A talk about Critical Information Infrastructure (CII).

1. 1
Role, Charter & Responsibilities
A Presentation by Muktesh Chander IPS
Centre Director
NCIIPC
NTRO
Government of India
National Critical Information
Infrastructure Protection
Centre (NCIIPC)

2. 2
Critical Information Infrastructure (CII)
Threats to CII
Examples of Cyber attacks to CIIs
International Critical Information Infrastructure Protection Efforts
International Information Security Standards
Information Security initiatives in India
National Critical Information Infrastructure Protection Centre (NCIIPC)
Outline of Presentation

3. 3
Energy
Transportation ( air, surface, rail & water)
Banking & Finance
Telecommunication
Defence
Space
Law enforcement, security & intelligence
Sensitive Government organisations
Public Health
Water supply
Critical manufacturing
E-Governance
…

4. 4
In general Critical Infrastructure (CI) can be defined as:
“those facilities, systems, or functions, whose incapacity or destruction would cause a debilitating impact on national security, governance, economy and social well-being of a nation”.
Critical Information Infrastructure (CII) are those ICT infrastructure upon which core functionality of Critical Infrastructure is dependent.
 As per Section 70 of IT Act 2000, CII is defined as:
“the computer resource, the incapacitation or destruction of which, shall have debilitating impact on national security, economy, public health or safety.”
Critical Information Infrastructure

5. 5
Information Infrastructure
CI
CI
CI
CII
CII
CI
CII
Figure: Varying Dependence of CI on Information Infrastructure
Inter-dependence

6. 6
Characteristics of CII
Highly Complex
Distributed
Interconnected
Interdependent
Increasing trend in all of the above

7. 7
Complexity and Inter-dependence
of CII

8. 8
Threats to CII are classified as:
◦Internal Threat
It is defined as “One or more individuals with the access and/or inside knowledge of a company, organization, or enterprise that would allow them to exploit the vulnerabilities of that entity’s security, systems, services, products, or facilities with the intent to cause harm.”
Insider betrayals cause losses due to IT sabotage, Fraud, and Theft of Confidential or proprietary information
This may be intentional or due to ignorance
◦External Threat
Arise from outside of the organization by individuals, hackers, organizations, terrorists , foreign Government agents, non state actors and pose risk like Crippling CII, Espionage, Cyber/Electronic warfare, Cyber Terrorism etc.
Types of threats to CIIs

9. 9
Malware Attacks ( 19,719,262 distinct malware so far)
Email attachments
Smartphones
Removable media
Web Application Attacks
Client Side Attacks, MITM
Social Engineering Attacks
Social network
Wireless attacks
DoS/DDoS
Botnet
SCADA APTs
Embedded systems
Supply Chain contamination
Threat vectors to CII

10. 10

11. 11
Individuals
Disgruntled or ex employee
Rivals (Industrial Espionage)
Hackers, Script kiddies, Crackers
Cyber criminals (organized as well as unorganized)
Hactivists
Cyber Mercenaries
Terrorist groups (CyberJehadis)
Non state actors
Hostile states
Threat actors

12. 12
•Damage or destruction of CII
•Disruption or degradation of services
•Loss of sensitive and strategic information
•Widespread damage in short time
•Cascading effects on several CII
Effects of Cyber Attacks on CII

13. 13
Example of Cyber Attacks on CII

14. 14
Discovered in June 2010
It is first known targeted worm to attack a particular type of Industrial Control Systems (ICS).
It primarily spreads via portable USB drive
It first exploits zero-day vulnerabilities to infect Windows based workstations then attacks associated Programmable Logical Controller (PLC) based SCADA machines and modifies their configuration and behaviour.
Stuxnet, which affected the Nuclear program of Iran is the most sophisticated APT.
Stuxnet Virus: A New weapon of War

15. 15
Concentration of infections in Iran.
Stuxnet spread and geographical distribution of infected systems

16. 16
Discovered in September 2011.
Affected countries include Iran, France, UK, Hungary, Austria, and Indonesia.
It is a variant of Stuxnet virus.
Unlike Stuxnet Duqu worm does not replicate but is ‘highly targeted’ and uses Trojans to gather sensitive information and passwords and send back to a command and control server.
It does not have a payload like Stuxnet, but instead seems to exist to set up remote access capabilities.
Duqu Virus: A Stuxnet Variant

17. 17
20 MB in size
Cause:
◦Flame can spread to other systems over LAN or USB stick.
◦Mine computer to record Skype conversation, screenshots, keyboard activity and network traffic, turns infected computers into Bluetooth becons which attempt to download contact information from nearby Bluetooth- enabled devices.
◦Collected information is sent back to remote control servers.
Effect:
◦Initially infected 1000 machines, with victims including governmental organizations, financial organizations etc. in Iran, Egypt, Sudan, Lebanon, Saudi Arabia and Israel.
Flame Malware

