A Commonwealth Perspective Critical Information Infrastructure Protection ITU Workshop on for Developing Countries

advertisement
ITU Workshop on “ICT Security Standardization
for Developing Countries”
Critical Information Infrastructure Protection
A Commonwealth Perspective
Geneva, Switzerland
15-16th September 2014
Dr Martin Koyabe
Head of Research & Consultancy
Commonwealth Telecommunications Organization (CTO)
E-mail: m.koyabe@cto.int
Acknowledgement
Understanding CIIP
• Critical Resources
• Critical Infrastructure
• Critical Information
Infrastructure
© Commonwealth Telecommunications Organisation | www.cto.int
Interdependencies
General definition
Critical Resources
Water
Energy
Forests
Defined by some national governments to include:• Natural & environmental resources (water, energy, forests etc)
• National monuments & icons, recognized nationally & internationally
© Commonwealth Telecommunications Organisation | www.cto.int
4
Critical Infrastructure (1/3)
Airports
Power Grid
Roads
Defined by some national governments to include:• Nation’s public works, e.g. bridges, roads, airports, dams etc
• Increasingly includes telecommunications, in particular major
national and international switches and connections
© Commonwealth Telecommunications Organisation | www.cto.int
5
Critical Infrastructure (2/3)
“ the assets, systems, and networks, whether physical or virtual, so vital to the United States
that their incapacitation or destruction would have a debilitating effect on security, national
economic security, national public health or safety, or any combination thereof.”
Source: US Homeland Security
“ the (CNI) comprises those assets, services and systems that support the economic, political
and social life of the UK whose importance is such that loss could either, cause large-scale
loss of life; have a serious impact on the national economy; have other grave social
consequences for the community; or be of immediate concern to the national government.”
Source: UK Centre for the Protection of National Infrastructure (CPNI)
“ an asset or system which is essential for the maintenance of vital societal functions. The
damage to a critical infrastructure, its destruction or disruption by natural disasters,
terrorism, criminal activity or malicious behaviour, may have a significant negative impact for
the security of the EU and the well-being of its citizens.”
Source: European Union (EU)
© Commonwealth Telecommunications Organisation | www.cto.int
6
Critical Infrastructure (3/3)
“ those physical facilities, supply chains, information technologies and communication
networks which, if destroyed, degraded or rendered unavailable for an extended period,
would significantly impact on the social or economic wellbeing of the nation or affect
Australia’s ability to conduct national defense and ensure national security.”
Source: The Australian, State & Territory Government
“ processes, systems, facilities, technologies, networks, assets and services essential to the
health, safety, security or economic well-being of Canadians and the effective functioning of
government. Critical infrastructure can be stand-alone or interconnected and interdependent
within and across provinces, territories and national borders. Disruptions of critical
infrastructure could result in catastrophic loss of life, adverse economic effects, and
Significant harm to public confidence.
Source: Government of Canada
“those facilities, systems, or functions, whose incapacity or destruction would cause a
debilitating impact on national security, governance, economy and social well-being of a
nation”
Source: National Critical Information Infrastructure Protection Centre (NCIIPC)
© Commonwealth Telecommunications Organisation | www.cto.int
7
Critical Infrastructure Sub-Sectors
e.g. Germany has technical basic & social-economic services
infrastructure
© Commonwealth Telecommunications Organisation | www.cto.int
8
What about the 53 commonwealth member countries?
Do they have a national critical infrastructure
initiative or strategy?
© Commonwealth Telecommunications Organisation | www.cto.int
9
Critical Information Infrastructure (1/2)
CII definition:-
“ Communications and/or information service whose
availability, reliability and resilience are essential to
the functioning of a modern economy, security, and
other essential social values.”
Rueschlikon Conference on Information Policy Report, 2005
© Commonwealth Telecommunications Organisation | www.cto.int
10
Critical Infrastructures
Critical Information Infrastructure (2/2)
Critical Information Infrastructure
Energy
Cross-cutting ICT interdependencies among
all sectors
Transportation
Telecoms
Non-essential IT Systems
Finance/Banking
Government Services
Essential IT Systems
Cyber security
Large Enterprises
Practices and procedures that enable the
secure use and operation of cyber tools
and technologies
End-users
© Commonwealth Telecommunications Organisation | www.cto.int
11
Critical Information Infrastructure Protection (CIIP)
•
Widespread use of Internet has transformed stand-alone systems and
predominantly closed networks into a virtually seamless fabric of
interconnectivity.
•
ICT or Information infrastructure enables large scale processes
throughout the economy, facilitating complex interactions among systems
across global networks.
•
ICT or Information infrastructure enables large scale processes
throughout the economy, facilitating complex interactions among systems
across global networks; and many of the critical services that are
essential to the well-being of the economy are increasingly becoming
dependent on IT.
© Commonwealth Telecommunications Organisation | www.cto.int
