Richard Oehme, Director, Office of Information Assurance and Cybersecurity, Risk Reduction Division
Cyber security in Sweden - With focus on National Collaboration forum and Private Public Partnership
Crisis management in Sweden
• Strong autonomous authorities
• Responsibility to support
• Information sharing
• Coordinated decision making
[Figure: Other actors, County A-B, Agency A; common situational picture; coordination, information sharing, common message]
“Whoever is responsible for an activity in normal conditions shall maintain that responsibility in a crisis situation.” (Principle of responsibility)
Information Security in Sweden
Ministry of Enterprise, Energy and Communications
Ministry of Defence
Ministry of Justice
eID Delegation
Swedish Data Inspection Board (DI)
Swedish Post and Telecom Authority (PTS)
Defence Materiel Administration (FMV)
Swedish Civil Contingencies Agency (MSB)
National Defence Radio Establishment (FRA)
Swedish Security Service (SÄPO)
National Police
Swedish Armed Forces
Government agencies responsible for a sector
County councils (health care)
County administrative boards
Municipalities
Private enterprises and other organizations
The entire spectrum of threats and risks, from everyday accidents to major disasters
- Local, regional, national, EU, and international
Before, during, and after the occurrence of emergencies, disasters and accidents
Coordinating across sector and jurisdictional boundaries and levels of responsibility
The MSB will not take over the responsibility of primary stakeholders.
Mandate for MSB
Policy and direction Strategy, Action plan, Regulations, Situational assessment
Media sector preparedness Public private partnership
Response and incident management NOCF/CERT-SE, National response plan, Cyber exercises
Support for preventive IS work in organisations
• Framework for information security (recommendations and guidelines to support work in organizations, public and private)
• Critical information infrastructure – SCADA program
• Communications security (civilian)
• e-development (e-administration)
• Standardization
• Awareness raising
• Risk and vulnerability analysis
• Training and R&D
MSB’s activities in the field of information and cybersecurity
Director
Information Security Governance Section
Cybersecurity and CIIP Section
Operational Cybersecurity and IT Incident Response Section
Strategic support
Office of Information Assurance and Cybersecurity
[Figure: MSB coordination with volunteer organizations, agencies, counties, municipalities, the private sector and DoJ; labels: COP, consequence analysis, identify gap, cooperation, alert conferences, information cooperation, common picture, sitrep]
MSB Coordination role
All hazards
Defence intelligence
Intelligence information
Police information
MSB societal situational awareness
Situational awareness Stockholm
Situational awareness Karlstad
One Situational Center
- Two places
Government, Society
Digital Sit.Pic Societal Sit.Pic
National Information and Cyber Security Cooperation Function (NOS)
Information
MSB other Cyber & Info.Sec Resources
Information
Societal Sit.Pic
Cyber & Information Security Sit.Pic
It Security
Sit.Pic
National response plan
MSB International Cyber Cooperation
EGC
Transportation
Economic Security
Protection, Rescue and Care
Geographic Area Responsibility
Spreading of Toxic Substances
Technical Infrastructure
• Risk analyses • Planning • Training • R&D • Investments
The main goal of the work carried out in the co-ordination areas is to create common capabilities to prevent and manage crises.
About 30 agencies have been identified as having a special responsibility for preparedness and planning.
National “societal security coordination areas” for planning and preparedness - decided by the government
COLLABORATION – A prime key to success
PPP = Private-Public Partnership
The Information Security Council [PPP]
The Collaborative Council for Information Security (SAMFI)
Forum on Information Sharing in Industrial Information and Control Systems [PPP]
Forum on Information Sharing in Health Care Services [PPP]
Forum on Information Sharing in the Financial Sector [PPP]
The Governmental Agency Information Security Network (SNITS)
The Municipality Information Security Network (KIS)
The County Council Information Security Network (NIS)
Swedish IT Security Network for PhD Students (SWITS)
National CERT Forum
The Media Preparedness Council
National Telecommunications Coordination Group [PPP]
Forum on Information Sharing Telecom [PPP]
Gray = MSB run; Blue = MSB supported; Yellow = Post and Telecom Agency; Red = Intelligence
Intelligence and security forum
TLP - Traffic light protocol
TLP is merely a tool to be used in trusted forums
PPP - Private-Public Partnership
• The responsibility of the private sector is crucial when it comes to safety and security of the society.
• PPP is more of a method, or a combination of methods, to obtain the goals with cooperation.
• This is also most likely a voluntary agreement between the public and the private actors.
