Information Infrastructure is the term usually used to describe the totality of inter-connected computers and networks, and the information flowing through them. Certain parts of this Information Infrastructure may be dedicated to the management and control of infrastructure providers, e.g. power generation and gas/oil pipelines, or may support our economy or national fabric, e.g. banking and telecom. The contribution of the services supported by these infrastructures and, more importantly, the impact of any sudden failure or outage on our national well-being or national security mark them as Critical.
By extension, the information infrastructure supporting the operations of Critical Infrastructure (CI) is termed Critical Information Infrastructure (CII). These networks operate, monitor and control important governmental and societal functions and services including, but not limited to, Power (generation/transmission/distribution etc.), Telecommunication (mobile/landline/internet etc.), Transportation (air/land/rail/sea etc.), Defence etc. These CII are becoming increasingly dependent on their information infrastructure for information management, communication and control functions.
Protection of critical information infrastructure
1. Protection of Critical Information Infrastructure
By:
Rinchon Sanghkro
Avibunno
Aakriti Shukla
Neha Agarwal
Vansheeka Saxena
2. Critical Information Infrastructure
• In general Critical Infrastructure (CI) can be defined as:
“those facilities, systems, or functions, whose incapacity or destruction
would cause a debilitating impact on national security, governance,
economy and social well-being of a nation.”
• Information Infrastructure is the term usually used to describe the totality
of inter-connected computers and networks, and information flowing
through them.
• Critical Information Infrastructure (CII) are those information and
communications technology infrastructure upon which the core
functionality of Critical Infrastructure is dependent.
• As per section 70 of IT Act 2000, CII is defined as:
“the computer resource, the incapacitation or destruction of which, shall
have a debilitating impact on national security, economy, public health or
safety.”
3. Critical Sectors
Energy
Transportation (air, surface, rail & water)
Law enforcement, security & intelligence
Sensitive Government organisations
Banking & Finance
Telecommunication
Defense
Space
Public health
Water supply
Critical manufacturing
E-governance
Power generation
5. Importance and management of CII
• Critical infrastructures play a vital role in today’s societies, enabling many of
the key functions and services upon which modern nations depend.
• From financial networks to emergency services, energy generation to water
supply, these infrastructures fundamentally impact and continually improve
our quality of life.
• Particularly vital in this regard are critical information infrastructures, those
vast and crosscutting networks that link and effectively enable the proper
functioning of other key infrastructures.
• The five basic steps that must be kept in mind are:
1. Determining risk management scope;
2. Identifying critical information infrastructure functions;
3. Analyzing critical function value chain and interdependencies;
4. Assessing critical function risk; and
5. Prioritizing and treating critical function risk.
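The five steps above, worked through on a small model (an added example, not part of the original slides). The scope (step 1) is four constructed critical functions; the function names, dependency edges, likelihood and impact scores, and the scoring rule are all assumptions made for illustration.

```python
from collections import defaultdict

# Step 2: critical functions in scope. Constructed sample data: "likelihood"
# is an assumed 0-1 chance that a threat exploits a vulnerability, "impact"
# an assumed 1-10 direct impact score. None of these values come from the page.
FUNCTIONS = {
    "grid_scada":     {"likelihood": 0.30, "impact": 9},
    "telecom_core":   {"likelihood": 0.20, "impact": 7},
    "payment_switch": {"likelihood": 0.25, "impact": 8},
    "e_gov_portal":   {"likelihood": 0.40, "impact": 4},
}
# Step 3: interdependencies as "consumer depends on providers" (constructed).
DEPENDS_ON = {
    "telecom_core":   ["grid_scada"],
    "payment_switch": ["telecom_core", "grid_scada"],
    "e_gov_portal":   ["telecom_core"],
}

def downstream(function):
    """Every function that directly or transitively depends on `function`."""
    dependents = defaultdict(set)
    for consumer, providers in DEPENDS_ON.items():
        for provider in providers:
            dependents[provider].add(consumer)
    seen, stack = set(), [function]
    while stack:
        for consumer in dependents[stack.pop()]:
            if consumer not in seen:  # also guards against dependency cycles
                seen.add(consumer)
                stack.append(consumer)
    return seen

def assess(function):
    """Step 4 (assumed rule): likelihood x (own impact + impact of dependents)."""
    cascade = sum(FUNCTIONS[d]["impact"] for d in downstream(function))
    total_impact = FUNCTIONS[function]["impact"] + cascade
    return round(FUNCTIONS[function]["likelihood"] * total_impact, 2)

def prioritize():
    """Step 5: rank functions for treatment, highest risk first."""
    return sorted(FUNCTIONS, key=assess, reverse=True)

if __name__ == "__main__":
    for name in prioritize():
        print(f"{name:15} risk={assess(name):5.2f} "
              f"cascades_to={sorted(downstream(name))}")
```

In this model the portal has the highest likelihood of compromise but ranks last, while the grid function ranks first because every other function fails with it.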
6. National Critical Information Infrastructure Protection Centre (NCIIPC) - Origin
• In 2008, in recognition of the rise in cyber vulnerabilities, threats and attacks, India’s Information Technology Act was amended.
• Section 70A was introduced, which laid down the mandate for the creation of a new agency to protect sectors designated as CII.
• While those changes were made in 2008, the Gazette Notification by the Government of India came only on January 16, 2014.
• Under section 70A(1) of the Information Technology (Amendment) Act 2008, the Government of India has designated the ‘National Critical Information Infrastructure Protection Centre’ (NCIIPC) as the national nodal agency responsible for all measures, including research and development, relating to the protection of CII.
7. NCIIPC is driven by
its mission “To take all necessary measures to facilitate protection of Critical
Information Infrastructure from unauthorized access, modification, use,
disclosure, disruption, incapacitation or destruction through coherent
coordination, synergy and raising information security awareness among all
stakeholders” and
a vision “to facilitate safe, secure and resilient Information Infrastructure for
Critical Sectors of the nation”.
The NCIIPC started off with several sectors, but has now categorised them into five broad areas that cover the ‘critical sectors’. These are:
i. Power & Energy
ii. Banking, Financial Institutions & Insurance
iii. Information and Communication Technology
iv. Transportation
v. E-governance and Strategic Public Enterprise
8. Guiding Principles
• Development of mechanisms to facilitate identification of CII in conjunction with CI organizations.
• Protection of CII through a risk management approach.
• Ensuring compliance with NCIIPC policies, guidelines, advisories/alerts etc. by CII.
• Develop capabilities for a real-time warning system and facilitate sharing of information on emerging threats, cyber attacks, vulnerabilities etc. with CIIs.
• Lead and coordinate national programs and policies on Critical Information Infrastructure.
9. Guiding Principles
• Establish national and international linkages/initiatives, including R&D, for the protection of CII.
• Promote indigenous Research and Development (R&D) relating to protection of Critical Information Infrastructure.
• Develop mechanisms to facilitate sharing of information among CII stakeholders as well as with NCIIPC.
• Facilitate thematic workshops and Information Security Awareness and Training Programme.
• Facilitate capacity building towards creation of highly skilled manpower through engaging premier institutes like IISc, NITs etc. as well as private/non-government partners working on CIIP.
• Establish Sectoral CERTs to deal with critical sector specific issues.
11. Planning Controls
• Identification of CII
• Information Security Department (ISD)
• Vertical and Horizontal Interdependencies
• Information Security Policy
• Integration Control
• VTR Assessment and Mitigation Controls
• Security Certifications
• Physical Security Controls
12. Implementation Controls
• Asset and Inventory Control: To correlate and track all physical and virtual assets owned by the CIIs.
• Access Control Policies: A role-based approach should be followed.
• Identification and Authentication Control: Providing a unique identity to all the users of the information.
• Physical and Environmental Security
• Testing and Evaluation of Hardware and Software: Organizations need to be cautious in deploying possibly contaminated hardware or software products, especially in CII. After procurement and before deployment of hardware there should be in-depth testing and evaluation of systems.
13. Operational Controls
• Data storage: Hashing and Encryption
• Data Loss Prevention
• Penetration Testing
• Training, Awareness and Skill up-gradation
• Incident Management – Response
• Critical Information Disposal and Transfer
• Network Device Protection
• APT protection
14. Disaster Recovery/Business Continuity Planning (BCP) Controls
• Contingency Planning
• Data Back-up and Recovery Plan
• Hot disaster recovery site
• Warm disaster recovery site
• Cold disaster recovery site
The entire aim of Contingency Planning is to reduce the impact of the disaster or any major CII outage to the minimum.
15. Reporting and Accountability Controls
• Reporting to Govt. Agencies
• Periodic Audit
16. Threats to Critical Information Infrastructure
Vulnerabilities are gaps/weaknesses in systems that allow an attacker to reduce the system's information assurance.
Threats are actors/actions targeting the vulnerabilities in a system.
Risks are the possibilities that a particular threat will successfully exploit a vulnerability and the resultant impact of that exploitation on the information assurance of the system.
17. Critical Information and threat
• The threat actors exploit the underlying vulnerabilities within the
application software, control systems software, hardware or even the
people to get access to the desired location in the network.
• Once the network—enterprise or control system network—is breached, they
can execute commands, steal sensitive information such as design or
configuration, or corrupt the information flowing to the interfaces.
• Threat actors have their own set of motivational factors, varying from
political to security or monetary gains to rivalry or competition.
• There are myriad malicious actors, varying from insiders (in the form of
disgruntled employees or compromised/socially engineered
employees), economic, military or adversary nation states, criminal
syndicates to terrorist
18. TYPES OF THREATS
Threats to critical infrastructure can be broadly classified into
three categories:
1. Natural threats include weather problems in both hot and cold climates and also geological hazards like earthquakes, tsunamis, land shifting etc.
2. Accidental threats arise from failures, errors and miscalculations.
3. Human threats include all the attempts made by malicious actors to gain access to the system with the intent of causing harm or damage. They can be classified into Insider, Outsider and Collusion.
19. Human Threats
• Insider: An insider could be a person (employee, partner, contractor or vendor) within the organization, having authorization or legitimate access to the asset where the attack has been executed. Generally, insiders possess the requisite information, credentials or security clearances pivotal to perpetrate an attack. There are different motivational factors, varying from monetary gain to disgruntlement and jealousy to vengeance.
• Outsider: An outsider, as an adversary, is external to the organization and therefore does not have the authorization or legitimate access to the targeted asset. The list of motivational factors is quite wide, as it could vary from acts of terrorism to crime and hacktivism to professional services.
• Collusion: Collusion happens when an outsider partners with an insider to perpetrate an attack. In order to gain easy and definite access, adversaries are generally in quest of vulnerable insiders, and they exploit these insiders to their own advantage. However, the insider might sometimes unconsciously pass on certain information to the adversary.
20. Threat Vector To Critical Information Infrastructure
A Threat Vector is a path or a tool that a threat actor uses to attack the target. They can be:
• Malware
• Email attachment
• Removable drives
• Web application attack
• Social Network
• DDoS
• Social Engineering
• Mobile phones
22. ATTACK SURFACE AND THREAT VECTORING
• An attack is fundamentally the convergence of vulnerability, accessibility of the
system and capability of the adversary.
• An attack surface is an aggregate of all the points of entry for a potential
attacker, and these points are spread across the network, the software or the
applications, through physical means of entry and it also includes the human
beings. These points of entry let the attacker send data to the target or extract
data from the target.
• Network attack surface originates from the exposed constituents of
networking technology, such as the protocols, the ports and communication
channels; the devices in form of routers, firewalls or mobile phones; and the
network applications such as cloud-based services and firmware interfaces with
external systems.
• Software attack surface is calculated across the programmed code an
organization executes in totality and these include the applications, different
email services, configurations, databases, executables, Web applications,
mobile applications and operating systems, covering the interfaces, services,
protocols and practices available to all users, particularly the components
accessible to unauthenticated users.
23. • Human attack surface considers the wide spectrum of vulnerabilities
within the human beings, which could compromise sensitive information
leading to an easy way into the secured systems. These considerations are as
diverse as social engineering attacks, inadvertent errors, malicious insiders,
death, disease or disability of human resources.
• A thorough attack surface analysis is a vital input to the process of setting up defensive mechanisms such as firewalls, intrusion prevention systems, intrusion detection systems, data policy and other security measures. Despite defences, attacks do take place; and for an attack to succeed, the attacker adopts a path or means to gain access to the target and deliver the malicious code, known as the attack vector.
• Common attack vectors are Web application attacks, client side attacks,
network attacks, attacks using malware, DoS/DDoS attacks, social engineering
or spear phishing attacks, man-in-the-middle attack or interception of
communication channel, targeted attacks by evading/bypassing perimeter
protection devices, etc.
24. Strategies followed by Attackers to exploit Safety Instrumented System (SIS)
• Attackers have now moved beyond reconnaissance and are leveraging their acquired knowledge of control networks to interrupt production and create safety incidents. They are targeting systems which are critical for national security, economy and health of citizens.
• Cyber terrorists could do tremendous damage if they wanted to,
ranging from taking control of water treatment facilities to shutting
down power generation plants to causing havoc with air traffic control
systems and all of these systems are extremely vulnerable to attack.
• Malicious actors have been penetrating the computer networks of companies that operate nuclear power stations, other energy facilities, and manufacturing plants. The threat is growing exponentially and could easily spin out of control. The malware referred to as Triton is significant for its impact on CII because it is not only part of an increasing focus of attacks on industrial control systems (ICSs), but it is also the first to directly target a safety instrumented system (SIS).
25. RECENT CASE STUDIES
• Venezuela Decries Attack On Critical Infrastructure (3 April 2019)
• Iran Conducted Cyber Attacks On UK Infrastructure – Report (December 2018)
• Hexion, Momentive and Norsk Hydro all hit by ransomware cyber attacks (March 2019)
• Hackers beat university cyber-defences in two hours (4 April 2019)