SecureIT 2014 - ICT for Infrastructure Security... - Sailesh K Tiwari, Director, Computerisation & Information System, Railway Board, Ministry of Railways

Uploaded on

SecureIT 2014 - ICT for Infrastructure Security... - Sailesh K Tiwari, Director, Computerisation & Information System, Railway Board, Ministry of Railways

SecureIT 2014 - ICT for Infrastructure Security... - Sailesh K Tiwari, Director, Computerisation & Information System, Railway Board, Ministry of Railways

More in: Education
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
No Downloads


Total Views
On Slideshare
From Embeds
Number of Embeds



Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

    No notes for slide
  • ForMalicious software:-Our policy forbids the use of pirated software.Antivirus software is in use in major installations.All the Critical servers are periodically updated with Virus / worm definition.Regarding Firewall/IPS/IDS:-Signatures/rules of Firewall/IPS/IDS are periodically tested and unnecessary ports and services are closed.


  • 1. Computerisation and Information Systems Railway Board, Ministry of Railways Government of India By Shailesh K Tiwari Director (electronics)
  • 2. Internet revolution and E- Security  Internet revolution  Unprecedented growth , development and changes  Greater comfort  Hassle free life  Ore avenues of happiness ???  But it has also made our life vulnerable  Evolution of Technology focuseds on ease of use.  Leads us to increased Network environment and highly network dependent application.  As an Organisation one need to make sure the balance between Security- Functionality-Ease of Use.
  • 3. Indian Railways Core Values
  • 4. Indian Railways  Core values of Indian Railways  Safety  Security  Punctuality
  • 5. E-Securing Indian Railways  Citizen’s security  Integrated Security System for passengers and Assets  IT systems security  Information Systems Security  Network Security
  • 6. Electronic Security of People and Assets over Indian Railways
  • 7. IR – Electronic Surveillance  Railway Protection Force  A dedicated security organisation –handles all physical security of people and assets  Similar to Police Organisation  In recent times Extensive Use of technology  RPF Control rooms  End to end computerisation  Fully networked.
  • 8. IR – Electronic Surveillance  RPF help line  Centralised system at New Delhi  Similar to dial 100  All India roll out  Passengers can dial 1322  GPS and GIS integration to know exact location of aggrieved passengers planned  Support for Hindi/English and other languages
  • 9. IR – Electronic Surveillance  Integrated security system  CCTV based Electronic Surveillance  IP based video cameras  Network Video recorder etc  Access control system  Under vehicle scanner  Personal and baggage screening system  Bomb detection and disposal system
  • 10. Information Security over Indian Railways
  • 11. INDIAN RAILWAYS- POLICY INITIATIVES ON E- SECURITY  CERT-RAIL  set up under C&IS Directorate in the Railway Board.  Functions :-  Monitors the progress of IT Security adoption measures in all units of Railways.  Guidance to CRIS’ IT Security group,  Ensures that the Baseline Security Policy is kept updated with the latest knowledge and disseminated to the individual units.  Interacts with Ministry of IT, Cert-In, and other IT Security related forums  Co-opt experts from industry and academia  Monitors overall IT Security environment
  • 12. Classification of IT security needs-  System Types  Large centrally administered applications  PRS, FOIS, UTS  Batch-type Local applications  Payroll systems:  MIS applications,  Control Office application,  Workshop systems,  Zone / Production Unit systems and applications such as PRIME, AFRES  PCs, small servers, and other equipment, used for general information processing
  • 13. Classification of IT security needs  Data Security  E-Tendering, Employee Records, Vigilance related data (Data Confidentiality)  PRS, Financial applications (Data integrity)  Control Charting, UTS (Data availability)  Program Security  IPR issues, Encryption algorithms (Program Confidentiality)  Inadvertent changes to program integrity can cause programs to fail (Program integrity)  Malicious changes may lead to fraud (Program integrity)  Restricted access: Licensing & Legal Requirements
