cyber security in ict networks - organization of american ... · inter-american telecommunication...

Inter-American Telecommunication Commission (CITEL)

Cyber Security in ICT Networks:CITEL Perspectives

Wayne ZeuchRapporteur, Standards Coordination

CITEL PCC.I

OAS Hemispheric Workshop on Cyber Security Rio de Janeiro Brazil Nov 16-18 2009


• Convergence– Wireline/Wireless– PSTN / IP-based Networks– Information Technology / Telephony– Network-based services / 3rd Party

Applications

• Next Generation Networks– Migration toward IP-based backbone

networks is taking place from single-service to multiservice, client/server-based networks

– Full deployment of NGNs requires a flexible (software) architecture for service delivery –based on IP Multimedia Subsystem (IMS)

• Interoperability– Interconnection of networks and

Interoperability of Services

2

Network convergence and the proliferation of end-user applications creates new security challenges for

ICT Networks

ICT Networks

NGN Infrastructure Technical Notebook, CITEL PCC.I

Inter-American Telecommunication Commission (CITEL)3

Service Oriented Networks

A Service Oriented Network (SON) is one in which service providers use agile methods to rapidly create new products and

services from re-usable components (known as Service Enablers)

NGN Standards Technical Notebook, CITEL PCC.I

CHALLENGE: SON implementations must be secure and reliable


CITELWork Process

4

• Resolutions• Best Practices• Proposals• Endorsements

• Discussion/Debate• Awareness Raising• Issue Identification

• Technologies (Security, ...)• Relevant Standards• Policy/Regulatory• Case Studies

Phases


CITEL PCC.ITechnical NotebookDESCRIPTION

• Provides a formalized means of maintaining an archive of technologies, best practices, policies, or regulatory information – made available to the OAS Member States and CITEL telecom industry members

• Documents relevant activities, completed or in progress• As a ”living document”, it is updated on an ongoing basis with

relevant information from contributions submitted to the Working Groups

Identifying issues and archiving valuable information for the use of the ICT community and in anticipation of

future CITEL recommendations

5


CITEL PCC.I Technical Notebooks

‒ Cybersecurity‒ Critical Telecom Infrastructure

Protection‒ NGN Standards‒ Convergence‒ NGN Infrastructure‒ Broadband Access

Technologies‒ NGN Networks – Best Practices

and Case Studies

‒ Fraud in the Provision of Telecom Services

‒ IPTV – Best Practices‒ VOIP – Technology Aspects‒ Number Portability‒ Regulatory – Best Practices‒ Power Line Communication

Technologies‒ Economic Aspects of

Universal Services

6


Cybersecurity Technical Notebook

• Provides an archive of Cybersecurity information available to the telecommunications industry and the Member States

• Highlights ongoing Regional and International cybersecurity strategy activities

• Addresses aspects relevant to developing national cybersecurity strategies

• Addresses issues of incident response, public-private partnerships, and the awareness-raising and application of relevant security standards

• Establishes links with the security standards discussions in the NGN Standards Technical Notebook

• Includes Appendices with national cybersecurity programs and best practices (Dominican Republic, Venezuela, Argentina)

7


Critical Telecommunication InfrastructureProtection (CTIP) Technical Notebook

• Motivation– The number of vulnerabilities in critical infrastructures tends to grow as the

interdependencies between the infrastructures increase, both in number and complexity

– Dissemination of telecommunication networks into all infrastructures, and the increasing reliance of the critical infrastructures upon them, brings with it certain impacts that cannot be neglected

– Interruption of these services can threaten human life, destroy property, and destroy or corrupt information, possibly interrupting the work of governments and corporations

• Strategies– Key National CTIP Issues, Policies, Strategies

• Brazil (Information Security Steering Committee, CERT.br, Security Incident Response Team, CTIP Methodologies)

• Venezuela (SUSCERTE, VENCERT, CENIF) 8


Next Generation Networks: Standards Overview Technical Notebook

• Identifies NGN related standards that the Standards Coordination Group is studying

• Provides an archive of NGN technical information (including security-related topics) that is available to the telecom industry and the Member States

• Documents NGN standards, completed or in progress, which may be considered for future development into an SCD in accordance with the CITEL approval procedures

Identifying issues and archiving valuable standards information for the use of the ICT community and in

anticipation of future CITEL endorsement

9


TheThe NGN Standards Technical NotebookNGN Standards Technical Notebook identifies NGN‐related standards including relevant services, architectures and protocols.

