Protection of critical information infrastructure

nehaagarwal357 2,148 views 27 slides Apr 14, 2019

About This Presentation

Information Infrastructure is the term usually used to describe the totality of inter-connected computers and networks, and information flowing through them. Certain parts of this Information Infrastructure, could be dedicated for management / control etc of infrastructure providers’ e.g. Power ge...


Slide Content

Protection of Critical Information Infrastructure By: Rinchon Sanghkro Avibunno Aakriti Shukla Neha Agarwal Vansheeka Saxena

Critical Information Infrastructure
In general, Critical Infrastructure (CI) can be defined as: “those facilities, systems, or functions, whose incapacity or destruction would cause a debilitating impact on national security, governance, economy and social well-being of a nation.” Information Infrastructure is the term usually used to describe the totality of inter-connected computers and networks, and the information flowing through them. Critical Information Infrastructure (CII) is the information and communications technology infrastructure upon which the core functionality of Critical Infrastructure depends. As per section 70 of the IT Act 2000, CII is defined as: “the computer resource, the incapacitation or destruction of which, shall have a debilitating impact on national security, economy, public health or safety.”

Critical Sectors
Energy
Transportation (air, surface, rail & water)
Law enforcement, security & intelligence
Sensitive Government organisations
Banking & Finance
Telecommunication
Defense
Space
Public health
Water supply
Critical manufacturing
E-governance
Power generation

Characteristics of CII
1. Highly Complex
2. Interconnected
3. Interdependent
4. Distributed

Importance and management of CII
Critical infrastructures play a vital role in today’s societies, enabling many of the key functions and services upon which modern nations depend. From financial networks to emergency services, energy generation to water supply, these infrastructures fundamentally shape and continually improve our quality of life. Particularly vital in this regard are critical information infrastructures, the vast and crosscutting networks that link and effectively enable the proper functioning of other key infrastructures. The five basic steps that must be kept in mind are:
1. Determining risk management scope;
2. Identifying critical information infrastructure functions;
3. Analyzing critical function value chain and interdependencies;
4. Assessing critical function risk; and
5. Prioritizing and treating critical function risk.

National Critical Information Infrastructure Protection Centre (NCIIPC) - Origin
In 2008, in recognition of the rise in cyber vulnerabilities, threats and attacks, India’s Information Technology Act was amended. Section 70A was introduced, which laid down the mandate for the creation of a new agency to protect sectors designated as CII. Although those changes were made in 2008, the Gazette Notification by the Government of India came only on January 16, 2014. Under section 70A(1) of the Information Technology (Amendment) Act 2008, the Government of India has designated the ‘National Critical Information Infrastructure Protection Centre’ (NCIIPC) as the national nodal agency responsible for all measures, including research and development, relating to the protection of CII.

NCIIPC is driven by its mission “To take all necessary measures to facilitate protection of Critical Information Infrastructure from unauthorized access, modification, use, disclosure, disruption, incapacitation or destruction through coherent coordination, synergy and raising information security awareness among all stakeholders” and a vision “to facilitate safe, secure and resilient Information Infrastructure for Critical Sectors of the nation”. The NCIIPC started off with several sectors, but has now categorised them into five broad areas that cover the ‘critical sectors’. These are:
Power & Energy
Banking, Financial Institutions & Insurance
Information and Communication Technology
Transportation
E-governance and Strategic Public Enterprises

Guiding Principles
Development of mechanisms to facilitate identification of CII in conjunction with CI organizations.
Protection of CII through a risk management approach.
Ensuring compliance with NCIIPC policies, guidelines, advisories/alerts etc. by CII.
Develop capabilities for a real-time warning system and facilitate sharing of information on emerging threats, cyber attacks, vulnerabilities etc. with CIIs.
Lead and coordinate national programs and policies on Critical Information Infrastructure.

Guiding Principles (continued)
Establish national and international linkages/initiatives, including R&D, for the protection of CII.
Promote indigenous Research and Development (R&D) relating to protection of Critical Information Infrastructure.
Develop mechanisms to facilitate sharing of information among CII stakeholders as well as with NCIIPC.
Facilitate thematic workshops and Information Security Awareness and Training Programmes.
Facilitate capacity building towards creation of highly skilled manpower by engaging premier institutes like IISc, NITs etc. as well as private/non-government partners working on CIIP.
Establish Sectoral CERTs to deal with critical sector-specific issues.

NCIIPC Critical Controls
Implementation controls
Operational controls
Reporting and accountability controls
Disaster recovery controls
Planning controls

Planning Controls
Identification of CII
Information Security Department (ISD)
Vertical and Horizontal Interdependencies
Information Security Policy
Integration Control
VTR Assessment and Mitigation Controls
Security Certifications
Physical Security Controls

Implementation Controls
Asset and Inventory Control: To correlate and track all physical and virtual assets owned by the CIIs.
Access Control Policies: A role-based approach should be followed.
Identification and Authentication Control: Providing a unique identity to every user of the information.
Physical and Environmental Security
Testing and Evaluation of Hardware and Software: Organizations need to be cautious in deploying possibly contaminated hardware or software products, especially in CII. After procurement and before deployment of hardware there should be in-depth testing and evaluation of the systems.

Operational Controls
Data storage: Hashing and Encryption
Data Loss Prevention
Penetration Testing
Training, Awareness and Skill Up-gradation
Incident Management and Response
Critical Information Disposal and Transfer
Network Device Protection
APT Protection

Disaster Recovery/Business Continuity Planning (BCP) Controls
Contingency Planning
Data Back-up and Recovery Plan
Hot disaster recovery site
Warm disaster recovery site
Cold disaster recovery site
The entire aim of contingency planning is to reduce the impact of a disaster or any major CII outage to the minimum.

