Critical Information Infrastructure Protection Perspective on Cloud Computing Services. CIIP Workshop, Dhaka, Bangladesh, 10-11th September 2014. Presenter: Dr Martin Koyabe (CTO)


Critical Information Infrastructure Protection Perspective on Cloud Computing Services

CIIP Workshop

Dhaka, Bangladesh

10-11th September 2014

Presenter

Dr Martin Koyabe (CTO)

Acknowledgement

Table of Content

Session 1: Understanding CIIP & Challenges

Session 2: Cloud Computing Today

Session 3: CIIP Perspective of Cloud Computing

Session 4: Cloud Computing CIIP Scenarios

Session 5: Steps Towards a CI Protection

Session 6: Cybersecurity Threat Horizon

Session 7: Commonwealth Cybersecurity Strategy

Session 1: Understanding CIIP & Challenges


© Commonwealth Telecommunications Organisation | www.cto.int

Understanding CIIP

General definition:

• Critical Resources

• Critical Infrastructure

• Critical Information Infrastructure

• Interdependencies

Critical Resources

(Images: Water, Energy, Forests)

Defined by some national governments to include:-

• Natural & environmental resources (water, energy, forests etc.)

• National monuments & icons, recognized nationally & internationally

Critical Infrastructure (1/3)

(Images: Airports, Power Grid, Roads)

Defined by some national governments to include:-

• Nation’s public works, e.g. bridges, roads, airports, dams etc.

• Increasingly includes telecommunications, in particular major national and international switches and connections

Critical Infrastructure (2/3)

“the assets, systems, and networks, whether physical or virtual, so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.”

Source: US Homeland Security

“the (CNI) comprises those assets, services and systems that support the economic, political and social life of the UK whose importance is such that loss could either, cause large-scale loss of life; have a serious impact on the national economy; have other grave social consequences for the community; or be of immediate concern to the national government.”

Source: UK Centre for the Protection of National Infrastructure (CPNI)

“an asset or system which is essential for the maintenance of vital societal functions. The damage to a critical infrastructure, its destruction or disruption by natural disasters, terrorism, criminal activity or malicious behaviour, may have a significant negative impact for the security of the EU and the well-being of its citizens.”

Source: European Union (EU)

Critical Infrastructure (3/3)

“those physical facilities, supply chains, information technologies and communication networks which, if destroyed, degraded or rendered unavailable for an extended period, would significantly impact on the social or economic wellbeing of the nation or affect Australia’s ability to conduct national defense and ensure national security.”

Source: The Australian, State & Territory Government

“processes, systems, facilities, technologies, networks, assets and services essential to the health, safety, security or economic well-being of Canadians and the effective functioning of government. Critical infrastructure can be stand-alone or interconnected and interdependent within and across provinces, territories and national borders. Disruptions of critical infrastructure could result in catastrophic loss of life, adverse economic effects, and significant harm to public confidence.”

Source: Government of Canada

“those facilities, systems, or functions, whose incapacity or destruction would cause a debilitating impact on national security, governance, economy and social well-being of a nation”

Source: National Critical Information Infrastructure Protection Centre (NCIIPC)

What about Commonwealth member countries?

Do they have a national critical infrastructure initiative or strategy?

Critical Infrastructure Sub-Sectors

e.g. Germany classifies its critical infrastructure into technical basic infrastructure and socio-economic services infrastructure

Critical Information Infrastructure (1/2)

CII definition:-

“Communications and/or information service whose availability, reliability and resilience are essential to the functioning of a modern economy, security, and other essential social values.”

Source: Rueschlikon Conference on Information Policy Report, 2005

Critical Information Infrastructure (2/2)

Diagram: Critical Infrastructures (Telecoms, Energy, Transportation, Finance/Banking, Government Services, Large Enterprises, End-users), each split into essential and non-essential IT systems.

Critical Information Infrastructure: cross-cutting ICT interdependencies among all sectors.

Cyber security: practices and procedures that enable the secure use and operation of cyber tools and technologies.

Critical Information Infrastructure Protection (CIIP)

• Widespread use of the Internet has transformed stand-alone systems and predominantly closed networks into a virtually seamless fabric of interconnectivity.

• ICT or information infrastructure enables large scale processes throughout the economy, facilitating complex interactions among systems across global networks; many of the critical services that are essential to the well-being of the economy are increasingly becoming dependent on IT.

• Today Critical Information Infrastructure Protection (CIIP)

  – Focuses on protection of IT systems and assets
    o Telecoms, computers/software, Internet, interconnections & network services

  – Ensures Confidentiality, Integrity and Availability
    o Required 24/7 (365 days)
    o Part of the daily modern economy and the existence of any country

Diagram: CIIP underpins the Telecom Network, Power Grid, Water Supply, Public Health, National Defence and Law Enforcement.

CII Attack Scenarios

Diagram: Critical Information Infrastructure (CII) as cross-cutting ICT interdependencies among all sectors (Telecoms, Health Services, Cloud Services, Finance/Banking, eGovernment), exposed to three classes of disruption:

• Natural disaster, power outage, or hardware failure

• Resource exhaustion (due to DDoS attack)

• Cyber attack (due to a software flaw)

Future CII Attack Vectors

• Expanding Infrastructures

  – Fiber optic connectivity
    o TEAMS/Seacom/EASSy

  – Mobile/Wireless Networks
    o Asia-Pacific accounts for 55% of ALL mobile phones in the world (2.2 billion)

• Existence of failed states

  – Increased ship piracy
    o To fund other activities

  – Cyber warfare platforms
    o Doesn’t need troops or military hardware

• Cyber communities

  – Social Networks – Attacker’s “gold mine”

Global trends towards CIIP

• Increased awareness for CIIP & cyber security

  – Countries aware that risks to CIIP need to be managed
    o Whether at National, Regional or International level

• Cyber security & CIIP becoming essential tools

  – For supporting national security & social-economic well-being

• At national level

  – Increased need to share responsibilities & co-ordination
    o Among stakeholders in prevention, preparation, response & recovery

• At regional & international level

  – Increased need for co-operation & co-ordination with partners
    o In order to formulate and implement effective CIIP frameworks

Challenges for developing countries

#1: Cost and lack of (or limited) financial investment

  – Funds required to establish a CIIP strategic framework can be a hindrance

  – Limited human & institutional resources

(Chart source: GDP listed by IMF (2013))

#2: Technical complexity in deploying CIIP

  – Need to understand dependencies & interdependencies
    o Especially vulnerabilities & how they cascade

Diagram: dependency chain linking power plants, the regional power grid and regional power supply; private datacenters (banks & trading) over private D2D links; public datacenters (public administration, eGovernment, online services, cloud computing); telco sites, switch areas and interconnections; public eComms over the regional network (cables, wires, trunks); public transport; emergency care (police, firefighters, ambulances) and emergency calls. Outage tolerance annotations: at 99.9% availability an 8 hr outage is disastrous; at 99%, a 3 day outage; at 90%, a 30 day outage.

#3: Need for Cybersecurity education & culture re-think

  – Create awareness on importance of Cybersecurity & CIIP
    o By sharing information on what works & successful best practices

  – Creating a Cybersecurity culture can promote trust & confidence
    o It will stimulate secure usage, ensure protection of data and privacy

#4: Lack of relevant CII strategies, policies & legal framework

  – Needs Cybercrime legislation & enforcement mechanisms

  – Setup policies to encourage co-operation among stakeholders
    o Especially through Public-Private-Partnerships (PPP)

#5: Lack of information sharing & knowledge transfer

  – It is important at ALL levels: National, Regional & International

  – Necessary for developing trust relationships among stakeholders
    o Including CERT teams

Session 1: Group Discussions


Question

What’s the CII definition for your country?

Session 2: Cloud Computing Today


Cloud Computing

Should Cloud Computing be considered a Critical Information Infrastructure?

Concentration of ICT Resources

• Earlier approach: not scalable and costly

  Diagram: each organization or operator runs its own Information Technology resources, linked by high capacity links between organizations or operators.

• Spread associated costs among users

  Diagram: organizations or operators in the same area access shared resources; Information Technology resources are consolidated in data centres.

Cloud Computing Deployment Models

• Private Cloud (hosted internally or externally)

• Community Cloud (hosted internally by a member or externally)

• Public Cloud

• Hybrid Cloud

Some of the benefits of Cloud Computing

Reduced Capital & Operational Cost

• Less up-front capital investment

• Allow companies to increase resource needs gradually (pay-as-you-go)

Simplify application deployment & management

• Common programming model across platforms

• Access to ecosystem of widely deployed applications

• Integration with existing IT assets

Cloud Computing


Simple definition

Cloud Computing = Software as a Service (SaaS)

+ Platform as a Service (PaaS)

+ Infrastructure as a Service (IaaS)

+ Data as a Service (DaaS)

+ * as a Service (*aaS)


Software as a Service (SaaS)

SaaS characteristics:-

• From end user’s point of view

• Applications are located in the cloud

• Software experiences are delivered online (Internet)

Platform as a Service (PaaS)

PaaS characteristics:-

• From developer’s point of view (i.e. cloud users)

• Cloud providers offer an Internet-based platform

• Developers use the platform to create services

Infrastructure as a Service (IaaS)

IaaS characteristics:-

• Cloud providers build datacentres – power, scale, hardware, networking, storage, distributed systems etc.

• Datacentre as a service

• Users rent storage, computation & maintenance

Data as a Service (DaaS)

DaaS characteristics:-

• Data -> Information -> Knowledge -> Intelligence

• Infrastructure for web data mining & knowledge

• Empower people with knowledge

• Enrich apps & services with intelligence

Uptake of Cloud Computing

(Images: Microsoft's Data Center, San Antonio, Texas; Google's Data Centre, Georgia)

• Western Europe market to grow to €15B by 2015

• Amazon AWS carries 1% of all Internet consumer traffic in North America

• Data centre growth estimated to be in excess of €30B

• Facebook server farm (Oregon) measures 14,000 m², cost ~ $200M

Who is leading the cloud market today?


Session 2: Group Discussions


Question

What is the level of Cloud Computing uptake in your country? Is it increasing?

Session 3: CIIP Perspective of Cloud Computing


Concentration of ICT Resources

Large cloud providers can deploy security and business continuity measures and spread the associated cost among the customers.

Can be a “Double Edged Sword”

If an outage or security breach occurs, the consequences can be catastrophic, affecting a large number of users and organisations at once.

Concentration of ICT Resources

Japan Earthquake 2011

• Cloud computing was resilient

• Cloud services survived power outages by using emergency fuel

• Data connections over mobile networks and fixed networks held up

• Traditional IT deployments went offline

• Cloud computing used to get organizations up and running

Concentration of ICT Resources

Lightning Strike Dublin 2011

• Took down Amazon & Microsoft services. Outage lasted for 2 days

• Amazon’s other customers (Foursquare, Reddit & Netflix) were badly affected

• Amazon’s Elastic Compute Cloud (EC2) and Relational Database Service (RDS) experienced disruption in North Virginia

• Amazon US-EAST data centers were cut off from the Internet

Cloud and CIIP

Cloud Computing services can be critical in two ways:

• Critical in themselves

• Critical for other critical services

Cloud and CIIP

e.g. Cloud based eHealth Record Platform

Critical in itself

• But needed for other emergency health operations, which are also critical

Critical to other systems

• Critical to other systems that depend on the data records

Cloud and CIIP

Most CIIP action plans address two major issues:

(1) Cyber disruptions (or outage) with large impact

Chart: users affected by the outage caused by an undersea cable cut near Alexandria, Egypt (2008)

• Pakistan: 12M

• Egypt: 6M

• Saudi Arabia: 4.7M

• UAE: 1.7M

• Kuwait: 0.8M

• Qatar: 0.3M

• India: 12M

Cloud and CIIP

(2) Cyber attacks with a large impact

• Influenced mainly by interdependencies

(Image: snapshot of the Internet before an attack on Facebook. Source: NORSE)

CIIP Dependencies (1/4)

Continuity of services & infrastructure dependencies

CIIP Dependencies (2/4)

Diagram: the same dependency chain shown under challenge #2 in Session 1 (power plants, regional power grid and regional power supply; private datacenters for banks & trading over private D2D links; public datacenters for public administration, eGovernment, online services and cloud computing; telco sites, switch areas and interconnections; public eComms over the regional network of cables, wires and trunks; public transport; emergency care for police, firefighters and ambulances, and emergency calls), annotated with outage tolerances: at 99.9% availability an 8 hr outage is disastrous; at 99%, a 3 day outage; at 90%, a 30 day outage.

CIIP Dependencies (3/4)

Software as a service dependencies

CIIP Dependencies (4/4)

Diagram: hospitals, a power plant, air traffic controllers, banks and public administration all depending on a single IT vendor for office software.

Session 3: Group Discussions

Question

List (at least 3) known incidents/cases of CII-related attacks in the recent past in your country. Discuss any remedies taken (if known).

Session 4: Cloud Computing CIIP Scenarios


Cloud Computing CIIP Scenarios

CII attack vectors

Diagram: Critical Information Infrastructure (CII) as cross-cutting ICT interdependencies among all sectors (Telecoms, Health Services, Cloud Services, Finance/Banking, eGovernment), exposed to: natural disaster, power outage, or hardware failure; resource exhaustion (due to DDoS attack); cyber attack (due to a software flaw).

Cloud Computing CIIP Scenarios

Four (4) scenarios where Cloud Computing is critical

(1) Financial Services

(Image source: New York Stock Exchange (NYSE))

Cloud Computing CIIP Scenarios

Diagram: Trading Platform (SaaS)

• Traders platform: web-interface access

• Public Internet or telephony: connecting traders to datacenters

• Data centers: the operator runs several datacenters and all systems are duplicated

• Private network, dedicated links: duplicated connection between datacenters

Cloud Computing CIIP Scenarios

Key Points:

• Software flaw can impact a wide range of organisations directly

• Consider creating ‘logical redundancy’ in addition to ‘physical redundancy’
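As an added illustration (not part of the CTO deck), the following Python model puts numbers on the two key points above for the duplicated-datacenter SaaS design in the scenario diagrams: two sites running the same software share one software flaw, so physical redundancy alone leaves a common-mode failure that logical redundancy (diverse software on the two sites) removes. All availability figures are constructed assumptions; the availability-to-downtime conversion is the one behind the 99.9% / 99% / 90% annotations on the dependency diagram.

```python
"""Added example (not from the CTO workshop deck): an availability model for the
duplicated-datacenter SaaS architecture in the scenario diagrams.

Physical redundancy = two sites whose power/hardware/link failures are independent.
Logical redundancy = the sites also run different software stacks, so a single
software flaw (a common-mode failure) cannot take both sites down at once.
All availability figures below are constructed assumptions for illustration."""
from dataclasses import dataclass
from itertools import product

HOURS_PER_YEAR = 24 * 365


def annual_downtime_hours(availability: float) -> float:
    """Expected downtime per year for a service with the given availability.

    This is the conversion behind the dependency diagram's annotations:
    99.9% -> ~8.8 h, 99% -> ~3.7 days, 90% -> ~36 days per year."""
    return (1.0 - availability) * HOURS_PER_YEAR


@dataclass(frozen=True)
class Replica:
    site: str
    hardware_availability: float  # site-local: power, hardware, private links
    software_stack: str           # replicas sharing a stack share its flaws


def platform_availability(replicas, stack_availability: float) -> float:
    """Probability the platform is up: at least one replica has its site hardware
    up AND its software stack not currently disabled by a flaw.

    Site hardware failures are independent per replica. A software flaw is
    modelled per *stack*: when it strikes, every replica on that stack is down
    simultaneously (the 'software flaw can impact a wide range of organisations
    directly' case), so stacks are enumerated, not replicas."""
    stacks = sorted({r.software_stack for r in replicas})
    total = 0.0
    # Enumerate which stacks are healthy (True) or hit by a flaw (False).
    for state in product((True, False), repeat=len(stacks)):
        p_state = 1.0
        for healthy in state:
            p_state *= stack_availability if healthy else 1.0 - stack_availability
        healthy_stacks = {s for s, ok in zip(stacks, state) if ok}
        # In this state the platform is down only if every replica on a healthy
        # stack has lost its site hardware; replicas on a failed stack cannot help.
        p_all_down = 1.0
        for r in replicas:
            if r.software_stack in healthy_stacks:
                p_all_down *= 1.0 - r.hardware_availability
        total += p_state * (1.0 - p_all_down)
    return total


# Constructed inputs: two sites at 99% hardware availability each; any single
# software stack is assumed free of disabling flaws 99.9% of the time.
SITE_HW_AVAILABILITY = 0.99
STACK_AVAILABILITY = 0.999

PHYSICAL_ONLY = (
    Replica("datacenter-1", SITE_HW_AVAILABILITY, "trading-stack-v1"),
    Replica("datacenter-2", SITE_HW_AVAILABILITY, "trading-stack-v1"),
)
PHYSICAL_AND_LOGICAL = (
    Replica("datacenter-1", SITE_HW_AVAILABILITY, "trading-stack-v1"),
    Replica("datacenter-2", SITE_HW_AVAILABILITY, "trading-stack-v2"),
)


def redundancy_comparison() -> dict:
    """Expected annual downtime (hours) for both designs."""
    return {
        name: annual_downtime_hours(platform_availability(replicas, STACK_AVAILABILITY))
        for name, replicas in (
            ("physical redundancy only", PHYSICAL_ONLY),
            ("physical + logical redundancy", PHYSICAL_AND_LOGICAL),
        )
    }


if __name__ == "__main__":
    for design, hours in redundancy_comparison().items():
        print(f"{design:32s} ~{hours:5.1f} h/year expected downtime")
```

With these inputs the duplicated sites alone still sit at about 9.6 hours of expected downtime a year, almost all of it from the shared software flaw, while the diverse-software design drops to about 1 hour.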

Cloud Computing CIIP Scenarios

(2) Health Services

• By 2016 about 30% of the IT budget of healthcare organisations would be devoted to cloud computing based expenses

• 73% plan to make greater use of cloud-based technologies in the future

Source: Accenture

Cloud Computing CIIP Scenarios

Diagram: eHealth Record Platform (SaaS)

• eHealth platform: web-interface access from hospitals

• Public Internet or telephony: connecting hospitals to datacenters

• Data centers: all systems are duplicated

• Private network, dedicated links: duplicated connection between datacenters

Cloud Computing CIIP Scenarios

Key Point:

• Cloud computing is expected to bring additional efficiency gains in health care service provision

“APT 18” launched the attack: said to have links with the Chinese government and to be behind targeted attacks on companies in the aerospace and defense, construction and engineering, technology, financial services and healthcare industries.

Source: FireEye Inc

TDoS Attack: a Telephony Denial of Service (TDoS) attack targets emergency response services in critical services such as health care

Cloud Computing CIIP Scenarios

(3) e-Government Services

• UK Gov Cloud app store “GovStore” has over 1,700 information & communication services available to the UK public sector

Source: http://govstore.service.gov.uk

Cloud Computing CIIP Scenarios

Diagram: eGovernment platform

• eGov websites: web-interface access (SaaS) and Gov cloud app store (PaaS)

• Public Internet or telephony: connecting eGov to datacenters

• Data centers: all systems are duplicated

• Private network, dedicated links: duplicated connection between datacenters

Cloud Computing CIIP Scenarios

Key Point:

• eGovernment services need to be resilient at all levels of attack

Cloud Computing CIIP Scenarios

(4) Cloud Services

Cloud Computing CIIP Scenarios

Diagram: cloud services stack

• Webmail provider (SaaS) and online backup service (SaaS)

• eGovernment applications (SaaS) running on a government app store (PaaS)

• Infrastructure or platform as a service (PaaS) underneath

• Public Internet or telephony: connecting eGov to datacenters

• Data centers: all systems are duplicated

• Private network, dedicated links: duplicated connection between datacenters

Cloud Computing CIIP Scenarios

Key Point:

• A failure at an IaaS/PaaS provider can have an impact across a range of organisations, affecting many end-users.

Session 4: Group Discussions


Question

What practical measures need to be taken to enhance CII resilience, especially the Cloud Infrastructure?

Session 5: Steps towards CI Protection


Steps towards CI Protection

(1) Establish CIP Goals, e.g.

• Critical Infrastructure (CI): Critical infrastructures (CI) provide the essential services that support modern information societies and economies. Some CI support critical functions and essential services so vital that the incapacitation, exploitation, or destruction, through natural disaster, technological failure, accidents or intentional attacks could have a debilitating effect on national security and economic well-being.

• Understand Critical Infrastructure (CI) Risks: CI exploitation, or destruction, through natural disaster, technological failure, accidents or intentional attacks could have a debilitating effect on national security and economic well-being.

• Articulate CIP policy/goals: Prevent or minimize disruptions to critical information infrastructures, no matter the source, and thereby protect the people, the economy, the essential human and government services, and the national security. In the event disruptions do occur, they should be infrequent, of minimal duration and manageable.

• Establish Public-Private Partnerships: The national CIP framework includes relevant government entities, as well as establishing public private partnerships involving corporate and non-governmental organizations.

Steps towards CI Protection

(2) Define CIP Roles

Diagram: the CIP cycle (Define Policy and Identify Roles, Determine Acceptable Risk Levels, Define what’s critical, Assess Risks, Identify Controls and Mitigations, Implement Controls, Measure Effectiveness) with the role of each party:

• Government: define CIP goal and roles

• Public-Private Partnership: prioritize risks

• Infrastructure Operators & Service Providers: deploy best control solutions

Steps towards CI Protection

Diagram: CIP stakeholders, grouped as Government, Shared and Private: CIP Coordinator (Executive Sponsor), Law Enforcement, Sector Specific Agency, Computer Emergency Response Team (CERT), Public Private Partnership, infrastructure owners and operators, IT vendors and solution providers.

Steps towards CI Protection

(3) Identify & Prioritize Critical Functions

Diagram: each critical function depends on infrastructure elements and key resources, each with its own supply chain, with interdependencies between them. Understand requirements & complexity.

• Understand the critical functions, infrastructure elements, and key resources necessary for

  – Delivering essential services

  – Maintaining the orderly operations of the economy

  – Ensuring public safety.

Steps towards CI Protection

(4) Continuously Assess and Manage Risks

Diagram: risk management cycle

Assess Risks

• Identify key functions

• Assess risks

• Evaluate consequences

Identify Controls and Mitigations

• Define functional requirements

• Evaluate proposed controls

• Estimate risk reduction/cost benefit

• Select mitigation strategy

Implement Controls

• Based on holistic approach

• Implement defense in-depth

• Organize by control effectiveness

Measure Effectiveness

• Evaluate program effectiveness

• Leverage findings to improve risk management

Steps towards CI protection

(5) Establish & Exercise Emergency Plans

• Develop joint PPP plans for managing emergencies – including recovering critical functions in the event of significant incidents, including but not limited to natural disasters, terrorist attacks, technological failures or accidents.

• Create emergency response plans to mitigate damage and promote resiliency.

• Create effective emergency response plans that are generally short and highly actionable so they can be readily tested, evaluated, and implemented.

• Test and exercise emergency plans to promote trust, understanding and greater operational coordination among public and private sector organizations.

• Exercises also provide an important opportunity to identify new risk factors that can be addressed in response plans or controlled through regular risk management functions.

Steps towards CII protection

(5) Establish Public Private Partnership (PPP)

• Promote trusted relationships needed for information sharing and collaborating on difficult problems

• Leverage the unique skills of government and private sector organizations

• Provide the flexibility needed to collaboratively address today’s dynamic threat environment

Steps towards CII protection

(6) Build Security & Resiliency into Operations

• Ability to prepare for and adapt to changing conditions, and withstand and recover rapidly from disruptions

• Implement contingency frameworks that will enable critical functions to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents

Steps towards CII protection

(7) Update & Innovate Technology and Processes

• Cyber threats are constantly evolving

• All CIP stakeholders need to prepare for changes in cyber threats

• Constantly monitor trends and changes in critical function dependencies

• Keep systems patched and maintain the latest software versions

• Adopt smart & effective procedures and processes

Session 5: Group Discussions


Question

• What should be the additional roles and responsibilities of the state?

• What investment is required to address CIIP vulnerabilities & threats?

• How should the private sector & government work on CIIP and build trust?

Session 6: Cybersecurity Threat Horizon


Session 7: Commonwealth Cybergovernance Model


Trends in Cyberspace

• Cyberspace provides access to ICT – bridging the digital divide and influencing social-economic activities

• Cyberspace is increasingly becoming a global system – anticipated to grow from 2 to 4 billion users by 2020 (mostly from developing countries)

• Cyberspace is open, decentralised and empowering – this has fostered innovation, collaboration and rapid development

• Cyberspace success depends on its infrastructure – infrastructure should be secure, resilient and available to users

• Cyberspace can also be used for criminal activities – cybercrimes, extremism and other social crimes

Why a Commonwealth Model

• Contrasting views emerging across the world on governing Cyberspace

• Harmonisation is critical to facilitate the growth and to realise the full potential of Cyberspace

• The Commonwealth family subscribes to common values and principles which are equally well applicable to Cyberspace

• CTO is the Commonwealth agency mandated in ICTs

• The project was launched at the 53rd council meeting of the CTO in Abuja, Nigeria (9th Oct 2013)

• Wide consultations with stakeholders

• Adopted at the Commonwealth ICT Ministers Forum on 3rd and 4th March 2014 in London

Objectives

The Cybergovernance Model aims to guide Commonwealth members in:-

– Developing policies, legislation and regulations

– Planning and implementing practical technical measures

– Fostering cross-border collaboration

– Building capacity


Commonwealth Values in Cyberspace

• Based on the Commonwealth Charter of March 2013

– Democracy, human rights and rule of law

• The Charter expressed the commitment of member states to

– The development of free and democratic societies

– The promotion of peace and prosperity to improve the lives of all peoples

– Acknowledging the role of civil society in supporting Commonwealth activities

• Cyberspace today and tomorrow should respect and reflect the Commonwealth Values

– This has led to defining Commonwealth principles for use of Cyberspace


Commonwealth Principle for use of Cyberspace

Principle 1: We contribute to a safe and an effective global Cyberspace

• as a partnership between public and private sectors, civil society and users, a collective creation;

• with multi-stakeholder, transparent and collaborative governance promoting continuous development of Cyberspace;

• where investment in the Cyberspace is encouraged and rewarded;

• by providing sufficient neutrality of the network as a provider of information services;

• by offering stability in the provision of reliable and resilient information services;

• by having standardisation to achieve global interoperability;

• by enabling all to participate with equal opportunity of universal access;

• as an open, distributed, interconnected internet;

• providing an environment that is safe for its users, particularly the young and vulnerable;

• made available to users at an affordable price.


Commonwealth Principle for use of Cyberspace

Principle 2: Our actions in Cyberspace support broader economic and social development

• by enabling innovation and sustainable development, creating greater coherence and synergy, through collaboration and the widespread dissemination of knowledge;

• respecting cultural and linguistic diversity without the imposition of beliefs;

• promoting cross-border delivery of services and free flow of labour in a multi-lateral trading system;

• allowing free association and interaction between individuals across borders;

• supporting and enhancing digital literacy;

• providing everyone with information that promotes and protects their rights and is relevant to their interests, for example to support transparent and accountable government;

• enabling and promoting multi-stakeholder partnerships;

• facilitating pan-Commonwealth consultations and international linkages in a single globally connected space that also serves local interests.


Commonwealth Principle for use of Cyberspace

Principle 3: We act individually and collectively to tackle cybercrime

• nations, organisations and society work together to foster respect for the law;

• to develop relevant and proportionate laws to tackle Cybercrime effectively;

• to protect our critical national and shared infrastructures;

• meeting internationally-recognised standards and good practice to deliver security;

• with effective government structures working collaboratively within and between states;

• with governments, relevant international organisations and the private sector working closely to prevent and respond to incidents.


Commonwealth Principle for use of Cyberspace

Principle 4: We each exercise our rights and meet our responsibilities in Cyberspace

• we defend in Cyberspace the values of human rights, freedom of expression and privacy as stated in our Charter of the Commonwealth;

• individuals, organisations and nations are empowered through their access to knowledge;

• users benefit from the fruits of their labours; intellectual property is protected accordingly;

• users can benefit from the commercial value of their own information; accordingly, responsibility and liability for information lies with those who create it;

• responsible behaviour demands users all meet minimum Cyberhygiene requirements;

• we protect the vulnerable in society in their use of Cyberspace;

• we, individually and collectively, understand the consequences of our actions and our responsibility to cooperate to make the shared environment safe; our obligation is in direct proportion to culpability and capability.


Practical Application of Commonwealth Principles

• Commonwealth members can develop individual strategies

– Aimed at addressing unique local needs and socio-economic priorities

• The Commonwealth Telecommunications Organisation welcomes engagement by all stakeholders


Further Information Contact:

Dr Martin Koyabe

Email: [email protected]

Tel: +44 (0) 208 600 3815 (Off)

+44 (0) 791 871 2490 (Mob)


Q & A Session