(e.g., Signaling, Access, Transport, Management, Service Creation, QoS, Internet Protocol, Numbering). In particular, ...

–– Chapter 2 Chapter 2 –– Emergency Telecommunications Service (ETS)Emergency Telecommunications Service (ETS)•• ETS TypesETS Types

•• Standardization Activities (ITU, IETF, ETSI, ATIS, others)Standardization Activities (ITU, IETF, ETSI, ATIS, others)

–– Chapter 6 Chapter 6 –– Security Standards (active) Security Standards (active) •• ITUITU‐‐T Security StandardsT Security Standards

•• Identity ManagementIdentity Management

–– Chapter 15 Chapter 15 –– Security Standards (archive)Security Standards (archive)•• Internet Protocol Security (IPsec)Internet Protocol Security (IPsec)

•• Internet Key Exchange (IKE) Internet Key Exchange (IKE)

•• Security Architecture for EndSecurity Architecture for End‐‐toto‐‐End Communication SystemsEnd Communication Systems

“Next Generation Networks: Standards Overview”Technical Notebook

Inter-American Telecommunication Commission (CITEL)11

Cyber Security and CTIPMethodologies and Processes

• ITU-T: Recommendation X.805, “Security Architecture for End-to-End Network Security”(NGN Standards Technical Notebook, CITEL PCC.I)

• ISO/IEC 27005: Risk Management Process (Cybersecurity Technical Notebook, CITEL PCC.I)

• Brazil: Methodologies created for Critical Telecommunications Infrastructure Protection

(Cybersecurity Technical Notebook, CITEL PCC.I)

Acce

ss C

ontro

l

Infrastructure Security

Applications Security

Services Security

End User Plane

Control Plane

Management Plane

THREATS

8 Security Dimensions

ATTACKSData

Con

fiden

tialit

y

Com

mun

icat

ion

Secu

rity

Dat

a In

tegr

ity

Avai

labi

lity

Priv

acy Interruption

Fabrication

InterceptionModification

Auth

entic

atio

n

Non-

repu

diat

ion

VULNERABILITIES

Examples:


Acce

ss C

ontro

l

Infrastructure Security

Applications Security

Services Security

End User Plane

Control Plane

Management Plane

THREATS

8 Security Dimensions

ATTACKSData

Con

fiden

tialit

y

Com

mun

icat

ion

Secu

rity

Data

Inte

grity

Avai

labi

lity

Priv

acy Interruption

Fabrication

InterceptionModification

Auth

entic

atio

n

Non-

repu

diat

ion

VULNERABILITIES

Security Architecture for EndSecurity Architecture for End--toto--End Network SecurityEnd Network Security

ITU‐T Security Architecture

NGN Standards Technical Notebook, CITEL PCC.I

ITU‐T Rec. X.805


Security Program• Consists of policies and procedures in addition to technology• Includes three phases:

– Definition and Planning phase– Implementation phase– Maintenance phase

• Security Architecture can guide the development of:– comprehensive security policy– incident response and recovery plans– technology architectures

• Security Architecture ensures that Security Program addresses each Security Dimension for each Security Layer and Plane

ITU‐T Security Architecture


Security Risk ManagementISO/IEC 27005

Cybersecurity Technical Notebook, CITEL PCC.I


Brazil

Methodologies for Cybersecurity and CTIP

CTIP Technical Notebook, CITEL PCC.I


Methodology for Critical Infrastructure Identification (MI2C)

Brazil

CTIP Technical Notebook, CITEL PCC.I


Standards Coordination Process

Raising awareness by socializing technology standardization activities/progress. Archiving standards descriptions in

anticipation of future endorsement.