12
Critical Information Infrastructure Protection (CIIP)
• Today Critical Information Infrastructure Protection (CIIP)
– Focuses on protection of IT systems and assets
o Telecoms, computers/software, Internet, interconnections & networks services
– Ensures Confidentiality, Integrity and Availability
o Required 27/4 (365 days)
o Part of the daily modern economy and the existence of any country
Power
Grid
Water
Supply
National
Defence
Telecom
Network
National
Defence
© Commonwealth Telecommunications Organisation | www.cto.int
Public
Health
Law
Enforcement
CII Attack Scenarios
Health Services
Cloud Services
Telecoms
Finance/Banking
eGovernment
Natural disaster,
power outage, or
hardware failure
Resource
exhaustion (due
to DDoS attack)
Critical Information Infrastructure (CII)
Cross-cutting ICT interdependencies among all sectors
© Commonwealth Telecommunications Organisation | www.cto.int
Cyber attack
(due to a
software flaw)
Future CII Attack Vectors
•
Expanding Infrastructures
– Fiber optic connectivity
o
•
TEAMS/SEACOM/EASSy/LION/ACE
Mobile phones
– Mobile/Wireless Networks
o Asia-Pacific – accounts for 55% of ALL
mobile phones in the world (2.2 billion)
– SIM card fraud
•
Existence of failed states
– Cyber warfare platforms
o Doesn’t need troops or military hardware
•
Social Networks
– “Gold mine” for social engineering
o Hactivism creates fear, uncertainty & doubt
•
Cloud Computing
– Increased dependency
– Attacks on cloud services have high impact
© Commonwealth Telecommunications Organisation | www.cto.int
Desired global trends towards CIIP
• Increased awareness for CIIP & cyber security
– Countries aware that risks to CIIP need to be managed
o Whether at National, Regional or International level
• Cyber security & CIIP becoming essential tools
– For supporting national security & social-economic well-being
• At national level
– Increased need to share responsibilities & co-ordination
o Among stakeholders in prevention, preparation, response & recovery
• At regional & international level
– Increased need for co-operation & co-ordination with partners
o In order to formulate and implement effective CIIP frameworks
© Commonwealth Telecommunications Organisation | www.cto.int
Challenges for developing countries
#1: Cost and lack of (limited) financial investment
– Funds required to establish a CIIP strategic framework can be a hindrance
– Limited human & institutional resources
Source: GDP listed by IMF (2013)
© Commonwealth Telecommunications Organisation | www.cto.int
Challenges for developing countries
#2: Technical complexity in deploying CIIP
– Need to understand dependencies & interdependencies
o Especially vulnerabilities & how they cascade
eGovernment
Emergency care
(Police, Firefighters,
Ambulances)
Public
Transport
Public
eComms
Banks &
Trading
Public
Administration
Private
Datacenters
Online services,
cloud
computing
Public
Datacenters
Private D2D
links
Regional
network, cables,
wires, trunks
(90%) 30 days outages are disastrous
(99%) 3 days outages are disastrous
(99.9%) 8 hr outages are disastrous
© Commonwealth Telecommunications Organisation | www.cto.int
Emergency
Calls
Telco sites,
switch areas,
interconnections
Regional
Power
Supply
Powerplants
Regional
Power Grid
Challenges for developing countries
#3: Identify & prioritize critical functions
Critical Function
Critical Function
Infrastructure
Element
Supply
Chain
Supply
Chain
Key
Resource
Infrastructure Element
Supply
Chain
Supply
Critical Function
Chain
Infrastructure
Element
Interdependencies
Understand requirements &
complexity
Supply
Chain
© Commonwealth Telecommunications Organisation | www.cto.int
Supply
Chain
Key
Resource
Supply
Chain
Supply
Chain
Key
Resource
Supply
Chain
• Understand the critical functions,
infrastructure elements, and key resources
necessary for
– Delivering essential services
– Maintaining the orderly operations if the
economy
– Ensure public safety.
Challenges for developing countries
#4: Need for Cybersecurity education & culture re-think
– Create awareness on importance of Cybersecurity & CIIP
o By sharing information on what works & successful best practices
– Creating a Cybersecurity culture can promote trust & confidence
o It will stimulate secure usage, ensure protection of data and privacy
© Commonwealth Telecommunications Organisation | www.cto.int
Challenges for developing countries
#5: Lack of relevant CII strategies, policies & legal framework
– Needs Cybercrime legislation & enforcement mechanisms
– Setup policies to encourage co-operation among stakeholders
o Especially through Public-Private-Partnerships (PPP)
#6: Lack of information sharing & knowledge transfer
– It is important at ALL levels National, Regional & International
– Necessary for developing trust relationships among stakeholders
o Including CERT teams
© Commonwealth Telecommunications Organisation | www.cto.int
Commonwealth Approach to Cybergovernance
Why a Commonwealth Model
• Contrasting views emerging across the world on governing the
Cyberspace
• Harmonisation is critical to facilitate the growth and to realise the
full potentials of Cyberspace
• Commonwealth family subscribes to common values and principles
which are equally well applicable to Cyberspace
• CTO is the Commonwealth agency mandated in ICTs
• The project was launched at the 53rd council meeting of the
CTO in Abuja, Nigeria (9th Oct 2013)
• Wide consultations with stakeholders
• Adopted at the Commonwealth ICT Ministers Forum on 3rd and 4th
March 2014 in London
© Commonwealth Telecommunications Organisation | www.cto.int
23
Objectives
The Cybergovernance Model aims to guide Commonwealth
members in:– Developing policies, legislation and regulations