Reporting and Accountability Controls
Reporting to Govt. Agencies
Periodic Audit

Threats to Critical Information Infrastructure
Vulnerabilities are gaps/weaknesses in systems that allow an attacker to reduce the system's information assurance. Threats are actors/actions targeting the vulnerabilities in a system. Risks are the possibilities that a particular threat will successfully exploit a vulnerability, together with the resultant impact of that exploitation on the information assurance of the system.

Critical Information and Threats
Threat actors exploit the underlying vulnerabilities within application software, control system software, hardware or even people to gain access to the desired location in the network. Once the network, whether the enterprise or the control system network, is breached, they can execute commands, steal sensitive information such as designs or configuration, or corrupt the information flowing to the interfaces. Threat actors have their own set of motivational factors, varying from political to security or monetary gains to rivalry or competition. There are myriad malicious actors, varying from insiders (in the form of disgruntled employees or compromised/socially engineered employees), economic, military or adversary nation states and criminal syndicates to terrorists.

TYPES OF THREATS
Threats to critical infrastructure can be broadly classified into three categories:
Natural threats include weather problems in both hot and cold climates and also geological hazards like earthquakes, tsunamis, land shifting etc.
Accidental threats arise from failures, errors and miscalculations.
Human threats include all the attempts made by malicious actors to gain access to the system with the intent of causing harm or damage. They can be classified into Insider, Outsider and Collusion.

Human Threats
Insider: An insider could be a person (employee, partner, contractor or vendor) within the organization, having authorization or legitimate access to the asset where the attack has been executed. Generally, insiders possess the requisite information, credentials or security clearances pivotal to perpetrating an attack. There are different motivational factors, varying from monetary gain to disgruntlement and jealousy to vengeance.
Outsider: An outsider, as an adversary, is external to the organization and therefore does not have authorization or legitimate access to the targeted asset. The list of motivational factors is quite wide, as it could vary from acts of terrorism to crime and hacktivism to professional services.
Collusion: Collusion happens when an outsider partners with an insider to perpetrate an attack. In order to gain easy and definite access, adversaries are generally in quest of vulnerable insiders, and then exploit these insiders to their own advantage. However, the insider might sometimes unwittingly pass on certain information to the adversary.

Threat Vectors To Critical Information Infrastructure
A threat vector is a path or a tool that a threat actor uses to attack the target. They can be:
Malware
Email attachments
Removable drives
Web application attacks
Social networks
DDoS
Social engineering
Mobile phones

Objectives, Motivations and Characteristics of Cyber-attacks

ATTACK SURFACE AND THREAT VECTORING
An attack is fundamentally the convergence of vulnerability, accessibility of the system and capability of the adversary. An attack surface is the aggregate of all the points of entry for a potential attacker; these points are spread across the network, the software or the applications, and physical means of entry, and they also include the human beings involved. These points of entry let the attacker send data to the target or extract data from the target.
The network attack surface originates from the exposed constituents of networking technology, such as the protocols, the ports and communication channels; the devices, in the form of routers, firewalls or mobile phones; and the network applications, such as cloud-based services and firmware interfaces with external systems.
The software attack surface is calculated across all the code an organization executes, which includes the applications, different email services, configurations, databases, executables, web applications, mobile applications and operating systems, covering the interfaces, services, protocols and practices available to all users, particularly the components accessible to unauthenticated users.

The human attack surface considers the wide spectrum of vulnerabilities within people, which could compromise sensitive information and lead to an easy way into secured systems. These considerations are as diverse as social engineering attacks, inadvertent errors, malicious insiders, and death, disease or disability of human resources. A thorough attack surface analysis is a vital input to the process of setting up defensive mechanisms: firewalls, intrusion prevention systems, intrusion detection systems, data policy and other security measures. Despite defences, attacks do take place; for an attack to succeed, the attacker adopts a path or means to gain access to the target and deliver the malicious code, known as the attack vector. Common attack vectors are web application attacks, client-side attacks, network attacks, attacks using malware, DoS/DDoS attacks, social engineering or spear phishing attacks, man-in-the-middle attacks or interception of the communication channel, targeted attacks that evade/bypass perimeter protection devices, etc.

Strategies followed by Attackers to exploit Safety Instrumented Systems (SIS)
Attackers have now moved beyond reconnaissance and are leveraging their acquired knowledge of control networks to interrupt production and create safety incidents. They are targeting systems which are critical for national security, the economy and the health of citizens. Cyber terrorists could do tremendous damage if they wanted to, ranging from taking control of water treatment facilities to shutting down power generation plants to causing havoc with air traffic control systems, and all of these systems are extremely vulnerable to attack. Malicious actors have been penetrating the computer networks of companies that operate nuclear power stations, other energy facilities, and manufacturing plants. The threat is growing exponentially and could easily spin out of control. The malware referred to as Triton is significant for its impact on CII because it is not only part of an increasing focus of attacks on industrial control systems (ICSs), but is also the first to directly target a safety instrumented system (SIS).

RECENT CASE STUDIES
Venezuela Decries Attack On Critical Infrastructure (3 April 2019)
Iran Conducted Cyber Attacks On UK Infrastructure – Report (December 2018)
Hexion, Momentive and Norsk Hydro all hit by ransomware cyber attacks (March 2019)
Hackers beat university cyber-defences in two hours (4 April 2019)
