Critical Information Infrastructure Protection A Commonwealth Perspective
-
Upload
vernon-kidd -
Category
Documents
-
view
17 -
download
1
description
Transcript of Critical Information Infrastructure Protection A Commonwealth Perspective
Critical Information Infrastructure Protection
A Commonwealth Perspective
Geneva, Switzerland15-16th September 2014
Dr Martin KoyabeHead of Research & Consultancy
Commonwealth Telecommunications Organization (CTO)E-mail: [email protected]
ITU Workshop on “ICT Security Standardizationfor Developing Countries”
Acknowledgement
© Commonwealth Telecommunications Organisation | www.cto.int
Understanding CIIP
• Critical Resources
General definition
• Critical Infrastructure
• Critical Information Infrastructure In
terd
epend
enci
es
© Commonwealth Telecommunications Organisation | www.cto.int 4
Critical Resources
Water Energy Forests
Defined by some national governments to include:-
• Natural & environmental resources (water, energy, forests etc)• National monuments & icons, recognized nationally &
internationally
© Commonwealth Telecommunications Organisation | www.cto.int 5
Critical Infrastructure (1/3)
Airports Power Grid Roads
Defined by some national governments to include:-
• Nation’s public works, e.g. bridges, roads, airports, dams etc• Increasingly includes telecommunications, in particular major
national and international switches and connections
© Commonwealth Telecommunications Organisation | www.cto.int 6
Critical Infrastructure (2/3)
“ the assets, systems, and networks, whether physical or virtual, so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.”
Source: US Homeland Security
“ the (CNI) comprises those assets, services and systems that support the economic, political and social life of the UK whose importance is such that loss could either, cause large-scale loss of life; have a serious impact on the national economy; have other grave social consequences for the community; or be of immediate concern to the national government.”
Source: UK Centre for the Protection of National Infrastructure (CPNI)
“ an asset or system which is essential for the maintenance of vital societal functions. The damage to a critical infrastructure, its destruction or disruption by natural disasters, terrorism, criminal activity or malicious behaviour, may have a significant negative impact for the security of the EU and the well-being of its citizens.”
Source: European Union (EU)
© Commonwealth Telecommunications Organisation | www.cto.int 7
Critical Infrastructure (3/3)
“ those physical facilities, supply chains, information technologies and communication networks which, if destroyed, degraded or rendered unavailable for an extended period, would significantly impact on the social or economic wellbeing of the nation or affect Australia’s ability to conduct national defense and ensure national security.”
Source: The Australian, State & Territory Government
“ processes, systems, facilities, technologies, networks, assets and services essential to the health, safety, security or economic well-being of Canadians and the effective functioning of government. Critical infrastructure can be stand-alone or interconnected and interdependent within and across provinces, territories and national borders. Disruptions of critical infrastructure could result in catastrophic loss of life, adverse economic effects, andSignificant harm to public confidence.
Source: Government of Canada
“those facilities, systems, or functions, whose incapacity or destruction would cause a debilitating impact on national security, governance, economy and social well-being of a nation”
Source: National Critical Information Infrastructure Protection Centre (NCIIPC)
© Commonwealth Telecommunications Organisation | www.cto.int 8
Critical Infrastructure Sub-Sectors
e.g. Germany has technical basic & social-economic services infrastructure
© Commonwealth Telecommunications Organisation | www.cto.int 9
What about the 53 commonwealth member countries?
Do they have a national critical infrastructure initiative or strategy?
© Commonwealth Telecommunications Organisation | www.cto.int 10
Critical Information Infrastructure (1/2)
CII definition:-
“ Communications and/or information service whose availability, reliability and resilience are essential to the functioning of a modern economy, security, and other essential social values.”
