Critical Information Infrastructure Protection: A Commonwealth Perspective
Geneva, Switzerland, 15-16 September 2014
Dr Martin Koyabe, Head of Research & Consultancy, Commonwealth Telecommunications Organisation (CTO)
E-mail: [email protected]
ITU Workshop on ICT Security Standardization for Developing Countries
Slide 2
Acknowledgement
Slide 3
Commonwealth Telecommunications Organisation | www.cto.int
Understanding CIIP
- General definition
- Critical Resources
- Critical Infrastructure
- Critical Information Infrastructure
- Interdependencies
Slide 4
Critical Resources
[Images: Water, Energy, Forests]
Defined by some national governments to include:
- Natural & environmental resources (water, energy, forests etc.)
- National monuments & icons, recognised nationally & internationally
Slide 5
Critical Infrastructure (1/3)
[Images: Airports, Power Grid, Roads]
Defined by some national governments to include:
- A nation's public works, e.g. bridges, roads, airports, dams etc.
- Increasingly includes telecommunications, in particular major national and international switches and connections
Slide 6
Critical Infrastructure (2/3)
"The assets, systems, and networks, whether physical or virtual, so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof." Source: US Homeland Security
"The Critical National Infrastructure (CNI) comprises those assets, services and systems that support the economic, political and social life of the UK whose importance is such that loss could either: cause large-scale loss of life; have a serious impact on the national economy; have other grave social consequences for the community; or be of immediate concern to the national government." Source: UK Centre for the Protection of National Infrastructure (CPNI)
"An asset or system which is essential for the maintenance of vital societal functions. The damage to a critical infrastructure, its destruction or disruption by natural disasters, terrorism, criminal activity or malicious behaviour, may have a significant negative impact for the security of the EU and the well-being of its citizens." Source: European Union (EU)
Slide 7
Critical Infrastructure (3/3)
"Those physical facilities, supply chains, information technologies and communication networks which, if destroyed, degraded or rendered unavailable for an extended period, would significantly impact on the social or economic wellbeing of the nation or affect Australia's ability to conduct national defence and ensure national security." Source: The Australian, State & Territory Governments
"Processes, systems, facilities, technologies, networks, assets and services essential to the health, safety, security or economic well-being of Canadians and the effective functioning of government. Critical infrastructure can be stand-alone or interconnected and interdependent within and across provinces, territories and national borders. Disruptions of critical infrastructure could result in catastrophic loss of life, adverse economic effects, and significant harm to public confidence." Source: Government of Canada
"Those facilities, systems, or functions, whose incapacity or destruction would cause a debilitating impact on national security, governance, economy and social well-being of a nation." Source: National Critical Information Infrastructure Protection Centre (NCIIPC)
Slide 8
Critical Infrastructure Sub-Sectors
- e.g. Germany distinguishes technical basic infrastructure from socio-economic services infrastructure
Slide 9
What about the 53 Commonwealth member countries?
Do they have a national critical infrastructure initiative or strategy?
Slide 10
Critical Information Infrastructure (1/2)
CII definition: "Communications and/or information service whose availability, reliability and resilience are essential to the functioning of a modern economy, security, and other essential social values." Source: Rueschlikon Conference on Information Policy Report, 2005
Slide 11
Critical Information Infrastructure (2/2)
[Diagram]
- Critical Infrastructures: Telecoms, Energy, Transportation, Finance/Banking, Government Services, Large Enterprises, End-users
- Critical Information Infrastructure: cross-cutting ICT interdependencies among all sectors
- Cyber security: practices and procedures that enable the secure use and operation of cyber tools and technologies
- Essential IT Systems / Non-essential IT Systems
Slide 12
Critical Information Infrastructure Protection (CIIP)
- Widespread use of the Internet has transformed stand-alone systems and predominantly closed networks into a virtually seamless fabric of interconnectivity.
- ICT or information infrastructure enables large-scale processes throughout the economy, facilitating complex interactions among systems across global networks; and many of the critical services that are essential to the well-being of the economy are increasingly becoming dependent on IT.
Slide 13
Critical Information Infrastructure Protection (CIIP) Today
- Focuses on protection of IT systems and assets
  - Telecoms, computers/software, Internet, interconnections & network services
- Ensures Confidentiality, Integrity and Availability
  - Required 24/7 (365 days)
  - Part of the daily modern economy and the existence of any country
Slide 14
CII Attack Scenarios
[Diagram: Telecoms, Health Services, Cloud Services, Finance/Banking, eGovernment]
- Critical Information Infrastructure (CII): cross-cutting ICT interdependencies among all sectors
Scenarios:
- Natural disaster, power outage, or hardware failure
- Resource exhaustion (due to DDoS attack)
- Cyber attack (due to a software flaw)
Slide 15
Future CII Attack Vectors: Expanding Infrastructures
- Fiber optic connectivity
  - TEAMS/SEACOM/EASSy/LION/ACE
- Mobile phones, mobile/wireless networks
  - Asia-Pacific accounts for 55% of ALL mobile phones in the world (2.2 billion)
  - SIM card fraud
- Existence of failed states
- Cyber warfare platforms
  - Doesn't need troops or military hardware
- Social networks: gold mine for social engineering
  - Hacktivism creates fear, uncertainty & doubt
- Cloud computing: increased dependency
  - Attacks on cloud services have high impact
Slide 16
Desired Global Trends Towards CIIP
- Increased awareness of CIIP & cyber security
  - Countries are aware that risks to CIIP need to be managed, whether at national, regional or international level
- Cyber security & CIIP becoming essential tools for supporting national security & socio-economic well-being
- At national level: increased need to share responsibilities & co-ordination
  - Among stakeholders in prevention, preparation, response & recovery
- At regional & international level: increased need for co-operation & co-ordination with partners
  - In order to formulate and implement effective CIIP frameworks
Slide 17
Challenges for Developing Countries
#1: Cost and lack of (limited) financial investment
- Funds required to establish a CIIP strategic framework can be a hindrance
- Limited human & institutional resources
[Chart] Source: GDP listed by IMF (2013)
Slide 18
Challenges for Developing Countries
#2: Technical complexity in deploying CIIP
- Need to understand dependencies & interdependencies
  - Especially vulnerabilities & how they cascade
[Diagram of interdependencies]
- Powerplants, regional power grid, regional power supply
- Private D2D links, private datacenters, banks & trading
- Public administration, public datacenters, eGovernment (online services, cloud computing)
- Telco sites, switch areas, interconnections; public eComms (regional network, cables, wires, trunks)
- Public transport
- Emergency care (police, firefighters, ambulances), emergency calls
Availability tiers: 99.9% (8 hr outages are disastrous); 99% (3-day outages are disastrous); 90% (30-day outages are disastrous)
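The cascade that the slide asks planners to understand can be explored with a small dependency model. The following Python is an added example, not code from the CTO deck: it treats sectors as nodes in a directed dependency graph, gives each node an outage tolerance taken from the slide's three availability tiers (8 hours, 3 days, 30 days), and propagates an outage of a given duration downstream to see which sectors cross their "disastrous" threshold. Only the three tolerance values come from the slide; the sector-to-tier mapping and the dependency edges are assumptions made for the example.

```python
"""
Added example (not part of the CTO slides): a small dependency-cascade model.

Sectors are nodes in a directed graph; an edge (A, B) means B depends on A.
Each node carries an outage tolerance in hours taken from the slide's three
availability tiers (99.9% = 8 h, 99% = 3 days, 90% = 30 days). The mapping of
sectors to tiers and the dependency edges below are ASSUMPTIONS for the
example, not data from the slides.
"""
from collections import deque

HOURS_PER_DAY = 24

# Tolerance before an outage becomes "disastrous", per the slide's tiers.
TIER_TOLERANCE_H = {
    "99.9%": 8,
    "99%": 3 * HOURS_PER_DAY,
    "90%": 30 * HOURS_PER_DAY,
}

# Assumed tier per sector (the slide lists sectors but does not say which
# tier each one falls into).
SECTOR_TIER = {
    "power_plants": "99%",
    "regional_power_grid": "99%",
    "telco_sites": "99.9%",
    "public_ecomms": "99.9%",
    "private_datacenters": "99.9%",
    "banks_trading": "99%",
    "public_datacenters": "99%",
    "egovernment": "90%",
    "emergency_calls": "99.9%",
    "public_transport": "90%",
}

# Assumed dependency edges: (upstream, downstream) means downstream needs upstream.
DEPENDENCIES = [
    ("power_plants", "regional_power_grid"),
    ("regional_power_grid", "telco_sites"),
    ("regional_power_grid", "private_datacenters"),
    ("regional_power_grid", "public_datacenters"),
    ("regional_power_grid", "public_transport"),
    ("telco_sites", "public_ecomms"),
    ("public_ecomms", "banks_trading"),
    ("public_ecomms", "emergency_calls"),
    ("private_datacenters", "banks_trading"),
    ("public_datacenters", "egovernment"),
    ("public_ecomms", "egovernment"),
]


def build_graph(edges):
    """Map each upstream sector to the list of sectors that depend on it."""
    graph = {name: [] for name in SECTOR_TIER}
    for upstream, downstream in edges:
        graph[upstream].append(downstream)
    return graph


def cascade(initial_outage, duration_h, graph=None, tiers=None):
    """Propagate an outage of `duration_h` hours starting at `initial_outage`.

    Simplifying assumption: a dependent sector is down for the same duration
    as its upstream. Returns a dict mapping every affected sector to whether
    the outage exceeds that sector's tolerance (True = disastrous).
    """
    graph = graph or build_graph(DEPENDENCIES)
    tiers = tiers or SECTOR_TIER
    affected = {}
    queue = deque([initial_outage])
    while queue:  # breadth-first walk downstream
        sector = queue.popleft()
        if sector in affected:
            continue  # already visited; the graph may contain diamonds
        tolerance = TIER_TOLERANCE_H[tiers[sector]]
        affected[sector] = duration_h > tolerance
        queue.extend(graph.get(sector, []))
    return affected


def disastrous_sectors(initial_outage, duration_h):
    """Sorted list of sectors for which the cascaded outage is disastrous."""
    result = cascade(initial_outage, duration_h)
    return sorted(s for s, bad in result.items() if bad)


if __name__ == "__main__":
    for hours in (4, 12, 4 * HOURS_PER_DAY):
        print(f"{hours:4d} h grid outage ->", disastrous_sectors("regional_power_grid", hours))
```

Running the block shows the point of the slide: a 4-hour grid outage is tolerated everywhere, a 12-hour one is already disastrous for the four 99.9%-tier sectors downstream of the grid, and a 4-day one also breaks the 99%-tier sectors, while power plants upstream of the grid are never affected. Replacing the assumed tables with a country's real sector inventory turns the same walk into a first-pass prioritisation tool.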
Slide 19
Challenges for Developing Countries
#3: Identify & prioritise critical functions
- Interdependencies: understand requirements & complexity
- Understand the critical functions, infrastructure elements, and key resources necessary for:
  - Delivering essential services
  - Maintaining the orderly operation of the economy
  - Ensuring public safety
Slide 20
Challenges for Developing Countries
#4: Need for Cybersecurity education & culture re-think
- Create awareness of the importance of Cybersecurity & CIIP
  - By sharing information on what works & successful best practices
- Creating a Cybersecurity culture can promote trust & confidence
  - It will stimulate secure usage and ensure protection of data and privacy
Slide 21
Challenges for Developing Countries
#5: Lack of relevant CII strategies, policies & legal framework
- Needs Cybercrime legislation & enforcement mechanisms
- Set up policies to encourage co-operation among stakeholders
  - Especially through Public-Private Partnerships (PPP)
#6: Lack of information sharing & knowledge transfer
- It is important at ALL levels: national, regional & international
- Necessary for developing trust relationships among stakeholders
  - Including CERT teams
Slide 22
Commonwealth Approach to Cybergovernance
Slide 23
Why a Commonwealth Model
- Contrasting views are emerging across the world on governing Cyberspace
- Harmonisation is critical to facilitate growth and to realise the full potential of Cyberspace
- The Commonwealth family subscribes to common values and principles which are equally applicable to Cyberspace
- CTO is the Commonwealth agency mandated in ICTs
- The project was launched at the 53rd council meeting of the CTO in Abuja, Nigeria (9 October 2013)
- Wide consultations with stakeholders
- Adopted at the Commonwealth ICT Ministers Forum on 3-4 March 2014 in London
Slide 24
Objectives
The Cybergovernance Model aims to guide Commonwealth members in:
- Developing policies, legislation and regulations
- Planning and implementing practical technical measures
- Fostering cross-border collaboration
- Building capacity
Slide 25
Commonwealth Values in Cyberspace
- Based on the Commonwealth Charter of March 2013: democracy, human rights and rule of law
- The Charter expressed the commitment of member states to:
  - The development of free and democratic societies
  - The promotion of peace and prosperity to improve the lives of all peoples
  - Acknowledging the role of civil society in supporting Commonwealth activities
- Cyberspace today and tomorrow should respect and reflect the Commonwealth Values
- This has led to defining Commonwealth principles for use of Cyberspace
Slide 26
Commonwealth Principles for use of Cyberspace
Principle 1: We contribute to a safe and an effective global Cyberspace
- as a partnership between public and private sectors, civil society and users, a collective creation;
- with multi-stakeholder, transparent and collaborative governance promoting continuous development of Cyberspace;
- where investment in Cyberspace is encouraged and rewarded;
- by providing sufficient neutrality of the network as a provider of information services;
- by offering stability in the provision of reliable and resilient information services;
- by having standardisation to achieve global interoperability;
- by enabling all to participate with equal opportunity of universal access;
- as an open, distributed, interconnected internet;
- providing an environment that is safe for its users, particularly the young and vulnerable;
- made available to users at an affordable price.
Slide 27
Commonwealth Principles for use of Cyberspace
Principle 2: Our actions in Cyberspace support broader economic and social development
- by enabling innovation and sustainable development, creating greater coherence and synergy, through collaboration and the widespread dissemination of knowledge;
- respecting cultural and linguistic diversity without the imposition of beliefs;
- promoting cross-border delivery of services and free flow of labour in a multi-lateral trading system;
- allowing free association and interaction between individuals across borders;
- supporting and enhancing digital literacy;
- providing everyone with information that promotes and protects their rights and is relevant to their interests, for example to support transparent and accountable government;
- enabling and promoting multi-stakeholder partnerships;
- facilitating pan-Commonwealth consultations and international linkages in a single globally connected space that also serves local interests.
Slide 28
Commonwealth Principles for use of Cyberspace
Principle 3: We act individually and collectively to tackle cybercrime
- nations, organisations and society work together to foster respect for the law;
- to develop relevant and proportionate laws to tackle Cybercrime effectively;
- to protect our critical national and shared infrastructures;
- meeting internationally-recognised standards and good practice to deliver security;
- with effective government structures working collaboratively within and between states;
- with governments, relevant international organisations and the private sector working closely to prevent and respond to incidents.
Slide 29
Commonwealth Principles for use of Cyberspace
Principle 4: We each exercise our rights and meet our responsibilities in Cyberspace
- we defend in Cyberspace the values of human rights, freedom of expression and privacy as stated in our Charter of the Commonwealth;
- individuals, organisations and nations are empowered through their access to knowledge;
- users benefit from the fruits of their labours; intellectual property is protected accordingly;
- users can benefit from the commercial value of their own information; accordingly, responsibility and liability for information lies with those who create it;
- responsible behaviour demands that all users meet minimum Cyberhygiene requirements;
- we protect the vulnerable in society in their use of Cyberspace;
- we, individually and collectively, understand the consequences of our actions and our responsibility to cooperate to make the shared environment safe;
- our obligation is in direct proportion to culpability and capability.
Slide 30
Commonwealth Approach for Developing National Cybersecurity
Strategies
Slide 31
Development of a National Cybersecurity Strategy
- Need support from the highest levels of government
- Adopt a multi-stakeholder partnership (private sector, public sector & civil society)
- Draw on the expertise of the international community
- Appoint a lead organisation or institution
- Be realistic and sympathetic to the commercial considerations of the private sector
- Add mechanisms to monitor & validate implementation
Slide 32
Main Elements of a Cybersecurity Strategy
- Introduction and background
- Guiding principles
- Vision and strategic goals
- Specific objectives
- Stakeholders
- Strategy implementation
Slide 33
Introduction & Background
- Focuses on the broad context
- Sets out the importance of Cybersecurity to national development
- Assesses the current state of Cybersecurity and its challenges

Strategy component: 1. Introduction / background
Aspects to consider: This section provides a succinct background of the country's circumstances and the status of its Cybersecurity. Explain the importance of Cybersecurity to economic and social development. Describe the use of Cyberspace and the nature of Cybersecurity challenges to justify the need for the Cybersecurity strategy. Explain the relationship to existing national strategies and initiatives.
Example text from published strategies and best practice: Uganda's introduction covers: the definition of information security; the justification for a strategy; country analysis of the current state of the information security framework; strategy guiding principles; vision, mission, strategic objectives. Note that this example covers the first three sections in this framework.
Slide 34
Guiding Principles (1/2)
- Based on Commonwealth Cybergovernance principles
- Balance security goals & privacy/protection of civil liberties
- Risk-based (threats, vulnerabilities, and consequences)
- Outcome-focused (rather than the means to achieve it)
- Prioritised (graduated approach focusing on critical issues)
- Practicable (optimise for the largest possible group)
- Globally relevant (harmonised with international standards)
Slide 35
Guiding Principles (2/2)
Strategy component: 2. Guiding principles
Aspects to consider: This section identifies the guiding principles for addressing Cybersecurity within which the strategy is designed and delivered. Build from the principles of the Commonwealth Cybergovernance model. Include any relevant national principles. Describe the delivery principles that guide the design of the goals, vision and objectives.
Example text from published strategies and best practice: In addition to the Commonwealth Cybergovernance principles and national principles, the following delivery principles are recommended:
- Risk-based. Assess risk by identifying threats, vulnerabilities, and consequences, then manage the risk through mitigations, controls, costs, and similar measures.
- Outcome-focused. Focus on the desired end state rather than prescribing the means to achieve it, and measure progress towards that end state.
- Prioritised. Adopt a graduated approach and focus on what is critical, recognising that the impact of disruption or failure is not uniform among assets or sectors.
- Practicable. Optimise for adoption by the largest possible group of critical assets and realistic implementation across the broadest range of critical sectors.
- Globally relevant. Integrate international standards to the maximum extent possible, keeping the goal of harmonisation in mind wherever possible.
Slide 36
Visions & Strategic Goals
- Promote economic development
- Provide national leadership
- Tackle cybercrime
- Strengthen the critical infrastructure
- Raise and maintain awareness
- Achieve shared responsibility
- Defend the value of human rights
- Develop national and international partnerships
Slide 37
Visions & Strategic Goals
Strategy component: 3. Strategic goals and vision
Aspects to consider: This section defines what success looks like in broad summary terms and reflects the country's priorities. Make a clear statement of the country's commitment to protecting the use of its Cyberspace. Emphasise the breadth of the use of Cyberspace, covering social and economic activity. Include text that can be quoted as part of the communication with wider stakeholders, e.g. a vision statement.
Example text from published strategies and best practice:
Australia's vision: "The maintenance of a secure, resilient and trusted electronic operating environment that supports Australia's national security and maximises the benefits of the digital economy."
Three pillars of the Australian strategy:
- All Australians are aware of cyber risks, secure their computers and take steps to protect their identities, privacy and finances online;
- Australian businesses operate secure and resilient information and communications technologies to protect the integrity of their own operations and the identity and privacy of their customers;
- The Australian Government ensures its information and communications technologies are secure and resilient.
Four pillars of the UK strategy:
- Tackle cybercrime and be one of the most secure places in the world to do business in cyberspace;
- To be more resilient to cyber attacks and better able to protect our interests in cyberspace;
- To have helped shape an open, stable and vibrant cyberspace which the UK public can use safely and that supports open societies;
- To have the cross-cutting knowledge, skills and capability it needs to underpin all our Cybersecurity objectives.
Slide 38
Specific Objectives
- Provide a national governance framework for securing Cyberspace
- Enhance the nation's preparedness to respond to the challenges of Cyberspace
- Strengthening Cyberspace and national critical infrastructure
- Securing national ICT systems to attract international businesses
- Building a secure, resilient and reliable Cyberspace
- Building relevant national and international partnerships and putting effective political-strategic measures in place to promote Cyber safety
- Developing a culture of Cybersecurity awareness among citizens
- Promoting a culture of self-protection among businesses and citizens
- Creating a secure Cyber environment for protection of businesses and individuals
- Building skills and capabilities needed to address Cybercrime
- Becoming a world leader in Cybercrime-preparedness and Cybercrime-defence
Slide 39
Specific Objectives
Strategy component: 4. Risk management (risk-based approach objectives): how the risk management process works, and then setting objectives and priorities
Aspects to consider: This section describes how risk management is performed and provides a top-level analysis. It states specific and tangible targets and assigns relative priorities. How risk management is currently performed, for example for national security. Sources of threat information and of major vulnerabilities. How granular to make the outcomes and objectives. How frequently to repeat the risk assessment process.
Example text from published strategies and best practice (Source: Microsoft's guidance, listed in appendix 3):
- A clear structure for assessing and managing risk
- Understand national threats and major vulnerabilities
- Document and review risk acceptance and exceptions
- Set clear security priorities consistent with the principles
- Make national cyber risk assessment an on-going process
Slide 40
Stakeholders
[Diagram legend: Shared / Private / Government]
- CIP Coordinator (Executive Sponsor)
- Law Enforcement
- Sector Specific Agency
- Computer Emergency Response Team (CERT)
- Public Private Partnership
- International Organisations
- Infrastructure owners and operators
- IT vendors and solution providers
Slide 41
Specific Objectives
Strategy component: 4. Stakeholders
Aspects to consider: This section identifies key participants in the development and delivery of the strategy. Roles and responsibilities should be clearly defined using RACI terminology (see appendix 5). Identify all relevant key stakeholders, taking into consideration country objectives and focus areas. Identify key international stakeholders and partners that could contribute effectively. Draw stakeholders from governmental and non-governmental organisations, civil societies, academia, and public and private sectors of the economy. Should include, but not be limited to, software and equipment vendors, owners and operators of CII, law enforcement institutions etc.
Example text from published strategies and best practice: In constructing the list of stakeholders, the following constituencies should be considered:
- ministers and other politicians;
- government departments concerned with ICT, telecommunications and information security;
- private sector organisations that provide ICT services;
- government departments whose responsibilities rely upon or who engage with Cyberspace, including most economic activity, trade, tourism, law enforcement;
- providers of the critical national infrastructure whose vital communications are increasingly carried across the internet;
- companies across the economy that rely upon Cyberspace, often represented by trade associations;
- representatives of civil society, often in the form of groups that reflect broad public opinion and can advise on the best way to achieve outcomes involving the public;
- civil society organisations that represent particular parts of society or interest groups and can explain, for example, the needs of the young, of women, of rural communities and of the vulnerable;
- experts who understand how Cyberspace works, from a technical perspective, to ensure that government strategies are practical;
- academia, who can advise on R&D, international best practice, emerging issues;
- international bodies such as the Commonwealth Telecommunications Organisation;
- other countries, particularly regional countries.
Slide 42
Strategy Implementation
- Governance and management structure
- Legal and regulatory framework
- Capacity development
- Awareness and outreach programmes
- Incident response
- Incentivise commercial competitors to cooperate
- Create national CERTs (include sector-based CERTs)
- Stakeholder collaboration
- Research and development
- Monitoring and evaluation
Slide 44
What Next? Upcoming CTO CIIP Workshops
[Map]
- Accra, Ghana: Jan-Feb 2015
- Nairobi, Kenya: Nov 2014
- Colombo, Sri Lanka / Dhaka, Bangladesh: Aug-Sep 2014
- Port Vila, Vanuatu: Sep-Oct 2014
Legend: Successfully completed / Scheduled to take place / To be confirmed
Slide 45
Further Information
Contact: Dr Martin Koyabe
Email: [email protected]
Tel: +44 (0) 208 600 3815 (Off), +44 (0) 791 871 2490 (Mob)
Q & A Session