Information Exchange (IE)
• Agreed guidelines
• Regular meetings
• Demands of presence
• Personal participation (replacements are not accepted)
• Personal trust among the participants
• Information sharing at closed meetings
• Practical work in separate working groups
• Traffic Light Protocol
The Traffic Light Protocol (TLP)
The TLP is designed to improve the flow of information between individuals, organizations or communities in a controlled and trustworthy way.
RED – Personal for named recipients only. RED information is limited only to those present. In most circumstances, RED information will be passed on verbally or in person.
AMBER – Limited distribution. The recipient may share AMBER information with others within their organization or information exchange group, but only on the basis ‘need-to-know in order to take action’.
GREEN – Community wide. Information in this category can be circulated widely within a particular community. However, the information may not be published or posted on the Internet, nor released outside of the community. This circulation is restricted to a ‘need-to-know’ basis.
WHITE – Unlimited. Subject to standard copyright rules, WHITE information may be distributed freely, without restriction.
The Information Security Council
Members:
• The Swedish National Police.
• The Swedish Post and Telecom Agency.
• The Swedish Security Service.
• The Swedish National Defence Radio Establishment.
• Vattenfall AB.
• IIS (The Internet Infrastructure Foundation).
• Karlstad University.
• The Swedish Armed Forces.
• Ericsson.
• The Riksbank (Sweden’s central bank).
• Region Västra Götaland.
• The Swedish National Defence College.
• The Swedish National Debt Office.
• The Swedish Defence Materiel Administration.
• Scania AB.
The MSB Information Security Council
The MSB Information Security Council was formed in 2009 and consists of representatives from public administration and the private sector. The Council primarily assists MSB by providing:
• Information on developments and trends in the field of information security.
• Feedback on direction, priorities and execution of the agency’s work on information security.
• Quality assurance and credibility to the agency’s initiatives and projects through its composition and connections to vital societal interests and functions.
• Assistance in spreading information on the agency’s work on information security in the wider society and abroad.
The chairman of the Council is MSB’s Deputy Director General, Mr. Nils Svartz. The Council convenes four times a year, whereof one of the meetings is a study trip in Sweden or abroad.
The Collaborative Council for Information Security (SAMFI)
SAMFI – Consists of governmental agencies with specific societal information security responsibilities as identified by the government.
SAMFI’s subject areas
• Strategy, action plan and legislation
• Technical issues and standardization
• National and international development in the field of information security
• Information
• Exercises and training
• Management and prevention of IT incidents
The Council convenes six times a year. MSB sets aside resources to keep a SAMFI secretariat. The other SAMFI authorities contribute resources in accordance with the needs of the Council and their ability.
Members:
• The Swedish Civil Contingencies Agency (MSB).
• The Swedish Post and Telecom Agency (PTS).
• The Swedish National Defence Radio Establishment (FRA).
• The Swedish Security Service (Säpo) and the Swedish Criminal Investigation Service (RKP).
• The Swedish Defence Materiel Administration (FMV)/The Swedish Certification Body for IT Security (CSEC).
• The Swedish Armed Forces (FM)/The Military Intelligence and Security Service (MUST).
Information Security – Trends 2015
Seven trends
• Information security – a value to be balanced among others
• The complexity of modern IT services
• The private sphere, the Information explosion and security
• The security policy dimension of information security
• Crime in Information Societies
• The race to find the weakest link
• Robust information systems and continuity
Forum on Information Sharing in Health Care Services
Members:
• 5 county councils/regions.
• Municipalities (representative from The Municipality Information Security Network (KIS)).
• The Swedish Association of Local Authorities and Regions.
• Inera AB (An E-Health coordinator for the county councils and regions).
• The National Board of Health and Welfare.
• The Data Inspection Board.
• The Medical Products Agency.
• The National Archives.
• The Swedish eHealth Agency.
FIDI-Vård och omsorg
The Forum was formed in 2010. The aim is to support the Health Care sector in developing stronger information security, in order to advance the Swedish society’s ability to maintain well-functioning services during regular conditions as well as during times of crisis. The Forum convenes four times a year.
The Forum operates in accordance with the Information Exchange model, and any information sharing is executed in compliance with the Traffic Light Protocol. The rules of the Protocol aim to balance the need of secrecy with the advantages of information sharing.
Forum on Information Sharing in the Financial Sector
Members:
• Swedish Bankers’ Association.
• Bankgirot (A European clearing house).
• Skandiabanken (A Swedish bank).
• Euroclear Sweden AB (Sweden’s central securities depository).
