurityprofessionalswhoparticipatedinayearlongefforttoproducethisreport,validatetheadvantagesofanonregulatoryapproachoveraprescriptiveandstaticcomplianceregime.7WG4organizeditselfintofivesegmentsubgroupsrepresentingthefivekeypartsofthecommunicationindustry.TheirrepresentativeswereencouragedtopursueindependentevaluationsoftheCSRICWG4chargebasedontheirownoperatingenvironments.Thefivesegmentsincluded:

1SeeFederalCommunicationsCommission,CSRICIVWorkingGroupDescriptionsandLeadership(2013),availableathttp://transition.fcc.gov/pshs/advisory/csric4/wg_descriptions.pdf.2SeeNationalInstituteforStandardsandTechnology,FrameworkforImprovingCybersecurity,79FR9167(Feb.18,2014)[hereinafterNISTCSF],availableathttp://www.nist.gov/cyberframework/upload/cybersecurityframework021214.pdf.3Forpurposesofthisreport,theCommunicationsSectoriscomprisedoffiveindustrysegmentsincludingbroadcast,cable,satellite,wireless,andwirelinenetworkserviceproviders.4SeeNISTCSF.5SeeExec.OrderNo.13,691,PromotingPrivateSectorCybersecurityInformationSharing,80FR9347(Feb.13,2015)[hereinafterEO13691].6SeeRemarksofFCCChairmanTomWheeler,AmericanEnterpriseInstitute,June12,2014,availableathttp://www.fcc.gov/document/chairmanwheeleramericanenterpriseinstitutewashingtondc[hereinafterChairmanWheelersRemarks]([T]henetworkecosystemmuststepuptoassumenewresponsibilityandmarketaccountabilityformanagingcyberrisks.).7Id.(statementofChairmanTomWheeler)([W]ecannothopetokeepupifweadoptaprescriptiveregulatoryapproach.Wemustharnessthedynamismandinnovationofcompetitivemarketstofulfillourpolicyanddevelopsolutions.Wearethereforechallengingprivatesectorstakeholderstocreateanewregulatoryparadigmofbusinessdrivencybersecurityriskmanagement.).


5

Broadcast:Therearemorethan15,000radiosand1,700televisionsbroadcastingfacilitiesintheUnitedStates,providingnews,emergencyinformationandotherprogrammingservicesovertheairtoconsumers.8

Cable:Thecableindustryiscomposedofapproximately7,791cablesystems9thatofferanaloganddigitalvideoprogrammingservices,digitaltelephoneservice,andhighspeedInternetaccessservice.

Satellite:Satellitecommunicationssystemsuseacombinationofspacebasedinfrastructureandgroundequipmentcapableofdeliveringdata,voice,video,andbroadcastcommunicationstoanypersonintheU.S.,itsterritories,andanywhereontheglobe.

Wireless:TheWirelessindustrydeliversadvancedwirelessbroadbandservicesthatincludedata,voiceandvideotomorethan335millionactivewirelessdevicesnationwide,includingmorethan175millionsmartphones,25milliontablets,and51milliondataonlydevices.10Thereareapproximately160facilitiesbasedwirelesscarriers11inUnitedStatesthatoperateandmaintainmorethan304,360cellsites12thatcollectivelyprovidethemostadvanced4Gtechnologydeploymentintheworld.

Wireline:Over1,000companiesofferwireline,facilitiesbasedcommunicationsservicesintheUnitedStates.13WirelinecompaniesserveasthebackboneoftheInternet.

WG4alsoestablishedfivefeedersubgroupstoengageinadeeper,morefocusedanalysisofsubjectmatterareasthatwouldhelpthecommunicationssectorsegmentsevaluatetheircybersecurityriskenvironment,posture,andtolerance.Toensurethatthevoluntarymechanismsandsectorguidanceweregroundedinfacts,thoughtfuljudgments,andpracticalintheirdesign,thefollowingfeedertopicswereexamined:

CyberEcosystemandDependencies TopThreatsandVectors FrameworkRequirementsandBarriers

8NationalAssociationofBroadcasters,LegislativePriorities111thCongress,4,availableathttp://nab.org/documents/advocacy/NAB_111th_Legislative_Priorities.pdf.9SeeU.S.CommunicationsSectorCoordinatingCouncil,TheCommunicationsSector,http://www.commscc.org/(lastvisitedMarch13,2015).10CellularTelephoneIndustriesAssociation(CTIA),WirelessIndustryIndicesReportYearEnd2013133(June2014).11FederalCommunicationsCommission,LocalTelephoneCompetition:StatusasofDecember31,2013,29(Oct.2014),availableathttp://transition.fcc.gov/Daily_Releases/Daily_Business/2015/db0219/DOC329975A1.pdf.12CellularTelephoneIndustriesAssociation(CTIA),WirelessAnnualWirelessIndustrySurvey,http://www.ctia.org/yourwirelesslife/howwirelessworks/annualwirelessindustrysurvey(lastvisitedMar.132015).13Seeid.


6

SmallandMediumBusinesses Measurements

Eachofthesegmentsubgroups,informedbythefindingsofthetopicalfeedersubgroups,evaluatedtheapplicabilityoftheNISTCybersecurityFrameworks98subcategoriestotheirsegment,prioritizedtheapplicablesubcategoriesonanillustrativebasis,andassessedthechallengesofimplementationandeffectivenessforeachapplicablesubcategory.ThesegmentandfeedersubgroupfindingsandresultingNISTCybersecurityFrameworkimplementationguidancearecontainedintheappendicestothisreport. ThekeymacrolevelassurancesdevelopedbyWG4weredesignedtodemonstratehowcommunicationsprovidersareappropriatelymanagingcybersecurityrisksthroughtheapplicationoftheNISTCybersecurityFramework,oranequivalentconstruct.TheFCCdescribedthedesiredcharacteristicsoftheassurancesas:14

Tailoredbyindividualcompaniestosuittheiruniqueneeds,characteristics,andrisks; Basedonmeaningfulindicatorsofsuccessfulcyberriskmanagement;and Allowingformeaningfulassessmentsbothinternallyandexternally.

A. VoluntaryMechanismsAsevidenceoftheCommunicationsSectorscommitmenttoenhancecybersecurityriskmanagementcapabilitiesacrossthesectorandthebroaderecosystem,andtopromoteuseoftheNISTCSF,CSRICrecommendsthreenewvoluntarymechanismstoprovidetheappropriatemacrolevelassurances:

FCCinitiatedconfidentialcompanyspecificmeetings,orsimilarcommunicationformatstoconveytheirriskmanagementpractices.ThemeetingswouldbecoveredbyprotectionsaffordedundertheProtectedCriticalInfrastructureInformation(PCII)15administeredbytheDepartmentofHomelandSecurity(DHS);

AnewcomponentoftheCommunicationsSectorAnnualReportthatfocusesonsegmentspecificcybersecurityriskmanagement,highlightingeffortstomanagecybersecurityriskstothecorecriticalinfrastructure;and

ActiveanddedicatedparticipationinDHSCriticalInfrastructureCyberCommunityC3VoluntaryProgram,16tohelpindustryincreasecybersecurityriskmanagementawarenessanduseoftheFramework.

14Seesupranote1,at4.15SeeDepartmentofHomelandSecurity,ProtectedCriticalInformationProgram,http://www.dhs.gov/protectedcriticalinfrastructureinformationpciiprogram(lastvisitedMar.13,2015)[hereinafterPCIIProgram].16SeeDepartmentofHomelandSecurity,AbouttheCriticalInfrastructureCyberCommunityCVoluntaryProgram,http://www.dhs.gov/aboutcriticalinfrastructurecybercommunityc%C2%B3voluntaryprogram(lastvisitedMar.13,2015)[hereinafterDHSC3VoluntaryProgram].


7

1) ConfidentialCompanySpecificMeetings:Thesectorsupportsthedevelopmentofavoluntaryprogramforperiodicmeetings,oranalternativemeansofcommunicationsamongtheFCC,DHS,andindividualcompaniesthatagreetoparticipate.ThepurposeofthesemeetingswouldbetodiscusseffortsbytheorganizationstodevelopriskmanagementpracticesconsistentwiththeNISTCybersecurityFrameworkorequivalentconstructs.Duringthemeetings,theparticipatingcompanieswouldshareinformationregardingcyberthreatsorattacksontheircriticalinfrastructure,andtheorganizationsefforttorespondorrecoverfromsuchthreatsorattacks.CompaniesthatchoosetoparticipateinthisprogramwouldbeaffordedtheprotectionsthataregivenbythefederalgovernmenttocriticalinfrastructureownersandoperatorsunderthePCIIprogramoralegallysustainableequivalent.Thisvoluntarymechanismrepresentsanewlevelofindustrycommitmentintendedtopromoteadditionaltransparency,visibility,anddialoguewithappropriategovernmentpartnersandourregulatorintheareaofcybersecurityriskmanagement.

2) SectorAnnualReport:TheSectorrecognizesthattheincreasingfrequency,

sophistication,anddestructivenatureofcyberattacksspursconcernsaboutwhatcompaniesaredoingtomanagetheircybersecurityrisks.WG4initiatedtheMeasurementsubgrouptoanalyzehowtobestdemonstratetheoverallstateofcybersecuritywithinthecommunicationssector.TheMeasurementsubgrouprecommendsthattheCommunicationsSectorCoordinatingCouncil(CSCC),astheofficialinterfaceforthesectorcanincludeinformationonthecybersecurityofcriticalcommunicationsnetworkinfrastructureinfuturedraftsoftheSectorAnnualReport(SAR)startingin2015.TheSARwouldthenbeprovidedtoDHS,whichisthecommunicationssectorsSSA,andtheGovernmentCoordinatingCouncil(GCC),whichincludestheFCC.ThisnewvoluntarymechanismreflectsamaterialenhancementtotheexistingSARbecauseitwouldprovidegreaterinsightintothethreatsposedtothesector,andtheactionstakentoensurecontinuedavailabilityofthecorenetworkinfrastructureandthecriticalservicesthatdependonitsavailabilityandintegrity.

3) ActiveParticipationinDHSC3OutreachandEducation:TheDepartmentof

HomelandSecurityoverseesaprogramthatitcreatedinresponsetoadirectivecontainedinExecutiveOrder13636.DHScreatedtheCriticalInfrastructureCyberCommunityCVoluntaryProgramaspartofwhatitdescribesasaninnovativepublicprivatepartnershipdesignedtohelpaligncriticalinfrastructureownersandoperatorswithexistingresourcesthatwillassisttheireffortstoadopttheCybersecurityFrameworkandmanagetheircyberrisks.17TheProgramemphasizesthreeCs:

17SeeDHSC3VoluntaryProgram.


8

ConvergingcriticalinfrastructurecommunityresourcestosupportcybersecurityriskmanagementandresiliencethroughuseoftheFramework;

Connectingcriticalinfrastructurestakeholderstothenationalresilienceeffortthroughcybersecurityresilienceadvocacy,engagement,andawareness;and

Coordinatingcriticalinfrastructurecrosssectoreffortstomaximizenationalcybersecurityresilience.