Rueschlikon Conference on Information Policy Report, 2005
© Commonwealth Telecommunications Organisation | www.cto.int 11
Critical Information Infrastructure (2/2)Cr
itica
l Inf
rast
ruct
ures
Telecoms
Energy
Transportation
Finance/Banking
Government Services
Large Enterprises
End-users
Critical Information Infrastructure
Cross-cutting ICT interdependencies among all sectors
Cyber securityPractices and procedures that enable the secure use and operation of cyber tools and technologies
Non-essential IT Systems
Essential IT Systems
© Commonwealth Telecommunications Organisation | www.cto.int 12
Critical Information Infrastructure Protection (CIIP)
• Widespread use of Internet has transformed stand-alone systems and predominantly closed networks into a virtually seamless fabric of interconnectivity.
• ICT or Information infrastructure enables large scale processes throughout the economy, facilitating complex interactions among systems across global networks.
• ICT or Information infrastructure enables large scale processes throughout the economy, facilitating complex interactions among systems across global networks; and many of the critical services that are essential to the well-being of the economy are increasingly becoming dependent on IT.
© Commonwealth Telecommunications Organisation | www.cto.int
• Today Critical Information Infrastructure Protection (CIIP) – Focuses on protection of IT systems and assets
o Telecoms, computers/software, Internet, interconnections & networks services
– Ensures Confidentiality, Integrity and Availabilityo Required 27/4 (365 days)o Part of the daily modern economy and the existence of any country
Critical Information Infrastructure Protection (CIIP)
TelecomNetwork
Power Grid
Water Supply
PublicHealth
NationalDefence
NationalDefence
LawEnforcement
© Commonwealth Telecommunications Organisation | www.cto.int
CII Attack Scenarios
Telecoms
Health Services
Cloud Services
Finance/Banking
eGovernment
Critical Information Infrastructure (CII)Cross-cutting ICT interdependencies among all sectors
Natural disaster, power outage, or hardware failure
Resource exhaustion (due to DDoS attack)
Cyber attack (due to a software flaw)
© Commonwealth Telecommunications Organisation | www.cto.int
• Expanding Infrastructures– Fiber optic connectivity
o TEAMS/SEACOM/EASSy/LION/ACE
• Mobile phones– Mobile/Wireless Networks
o Asia-Pacific – accounts for 55% of ALL mobile phones in the world (2.2 billion)
– SIM card fraud
• Existence of failed states– Cyber warfare platforms
o Doesn’t need troops or military hardware
• Social Networks– “Gold mine” for social engineering
o Hactivism creates fear, uncertainty & doubt
• Cloud Computing– Increased dependency– Attacks on cloud services have high impact
Future CII Attack Vectors
© Commonwealth Telecommunications Organisation | www.cto.int
• Increased awareness for CIIP & cyber security– Countries aware that risks to CIIP need to be managed
o Whether at National, Regional or International level
• Cyber security & CIIP becoming essential tools– For supporting national security & social-economic well-being
• At national level– Increased need to share responsibilities & co-ordination
o Among stakeholders in prevention, preparation, response & recovery
• At regional & international level– Increased need for co-operation & co-ordination with partners
o In order to formulate and implement effective CIIP frameworks
Desired global trends towards CIIP
© Commonwealth Telecommunications Organisation | www.cto.int
Challenges for developing countries
#1: Cost and lack of (limited) financial investment– Funds required to establish a CIIP strategic framework can be a hindrance– Limited human & institutional resources
Source: GDP listed by IMF (2013)
© Commonwealth Telecommunications Organisation | www.cto.int
#2: Technical complexity in deploying CIIP– Need to understand dependencies & interdependencies
o Especially vulnerabilities & how they cascade
Challenges for developing countries
Powerplants Regional Power Grid
Regional Power Supply
Private D2D links
Private Datacenters
Banks & Trading
Public Administration
Public Datacenters
eGovernment
Online services, cloud
computing Telco sites, switch areas,
interconnections
Public eComms
Regional network, cables,
wires, trunks
Public Transport
Emergency care (Police, Firefighters,
Ambulances)
Emergency Calls
(99.9%) 8 hr outages are disastrous
(99%) 3 days outages are disastrous
(90%) 30 days outages are disastrous
© Commonwealth Telecommunications Organisation | www.cto.int
Challenges for developing countries
Critical FunctionInfrastructure
Element
Supply Chain
Supply Chain
Key Resource
Supply Chain
Critical Function
Infrastructure Element
Supply Chain
Supply Chain
Key Resource
Supply ChainCritical Function
Infrastructure Element
Supply Chain
Supply Chain
Key Resource
Supply Chain
InterdependenciesUnderstand requirements &
complexity
• Understand the critical functions, infrastructure elements, and key resources necessary for
– Delivering essential services– Maintaining the orderly operations if the
economy– Ensure public safety.