• Swedbank (A Swedish bank).
• Nasdaq-OMX (The Swedish stock exchange).
• Nordnet (A Swedish Investment bank).
• The Riksbank.
• The Swedish National Debt Office.
• SEB (A Swedish bank).
• Sparbankernas Riksförbund (A Swedish trade organization of banks and trusts).
• The Swedish National Police Board, The Center for Fraud.
• Swedish National Defence Radio Establishment.
• Nordea (A Swedish bank).
• Handelsbanken (A Swedish bank).
FIDI-Finans
The Forum was formed in 2009 and aims to identify and initiate measures which may contribute to strengthening the overall security and reduce common vulnerabilities in the financial sector. The Forum convenes ten to twelve times a year. The Forum also conducts work in a number of working groups in order to evaluate and clarify issues which have been raised during Forum sessions. The Forum is tied to the Financial Sector Private-Public Collaboration Organization (FSPOS). The Forum operates in accordance with the Information Exchange model, and any information sharing is executed in compliance with the Traffic Light Protocol.
Forum on Information Sharing in TeleCom sector (PPP)
Members:
• Telia Sonera (Telecom & ISP)
• Tele2 (Telecom & ISP)
• IP-only (ISP)
• TDC (IT, Telecom, ISP)
• Telenor (Telecom & ISP)
• Netnod (Internet infrastructure organization)
• Com Hem (ISP & digital TV)
• Tre (Telecom & ISP)
• MSB/CERT-SE (National Swedish CERT)
FIDI-TELEKOM
The Forum was formed in 2015 and is a forum for information sharing regarding cyber security with the telecom sector. The member organizations use the forum for sharing of operative technical information and threat assessments as well as for discussion on more strategic matters. The Forum convenes four times a year for a full day meeting. MSB serves as its Chair.
The Forum operates in accordance with the Information Exchange model, and any information sharing is executed in compliance with the Traffic Light Protocol.
The Swedish CERT Forum
SCF is a technical forum where a number of Swedish CERT (Computer Emergency Response Team) organizations take part.
The Forum shares technical information, members inform each other on tools and trends and discussions are held on approaches to current IT security related events and incidents.
The Forum enables quick, established and simple common means of communication between the member organizations when major events with society wide implications occur.
The Forum convenes three to four times a year for a full day meeting. MSB/CERT-SE acts as the convener for the meetings.
Members:
• CERT-SE.
• FM-CERT (The CERT-function of the Swedish Armed Forces).
• Sunet-CERT (The CERT for the Swedish university nets).
• TS-CERT (The CERT for the telecom company TeliaSonera).
• Basefarm-CERT (The CERT for a major Swedish IT services provider).
• Handelsbanken IRT (The Incident Response Team of the Swedish bank Handelsbanken).
• Swedbank SIRT (Swedbank Security Incident Response Team).
The Media Preparedness Council
The Media Preparedness Council was formed in the nineteen fifties. The council consists of both producing and distributing media companies and participation takes place on a purely voluntary basis.
A continuous dialogue is held on the security, preparedness, crisis management ability and collaboration in and between the Swedish media companies.
The overall goal of the Council is to ensure that media companies are able to disseminate news, community information and Emergency Population Warnings (VMA) in times of crisis and in war.
The council convenes four times a year and it is chaired by the MSB Director General, Helena Lindberg.
Members:
• Canal Digital AB (Cable network provider).
• Com Hem (Cable network and broadband provider).
• Radiobranschen (Swedish media trade organization).
• Radio Sweden (Sweden’s public radio).
• Sveriges Television (Sweden’s public TV network).
• Teracom (Technical infrastructure provider).
• Tidningarnas Telegrambyrå (Swedish news agency).
• Tidningsutgivarna (Swedish media trade organization).
• TV4 (TV network provider).
• Post and Telecom Agency (PTS).
• Viasat (TV network provider).
Risks, threats and vulnerabilities in the media industry 2011
• 60 percent of media companies hold regular exercises and have prepared their operations for relocation to another site in a crisis.
• Two thirds of media companies have appointed a dedicated crisis management organization and carried out overall risk analyses of their operations.
• Threats directed at the whole company or at individuals are more common today than four years ago.
• The most likely threat is disruption of electronic communications.
• What would have the greatest consequences is a major fire, information security incidents, power outages and disruption of electronic communications.
• The share that have backup power generators to run the most important parts of their operations during a major power outage has increased from just over 40 percent in 2007 to nearly 60 percent in 2011.