TheCommunicationsSectorhasalreadyparticipatedindevelopmentactivitiesandwasrecentlyfeaturedinthefirstofaseriesofCwebinarswhereCSRICWorkingGroup4activitiesweredescribed.18ToadvancetheuseoftheFrameworkthroughtheimplementationguidancecontainedinthisreportandfromothersources,thecommunicationssectorwilldevelopaseriesofwebinarsandotherreferencematerials.Thegoalistoincreaseawarenessbysectorenterprises,guidetheiruseoftheNISTCSFandexplaintheinnovativeprocesses,solutions,andlessonslearnedfromthecommunicationsectorsleadersinusingtheFramework.

B. GuidancetoIndividualCompaniesontheUseoftheNISTFrameworkChargedwithprovidingimplementationguidancetofacilitatetheuseandadaptationofthevoluntaryNISTCybersecurityFrameworkbycommunicationsproviders,theWG4membersdevelopedandappliedavarietyofanalyticaltoolsandmethodsthatcouldserveasaprimerforcompanieswhenreviewingtheirownriskmanagementprocesses.TheNISTCSFVersion1.0offersorganizationsdirectionwhentheyareimplementingorenhancingtheircybersecurityriskmanagementprogram.Inaddition,thereportprovidesinformativereferencesthatincludeleadingcybersecurityprotocols,resources,andtools.NISTemphasizedthevoluntarynatureoftheFramework,notingthatitisdesignedtousebusinessdriverstoguidecybersecurityactivitiesandtomanagecybersecurityriskinacosteffectivewaybasedonbusinessneedswithoutplacingadditionalregulatoryrequirementsonbusinesses.19Whilethisreportincorporatesfindings,conclusions,andrecommendationsrelatedtoguidingindividualcompaniesontheuseoftheFramework,manycommunicationscompanieshavelongstandingandmaturecybersecurityriskmanagementcapabilitiesandotherswithinthecommunicationssectordidnotwaitforthisreporttobefinalizedbeforebeginningtheirevaluationoftheapplicabilityoftheFrameworkcomponentstotheirenterprise.Reducingcybersecurityriskbyimplementingwidelyrecognizedstandardsandguidelines20hasbeenahallmarkofcommunicationsindustrypractice,andissupportedby

18SeeDepartmentofHomelandSecurity,CCubedVoluntaryProgram,https://share.dhs.gov/p1qqp8dvu34/(lastvisitedMar.13,2015).19SeeNISTCSF.20SeeGovernmentAccountabilityOffice,CriticalInfrastructureProtectionCybersecurityGuidanceisAvailable,butMoreCanBeDonetoPromoteItsUse(Dec.2011),availableathttp://www.gao.gov/assets/590/587529.pdf.


9

exceptionallyhighlevelsofserviceavailability.21Notwithstandingthisfact,theNISTFrameworkisaseminaldocumentinorganizingriskmanagementactivitiesacrossabroadgloballandscape.Over100professionalsfromacrossthecommunicationssectorandthebroaderstakeholdercommunityhaveworkedtirelesslyoverthepast12monthstoproduceareportwithrecommendationsonFrameworkusewhichshouldhaveimmediateandpracticalvalueforindividualsectorcompaniesandotherkeystakeholders.

1) Governance:TheNISTFrameworkemphasizestheimportanceoftakingaholistic

approachtocybersecurity,viewingitasanenterprisewide,strategicriskmanagementmatter,ratherthanasanarrowinformationtechnology(IT)ornetworkmanagementdomain.

Whenmanagingcybersecurityrisks,itisessentialtoincorporateariskgovernanceprocessintotheprogram.Thekeyobjectiveistoensurethataninclusive,independent,andholisticassessmentofthecurrentandfutureenterpriseriskpostureisroutinelyundertaken,andtoaligntheenterprisesbusinessmissionwithsoundandeffectivecybersecuritypractices,protocols,andtools.Formanycompanies,establishmentofadedicatedcrossenterprisecybersecurityriskgovernancefunctioncanfacilitatethiskeyobjective.Suchagovernanceauthorityshouldbesufficientlyrepresentativeoftheorganizationtoachievethefollowing:

Identifypotentialrisksandavarietyofrisktoleranceperspectives; Applyindependenceandauthoritytoriskmanagementactivities; Ensuretransparencythroughtheriskdecisionmakingandimplementation

process; Defineandcommunicatetheenterprisesrisktolerance;and Continuallyadaptandassesscybersecurityriskmanagementgoalsand

objectives.Whilethespecificstructureandoperationalpracticesofthesegoverningbodiescanandwillvaryamongindividualcompanies,thefoundationalprincipleisthateverycompanyshouldtreatcybersecurityasakeycomponentofoverallenterpriseriskmanagement.

2) NISTCSFImplementationRecommendations:TheWG4industrysegmentsubgroupreportsintheappendicestothisreportprovideconcreteguidanceonhowtousetheFrameworkcanbolstercyberreadiness.EachWG4segmentsubgroupreportsurveysinfrastructurecoreassetsandcriticalservices,andalsoemploysusecases,allwiththeaimofofferingguidanceinhowtoincorporatetheriskmanagement

21SeeFederalCommunicationsCommission,NetworkOutageReportingSystem(NORS),http://transition.fcc.gov/pshs/services/cip/nors/nors.html(lastvisitedMar.13,2015)(awebbasedfilingsystemthroughwhichcommunicationsproviderscoveredbyC.F.R.Part4reportingrulessubmitoutagereportstotheFCC,andallowstheFCCtoperformanalysesandstudiesofthecommunicationsdisruptionsreported).


10

protocolsandpracticesreferencedintheFrameworkwiththeoperatingenvironmentoftherespectiveindustrysegment.

Inadditiontothesegmentspecificguidanceprovidedtobroadcast,cable,satellite,wirelessandwirelinecompaniesthroughtheindustrysegmentsubgroupreports,WG4alsodevelopedcyberriskmanagementrecommendationsthatapplytothesectoracrosstheboard.Companiesareurgedto:

ReviewtheWG4reportanduseitsanalyticalprocesstoadapttheNISTCybersecurityFrameworkapproachtocybersecurityriskmanagementtotheirownoperationsandnetworks;

DistributetheNISTCybersecurityFrameworkandappropriatecomponentsoftheWG4reporttocompanyofficersandpersonnelwhosedutiesencompasscybersecuritymanagementandoperations;

EnsurethatoperatorsandvendorsineverylayeroftheTCP/IPmodelconducttheiroperationswithcybersecuritydiligence,topreventandrespondtoattacksontheirnetworksandoperationalsupportsystems;and

Recognizethatthreatknowledgeispowerandconsideradoptingathreatintelligencehandlingmodel22toenhanceprotectionofcriticalinfrastructure.Thisincludessharingmoredetailedthreatintelligenceinformationwithtrustedstakeholderstoimproveinformationgatheringforuseinthreatanalysesandcyberriskmanagementdecisionmaking.

C. CommunicationSectorCommitmenttoAdvancingCybersecurityRiskManagementWhilethisWG4CSRICreportrepresentsamajormilestone,theWG4membersacknowledgethatwearenotatthefinishline.Effortstohelpenterprisesmanagecybersecurityriskmustbecontinuousandongoingtoadapttoacontinuallychangingecosystemandthreatlandscape.WhilethesectorwillactivelypromoteuseoftheFrameworkthroughongoingandanticipatedworkinmultiplevenues,theWorkingGroupmembersarealsocognizantthateachenterprisemustdecidehowtoutilizeandimplementtheFrameworkoranequivalentriskmanagementconstruct.Themechanismsandassuranceshighlightedbelowareintendedtodemonstratethesectorscommitmenttoindustryledsolutionsbasedonclosecollaborationwithourgovernmentpartnersandregulators.

22SeeInfra9.10ThreatIntelligenceHandlingModel.


11

II. INTRODUCTION WorkingGroup4markedafundamentalCSRICshifttoariskmanagementconstructthatalignswiththefivefunctionsidentifiedintheNISTFramework(i.e.,Identify,Protect,Detect,RespondandRecover).ManyingovernmentandtheprivatesectorhavecometounderstandthatthetraditionalmultiyearCSRICreviewcyclescannolongerkeeppacewiththeacceleratingdeploymentofnewnetworkandedgetechnologiesacrosstheecosystemalongwiththerapidadvancementsinincreasinglyinexpensive,perishable,andmoresophisticatedcyberthreats.Withtheissuanceofthe2013PresidentialExecutiveOrder13636,ImprovingCybersecurityCriticalInfrastructure,andthesubsequent2014releaseoftheNISTCybersecurityFrameworkVersion1.0,thereisrenewedemphasisoncybersecurityriskmanagementasthefoundationforprotectingournationscriticalinfrastructure.TheU.S.governmenthasclearlyendorseddevelopmentofavoluntary,riskbasedmodelthatenablesorganizationstoprioritizeandimplementsolutionsbasedoninformed,enterprisetailored,businessdrivenconsiderations.Thegovernmentacknowledgedthatcosteffectivenessisanimportantconsiderationwhenevaluatingnewsecuritymeasuresandrecognizesthatincentivesmayberequiredincertaincircumstances.Itisalsogenerallyacknowledgesthatmeaningfulmethodstoassessthecostsandbenefitsofcybersecurityinvestmentareoftenelusive.InaJune2014speechtotheAmericanEnterpriseInstitute,FCCChairmanTomWheelerendorsedtheriskmanagementapproachstatingthat...companiesmusthavethecapacitytoassurethemselves,theirshareholdersandboardsandtheirnationofthesufficiencyoftheirowncyberriskmanagementpractices.Theseriskassessmentapproacheswillundoubtedlydiffercompanybycompany.Butregardlessofthespecificapproachacompanymightchoose,itiscrucialthatcompaniesdevelopmethodologiesthatgivethemameaningfulunderstandingoftheirriskexposureandriskmanagementposturethatcanbecommunicatedinternallyandexternally.Thatiswhatweareaskingourstakeholderstodo.23Tosetapathforwidespreaduseofriskmanagementprocessesbysectorenterprises,WG4studiedtheFrameworkcomponentsandthefactorsthataremostlikelytoimpactenterpriselevelriskmanagementdecisions.Theprojectwasstructuredaroundfiveindependentindustrysegmentsbasedontheircommonoperatingenvironmentsandarchitectures.ThesegmentsincludedBroadcast,Cable,Satellite,Wireless,andWireline.EachsegmentmadeitsowndeterminationastowhatcriticalinfrastructureshouldbecategorizedasinscopeoroutofscopeandwhichoftheNISTcategoriesandsubcategoriesweremostcriticaltoprotectingthatinfrastructure.Eachgroupchosecriteriatoprioritizetheriskmanagementprocesses.Theanalyseswereintendedtobeillustrativeexamplesofhowindividualcompaniesineachsegmentcouldgoaboutassessingandprioritizingtheframeworkcomponents.Theindustrybasedsegmentsweresupportedbythefivesubjectmatterorientedfeedergroups.TheRequirementsandBarriersgroupevaluatedtheoperationsandtechnology 23SeeChairmanWheelersRemarksat7.