#3: Identify & prioritize critical functions
© Commonwealth Telecommunications Organisation | www.cto.int
#4: Need for Cybersecurity education & culture re-think– Create awareness on importance of Cybersecurity & CIIP
o By sharing information on what works & successful best practices
– Creating a Cybersecurity culture can promote trust & confidenceo It will stimulate secure usage, ensure protection of data and privacy
Challenges for developing countries
© Commonwealth Telecommunications Organisation | www.cto.int
#5: Lack of relevant CII strategies, policies & legal framework– Needs Cybercrime legislation & enforcement mechanisms– Setup policies to encourage co-operation among stakeholders
o Especially through Public-Private-Partnerships (PPP)
#6: Lack of information sharing & knowledge transfer– It is important at ALL levels National, Regional & International – Necessary for developing trust relationships among stakeholders
o Including CERT teams
Challenges for developing countries
Commonwealth Approach to Cybergovernance
© Commonwealth Telecommunications Organisation | www.cto.int 23
Why a Commonwealth Model
• Contrasting views emerging across the world on governing the Cyberspace
• Harmonisation is critical to facilitate the growth and to realise the full potentials of Cyberspace
• Commonwealth family subscribes to common values and principles which are equally well applicable to Cyberspace
• CTO is the Commonwealth agency mandated in ICTs• The project was launched at the 53rd council meeting of
the CTO in Abuja, Nigeria (9th Oct 2013) • Wide consultations with stakeholders• Adopted at the Commonwealth ICT Ministers Forum on 3rd
and 4th March 2014 in London
© Commonwealth Telecommunications Organisation | www.cto.int 24
Objectives
The Cybergovernance Model aims to guide Commonwealth members in:-
– Developing policies, legislation and regulations– Planning and implementing practical technical
measures– Fostering cross-border collaboration– Building capacity
© Commonwealth Telecommunications Organisation | www.cto.int 25
Commonwealth Values in Cyberspace
• Based on Commonwealth Charter of March 2013– Democracy, human rights and rule of law
• The Charter expressed the commitment of member states to – The development of free and democratic societies– The promotion of peace and prosperity to improve the lives of all
peoples– Acknowledging the role of civil society in supporting
Commonwealth activities
• Cyberspace today and tomorrow should respect and reflect the Commonwealth Values– This has led to defining Commonwealth principles for use of
Cyberspace
© Commonwealth Telecommunications Organisation | www.cto.int 26
Commonwealth Principle for use of Cyberspace
Principle 1: We contribute to a safe and an effective global Cyberspace• as a partnership between public and private sectors, civil society and
users, a collective creation;• with multi-stakeholder, transparent and collaborative governance
promoting continuous development of Cyberspace;• where investment in the Cyberspace is encouraged and rewarded;• by providing sufficient neutrality of the network as a provider of
information services;• by offering stability in the provision of reliable and resilient information
services;• by having standardisation to achieve global interoperability;• by enabling all to participate with equal opportunity of universal access;• as an open, distributed, interconnected internet;• providing an environment that is safe for its users, particularly the young
and vulnerable;• made available to users at an affordable price.
