This document discusses international cooperation on critical infrastructure protection (CIP) and trustworthy information and communications technology (ICT). It describes the BIC project, which aims to identify challenges to EU and global trust and security, and facilitate collaboration between organizations. Key issues discussed include monitoring critical infrastructure ecosystems, detection of anomalies, secure notification systems, metrics for quantifying protection, and response strategies. International cooperation is needed for technologies, threat information sharing, and data management standards regarding acquisition, dissemination, storage, and access.
International approaches to critical information infrastructure protection, by Jim Clarke
1. Trustworthy CIP: The International Data Issues
Jim Clarke & Neeraj Suri
Telecommunications Software and Systems Group, Waterford Institute of Technology, Ireland
Dept. of Computer Science, TU Darmstadt, Germany
OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India) 1
2. James Clarke
19 years EU R&D projects experience
8 years systems and software engineering experience
Strategic Liaison Manager, TSSG research group, Waterford IT, Ireland
www.tssg.org
BIC Project coordinator: www.bic-trust.eu
3. CIP: Monitoring, Communication, Notification, Control...
(Diagram: Internet Technologies)
4. Critical Infrastructure (CI) Data Ecosystems
The CI ecosystem has transcended beyond the classical notions of CI (power, transportation, water etc).
Telcos, financial networks, data centers are all CI’s…
CI’s are no longer – by design or intent – “closed” systems.
Users dictate functionality of CI, e.g. mobile-commerce, cost models for Smart-Grid, Smart-Highways…
CI’s are inter-connected via ICT (& with shared susceptibilities)!
Telcos/Internet/Cloud increasingly act as the CI data conduit (Stuxnet, Flame, SASoon…)
ICT resilience (or lack of it) equals CI’s resilience levels!!!
5. Fundamental CIP Issues (EC CoMiFIN, INSPIRE)
Detection: Can we detect/identify an anomaly, intrusion or attack either as a run-time perturbation or as prior-attack pattern database matches? What are the detectors - their composition, location and functionality?
Notification: Can we (in a responsive - timely + reliable - manner) aggregate & communicate detection to a response entity? What are the mechanisms to facilitate notification?
Metrics: Can we quantify what we need to protect and also the value of the achieved protection?
Response: Can we conduct mitigation & recovery actions? Can we quantify what we need to protect and also the value of the achieved protection?
Economics, as much as technical drivers, dictates CIP.
6. Goal: Basing Secure Communications on Insecure ICT
Overlays
Add filters, routes & functionality
Buffer to ICT threats; decouple ICT and CI associations
Provide monitoring of ICT <-> CI
P2P Overlays: Adaptive redundant paths
Handle resource and route changes
Handle attack changes
Can we enhance ICT-centric overlay communication to provide technically and economically viable levels of resilience?
7. CIP ICT Overlay Models (Intrusive, Non-Intrusive)
www.comifin.eu
Intrusive Overlays: Dedicated probes, routers, channels … Distributed control systems (SCADA)
Non-intrusive Overlays … e.g. P2P: self-standing properties - secure, dependable - & decoupled from the CI! CI handled as black-box. Non-intrusive approach to realize an additional defense line/layer that implements further/new (usually collaborative) security mechanisms.
8. Monitoring, Dissemination & Response Issues
Drivers: Security/trust support; Responsiveness; Scalability
Base techniques: Connection overlays; Semantic overlays; Configuration management; Adaptive topology control of P2P overlays; Reliable data delivery (data and path replication..)
„Epidemic“ spreading of undesired information (worms etc.); Counter-measures; Desired information (warnings, trust etc.)
Higher reachability, lower latency; Spreading speed tunability
Assess security of overlays: Threat models; Intra- and inter-CIs forwarding/isolation
Intra & Inter-CI: To monitor the defined metrics; To predict future patterns; To evaluate infrastructure dependability levels; Use of the overlays to collect measurements and monitor metrics – technical and economic; Prediction & early warning
9. Notification Issues: CoMiFin FIP Approach
(Diagram: Financial Institutions, each with a Network Management System and Msg/Event Processing, connected over a Msg/Event bus with Trust, Access Control, Security and Authentication functions; a Semantic Overlay on top of a Connectivity Overlay on top of the Internet)
10. Trust Attributes for Infrastructure Protection
(Diagram: App Level - Users, Businesses, FI/Govt; Tech/Info Conduits - Public, Custom; Sys Level - UI Servers, Telcos, DB Servers; Impact - Operational, Financial, Confidence)
Transactional & Data Confidentiality - Liability Driver
Transactional & Data Integrity - Liability Driver
Transactional & Data Availability - Usage Driver
The Financial Infrastructure Protection (FIP) challenge is not just at a favorite (national) level or element(s) within the FI landscape, but the consolidated, coherent and consistent coverage of the overall environment – the technological, usage and user elements – on a global scale.