18. 18
Targets:
◦Energy Sector.
◦Disrupted services of Saudi Aramco and Qatar RasGas.
Effect:
◦Capable to spread to other offline workstations on network.
◦Wipes disks of workstations and overwrites Master Boot Record preventing them from booting.
Motive:
◦Unlike other Cyber Espionage Malware, Shamoon is a Cyber Sabotage Weapon.
Shamoon Malware (August 2012)

19. 19
From Cyber Skirmishes
to
Cyber Warfare

20. 20
Cause:
◦Malicious emails when opened dropped Trojan horse .
◦Trojan horse connects back to Control Server to download and install Gh0st Rat Trojan.
Effect:
◦Gh0st Rat allows attackers to gain complete, real time control of computers running Microsoft windows.
◦Infiltrated high-value political, economic, and media locations in 103 countries.
◦Compromised computer systems of embassies, foreign ministries and other government offices, Dalai Lama’s centers in India, London and New York city etc.
GhostNet: Cyber Spying
Operation

21. 21
Cause:
◦A malware ecosystem employed by the attackers via GhostNet etc.
◦Ecosystem Leveraged multiple redundant cloud computing systems, social networking platforms, free web hosting services etc to maintain persistent control.
Effect:
◦Complex cyber espionage network.
◦Theft of classified and sensitive documents.
◦Collateral compromise: Visa applications stolen.
◦Command and control Infrastructure that leverage cloud based social media services.
Shadow in Cloud: Cyber
Espionage

22. 22
On 4th December 2011, Iran captured an American Lockheed Martin RQ-170 Sentinel unmanned aerial vehicle (UAV)
Iranian Government claimed that drone was brought down by its cyber warfare unit stationed near Kashmar.
An Iranian engineer claimed that the drone was captured by jamming both satellite and land- originated control signals to the UAV, followed up by a spoofing attack, feeding the UAV false GPS data to make it land in Iran at what the drone thought was its home base in Afghanistan
Cyber Attack brought down US Drone RQ-170

23. 23
Incident Time Frame
◦Start 27 April 2007, End 18 May 2007, Duration 3 weeks
Methods
◦DoS and DDoS; Website defacement; Attacking DNS servers;
◦Mass e-mail and comment spam.
Targets
◦Servers of institutions responsible for the Estonian Internet infrastructure;
◦Governmental and political targets (parliament, president, ministries, state agencies, etc);
◦Services provided by the private sector (ebanking, news organisations etc);
◦Personal and random targets.
Estonia 2007 Cyber Conflict

24. 24
Incident Time Frame
◦Start 8 August 2008; End 28 August 2008; Duration 3 weeks
Methods
◦DoS and DDoS attacks;Distribution of malicious software together with attack instructions; exploiting SQL vulnerability;
◦Defacement; Using e-mail addresses for spamming and targeted attacks.
Targets
◦Government sites (President, Parliament, ministries; local government of Abkhazia); News and media sites, online Discussion forums, Financial institutions etc.
Georgia 2008 Cyber Conflict

25. 25
Incident Time Frame
◦Start 28 June 2008; End 2 July 2008; Duration 4 days.
Methods
◦Defacement. Pro-Soviet and communist symbols as well as profane anti-Lithuanian slogans posted on websites.
◦Some e-mail spam.
Targets
◦Over 3oo private sector (95%) and governmental (5%) websites;
◦Damage largely avoided to the public sector due to timely warning;
◦Private sector suffered most.
Lithuanian 2008 Cyber Conflict

26. 26
Cyber attacks on
Indian Government Infrastructure

27. 27
As reported by Indian Computer Emergency Response Team (CERT-In) a total no. of 90, 119, 252 and 219 Government websites were defaced by various hacker groups in the year 2008, 2009, 2010 and January – October 2011 respectively
13000 incidents handled by CERT in in 2011
Cyber attacks on Indian Government Websites

28. 28
Loss of confidential information from sensitive organisations
Email Compromises

29. 29
International efforts for Protection
Of Critical Information
Infrastructure

30. 30
UN Resolution 58/199
ITU, G8
Agencies for protection of Critical Infrastructure:
◦Europe: European program for Critical Information Infrastructure Protection (EPCIP)
◦United Kingdom: Centre for the Protection of National Infrastructure (CPNI)
◦United States: Responsibility of Critical Infrastructure protection falls under the jurisdiction of the Department of Homeland Security.
◦Australia: National Security agency
◦South Korea: National Intelligence Service
International CIIP initiatives