© Commonwealth Telecommunications Organisation | www.cto.int 27
Commonwealth Principle for use of Cyberspace
Principle 2: Our actions in Cyberspace support broader economic and social development• by enabling innovation and sustainable development, creating greater
coherence and synergy, through collaboration and the widespread dissemination of knowledge;
• respecting cultural and linguistic diversity without the imposition of beliefs;• promoting cross-border delivery of services and free flow of labour in a
multi-lateral trading system;• allowing free association and interaction between individuals across
borders;• supporting and enhancing digital literacy;• providing everyone with information that promotes and protects their
rights and is relevant to their interests, for example to support transparent and accountable government;
• enabling and promoting multi-stakeholder partnerships;• facilitating pan-Commonwealth consultations and international linkages in
a single globally connected space that also serves local interests.
© Commonwealth Telecommunications Organisation | www.cto.int 28
Commonwealth Principle for use of Cyberspace
Principle 3: We act individually and collectively to tackle cybercrime• nations, organisations and society work together to foster
respect for the law;• to develop relevant and proportionate laws to tackle
Cybercrime effectively;• to protect our critical national and shared infrastructures;• meeting internationally-recognised standards and good
practice to deliver security;• with effective government structures working collaboratively
within and between states;• with governments, relevant international organisations and
the private sector working closely to prevent and respond to incidents.
© Commonwealth Telecommunications Organisation | www.cto.int 29
Commonwealth Principle for use of Cyberspace
Principle 4: We each exercise our rights and meet our responsibilities in Cyberspace• we defend in Cyberspace the values of human rights, freedom of expression
and privacy as stated in our Charter of the Commonwealth;• individuals, organisations and nations are empowered through their access
to knowledge;• users benefit from the fruits of their labours; intellectual property is
protected accordingly;• users can benefit from the commercial value of their own information;
accordingly, responsibility and liability for information lies with those who create it;
• responsible behaviour demands users all meet minimum Cyberhygiene requirements;
• we protect the vulnerable in society in their use of Cyberspace;• we, individually and collectively, understand the consequences of our
actions and our responsibility to cooperate to make the shared environment safe; our obligation is in direct proportion to culpability and capability.
Commonwealth Approach for Developing
National Cybersecurity Strategies
© Commonwealth Telecommunications Organisation | www.cto.int 31
Development of a Nation Cybersecurity Strategy
• Need support from highest levels of government• Adopt a multi-stakeholder partnership (private sector,
public sector & civil society)• Draw on the expertise of the International Community• Appoint a lead organisation or institution• Be realistic and sympathetic to the commercial
consideration of the private sector• Add mechanisms to monitor & validate
implementation
© Commonwealth Telecommunications Organisation | www.cto.int 32
Main elements of a Cybersecurity Strategy
• Introduction and background• Guiding principles • Vision and strategic goals • Specific objectives • Stakeholders• Strategy implementation
© Commonwealth Telecommunications Organisation | www.cto.int 33
Introduction & Background
• Focuses on the broad context• Sets the importance of Cybersecurity to national
development• Assess current state of Cybersecurity and challenges
STRATEGY COMPONENTS ASPECTS TO CONSIDER EXAMPLE TEXT FROM PUBLISHED STRATEGIES AND BEST PRACTICE
1. Introduction / background
This section provides a succinct background of the country’s circumstances and the status of its Cybersecurity
Explain the importance of Cybersecurity to economic and social development.
Describe the use of Cyberspace and the nature of Cybersecurity challenges to justify the need for the Cybersecurity strategy
Explain the relationship to existing national strategies and initiatives.
Uganda’s introduction covers: The definition of information security The justification for a strategy Country analysis of current state of
information security framework. Strategy guiding principles Vision, mission, strategic objectives
Note that this example covers the first three sections in this framework.
© Commonwealth Telecommunications Organisation | www.cto.int 34
• Based on Commonwealth Cybergovernance principles • Balance security goals & privacy/protection of civil liberties• Risk-based (threats, vulnerabilities, and consequences)• Outcome-focused (rather than the means to achieve it)• Prioritised (graduated approach focusing on critical issues)• Practicable (optimise for the largest possible group)• Globally relevant (harmonised with international standards)
Guiding Principles (1/2)
© Commonwealth Telecommunications Organisation | www.cto.int 35
Guiding Principles (2/2)
STRATEGY COMPONENTS ASPECTS TO CONSIDER EXAMPLE TEXT FROM PUBLISHED STRATEGIES AND BEST PRACTICE
2. Guiding principles
This section identifies the guiding principles for addressing Cybersecurity within which the strategy is designed and delivered.