12

requirementsandthebarriersassociatedwitheachofthe98NISTsubcategories.TheCyberEcosystemgroupexaminedtheecosystemdependentlandscapeforcommunicationsprovidersandthemostprominentthreatsthatareflowingacrosstheInternetstack.24TheTopCyberThreatsteamevaluatedtheevolvingthreatenvironmentandidentifiedenterpriselevelprocessesandacommunitythreatmodelthatcouldbeusedbythecommunicationssectortoshareinformationandcoordinateresponseandrecoveryactivities.TheMeasurementgroupexaminedchallengesassociatedwithobtainingreliableindicatorsofcausality(i.e.,riskprocess/riskreduction)andeffectivemechanismstoaddressstakeholderinterestsinkeyindicators.And,sincemanyprovidersclassifyassmallandmediumsizedenterprises,theSmallandMediumBusinessgrouplookedattheiruniquechallengesandprovidedguidanceonFrameworkrelatedapproachessuitableforsuchorganizations.TheCommunicationsSectorcontinuestobealeaderincybersecuritybecauseprovidersofferabroadarrayofcommunicationservicestosomeofthemostdemandingcustomersintheworld.Forallcommunicationproviders,ensuringtheintegrityandresilienceoftheirnetworksandtheavailabilityofservicesisamissioncriticalresponsibility.Meaningfulindicatorsofcriticalserviceavailability,reliability,resiliency,andintegrityshowtheirsuccessinthisarena.However,acrossthebroadspectrumofprovidersthereisarangeofriskmanagementcapabilitiesthatmayoftenbeassociatedwithprovidersabilitytorecoverthecostofcybersecurityinvestmentinahighlycompetitivemarket.Whileenterprisesizeisoftenassociatedwithriskmanagementcapabilities,itisnotalwaystheonlyfactor.Infact,anorganizationsuniquethreatenvironment,itsunderstandingofvulnerabilities,itsbusinessstrategy,anditsoveralltoleranceofriskcaninfluenceinvestmentdecisions.Thisreportprovidesavaluableroadmapforcompaniesinoursectortovalidatetheirexistingriskmanagementprocessesand/orenhancetheircapabilitiesbasedonanongoingevaluationoftheirthreats,vulnerabilities,andrisktolerance.Thefeedersubgroupscontributions,includingtheiranalyses,findings,andimplementationguidance,alongwiththesegmentsubgroupsimplementationguidanceandassessmentoftheapplicabilityoftheNISTCybersecurityFrameworks98subcategoriestoeachsegment,arepresentedasappendicestothisreportandcanbeusedbycompanies,largeandsmall,tofurtherguidetheiruseoftheNISTCybersecurityFrameworkinmanagingtheircybersecurityrisks.Equallyimportant,theWG4membersproposeasetofvoluntarymechanismsandFCCrecommendationsthatleveragethecommunicationsectorsexistingorganizationalstructure,experience,andcybersecurityriskmanagementsectorleadershiptoprovidetherequestedmacrolevelassurances.ThereportconcludesbysuggestingtheFCCcoordinatewithotherdepartmentsandagenciestopromoteeducationandawarenessofthecybersecurityrisksinherentincriticalcommunicationsinfrastructures,andpromotethevoluntarystepsthecommunicationsectortakestomanagetheircybersecurityrisks. 24SeeWikipedia,StructureoftheInternet:TCPIPprotocolstack,http://en.wikibooks.org/wiki/Alevel_Computing/AQA/Computer_Components,_The_Stored_Program_Concept_and_the_Internet/Structure_of_the_Internet/TCP_IP_protocol_stack(lastvisitedMar.13,2015).


13

III. BACKGROUND OnFebruary12,2013,PresidentObamaissuedExecutiveOrder13636,ImprovingCriticalInfrastructureCybersecurity,25whichsetinmotionawiderangeofgovernmentinitiativesdesignedtoadvancethenationscybersecurityresiliency.Initspolicyintroduction,theOrderarticulatedsocietalvaluestobepromotedandreinforcedthepublicprivatepartnershipconstructasthemechanismformakingprogress:

ItisthepolicyoftheUnitedStatestoenhancethesecurityandresilienceoftheNation'scriticalinfrastructureandtomaintainacyberenvironmentthatencouragesefficiency,innovation,andeconomicprosperitywhilepromotingsafety,security,businessconfidentiality,privacy,andcivilliberties.Wecanachievethesegoalsthroughapartnershipwiththeownersandoperatorsofcriticalinfrastructuretoimprovecybersecurityinformationsharingandcollaborativelydevelopandimplementriskbasedstandards.26

AkeycomponentofthePresidentsExecutiveOrderwastheassignmentgiventotheNationalInstituteofStandardsandTechnology(NIST),anagencyoftheU.S.DepartmentofCommerce,toleadthedevelopmentofaCybersecurityFrameworktoreducecyberriskstocriticalinfrastructure.Criticalinfrastructureisdefinedas,systemsandassets,whetherphysicalorvirtual,sovitaltotheUnitedStatesthattheincapacityordestructionofsuchsystemsandassetswouldhaveadebilitatingimpactonsecurity,nationaleconomicsecurity,nationalpublichealthorsafety,oranycombinationofthosematters.27NISTwasgivenalistofwhatshouldbeincludedinthefinalFrameworkandhadoneyeartocompleteitswork.TheOrdergaveexplicitinstructionsregardingthecharacteristicsoftheFrameworkandhowitwastobeused:

TheCybersecurityFrameworkshallprovideaprioritized,flexible,repeatable,performancebased,andcosteffectiveapproach,includinginformationsecuritymeasuresandcontrols,tohelpownersandoperatorsofcriticalinfrastructureidentify,assess,andmanagecyberrisk.TheCybersecurityFrameworkshallfocusonidentifyingcrosssectorsecuritystandardsandguidelinesapplicabletocriticalinfrastructure.TheCybersecurityFrameworkwillalsoidentifyareasforimprovementthatshouldbeaddressedthroughfuturecollaborationwithparticularsectorsandstandardsdevelopingorganizations.Toenabletechnicalinnovationandaccountfororganizationaldifferences,theCybersecurityFrameworkwillprovideguidancethatistechnologyneutralandthatenablescriticalinfrastructuresectorstobenefitfromacompetitivemarketforproductsandservicesthatmeetthestandards,methodologies,

25SeeExec.OrderNo.13,636,ImprovingCriticalInfrastructureCybersecurity,78FR11737(Feb.19,2013)[hereinafterEO13636].26Id.at1:Policy.27Id.at2:CriticalInfrastructure.


14

procedures,andprocessesdevelopedtoaddresscyberrisks.TheCybersecurityFrameworkshallincludeguidanceformeasuringtheperformanceofanentityinimplementingtheCybersecurityFramework.28

ToencourageuseoftheCybersecurityFramework,theDepartmentofHomelandSecurity(DHS)wasorderedtoestablishavoluntaryprogramtosupportownersandoperatorsofcriticalinfrastructure(andanyotherinterestedentities)thatwantedtousetheFrameworkaspartofanexistingornewriskmanagementprogram.SectorSpecificAgencieswereinstructedtocoordinatewiththeSectorCoordinatingCouncilstoreviewtheCybersecurityFrameworkand,ifnecessary,developimplementationguidanceorsupplementalmaterialstoaddresssectorspecificrisksandoperatingenvironments.29TheCommunicationsSectororganizeditsparticipationintheFrameworkdevelopmenteffortthroughtheCSCC,andCouncilrepresentativesparticipatedinallsixNISTworkshopsheldatmajorresearchuniversitiesthroughoutthecountry.30Industryrepresentativesparticipatedonpanels,submittedcomments,andhadextensivedialoguewiththeFrameworkdevelopmentteam.OnFebruary12,2014,NISTreleasedtheFrameworkforImprovingCriticalInfrastructureVersion1.031statingthatitenablesorganizationsregardlessofsize,degreeofcybersecurityrisk,orcybersecuritysophisticationtoapplytheprinciplesandbestpracticesofriskmanagementtoimprovingthesecurityandresilienceofcriticalinfrastructure.32TheauthorsnotedthattheFrameworkisnotaonesizefitsallapproachtomanagingcybersecurityriskforcriticalinfrastructure.Organizationswillcontinuetohaveuniquerisksdifferentthreats,differentvulnerabilities,anddifferentrisktolerancesandhowtheyimplementthepracticesintheFrameworkwillvary.33TheCybersecurityFrameworkprovidesguidanceonhowitcanbeusedbyanorganizationtoenhanceanexistingprogramortocreateanewriskmanagementprogram.TheFrameworkinitiativewasalignedwiththeeffortsoftheFCCsCommunicationsSecurityReliabilityandInteroperabilityCouncil(CSRIC)IV.TheCSRICIVchartercalledforanupdateofthecybersecuritybestpracticesthathadbeendevelopedaspartofCSRICIIWorkingGroup2A:CyberSecurityBestPractices.ThateffortendedinMarch2011andproduced397bestpracticescoveringawiderangeoftechnologyplatformsandservices.34Attheurgingof 28Id.at7:BaselineFrameworktoReduceCyberRisktoCriticalInfrastructure.29Id.8:VoluntaryCriticalInfrastructureCybersecurityProgram.30SeeNationalInstituteofStandardsandTechnology,CybersecurityFrameworkWorkshopsandEvents,http://www.nist.gov/cyberframework/cybersecurityframeworkevents.cfm(lastvisitedMar.13,2015).31SeeNISTCSF.32Id.at1.33Id.at2.34SeeFederalCommunicationsCommission,TheCommunicationsSecurity,ReliabilityandInteroperabilityCouncilII,WorkingGroup2ACybersecurityBestPracticesFinalReport(2011),availableathttp://transition.fcc.gov/pshs/docs/csric/WG2ACyberSecurityBestPracticesFinalReport.pdf.


15

industryrepresentatives,theFCCagreedthatCSRICIVWorkingGroup4shouldbeginworkimmediatelyfollowingtheFebruary2014releaseoftheFrameworkbecauseindustrywasasignificantcontributorofresourcestothemultistakeholdercollaborativeprocessthatwasbeingcoordinatedbyNIST.ItwasalsounderstoodthatthesubsequentCSRICIVWorkingGroup4effortwouldbenefitfrombeinginformedbytheNISTprocessandfinalproduct.Toeffectivelyexecuteaprojectofthisscope,theWorkingGroupCoChairsestablishedaLeadershipTeamtoensurethatqualifiedresourceswereappropriatelyappliedtoworkeffortsandthattheworkproductsalignedwiththeoverallobjectivesoftheeffort.ThisLeadershipTeamevolvedtoinclude20individualsthatservedassegmentandfeedergroupleadersandaTechnicalandPolicyAdvisoryBoardthatincludedseniorrepresentativesfromNIST,theWhiteHouseNationalSecurityOffice,andtheFCC.Withover100volunteersrepresentingthefivemajorindustrysegmentsaswellasstakeholdersfromothersectors,academia,andstateandfederalgovernment,thiswasthelargestWorkingGroupeffortundertakeninthehistoryoftheCSRICandtheNetworkReliabilityandInteroperabilityCouncil(NRIC)(i.e.,CSRICspredecessor).

