National Critical Information Infrastructure Protection Centre (NCIIPC): Role and Responsibilities

National Critical Information Infrastructure Protection Centre (NCIIPC)
Role, Charter & Responsibilities
A Presentation by
Muktesh Chander IPS
Centre Director
NCIIPC
NTRO
Government of India
Outline of Presentation
◦ Critical Information Infrastructure (CII)
◦ Threats to CII
◦ Examples of Cyber attacks on CIIs
◦ International Critical Information Infrastructure Protection Efforts
◦ International Information Security Standards
◦ Information Security initiatives in India
◦ National Critical Information Infrastructure Protection Centre (NCIIPC)
Energy
Transportation (air, surface, rail & water)
Banking & Finance
Telecommunication
Defence
Space
Law enforcement, security & intelligence
Sensitive Government organisations
Public Health
Water supply
Critical manufacturing
E-Governance
…
Critical Information Infrastructure
In general, Critical Infrastructure (CI) can be defined as: “those facilities, systems, or functions, whose incapacity or destruction would cause a debilitating impact on national security, governance, economy and social well-being of a nation”.
Critical Information Infrastructure (CII) is the ICT infrastructure upon which the core functionality of Critical Infrastructure depends.
As per Section 70 of the IT Act 2000, CII is defined as: “the computer resource, the incapacitation or destruction of which, shall have debilitating impact on national security, economy, public health or safety.”
Inter-dependence
Figure: Varying Dependence of CI on Information Infrastructure (diagram placing Critical Infrastructure (CI) and CII elements relative to the Information Infrastructure)
Characteristics of CII
Highly Complex
Distributed
Interconnected
Interdependent
Increasing trend in all of the above
Complexity and Inter-dependence of CII
Types of threats to CIIs
Threats to CII are classified as:
◦ Internal Threat
It is defined as “One or more individuals with the access and/or inside knowledge of a company, organization, or enterprise that would allow them to exploit the vulnerabilities of that entity’s security, systems, services, products, or facilities with the intent to cause harm.”
Insider betrayals cause losses through IT sabotage, fraud, and theft of confidential or proprietary information.
This may be intentional or due to ignorance.
◦ External Threat
Arises from outside the organization: individuals, hackers, organizations, terrorists, foreign government agents and non-state actors, posing risks such as crippling of CII, espionage, cyber/electronic warfare, cyber terrorism etc.
Threat vectors to CII
Malware Attacks (19,719,262 distinct malware so far)
Email attachments
Smartphones
Removable media
Web Application Attacks
Client Side Attacks, MITM
Social Engineering Attacks
Social network
Wireless attacks
DoS/DDoS
Botnet
SCADA APTs
Embedded systems
Supply Chain contamination
Threat actors
Individuals
Disgruntled or ex-employees
Rivals (Industrial Espionage)
Hackers, Script kiddies, Crackers
Cyber criminals (organized as well as unorganized)
Hacktivists
Cyber Mercenaries
Terrorist groups (CyberJehadis)
Non-state actors
Hostile states
Effects of Cyber Attacks on CII
• Damage or destruction of CII
• Disruption or degradation of services
• Loss of sensitive and strategic information
• Widespread damage in short time
• Cascading effects on several CII
Examples of Cyber Attacks on CII
Stuxnet Virus: A New Weapon of War
Discovered in June 2010.
It is the first known targeted worm to attack a particular type of Industrial Control System (ICS).
It primarily spreads via portable USB drives.
It first exploits zero-day vulnerabilities to infect Windows-based workstations, then attacks the associated Programmable Logic Controller (PLC) based SCADA machines and modifies their configuration and behaviour.
Stuxnet, which affected the nuclear program of Iran, is the most sophisticated APT.
Stuxnet spread and geographical distribution of infected systems
Figure: map of infected systems, showing a concentration of infections in Iran.
Duqu Virus: A Stuxnet Variant
Discovered in September 2011.
Affected countries include Iran, France, UK, Hungary, Austria, and Indonesia.
It is a variant of the Stuxnet virus.
Unlike Stuxnet, the Duqu worm does not replicate but is ‘highly targeted’ and uses Trojans to gather sensitive information and passwords and send them back to a command and control server.
It does not have a payload like Stuxnet, but instead seems to exist to set up remote access capabilities.
Flame Malware
20 MB in size.
Cause:
◦ Flame can spread to other systems over LAN or via USB stick.
◦ It mines the computer, recording Skype conversations, screenshots, keyboard activity and network traffic, and turns infected computers into Bluetooth beacons which attempt to download contact information from nearby Bluetooth-enabled devices.