Build from the principles of the Commonwealth Cybergovernance model.
Include any relevant national principles. Describe the delivery principles that
guide the design of the objectives goals, vision and objectives.
In addition to the Commonwealth Cybergovernance principles and national principles the following delivery principles are recommended:Risk-based. Assess risk by identifying threats,
vulnerabilities, and consequences, then manage the risk through mitigations, controls, costs, and similar measures.
Outcome-focused. Focus on the desired end state rather than prescribing the means to achieve it, and measure progress towards that end state.
Prioritised. Adopt a graduated approach and focus on what is critical, recognising that the impact of disruption or failure is not uniform among assets or sectors.
Practicable. Optimise for adoption by the largest possible group of critical assets and realistic implementation across the broadest range of critical sectors.
Globally relevant. Integrate international standards to the maximum extent possible, keeping the goal of harmonization in mind wherever possible.
© Commonwealth Telecommunications Organisation | www.cto.int 36
• Promote economic development• Provide national leadership• Tackle cybercrime• Strengthen the critical infrastructure• Raise and maintain awareness• Achieve shared responsibility• Defend the value of Human Rights• Develop national and international partnerships
Visions & Strategic Goals
© Commonwealth Telecommunications Organisation | www.cto.int 37
STRATEGY COMPONENTS ASPECTS TO CONSIDER EXAMPLE TEXT FROM PUBLISHED STRATEGIES AND BEST PRACTICE
3. Strategic goals and vision
This section defines what success looks like in broad summary terms and reflects the country’s priorities.
Make a clear statement of the country’s commitment to protecting the use of its Cyberspace
Emphasise the breadth of the use of Cyberspace: covering social and economic activity
Include text that can be quoted as part of the communication with wider stakeholders, e.g. a vision statement.
Australia’s vision: “The maintenance of a secure, resilient and trusted electronic operating environment that supports Australia’s national security and maximises the benefits of the digital economy” Three pillars of the Australian strategy:• All Australians are aware of cyber risks, secure their computers
and take steps to protect their identities, privacy and finances online;
• Australian businesses operate secure and resilient information and communications technologies to protect the integrity of their own operations and the identity and privacy of their customers;
• The Australian Government ensures its information and communications technologies are secure and resilient.”
Four pillars of the UK strategy:• Tackle cybercrime and be one of the most secure places in the
world to do business in cyberspace;• To be more resilient to cyber attacks and better able to protect our
interests in cyberspace;• To have helped shape an open, stable and vibrant cyberspace
which the UK public can use safely and that supports open societies;
• To have the cross-cutting knowledge, skills and capability it needs to underpin all our Cybersecurity objectives.
Visions & Strategic Goals
© Commonwealth Telecommunications Organisation | www.cto.int 38
• Provide a national governance framework for securing Cyberspace• Enhance the nation’s preparedness to respond to the challenges of
Cyberspace• Strengthening Cyberspace and national critical infrastructure• Securing national ICT systems to attract international businesses• Building a secure, resilient and reliable Cyberspace• Building relevant national and international partnerships and putting
effective political-strategic measures in place to promote Cyber safety• Developing a culture of Cybersecurity awareness among citizens• Promoting a culture of “self protection” among businesses and citizens• Creating a secure Cyber environment for protection of businesses and
individuals• Building skills and capabilities needed to address Cybercrime• Becoming a world leader in Cybercrime-preparedness and Cybercrime-
defence
Specific Objectives
© Commonwealth Telecommunications Organisation | www.cto.int 39
STRATEGY COMPONENTS ASPECTS TO CONSIDER EXAMPLE TEXT FROM PUBLISHED STRATEGIES AND BEST PRACTICE
4. Risk management (Risk based approach objectives)
How the risk management process works, and then setting objectives and priorities This section describes how risk management is performed and provides a top-level analysis. It states specific and tangible targets and assigns relative priorities.
