International Approaches To Critical Information Infrastructure Protection - Jim Clarke - OWASP India Conference 2012
Transcript

  • 1. Trustworthy CIP: The International Data Issues. Jim Clarke & Neeraj Suri. Telecommunications Software and Systems Group, Waterford Institute of Technology, Ireland; Dept. of Computer Science, TU Darmstadt, Germany. OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
  • 2. James Clarke
    - 19 years EU R&D projects experience
    - 8 years systems and software engineering experience
    - Strategic Liaison Manager, TSSG research group, Waterford IT, Ireland, www.tssg.org
    - BIC Project coordinator, www.bic-trust.eu
  • 3. CIP: Monitoring, Communication, Notification, Control... Internet Technologies
  • 4. Critical Infrastructure (CI) and CI Data Ecosystems
    - The CI ecosystem has transcended the classical notions of CI (power, transportation, water etc.): telcos, financial networks, data centers are all CIs…
    - CIs are no longer – by design or intent – “closed” systems. Users dictate the functionality of CI, e.g. mobile commerce, cost models for Smart-Grid, Smart-Highways…
    - CIs are inter-connected via ICT (& with shared susceptibilities)! Telcos/Internet/Cloud increasingly act as the CI data conduit (Stuxnet, Flame, Shamoon…)
    - ICT resilience (or lack of it) equals the CI’s resilience level!!!
  • 5. Fundamental CIP Issues (EC CoMiFIN, INSPIRE)
    - Detection: Can we detect/identify an anomaly, intrusion or attack either as a run-time perturbation or as prior-attack pattern database matches? What are the detectors - their composition, location and functionality?
    - Notification: Can we (in a responsive - timely + reliable - manner) aggregate & communicate detection to a response entity? What are the mechanisms to facilitate notification?
    - Metrics: Can we quantify what we need to protect and also the value of the achieved protection?
    - Response: Can we conduct mitigation & recovery actions?
    Economics, as much as technical drivers, dictates CIP
  • 6. Goal: Basing Secure Communications on Insecure ICT
    Overlays:
    - Adds filters, routes & functionality
    - Buffer to ICT threats
    - Decouples ICT and CI associations
    - Provides monitoring of ICT <-> CI
    P2P Overlays: Adaptive redundant paths
    - Handle resource, routes changes
    - Handle attacks changes
    Can we enhance ICT-centric overlay communication to provide technical and economically viable levels of resilience?
  • 7. CIP ICT Overlay Models (Intrusive, Non-Intrusive) www.comifin.eu
    - Non-intrusive Overlays … e.g. P2P: self standing properties - secure, dependable - & decoupled from the CI!
    - Intrusive Overlays: Dedicated probes, routers, channels … Distributed control systems (SCADA)
    - CI handled as black-box
    - Non-intrusive approach to realize an additional defense line/layer that implements further/new (usually collaborative) security mechanisms
  • 8. Monitoring, Dissemination & Response Issues
    Drivers:
    - Intra & Inter-CI Security/trust support
    - Responsiveness
    - Scalability
    Base techniques:
    - Connection overlays
    - Semantic overlays
    - Configuration, management
    - Adaptive topology control of overlays
    - Reliable data delivery (data and path replication..)
    „Epidemic“ spreading of:
    - Undesired information (worms etc.)
    - Counter-measures
    - Desired information (warnings, trust etc.)
    - Higher reachability, lower latency
    - Spreading speed tunability
    - Assess security of P2P overlays
    - Threat models: Intra- and inter-CIs forwarding/isolation
    - Prediction & early warning
    Monitoring:
    - To monitor the defined metrics
    - To predict future patterns
    - To evaluate infrastructure dependability levels
    - Use of the overlays to collect measurements and monitor metrics – technical and economic
  • 9. Notification Issues: CoMiFin FIP Approach
    [diagram: Financial Institutions, each with a Network Management System and Msg/Event Processing, connected over a Msg/Event bus with Trust, Access Control, Security and Authentication, layered on a Semantic Overlay, a Connectivity Overlay and the Internet]
  • 10. Trust Attributes for Infrastructure Protection
    [diagram: App Level – Users, Businesses, FI/Govt; Impact – Operational, Financial, Confidence; Tech/Info Level – Conduits: Public, Custom Sys, UI Servers, Telcos, DB Servers]
    - Transactional & Data Confidentiality - Liability Driver
    - Transactional & Data Integrity - Liability Driver
    - Transactional & Data Availability - Usage Driver
    The Financial Infrastructure Protection (FIP) challenge is not just at a favorite (national) level or element(s) within the FI landscape, but the consolidated, coherent and consistent coverage of the overall environment – the technological, usage and user elements – on a global scale.
  • 11. Technology Specific Intl. Cooperation Elements
    - Providing/Regulating access across proprietary CI Silos!!!