◦ Collected information is sent back to remote control servers.
Effect:
◦ Initially infected 1000 machines, with victims including governmental organizations, financial organizations etc. in Iran, Egypt, Sudan, Lebanon, Saudi Arabia and Israel.
Shamoon Malware (August 2012)
Targets:
◦ Energy Sector.
◦ Disrupted services of Saudi Aramco and Qatar RasGas.
Effect:
◦ Capable of spreading to other offline workstations on the network.
◦ Wipes disks of workstations and overwrites the Master Boot Record, preventing them from booting.
Motive:
◦ Unlike other cyber espionage malware, Shamoon is a cyber sabotage weapon.
From Cyber Skirmishes to Cyber Warfare
GhostNet: Cyber Spying Operation
Cause:
◦ Malicious emails, when opened, dropped a Trojan horse.
◦ The Trojan horse connects back to a control server to download and install the Gh0st RAT Trojan.
Effect:
◦ Gh0st RAT allows attackers to gain complete, real-time control of computers running Microsoft Windows.
◦ Infiltrated high-value political, economic, and media locations in 103 countries.
◦ Compromised computer systems of embassies, foreign ministries and other government offices, the Dalai Lama’s centres in India, London and New York City etc.
Shadows in the Cloud: Cyber Espionage
Cause:
◦ A malware ecosystem employed by the attackers via GhostNet etc.
◦ The ecosystem leveraged multiple redundant cloud computing systems, social networking platforms, free web hosting services etc. to maintain persistent control.
Effect:
◦ Complex cyber espionage network.
◦ Theft of classified and sensitive documents.
◦ Collateral compromise: visa applications stolen.
◦ Command and control infrastructure that leverages cloud-based social media services.
Cyber Attack brought down US Drone RQ-170
On 4 December 2011, Iran captured an American Lockheed Martin RQ-170 Sentinel unmanned aerial vehicle (UAV).
The Iranian Government claimed that the drone was brought down by its cyber warfare unit stationed near Kashmar.
An Iranian engineer claimed that the drone was captured by jamming both satellite and land-originated control signals to the UAV, followed by a spoofing attack that fed the UAV false GPS data to make it land in Iran at what the drone thought was its home base in Afghanistan.
Estonia 2007 Cyber Conflict
Incident Time Frame
◦ Start 27 April 2007; End 18 May 2007; Duration 3 weeks.
Methods
◦ DoS and DDoS; website defacement; attacking DNS servers;
◦ Mass e-mail and comment spam.
Targets
◦ Servers of institutions responsible for the Estonian Internet infrastructure;
◦ Governmental and political targets (parliament, president, ministries, state agencies, etc.);
◦ Services provided by the private sector (e-banking, news organisations etc.);
◦ Personal and random targets.
Georgia 2008 Cyber Conflict
Incident Time Frame
◦ Start 8 August 2008; End 28 August 2008; Duration 3 weeks.
Methods
◦ DoS and DDoS attacks; distribution of malicious software together with attack instructions; exploiting SQL vulnerabilities;
◦ Defacement; using e-mail addresses for spamming and targeted attacks.
Targets
◦ Government sites (President, Parliament, ministries; local government of Abkhazia); news and media sites, online discussion forums, financial institutions etc.
Lithuanian 2008 Cyber Conflict
Incident Time Frame
◦ Start 28 June 2008; End 2 July 2008; Duration 4 days.
Methods
◦ Defacement: pro-Soviet and communist symbols as well as profane anti-Lithuanian slogans posted on websites.
◦ Some e-mail spam.
Targets
◦ Over 300 private sector (95%) and governmental (5%) websites;
◦ Damage largely avoided in the public sector due to timely warning;
◦ Private sector suffered most.
Cyber attacks on Indian Government Infrastructure
Cyber attacks on Indian Government Websites
As reported by the Indian Computer Emergency Response Team (CERT-In), a total of 90, 119, 252 and 219 Government websites were defaced by various hacker groups in the years 2008, 2009, 2010 and January – October 2011 respectively.
13000 incidents were handled by CERT-In in 2011.
Email Compromises
Loss of confidential information from sensitive organisations
International efforts for Protection of Critical Information Infrastructure
International CIIP initiatives
UN Resolution 58/199
ITU, G8
Agencies for protection of Critical Infrastructure:
◦ Europe: European Programme for Critical Information Infrastructure Protection (EPCIP)
◦ United Kingdom: Centre for the Protection of National Infrastructure (CPNI)
◦ United States: responsibility for Critical Infrastructure protection falls under the jurisdiction of the Department of Homeland Security.
