
dsa: the journey so far

CYBER SECURITY
In India, the following sectors have been identified as critical: Energy; Transportation (air, surface, rail and water); Banking and Finance; Telecommunication; Defence; Space; Law enforcement, security and intelligence; Sensitive government organisations; Public health; Water supply and disposal; Critical manufacturing; E-governance.

Establish sectoral Computer Emergency Response Teams (CERTs) to deal with critical sector specific issues. These guiding principles have helped NCIIPC to draw a CIIP road map to achieve safe, secure and resilient CII of the nation.

CIIP Guidelines

NCIIPC Mission And Objectives

PROTECTION OF NATIONAL CRITICAL INFORMATION INFRASTRUCTURE
As India's economy and society have begun to rely on information systems and networks that are interconnected and interdependent, nationally and globally, several of those systems and networks have become vital for the nation. Their protection from cyber attacks, and towards ensuring better quality of service to customers, is consequently a priority focus area, as part of the overall national cyber security initiative.
With the advancement of convergent communication technologies and shared information systems in India, Critical Sectors are becoming more dependent on their Critical Information Infrastructure (CII). These CIIs are interconnected, interdependent, complex and distributed across various geographical locations. Various inherent threats such as terrorist attacks, organised crimes, cyber espionage and malicious cyber activities afflicting the CIIs are growing rapidly. Protection of CIIs of the nation is one of the paramount concerns of the Indian government as an important component of national security. Under Section 70A of IT (Amendment) Act 2008, National Critical Information Infrastructure Protection Centre (NCIIPC) of National Technical Research Organisation (NTRO) has been identified as the nodal agency to coordinate with government departments, private and public sector stakeholders for protection of Critical Information Infrastructures (CIIs) and for taking all measures including associated Research and Development for the protection of CIIs in India. Gazette notification for NCIIPC under section 70A (1) of IT Act 2008 is underway. Rules under section 70A are also being notified.

As India is integrating with global economies and societies, her reliance on information systems and networks, that are interconnected and interdependent, is increasing exponentially. These interconnected networks and systems are widely acknowledged as Critical Information Infrastructure (CII). In general, Critical Infrastructure (CI) can be defined as: "Those facilities, systems or functions, whose incapacity or destruction would cause a debilitating impact on national security, governance, economy and social well-being of a nation." Critical Information Infrastructures (CIIs) are those ICT infrastructures upon which core functionality of Critical Infrastructure is dependent. Thus CII is a sub-set of CI.

As per Section 70A of IT (Amendment) Act 2008, CII is defined as: "The computer resource, the incapacitation or destruction of which, shall have debilitating impact on national security, economy, public health or safety." Characteristics of CIIs are that they are: highly complex; distributed; interconnected; interdependent; heterogeneous.

NCIIPC is mandated to follow best global and practical approaches, controls and guidelines for accomplishing its mission for protection of CIIs in line with its clear vision of providing safe, secure and resilient environment. NCIIPC is driven by its mission "To take all necessary measures to facilitate protection of Critical Information Infrastructure, from unauthorised access, modification, use, disclosure, disruption, incapacitation or destruction through coherent coordination, synergy and raising information security awareness among all stakeholders" and with a vision "to facilitate safe, secure and resilient Information Infrastructure for Critical Sectors in the country".

In January 2013, a Joint Working Group (JWG) consisting of representatives from the government and private sector was appointed by Government of India with the following key objectives: To study various approaches, international standards and best practices for Critical Information Infrastructure Protection (CIIP). To interact with stakeholders and regulators to understand their requirements and environment. To evolve the appropriate guidelines for CIIP specific to the country. To evolve a strategy to implement the guidelines thus evolved.

MUKTESH CHANDER IPS


The writer is Joint Commissioner of Police, Prime Minister's Security. He was Centre Director of Centre for Cyber Deterrence and Information Assurance in National Technical Research Organisation, Government of India. He has been DIG of Police, Goa, Additional Commissioner of Police, Crime and Traffic Delhi and Inspector General of Police Daman and Diu. He graduated in Electronics and Telecommunication Engineering from Delhi University in first class with distinction. He holds a law degree from Delhi University. He has completed his Master's Degree in Criminology and is pursuing his PhD in Information Security Management from IIT, Delhi. He has also done Hostage Negotiation course at Louisiana State Police Academy, USA. His current areas of interest are Cyber crime and its detection, cyber terrorism, E-governance, Digital Signatures, Cryptography, E-policing, Information security and Cyber laws, Social media monitoring etc. He has been awarded police medal for meritorious service and President's police medal for distinguished service.