A. CSRICStructure

CommunicationsSecurity,Reliability,andInteroperabilityCouncil(CSRIC)IVCSRICSteeringCommittee

ChairorCoChairs:WorkingGroup1










WorkingGroup1:NextGeneration911

WorkingGroup2:WirelessEmergencyAlerts

WorkingGroup3:EAS

WorkingGroup4:CybersecurityRiskManagementandBestPractices

WorkingGroup5:ServerBasedDDoSAttacks

WorkingGroup6:LongTermCoreInternetProtocolImprovements

WorkingGroup7:LegacyBestPracticeUpdates

WorkingGroup8:SubmarineCableLandingSites

WorkingGroup9:InfrastructureSharingDuringEmergencies

WorkingGroup10:CPEPowering


16

B. LeadershipTeam

C. WorkingGroup4TeamMembers

WorkingGroup4consistsofthememberslistedbelow.

Name CompanyRobertMayer(CoChair) USTelecomAssociationBrianAllen(CoChair) TWCableDonnaDodson(SeniorTechAdvisor) NationalInstituteofStandardsandTechnologyEmilyTalaga(SeniorEconomicAdvisor) FederalCommunicationCommissionVernMosley(FCCLiaison) FederalCommunicationCommissionAdrienneAbbott NevadaEASChairAnthonyAcosta NorthropGrummanMichaelAlagna MotorolaSolutionsCarlAnderson VanScoYocAssociates


17

NadyaBartol UtilitiesTelecomCouncilJamesBean JuniperNetworksChrisBoyer AT&TChuckBrownawell SprintCorporationLoisBurns PAPublicUtilityCommissionIngridCaples DepartmentofHealthandHumanServicesJoelCapps EricssonLisaCarnahan NISTDanCashman FairPointNnekaChiazor VerizonLarryClinton InternetSecurityAllianceEdwardCzarnecki MonroeElectronicsKateDean USISPAPaulDiamond CenturyLinkMartinDolly AT&T(representingATIS)TannerDoucet InternetSecurityAllianceSetonDroppers PBSTechnology&OperationsVictorEinfeldt IridiumRussellEubanks CoxCommunications,IncPaulFerguson InternetIdentityInetteFurey DepartmentofHomelandSecurityAndrewGallo GeorgeWashingtonUniversityChrisGarner CenturyLinkMichaelGeller Cisco(representingATIS)MyK.Gomi NTTAmericaJessicaGulick CSGInternationalStacyHartman CenturyLinkMaryHaynes CharterChrisHomer PBSCharlesHudson,Jr ComcastWinkInfinger FloridaDepartmentofManagementServicesChrisJeppson Consolidated


18

SusanJoseph CableLabsFranckJournoud OracleMerikeKaeo InternetIdentityKevinKastor ConsolidatedJohnKelly ComcastDanielleKriz InformationTechnologyIndustryCouncilRickKrock AlcatelLucentJeremyLarson SilverStarGregLucak WindstreamEthanLucarelli WileyReinLLPDanielMadsen USBankJohnMarinho CTIAHeathE.McGinnis VerizonDonnaBetheaMurphy IridiumPaulNguyen CSGInternationalJorgeNieves ComcastMichaelO'Reirdan Comcast(representingMAAWG)MartinPitson TelesatJoelRademacher IridiumJ.BradfordRamsay NARUCAlanRinker BoeingChrisRoosenraad TWCableTonySager CouncilonCybersecurityHaroldSalters TMobileBrianScarpelli TIAOnlineKarlSchimmeck SIFMAJ.J.Shaw O3bGovernmentRaySingh ACSTomSoroka USTelecomAssociationCraigSpiezle OnlineTrustAlliance(OTA)MattStarr CompTIABillTaub CablevisionSystemsCorporation


19

RobertThornberry BellLabs/AlcatelLucentSheilaTipton IowaUtilitiesBoardMattTooley NCTABillTrelease CTODelhiTelephoneCompanyColinTroha CSGInvotasS.RaoVasireddy AlcatelLucent(TIArepresentative)JoeViens TWCableChristianVogler GallaudetUniversityJesseWard NTCAErrolWeiss CitiKathyWhitbeck Nsight/CellcomJackWhitsitt NationalElectricSectorCybersecurityOrganizationKellyWilliams NationalAssociationofBroadcasters(NAB)ShawnWilson VeriSignPamelaA.Witmer PAPublicUtilityCommissionShinichiYokohama NTT

Table1ListofWorkingGroupMembersIV. OBJECTIVE,SCOPE,ANDMETHODOLOGY

A. ObjectiveTheNISTFrameworkwasdesignedasamultisectorbaselinedocumentthatindividualsectorscouldtailorinwaysthatmightmakeitmorerelevantandusefultoorganizationsoperatingwithintheirsector.Inthecaseoftheexpansivecommunicationssector,asegmentspecificanalysiswasdeemedtobemoreproductive(i.e.,broadcast,cable,satellite,wireless,andwirelinesegments).ConsequentlyWG4participantsfocusedondevelopingsegmentspecificcyberriskmanagementapproachesandguidancethatwouldserveasafoundationforproducingtheassurancescalledforintheCSRICIVWorkingGroup4description.Asoutlinedbelow,theWorkingGroupsassurancesandrecommendationsbuilduponthefoundationalworkintheFrameworkVersion1.0andaresupportedbyfactbasedanalysesandinformedjudgmentsinareasthatarecriticaltotheabilityofthecommunicationssectorandenterprisestoevolvetheircybersecurityriskmanagementprofiles.WorkingGroup4seffortsweredesignedtoprovideindividualserviceprovidersanabilitytoassurethemselves,theirshareholdersorowners,theirboards,andexternalstakeholdersthattheyaretakingappropriatestepstomanagecybersecurityrisk.Whileindividual


20

enterprisesaregivenflexibilityonhowtheyusetheFramework,WorkingGroup4focusedontailoringtheFrameworktotheuniqueconsiderationsofthesegmentsandprovidingmacrolevelanalysesandmechanismstosustainriskmanagementcapabilities.B. ScopeWorkingGroup4wastaskedwithproducingapractical,costeffective,andsegmenttailoredmodelofriskmanagementwithmeaningfulindicatorstocommunicateassurancestointernalandexternalstakeholders.Tofacilitatesectorwideuseoftheframeworkoranalternativeriskmanagementconstruct,itwasnecessarytoevaluatethefiveFrameworkfunctions,22categories,98subcategories,andthefactorsthatwouldimpactanenterprisesdecisiontoadoptorenhanceaparticularriskmanagementprocess.Additionally,theWorkingGroupdeveloped,tested,andutilizedananalyticaltemplatethatanenterprisecouldadopttoprioritizeitsriskmanagementactivitiesbasedonacriticalexaminationofconsiderationsthatwouldberelevanttoitsuniquecircumstances.


21

C. MethodologyTheprojectmethodologywasdesignedtoprovidestrongfactualandanalyticalunderpinningstosupportserviceproviderscybersecurityriskmanagementactivities.Theprojectwasstructuredasaniterativeprocesstoensurethatsegmentanalyseswereconstantlyevaluatedasnewfeedergroupinputwasreceived.Thatprocessisillustratedbelow.

Figure1SegmentAnalysisProcess

TheeffortbeganwiththedevelopmentofananalyticaltemplatethateachofthesegmentsusedtoevaluatehowtheFrameworksstructuremightbeappliedtoanenterpriseoperatinginitssegment.

ThesegmentteamswerefirstaskedtodeterminewhetheraparticularFrameworkFunction,CategoryorSubCategorywasdeemedtobeinscopeoroutofscopeforpurposesofprioritizingriskmanagementprocesses.Thefivesegmentsreliedonworkcompletedaspartofthe2012NationalSectorRiskAssessmentforCommunications,whichexaminedthecommonoperatingenvironmentsofthefivesegmentsandidentifiedcoreinfrastructureandassociatedcriticalservices.EachsegmentmadeanindependentdeterminationastowhichFrameworkCategoriesandsubcategoriesmetthecriteriaforbeingidentifiedasinoroutofscope.Theflexibilityaffordedtothesegmentteamswas


22

consistentwiththeFrameworksemphasisonflexibilityandwasdesignedtobeillustrativeforindividualcompaniesthatmightmakesimilarscopingdeterminations.

Figure2SegmentScopingAnalysis

Onceaprocesswasdeterminedtobeinscope,thenextanalyticalcomponentwasidentificationandrankingofcriteria.Segmentswerefreetoselectrelevantcriteriaamongasetthatincludedthecriticalityofaparticularprocess,thedifficultyassociatedwithimplementingaparticularprocess,andhoweffectiveitcouldbeinmitigatingcybersecurityrisk.

Figure3SegmentIdentificationandRankingofCriteria

HowtoprioritizeFrameworkprocessesrestedonworkthatwasdevelopedbythefeedergroups.Onceadeterminationwasmaderegardingthecriticalityofaparticularprocess,astructuredbasisfordeterminingdifficultywasdevelopedbytheRequirementsandBarriersFeederGroup.Foreachofthe98subcategoriesincludedintheFramework,ateamreviewedtheoperationalandtechnologicalrequirementsassociatedwith


23

implementingthatspecificriskmanagementprocess.Understandingtheserequirementsandthepotentialbarriersorchallengesfororganizationsofvaryingsizeandscopewascriticaltomakingsupportableargumentsarounddifficulty.

Figure4RequirementsandBarriers


24

V. FINDINGS WorkingGroup4strivedtodomorethanjustdevelopatoolthatcommunicationproviderscanusetoadapttheFrameworkinavoluntary,prioritized,andcosteffectivefashion.TheWorkingGroupendeavoredtobreaknewgroundinunderstandingcybersecurityriskmanagement.Assuch,teamswereestablishedtoaddresstheuniqueconsiderationsofsmallandmediumenterprisesinthesector,theecosystemanddependenciesthatimpactedrisk,thethreatsandwaysinwhichorganizationscanevolvecapabilitiesasnewthreatsarise,thebarrierstoimplementingsuccessfulriskmanagementregimes,andtheappropriatemechanismsandmeasurestoaddressadynamicsetofcyberconditions.Thisreportdemonstratesthecommunicationsectorscapabilitytoaddresstheevolvingcyberthreatthroughvoluntarycollaboration.Thispositionissupportedbytheongoinglevelofcriticalserviceavailability,reliability,andresiliencyacrossthecommunicationsindustry.Thefindings,asaretheconclusionsandrecommendations,areorganizedaroundthefivekeyareasoftheWorkingGroup4charge:35(1)macrolevelassurances,(2)voluntarymechanisms,(3)useoftheNISTCybersecurityFrameworkoranequivalentconstruct,(4)meaningfulindicatorsofsuccessfulcyberriskmanagement,and(5)communicationssectorimplementationguidanceforusingtheNISTCybersecurityFramework.