– Planning and implementing practical technical
measures
– Fostering cross-border collaboration
– Building capacity
© Commonwealth Telecommunications Organisation | www.cto.int
24
Commonwealth Values in Cyberspace
• Based on Commonwealth Charter of March 2013
– Democracy, human rights and rule of law
• The Charter expressed the commitment of member states to
– The development of free and democratic societies
– The promotion of peace and prosperity to improve the lives of all peoples
– Acknowledging the role of civil society in supporting Commonwealth
activities
• Cyberspace today and tomorrow should respect and reflect the
Commonwealth Values
– This has led to defining Commonwealth principles for use of Cyberspace
© Commonwealth Telecommunications Organisation | www.cto.int
25
Commonwealth Principle for use of Cyberspace
Principle 1: We contribute to a safe and an effective global
Cyberspace
•
•
•
•
•
•
•
•
•
•
as a partnership between public and private sectors, civil society and
users, a collective creation;
with multi-stakeholder, transparent and collaborative governance
promoting continuous development of Cyberspace;
where investment in the Cyberspace is encouraged and rewarded;
by providing sufficient neutrality of the network as a provider of
information services;
by offering stability in the provision of reliable and resilient information
services;
by having standardisation to achieve global interoperability;
by enabling all to participate with equal opportunity of universal access;
as an open, distributed, interconnected internet;
providing an environment that is safe for its users, particularly the young
and vulnerable;
made available to users at an affordable price.
© Commonwealth Telecommunications Organisation | www.cto.int
26
Commonwealth Principle for use of Cyberspace
Principle 2: Our actions in Cyberspace support broader economic
and social development
•
•
•
•
•
•
•
•
by enabling innovation and sustainable development, creating greater
coherence and synergy, through collaboration and the widespread
dissemination of knowledge;
respecting cultural and linguistic diversity without the imposition of beliefs;
promoting cross-border delivery of services and free flow of labour in a
multi-lateral trading system;
allowing free association and interaction between individuals across
borders;
supporting and enhancing digital literacy;
providing everyone with information that promotes and protects their
rights and is relevant to their interests, for example to support transparent
and accountable government;
enabling and promoting multi-stakeholder partnerships;
facilitating pan-Commonwealth consultations and international linkages in
a single globally connected space that also serves local interests.
© Commonwealth Telecommunications Organisation | www.cto.int
27
Commonwealth Principle for use of Cyberspace
Principle 3: We act individually and collectively to tackle
cybercrime
• nations, organisations and society work together to foster respect for
the law;
• to develop relevant and proportionate laws to tackle Cybercrime
effectively;
• to protect our critical national and shared infrastructures;
• meeting internationally-recognised standards and good practice to
deliver security;
• with effective government structures working collaboratively within and
between states;
• with governments, relevant international organisations and the private
sector working closely to prevent and respond to incidents.
© Commonwealth Telecommunications Organisation | www.cto.int
28
Commonwealth Principle for use of Cyberspace
Principle 4: We each exercise our rights and meet our responsibilities in
Cyberspace
•
•
•
•
•
•
•
we defend in Cyberspace the values of human rights, freedom of expression and
privacy as stated in our Charter of the Commonwealth;
individuals, organisations and nations are empowered through their access to
knowledge;
users benefit from the fruits of their labours; intellectual property is protected
accordingly;
users can benefit from the commercial value of their own information; accordingly,
responsibility and liability for information lies with those who create it;
responsible behaviour demands users all meet minimum Cyberhygiene
requirements;
we protect the vulnerable in society in their use of Cyberspace;
we, individually and collectively, understand the consequences of our actions and
our responsibility to cooperate to make the shared environment safe; our obligation
is in direct proportion to culpability and capability.
© Commonwealth Telecommunications Organisation | www.cto.int
29
Commonwealth
Approach for Developing
National Cybersecurity
Strategies
Development of a Nation Cybersecurity Strategy
• Need support from highest levels of government
• Adopt a multi-stakeholder partnership (private sector,
public sector & civil society)
• Draw on the expertise of the International Community
• Appoint a lead organisation or institution
• Be realistic and sympathetic to the commercial
consideration of the private sector
• Add mechanisms to monitor & validate implementation
© Commonwealth Telecommunications Organisation | www.cto.int
31
Main elements of a Cybersecurity Strategy
•
•
•
•
•
•
Introduction and background
Guiding principles
Vision and strategic goals
Specific objectives
Stakeholders
Strategy implementation
© Commonwealth Telecommunications Organisation | www.cto.int
32
Introduction & Background
• Focuses on the broad context
• Sets the importance of Cybersecurity to national
development
• Assess current state of Cybersecurity and challenges
STRATEGY COMPONENTS
ASPECTS TO CONSIDER
EXAMPLE TEXT FROM PUBLISHED STRATEGIES
AND BEST PRACTICE
1.

