Prof. Dr. B. M. Hämmerli, [email protected]
EAPC / PFP Workshop
CIIP: ICT Sectors and Interdependencies
EAPC / PFP Workshop
Zurich, September 23, 2005 Prof. Dr. Bernhard M. Hämmerli Page 2
Some Inputs to Stimulate the ICT Group Sector and Interdependency Discussion
Content
From Monopoly to Free Market
Economy of Scale and Decentralization / Centralization
Interconnection of Services and Interdependencies
Domino effect
Example Family Home
Our Task today
Conclusion
Introduction
Definition, Criticality of Services: Services, organizations and institutions which are (absolutely) essential to the public community, such that their failure or disruption will result in long-lasting supply bottlenecks and/or other dramatic consequences for substantial elements of the community, are considered critical.
A Sector consists of one or Multiple Services
Later: Definition Vulnerability of Systems / Threat / Asymmetric Threat /Domino or Cascading Effects / Interdependencies
Situation Analysis and Needs
Service Supply of Nations: From Monopoly to Free Market
[Diagram labels: Security, Task, "Security ?"]
For each Nation
Free Market introduced:
• Competition (lowest rate possible)
• Many service providers with corporate security
• Delegation of the supply task
• Overall guarantee of supply and its securing measures skipped
• Structure is still centralized (partly with common nodes and/or infrastructure (Telco))
CIP is the answer to secure the old-fashioned “public service” for (inter)national purposes
Situation Analysis and Needs I
Why do we have this challenge now?
Efficiency vs. Robustness: Processes, Infrastructure Services
[Figure: Efficiency and Robustness over time; time marks: 1980, today, 20XX]
Situation Analysis and Needs Economy of Scale / Decentralization 1
Economy of Scale
Production costs in regular situations are often lower with a centralized approach
Security measures are applied, but central vulnerabilities remain
Decentralization as a means to make infrastructure robust
Management Center
Logical channel for management information
Conventional Central Station Based Power System, partly with Decentralized Generation
[Figure labels: Generator; Substation; Overloaded/Congested Transmission Lines; Distribution Substation; Nat. Gas ?%; Hydro ?%; Coal ?%; Petroleum ?%; Nuclear ?%; Industrial; Commercial; Residential]
This and the next slides are from Prof. Dr. Saifur Rahman, Director Alexandria Research Institute, VA-Tech USA
Situation Analysis and Needs Economy of Scale / Decentralization 3 Distributed Generation Technologies
Solar Cells Wind Turbines
Gas Turbines Reciprocating Engines
Complex: A depends on B, B on C, …, and Y on A and B
[Diagrams: dependency graphs over the nodes A, B, C, M, N, O, X, Y, …]
Dependency and Interdependency
By Suanne Jantsch
A depends on B
Interdependent or mutually dependent
Infrastructure Sectors and its Interconnection
Situation Analysis and Needs: Interconnected CIP
IABG Schmitz (2002)
[Figure: recoverable labels follow]
Column headings: Analysis, CIS Hierarchy, Methods
Knowledge Management; Cost Benefit Analysis; Co-operation & Decision Support; Vulnerability Analysis; Risk Analysis / Safety Management; Policies / Strategies
Technical Components; Individual Systems; System Interdependencies; System of Systems; Compound of Critical Infrastructures
Government, Economy, Society
Computer, Nav. System, Power Lines, Switches, ...
Telecommunication, Energy, Transportation, ...
System Dynamics, Empirical Modeling, etc.
Socio-economic Models, Gaming, Scenario Techniques
System Simulation, Optim. Algorithms, Human Behavior Mod.
Technical Simulation, Technical Experimentation, etc.