11. Technology Specific Intl. Cooperation Elements
Providing/Regulating access across proprietary CI Silos!!!
Overlay technologies: architectures, algorithms, …
Reliable, secure information delivery techniques
Intra and Inter-CIP architectures, threat models,…
Mobile & telco CIP coupling models
Intrusion detection (international repository of threat patterns – monitoring, responsiveness, governance, liability)
…
Cooperation opportunities at technology levels or at the more abstract CI data levels of monitoring, dissemination, storage and management (over next slides)
12. The BIGGER Data Trust Chain Picture on CIP
(Trust chain layers: Trusted People, Trusted Data, Trusted Policies, Trusted Networks, Trusted HW/SW)
CIP is about enhancing “trust” in a CI.
Trust (for any system of CIP) is fundamentally multi-layered – one needs to address all aspects of it for a solution to be meaningful!
Trust is an end-to-end attribute …and the trust data chain is global!
- Trust is NOT a piecemeal property. Cyber attacks target the entire trust chain (the blocks, the interfaces, the technology changes and users!!!) for the “weakest link” vulnerabilities on the overall attack surface.
- Cloud & Mobile computing makes the data/trust chain all the more global!
Trust needs a global collaborative effort!
13. CIP Data Management
The “Data” Elements
Data Acquisition
Data Dissemination
Data Storage
Data Management/Usage
Large scale systems (architectures, infrastructures) invariably evolve to incorporate unstructured/open operational elements (including users!): The issue is to identify the underlying “structures” such as building block/interfaces to develop coherent, domain + technologically invariant solutions.
14. FIP Data Acquisition: Devices & Users
Places your credit card is used?
Integrity of point of sale terminal and backend network?
Inter-bank conduits over domestic and intl. transactions?
Online services
Any knowledge or control where they are hosted?
Knowledge or control over threats – intrusions, attacks - at use or infrastructure levels?
Global monitoring & response entities?
15. FIP/CIP Data Dissemination
Data Dissemination
• Does one know or control which network is being used?
• What are the Security Level Agreements – Domestic/Intl?
• Mobile device interfacing to networks? Domestic/Intl?
• Networks might be diverse & changing, though the common monitoring/control elements of pricing/account tracking often form the weak point
Data Storage (Data Centers)
Data Access (Networks, SLA interfaces…..)
Common Interest Themes: Metrics, Accountability, Mobile TSD
16. Data Access, Dissemination, Storage & Control?
17. Data Servers, Storage & The Human Element
Services and servers are no longer monolithic – collaborative computing, P2P, Cloud…
Data Servers are located worldwide - Google Data Centers
For a security breach on the data, who is liable? The data center locale? The owner of the data center? The network?
18. The Big Issue: Info/Data Accountability
Accountability? Appropriate use; Access control; Traceability; Governance; Liability; Compliance; …
- Data Acquisition - Data Dissemination - Data Storage - Data Access
At what level & by what “trusted” authority? For services? For applications? Inter-resource?
Data ownership – digital rights? Browsing data? Financial data? Legal?
19. Privacy & Security Interplay
Multi-cultural/national nuances! The role of technology in trust is also often cultural – what to monitor, how to monitor etc.
Localized Approaches: Smart spaces - ID’s & authentication?
E2E Trust-Privacy-Security Envelope: Measures of privacy? Quantification of Trust-Privacy-Security? Tradeoffs? Governance on an international scale?
(Diagram: Social Requirements; Economic Basis; Policies/Political)
20. Data Perspective: Collaboration Avenues
While one can come up with many, many, many innovative solutions (routing overlays, replication, negotiation, “your favorite approach here” etc), can we collaborate together on:
What constitutes (globally conformal) data ownership and data accountability – individual and institutional?
What to monitor, at what level and where? Regulation? Governance?
What are the quantifiers/metrics of trust and security (technological and economic) based on which one should develop solutions?
21. Trust and Security Profile (note: not exhaustive list)
(Diagram: Biometrics; Privacy, identity; Network Services; Secure Implementation; Trusted Computing; CA/SA’s: EffectsPlus, GINI-SA, SecurIST, ESFORS, ACTOR)
22. Priority areas for Trust and Security for Call 10 (d’line: 01/2013)
a) Security and Privacy in cloud computing
• scalable, portable and robust;
• improve the security components, in particular for identification, authentication and encryption;
• long-term privacy and security
• new models and tools for inter-domain security breaches.
b) Development, demonstration and innovation in cyber security
• application of technologies to increase the level of cyber security;
• development and demonstration of technologies, methodologies and processes to prevent, detect, manage and react to cyber incidents;
• improving the situational awareness and supporting the decision making process;
• develop and demonstrate advanced technologies and tools that will empower users, notably individuals and SMEs, in handling security incidents and protecting their privacy.
c) Security and Privacy in mobile services
• efficiency, robustness and performance in particular for system security (e.g. malware detection), data management and identification/authentication;
• Address specificities of the mobile devices (smart phone, tablet…) compared to traditional PCs;
• include privacy-by-design (user control)
• scalable, inter-operable and applicability.
d) Technologies and methodologies to support EU trust and security policies
• Develop an EU cyber security research agenda;
• Analyse the innovation process in privacy and cyber security technologies;
• Facilitate the application of privacy and security by design practices in the development and implementation of products and services.
