Critical Information Infrastructure Protection (CIIP) National - - PowerPoint PPT Presentation



SLIDE 1

Critical Information Infrastructure Protection (CIIP)

National Knowledge Network (NKN) Annual workshop 17 - 19 Oct 2013, IISc, Bangalore

SLIDE 2

Presentation Outline

  • Government Cyber Security Architecture
  • CII – Overview & Definitions
  • Critical Sectors
  • Threats
  • Approach to CIIP
  • International Efforts & Practices
  • Lateral Developments

NKN Annual Workshop: 17 - 19 Oct' 13

SLIDE 3

National Security Council; National Information Board

  • Threat Monitoring
  • Assurance & Certification
  • R&D and Indigenization
  • Deterrence / Operations
  • Engagement with private sector and Academia
  • Enabling Policies

SLIDE 4

CII

  • Those facilities, systems, or functions, whose incapacity or destruction would cause a debilitating impact on national security, governance, economy and social well-being of a nation.

In India, as per Section 70 of IT (Amendment) Act 2008, CII is defined as - The computer resource, the incapacitation or destruction of which, shall have debilitating impact on national security, economy, public health or safety.

CIIP - To take all measures, including R&D, relating to protection of CII

SLIDE 5

SLIDE 6

Government Situation Awareness/ Threat Analysis Private

CIIP

SLIDE 7

Assurance

Government CERT Situation Centre CERT-C Analysis Technology

CIIP

SLIDE 8

  • Information not to be divulged
  • Information shared within one sector
  • Information restricted within CII
  • Information that can be publicly shared

SLIDE 9
  • Defence - Army, Air Force, Navy, Defence Production, and Defence Research.
  • Energy - Nuclear, hydro, Thermal/Coal, Oil & Gas.
  • Finance - Stock Exchange, Depositories, banks and Financial Institutions, Direct/Indirect Revenue Services.
  • Space - Space Research, Launching, Command & Control, Remote Sensing.
  • Information and Communication Technology - Internet Services – DNS, Web, Mail – Data Networks, Satellite, Terrestrial and wireless, Data Centre, Telecom – Fixed and mobile.
  • Information & Broadcasting - Broadcasting Services.
  • Transportation - Railways, Civil Aviation, shipping, Surface Transport.
  • Public Essential Services and Utilities - Medical Services, Fire Services, Water Supply.
  • Law Enforcement and Security - Police, Security Agencies.

SLIDE 10

Vertical Dependency Horizontal Dependency

SLIDE 11
  • Internal Threats
    – IT sabotage, Fraud, Information Security breach and Theft of Confidential or proprietary information
  • External Threats
    – Terrorist attacks on CII, Espionage, Cyber/Electronic warfare, Cyber Terrorism, Malware/Spyware, Natural disaster etc.
  • Threats may cause unauthorized access, modification, use, disclosure, disruption, incapacitation or destruction to CII.

SLIDE 12
  • Top-down structure:
    – Coordinated protection for larger entities.
    – CERT (or equivalent).
  • Bottom-up Structure:
    – Community-based protection for smaller stakeholder.
    – C-SAW (Community Oriented Security, Advisory & Warning) structure.
  • Holistic Development:
    – Creating an ‘all-encompassing’ CIIP structure.

[Figure: Top Down (T-D) Approach, CERT: Government Military Departments; Large Industry; Public, Private. Bottom-up (B-U) Approach, CSAW: Universities of Research Institution; Other Tertiary Institution; Small Academic Institutions; Small & Medium Business; Individuals; Public, Private.]

SLIDE 13

Planning Controls

1) Identification of CIIs
2) Vertical & Horizontal Interdependencies
3) Information Security Departments
4) Information Security Policies

Implementation Control

5) Access Control Policies
6) Limiting Admin Privileges
7) Perimeter Protection
8) Incident Response
9) Network Device Protection
10) Hardening of Hardware and Software
11) Testing and Evaluation of Hardware & Software
12) DOS/DDOS Protection
13) Penetration Testing
14) Risk Assessment Management
15) Physical Security
16) Identification & Authentication
17) Maintenance Plan
18) Maintaining Monitoring & Analysis Log.

Source: Guidelines prepared by JWG of NCIIPC under NTRO

SLIDE 14

Operation control

19) Data Storage – Hashing & Encryption
20) Training & Skill up-gradation
21) Data Loss Prevention
22) Cloud Security
23) Wi-Fi Security
24) Intranet Security
25) Web Application Security
26) Advanced Persistent Threats Protection
27) Feedback Mechanism
28) Security Certification
29) Asset & Inventory Management
30) Outsourcing and Vendor Security
31) Critical Information Disposal and Transfer

Backup control

32) Disaster Recovery Site
33) Contingency Planning
34) Predictable Failure Prevention
35) Information / Data Leakage Protection
36) Data Backup Plan
37) Secure Architecture Deployment

Audit Controls

38) Period Audit
39) Compliance of Security Recommendation
40) Checks and Balances for Negligence

SLIDE 15
  • Identification of CII
  • Interdependency & Criticality Assessment
  • Risk Assessment
  • Vulnerability Assessment
  • Threat Analysis
  • Assessment of existing level of Cyber Security measures / assurance
  • Establishment of Early warning detection system
  • Incident Management
  • Crisis Management Plan
  • Capacity Building
  • Training & Awareness
  • CIIP R&D including modeling & Simulation and SCADA Security.

SLIDE 16
  • SCADA systems are deployed worldwide in CIs, e.g. power, transport, industry etc.
  • Critical to our well-being & economy.
  • Original design & subsequent evolution failed to adequately consider risk of deliberate attack.
  • Need to understand link between SCADA security and cyber warfare.
  • Research and Indigenisation would be extremely beneficial in securing CII.

SLIDE 17
  • UN Resolution 58/199 “Creation of Global Culture of Cyber Security and the Protection of Critical Information Infrastructure.”
  • G8 Principles for Protecting Critical Information Infrastructures (www.justice.gov/criminal/cybercrime/g82004/G8_CIIP_Principles.pdf)
  • ITU: A Generic National Framework for Critical Information Infrastructure Protection (CIIP) August 2007
  • Organisation for Economic Co-operation and Development (OECD):
    – Development of policies for the protection of the critical information infrastructure
    – Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security (http://www.oecd.org/)
  • International Standards
    – ISO/IEC Standards 27001, 27002, 27003, 27004, 27005, 27021, 27031, 27035, 31000, 31010
    – ISACA: Cobit 4.1, Cobit 5
    – ITIL etc
  • International Multilateral Partnership Against Cyber Threats (IMPACT) www.impact-alliance.org
  • Information Sharing and Analysis Centers Council (ISAC Council): A Functional Model for Critical Infrastructure Information Sharing & Analysis (www.isaccouncil.org)

SLIDE 18
  • Clear policies & objectives with support from national leadership.
  • Entity at national level that develops security standards and guidelines.
  • National risk management strategy & framework – Highest level of government to operators.
  • International cooperation.
  • Partnership to address common challenges.
  • Information sharing on international level at both operational & policy level.

SLIDE 19
  • Cyber Security R&D
    – Network and Communication Security.
    – Cryptology.
    – Enterprise Security
  • Indigenization
    – Networking/routing devices, NMS etc
    – threat analysis, threat management, threat intelligence
  • Human Resource Development in Cyber Security.

SLIDE 20