Uganda’s introduction covers:

The definition of information security

The justification for a strategy

Country analysis of current state of
information security framework.

Strategy guiding principles

Vision, mission, strategic objectives
Introduction / background
This section provides a succinct background of
the country’s circumstances and the status of its
Cybersecurity


Explain the importance of Cybersecurity
to economic and social development.
Describe the use of Cyberspace and the
nature of Cybersecurity challenges to
justify the need for the Cybersecurity
strategy
Explain the relationship to existing
national strategies and initiatives.
Note that this example covers the first three
sections in this framework.
© Commonwealth Telecommunications Organisation | www.cto.int
33
Guiding Principles (1/2)
•
•
•
•
•
•
•
Based on Commonwealth Cybergovernance principles
Balance security goals & privacy/protection of civil liberties
Risk-based (threats, vulnerabilities, and consequences)
Outcome-focused (rather than the means to achieve it)
Prioritised (graduated approach focusing on critical issues)
Practicable (optimise for the largest possible group)
Globally relevant (harmonised with international standards)
© Commonwealth Telecommunications Organisation | www.cto.int
34
Guiding Principles (2/2)
STRATEGY COMPONENTS
ASPECTS TO CONSIDER
EXAMPLE TEXT FROM PUBLISHED STRATEGIES AND
BEST PRACTICE
2. Guiding principles

