Critical Information Infrastructure Protection (CIIP) National - PowerPoint PPT Presentation


  1. Critical Information Infrastructure Protection (CIIP) National Knowledge Network (NKN) Annual workshop 17 - 19 Oct 2013, IISc, Bangalore

  2. Presentation Outline
     • Government Cyber Security Architecture
     • CII – Overview & Definitions
     • Critical Sectors
     • Threats
     • Approach to CIIP
     • International Efforts & Practices
     • Lateral Developments
     NKN Annual Workshop: 17 - 19 Oct' 13

  3. Organization chart: National Security Council; National Information Board; Enabling Policies; Engagement with private sector and Academia; Threat Monitoring; Assurance & Certification; R&D and Indigenization; Deterrence / Operations

  4. • CII - Those facilities, systems, or functions, whose incapacity or destruction would cause a debilitating impact on national security, governance, economy and social well-being of a nation.
     • In India, as per Section 70 of IT (Amendment) Act 2008, CII is defined as - The computer resource, the incapacitation or destruction of which, shall have debilitating impact on national security, economy, public health or safety.
     • CIIP - To take all measures, including R&D, relating to protection of CII

  6. Diagram labels: Government; Private; Situation Awareness / Threat Analysis; CIIP

  7. Assurance Government CERT-C Situation Centre CERT Analysis Technology CIIP

  8. • Information not to be divulged
     • Information shared within one sector
     • Information restricted within CII
     • Information that can be publicly shared

  9. • Defence - Army, Air Force, Navy, Defence Production, and Defence Research.
     • Energy - Nuclear, Hydro, Thermal/Coal, Oil & Gas.
     • Finance - Stock Exchange, Depositories, Banks and Financial Institutions, Direct/Indirect Revenue Services.
     • Space - Space Research, Launching, Command & Control, Remote Sensing.
     • Information and Communication Technology - Internet Services – DNS, Web, Mail – Data Networks, Satellite, Terrestrial and Wireless, Data Centre, Telecom – Fixed and Mobile.
     • Information & Broadcasting - Broadcasting Services.
     • Transportation - Railways, Civil Aviation, Shipping, Surface Transport.
     • Public Essential Services and Utilities - Medical Services, Fire Services, Water Supply.
     • Law Enforcement and Security - Police, Security Agencies.

  10. Diagram labels: Vertical Dependency; Horizontal Dependency

  11. • Internal Threats – IT sabotage, Fraud, Information Security breach and Theft of Confidential or proprietary information
      • External Threats – Terrorist attacks on CII, Espionage, Cyber/Electronic warfare, Cyber Terrorism, Malware/Spyware, Natural disaster etc.
      • Threats may cause unauthorized access, modification, use, disclosure, disruption, incapacitation or destruction to CII.

  12. • Top-down structure:
        – Coordinated protection for larger entities.
        – CERT (or equivalent).
      • Bottom-up structure:
        – Community-based protection for smaller stakeholder.
        – C-SAW (Community oriented Security, Advisory & Warning) structure.
      • Holistic Development:
        – Creating an ‘all-encompassing’ CIIP structure.
      Diagram labels: Top Down (T-D) Approach, CERT: Government, Military Departments, Large Industry; Public, Private; Bottom-up (B-U) Approach, CSAW: Universities of Research Institution, Other Tertiary Institution, Small Academic Institutions, Small & Medium Business, Individuals

  13. Planning Controls
      1) Identification of CIIs
      2) Vertical & Horizontal Interdependencies
      3) Information Security Departments
      4) Information Security Policies
      Implementation Control
      5) Access Control Policies
      6) Limiting Admin Privileges
      7) Perimeter Protection
      8) Incident Response
      9) Network Device Protection
      10) Hardening of Hardware and Software
      11) Testing and Evaluation of Hardware & Software
      12) DOS/ DDOS Protection
      13) Penetration Testing
      14) Risk Assessment Management
      15) Physical Security
      16) Identification & Authentication
      17) Maintenance Plan
      18) Maintaining Monitoring & Analysis Log.
      Source: Guidelines prepared by JWG of NCIIPC under NTRO

  14. Operation control
      19) Data Storage – Hashing & Encryption
      20) Training & Skill up-gradation
      21) Data Loss Prevention
      22) Cloud Security
      23) Wi-Fi Security
      24) Intranet Security
      25) Web Application Security
      26) Advanced Persistent Threats Protection
      27) Feedback Mechanism
      28) Security Certification
      29) Asset & Inventory Management
      30) Outsourcing and Vendor Security
      31) Critical Information Disposal and Transfer
      Backup control
      32) Disaster Recovery Site
      33) Contingency Planning
      34) Predictable Failure Prevention
      35) Information / Data Leakage Protection
      36) Data Backup Plan
      37) Secure Architecture Deployment
      Audit Controls
      38) Periodic Audit
      39) Compliance of Security Recommendation
      40) Checks and Balances for Negligence

  15. • Identification of CII
      • Interdependency & Criticality Assessment
      • Risk Assessment
      • Vulnerability Assessment
      • Threat Analysis
      • Assessment of existing level of Cyber Security measures / assurance
      • Establishment of Early warning detection system
      • Incident Management
      • Crisis Management Plan
      • Capacity Building
      • Training & Awareness
      • CIIP R&D including modeling & Simulation and SCADA Security.

  16. • SCADA systems are deployed worldwide in CIs e.g. power, transport, industry etc.
      • Critical to our well-being & economy.
      • Original design & subsequent evolution failed to adequately consider risk of deliberate attack.
      • Need to understand link between SCADA security and cyber warfare.
      • Research and Indigenisation would be extremely beneficial in securing CII.

  17. • UN Resolution 58/199 “Creation of Global Culture of Cyber Security and the Protection of Critical Information Infrastructure.”
      • G8 Principles for Protecting Critical Information Infrastructures (www.justice.gov/criminal/cybercrime/g82004/G8_CIIP_Principles.pdf)
      • ITU: A Generic National Framework for Critical Information Infrastructure Protection (CIIP) August 2007
      • Organisation for Economic Co-operation and Development (OECD):
        – Development of policies for the protection of the critical information infrastructure
        – Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security (http://www.oecd.org/)
      • International Standards
        – ISO/IEC Standards 27001, 27002, 27003, 27004, 27005, 27021, 27031, 27035, 31000, 31010
        – ISACA: Cobit 4.1, Cobit 5
        – ITIL etc
      • International Multilateral Partnership Against Cyber Threats (IMPACT) www.impact-alliance.org
      • Information Sharing and Analysis Centers Council (ISAC Council): A Functional Model for Critical Infrastructure Information Sharing & Analysis (www.isaccouncil.org)

  18. • Clear policies & objectives with support from national leadership.
      • Entity at national level that develops security standards and guidelines.
      • National risk management strategy & framework – Highest level of government to operators.
      • International cooperation.
      • Partnership to address common challenges.
      • Information sharing on international level at both operational & policy level.

  19. • Cyber Security R&D
        – Network and Communication Security.
        – Cryptology.
        – Enterprise Security
      • Indigenization
        – Networking/ routing devices, NMS etc
        – threat analysis, threat management, threat intelligence
      • Human Resource Development in Cyber Security.