A. MacroLevelAssuranceFindingsThefollowingsummaryfindingsaddresstheWorkingGroup4chargetoprovidemacrolevelassurancethatcommunicationsprovidersaretakingthenecessarycorporateandoperationalmeasurestomanagecybersecurityrisks.

CSRICfoundthatadaptingthevoluntaryFrameworkisaneffectivewaytomanage

cybersecurityrisk. Communicationssectormemberssharedetailedthreatintelligenceinformationwith

appropriatestakeholders,withintheconfinesofexistinglaw. WorkisunderwayontheincentivescategorythatisrecognizedinEO13636asan

essentialfactorinimprovingcriticalinfrastructurecybersecurity. Communicationssectormembersaretakingstepstoadvancetheircybersecurityrisk

managementpractices,althoughvariationsexistwithrespecttolevelsofprogramdevelopmentandimplementation.

Thecommunicationssectororganizesitsstrategic,planningandoperationalcybersecurityactivitiesthroughthreerespectiveentities:theNationalSecurityTelecommunicationsAdvisoryCouncil(NSTAC),theCommunicationsSectorCoordinatingCouncil(CSCC)/GovernmentCoordinatingCouncil(GCC),andtheCommunicationsInformationSharingandAnalysisCenter(CommISAC).

35Seesupranote1,at4.


25

SmallandMediumBusinesses(SMBs)haveuniquecircumstancesandchallengesthatmayinfluencetheirapproachtoimplementingtheFrameworkandprovidingmacrolevelassurances.

B. VoluntaryMechanismsFindingsThefollowingsummaryfindingsaddresstheWorkingGroup4chargetoidentifyvoluntarymechanismstoprovidemacrolevelassurances.

Astaticchecklistmethodologyisnotaneffectivedefense,asitislimitsthemethodsand

tacticsbywhichanorganizationcanpreparefororrespondtoimminentandevolvingthreats.

CSCC/GCCisaneffectiveorganizationalstructureforintegratinganewinitiativetoevaluatehowcybersecuritythreatsaremeasuredatthesectorlevel.

Keygovernmentstakeholdershavealegitimateinterestingaininginformationaboutcybersecuritythreatstocriticalinfrastructureandtheeffectivenessofcybersecurityriskmanagementpractices.

C. UseoftheNISTCybersecurityFrameworkoranEquivalentConstructFindingsThefollowingsummaryfindingsaddresstheWorkingGroup4chargetoprovidemacrolevelassurancesthatdemonstratehowcommunicationsprovidersarereducingcybersecurityrisksthroughtheuseoftheNISTCybersecurityFrameworkoranequivalentconstruct. Useofacommunitymodelforthreatintelligenceorinformationsharingandanalysis

canhelporganizationsintheirquesttoprotecttheircriticalinfrastructureandcriticaldatafromfuturecyberthreats.

UseofthevoluntaryNISTCSFprovidesaconsistentcybersecurityriskmanagementapproachandacommontaxonomytoimproveinternalandexternalcommunicationsregardingcybersecurityriskmanagement.

PriortotheNISTCSF,manycommunicationssectormembersalreadywereactivelyengagedinequivalentprocessestosuccessfullymanagecybersecurityrisks.

D. MeaningfulIndicatorsFindingsThefollowingsummaryfindingsaddresstheWorkingGroup4chargetoprovidemacrolevelassurancesthatarebasedonmeaningfulindicatorsofsuccessfulcyberriskmanagement.

Meaningfulindicatorsofsuccessful(orunsuccessful)cyberriskmanagementfocuson

measureableoutcomes. Itisdifficulttomeasuretheeffectivenessofthecommunicationssectorscybersecurity

riskmanagementprocessesinisolation,givenitsinterdependenciesonothercriticalinfrastructuresectors.


26

E. CommunicationsSectorImplementationGuidanceFindingsThefollowingsummaryfindingsaddresstheWorkingGroup4chargetogivethecommunicationssectorguidanceonhowtoimplementusingtheNISTCybersecurityFramework.

TheNISTCybersecurityFrameworkisaneffectivemechanismtocreateanewrisk

managementprocessortoenhanceexistingcybersecurityriskmanagementprocesses. CyberattackshavebeenobservedandmappedtoeverylayeroftheTCP/IP

communicationmodel,andsubsequentlyagainsteveryidentifiedcategoryoftheecosystem.CyberattackswillcontinuetooccurateveryleveloftheTCP/IPcommunicationsmodel.ItisimportantthatalloperatorsandvendorsineverylayeroftheTCP/IPmodelconducttheiroperationswiththeappropriatelevelofcybersecuritydiligence.

Thecommunicationssectorispartofavastinterdependentecosystemthatrequiressharingcybersecurityresponsibilitiesamongavarietyofstakeholdersanddependsonmultiplenoncommunicationssectorecosystementitiestomakethecommunicationsinfrastructuremoresecure.

FurtheroutreachisneededtoensurethattheSMBcommunityisengagedinthenetworkriskmanagementdiscussiongenerally,andawareofthebenefitsoftheNISTFrameworkspecifically.

ItisnotamatterofIFacommunicationssectormemberwillbeattacked,butamatterofWHENtheywillbeattacked,andthatthreatknowledgeisessentialtoprotectagainstattacks.


27

VI. CONCLUSIONSTheconclusionsdrawnbelowalignwiththekeytaskareasassignedtoWorkingGroup4andaresupportedbyayearlongeffortinvolvingsubstantialinquiriesintocybersecurityactivitiesattheenterprise,segment,andsectorlevels.

A. MacroLevelAssuranceConclusionsThefollowingconclusionsaddresstheWorkingGroup4chargetoprovidemacrolevelassurancethatcommunicationsprovidersaretakingthenecessarycorporateandoperationalmeasurestomanagecybersecurityrisks.

NonewregulationsareneededorwarrantedtoaddressconformitytotheNIST

Framework.Sucharegulatoryregimewouldspuraminimumstandard,notmaximumeffort,andwouldundermineadaptabilityandinnovation.

Cyberthreatinformationsharingresultsinefficientandscalableinformationthatallpartiescanusetodevelopthreatanalysesandtomakecyberriskmanagementdecisions.

Progressonincentivesisnecessarytoovercomemanyofthebarriersidentifiedinthisreport.

Thestepsthecommunicationssectormembersaretakingtoadvancetheircybersecurityriskmanagementpracticescanbeconveyedtorelevantstakeholderswithappropriateprotectionsforsecurityandmarketpurposes.TheNSTAC,CSCC/GCC,andCommISACareeffectivevenuesforinformationsharingandcollaborationregardingreductionofcybersecurityrisks,notonlyamongitsmembersbutwithothercriticalinfrastructuresectorsandgovernmentdepartmentsandagenciesthataredependentuponthecommunicationssectorscriticalinfrastructureandservices.

SpecialconsiderationsandaccommodationsmaybenecessaryforSMBstoimplementtheFrameworkandprovidemacrolevelassurancestotheFCCandthepublic.

B. VoluntaryMechanismsConclusionsThefollowingconclusionsaddresstheWorkingGroup4chargetoidentifyvoluntarymechanismsthatcanbeusedtoprovidemacrolevelassurances.

Achecklistapproachwouldprioritizecomplianceoveranadaptablesecurityrisk

basedmanagementmodelthatisrequiredtoaddresstheevolvingcyberthreatlandscape.

FuturerequestsformeasurementsbygovernmentagenciesintotheimpactofcybersecuritythreatstocommunicationsinfrastructurewouldbemosteffectivelymanagedbytheCSCC/GCC.


28

Thecommunicationssectorcanmakeexternalstakeholdersmoreawareofitscorporateandoperationalcybersecurityriskmanagementmeasuresthroughcurrentcommunicationssectorvenuesthathavetherequisiteprotections.

Voluntarymechanisms,includinganindustrySARandperiodicmeetingswithcommunicationssectormembers,canprovidemacrolevelassurancethatcommunicationsprovidersaretakingtheappropriatemeasurestomanagecybersecurityrisks.

C. UseofNISTCybersecurityFrameworkorEquivalentConstructConclusionsThefollowingconclusionsaddresstheWorkingGroup4chargetoprovidemacrolevelassurancesthatdemonstratehowcommunicationsprovidersaremanagingcybersecurityrisksthroughtheuseoftheNISTCSForanequivalentconstruct.

TheintroductionoftheNISTCSFrepresentsamajorbreakthroughintheabilityto

communicatecybersecurityriskmanagementprinciplesandprocessesandcanbeeffectivelyemployedbythecommunicationssectorandappliedtoothercriticalinfrastructuresectors.

TheuseoftheNISTCSFwillcontinuetoevolvewithinthecommunicationssectorasmoreexperienceisgainedandshared.

Continuedinteragencyandfederal/statecoordinationandcollaborationwithindustryinadvancingtheFrameworkisneededtoavoidfragmentationofindustryandgovernmentresources.

D. MeaningfulIndicatorsConclusionsThefollowingconclusionsaddresstheWorkingGroup4chargetoprovidemacrolevelassurancesthatarebasedonmeaningfulindicatorsofsuccessfulcyberriskmanagement.

Individualcompanymalwareinfectionrates,thenumberofhostedbots,and

customerservicecomplaintsarenotmeaningfulindicatorsofsuccessfulcyberriskmanagement,astheyarenotoutcomebasedmeasures.

Theavailabilityofthecriticalinfrastructuretodelivercriticalservicesisanoutcomebasedmeasureandthereforeameaningfulindicatorofsuccessfulcyberriskmanagement.Ifissuesrelatedtoavailabilityariseasaconsequenceofacyberincident,additionalexaminationintoreliability,resiliency,andintegrityofcorenetworkcriticalinfrastructuremayneedtobeevaluated.

Furtheranalysisisrequiredtodeterminewhetheracomprehensiveandvalidsetofcybersecurityeffectivenessmetricscanbeappliedonacrosssectorialbasis.

E. CommunicationsSectorImplementationGuidanceConclusionsThefollowingconclusionsaddresstheWorkingGroup4chargetogivethecommunicationssectorguidanceonimplementingtheNISTCybersecurityFramework.


29

CommunicationssegmentmemberswillbenefitfromtheirreviewofthisreportandtheanalyticalprocessesinthereportthattheycanusetoimplementtheNISTFrameworkoranequivalentconstruct.

UseoftheNISTCSFmustremainflexibleasonesizedoesnotfitall,andcompaniesshouldusetheFrameworkinawaythatisappropriatetotheirriskenvironment,posture,andtolerance.

ThecommunicationssectoriseffectivelyadvancingtheuseoftheNISTCSFasevidencedbytheindustrysparticipationindevelopmentofthisreport.

Asevidentinthisreport,smallandmediumcommunicationssectormembershaveuniquechallengestoovercomeintheuseoftheNISTCSF.

