International approaches to critical information infrastructure protection jim clarke

Trustworthy CIP: The International Data Issues

Jim Clarke & Neeraj Suri
Telecommunications Software and Systems Group
Waterford Institute of Technology, Ireland

Dept. of Computer Science
TU Darmstadt, Germany

OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India) 1

James Clarke

 19 years EU R&D projects experience
 8 years systems and software engineering
experience
 Strategic Liaison Manager, TSSG research group,
Waterford IT, Ireland

 www.tssg.org

 BIC Project coordinator www.bic-trust.eu


CIP: Monitoring, Communication, Notification, Control...

Internet
Technologies


Critical Infrastructure (CI)  CI Data Ecosystems

 CI ecosystem has transcended beyond the classical notions of CI
(power, transportation, water etc)
 Telcos, financial networks, data centers are all CI’s…

 CI’s are no longer – by design or intent – “closed” systems.
 Users dictate functionality of CI, eg. Mobile-commerce, cost models
for Smart-Grid, Smart-Highways…

 CI’s are inter-connected via ICT (& with shared susceptibilities)!
 Telcos/Internet/Cloud increasingly as the CI data conduit (Stuxnet,
Flame, SASoon…)

 ICT resilience (or lack of it) =‘s CI’s resilience levels!!!


Fundamental CIP Issues (EC CoMiFIN, INSPIRE)

 Detection: Can we detect/identify an anomaly, intrusion or attack
either as a run-time perturbation or as prior-attack pattern database
matches? What are the detectors - their composition, location and
functionality?
 Notification: Can we (in a responsive -timely + reliably- manner)
aggregate & communicate detection to a response entity? What are the
mechanisms to facilitate notification?
 Metrics: Can we quantify what we need to protect and also the value
of the achieved protection?
 Response: Can we conduct mitigation & recovery actions? Can we
quantify what we need to protect and also the value of the achieved
protection?

Economics, as much as technical drivers, dictates CIP


Goal: Basing Secure Communications on Insecure ICT
 Overlays
 Adds filters, routes & functionality
 Buffer to ICT threats  Decouples ICT and CI associations
 Provides monitoring of ICT <-> CI

 P2P Overlays : Adaptive redundant paths
 Handle resource, routes changes
 Handle attacks changes

 Can we enhance ICT-centric overlay communication to provide
technical and economically viable levels of resilience?


CIP ICT Overlay Models (Intrusive, Non-Intrusive)

www.comifin.eu

 Non-intrusive Overlays … e.g. P2P: self
 Intrusive Overlays: Dedicated standing properties - secure,
probes, routers, channels … dependable - & decoupled from the CI!
 Distributed control systems  CI handled as black-box
(SCADA)  Non-intrusive approach to realize an
additional defense line/layer that
implements further/new (usually
collaborative) security mechanisms

Monitoring, Dissemination & Response Issues

 Drivers  „Epidemic“ spreading of  Intra & Inter-CI
 Security/trust support  Undesired information  To monitor the
 Responsiveness (worms etc.) defined metrics
 Scalability  Counter-measures  To predict
 Desired information future patterns
 Base techniques
(warnings, trust etc.)  To evaluate
 Connection overlays
 Higher reachability, infrastructure
 Semantic overlays dependability
lower latency
 Configuration, levels
 Spreading speed
management  Use of the overlays
tunability
to collect
 Adaptive topology control
 Assess security of overlays measurements and
of P2P overlays
 Threat models monitor metrics –
 Reliable data delivery  Intra- and inter-CIs technical and
(data and path forwarding/isolation economic
replication..)  Prediction & early warning


Notification Issues: CoMiFin FIP Approach
Institutions
Financial

Network Network Network
Management Management Management
System System System

Msg/Event Msg/Event Processing Msg/Event Processing
Msg/Event Processing
Processing

Trust
Msg/Event bus

Control
Access

Security
Semantic Overlay

Authentication
Connectivity Overlay

Internet

Trust Attributes for Infrastructure Protection

App Users Businesses FI/Govt
Level Impact

Tech/Info
Conduits

Public Custom • Operational
• Financial
Sys • Confidence
UI Servers Telcos DB Servers
Level

Transactional & Data Confidentiality - Liability Driver
Transactional & Data Integrity - Liability Driver
Transactional & Data Availability - Usage Driver

The Financial Infrastructure Protection (FIP) challenge is not just at a favorite
(national) level or element(s) within the FI landscape, but the consolidated, coherent
and consistent coverage of the overall environment – the technological, usage and user
elements – on a global scale.