In addition to the Commonwealth Cybergovernance
principles and national principles the following
delivery principles are recommended:
Risk-based. Assess risk by identifying threats,
vulnerabilities, and consequences, then manage the
risk through mitigations, controls, costs, and similar
measures.
Outcome-focused. Focus on the desired end state
rather than prescribing the means to achieve it, and
measure progress towards that end state.
Prioritised. Adopt a graduated approach and focus on
what is critical, recognising that the impact of
disruption or failure is not uniform among assets or
sectors.
Practicable. Optimise for adoption by the largest
possible group of critical assets and realistic
implementation across the broadest range of
critical sectors.
Globally relevant. Integrate international standards
to the maximum extent possible, keeping the goal
of harmonization in mind wherever possible.
This section identifies the guiding principles
for addressing Cybersecurity within which 
the strategy is designed and delivered.

© Commonwealth Telecommunications Organisation | www.cto.int
Build from the principles of the
Commonwealth Cybergovernance
model.
Include any relevant national principles.
Describe the delivery principles that
guide the design of the objectives goals,
vision and objectives.
35
Visions & Strategic Goals
•
•
•
•
•
•
•
•
Promote economic development
Provide national leadership
Tackle cybercrime
Strengthen the critical infrastructure
Raise and maintain awareness
Achieve shared responsibility
Defend the value of Human Rights
Develop national and international partnerships
© Commonwealth Telecommunications Organisation | www.cto.int
36
Visions & Strategic Goals
STRATEGY COMPONENTS
ASPECTS TO CONSIDER
EXAMPLE TEXT FROM PUBLISHED STRATEGIES AND BEST PRACTICE
3. Strategic goals and vision

Australia’s vision: “The maintenance of a secure, resilient and trusted
electronic operating environment that supports Australia’s national
security and maximises the benefits of the digital economy”
This section defines what
success looks like in broad
summary terms and reflects the
country’s priorities.


Make a clear statement of the
country’s commitment to protecting
the use of its Cyberspace
Emphasise the breadth of the use of
Cyberspace: covering social and
economic activity
Include text that can be quoted as
part of the communication with wider
stakeholders, e.g. a vision statement.
Three pillars of the Australian strategy:
• All Australians are aware of cyber risks, secure their computers
and take steps to protect their identities, privacy and finances
online;
• Australian businesses operate secure and resilient information and
communications technologies to protect the integrity of their own
operations and the identity and privacy of their customers;
• The Australian Government ensures its information and
communications technologies are secure and resilient.”
Four pillars of the UK strategy:
• Tackle cybercrime and be one of the most secure places in the
world to do business in cyberspace;
• To be more resilient to cyber attacks and better able to protect
our interests in cyberspace;
• To have helped shape an open, stable and vibrant cyberspace
which the UK public can use safely and that supports open
societies;
• To have the cross-cutting knowledge, skills and capability it needs
to underpin all our Cybersecurity objectives.
© Commonwealth Telecommunications Organisation | www.cto.int
37
Specific Objectives
•
•
•
•
•
•
•
•
•
•
•
Provide a national governance framework for securing Cyberspace
Enhance the nation’s preparedness to respond to the challenges of Cyberspace
Strengthening Cyberspace and national critical infrastructure
Securing national ICT systems to attract international businesses
Building a secure, resilient and reliable Cyberspace
Building relevant national and international partnerships and putting effective
political-strategic measures in place to promote Cyber safety
Developing a culture of Cybersecurity awareness among citizens
Promoting a culture of “self protection” among businesses and citizens
Creating a secure Cyber environment for protection of businesses and individuals
Building skills and capabilities needed to address Cybercrime
Becoming a world leader in Cybercrime-preparedness and Cybercrime-defence
© Commonwealth Telecommunications Organisation | www.cto.int
38
Specific Objectives
STRATEGY COMPONENTS
ASPECTS TO CONSIDER
4. Risk management (Risk 
based approach objectives)
How the risk management
process works, and then setting
objectives and priorities

This section describes how risk
management is performed and
provides a top-level analysis.
It states specific and tangible
targets and assigns relative
priorities.