    - Overlay technologies: architectures, algorithms, …
    - Reliable, secure information delivery techniques
    - Intra and Inter-CIP Architectures, threat models,… (mobile & telco; CIP coupling models)
    - Intrusion detection (international repository of threat patterns – monitoring, responsiveness, governance, liability)…
    Cooperation opportunities at technology levels or at the more abstract CI data levels of monitoring, dissemination, storage and management (over next slides)
  • 12. The BIGGER Data Trust Chain Picture on CIP
    - CIP is about enhancing “trust” in a CI
    - Trust (for any system of CIP) is fundamentally multi-layered – one needs to address all aspects of it for a solution to be meaningful! [trust chain: Trusted People, Trusted Data, Trusted Policies, Trusted Networks, Trusted HW/SW]
    - Trust is an end-to-end attribute …and the trust data chain is global!
      - Trust is NOT a piecemeal property. Cyber attacks target the entire trust chain (the blocks, the interfaces, the technology changes and users!!!) for the “weakest link” vulnerabilities on the overall attack surface.
      - Cloud & Mobile computing makes the data/trust chain all the more global!
    - Trust needs a global collaborative effort!
  • 13. CIP and Data Management
    - The “Data” Elements: Data Acquisition; Data Dissemination; Data Storage; Data Management/Usage
    - Large scale systems (architectures, infrastructures) invariably evolve to incorporate unstructured/open operational elements (including users!): the issue is to identify the underlying “structures” such as building blocks/interfaces to develop coherent, domain- and technology-invariant solutions.
  • 14. FIP Data Acquisition: Devices & Users
    - Places your credit card is used? Integrity of point of sale terminal and backend network?
    - Inter-bank conduits over domestic and intl. transactions?
    - Online services: Any knowledge or control where they are hosted? Knowledge or control over threats – intrusions, attacks - at use or infrastructure levels?
    - Global monitoring & response entities?
  • 15. FIP/CIP Data Dissemination
    Data Dissemination
    - Does one know or control which network is being used?
    - What are the Security Level Agreements – Domestic/Intl?
    - Mobile device interfacing to networks? Domestic/Intl?
    - Networks might be diverse & changing though the common monitoring/control elements of pricing/account tracking often form the weak point
    Data Storage (Data Centers)
    Data Access (Networks, SLA interfaces…..)
    Common Interest Themes: Metrics, Accountability, Mobile TSD
  • 16. Data Access, Dissemination, Storage & Control?
  • 17. Data Servers, Storage & The Human Element
    - Services and servers are no longer monolithic – collaborative computing, P2P, Cloud…
    - Data Servers are located worldwide - Google Data Centers
    - For a security breach on the data, who is liable? The data center locale? The owner of the data center? The network?
  • 18. The Big Issue: Info/Data Accountability
    - Data Acquisition
    - Data Dissemination
    - Data Storage
    - Data Access
    Accountability?
    - Appropriate use
    - Access control
    - Traceability
    - Governance: At what level & by what “trusted” authority?
    - Liability: For services? For applications? Inter-resource?
    - Compliance
    - …
    - Data ownership – digital rights? Browsing data? Financial data? Legal?
  • 19. Privacy & Security Interplay
    - Multi-cultural/national nuances! The role of technology in trust is also often cultural – what to monitor, how to monitor etc.
    - Localized Approaches: Smart spaces - IDs & authentication?
    - E2E Trust-Privacy-Security Envelope: Measures of privacy? Quantification of Trust-Privacy-Security? Tradeoffs? Governance on an international scale?
    Social Requirements / Economic Basis / Policies/Political
  • 20. Data Perspective: Collaboration Avenues
    While one can come up with many, many innovative solutions (routing overlays, replication, negotiation, “your favorite approach here” etc.), can we collaborate together on:
    - What constitutes (globally conformal) data ownership and data accountability – individual and institutional?
    - What to monitor, at what level and where? Regulation? Governance?
    - What are the quantifiers/metrics of trust and security (technological and economic) based on which one should develop solutions?
  • 21. Trust and Security Profile (note: not exhaustive list)
    [diagram: Biometrics; Privacy, identity; Network Services; Secure Implementation; Trusted Computing; Effects Plus; GINI-SA; CA/SA’s; SecurIST; ESFORS; ACTOR]
  • 22. Priority areas for Trust and Security for Call 10 (d’line: 01/2013)
    a) Security and Privacy in cloud computing
    - scalable, portable and robust;
    - improve the security components, in particular for identification, authentication and encryption;
    - long-term privacy and security
    - new models and tools for inter-domain security breaches.
    b) Development, demonstration and innovation in cyber security
    - application of technologies to increase the level of cyber security;
    - development and demonstration of technologies, methodologies and processes to prevent, detect, manage and react to cyber incidents;
    - improving the situational awareness and supporting the decision making process;
    - develop and demonstrate advanced technologies and tools that will empower users, notably individuals and SMEs, in handling security incidents and protecting their privacy.
    c) Security and Privacy in mobile services
    - efficiency, robustness and performance in particular for system security (e.g. malware detection), data management and identification/authentication;
    - Address specificities of the mobile devices (smart phone, tablet…) compared to traditional PCs;
    - include privacy-by-design (user control)
    - scalable, inter-operable and applicability.
    d) Technologies and methodologies to support EU trust and security policies
    - Develop an EU cyber security research agenda;
    - Analyse the innovation process in privacy and cyber security technologies;
    - Facilitate the application of privacy and security by design practices in the development and implementation of products and services.
