ITU Workshop on “ICT Security Standardization for Developing Countries”
(Geneva, Switzerland, 15-16 September 2014)

Critical telecommunication infrastructure protection in Brazil

Antonio Guimaraes / Paulo Moura
National Telecommunication Agency - Anatel, Brazil

Agenda

• Brazilian legal framework
• Anatel’s prior involvement
• Methodologies for CTIP
• SIEC project development
• Main functionalities of SIEC
• New regulations (in progress)
• Conclusions

Brazilian legal framework

• By Ordinance No. 2, of February 2008, the Cabinet of Institutional Security of the Presidency (GSI/PR) created the Technical Group on Protection of Critical Infrastructures (GTSIC);
• Critical Infrastructures are considered as facilities, services, goods and systems that, if disrupted or destroyed, would bring serious economic, political or social impacts or risks to the security of the state and society;
• GTSIC studies and proposes the implementation of measures and actions related to the security of critical infrastructure in the areas of energy, transport, water and telecommunications.

Telecommunication Infrastructure

Interministerial Ordinance No. 16, of July 2008, established the Technical Subgroup on Critical Telecommunication Infrastructure Protection (SGTSIC - Telecom), aiming to:

I. study and propose a method for identifying Critical Telecommunication Infrastructure (CTI);
II. identify the CTI in Brazil;
III. assess the vulnerabilities of the identified CTI and their interrelationships;
IV. select causes and assess the risks that may affect the security and safety of CTI;
V. propose, coordinate and monitor measures necessary for the security and safety of the CTI; and
VI. study, propose and implement a CTI information system, containing online data for decision support.

Anatel’s prior involvement

• The National Telecommunications Agency (Anatel) is part of SGTSIC - Telecom, with GSI/PR, the Ministry of Communications, other agencies and experts;
• Anatel had prior involvement in this subject, through the project “Critical Telecommunications Infrastructure Protection (CTIP)”, run by CPqD:
  • identification of CTI in the scope of the Pan-American Games (2007), aiming at security and safety planning;
  • benchmarks on CTI in the world, in order to contribute to the development of the national strategy for critical infrastructure protection and foster the creation of working groups in the sphere of the federal government;
  • development of a first information system on critical telecommunication infrastructure protection (off-line).

Methodologies for CTIP

• The CTIP model was implemented by a set of five methodologies;
• Each methodology is responsible for a specific part of the model;
• Nevertheless, they are interdependent, since the output of one could be the input of another.

SIEC project development

• As mandated by SGTSIC - Telecom, Anatel is developing a comprehensive project on CTI protection, known as “Critical Telecommunication Infrastructures Security (SIEC)”;
• The project considers the development of an information system to deal with governance, risks and conformity (GRC), as well as to carry out near real-time monitoring of key network elements, such as stations and routes;
• The system will receive data from operators’ network management systems, among other sources;
• SIEC is based on the ISO/IEC 27k and 31k series.

SIEC – system overview

[Diagram: SIEC system overview. Labels: Control Panel; Network; analysis & evaluation; data collector; treatment & control actions; topology; conformity; quality; faults; Operator's NMS; Risk questionnaires; GRC; Anatel’s legacy systems]

Main functionalities of SIEC

• SIEC offers a series of dashboard reports, with drill-down capabilities to more granular data;
• Main functions are grouped under 5 modules:
  • Analysis and evaluation: threat assessment on assets, classed by station, operator, service and location;
  • Processing and control actions: functionalities related to contingency analysis and risk mitigation plans;
  • Conformity assessment: analysis of risk questionnaires (filled by operators), according to ISO/IEC 27k and 31k;
  • Network monitoring: near real-time information on faults, interruptions, quality, capacity and traffic;
  • Control panel: graphic presentation of network elements and assets, including geographically referenced information.

Governance, risks, and conformity

Services mapped:
• fixed line phone
• mobile phone/data
• fixed broadband
• pay TV

470 Questions on:
• Energy supply
• Security
• Network
• Sharing
• Transmission
• Traffic
• Incidents

Calculation of indexes of risk by SIEC
Questionnaires (filled by operators, for each telecom station)
Identification of high risk assets
On demand reports; maps of risks, per station.

Examples of SIEC views

GRC and network monitoring

SIEC is integrated with the existing “National Centre for Remote Telecommunication Monitoring” of Anatel

New regulations (in progress)

Conclusions

• Except for some network monitoring functions, the SIEC system is already operating, with a partially populated database;
• SIEC has been extensively tested during the FIFA 2014 Soccer World Cup, with very good results;
• The SIEC system is highly scalable, with room for additions and improvements in the future, such as SIEM functions, more accurate vulnerability metrics, and broader cybersecurity coordination with SOCs and CSIRTs;
• Some of the SIEC developments could be good candidates for contributions to ITU-T SG-17.

Thank you!

Antonio Guimaraes
+556123122819 /0799020425
ateixeira@anatel.gov.br
www.anatel.gov.br