  • 14. Classification of IT security needs IT Asset type Examples IT Security procedures to be managed by 1 Centrally Administered Applications PRS, FOIS, UTS CRIS / C&IS Dte of Railway Board 2 Zone Based Applications PRIME, AFRES, MMIS CCA Dte of Railway Board / Zonal EDP Centres 3 Distributed Applications MIS applications MIS Dte of Railway Board 4 Production Unit Applications Systems in RCF, ICF, DLW CM-IT of the PU 5 Batch type applications Payroll EDP centres 6 General purpose IT equipment PCs, servers, placed in all offices Concerned departments
  • 15. Indian Railways- cyber security Policy  Cyber Security policy component  People:-Security Training and awareness of Employee.  Process:-Process to detect, protect and respond to Security Threat/attack and Vulnerability.  Technology:-Technology required to assist people and strengthening of the Process to improve the Security.
  • 16. INFORMATION SECURITY MANAGEMENT Confidentiality INFORMATION SECURITY Integrity Availability Authenticity Security Policy People Process Technology Regulatory Compliance Access Control Security Audit User Awareness Program Incident Response Firewall, IPS/IDS Encryption, PKI Antivirus
  • 17. IT Security- People  Technical Manpower at CRIS  Ensures secuirty of all IT apploications.  Plan and deploy state of the art information security systems  Technical advice to Zonal Railways  Zonal/ divisional level  User awareness training program  Training of manpower in technical issues to tackle immediate crisis
  • 18. IT Security-Process  Security Audit  Vulnerability Assessment and Penetration of critical apps - done by STQC, a division of the Ministry of IT and  recommendations/suggestions have been incorporated into the system.  Regulatory Compliance:- All the regulatory compliance related to Information Security, Digital Signature are followed. Some of them are  IT Act, 2000 and IT (Amendment) Act 2008  Best Practices ISO 27001  Cyber Security Guidelines for Government of India.  Guidelines for Indian Government Website.
  • 19. IR IT Security-Technology  Security of any IT system is divided in following areas  Network Security:-  Major applications -hosted in CRIS Data Center.  Firewall, IPS/IDS, host-based firewall, network access control etc on the Perimeter.  A common secure Internet gateway is implemented for all the IR applications hosted by CRIS.  Host-based Firewalls and SIEM (Security Information and Event Management) Tools is under process. This will provide a higher level of layered security for all applications.
  • 20. IR IT Security-Technology  Malicious software:-  Indian Railways policy forbids the use of pirated software.  Antivirus software is in use in major installations.  All the Critical servers are periodically updated with Virus / worm definition.  Firewall/IPS/IDS:-  Signatures/rules of Firewall/IPS/IDS are periodically tested and unnecessary ports and services are closed.
  • 21. IT Network Architecture-Technology ….. Common Internet Gateway Internet L-3 Switch Firewall •Stateful Inspection of Packets •Access Control •Traffic Filtering •Authentication •Authorization •Security Policies/Rules Intrusion Prevention System (IPS) •Mitigate DoS/DDoS attacks •Blocks Virus/Spyware etc. •Deep Packet Inspection •Traffic Behaviour Analysis •Mitigation of Attacks by analysing traffic behavior
  • 22. IR Security-Technology…..  Application Security  Vulnerability Assessment and Penetration Testing for FOIS,PRS,UTS applications had been done.  Recommendations of STQC have been implemented in all applications.  Security Testing of EPS application is also being done periodically for various modules.  Security audit periodically done
  • 23. Future Road Map- for securing Government’s Information Systems  The security of Information systems of Government are a big challenge because its prone to attack from  hackers, freakers etc.  Anti national elements  Terrorists organisations  Unfriendly countries
  • 24. Future Road Map- for securing Government’s Information Systems  Build a dedicated private IP VPN network for all Government apps (GOV-Net)  Move applications to cloud (Government Cloud ?)  Have only few POPs- may be 4-5 , connecting Gov-Net to internet.
  • 25. Future Road Map- for securing Government’s Information Systems  Build robust security infrastructure at the POPs connecting to internet.  Additionally secure each of data centres.  Any access of apps through internet to be strictly monitored- may be access granted to devices of known MAC addresses