◦ Australia: National Security Agency
◦ South Korea: National Intelligence Service
Information Security Management
Information Security Management
Some Information Security facts
◦ It is a multidisciplinary subject.
◦ Security depends on people and process more than on technology.
◦ Internal employees are a far bigger threat to information security than any outside threat.
◦ Security is not a static entity but a running process; it should flow through the organization.
◦ Moving from the technical, managerial, and standardization & certification waves to the fourth wave of Information Security Governance (B. von Solms).
International Standards
◦ ISO/IEC 27000 family;
◦ ISO 31000: Risk Management;
◦ ISO 22301: Business Continuity Management etc.
◦ Federal Information Processing Standards (FIPS)
◦ Control Objectives for Information and Related Technologies (COBIT)
◦ Information Technology Infrastructure Library (ITIL)
◦ Payment Card Industry Data Security Standard (PCI DSS)
◦ Data Security Council of India Security Framework (DSF)
ISO/IEC 27001
Specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System (ISMS) within an organisation.
It is applicable to all types of organisations, including business enterprises, government agencies, and so on.
It is a normative standard against which certification is obtained.
Adopts the Plan-Do-Check-Act (PDCA) model, which is applied to structure all ISMS processes.
ISO/IEC 27001 Standard (contd..)
PDCA Model (figure): input “Information security requirements and expectations” → Plan: Establish the ISMS → Do: Implement and operate the ISMS → Check: Monitor and review the ISMS → Act: Maintain and improve the ISMS → output “Managed information security and operations”.
ISO/IEC 27001 Standard (contd..)
ISO/IEC 27001 ISMS Requirements
◦ General requirements
◦ Establishing and managing the ISMS: Establish the ISMS; Implement and operate the ISMS; Monitor and review the ISMS; Maintain and improve the ISMS
◦ Documentation requirements: General; Control of documents; Control of records
◦ Management responsibility: Management commitment; Resource management (Provision of resources; Training, awareness and competence)
◦ Internal ISMS audits
◦ Management review of the ISMS: General; Review input; Review output
◦ ISMS improvement: Continual improvement; Corrective action; Preventive action
IT Act 2000
Criminal Offences (Section)
66A: Sending offensive messages, including attachments, through a communications service
66B: Dishonestly receiving stolen computer resource or communication device
66C: Identity theft
66D: Cheating by personation
66E: Violation of privacy
66F: Cyber terrorism, defined as causing denial of service, illegal access, or introducing a virus in any of the critical information infrastructure of the country defined u/s 70 with the intent to threaten the unity, integrity, security or sovereignty of India or strike terror in the people or any section of the people; or gaining illegal access to data or a database that is restricted for reasons of the security of the state or friendly relations with foreign states.
67A: Publishing or transmitting material containing sexually explicit acts in electronic form
67B: Publishing or transmitting material depicting children in sexually explicit acts
67C: Preservation and retention of information by intermediaries as may be specified, for such duration and in such manner and format as the central government may prescribe.
Protected Systems
Section 70 deals with the declaration of protected systems: any computer resource which directly or indirectly affects the facility of critical information infrastructure (CII).
Cyber Terrorism
Sec 66F: Punishment for Cyber Terrorism. (1) Whoever,
(A) with intent to threaten the unity, integrity, security or sovereignty of India or strike terror in the people or any section of the people by
(i) denying or causing the denial of access to any person authorised to access computer resources; or
(ii) attempting to penetrate or access a computer resource without authorisation or exceeding authorised access; or
(iii) introducing or causing to introduce any computer contaminant,
and by means of such conduct causes or is likely to cause death or injuries to persons or damage to or destruction of property or disrupts or knowing that it is likely to cause damage or disruption of supplies or services essential to the life of the community or adversely affect the critical information infrastructure specified under section 70.
National Critical Information Infrastructure Protection Centre (NCIIPC)
Under Section 70A, NCIIPC, under NTRO, is being declared as the nodal agency for the protection of the Critical Information Infrastructure of India.
The Gazette notification for NCIIPC under section 70A(1) is underway.
NCIIPC, under its mandate from section 70A(2) of the IT Act, is responsible for all measures, including R&D, for the protection of Critical Information Infrastructure.
Rules under section 70A are being notified.
NCIIPC Vision
“To facilitate safe, secure and resilient Information Infrastructure for Critical Sectors of the Nation”
NCIIPC Mission
“To take all necessary measures to facilitate protection of Critical Information Infrastructure from unauthorized access, modification, use, disclosure, disruption, incapacitation or destruction through coherent coordination, synergy and raising information Security awareness among all stakeholders.”