Technology Specific Intl. Cooperation Elements

 Providing/Regulating access across proprietary CI Silos!!!
 Overlay technologies: architectures, algorithms, …
 Reliable, secure information delivery techniques
 Intra and Inter-CIP Architectures, threat models,…
 mobile & telco  CIP coupling models
 Intrusion detection (international repository of threat patterns –
monitoring, responsiveness, governance, liability)
…

Cooperation opportunities at technology levels or at the more
abstract CI data levels of monitoring, dissemination, storage and
management (over next slides)


The BIGGER Data Trust Chain Picture on CIP

 CIP is about enhancing “trust” in a CI
 Trust (for any system of CIP) is
fundamentally multi-layered – one needs
Trusted People
to address all aspects of it for a solution to
be meaningful!
Trusted Data  Trust is an end-to-end attribute …and the
trust data chain is global!
Trusted Policies -Trust is NOT a piecemeal property. Cyber
attacks target the entire trust chain (the
Trusted Networks blocks, the interfaces, the technology
changes and users!!!) for the “weakest
link” vulnerabilities on the overall attack
Trusted HW/SW
surface.
- Cloud & Mobile computing makes the
data/trust chain all the more global!
 Trust needs a global collaborative effort!


CIP  Data Management

 The “Data” Elements
 Data Acquisition
 Data Dissemination
 Data Storage
 Data Management/Usage

 Large scale systems (architectures,
infrastructures) invariably evolve to
incorporate unstructured/open
operational elements (including
users!): The issue is to identify the
underlying “structures” such as
building block/interfaces to develop
coherent, domain + technologically
invariant solutions.


FIP Data Acquisition: Devices & Users

 Places your credit card is used?
 Integrity of point of sale terminal
and backend network?
 Inter-bank conduits over domestic
and intl. transactions?

 Online services
 Any knowledge or control where they
are hosted?
 Knowledge or control over threats –
intrusions, attacks - as use or
infrastructure levels?

 Global monitoring & response
entities?


FIP/CIP Data Dissemination

 Data Dissemination
• Does one know or control which network is being used?
• What are the Security Level Agreements – Domestic/Intl?
• Mobile device interfacing to networks? Domestic/Intl?
• Networks might be diverse & changing though the common
monitoring/control elements of pricing/account tracking often
form the weak point

 Data Storage (Data Centers)
 Data Access (Networks, SLA interfaces…..)
 Common Interest Themes: Metrics, Accountability, Mobile TSD


Data Access, Dissemination, Storage & Control?


Data Servers, Storage & The Human Element
 Services and servers are no longer monolithic – collaborative
computing, P2P, Cloud…
 Data Servers are located worldwide - Google Data Centers
 For a security breach on the data, who is liable? The data center
locale? The owner of the data center? The network?


The Big Issue: Info/Data Accountability

- Data Acquisition
 Accountability? - Data Dissemination
 Appropriate use - Data Storage
 Access control - Data Access
 Traceability
 Governance  At what level & by what “trusted”
authority ?
 Liability
 For services?
 Compliance
 For applications?
 …
 Inter-resource?
 Data ownership – digital rights?
 Browsing data?
 Financial data?
 Legal?


Privacy & Security Interplay

 Multi-cultural/national nuances! The role of technology in trust is
also often cultural – what to monitor, how to monitor etc

 Localized Approaches: Smart spaces - ID’s & authentication?

 E2E Trust-Privacy-Security Envelope: Measures of privacy?
Quantification of Trust-Privacy-Security? Tradeoffs? Governance
on an international scale?