The SWITS Research Network
SWITS (Swedish IT Security Network for PhD Students) is a Swedish network for PhD students studying in fields related to IT security.
The network, which was formed in 2001, consists of scientists and research groups in IT security from several Swedish universities and colleges. The work of the Forum is financed by MSB but coordinated and supported by Karlstad University.
The Network hosts an annual seminar where current research is presented and research methodology in IT security is discussed.
The purpose is to:
• Strengthen the collaboration between PhD students and leading institutions and laboratories.
• Identify study materials and make them available for participating institutions.
• Identify relevant and interesting research courses and seminars at Swedish universities and colleges and make them available for PhD students in the network.
• Participate in organizing IT courses at international research institutions and summer schools and provide opportunities for PhD students in the network to participate.
• Arrange guest lectures with external experts.
Awareness Raising
External monitoring and information sharing
Analysis & Information Sharing
Technical Platform
National & International Cooperation
Industrial Control Systems Security Program
Forum on Information Sharing in SCADA Systems
Members:
• Stockholm Vatten AB (The Stockholm Water Company).
• VA Syd (Regional water and sewage in south west Skåne).
• SL (Greater Stockholm Local Transport Company).
• Vattenfall AB (A major Swedish energy company).
• Fortum AB (A major Swedish energy company).
• Eon (A major Swedish-German energy company).
• The Swedish Security Services.
• Svenska Kraftnät (The Swedish National Grid).
• The Swedish Transport Administration.
• Preem AB (A major Swedish energy company).
FIDI-SCADA
The Forum was formed in 2005 and its activities are aimed at strengthening the SCADA related information security of its member organizations. SCADA stands for Supervisory Control and Data Acquisition and revolves around IT systems which control physical processes such as electricity production, water sanitation and purification or transport systems. The Forum convenes four times a year for a full day meeting. MSB serves as its Chair.
The Forum operates in accordance with the Information Exchange model, and any information sharing is executed in compliance with the Traffic Light Protocol.
NCS3 National Centre for Security in Industrial Control Systems
• History: Started in 2007 as a cooperation between MSB and the Swedish Defence Research Agency.
• Vision: To be the national arena where experiments, exercises and technical studies are carried out to increase security in industrial control systems used in critical infrastructure.
• Long term goal: To increase the security in industrial control systems and thereby increase the national ability to prevent and handle interruptions in critical infrastructure.
Information security research at FOI
• Combining technical, system, and social aspects
• Main customers
  • Swedish Civil Contingencies Agency
  • Swedish Armed Forces
  • EU 7th Framework Programme
  • Swedish Defence Materiel Administration
• Research areas
  • Secure information sharing in coalitions
  • Data-centric security
  • Methods for information risk management
  • Information security culture
  • Cyber defence of information systems and critical infrastructure
  • Large-scale technical cyber defence exercises
  • Vulnerability and forensic analysis (malware, file carving)
Context
• Stakeholders:
  • Actors that own and operate critical infrastructure
  • Supervisory and sector-related authorities
  • Authorities participating in the Swedish national information security community SAMFI
• Activities:
  • Training and courses
  • Demonstrators
  • Technical studies
  • Strategic studies
NCS3 (Cont.)
Activities
• Training
  • Awareness – demos and demonstrators
  • Knowledge (OT)
  • Ability (IT/OT/Management)
• Demonstrators – Cyber range
• Technical studies
  • Application Whitelisting
  • Siemens S7
  • VLAN
  • GNSS
• Strategic studies
  • Smart structures
  • Water purification plants
CRATE
• CRATE is a Cyber Range And Training Environment hosted by the Swedish Defence Research Agency (FOI) and financed by the Swedish Civil Contingencies Agency and the Swedish Armed Forces.
• Established 2008
• Used for courses and exercises
• CRATE makes it possible to simulate “a cyber environment”
– Computer cluster with physical servers (≈ 400)
– A library of templates for virtual machines
– Deploy and configure VMs (3000+)
– Host based traffic generators emulating user behaviour
– Internet BGP routing
Example of demonstrators
Cyber security courses
• Courses with practical components are held in CRATE on a regular basis.
• Designed to teach practitioners a tool or technique, such as vulnerability scanning.
• Commonly used to train both IT-security professionals and novices.
Cyber security courses - SCADA
Nordic National CERT Cooperation
Nordic National CERT Exercise 2015
UN Climate Summit 2015
Scenario
Overarching Concept
msb.se
krisinformation.se
dinsakerhet.se
sakerhetspolitik.se
informationssakerhet.se
cert.se