… and others
24. BIC: Building International Co-operation for Trustworthy ICT
Identify EU & international t&s challenges
Identify global trust and security challenges
Facilitate collaboration fora
- Raising awareness of funding calls/EU mechanisms
- People/partner/organisations linkages
- Guidance on developing sustained longer-term EU – international collaborations, fostering bi-lateral (tactical) and multi-lateral (strategic) co-operations.
European Commission DG-CONNECT Unit H.4: Trust and Security
Coordination Action, Jan 2011-Dec. 2013
http://www.bic-trust.eu/
25. European Commission Home for BIC
BIC is in the portfolio of Unit H.4 Trust and Security, EC DG CONNECT (Communications Networks, Content and Technology), Directorate H "Sustainable and Secure Society".
Main goals are to address selected ICT challenges for a sustainable, healthy and secure society, and to develop a full-cycle roadmap to get the output into the EU economy, through innovation tools such as pilot-lines, pre-commercial procurement, and standards.
Directorate H is the leader for Horizon 2020/Societal Challenges.
The Trust & Security (H.4) priorities are the following:
Elaborate a European strategy on Internet security and remove cyber security related obstacles to the proper functioning of the Internal Market.
Manage implementation of the e-privacy Directive and follow-up of all issues related to the protection of privacy on-line.
Manage the various financial programmes (FP7, CIP, H2020) supporting the Internet and ICT security.
Promote a better coordinated and coherent approach on cyber incident management worldwide.
To find out more information about the transition to DG CONNECT, please visit http://ec.europa.eu/dgs/information_society/connect_en.htm
26. BIC: Overall Structure
(Diagram: the BIC Project core, communicating via the BIC secretariat function, linked to BIC countries & programmes, the European Commission, the International Advisory Group (IAG), and external relations, e.g., ENISA, W3C, …)
WG1. Human/User trust & security
WG2. Network info- & cyber-security
WG3. Programme and funding focus
29. Moving Towards a Strategic Approach
How do we achieve it?
IAG
Visitations
Contacts/Exchange
Workshops
WG’s
30. International Advisory Group (IAG) - Roles
The IAG will be the forum bringing together the country representatives from the earlier INCO-Trust countries (U.S., Canada, …) and the BIC countries (India, Brazil and S. Africa) in a more strategic way;
To facilitate collaborations between national ICT Trust and Security constituencies and related ICT trust and security constituencies from other countries;
To review the situation on International collaboration strategy in ICT trust and security on a regular basis, providing advice on the priorities for international cooperation between the respective research communities, providing directions to the project and recommendations for improvement;
Assist in the building of the working groups to enable BIC to structure relationships and linkages and facilitate contacts for theme based workshops or other networking events.
31. IAG & Working Groups Structure
(Diagram: the IAG at the centre, linked to a CWG and several EWGs)
32. International Advisory Group
Country: IAG Members
India: Dr. Gulshan Rai, Director General, Government of India, Ministry of Communication & IT, Department of Information Technology (DIT), STQC Directorate; Mr. Abhishek Sharma, Beyond Evolution Tech Solution Pvt. Ltd.
Brazil: Dr. Leal de Andrade, INCO Unit, CNPQ; Lisandro Granville, Director, CTIC (Research and Development Centre for ICT); Prof. Priscila Solis Barreto, University of Brasilia
South Africa: Mr. Isaac Maredi, Director: Information and Communication Technology, Department of Science and Technology; Prof. Dr. Jan Eloff, SAP Meraka UTD & University of Pretoria, South Africa (by appt. of DST); Dr. Barend Taute, The Council for Scientific and Industrial Research (CSIR), Meraka Institute, Pretoria, South Africa
Australia: Mr. Gary Morgan, Commonwealth Scientific and Industrial Research Organisation (CSIRO)
United States: Dr. Sam Weber, National Science Foundation (NSF); Prof. Karl Levitt, University of California, Davis and former NSF; Prof. John C. Mallery, Massachusetts Institute of Technology.
Canada: Dr. Pamela Moss, Director of the MCT Division of Natural Sciences and Engineering Research Council of Canada (NSERC) (TBC); Andrew Reddick, University of New Brunswick.
Japan: Mr Yasutaka Sakurai, Chief, Dept of International Affairs, Japan Science and Technology Agency (JST)
Korea: Dr. Young Tae Cha, Program director for Ministry of Knowledge Economy (MKE); Prof. Dr. Souhwan Jung, Soongsil University; Prof. Dr. Heung Youl Youm, Soonchunhyang (SCH) University, Korea.