StandardsDevelopment(ITU, IETF, …)

PCC.I Standards Coordination

Technology andStandards

Presentations, Discussions

NGN TechnicalNotebook

(if applicable)

StandardsCoordination

Document (SCD)

PCC.I ResolutionEndorsing Standard

17

CITEL does not develop standards.

CITEL identifies relevantstandards and endorsestheir use in the AmericasRegion.


Standards Coordination

• Communication system security (security framework, protocols, lawful intercept, identity management, fraud prevention)

• Multimedia service definition and architectures

• Signaling requirements and protocols (converged networks)

• IP-based services (VOIP, IPTV, etc.)

• Emergency services• Interworking between

traditional telecommunication networks and evolving networks

• Metropolitan and Long haul optical transport networks

Standards topics identified:

• Metropolitan and Long haul optical transport networks

• Access network transport (LANs, Wireless LANs, xDSL, Ethernet, cable modem, fiber, etc.)

• Terminals (PC, TV, PDA, phone, codecs, etc.)

• Management of communications services, networks and equipment

• Network aspects of IMT-2000 and beyond (wireless internet, harmonization and convergence, network control, mobility, roaming, etc.)

• Numbering, Naming and Addressing (ENUM)

• Performance and QoS

18


CITEL‐PCC.I ResolutionsEndorsing Standards for the Americas Region (1)

Standard DateDateGateway Control Protocol March 2001

Intelligent Networks Capability Set 3 March 2001

Intelligent Networks Capability Set 4 Dec 2002

ITU-T Y.2000-Series Recs for NGN (SG13) Sept 2003

ANSI-41 Evolved Core Network with CDMA2000 Access Network Sept 2003

GSM Evolved UMTS Core Network with UTRAN Access Network Sept 2003

Security Architecture for the Internet Protocol (IPsec) March 2004

Security Architecture for Systems Providing End-to-End Communications (ITU-T Rec. X.805)

March 2004


CITEL PCC.I ResolutionsEndorsing Standards for the Americas Region (2)

Standard DatePacket-Based Multimedia Communications Systems (ITU-T Rec. H.323)

March 2004

Interworking Between SIP and BICC Protocols or ISUP (Rec. Q.1912.5)

Sept 2004

SIP: Session Initiation Protocol April 2005

ITU-T Rec. G.993.2 , VDSL2: Very High Speed DSL-2 Transceivers

Sept 2006

ITU-T Rec. J.122, “Second-Generation Transmission Systems for Interactive Cable Television Services – IP Cable Modems”

Sept 2006

Internet Protocol Version 6 (IPv6) Sept 2006

E.164 to Uniform Resource Identifiers (URI) Dynamic Delegation Discovery System (DDDS) Application (ENUM)

Sept 2007

20


CITEL‐PCC.I ResolutionsEndorsing Standards for the Americas Region (3)

Standard DateITU-T Rec. E.106, “International Emergency Preference Scheme for Disaster Relief Operations”

March 2008

ITU-T Rec. E.107, “Emergency Telecommunications Service (ETS) and Interconnection Framework for National Implementations of ETS”

March 2008

ITU-T Rec. Y.1910, “IPTV Functional Architecture” May 2009

ITU-T Rec. Y.2270, “NGN Identity Management” May 2009


ITU‐T Study Group 17

Telecommunications systems security projectSecurity architecture and frameworkSecurity managementCybersecurityCountering spam by technical meansSecure aspects of ubiquitous telecommunication servicesSecure application servicesService Oriented Architecture SecurityTelebiometricsIdentity Management architecture and mechanisms

ITU‐T Security Standards

Study Group 17 Study Group 17 is the Lead is the Lead ITUITU‐‐T Study Group for T Study Group for SecuritySecurity and and Identity Identity ManagementManagement


Approved ITU‐T Security RecommendationsM.3016.0, 1, 2, 3, 4

Security for the management plane: Overview, Security requirements, Security services, Security mechanism, Profile proforma

