Se ha denunciado esta presentación.
Utilizamos tu perfil de LinkedIn y tus datos de actividad para personalizar los anuncios y mostrarte publicidad más relevante. Puedes cambiar tus preferencias de publicidad en cualquier momento.

National Critical Information Infrastructure Protection Centre (NCIIPC): Role and Responisbilities

5.526 visualizaciones

Publicado el

A talk about Critical Information Infrastructure (CII).

Publicado en: Educación
  • Sé el primero en comentar

National Critical Information Infrastructure Protection Centre (NCIIPC): Role and Responisbilities

  1. 1. 1 Role, Charter & Responsibilities A Presentation by Muktesh Chander IPS Centre Director NCIIPC NTRO Government of India National Critical Information Infrastructure Protection Centre (NCIIPC)
  2. 2. 2 Critical Information Infrastructure (CII) Threats to CII Examples of Cyber attacks to CIIs International Critical Information Infrastructure Protection Efforts International Information Security Standards Information Security initiatives in India National Critical Information Infrastructure Protection Centre (NCIIPC) Outline of Presentation
  3. 3. 3 Energy Transportation ( air, surface, rail & water) Banking & Finance Telecommunication Defence Space Law enforcement, security & intelligence Sensitive Government organisations Public Health Water supply Critical manufacturing E-Governance …
  4. 4. 4 In general Critical Infrastructure (CI) can be defined as: “those facilities, systems, or functions, whose incapacity or destruction would cause a debilitating impact on national security, governance, economy and social well-being of a nation”. Critical Information Infrastructure (CII) are those ICT infrastructure upon which core functionality of Critical Infrastructure is dependent.  As per Section 70 of IT Act 2000, CII is defined as: “the computer resource, the incapacitation or destruction of which, shall have debilitating impact on national security, economy, public health or safety.” Critical Information Infrastructure
  5. 5. 5 Information Infrastructure CI CI CI CII CII CI CII Figure: Varying Dependence of CI on Information Infrastructure Inter-dependence
  6. 6. 6 Characteristics of CII Highly Complex Distributed Interconnected Interdependent Increasing trend in all of the above
  7. 7. 7 Complexity and Inter-dependence of CII
  8. 8. 8 Threats to CII are classified as: ◦Internal Threat It is defined as “One or more individuals with the access and/or inside knowledge of a company, organization, or enterprise that would allow them to exploit the vulnerabilities of that entity’s security, systems, services, products, or facilities with the intent to cause harm.” Insider betrayals cause losses due to IT sabotage, Fraud, and Theft of Confidential or proprietary information This may be intentional or due to ignorance ◦External Threat Arise from outside of the organization by individuals, hackers, organizations, terrorists , foreign Government agents, non state actors and pose risk like Crippling CII, Espionage, Cyber/Electronic warfare, Cyber Terrorism etc. Types of threats to CIIs
  9. 9. 9 Malware Attacks ( 19,719,262 distinct malware so far) Email attachments Smartphones Removable media Web Application Attacks Client Side Attacks, MITM Social Engineering Attacks Social network Wireless attacks DoS/DDoS Botnet SCADA APTs Embedded systems Supply Chain contamination Threat vectors to CII
  10. 10. 10
  11. 11. 11 Individuals Disgruntled or ex employee Rivals (Industrial Espionage) Hackers, Script kiddies, Crackers Cyber criminals (organized as well as unorganized) Hactivists Cyber Mercenaries Terrorist groups (CyberJehadis) Non state actors Hostile states Threat actors
  12. 12. 12 •Damage or destruction of CII •Disruption or degradation of services •Loss of sensitive and strategic information •Widespread damage in short time •Cascading effects on several CII Effects of Cyber Attacks on CII
  13. 13. 13 Example of Cyber Attacks on CII
  14. 14. 14 Discovered in June 2010 It is first known targeted worm to attack a particular type of Industrial Control Systems (ICS). It primarily spreads via portable USB drive It first exploits zero-day vulnerabilities to infect Windows based workstations then attacks associated Programmable Logical Controller (PLC) based SCADA machines and modifies their configuration and behaviour. Stuxnet, which affected the Nuclear program of Iran is the most sophisticated APT. Stuxnet Virus: A New weapon of War
  15. 15. 15 Concentration of infections in Iran. Stuxnet spread and geographical distribution of infected systems
  16. 16. 16 Discovered in September 2011. Affected countries include Iran, France, UK, Hungary, Austria, and Indonesia. It is a variant of Stuxnet virus. Unlike Stuxnet Duqu worm does not replicate but is ‘highly targeted’ and uses Trojans to gather sensitive information and passwords and send back to a command and control server. It does not have a payload like Stuxnet, but instead seems to exist to set up remote access capabilities. Duqu Virus: A Stuxnet Variant