Green: Basic and Essential Services
View from EU Project ACIP
31 Interconnected Critical Services in the Netherlands
and internationally linked: physically, logically and informationally
• Pipelines; Ocean shipping; Inland navigation; Air transport; Rail transport; Road transport
• Public administration; Armed forces; Information provision by the government; Diplomacy
• Law enforcement; Admin. of justice and detention; Maintaining public safety; Maintaining public order
• Water quantity; Water quality
• Financial transfer services; Financial services & infrastructure
• Health care; Food supply & safety; Drinking water supply
• Postal and courier services; Internet access; Broadcast services; Satellite communication; Radio communication and navigation; Mobile telecom. services; Fixed telecom. services
• Oil; Natural gas; Electricity
[Figure labels: Den Haag; Private; Public]
Sectors according to NISCC UK
• Finance (£): Markets; Retail banking; Asset Management; Financial Facilities; Investment banking
• Energy (E): Natural Gas; Petroleum; Electricity
• Communications (C): Data Communications; Fixed Voice communications; Public Information; Wireless communications
• Emergency Services (9): Ambulance; Fire & Rescue; Marine; Police
• Food (F): Distribute; Produce; Retail; Process; Import
• Water (W): Mains water; Sewage
• Government (G): Central government; Regional government; Local government; Parliaments & legislatures; Justice; National Security
• Hazards & Public Safety (!): CBRN; Crowds & mass events; Environmental
• Transport (T): Air; Marine; Road; Rail
• Health (H): Health Care; Public Health
Situation Analysis and Needs
New Threats: Interdependencies are structured!
The nature of systems implies that not all dependencies are equally important. Basically, energy has first priority, followed by telecommunication.
Physical Thread
Electricity
Communication
Operating System / Middleware
Finance Applications
Applications
• Transport / Traffic / Postal Services
• Rescue / Health Care Disposal
• Government and Administration
• Gas / Oil supply
• Water
• and so on
View of InfoSurance Switzerland
Interfaces and Independencies
Clearing of Risks
[Figure labels: Telecommunication; Finance; Energy; Application Sectors; Transport; Rescue; Administration]
Round Table Generic Risks, InfoSurance Spring 2003
2 Types of Risks:
-Core Risks
-Application Risks
Idea: Share Risks identified in other sectors to speed up the risk analysis process
Common Risk or dependability? !
Trends and Good Practice in Getting Started (Example CH) IV
InfoSurance Example: Common Generic Risks in CI(I)P
Domino Effects
Dependencies from Energy Sector
Example: Family Home
No Electrical Energy:
• Food: Cooking: gas or electricity; Deep freezer: 10 hours to warm up!
• Light: Candles, camp ground solutions
• Telephone: Mobile; Wired: cordless, simple phones
• Heating: Oil (not working because of electrical burning system); Open fire
• Computing / Internet: Laptop until end of battery; Desktop
Emergency Communication
Our Task
Task I
• Your and your country's understanding of a sector
• Interdependencies, generally and specifically in your country
Task II: ICT / Communication
What fails when ICT does not work?
• Generally, in all countries
• Country-specific
Situation Analysis and Needs
Conclusions and Strategies
Architecture: Future Infrastructure Design (New Threats, Free Market)
• Migration towards future architecture (decentralization, redundancy and separation of information and steering & control layer)
• Making existing infrastructure resilient (multiple simultaneous attacks), e.g. through decentralization and segregation (Information and Control Level)
• Granularity of CIP models (long discussion process of experts needed)
• Decentralize infrastructure and make critical infrastructure (the sectors and the suppliers within the sectors) as independent from each other as possible
• Avoid centralized and common single points of failure (requires extensive analysis, e.g. telco: common lines)
• Centralize the management platform of decentralized systems to gain as much status knowledge as possible for taking the best decisions in case of failure. Have several backups of the management centers.
Lack of models / contracts with international corporations (are benefit-oriented, no special loyalty to nations, security is a limited issue)
• Nations should negotiate and clarify these situations (risk assessment)
“CIP Middleware” is missing (From Monopoly -> Free Market)
• Top down: Policy approach is brought into nations' thinking
• Bottom up: Corporations make an enormous effort in BCP, DRP and IT Security
• In between is the “CIP Middleware”, Information Sharing Centers (ISAC), topic to be defined (automatic mutual support, building CI(I)P communities)
There is an enormous effort in corporate and sector CI(I)P today. To integrate this complex infrastructure and its interfaces in a national or transnational CI(I)P plan is one of the most challenging CIP tasks.