Social Requirements Economic Basis Policies/Political


Data Perspective: Collaboration Avenues

 While one can come up with many many many innovative
solutions (routing overlays, replication, negotiation, “your
favorite approach here” etc) , can we collaborate together on:

 What constitutes (globally conformal) data ownership and data
accountability – individual and institutional?
 What to monitor, at what level and where? Regulation?
Governance?
 What are the quantifiers/metrics of trust and security (technological
and economic) based on which one should develop solutions?


Trust and Security Profile (note: not exhaustive list)

Biometrics

Privacy, identity

Network

Services

Secure
Implementation

Trusted
Computing

EffectsPlus GINI-SA
CA/SA’s SecurIST ESFORS
ACTOR

Priority areas for Trust and Security for Call 10 (d’line: 01/2013)

a) Security and Privacy c) Security and Privacy
in cloud computing in mobile services
•scalable, portable and robust; •efficiency, robustness and performance in
•improve the security components, in particular for system security (e.g.
particular for identification, malware detection), data management and
authentication and encryption; identification/authentication;
•long-term privacy and security •Address specificities of the mobile
•new models and tools for inter-domain devices (smart phone, tablet…) compared
security breaches. to traditional PCs;
•include privacy-by-design (user control)
b) Development, demonstration and •scalable, inter-operable and applicability.
innovation in cyber security
•application of technologies to increase the level d) Technologies and methodologies to
of cyber security; support EU trust and security policies
•development and demonstration of technologies,
methodologies and processes to prevent, detect, •Develop an EU cyber security research agenda;
manage and react to cyber incidents; •Analyse the innovation process in privacy and
•improving the situational awareness and cyber security technologies;
supporting the decision making process; • Facilitate the application of privacy and
•develop and demonstrate advanced technologies security by design practices in the development
and tools that will empower users, notably and implementation of products and services.
individuals and SMEs, in handling security
incidents and protecting their privacy. … and others


Building International cooperation


BIC: Building International Co-operation for Trustworthy ICT

 Identify EU & international t&s challenges
 Identify global trust and security challenges
Facilitate collaboration fora
-Raising awareness of funding calls/EU
mechanisms
- people/partner/organisations linkages
- guidance on developing sustained
longer-term EU – international
collaborations
 fostering bi-lateral (tactical) and multi-
lateral (strategic) co-operations.

European Commission
DG-CONNECT Unit H.4: Trust and Security
Coordination Action
Jan 2011-Dec. 2013
http://www.bic-trust.eu/

European Commission Home for BIC

 BIC is in the portfolio of Unit H.4 Trust and Security EC DG CONNECT
(Communications Networks, Content and Technology)
 Directorate H "Sustainable and Secure Society".
 Main goals are to address selected ICT challenges for a sustainable,
healthy and secure society, and to develop a full-cycle roadmap to get the
output into the EU economy, through innovation tools such as pilot-lines,
pre-commercial procurement, and standards.
 Directorate H is the leader for Horizon 2020/Societal Challenges.
 The Trust & Security (H.4) priorities are the following:
 Elaborate a European strategy on Internet security and remove Cyber
security related obstacles to the proper functioning of the Internal Market.
 Eanage implementation of the e-privacy Directive and follow-up of all
issues related to the protection of privacy on-line.
 Manage the various financial programmes (FP7, CIP, H2020) supporting
the Internet and ICT security.
 Promote a better coordinated and coherent approach on cyber incident
management worldwide.
 To find out more information about the transition to DG CONNECT,
please visit
http://ec.europa.eu/dgs/information_society/connect_en.htm

BIC: Overall Structure

BIC countries & programmes

European Commission

External
International Advisory Group
BIC relations
(IAG)
Project e.g.,
core ENISA,
communication via BIC secretariat function W3C, …

WG1. Human/User WG2. Network info-
trust & security & cyber-security

WG3. Programme and funding focus


Bi-Lateral Approach: Tactical

* * *


Multi-Lateral Approach: Strategic


Moving Towards a Strategic Approach

How do we
achieve it?