Communicationssectormembersareonecomponentofavastlandscapeofinterdependentcriticalinfrastructureecosystemstakeholdersthatrequiresahighdegreeofinformationsharing(consistentwithapplicablelaw)andcollaborationtoeffectivelymanagecyberrisk.

UseofthevoluntaryNISTCSForequivalentriskmanagementconstructacrossallecosystemstakeholderswillimprovecybersecurityriskmanagement.

AsitrelatestotheuseoftheNISTCSF,sharinginformationaboutexperiencesandlessonslearnedacrosstheecosystemwillfacilitateimprovementsinthefurtherdevelopmentoftheFrameworkandcybersecurityriskmanagementgenerally.

Communicationssectormembers,aswellasothercriticalinfrastructuresectors,cansharedetailedthreatintelligenceinformationwithappropriatestakeholders,consistentwithcurrentlaw,andthusenablemoreefficientandscalablethreatinformationgatheringforcyberriskmanagementdecisionmaking.

AsNIST,DHS,theFCC,andindustrycontinuetheiroutreach,theyshouldunderstandthatasinglemethodofoutreachmightnotbesufficientforanSMB.Amultifacetedapproachisnecessary.


30

VII. RECOMMENDATIONS ThefollowingrecommendationsareconsistentwiththeFederalAdvisoryCommitteeAct(FACA)36rulesunderwhichCSRICoperates.TheserecommendationsweredevelopedwiththeintentionofworkingwiththeFCCandotherU.S.governmentagenciestoenhancecybersecurityriskmanagementcompetenciesandtomakeusefulresourcesavailabletoenterprisesacrossthebroadcommunicationssector.

A. MacroLevelAssuranceRecommendationsThefollowingrecommendationsaddresstheWorkingGroup4chargetoprovidemacrolevelassurancethatcommunicationsprovidersaretakingthenecessarycorporateandoperationalmeasurestomanagecybersecurityrisks.

CSRICrecommendsthattheFCCleveragetheresourcesandcapabilitiesofthethree

primarycommunicationssectororganizations(i.e.NSTAC,CSCC/GCC,CommISAC)topromotevoluntaryparticipationinriskmanagementinitiativesacrossallcommunicationssegmentsandproviders.

CSRICrecommendsthattheFCCpromotethesustainedvoluntarycollaborationandfacilitatethesharingofcybersecuritythreatinformation.ThiscanbeaccomplishedbyworkingwiththecommunicationssectormembersandotherrelevantagentsoftheU.S.governmenttoidentifyandmitigatetechnical,operational,financial,andlegalbarrierstocyberinformationsharing.

CSRICrecommendsthattheFCCfurtherexploretheconsiderationsandaccommodationsthatarerequiredforSMBstoimplementtheNISTCybersecurityFrameworkandprovidemacrolevelassurancestotheFCCandthepublic.

B. VoluntaryMechanismsRecommendationsThefollowingrecommendationsaddresstheWorkingGroup4chargetoidentifyvoluntarymechanismstoprovidemacrolevelassurances.

CSRICrecommendsthattheFCC,inpartnershipwithDHS,participateinperiodic

meetingswithcommunicationssectormembers,inaccordancewithPCIIprotections,37todiscusstheircybersecurityriskmanagementprocessesandtheiruseoftheNISTCSForequivalentconstruct.

CSRICrecommendsthattheFCCusethecurrentcommunicationssectororganizationalstructurewithintheCSCC/GCCtodeliveranindustrySectorAnnualReport(SAR)thataddressestheeffectivenessofcommunicationssectorcybersecurityriskmanagementprocesses.

36SeeGeneralServicesAdministration,FederalAdvisoryCommitteeAct(FACA)ManagementOverview,http://www.gsa.gov/portal/content/104514(lastvisitedMar.13,2015).37SeePCIIProgramoranotherlegallysustainableconstruct.


31

C. UseofNISTCybersecurityFrameworkorEquivalentConstructRecommendationThisrecommendationaddressestheWorkingGroup4chargetoprovidemacrolevelassurancesthatdemonstratehowcommunicationsprovidersaremanagingcybersecurityrisksthroughtheNISTCybersecurityFrameworkoranequivalentconstruct.

CSRICrecommendsthattheFCCpromotethevoluntaryuseoftheNISTCSFamong

allcommunicationssectormembers,largeandsmall,aswellasacrossothercriticalinfrastructuresectorsthatareinterdependentwiththecommunicationssector.

CSRICrecommendsthattheFCCworktocoordinateandrationalizeFrameworkrelatedfederal/stategovernmentinitiativestoensureefficientuseofcriticalandscarcecybersecurityresources.

CSRICrecommendsthattheFCCfurtherincorporateanunderstandingofthechangingthreatlandscape,sectorecosystemdependencies,andharmonizationintopreviousCSRICbestpracticesandtheNISTCSF.

D. MeaningfulIndicatorsRecommendationsThefollowingrecommendationsaddresstheWorkingGroup4chargetoprovidemacrolevelassurancesthatarebasedonmeaningfulindicatorsofsuccessfulcyberriskmanagement.

CSRICrecommendsthattheFCCadoptavailabilityofthecriticalcommunications

infrastructureasthemeaningfulindicatorofcybersecurityriskmanagement. CSRICrecommendsthattheFCCleveragethecommunicationssectorscurrent

organizationalstructure(i.e.,CIPAC)todeliveranindustrySectorAnnualReporttoaddresstheproposedmeaningfulindicatorandcorporateandoperationalinitiativesthecommunicationssectoristakingtomanagecybersecurityrisk.

CSRICrecommendsthattheFCC,inpartnershipwithDHSandNIST,promotecontinuedindustryparticipationineffortstoevaluatetheeffectivenessofcybersecurityriskmanagementprocessesinallsectorsandtheirimpactonthecommunicationssector.

E. CommunicationsSectorImplementationGuidanceRecommendationsThefollowingrecommendationsaddresstheWorkingGroup4chargetoprovidethecommunicationssectorwithguidanceforimplementingtheNISTCybersecurityFramework.

CSRICrecommendsthattheFCCencouragethedisseminationoftheNIST

FrameworkandtheWG4reporttoappropriatecommunicationsectormemberorganizations,andinparticular,tomanagementandstaffwithcybersecuritymanagementandoperationalresponsibilities.

CSRICrecommendsthattheFCCcontinuetocollaboratewithNISTandDHSinthefurtherdevelopmentoftheNISTCSFandthepromotionofprogramstoincreasethevoluntaryuseoftheCSF.


32

CSRICrecommendsthattheFCCpartnerwithotherdepartmentsandagenciestopromoteeducationandawarenessofthecybersecurityrisksinherentincriticalcommunicationsinfrastructures,andtopromotestepsthatthecommunicationssectorcantaketogiveexternalstakeholderswithmacrolevelassurancethatthesecollectiveactionsaresuccessfullymanagingcybersecurityrisks.

CSRICrecommendstheFCCpromoteanindustrythreatintelligencehandlingmodel(referencedinthisreport),oranequivalentconstructbyorganizationsintendingtousethreatintelligencetomaintaincybersecurity,protectcriticalinfrastructure,andprotectcriticaldatafromrapidlyevolvingcyberthreats.

CSRICrecommendstheFCCencouragecommunicationssectormemberstosharerelevantthreatintelligenceinformation(consistentwithapplicablelaw)withappropriatestakeholders,thusenablingmoreefficientandscalablethreatinformationgatheringforuseinthreatanalysesandcyberriskmanagementdecisionmaking.


33

VIII. ACKNOWLEDGEMENTS WorkingGroup4wouldliketoacknowledgethesignificantcontributionsofeachofitsmembers,forwithouttheirexpertise,participation,analysis,andcontributionsthroughouttheprocess,thereportfindings,conclusions,andrecommendationscontainedhereinwouldnothavebeenpossible.WorkingGroup4wouldalsoliketoacknowledgethesegmentandfeedersubgroupleadershipteam,comprisedofKellyWilliams,MattTooley,JohnMarinho,ChrisBoyer,DonnaBetheaMurphy,HaroldSalters,LarryClinton,SusanJoseph,JesseWard,RussellEubanks,JoeViens,TomSoroka,BrianScarpelli,andChrisRoosenraad,wholedtheirteamsinconductingthesegmentandfeederanalysesuponwhichthereportsfindings,conclusions,andrecommendationsarebased.WorkingGroup4wouldalsoliketoacknowledgetheWorkingGroupsadvisors,DonnaDodson,LisaCarnahan,TonySager,andEmilyTalaga,fortheirexpertise,thoughtfuladvice,andencouragementthroughouttheprocess.WorkingGroup4wouldalsoliketoacknowledgetheFCCliaisontotheWorkingGroup,VernMosley,forhissubstantialsupportandcontributionsthroughouttheprocess.WorkingGroup4wouldalsoliketoacknowledgeMattTooleyforhisadministrationoftheWorkingGroupsbox.comaccountthattheWorkingGroupusedtocollaborateinsharinginformationamongtheWorkingGroupmembersandinproducingthereport.WorkingGroup4wouldalsoliketothankRobertMayer,PatMurray,DeontreaCampbell,andthemanyotherUSTelecomsupportstaffmembersforhostingtheWorkingGroup4facetofacemeetings.TheWorkingGroupgreatlyappreciatesthesignificantplanningandlogisticsthatwentintohostingthemanysuccessfulfacetofacemeetings.WorkingGroup4wouldalsoliketoacknowledgetheskilledexpertiseanddedicationoftheFinalReportdraftingteamcomprisedofPaulDiamond,StacyHartman,RobertThornberry,BrianAllen,RobertMayer,andthesegmentandfeedersubgroupleadershipteam.Withouttheirperseveranceandattentiontodetail,theFinalReportwouldnothavebeenpossible.Andlastbutcertainlynotleast,theWorkingGroup4memberswouldliketoacknowledgeandthankouresteemedWorkingGroup4cochairs,RobertMayerandBrianAllen.Theirinsight,focus,expertise,outreachacrossthecommunicationssector,andleadershipthroughouttheprocessisevidencedbythequalityoftheFinalReportsfindings,conclusions,andrecommendations.


