information security risks and controls of public geospatial datasets · 2014. 6. 25. ·...

Information Security Risks and Controls of Public Geospatial Datasets July 17, 2014 David Lanter PhD GISP


  • Information Security Risks and Controls of Public Geospatial Datasets July 17, 2014

    David Lanter PhD GISP

  • This Presentation…

    CDM Smith applies GIS and develops custom applications – producing, deploying and disseminating geospatial datasets for our public agency clients. We are responsible for understanding the unique information security risks and controls associated with protecting public geospatial data…

    Risks and Controls of Public Geospatial Datasets

  • Presentation

    1. Background
    2. GIS Data are Important
    3. National Spatial Data Infrastructure
    4. Critical National Infrastructure
    5. Risks to Critical National Infrastructure
    6. Inherent Risks
    7. Mitigating Controls
    8. Research Opportunities

  • Background

    • 1950s – 60s – Will Garrison and his students at the University of Washington in Seattle (dubbed the “space cadets”) led the quantitative revolution in geography

    • 1961 – Lee Pratt of Canada Land Inventory boards a plane, sits next to Roger Tomlinson and describes his problem
      – Unfeasible estimate of $8 million to produce maps and analyze land use of >100 million sq. miles of rural lands

    • 1963 – Tomlinson proposes $3 million project to solve the problem with computers

  • Background

    • 1970s – First GIS: Tomlinson’s Canada GIS – spatial queries and analyses of Earth’s surface
      • Situational awareness
      • Resource inventories
      • Change detection monitoring
      • Raster to Vector conversion
      • …

    • 1976 – Ford Foundation funds Geography Chair at Harvard
      – Brian Berry (Garrison’s student) appointed Chair and directs the Laboratory for Computer Graphics and Spatial Analysis, where research leading to ArcGIS (PIOS, Whirlpool, etc.) and Spatial Analyst (GRID) was conducted

  • Background

    Over the decades, GIS capabilities improve…

    – Proprietary commercial, academic and governmental open source GIS packages developed and bundled
    – Migrated across hardware platforms and operating systems
      • Ported from mainframe to mini-computers, to personal computers
    – Geocoding, navigation, and display reengineered and fused with real-time location and geographic sensors
      • On-board computers in cars, planes and boats

  • Background…

    • Over the decades, GIS capabilities improve
      – Geo-relational “geospatial” data structures associating descriptive attributes with spatial representations
      – Complex disk file storage formats evolved into enterprise relational databases containing spatial indexes (for rapid spatial searches)
      – Spatially enabled middleware connected to a wide range of custom and commercial off-the-shelf client applications
      – Client-server and n-tier architectures move GIS back to larger enterprise computer servers and onto web servers supporting distributed personal computers, laptops, and other mobile platforms

  • GIS Data are Important

    GIS Data play a central role in the United States
    – Geographic location is a key element of 80-90% of all governmental data (FGDC, 2006)
    – Essential to >50% of the Nation’s domestic economic activities (National Academy of Public Administration, 1998)

  • GIS Data are Important

    • Free flow of geographic information between government and public is recognized as essential
      – Informs public for participation in democratic decision making
      – Private businesses reuse the public’s investment in government information

    • Disseminating public geospatial data is central to the missions of many public, private and non-profit organizations

  • National Spatial Data Infrastructure

    1994 – President Clinton signs Executive Order 12906
    – Federal Geographic Data Committee (FGDC) to create National Spatial Data Infrastructure (NSDI), and…
      • Address $ billions wasted
        – Redundant collection of undocumented, hard-to-find geospatial data stored in incompatible formats
      • Encourage Agencies to stand up NSDI Clearing House nodes on Internet
        – Populated with geospatial data and their descriptive metadata

  • National Spatial Data Infrastructure

    FGDC 1998. Content Standard for Digital Geospatial Metadata

  • Critical National Infrastructure

    In 1996, President Clinton signed Executive Order 13010, which formally identified certain infrastructure as vulnerable to attack by explaining:

    “Certain national infrastructures are so vital that their incapacity or destruction would have a debilitating impact on the defense or economic security of the United States”

    • Water supply systems
    • Transportation
    • Electrical power systems
    • Continuity of government
    • Telecommunications
    • Gas and oil storage and transport
    • Banking and finance
    • Emergency services

  • Critical National Infrastructure

    After 9/11/2001, attention focused on protecting critical infrastructure that U.S. adversaries might seek to attack

    U.S. officials began instituting policies to protect information

    …it was not too long before GIS data made available through Clearinghouse nodes of NSDI became recognized as at risk of being exploited by those seeking to attack major U.S. cities and critical infrastructure

  • Risks to Critical National Infrastructure

    In 2003, Director of U.S. National Imagery and Mapping Agency (in 2004 renamed National Geospatial-Intelligence Agency) asked RAND Corporation for a:

    Framework to “guide public and private decision makers in weighing homeland security implications related to release of geospatial information”

  • Risks to Critical National Infrastructure

    RAND’s 2004 Deliverable included a Survey and Analysis of
    – 465 programs/offices/initiatives at 30 agencies and departments identified as providing geospatial information to the public
      • 628 public datasets sampled from NSDI Clearinghouse nodes
      • 37 (~6%) found to be useful in helping an attacker select a target or plan an attack against a site
        – None were so critical that an “attacker could not perform the attack without” them

    – Conclusions
      • Publicly available geospatial “information needed for identifying and locating potential targets is widely accessible”
      • “…detailed and up-to-date information required for attack planning against a particular target is much less readily available”

  • Risks to Critical National Infrastructure

  • Risks to Critical National Infrastructure

    “Does knowledge of the location and purpose of a feature as described in the data, have the potential to significantly compromise the security of persons, property, or systems?”

    – FGDC Guidelines 2005, based on RAND’s 2004 study

  • Inherent Risks

    Classification of geospatial data “sensitivity” is based on usefulness to terrorists…

    Does it contain choke points that can increase effectiveness of an attack?

  • Inherent Risks

    “Does it include information that can be used to find the best way to cause catastrophic failure?”

    Does it contain temporal information identifying times of increased security vulnerability?

  • Mitigating Controls

  • Mitigating Controls

    If security risks outweigh benefits of releasing the data to the public, agency can choose to safeguard data by:

    – Modifying data
      • Remove or reduce detail in offending data elements
        – either in the attributes, spatial representations, or both

    – Restricting access to data
      • If agency lacks authority to change data, or believes modifying data will undermine its value to the public, then agency can restrict access

  • Mitigating Controls

    Remove, or reduce detail in offending data elements…

    – Apply techniques of Cartographic Generalization
      1. Selective Omission
      2. Simplification
      3. Combination
      4. Exaggeration
      5. Displacement

  • Mitigating Controls

    Restricting Access to Geospatial Data is accomplished through identification, permissions and authorization systems of IT data management systems and applications

    [Figure: Security Risk Management Process Diagram – Microsoft]

    [Figure: Restricting Access – SANS Institute]

  • Control Policies

  • Control Policies (1), (3), (4)

    Note: See http://www.fgdc.gov/ for the crosswalk from the FGDC CSDGM to the ISO 19115 metadata standard

  • Control Policies (2)

  • Mitigating Controls (4)

  • Supporting metadata development tools

  • An Inherent Weakness as Mitigating Controls

    Other than Security Classification, FGDC Metadata are “unstructured”…

    Type: text
    Domain: “None” free text

  • Research Opportunities in Automating Mitigating Controls

    1. Structured metadata
    + 2. Reliable identity and authorization management system
    = Automated security policy implementation tools to:
      • Block access to data by unauthorized users
      • Determine whether to present FOUO original version or generalized version to the user
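
    One way such an automated policy tool could work, as an added example that is not from the presentation: structured release metadata plus a user's clearances decide between blocking, serving the FOUO original, or serving a generalized version. The field names, the PUBLIC/FOUO/RESTRICTED vocabulary, the sample record and the grid snapping (a simple stand-in for cartographic simplification) are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ReleaseMetadata:            # hypothetical structured fields, not FGDC elements
    classification: str           # assumed vocabulary: PUBLIC, FOUO, RESTRICTED
    omit_attributes: frozenset    # attributes removed by selective omission
    grid_degrees: float           # coordinate grid of the generalized version

@dataclass(frozen=True)
class User:
    authenticated: bool
    clearances: frozenset = frozenset()

def generalize(feature, meta):
    """Reduce detail in both the attributes and the spatial representation."""
    g = meta.grid_degrees
    snap = lambda v: round(round(v / g) * g, 6)   # grid snapping, stand-in for simplification
    return {
        "coords": [(snap(x), snap(y)) for x, y in feature["coords"]],
        "attributes": {k: v for k, v in feature["attributes"].items()
                       if k not in meta.omit_attributes},
    }

def serve(feature, meta, user):
    """Return (decision, payload). Anything the policy cannot evaluate is denied."""
    cleared = user.authenticated and meta.classification in user.clearances
    if meta.classification == "PUBLIC":
        return "original", feature
    if meta.classification == "FOUO":
        return ("original", feature) if cleared else ("generalized", generalize(feature, meta))
    if meta.classification == "RESTRICTED" and cleared:
        return "original", feature
    return "deny", None           # uncleared RESTRICTED, or a free-text/unknown value

# Constructed sample record, not real data.
SAMPLE_FEATURE = {
    "coords": [(-75.163526, 39.952335)],
    "attributes": {"type": "pump station", "capacity_mgd": 40,
                   "staffing_hours": "06:00-18:00"},
}
SAMPLE_META = ReleaseMetadata("FOUO", frozenset({"capacity_mgd", "staffing_hours"}), 0.01)

if __name__ == "__main__":
    for user in (User(False), User(True, frozenset({"FOUO"}))):
        print(user, serve(SAMPLE_FEATURE, SAMPLE_META, user))
```

    A classification value outside the assumed vocabulary, such as free text, falls through to "deny", which is why the decision depends on the metadata being structured.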

  • Research Opportunities in Automating Mitigating Controls

    1. Structured metadata
    + 2. Reliable identity and authorization management system
    + 3. Automated security policy implementation tools to block access of unauthorized users
         “Security Policy Language” (Kotenko et al. 2007)
    = Tools able to detect, identify, and help resolve inconsistencies among policies within and among Agencies which provide sensitive geospatial data to NSDI

    Kotenko, Igor, Artem Tishkov, Olga Chervatuk, Ekaterina Sidelnikova, 2007. Security Policy Verification Tool for Geographic Information Systems, in Information Fusion and Geographic Information Systems – Lecture Notes in Geoinformation and Cartography, Springer, pp. 128-46

  • Presentation

    • Background
    • GIS Data are Important
    • National Spatial Data Infrastructure
    • Critical National Infrastructure
    • Risks to Critical National Infrastructure
    • Inherent Risks
    • Mitigating Controls
    • Research Opportunities

  • Information Security Risks and Controls of Public Geospatial Datasets July 17, 2014

    David Lanter PhD GISP