IAG
Visitations
Contacts/Exchange
Workshops
WG’s


International Advisory Group (IAG) - Roles
 The IAG will be the forum bringing together the countries
representatives from the earlier INCO-Trust countries (U.S.,
Canada, …) and the BIC countries (India, Brazil and S. Africa) in a
more strategic way;
 To facilitate collaborations between national ICT Trust and Security
constituencies and related ICT trust and security related
constituencies from other countries;
 To review the situation on International collaboration strategy in
ICT trust and security on a regular basis providing advice on the
priorities for international cooperation between the respective
research communities, providing directions to the project and
recommendations for improvement;
 Assist in the building of the working groups to enable BIC to
structure relationships and linkages and facilitate contacts for
theme based workshops or other networking events.


IAG & Working Groups Structure

EWG
IAG

EWG CWG EWG

EWG


International Advisory Group

Country IAG Members
India * Dr. Gulshan Rai, Director General, Government of India, Ministry of Communication
& IT, Department of Information Technology (DIT), STQC Directorate.
* Mr. Abhishek Sharma, Beyond Evolution Tech Solution Pvt. Ltd.
Brazil Dr. Leal de Andrade, INCO Unit, CNPQ
Lisandro Granville, Director, CTIC (Research and Development Centre for ICT),
Prof. Priscila Solis Barreto, University of Brasilia
South Africa Mr. Isaac Maredi, Director: Information and Communication Technology, Department
of Science and Technology
Prof. Dr. Jan Eloff, SAP Meraka UTD & University of Pretoria, South Africa (by appt. of
DST)
Dr. Barend Taute, The Council for Scientific and Industrial Research (CSIR), Meraka
Institute, Pretoria, South Africa;
Australia Mr. Gary Morgan, Commonwealth Scientific and Industrial Research Organisation
(CSIRO)
United States Dr. Sam Weber, National Science Foundation (NSF);
Prof. Karl Levitt, University of California, Davis and former NSF;
Prof. John C. Mallery, Massachusetts Institute of Technology.
Canada Dr. Pamela Moss, Director of the MCT Division of Natural Sciences and Engineering
Research Council of Canada (NSERC). (TBC)
Andrew Reddick, University of New Brunswick.
Japan Mr Yasutaka Sakurai, Chief, Dept of International Affairs, Japan Science and
Technology Agency (JST)
Korea Dr. Young Tae Cha, Program director for Ministry of Knowledge Economy (MKE)
Prof. Dr. Souhwan Jung, , Soongsil University
Prof. Dr. Heung Youl Youm, Soonchunhyang (SCH) University, Korea.


Priority areas for Trust and Security for Call 10 (d’line: 01/2013)

a) Security and Privacy c) Security and Privacy
in cloud computing in mobile services
•scalable, portable and robust; •efficiency, robustness and performance in
•improve the security components, in particular for system security (e.g.
particular for identification, malware detection), data management and
authentication and encryption; identification/authentication;
•long-term privacy and security •Address specificities of the mobile
•new models and tools for inter-domain devices (smart phone, tablet…) compared
security breaches. to traditional PCs;
•include privacy-by-design (user control)
b) Development, demonstration and •scalable, inter-operable and applicability.
innovation in cyber security
•application of technologies to increase the level d) Technologies and methodologies to
of cyber security; support EU trust and security policies
•development and demonstration of technologies,
methodologies and processes to prevent, detect, •Develop an EU cyber security research agenda;
manage and react to cyber incidents; •Analyse the innovation process in privacy and
•improving the situational awareness and cyber security technologies;
supporting the decision making process; • Facilitate the application of privacy and
•develop and demonstrate advanced technologies security by design practices in the development
and tools that will empower users, notably and implementation of products and services.
individuals and SMEs, in handling security
incidents and protecting their privacy. … and others


http://www.bic-trust.eu/


International approaches to critical information infrastructure protection jim clarke

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to International approaches to critical information infrastructure protection jim clarke

Similar to International approaches to critical information infrastructure protection jim clarke (20)

More from owaspindia

More from owaspindia (7)

Recently uploaded

Recently uploaded (20)

International approaches to critical information infrastructure protection jim clarke