Critical Information Infrastructure Protection (CIIP) Emerging Challenges for Developing Countries
Yaounde, Cameroon
24-27th February 2015
Dr Martin Koyabe
Head of Research & Consultancy
Commonwealth Telecommunications Organization (CTO)
E-mail: [email protected]
Sub-Regional Forum on Cybersecurity & Fight Against Cybercrime
Acknowledgement
© Commonwealth Telecommunications Organisation | www.cto.int
Understanding CIIP
• Critical Resources
General definition
• Critical Infrastructure
• Critical Information Infrastructure
Interdependencies
Critical Resources
Water
Energy
Forests
Defined by some national governments to include:-
• Natural & environmental resources (water, energy, forests etc)
• National monuments & icons, recognized nationally & internationally
Critical Infrastructure (1/3)
Airports
Power Grid
Roads
Defined by some national governments to include:-
• Nation’s public works, e.g. bridges, roads, airports, dams etc
• Increasingly includes telecommunications, in particular major national and international switches and connections
Critical Infrastructure (2/3)
“ the assets, systems, and networks, whether physical or virtual, so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.”
Source: US Homeland Security
“ the (CNI) comprises those assets, services and systems that support the economic, political and social life of the UK whose importance is such that loss could either, cause large-scale loss of life; have a serious impact on the national economy; have other grave social consequences for the community; or be of immediate concern to the national government.”
Source: UK Centre for the Protection of National Infrastructure (CPNI)
“ an asset or system which is essential for the maintenance of vital societal functions. The damage to a critical infrastructure, its destruction or disruption by natural disasters, terrorism, criminal activity or malicious behaviour, may have a significant negative impact for the security of the EU and the well-being of its citizens.”
Source: European Union (EU)
Critical Infrastructure (3/3)
“ those physical facilities, supply chains, information technologies and communication networks which, if destroyed, degraded or rendered unavailable for an extended period, would significantly impact on the social or economic wellbeing of the nation or affect Australia’s ability to conduct national defense and ensure national security.”
Source: The Australian, State & Territory Government
“ processes, systems, facilities, technologies, networks, assets and services essential to the health, safety, security or economic well-being of Canadians and the effective functioning of government. Critical infrastructure can be stand-alone or interconnected and interdependent within and across provinces, territories and national borders. Disruptions of critical infrastructure could result in catastrophic loss of life, adverse economic effects, and significant harm to public confidence.”
Source: Government of Canada
“those facilities, systems, or functions, whose incapacity or destruction would cause a debilitating impact on national security, governance, economy and social well-being of a nation”
Source: National Critical Information Infrastructure Protection Centre (NCIIPC)
What about countries in Africa?
Q) Does your country have a critical infrastructure framework?
Critical Infrastructure Sectors (1/2)
• European Commission (EC) provides an indicative list of 11 critical sectors
– Energy
– ICT
– Water
– Food
– Health
– Financial
– Public & Legal Order and Safety
– Civil Administration
– Transport
– Chemical and Nuclear Industry
– Space & Research
Critical Infrastructure Sectors (2/2)
• Provisional Critical Infrastructure list for Bangladesh
– Energy (Oil/Gas)
– Telecoms
– Transport (Roads)
– Monuments/Buildings
– Water
– Financial
– ICT
Source: CTO CIIP Workshop, Dhaka, Bangladesh (Sep 2014)
Critical Information Infrastructure Protection (CIIP)
• Widespread use of the Internet has transformed stand-alone systems and predominantly closed networks into a virtually seamless fabric of interconnectivity.
• ICT or Information infrastructure enables large scale processes throughout the economy, facilitating complex interactions among systems across global networks; and many of the critical services that are essential to the well-being of the economy are increasingly becoming dependent on IT.
Critical Information Infrastructure (1/2)
CII definition:-
“ Communications and/or information service whose availability, reliability and resilience are essential to the functioning of a modern economy, security, and other essential social values.”
Rueschlikon Conference on Information Policy Report, 2005
Critical Information Infrastructure (2/2)
Critical Infrastructures
Telecoms
Energy
Transportation
Finance/Banking
Government Services
Large Enterprises
End-users
Critical Information Infrastructure
Cross-cutting ICT interdependencies among all sectors
Cyber security
Practices and procedures that enable the secure use and operation of cyber tools and technologies
Non-essential IT Systems
Essential IT Systems
Critical Information Infrastructure Protection (CIIP)
• Today Critical Information Infrastructure Protection (CIIP)
– Focuses on protection of IT systems and assets
o Telecoms, computers/software, Internet, interconnections & networks services
– Ensures Confidentiality, Integrity and Availability
o Required 24/7 (365 days)
o Part of the daily modern economy and the existence of any country
Telecom Network
Power Grid
Water Supply
Public Health
National Defence
Law Enforcement
CII Attack Scenarios
Telecoms
Health Services
Cloud Services
Finance/Banking
eGovernment
Critical Information Infrastructure (CII)
Cross-cutting ICT interdependencies among all sectors
Natural disaster, power outage, or hardware failure
Resource exhaustion (due to DDoS attack)
Cyber attack (due to a software flaw)
Challenges for developing countries
#1: Cost and lack of (limited) financial investment
– Funds required to establish a CIIP strategic framework can be a hindrance
– Limited human & institutional resources
Source: GDP listed by IMF (2013)
#2: Technical complexity in deploying CIIP
– Need to understand dependencies & interdependencies
o Especially vulnerabilities & how they cascade
Powerplants
Regional Power Grid
Regional Power Supply
Private D2D links
Private Datacenters
Banks & Trading
Public Administration
Public Datacenters
eGovernment
Online services, cloud computing
Telco sites, switch areas, interconnections
Public eComms
Regional network, cables, wires, trunks
Public Transport
Emergency care (Police, Firefighters, Ambulances)
Emergency Calls
(99.9%) 8 hr outages are disastrous
(99%) 3 days outages are disastrous
(90%) 30 days outages are disastrous
#3: Limited knowledge on how to identify and classify critical infrastructure
– Need to consider business value, scope of population & technical dependency
[Diagram: several Critical Functions, each supported by Infrastructure Elements, Key Resources and Supply Chains, linked by Interdependencies. Understand requirements & complexity.]