31. 31
Information Security Management

32. 32
Some Information Security facts
◦ It is a multidisciplinary subject
◦Security depends on people, process more than technology;
◦Internal employees are a far bigger threat to information security than any outside threat;
◦Security is not static entity but a running process; it should flow through the organization.
◦Moving from technical, managerial, standardization & certification to the Forth wave of Information security Governance (B. Von Solms )
Information Security Management

33. 33
◦ISO/IEC 27000 family;
◦ISO 31000: Risk Management;
◦ISO 22301: Business continuity Management etc .
Federal Information Processing Standard (FIPS)
Control Objective for Information and Related Technologies (COBIT)
Information Technology Infrastructure Library (ITIL)
Payment Card Industry Information Security Standard (PCIDSS)
Data Security Council of India Security Framework (DSF)
International Standards

34. 34
Specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System (ISMS) within an organisation.
It is usually applicable to all types of organisations, including business enterprises, government agencies, and so on.
It is a normative standard against which certification is obtained.
Adopts Plan-DO-Check-Act (PDCA) model and is applied to structure all ISMS processes.
ISO/IEC 27001

35. 35
Establish the ISMS
Implement and operate the ISMS
Monitor and Review the ISMS
Maintain and Improve the ISMS
Plan
Do
Check
Act
Information security Requirements and Expectations
Managed Information Security and Operations
PDCA Model
ISO/IEC 27001 Standard (contd..)

36. 36
ISO/IEC 27001 ISMS Requirements
◦General requirements
Establishing and managing the ISMS
Establish the ISMS, Implement and operate the ISMS
Monitor and review the ISMS, Maintain and improve the ISMS
◦Documentation requirements
General, Control of documents, Control of records
◦Management responsibility Management commitment
Resource management Provision of resources
Training, awareness and competence
◦Internal ISMS audits
◦Management review of the ISMS
General, Review input, Review output
◦ISMS improvement
Continual improvement, Corrective action, Preventive action
ISO/IEC 27001 Standard (contd..)

37. 37
Criminal Offences
Subsection
Sending offensive messages, including attachments, through communications service
66A
Dishonestly receiving stolen computer resource or communication device
66B
Identity theft
66C
Cheating by personating
66D
Violation of privacy
66E
Cyber terrorism: defined as causing denial of service, illegal access, introducing a virus in any of the critical information infrastructure of the country defined u/s 70 with the intent to threaten the unity, integrity, security or sovereignty of India or strike terror in the people or any section of the people; or gaining illegal access to data or database that is restricted for reasons of the security of state or friendly relations with foreign states.
66F
Publishing or transmitting of material containing sexually explicit act in electronic form
67A
Publishing or transmitting of material depicting children in sexually explicit act
67B
Preservation and retention of information by intermediaries as may be specified for such duration and in such manner and format as the central government may prescribe.
67C
IT Act 2000

38. 38
Section 70 deals with declaration of protected systems as any computer resource which directly or indirectly affects the facility of critical information infrastructure (CII)
Protected Systems

39. 39
Sec 66 F: Punishment for Cyber Terrorism- (1) Whoever,-
(A) with intent to threaten the unity, integrity, security or sovereignty of India or strike error in the people or any section of the people by-
(i) deny or cause the denial of access to any person authorized to access computer resources; or
(ii) attempting to penetrate or access a computer resource without authorization or exceeding authorised access; or
(iii) introducing or causing to introduce any computer contaminant; or and by any means of such conduct causes or is likely to cause death or injuries to person or damage to or destruction of property or disrupts or knowing that it is likely to cause damage or disruption of supplies or services essential to the life of the community or adversely affect the critical information infrastructure specified under section 70.
Cyber Terrorism

41. 41
Under Section 70A NCIIPC, under NTRO is being declared as the nodal agency for the protection of Critical Information Infrastructure of India.
Gazette notification for NCIIPC under section 70A (1) is underway.
NCIIPC under its mandate from section 70A(2) of IT Act is responsible for all measures including R&D for protection of Critical Information Infrastructure
Rules under section 70A being notified.
National Critical Information Infrastructure Protection Centre (NCIIPC)

42. 42
NCIIPC Vision
“To facilitate safe, secure and resilient Information Infrastructure for Critical Sectors of the Nation”

43. 43
“To take all necessary measures to facilitate protection of Critical Information Infrastructure from unauthorized access, modification, use, disclosure, disruption, incapacitation or destruction through coherent coordination, synergy and raising information Security awareness among all stakeholders.”
NCIIPC Mission