How risk management is currently performed, for example for national security.
Sources of threat information and of major vulnerabilities.
How granular to make the outcomes and objectives.
How frequently to repeat the risk assessment process.
Source: Microsoft’s guidance, listed in appendix 3:• A clear structure for assessing and managing risk • Understand national threats and major vulnerabilities• Document and review risk acceptance and exceptions• Set clear security priorities consistent with the principles• Make national cyber risk assessment an on-going process
Specific Objectives
© Commonwealth Telecommunications Organisation | www.cto.int 40
Stakeholders
CIP Coordinator(Executive Sponsor)
Law Enforcement
Sector Specific Agency
Computer Emergency
Response Team (CERT)
Public Private
Partnership International Organisations
Infrastructure owners and operators
IT vendors and
solution providers
Shared PrivateGovernment
© Commonwealth Telecommunications Organisation | www.cto.int 41
STRATEGY COMPONENTS ASPECTS TO CONSIDER EXAMPLE TEXT FROM PUBLISHED STRATEGIES AND BEST PRACTICE
4. Stakeholders
This section identifies key participants in the development and delivery of the strategy. Roles and responsibilities should be clearly defined using RACI terminology (see appendix 5).
Identify all relevant key stakeholders taking into consideration, country objectives and focus areas
Identify key international stakeholders and partners that could contribute effectively
Draw stakeholders from governmental and non-governmental organizations, civil societies, academia, public and private sectors of the economy. Should include but not limited to software and equipment vendors, owners and operators of CII, law enforcement institutions etc.
In constructing the list of stakeholders, the following constituencies should be considered:• ministers and other politicians;• government departments concerned with ICT, telecommunications and
information security;• private sector organisations that provide ICT services;• government departments whose responsibilities rely upon or who engage with
Cyberspace, including: most economic activity, trade, tourism, law enforcement;• providers of the critical national infrastructure whose vital communications are
increasingly carried across the internet;• companies across the economy that rely upon Cyberspace, often represented by
trade associations;• representatives of civil society, often in the form of groups that reflect broad
public opinion and can advise on the best way to achieve outcomes involving the public;
• civil society organisations that represent particular parts of society or interest groups and can explain, for example, the needs of the young, of women, of rural communities and of the vulnerable;
• experts who understand how Cyberspace works, from a technical perspective, to ensure that government strategies are practical;
• Academia who can advise on R&D, international best practice, emerging issues; • International bodies such as the Commonwealth Telecommunications
Organisation• Other countries, particularly regional countries.
Specific Objectives
© Commonwealth Telecommunications Organisation | www.cto.int 42
• Governance and management structure• Legal and regulatory framework• Capacity Development• Awareness and outreach programmes • Incident response
– Incentivize commercial competitors to cooperate– Create national CERTs (include sector based CERTs)
• Stakeholder collaboration• Research and Development • Monitoring and evaluation
Strategy Implementation
© Commonwealth Telecommunications Organisation | www.cto.int 43
Strategy Implementation
© Commonwealth Telecommunications Organisation | www.cto.int 44
What Next? Upcoming CIIP Workshops
Accra, GhanaJan-Feb 2015
Nairobi, KenyaNov 2014
Colombo, Sri Lanka/Dhaka, BangladeshAug-Sep 2014
Port Vila, VanuatuSep-Oct 2014
Successfully completed
Scheduled to take place
To be confirmed
CTO CIIP Workshops
© Commonwealth Telecommunications Organisation | www.cto.int 45
Further Information Contact:
Dr Martin KoyabeEmail: [email protected] Tel: +44 (0) 208 600 3815 (Off) +44 (0) 791 871 2490 (Mob)
Q & A Session