    … and others
  • 23. Building International cooperation
  • 24. BIC: Building International Co-operation for Trustworthy ICT
    - Identify EU & international t&s challenges
    - Identify global trust and security challenges
    - Facilitate collaboration fora: raising awareness of funding calls/EU mechanisms; people/partner/organisations linkages; guidance on developing sustained longer-term EU – international collaborations
    - Fostering bi-lateral (tactical) and multi-lateral (strategic) co-operations.
    European Commission DG-CONNECT Unit H.4: Trust and Security. Coordination Action Jan 2011-Dec. 2013. http://www.bic-trust.eu/
  • 25. European Commission Home for BIC
    BIC is in the portfolio of Unit H.4 Trust and Security, EC DG CONNECT (Communications Networks, Content and Technology), Directorate H "Sustainable and Secure Society".
    - Main goals are to address selected ICT challenges for a sustainable, healthy and secure society, and to develop a full-cycle roadmap to get the output into the EU economy, through innovation tools such as pilot-lines, pre-commercial procurement, and standards.
    - Directorate H is the leader for Horizon 2020/Societal Challenges.
    The Trust & Security (H.4) priorities are the following:
    - Elaborate a European strategy on Internet security and remove Cyber security related obstacles to the proper functioning of the Internal Market.
    - Manage implementation of the e-privacy Directive and follow-up of all issues related to the protection of privacy on-line.
    - Manage the various financial programmes (FP7, CIP, H2020) supporting the Internet and ICT security.
    - Promote a better coordinated and coherent approach on cyber incident management worldwide.
    To find out more information about the transition to DG CONNECT, please visit http://ec.europa.eu/dgs/information_society/connect_en.htm
  • 26. BIC: Overall Structure
    [diagram: BIC countries & programmes; European Commission; International Advisory Group (IAG); BIC Project core, communication via BIC secretariat function; External relations, e.g. ENISA, W3C, …; WG1. Human/User trust & security; WG2. Network info- & cyber-security; WG3. Programme and funding focus]
  • 27. Bi-Lateral Approach: Tactical
  • 28. Multi-Lateral Approach: Strategic
  • 29. Moving Towards a Strategic Approach. How do we achieve it? IAG, Visitations, Contacts/Exchange, Workshops, WG’s
  • 30. International Advisory Group (IAG) - Roles
    - The IAG will be the forum bringing together the countries’ representatives from the earlier INCO-Trust countries (U.S., Canada, …) and the BIC countries (India, Brazil and S. Africa) in a more strategic way;
    - To facilitate collaborations between national ICT Trust and Security constituencies and related ICT trust and security related constituencies from other countries;
    - To review the situation on International collaboration strategy in ICT trust and security on a regular basis, providing advice on the priorities for international cooperation between the respective research communities, providing directions to the project and recommendations for improvement;
    - Assist in the building of the working groups to enable BIC to structure relationships and linkages and facilitate contacts for theme based workshops or other networking events.
  • 31. IAG & Working Groups Structure
    [diagram: IAG linked to a CWG and several EWGs]
  • 32. International Advisory Group: IAG Members by Country
    - India: * Dr. Gulshan Rai, Director General, Government of India, Ministry of Communication & IT, Department of Information Technology (DIT), STQC Directorate; * Mr. Abhishek Sharma, Beyond Evolution Tech Solution Pvt. Ltd.
    - Brazil: Dr. Leal de Andrade, INCO Unit, CNPQ; Lisandro Granville, Director, CTIC (Research and Development Centre for ICT); Prof. Priscila Solis Barreto, University of Brasilia
    - South Africa: Mr. Isaac Maredi, Director: Information and Communication Technology, Department of Science and Technology; Prof. Dr. Jan Eloff, SAP Meraka UTD & University of Pretoria, South Africa (by appt. of DST); Dr. Barend Taute, The Council for Scientific and Industrial Research (CSIR), Meraka Institute, Pretoria, South Africa
    - Australia: Mr. Gary Morgan, Commonwealth Scientific and Industrial Research Organisation (CSIRO)
    - United States: Dr. Sam Weber, National Science Foundation (NSF); Prof. Karl Levitt, University of California, Davis and former NSF; Prof. John C. Mallery, Massachusetts Institute of Technology
    - Canada: Dr. Pamela Moss, Director of the MCT Division of Natural Sciences and Engineering Research Council of Canada (NSERC) (TBC); Andrew Reddick, University of New Brunswick
    - Japan: Mr Yasutaka Sakurai, Chief, Dept of International Affairs, Japan Science and Technology Agency (JST)
    - Korea: Dr. Young Tae Cha, Program director for Ministry of Knowledge Economy (MKE); Prof. Dr. Souhwan Jung, Soongsil University; Prof. Dr. Heung Youl Youm, Soonchunhyang (SCH) University, Korea
  • 33. Priority areas for Trust and Security for Call 10 (d’line: 01/2013) (repeat of slide 22)
  • 34. http://www.bic-trust.eu/