X.509 Information technology – Open Systems Interconnection – The Directory: Public-key and attribute certificate frameworks

X.805 Security architecture for systems providing end-to-end communications

X.893 Information technology – Generic applications of ASN.1: Fast infoset security

X.1035 Password-authenticated key exchange (PAK) protocol

X.1051 Information security management system - Requirements for telecommunications (ISMS-T)

X.1055 Risk management guidelines for telecommunications organizations

X.1056 Security incident management guidelines for telecommunications organizations

X.1081 The telebiometric multimodal model - A framework for the specification of security and safety aspects of telebiometrics

X.1111 Framework for security technologies for home networkX.1114 Certificate profile for the device in the home network, User authentication

mechanisms for home network service, Authorization framework for home network

PartialList (1)


X.1121 Framework of security technologies for mobile end-to-end communications

X.1122 Guideline for implementing secure mobile systems based on PKI

X.1141 Security Assertion Markup Language (SAML 2.0)

X.1142 eXtensible Access Control Markup Language (XACML 2.0)

X.1191 Functional requirements and architecture for IPTV security aspects

X.1205 Overview of cybersecurity

X.1242 Short message service (SMS) spam filtering system

X.1244 Overall aspects of countering spam in IP-based multi-media applications

Y.2270 NGN Identity Management Framework

Y.2701 Security requirements for NGN release 1

Approved ITU‐T Security Recommendations PartialList (2)


SG 17 security work in progress (selected items)

Draft Rec. Title or Subject

X.1250 Requirements for global identity management trust and interoperabilityX.1251 Framework for user control of digital identityX.akm Framework for EAP-based authentication and key managementX.gopw Guideline on preventing worm spreading in a data communication network

X.fcsip Framework for countering IP multimedia spamX.tcs-1 Interactive spam countering gateway systemX.tpp-2 Telebiometrics protection procedures – Part 2: A guideline for data

protectionX.tai Telebiometrics authentication infrastructureX.tsm-2 Telebiometrics system mechanism – Part 2:Protection profile for client

terminalsX.rfpg Guideline on protection for personally identifiable information in RFID

applications

(continued)

ITU‐T Security StandardsSG 17 security work in progress (selected items)


IETF Standards DevelopmentThe IETF Security Area has the following active Working

Groups developing Internet standards:• btns Better-Than-Nothing Security• dkim Domain Keys Identified Mail• emu EAP Method Update• hokey Handover Keying• Ipsecme IP Security Maintenance and Extensions• isms Integrated Security Model for SNMP• keyprov Provisioning of Symmetric Keys• kitten Kitten (GSS-API Next Generation)• krb-wg Kerberos• ltans Long-Term Archive and Notary Services• msec Multicast Security• nea Network Endpoint Assessment • pkix Public-Key Infrastructure (X.509)• sasl Simple Authentication and Security Layer• smime S/MIME Mail Security• syslog Security Issues in Network Event Logging• tls Transport Layer Security

IETF Security Standards

The Internet Engineering Task Force is a major is a major developer of Internet developer of Internet standardsstandards


Summary• CITEL continues to address Cybersecurity and Critical

Telecommunications Infrastructure Protection and has initiated new work in several key areas

• CITEL is not only collecting experiences and data on Cybersecurity from its members, but is also actively engaged in discussions of national strategies and best practices, leading to policy recommendations for the Americas Region

• CITEL is utilizing workshops and Technical Notebooks to increase awareness of cybersecurity issues and to assess best practices and strategies in order to increase security and mitigate the effects of cyber crime


Summary (2)• CITEL is utilizing Standards Coordination Documents to

increase awareness of relevant security standards and to endorse the use of those standards in the Region

• Continued cooperation within the Americas Region and continued input from its members on cybersecurity experiences and strategies will allow CITEL to remain focused on the most relevant security issues so as to provide recommendations for the Region and provide value to other bodies internationally


g{tÇ~ lÉâ4g{tÇ~ lÉâ4Wayne ZeuchCITEL PCC.IRapporteur, Standards [email protected]

[email protected]