SecureIT 2014 - ICT for Infrastructure Security... - Sailesh K Tiwari, Director, Computerisation & Information System, Railway Board, Ministry of Railways

  • 1,169 views
Uploaded on

SecureIT 2014 - ICT for Infrastructure Security... - Sailesh K Tiwari, Director, Computerisation & Information System, Railway Board, Ministry of Railways

SecureIT 2014 - ICT for Infrastructure Security... - Sailesh K Tiwari, Director, Computerisation & Information System, Railway Board, Ministry of Railways

More in: Education
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
No Downloads

Views

Total Views
1,169
On Slideshare
0
From Embeds
0
Number of Embeds
2

Actions

Shares
Downloads
0
Comments
0
Likes
1

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide
  • ForMalicious software:-Our policy forbids the use of pirated software.Antivirus software is in use in major installations.All the Critical servers are periodically updated with Virus / worm definition.Regarding Firewall/IPS/IDS:-Signatures/rules of Firewall/IPS/IDS are periodically tested and unnecessary ports and services are closed.

Transcript

  • 1. Computerisation and Information Systems Railway Board, Ministry of Railways Government of India By Shailesh K Tiwari Director (electronics)
  • 2. Internet revolution and E- Security  Internet revolution  Unprecedented growth , development and changes  Greater comfort  Hassle free life  Ore avenues of happiness ???  But it has also made our life vulnerable  Evolution of Technology focuseds on ease of use.  Leads us to increased Network environment and highly network dependent application.  As an Organisation one need to make sure the balance between Security- Functionality-Ease of Use.
  • 3. Indian Railways Core Values
  • 4. Indian Railways  Core values of Indian Railways  Safety  Security  Punctuality
  • 5. E-Securing Indian Railways  Citizen’s security  Integrated Security System for passengers and Assets  IT systems security  Information Systems Security  Network Security
  • 6. Electronic Security of People and Assets over Indian Railways
  • 7. IR – Electronic Surveillance  Railway Protection Force  A dedicated security organisation –handles all physical security of people and assets  Similar to Police Organisation  In recent times Extensive Use of technology  RPF Control rooms  End to end computerisation  Fully networked.
  • 8. IR – Electronic Surveillance  RPF help line  Centralised system at New Delhi  Similar to dial 100  All India roll out  Passengers can dial 1322  GPS and GIS integration to know exact location of aggrieved passengers planned  Support for Hindi/English and other languages
  • 9. IR – Electronic Surveillance  Integrated security system  CCTV based Electronic Surveillance  IP based video cameras  Network Video recorder etc  Access control system  Under vehicle scanner  Personal and baggage screening system  Bomb detection and disposal system
  • 10. Information Security over Indian Railways
  • 11. INDIAN RAILWAYS- POLICY INITIATIVES ON E- SECURITY  CERT-RAIL  set up under C&IS Directorate in the Railway Board.  Functions :-  Monitors the progress of IT Security adoption measures in all units of Railways.  Guidance to CRIS’ IT Security group,  Ensures that the Baseline Security Policy is kept updated with the latest knowledge and disseminated to the individual units.  Interacts with Ministry of IT, Cert-In, and other IT Security related forums  Co-opt experts from industry and academia  Monitors overall IT Security environment
  • 12. Classification of IT security needs-  System Types  Large centrally administered applications  PRS, FOIS, UTS  Batch-type Local applications  Payroll systems:  MIS applications,  Control Office application,  Workshop systems,  Zone / Production Unit systems and applications such as PRIME, AFRES  PCs, small servers, and other equipment, used for general information processing
  • 13. Classification of IT security needs  Data Security  E-Tendering, Employee Records, Vigilance related data (Data Confidentiality)  PRS, Financial applications (Data integrity)  Control Charting, UTS (Data availability)  Program Security  IPR issues, Encryption algorithms (Program Confidentiality)  Inadvertent changes to program integrity can cause programs to fail (Program integrity)  Malicious changes may lead to fraud (Program integrity)  Restricted access: Licensing & Legal Requirements