44. 44
CERT-IN
NCIIPC
Organizational Security Department
LEAs
LOW
Criticality
HIGH
HIGH
Dependency
Dependency and Criticality Matrix for NCIIPC

45. 45
Prevention and early warning
Detection
Mitigation
Response
Recovery
Resilience

46. 46
Identification of Critical Sub-sectors
Study of Information Infrastructure of identified critical sub-sectors
Issue of Daily / Monthly cyber alerts / advisories
Malware Analysis
Tracking zombies and Malware spreading IPs
Cyber Forensics activities
Research and Development for Smart and Secure Environment.
Facilitate CII owners in adoption of appropriate policies, standards, best practices for protection of CII.
Annual CISO Conference for Critical Sectors.
Awareness and training
24X7 operation and helpdesk
NCIIPC Activities

47. NTRO has identified 17 sub-sectors initially and has started activities for 7 sub-sectors named below:
•Air Traffic Management (ATM), Civil Aviation (Transportation)
•Power grid (Energy)
•MTNL
•NSEI
•BSNL
•Railways
•SBI

48. Sl No.
SECTOR as identified in crisis management plan 2010
Sub- sector
Dept./Agency
Organization
Specific Area
Remarks
1.
Transportation
Civil aviation
AAI
ATC
Work under progress
2.
Transportation
Railways
IRCTC RAILTEL
Passenger reservation system, communication
Work under progress
3.
Transportation
Shipping
Port
Port management
4.
Energy
Power
Powergrid corporation
POSOCO
Work under progress
5.
Energy
Nuclear
BAARC, NPCL
6.
Energy
Oil & Gas
ONGC
7.
Finance/Banking
Finance
NSE, BSE, Central Economic Intelligence Bureau (CEIB)
SIEN network (CEIB) NFS(National Financial Switches)
Work under progress
8.
Finance/Banking
Banking
SBI, RBI
INFINET, NEFT, SIEN
Work under progress
9.
ICT
Communication
MTNL, BSNL
Work under progress

49. Sl No.
SECTOR as identified in crisis management plan 2010
Sub- sector
Dept./Agency
Organization
Specific Area
Remarks
10.
ICT
IT
NIC
NKN, SWAN
11.
Law Enforcement, Security & intelligence
Law Enforcement & Security
ITBP, SSB, CRPF, Assam Rifles, BSF, CISF
12.
Law Enforcement, Security & intelligence
Law Enforcement & Security
MHA
CCTNS
13.
Law Enforcement, Security & intelligence
Intelligence Agencies
R&AW, IB, NTRO, CBI, NIA
NATGRID, FRRO Networks Cobweb
Work under progress
14.
Space
--
ISRO
Spacenet, Remote sensing, spacebased Programme
15.
Defence
Army, Navy, Air Force, Coast guard, Strategic Forces Command
16.
MEA
--
--
Passport Database/Visa
OTHERS
17.
Sensitive Govt. Organisations
PMO, NSCS, Planning Commission, Cabinet Sectt., MHS, Registrar General Doordarshan & AIR
AADHAAR
Network from any of these areas which go through NIC

50. 50
Each Organisation/Ministry in Critical Sector should nominate a Nodal Officer (CISO) for interaction with NCIIPC.
CISO will be the point of contact for NCIIPC.
Nodal Officer/CISO

51. 51
CISO responsibilities include, but not limited to:
◦Build an Information security culture
◦Assist senior management in the development, implementation and maintenance of an information security infrastructure.
◦Develop, communicate and ensure compliance with organizational information security policy, standards and guidelines
◦Ensure regulatory and Standards compliance
◦Develop a security awareness and training program
◦Periodically conduct internal audit to check compliance with organizational security policy, standard and guidelines
◦Risk Management
◦Incident Management
◦Business Continuity Management
◦Assist senior management in acquisition of products, tools and services related to information & related technology.
CISO Roles & Responsibilities

52. 52
Guidelines for Protecting Critical Information Infrastructure
Under preparation with the help of Academia and Industry

53. 53
We understand several Ministries/Departments have identified organisations under their administrative control as a Sectoral CERT for their respective Ministries/Departments
We would expect these Sectoral CERTS henceforth workout an institutional mechanism to synergistically work with NCIIPC towards providing effective protection to the CII in these Ministries/Departments.
NCIIPC Expectations

54. 54
Take some time to fill questionnaire
Provide details of information security measures being taken in your organisation
Leave above documents when you go for lunch.
Feedback

55. 55
Marching towards building a culture of cyber security NCIIPC at your Service Thank you