  17. 17. 17 20 MB in size Cause: ◦Flame can spread to other systems over LAN or USB stick. ◦Mine computer to record Skype conversation, screenshots, keyboard activity and network traffic, turns infected computers into Bluetooth becons which attempt to download contact information from nearby Bluetooth- enabled devices. ◦Collected information is sent back to remote control servers. Effect: ◦Initially infected 1000 machines, with victims including governmental organizations, financial organizations etc. in Iran, Egypt, Sudan, Lebanon, Saudi Arabia and Israel. Flame Malware
  18. 18. 18 Targets: ◦Energy Sector. ◦Disrupted services of Saudi Aramco and Qatar RasGas. Effect: ◦Capable to spread to other offline workstations on network. ◦Wipes disks of workstations and overwrites Master Boot Record preventing them from booting. Motive: ◦Unlike other Cyber Espionage Malware, Shamoon is a Cyber Sabotage Weapon. Shamoon Malware (August 2012)
  19. 19. 19 From Cyber Skirmishes to Cyber Warfare
  20. 20. 20 Cause: ◦Malicious emails when opened dropped Trojan horse . ◦Trojan horse connects back to Control Server to download and install Gh0st Rat Trojan. Effect: ◦Gh0st Rat allows attackers to gain complete, real time control of computers running Microsoft windows. ◦Infiltrated high-value political, economic, and media locations in 103 countries. ◦Compromised computer systems of embassies, foreign ministries and other government offices, Dalai Lama’s centers in India, London and New York city etc. GhostNet: Cyber Spying Operation
  21. 21. 21 Cause: ◦A malware ecosystem employed by the attackers via GhostNet etc. ◦Ecosystem Leveraged multiple redundant cloud computing systems, social networking platforms, free web hosting services etc to maintain persistent control. Effect: ◦Complex cyber espionage network. ◦Theft of classified and sensitive documents. ◦Collateral compromise: Visa applications stolen. ◦Command and control Infrastructure that leverage cloud based social media services. Shadow in Cloud: Cyber Espionage
  22. 22. 22 On 4th December 2011, Iran captured an American Lockheed Martin RQ-170 Sentinel unmanned aerial vehicle (UAV) Iranian Government claimed that drone was brought down by its cyber warfare unit stationed near Kashmar. An Iranian engineer claimed that the drone was captured by jamming both satellite and land- originated control signals to the UAV, followed up by a spoofing attack, feeding the UAV false GPS data to make it land in Iran at what the drone thought was its home base in Afghanistan Cyber Attack brought down US Drone RQ-170
  23. 23. 23 Incident Time Frame ◦Start 27 April 2007, End 18 May 2007, Duration 3 weeks Methods ◦DoS and DDoS; Website defacement; Attacking DNS servers; ◦Mass e-mail and comment spam. Targets ◦Servers of institutions responsible for the Estonian Internet infrastructure; ◦Governmental and political targets (parliament, president, ministries, state agencies, etc); ◦Services provided by the private sector (ebanking, news organisations etc); ◦Personal and random targets. Estonia 2007 Cyber Conflict
  24. 24. 24 Incident Time Frame ◦Start 8 August 2008; End 28 August 2008; Duration 3 weeks Methods ◦DoS and DDoS attacks;Distribution of malicious software together with attack instructions; exploiting SQL vulnerability; ◦Defacement; Using e-mail addresses for spamming and targeted attacks. Targets ◦Government sites (President, Parliament, ministries; local government of Abkhazia); News and media sites, online Discussion forums, Financial institutions etc. Georgia 2008 Cyber Conflict
  25. 25. 25 Incident Time Frame ◦Start 28 June 2008; End 2 July 2008; Duration 4 days. Methods ◦Defacement. Pro-Soviet and communist symbols as well as profane anti-Lithuanian slogans posted on websites. ◦Some e-mail spam. Targets ◦Over 3oo private sector (95%) and governmental (5%) websites; ◦Damage largely avoided to the public sector due to timely warning; ◦Private sector suffered most. Lithuanian 2008 Cyber Conflict
  26. 26. 26 Cyber attacks on Indian Government Infrastructure
  27. 27. 27 As reported by Indian Computer Emergency Response Team (CERT-In) a total no. of 90, 119, 252 and 219 Government websites were defaced by various hacker groups in the year 2008, 2009, 2010 and January – October 2011 respectively 13000 incidents handled by CERT in in 2011 Cyber attacks on Indian Government Websites
  28. 28. 28 Loss of confidential information from sensitive organisations Email Compromises
  29. 29. 29 International efforts for Protection Of Critical Information Infrastructure
  30. 30. 30 UN Resolution 58/199 ITU, G8 Agencies for protection of Critical Infrastructure: ◦Europe: European program for Critical Information Infrastructure Protection (EPCIP) ◦United Kingdom: Centre for the Protection of National Infrastructure (CPNI) ◦United States: Responsibility of Critical Infrastructure protection falls under the jurisdiction of the Department of Homeland Security. ◦Australia: National Security agency ◦South Korea: National Intelligence Service International CIIP initiatives