  • 14. Classification of IT security needs IT Asset type Examples IT Security procedures to be managed by 1 Centrally Administered Applications PRS, FOIS, UTS CRIS / C&IS Dte of Railway Board 2 Zone Based Applications PRIME, AFRES, MMIS CCA Dte of Railway Board / Zonal EDP Centres 3 Distributed Applications MIS applications MIS Dte of Railway Board 4 Production Unit Applications Systems in RCF, ICF, DLW CM-IT of the PU 5 Batch type applications Payroll EDP centres 6 General purpose IT equipment PCs, servers, placed in all offices Concerned departments
  • 15. Indian Railways- cyber security Policy  Cyber Security policy component  People:-Security Training and awareness of Employee.  Process:-Process to detect, protect and respond to Security Threat/attack and Vulnerability.  Technology:-Technology required to assist people and strengthening of the Process to improve the Security.
  • 16. INFORMATION SECURITY MANAGEMENT Confidentiality INFORMATION SECURITY Integrity Availability Authenticity Security Policy People Process Technology Regulatory Compliance Access Control Security Audit User Awareness Program Incident Response Firewall, IPS/IDS Encryption, PKI Antivirus
  • 17. IT Security- People  Technical Manpower at CRIS  Ensures secuirty of all IT apploications.  Plan and deploy state of the art information security systems  Technical advice to Zonal Railways  Zonal/ divisional level  User awareness training program  Training of manpower in technical issues to tackle immediate crisis
  • 18. IT Security-Process  Security Audit  Vulnerability Assessment and Penetration of critical apps - done by STQC, a division of the Ministry of IT and  recommendations/suggestions have been incorporated into the system.  Regulatory Compliance:- All the regulatory compliance related to Information Security, Digital Signature are followed. Some of them are  IT Act, 2000 and IT (Amendment) Act 2008  Best Practices ISO 27001  Cyber Security Guidelines for Government of India.  Guidelines for Indian Government Website.
  • 19. IR IT Security-Technology  Security of any IT system is divided in following areas  Network Security:-  Major applications -hosted in CRIS Data Center.  Firewall, IPS/IDS, host-based firewall, network access control etc on the Perimeter.  A common secure Internet gateway is implemented for all the IR applications hosted by CRIS.  Host-based Firewalls and SIEM (Security Information and Event Management) Tools is under process. This will provide a higher level of layered security for all applications.
  • 20. IR IT Security-Technology  Malicious software:-  Indian Railways policy forbids the use of pirated software.  Antivirus software is in use in major installations.  All the Critical servers are periodically updated with Virus / worm definition.  Firewall/IPS/IDS:-  Signatures/rules of Firewall/IPS/IDS are periodically tested and unnecessary ports and services are closed.
  • 21. IT Network Architecture-Technology ….. Common Internet Gateway Internet L-3 Switch Firewall •Stateful Inspection of Packets •Access Control •Traffic Filtering •Authentication •Authorization •Security Policies/Rules Intrusion Prevention System (IPS) •Mitigate DoS/DDoS attacks •Blocks Virus/Spyware etc. •Deep Packet Inspection •Traffic Behaviour Analysis •Mitigation of Attacks by analysing traffic behavior
  • 22. IR Security-Technology…..  Application Security  Vulnerability Assessment and Penetration Testing for FOIS,PRS,UTS applications had been done.  Recommendations of STQC have been implemented in all applications.  Security Testing of EPS application is also being done periodically for various modules.  Security audit periodically done
  • 23. Future Road Map- for securing Government’s Information Systems  The security of Information systems of Government are a big challenge because its prone to attack from  hackers, freakers etc.  Anti national elements  Terrorists organisations  Unfriendly countries
  • 24. Future Road Map- for securing Government’s Information Systems  Build a dedicated private IP VPN network for all Government apps (GOV-Net)  Move applications to cloud (Government Cloud ?)  Have only few POPs- may be 4-5 , connecting Gov-Net to internet.
  • 25. Future Road Map- for securing Government’s Information Systems  Build robust security infrastructure at the POPs connecting to internet.  Additionally secure each of data centres.  Any access of apps through internet to be strictly monitored- may be access granted to devices of known MAC addresses