34

IX. REPORTS&SEGMENTS9.1BROADCASTSEGMENT...................................................................................359.2CABLESEGMENT............................................................................................629.3SATELLITESEGMENT......................................................................................919.4WIRELESSSEGMENT.....................................................................................1189.5WIRELINESEGMENT.....................................................................................1679.6REQUIREMENTSANDBARRIERSTOIMPLEMENTATION..............................2029.7CYBERECOSYSTEMANDDEPENDENCIES.....................................................3219.8MEASUREMENT............................................................................................3559.9SMALLANDMEDIUMBUSINESS..................................................................3709.10TOPCYBERTHREATSANDVECTORS..........................................................398


35

9.1BROADCASTSEGMENT

CYBERSECURITYRISKMANAGEMENTANDBESTPRACTICES WORKINGGROUP4

March2015


36

TABLEofCONTENTS I. ExecutiveSummary.........................................................................................37II. Introduction....................................................................................................37III. BroadcastSegmentGroupMembers..............................................................38IV.Objective,ScopeandMethodology................................................................38

A. Objective..................................................................................................38B. Scope........................................................................................................39C. Methodology............................................................................................40

V. ResultsandFindings........................................................................................41A. CriticalServices........................................................................................41B. BroadcastEcosystemArchitectures.........................................................41

VI.ApplyingtheNISTCybersecurityFramework..................................................45VII.ApplicationMethodology................................................................................46VIII. IllustrativeUseCases.....................................................................................56

A. BroadcastRadio/TVStation/HubAssessment.........................................58B. BroadcastNetworksBroadcastFirewall.................................................60

IX. ConclusionsandRecommendations...............................................................61X. Acknowledgements.........................................................................................61


37

I. EXECUTIVESUMMARYTheBroadcastIndustrySegmentsubgroupofWorkingGroup4(WG4)focusedondevelopingrecommendationsthatwillassistinreducingcybersecurityrisktobroadcastcriticalonairoperationsthroughtheapplicationoftheNISTCybersecurityFramework(NISTCSF).ToaccomplishthisobjectivetheBroadcastSegmentGroupsmissionwastoprovidearoadmapforbroadcasterstoaligntheirspecificoperationstothatoftheNISTCybersecurityFramework.WhiletheNISTFrameworkmaybeusedbeyondcriticalinfrastructure,theanalysiswasprimarilyfocusedoncriticalinfrastructureasdefinedintheCybersecurityExecutiveOrder.Forbroadcasters,thismeansmaintainingonairoperationsinordertodelivernews,weather,criticalpublicwarning,andemergencyinformationtothecommunitiesthattheyserve.BroadcastersdonotprovideInternetProtocol(IP)networkservicestoothersbutacquirethemfromIPserviceproviders.However,broadcasterscriticalonairoperationsareenabledbyIPnetworksandhaveinrecentyearsbecomemoreandmoredependentuponthem.Individualbroadcastcompaniesshouldconsiderutilizingthestepsoutlinedinthisreporttoupdateordeveloptheirowncyberriskmanagementprograms,applyingtheframeworktotheirownuniquecircumstances.II. INTRODUCTIONTheBroadcastSegmentisasubgroupwithinCSRICIVWorkingGroup4focusedondevelopingrecommendationsthatwillassistinreducingcybersecurityrisktobroadcastonairoperationsthroughtheapplicationoftheNISTCybersecurityFramework(CSF).Thescaleofthebroadcastindustryisfairlyuniqueamongtheothercommunicationsindustrysegments.Thebroadcastindustryisdiverse,morethan15,000radioand1,700televisionbroadcastingfacilitiesintheUnitedStates,providingnews,emergencyinformationandotherprogrammingservicesfree,overtheairtoconsumers.Whilemanyoftheseoperationsarebroadcastnetworksandgroupowed,individuallicenseestendtobesmalltomediumsizedoperations,withrelativelylimitedInformationTechnology(IT)support.ThebroadcastindustryisincreasinglycharacterizedbyarelianceontheInternetandotherIPbasedinfrastructureforitscoreonairoperations.Forthepastseveralyears,thebroadcastindustryhasbeentransformedbyatransitiontofilebasedworkflowsandincreasedfocusedonIPnetworkingandcontentdelivery.Anumberofbroadcasterscontinuetoexpandtheirrelianceoncentralcastingconcentratingonairoperationsinregionalhubs.Alsogrowingrapidlyistheuseofcloudbasedservicesbybroadcasters,particularlyintheareasofstreaming,archiving,editing,transcoding,andcontentdistribution.In2012theCommunicationsSector,inpartnershipwiththeDepartmentofHomelandSecurity(DHS),completedthe2012RiskAssessmentforCommunications(referredtogoingforwardastheNationalSectorRiskAssessmentorNSRA),updatingits2008report,whichassessedphysicalandcyberthreatstothecommunicationsinfrastructure.TheriskassessmentwasintendedtofurtherthegoalsoftheCommunicationsSectorSpecificPlan,alsodevelopedjointly


38

withDHSin2010,toidentifyandprotectnationalcriticalinfrastructure,ensureoverallnetworkreliability,maintainalwaysonserviceforcriticalcustomersandquicklyrestorecriticalcommunicationsfunctionsandservicesfollowingadisruption.InordertoaccomplishthefoundationalobjectivesestablishedbytheFCCforCSRICIVWG4,theBroadcastSegmentgroupsoughttodeveloprecommendationswhichwillenabletheNISTCybersecurityFrameworktobeconformedinsuchawaythatthatitmaybeusedbythebroadcastindustrytoassessthevulnerabilityofcriticalonairoperationsinthecontextofcriticalinfrastructureasdefinedintheCybersecurityExecutiveOrder38andtheNSRA.PleasenotethisreportdoesnotaddresssecurityoftheEmergencyAlertSystem(EAS)anditsassociatedecosystem.EASsecurityisconsideredinCSRICIVWorkingGroupIII.39III. BROADCASTSEGMENTGROUPMEMBERS

Member CompanyAdrienneAbbott NevadaAssociationofBroadcastersSohailAnwar NationalPublicRadioEdwardCzarnecki MonroeElectronics,Inc./DigitalAlertSystemsSetonDroppers PublicBroadcastingSystemChristopherHomer PublicBroadcastingServiceRobertRoss CBSTelevisionNetworkDavidWilliams NationalPublicRadioKellyWilliams NationalAssociationofBroadcasters

IV. OBJECTIVE,SCOPEANDMETHODOLOGY

A. ObjectiveCSRICIVWG4wastaskedwithdevelopingvoluntarymechanismsthatprovidemacrolevelassurancetotheFederalCommunicationsCommission(FCC)andthepublicthatcommunicationprovidersaretakingthenecessarycorporateandoperationalmeasurestomanagecybersecurityrisksacrosstheenterprise.WG4alsowaschargedwithprovidingimplementationguidancetofacilitatetheuseandadaptationofthevoluntaryNISTCybersecurityFramework(CSF)bycommunicationsproviders.ConsistentwithWorkingGroup4slargerobjective,thebroadcastsegmentgroupanalyzedtheNISTCybersecurityFrameworkversion1.0fromtheperspectiveofthebroadcastindustryinordertoapplythepracticesandprocessesdescribedthereintothissegmentofthecommunicationssector.

38SeeExec.OrderNo.13,636,ImprovingCriticalInfrastructureCybersecurity,78FR11737(Feb.19,2013)[hereinafterEO13636].39SeeFederalCommunicationsCommission,TheCommunicationsSecurity,ReliabilityandInteroperabilityCouncilIII,WorkingGroup3EmergencyAlertSystem(EAS)InitialReportCSRICWG3EASSecuritySubcommitteeReport(2014),availableathttp://transition.fcc.gov/pshs/advisory/csric4/CSRIC_IV_WG3_InitialReport_061814.pdf.


39

B. ScopeBasedontheNISTcybersecurityframeworkincriticalinfrastructure,thebroadcastsegmentgroupfocusedonidentifyingtheaspectsofthebroadcastinfrastructurethatwouldbeconsideredcriticalinfrastructuresupportingthecriticalservicesbroadcastersprovide.BasedonthedefinitionsofcriticalinfrastructureoutlinedintheNSRAandExecutiveOrder13636,thegroupconcludedthatitisbroadcastersroleinpublicalertingandasfirstinformers(i.e.keepingthepublicinformedduringtimeofemergency)thatfulfilsthiscriticalinfrastructurerole.TheNSRAcommunicationsarchitecturemodelillustratingwhatisconsideredcriticalinfrastructureisshownbelow.

ThebroadcastsegmentgroupagreedwiththeotherSegmentgroupsthatthescopeofitseffortsshouldbuildupontheworkalreadycompletedintheNSRA,whichistoensureoverallnetworkreliability,maintainalwaysonserviceforcriticalcustomersandquicklyrestorecriticalcommunicationsfunctionsandservicesfollowingadisruption.ConsideringallthesefactorstheBroadcastSectorgroupconcludedthatmaintainingtheonairoperationsatlocal,regionalandnationallevelwasconstitutedmaintainingthissegmentofthenationalcriticalcommunicationsinfrastructure.

ItisimportanttonotethatBroadcastersareconsumersofIPbasednetworkservicesanddonotsupplyIPservicestoothers,assuch,theymustevaluatetheriskandvulnerabilityoftheirassetsinthecontextonmaintainingtheircriticalonairoperations.


40

C. MethodologyStartingwiththeBroadcastarchitecturemodelfromtheNSRA(below),thebroadcastsegmentanalyzedthebroadcastecosystemsanddevelopedfourarchitecturemodelsthatareillustrativeofthedifferenttypesofoperationsinthebroadcastsegmentLocalBroadcastStation,SmallRadioStation,Hubbed(orCentralCast)Operation,andBroadcastProgramNetwork.Thesemodels,describedinmoredetailinSectionV,canhelpbroadcastersidentifythecriticalassetsthatmayrequiredifferentapproachestoapplicationoftheNISTFramework.Thesecriticalelementsdelineatethescopeofassetsintendedtobeprotectedthroughthefurtheranalysisbelow.

Commercial Satellite

Television/RadioNetwork Headquarters

STL Studio to Transmitter link (typically point-to-point fixed microwave or fiber)ENG Electronic News Gathering. (local TV news coverage via portable microwave link)SNG Satellite News Gathering (local TV news coverage via portable satellite link)

STL

Mobile Customer

Portable Microwave or Satellite

ENG/SNG

Fiber Back-up

Local Broadcast Station(DTV/AM/FM/HD-Radio)

Satellite Recieve DishesBroadcastAntenna

Radio/Television Station Transmitter

Transmitter Site

Home Custome

Podestrian Customer


41

V. RESULTSANDFINDINGSA. CriticalServicesThebroadcastsegmentutilizedtheNISTcybersecurityframeworktoevaluateitsapplicationtothebroadcastsector.Sincethebroadcastsectorprovidesaservicetoconsumersbyprovidingnews,weatherandemergencyinformationthroughovertheairsignalsor,inthecaseofaprogramnetwork,viasatelliteorleasedfiberfacility,manyofthecybersecurityconcernsmaynotappeartobeapplicable.Aftercarefulreview,thebroadcastsegmentdeterminedthatthereareaspectsofbroadcastinginfrastructurethatareIPnetworkbasedandcriticaltoprovidingessentialservices.Broadcastersareusedtocarryingmissioncriticaldataandinformation.Broadcastersmustassesswhichpartsoftheirinfrastructurearecriticaltomaintainingonairoperationssothattheycandeliverthefollowingtypesofessentialinformationtothepublic.