  31. 31. 31 Information Security Management
  32. 32. 32 Some Information Security facts ◦ It is a multidisciplinary subject ◦Security depends on people, process more than technology; ◦Internal employees are a far bigger threat to information security than any outside threat; ◦Security is not static entity but a running process; it should flow through the organization. ◦Moving from technical, managerial, standardization & certification to the Forth wave of Information security Governance (B. Von Solms ) Information Security Management
  33. 33. 33 ◦ISO/IEC 27000 family; ◦ISO 31000: Risk Management; ◦ISO 22301: Business continuity Management etc . Federal Information Processing Standard (FIPS) Control Objective for Information and Related Technologies (COBIT) Information Technology Infrastructure Library (ITIL) Payment Card Industry Information Security Standard (PCIDSS) Data Security Council of India Security Framework (DSF) International Standards
  34. 34. 34 Specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System (ISMS) within an organisation. It is usually applicable to all types of organisations, including business enterprises, government agencies, and so on. It is a normative standard against which certification is obtained. Adopts Plan-DO-Check-Act (PDCA) model and is applied to structure all ISMS processes. ISO/IEC 27001
  35. 35. 35 Establish the ISMS Implement and operate the ISMS Monitor and Review the ISMS Maintain and Improve the ISMS Plan Do Check Act Information security Requirements and Expectations Managed Information Security and Operations PDCA Model ISO/IEC 27001 Standard (contd..)
  36. 36. 36 ISO/IEC 27001 ISMS Requirements ◦General requirements Establishing and managing the ISMS Establish the ISMS, Implement and operate the ISMS Monitor and review the ISMS, Maintain and improve the ISMS ◦Documentation requirements General, Control of documents, Control of records ◦Management responsibility Management commitment Resource management Provision of resources Training, awareness and competence ◦Internal ISMS audits ◦Management review of the ISMS General, Review input, Review output ◦ISMS improvement Continual improvement, Corrective action, Preventive action ISO/IEC 27001 Standard (contd..)
  37. 37. 37 Criminal Offences Subsection Sending offensive messages, including attachments, through communications service 66A Dishonestly receiving stolen computer resource or communication device 66B Identity theft 66C Cheating by personating 66D Violation of privacy 66E Cyber terrorism: defined as causing denial of service, illegal access, introducing a virus in any of the critical information infrastructure of the country defined u/s 70 with the intent to threaten the unity, integrity, security or sovereignty of India or strike terror in the people or any section of the people; or gaining illegal access to data or database that is restricted for reasons of the security of state or friendly relations with foreign states. 66F Publishing or transmitting of material containing sexually explicit act in electronic form 67A Publishing or transmitting of material depicting children in sexually explicit act 67B Preservation and retention of information by intermediaries as may be specified for such duration and in such manner and format as the central government may prescribe. 67C IT Act 2000
  38. 38. 38 Section 70 deals with declaration of protected systems as any computer resource which directly or indirectly affects the facility of critical information infrastructure (CII) Protected Systems
  39. 39. 39 Sec 66 F: Punishment for Cyber Terrorism- (1) Whoever,- (A) with intent to threaten the unity, integrity, security or sovereignty of India or strike error in the people or any section of the people by- (i) deny or cause the denial of access to any person authorized to access computer resources; or (ii) attempting to penetrate or access a computer resource without authorization or exceeding authorised access; or (iii) introducing or causing to introduce any computer contaminant; or and by any means of such conduct causes or is likely to cause death or injuries to person or damage to or destruction of property or disrupts or knowing that it is likely to cause damage or disruption of supplies or services essential to the life of the community or adversely affect the critical information infrastructure specified under section 70. Cyber Terrorism
  40. 40. 41 Under Section 70A NCIIPC, under NTRO is being declared as the nodal agency for the protection of Critical Information Infrastructure of India. Gazette notification for NCIIPC under section 70A (1) is underway. NCIIPC under its mandate from section 70A(2) of IT Act is responsible for all measures including R&D for protection of Critical Information Infrastructure Rules under section 70A being notified. National Critical Information Infrastructure Protection Centre (NCIIPC)