How risk management is currently
performed, for example for national
security.
Sources of threat information and of
major vulnerabilities.
How granular to make the outcomes
and objectives.
How frequently to repeat the risk
assessment process.
© Commonwealth Telecommunications Organisation | www.cto.int
EXAMPLE TEXT FROM PUBLISHED STRATEGIES AND BEST PRACTICE
Source: Microsoft’s guidance, listed in appendix 3:
• A clear structure for assessing and managing risk
• Understand national threats and major vulnerabilities
• Document and review risk acceptance and exceptions
• Set clear security priorities consistent with the principles
• Make national cyber risk assessment an on-going process
39
Stakeholders
Sector Specific
Agency
Public
Private
Partnership
International
Organisations
Infrastructure
owners and
operators
Law
Enforcement
CIP Coordinator
(Executive
Sponsor)
Government
© Commonwealth Telecommunications Organisation | www.cto.int
Computer
Emergency
Response Team
(CERT)
Shared
IT vendors
and
solution
providers
Private
40
Specific Objectives
STRATEGY COMPONENTS
ASPECTS TO CONSIDER
EXAMPLE TEXT FROM PUBLISHED STRATEGIES AND BEST PRACTICE
4. Stakeholders

This section identifies key
participants in the
development and delivery of
the strategy.

In constructing the list of stakeholders, the following constituencies should be
considered:
• ministers and other politicians;
• government departments concerned with ICT, telecommunications and
information security;
• private sector organisations that provide ICT services;
• government departments whose responsibilities rely upon or who engage with
Cyberspace, including: most economic activity, trade, tourism, law enforcement;
• providers of the critical national infrastructure whose vital communications are
increasingly carried across the internet;
• companies across the economy that rely upon Cyberspace, often represented by
trade associations;
• representatives of civil society, often in the form of groups that reflect broad
public opinion and can advise on the best way to achieve outcomes involving the
public;
• civil society organisations that represent particular parts of society or interest
groups and can explain, for example, the needs of the young, of women, of rural
communities and of the vulnerable;
• experts who understand how Cyberspace works, from a technical perspective, to
ensure that government strategies are practical;
• Academia who can advise on R&D, international best practice, emerging issues;
• International bodies such as the Commonwealth Telecommunications
Organisation
• Other countries, particularly regional countries.
Roles and responsibilities
should be clearly defined
using RACI terminology (see
appendix 5).

Identify all relevant key
stakeholders taking into
consideration, country
objectives and focus areas
Identify key international
stakeholders and partners
that could contribute
effectively
Draw stakeholders from
governmental and nongovernmental
organizations, civil societies,
academia, public and
private sectors of the
economy. Should include
but not limited to software
and equipment vendors,
owners and operators of CII,
law enforcement
institutions etc.
© Commonwealth Telecommunications Organisation | www.cto.int
41
Strategy Implementation
•
•
•
•
•
Governance and management structure
Legal and regulatory framework
Capacity Development
Awareness and outreach programmes
Incident response
– Incentivize commercial competitors to cooperate
– Create national CERTs (include sector based CERTs)
• Stakeholder collaboration
• Research and Development
• Monitoring and evaluation
© Commonwealth Telecommunications Organisation | www.cto.int
42
Strategy Implementation
© Commonwealth Telecommunications Organisation | www.cto.int
43
What Next? Upcoming CIIP Workshops
CTO CIIP Workshops
Successfully completed
Scheduled to take place
Accra, Ghana
Jan-Feb 2015
Colombo, Sri Lanka/Dhaka, Bangladesh
Aug-Sep 2014
Nairobi, Kenya
Nov 2014
Port Vila, Vanuatu
Sep-Oct 2014
To be confirmed
© Commonwealth Telecommunications Organisation | www.cto.int
44
Q & A Session
Further Information Contact:
Dr Martin Koyabe
Email: m.koyabe@cto.int
Tel: +44 (0) 208 600 3815 (Off)
+44 (0) 791 871 2490 (Mob)
© Commonwealth Telecommunications Organisation | www.cto.int
45
Download