1) EmergencyAlertSystems(EAS)NewtechnologyinemergencyalertingnowcarrymessagesfromtheFederalEmergencyManagementAssociation(FEMA)throughIPnetworksusingCommonAlertingProtocol(CAP).ManystateandlocalemergencymanagementorganizationshavealsoadoptedCAPprotocolmessagingdistributedviaIPoverdedicatedorpublicinternet.ThebroadcastersIPnetworksthatcarrythesecriticalmessagesneedtobeprotectedagainstcyberattacks40.2) NewsandWeatherandOtherEmergencyInformationBroadcaststationsandnetworksprovideessentialcontentintheformofnewsandweatherandotheremergencyinformation,suchasevacuationroutesortornadotracking.BothinformationandcontentflowoverhighspeedIPnetworkswithinabroadcastplanttoprovideintegrationofNewsRoomComputerSystems(NRCS),audioandvideoservers,graphicssystemsandscheduling/automationsystems.Thebroadcastnetworkisthebackboneofthestationornetworkandneedstobecarefullymanagedforredundancy,reliabilityandsecurity.ImportantfeedsandwireservicesthatareusedtosolelyrelyonsatelliteormicrowavehavealsomigratedgoIPandLongTermEvolution(LTE)networksinordertoprovidevaluableandtimelycontent.

B. BroadcastEcosystemArchitecturesBelowarethefourarchitecturemodelsthatareillustrativeofthedifferenttypesofoperationsinthebroadcastsegment.Broadcasterscanusethemodelthatmostclosely

40ThisreportdoesnotaddressspecificsofsecurityforEASanditsassociatedecosystem.EASsecurityisconsideredinCSRICWorkingGroupIII.


42

resemblestheiractualinfrastructuretoidentifytheassetsthatrequirethreatanalysisandevaluationwhenapplyingtheframeworktoonairoperations

1) LocalBroadcastStationBroadcaststationsincludeindependent,public,educationalorstate,stationgroupsornetworkO&Os(ownedandoperated).Abroadcaststationcanbeahandfulofemployeesinamomandpopshoptomajormarketstationswithhundredsofemployees.Manyfunctionalareaswithinastationincludebutarenotlimitedtosales,programming,traffic,production,news,communityaffairs,publicrelations,accountingandfinance,andengineeringandoperations.EngineeringandOperationstypicallyoperatesona24X7basisaplaysacriticalroleinprovidingcontentforcommunityservice,news,weather,sports,andentertainmentfortheirbroadcastmarket.

2) LocalSmallRadioStationLocalRadioStationsmaynothaveenterpriselevelnetworksaslargerbroadcastersdo,buttherearemanyareaswherethestationnetworkconnectivityprovidescriticalservicestoitsaudienceandwouldnecessitatecybersecuritymeasures.Thisincludesprogrammingsource(s)deliveredviaIP,commercialdeliveryandcommercialproduction,otherproductionresourcessuchasAssociatedPress(A/P)newswireservicedelivery,remoteoperations,CommonAlertingProtocol(CAP)/EASInternetaccess,andStudioTransmitterLinks(STL)transmittermeteringandcontrol.ThenetworkcouldalsobeusedtoprovidefortransmittersitesecurityA/Pnews,station


43

socialMedia/applications/contests/games,inhouseWiFiaccess,FCCaccounts,TrafficBookkeeping(includesstaffandlisteneraccounts),andportablemediausingUniversalSerialBus(USB)orBluetooth.

Content


ENG/SNG

Local Radio Station

Sat RXBroadcastAntenna

RadioTransmitter

Transmitter Site

Home Customer

Internet Service Provider

Firewall

Firewall

Internet Service Provider

LOCAL SMALL RADIO STATION

Station Network

Admin

Production

EASNews

PC/Smart Device

Remote control

Rcvr Process

RDS

On Air Console

STLDEC

Traffic

3) BroadcastHubbed(CentralCast)OperationBroadcaststationhubissomewhatdifferentfromabroadcaststation.Abroadcaststationtypicallytakestherepetitive24X7mastercontroloperationsoftwoormorebroadcaststationsandcombinesthemintoasinglefacilityforefficiencypurposes.Thesecanincludeprivatethirdpartybusiness,educationalorstate,stationgroupsornetworkO&Os(ownedandoperated)hubs.Atelevisionstationthatisaspokeofahubfacilitydoesnotneedtobeasmallmarketfacility.Ahubbedtelevisionstationisafullyfeaturedandfunctioningfacilitythatcanhaveanewsdepartment,promotions,andbeanetworkaffiliateorindependent.Itsimplydoesnothaveamastercontrolfacilitytooriginateitsprogrammingtothelocalbroadcasttransmitter.Therearetwowaystoaccomplishthis:

Thecentralhuboriginatesallcontentwhichissenttothesatellitestationasa

videostreamoveraprivatebandwidthcircuit.Localcommercials,newsprogramming,andotherinterstitialmaterialaresentintheotherdirectiontothehubfortransmissionatalatertimeorinrealtimeinthecaseoflivenewsprogramming.Trafficoperationsarealsousuallycentralizedatthehubfacility.,or


44

Thesatellitestationhasallofthecontentmaterialandequipmentonsite,butiscontrolledfromthecentralhub.

Todaywiththecostofbandwidthbeingmuchlowerthanfiveyearsagomostcentralcastinglocationsusemethodnumberone.TheobvioussecurityandredundancyissuesregardingprotectionofthefeedfromthehubrequirethattwodiverseroutesshouldbeemployedwithfirewallsandVPNprotection.Allotherdatacircuits,computers,digitalstreamingfeeds,feedsofanytypeshouldbeprotectedastheywouldbeinanyothermodernbroadcastfacility.


Television/RadioNetwork Headquarters

Risks for business:1. Internet connections2. Email3. File Delivery (content or otherwise)4. USB Devices5. Laptops6. Partners, etc.

ENG/SNG

Fiber Back-up

Station Hub(DTV/AM/FM/HD-Radio)

Sat RX

Internet Service ProviderIncoming Firewall Outgoing Firewall

Workstations

Video/AudioDevices

BROADCAST HUBBED OPERATION

IP/Feed Radio/Television Station Transmitter

Transmitter Site

BroadcastAntenna


Transmitter Site

BroadcastAntenna


Transmitter Site

BroadcastAntenna

4) BroadcastNetworkBroadcastnetworksprovidecontenttostations,cablecompanies,satelliteprovidersandevenOTT(OvertheTop)broadcast.Abroadcastnetworkrangefromafewhundredtoafewthousandemployeesandtypicallyprovidesanationalorinternationalfootprintfordistribution.Manyfunctionalareaswithinanetworkinclude,butarenotlimitedto,sales,programming,traffic,production,news,publicrelations,accountingandfinance,andengineeringandoperations.EngineeringandOperationstypicallyoperatesona24X7basisaplaysacriticalroleinprovidingcontentforstations,cablecompanies,satelliteprovidersandOTTdistributors.Thiscontenteventuallymakesitswaytothepublicfornews,sports,weather,education,publicinterest,andentertainment.


45

Privateor

CommercialTerrestrial

Internet

CorporateNetwork(SingleBuildingorCampus)

CommercialSatellite

Television/RadioStation

Risksforbusiness:1.Internetconnections2.Email3.FileDelivery(contentorotherwise)4.USBDevices5.Laptops6.Partners,etc.

BroadcastAntenna

ISPAFirewall

CDN,Partners,ETC

Laptop

BroadcastWorkstations

BroadcastNetwork

BCastFiber(CommercialDeliveredby

Telcoor

DarkFiber)

BCastFirewall

FileDelivery

CorporateWorkstations

SatRx

FiberRxMediaSupplyChain

Ingest/Playout

ISPB

SatelliteRecieve

Uplink

VI. APPLYINGTHENISTCYBERSECURITYFRAMEWORKTheNISTFrameworkpresentsfiveCoreFunctionsorganizationscanusetoevaluatetheircybersecurityrisks.

IdentifyDeveloptheorganizationalunderstandingtomanagecybersecurityriskto

systems,assets,data,andcapabilities.TheactivitiesintheIdentifyFunctionarefoundationalforeffectiveuseoftheFramework.Understandingthebusinesscontext,theresourcesthatsupportcriticalfunctionsandtherelatedcybersecurityrisksenablesanorganizationtofocusandprioritizeitsefforts,consistentwithitsriskmanagementstrategyandbusinessneeds.

ProtectDevelopandimplementtheappropriatesafeguardstoensuredeliveryof

criticalinfrastructureservices.TheProtectFunctionsupportstheabilitytolimitorcontaintheimpactofapotentialcybersecurityevent.ExamplesofoutcomeCategorieswithinthisFunctioninclude:AccessControl;AwarenessandTraining;DataSecurity;InformationProtectionProcessesandProcedures;Maintenance;andProtectiveTechnology.


46

DetectDevelopandimplementtheappropriateactivitiestoidentifytheoccurrenceofacybersecurityevent.TheDetectFunctionenablestimelydiscoveryofcybersecurityevents.ExamplesofoutcomeCategorieswithinthisFunctioninclude:AnomaliesandEvents;SecurityContinuousMonitoring;andDetectionProcesses.

RespondDevelopandimplementtheappropriateactivitiestotakeactionregardinga

detectedcybersecurityevent.TheRespondFunctionsupportstheabilitytocontaintheimpactofapotentialcybersecurityevent.ExamplesofoutcomeCategorieswithinthisFunctioninclude:ResponsePlanning;Communications;Analysis;Mitigation;andImprovements.

RecoverDevelopandimplementtheappropriateactivitiestomaintainplansfor

resilienceandtorestoreanycapabilitiesorservicesthatwereimpairedduetoacybersecurityevent.TheRecoverFunctionsupportstimelyrecoverytonormaloperationstoreducetheimpactfromacybersecurityevent.ExamplesofoutcomeCategorieswithinthisFunctioninclude:RecoveryPlanning;Improvements;andCommunications.

VII. APPLICATIONMETHODOLOGYTheCSRICIVBroadcastSubCommitteereviewedtheNISTframeworkasitappliestothedifferentsegmentsofthebroadcastindustry;

SmallRadioStation LocalBroadcastStation StationHub(orCentralCast)Operation BroadcastNetwork

Eachofthe98subcategoriesoftheNISTFrameworkwereevaluatedastobeingnoncritical,maybecritical,orcriticalforeachofthetypesofbroadcastinfrastructuremodels.Thishelpsdefinehowthescopeoftheframeworkcanbeappliedtobroadcastorganizationsofdifferentiatingscopeandsize.


47

NISTSubCategory SmallRadioStationTV

BroadcastStation

StationHub

NetworkFacility

ID.AM1:Physicaldevicesandsystemswithintheorganizationareinventoried Critical Critical Critical Critical

ID.AM2:Softwareplatformsandapplicationswithintheorganizationareinventoried

Critical Critical Critical Critical

ID.AM3:Organizationalcommunicationanddataflowsaremapped

MayNotbeCritical Critical Critical

ID.AM4:Externalinformationsystemsarecatalogued Critical Critical

ID.AM5:Resources(e.g.,hardware,devices,dataandsoftware)areprioritizedbasedontheirclassification,criticality,andbusinessvalue


ID.AM6:Cybersecurityrolesandresponsibilitiesfortheentireworkforceandthirdpartystakeholders(e.g.,suppliers,customers,partners)areestablished


ID.BE1:Organization'sroleinthesup

Cyber Security Risk Management

Documents

Transcript of Cyber Security Risk Management