  41. 41. 42 NCIIPC Vision “To facilitate safe, secure and resilient Information Infrastructure for Critical Sectors of the Nation”
  42. 42. 43 “To take all necessary measures to facilitate protection of Critical Information Infrastructure from unauthorized access, modification, use, disclosure, disruption, incapacitation or destruction through coherent coordination, synergy and raising information Security awareness among all stakeholders.” NCIIPC Mission
  43. 43. 44 CERT-IN NCIIPC Organizational Security Department LEAs LOW Criticality HIGH HIGH Dependency Dependency and Criticality Matrix for NCIIPC
  44. 44. 45 Prevention and early warning Detection Mitigation Response Recovery Resilience
  45. 45. 46 Identification of Critical Sub-sectors Study of Information Infrastructure of identified critical sub-sectors Issue of Daily / Monthly cyber alerts / advisories Malware Analysis Tracking zombies and Malware spreading IPs Cyber Forensics activities Research and Development for Smart and Secure Environment. Facilitate CII owners in adoption of appropriate policies, standards, best practices for protection of CII. Annual CISO Conference for Critical Sectors. Awareness and training 24X7 operation and helpdesk NCIIPC Activities
  46. 46. NTRO has identified 17 sub-sectors initially and has started activities for 7 sub-sectors named below: •Air Traffic Management (ATM), Civil Aviation (Transportation) •Power grid (Energy) •MTNL •NSEI •BSNL •Railways •SBI
  47. 47. Sl No. SECTOR as identified in crisis management plan 2010 Sub- sector Dept./Agency Organization Specific Area Remarks 1. Transportation Civil aviation AAI ATC Work under progress 2. Transportation Railways IRCTC RAILTEL Passenger reservation system, communication Work under progress 3. Transportation Shipping Port Port management 4. Energy Power Powergrid corporation POSOCO Work under progress 5. Energy Nuclear BAARC, NPCL 6. Energy Oil & Gas ONGC 7. Finance/Banking Finance NSE, BSE, Central Economic Intelligence Bureau (CEIB) SIEN network (CEIB) NFS(National Financial Switches) Work under progress 8. Finance/Banking Banking SBI, RBI INFINET, NEFT, SIEN Work under progress 9. ICT Communication MTNL, BSNL Work under progress
  48. 48. Sl No. SECTOR as identified in crisis management plan 2010 Sub- sector Dept./Agency Organization Specific Area Remarks 10. ICT IT NIC NKN, SWAN 11. Law Enforcement, Security & intelligence Law Enforcement & Security ITBP, SSB, CRPF, Assam Rifles, BSF, CISF 12. Law Enforcement, Security & intelligence Law Enforcement & Security MHA CCTNS 13. Law Enforcement, Security & intelligence Intelligence Agencies R&AW, IB, NTRO, CBI, NIA NATGRID, FRRO Networks Cobweb Work under progress 14. Space -- ISRO Spacenet, Remote sensing, spacebased Programme 15. Defence Army, Navy, Air Force, Coast guard, Strategic Forces Command 16. MEA -- -- Passport Database/Visa OTHERS 17. Sensitive Govt. Organisations PMO, NSCS, Planning Commission, Cabinet Sectt., MHS, Registrar General Doordarshan & AIR AADHAAR Network from any of these areas which go through NIC
  49. 49. 50 Each Organisation/Ministry in Critical Sector should nominate a Nodal Officer (CISO) for interaction with NCIIPC. CISO will be the point of contact for NCIIPC. Nodal Officer/CISO
  50. 50. 51 CISO responsibilities include, but not limited to: ◦Build an Information security culture ◦Assist senior management in the development, implementation and maintenance of an information security infrastructure. ◦Develop, communicate and ensure compliance with organizational information security policy, standards and guidelines ◦Ensure regulatory and Standards compliance ◦Develop a security awareness and training program ◦Periodically conduct internal audit to check compliance with organizational security policy, standard and guidelines ◦Risk Management ◦Incident Management ◦Business Continuity Management ◦Assist senior management in acquisition of products, tools and services related to information & related technology. CISO Roles & Responsibilities
  51. 51. 52 Guidelines for Protecting Critical Information Infrastructure Under preparation with the help of Academia and Industry
  52. 52. 53 We understand several Ministries/Departments have identified organisations under their administrative control as a Sectoral CERT for their respective Ministries/Departments We would expect these Sectoral CERTS henceforth workout an institutional mechanism to synergistically work with NCIIPC towards providing effective protection to the CII in these Ministries/Departments. NCIIPC Expectations
  53. 53. 54 Take some time to fill questionnaire Provide details of information security measures being taken in your organisation Leave above documents when you go for lunch. Feedback
  54. 54. 55 Marching towards building a culture of cyber security NCIIPC at your Service Thank you