#4: Need for Cybersecurity education & culture re-think
– Create awareness on importance of Cybersecurity & CIIP
o By sharing information on what works & successful best practices
– Creating a Cybersecurity culture can promote trust & confidence
o It will stimulate secure usage, ensure protection of data and privacy
#5: Lack of relevant CII strategies, policies & framework
– Needs Cybercrime legislation & enforcement mechanisms
– Set up policies to encourage co-operation among stakeholders
o Especially through Public-Private-Partnerships (PPP)
#6: Lack of information sharing & knowledge transfer
– It is important at ALL levels: National, Regional & International
– Necessary for developing trust relationships among stakeholders
o Including CERT teams
Steps towards CI Protection
(1) Establish CIP Goals, e.g.
• Critical Infrastructure (CI)
Critical infrastructures (CI) provide the essential services that support modern information societies and economies. Some CI support critical functions and essential services so vital that the incapacitation, exploitation, or destruction, through natural disaster, technological failure, accidents or intentional attacks could have a debilitating effect on national security and economic well-being.
• Understand Critical Infrastructure (CI) Risks
CI exploitation, or destruction, through natural disaster, technological failure, accidents or intentional attacks could have a debilitating effect on national security and economic well-being.
• Articulate CIP policy/goals
Prevent or minimize disruptions to critical information infrastructures, no matter the source, and thereby protect the people, the economy, the essential human and government services, and the national security. In the event disruptions do occur, they should be infrequent, of minimal duration and manageable.
• Establish Public-Private Partnerships
A national CIP framework includes relevant government entities as well as public-private partnerships involving corporate and non-governmental organizations.
Steps towards CI Protection
(2) Define CIP Roles
Define Policy and Identify Roles
Determine Acceptable Risks Levels
Assess Risks
Identify Controls and Mitigations
Implement Controls
Measure Effectiveness
• Government: Define CIP goal and roles
• Public-Private Partnership: Define what’s critical
• Infrastructure: Prioritize Risks
• Operators & Service Providers: Deploy best control solutions
Steps towards CI Protection
CIP Coordinator (Executive Sponsor)
Law Enforcement
Sector Specific Agency
Computer Emergency Response Team (CERT)
Public Private Partnership
Infrastructure owners and operators
IT vendors and solution providers
Legend: Shared, Private, Government
Steps towards CI Protection
(3) Identify & Prioritize Critical Functions
[Diagram: several Critical Functions, each supported by Infrastructure Elements, Key Resources and Supply Chains, linked by Interdependencies. Understand requirements & complexity.]
• Understand the critical functions, infrastructure elements, and key resources necessary for
– Delivering essential services
– Maintaining the orderly operations of the economy
– Ensuring public safety.
Steps towards CI Protection
(4) Continuously Assess and Manage Risks
Assess Risks
• Identify key functions
• Assess risks
• Evaluate consequences
Identify Controls and Mitigations
• Define functional requirements
• Evaluate proposed controls
• Estimate risk reduction/cost benefit
• Select mitigation strategy
Implement Controls
• Based on holistic approach
• Implement defense-in-depth
• Organize by control effectiveness
Measure Effectiveness
• Evaluate program effectiveness
• Leverage findings to improve risk management
Steps towards CI protection
(5) Establish & Exercise Emergency Plans
• Develop joint PPP plans for managing emergencies, including recovering critical functions in the event of significant incidents, including but not limited to natural disasters, terrorist attacks, technological failures or accidents.
• Create emergency response plans to mitigate damage and promote resiliency.
• Create effective emergency response plans that are generally short and highly actionable so they can be readily tested, evaluated, and implemented.
• Test and exercise emergency plans to promote trust, understanding and greater operational coordination among public and private sector organizations.
• Exercises also provide an important opportunity to identify new risk factors that can be addressed in response plans or controlled through regular risk management functions.
Steps towards CII protection
(5) Establish Public Private Partnership (PPP)
• Promote trusted relationships needed for information sharing and collaborating on difficult problems
• Leverage the unique skills of government and private sector organizations
• Provide the flexibility needed to collaboratively address today’s dynamic threat environment
Steps towards CII protection
(6) Build Security & Resiliency into Operations
• Ability to prepare for and adapt to changing conditions, and withstand and recover rapidly from disruptions
• Implement contingency frameworks that will enable critical functions to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents
Steps towards CII protection
(7) Update & Innovate Technology and Processes
• Cyber threats are constantly evolving
• All CIP stakeholders need to prepare for changes in cyber threats
• Constantly monitor trends and changes in critical function dependencies
• Keep systems patched and maintain the latest software versions
• Adopt smart & effective procedures and processes
Further Information Contact:
Dr Martin Koyabe Email: [email protected] Tel: +44 (0) 208 600 3815 (Off) +44 (0) 791 871 2490 (Mob)
Q & A Session