Dependency and Criticality Matrix for NCIIPC
Figure: matrix with Criticality (LOW to HIGH) on one axis and Dependency (LOW to HIGH) on the other, positioning CERT-In, NCIIPC, the Organizational Security Department and LEAs.
Prevention and early warning
Detection
Mitigation
Response
Recovery
Resilience
NCIIPC Activities
◦ Identification of Critical Sub-sectors
◦ Study of Information Infrastructure of identified critical sub-sectors
◦ Issue of Daily / Monthly cyber alerts / advisories
◦ Malware Analysis
◦ Tracking zombies and Malware-spreading IPs
◦ Cyber Forensics activities
◦ Research and Development for a Smart and Secure Environment
◦ Facilitate CII owners in adoption of appropriate policies, standards and best practices for protection of CII
◦ Annual CISO Conference for Critical Sectors
◦ Awareness and training
◦ 24X7 operation and helpdesk
NTRO has identified 17 sub-sectors initially and has started activities for the 7 sub-sectors named below:
• Air Traffic Management (ATM), Civil Aviation (Transportation)
• Power grid (Energy)
• MTNL
• NSEI
• BSNL
• Railways
• SBI
Sl No. | Sector (as identified in Crisis Management Plan 2010) | Sub-sector | Dept./Agency/Organization | Specific Area | Remarks
---|---|---|---|---|---
1 | Transportation | Civil aviation | AAI | ATC | Work under progress
2 | Transportation | Railways | IRCTC, RAILTEL | Passenger reservation system, communication | Work under progress
3 | Transportation | Shipping | Port | Port management |
4 | Energy | Power | Powergrid Corporation, POSOCO | | Work under progress
5 | Energy | Nuclear | BARC, NPCIL | |
6 | Energy | Oil & Gas | ONGC | |
7 | Finance/Banking | Finance | NSE, BSE, Central Economic Intelligence Bureau (CEIB) | SIEN network (CEIB), NFS (National Financial Switch) | Work under progress
8 | Finance/Banking | Banking | SBI, RBI | INFINET, NEFT, SIEN | Work under progress
9 | ICT | Communication | MTNL, BSNL | | Work under progress
10 | ICT | IT | NIC | NKN, SWAN |
11 | Law Enforcement, Security & Intelligence | Law Enforcement & Security | ITBP, SSB, CRPF, Assam Rifles, BSF, CISF | |
12 | Law Enforcement, Security & Intelligence | Law Enforcement & Security | MHA | CCTNS |
13 | Law Enforcement, Security & Intelligence | Intelligence Agencies | R&AW, IB, NTRO, CBI, NIA | NATGRID, FRRO Networks, Cobweb | Work under progress
14 | Space | -- | ISRO | Spacenet, Remote sensing, space-based programme |
15 | Defence | | Army, Navy, Air Force, Coast Guard, Strategic Forces Command | |
16 | MEA | -- | -- | Passport Database/Visa |
OTHERS
17 | Sensitive Govt. Organisations | | PMO, NSCS, Planning Commission, Cabinet Sectt., MHS, Registrar General, Doordarshan & AIR | AADHAAR |
Networks from any of these areas which go through NIC.
Nodal Officer/CISO
Each Organisation/Ministry in a Critical Sector should nominate a Nodal Officer (CISO) for interaction with NCIIPC.
The CISO will be the point of contact for NCIIPC.
CISO Roles & Responsibilities
CISO responsibilities include, but are not limited to:
◦ Build an information security culture
◦ Assist senior management in the development, implementation and maintenance of an information security infrastructure
◦ Develop, communicate and ensure compliance with organizational information security policy, standards and guidelines
◦ Ensure regulatory and standards compliance
◦ Develop a security awareness and training program
◦ Periodically conduct internal audits to check compliance with organizational security policy, standards and guidelines
◦ Risk Management
◦ Incident Management
◦ Business Continuity Management
◦ Assist senior management in the acquisition of products, tools and services related to information & related technology
Guidelines for Protecting Critical Information Infrastructure
Under preparation with the help of Academia and Industry
NCIIPC Expectations
We understand several Ministries/Departments have identified organisations under their administrative control as a Sectoral CERT for their respective Ministries/Departments.
We would expect these Sectoral CERTs to henceforth work out an institutional mechanism to work synergistically with NCIIPC towards providing effective protection to the CII in these Ministries/Departments.
Feedback
Take some time to fill in the questionnaire.
Provide details of the information security measures being taken in your organisation.
Leave the above documents when you go for lunch.
Marching towards building a culture of cyber security
NCIIPC at your Service
Thank you