To achieve its mission and vision, NCIIPC has formulated the following guiding principles: Develop mechanism to facilitate identification of CII, protection of CII through risk management and ensuring compliance of NCIIPC policies, guidelines, advisories / alerts etc by CIIs. Lead and coordinate national programmes and policies on Critical Information Infrastructure protection. Establish national and international linkages / initiatives for the protection of CIIs including R&D. Promote indigenous Research and Development (R&D) relating to protection of Critical Information Infrastructure including modelling and simulation of complex CIIs, development of CIIP tools and threat scenarios. Develop mechanism to facilitate sharing of information on information security breaches, incidents, cyber attacks, espionage etc among CII stakeholders as well as with NCIIPC. Facilitate thematic workshops and information security awareness and training programmes. Facilitate capacity building towards creation of highly skilled manpower through engaging premier institutes like Indian Institute of Science, Indian Institutes of Technology, National Institutes of Technology etc as well as private / non-government partners working on CIIP. Develop capability for real time warning system and facilitate sharing of information on emerging threats, cyber attacks, vulnerabilities etc with CIIs.

The JWG was headed by Prof N Balakrishnan, Associate Director of Indian Institute of Science, Bangalore as Chairman. Mr Kiran Karnik, Chairman, CII National Committee on Telecom and Broadband, Mr Virat Bhatia, Chairman, Communication and Digital Economy Committee, FICCI and Mr Muktesh Chander IPS, Ex-Centre Director of NTRO were its members.

The writer at the release function


October 2013 DEFENCE AND SECURITY ALERT

In view of the need for a multi-stakeholder dialogue, the JWG had consultations with experts across the critical sectors such as Communications, Banking and Insurance, Power and Energy, Aviation, Railways, other organisations of strategic importance and the sector regulators including Directorate General of Civil Aviation (DGCA), Telecom Regulatory Authority of India (TRAI), Reserve Bank of India (RBI) and Securities and Exchange Board of India (SEBI). Since the communications network forms the first line of defence with regard to any cyber security threat and in turn provides the linkages across several sector networks within the CII, the JWG also met key telecom industry associations including Cellular Operators Association of India (COAI), Association of Unified Telecom Service Providers of India (AUSPI), Internet Service Providers Association of India (ISPAI), Association of Competitive Telecom Operators (ACTO), Communication and Manufacturing Association of India (CMAI), Telecom Systems Design and Manufacturers Association (TSDMA) and Internet & Mobile Association of India (IAMAI).

After detailed discussions and consultations, the JWG prepared and submitted the Guidelines for Protection of National Critical Information Infrastructure. On 19th July 2013, these guidelines were released by Mr Shivshankar Menon, National Security Adviser to Government of India in presence of Mr AG Apte, Chairman NTRO. The guidelines are suitable for India and have 40 controls for the protection of CIIs across various sectors. Development of these guidelines is one of the significant milestones for the protection of the nation's critical information assets.

The 40 controls for the protection of CIIs across sectors suggested by the JWG are: Identification of CIIs; Vertical and Horizontal interdependencies; Information Security Department; Information Security Policy; Training and Skill upgradation; Data Loss Prevention; Access Control Policies; Limiting Admin Privileges; Perimeter Protection; Incident Response; Risk Assessment Management; Physical Security; Identification and Authentication; Maintenance Plan; Maintaining, Monitoring and Analysing logs; Penetration Testing; Data Storage Hashing and Encryption; Feedback Mechanism; Security Certification; Asset and Inventory Management; Contingency Planning; Disaster Recovery Site; Predictable Failure Prevention; Information / Data Leakage Protection; DoS / DDoS Protection; Wi-Fi Security; Data Back-up plan; Secure Architecture Deployment; Web Application Security; Testing and Evaluation of Hardware and Software; Hardening of Hardware and Software; Period Audit; Compliance of Security Recommendations; Checks and Balances for Negligence; Advanced Persistent Threats (APT) protection; Network Device Protection; Cloud Security; Outsourcing and Vendor Security; Critical Information Disposal and Transfer; Intranet security.

Cyber Security: A Global Concern

In a networked world, there are no real safe havens. If you are on the network, you are automatically available to everyone else on the network. A key consequence is that security is not the concern of someone else; it is of necessity the concern of everyone, a collective global concern that must transcend national boundaries. National Cyber Security Policy 2013 mentions "To build a secure and resilient cyberspace for citizens, businesses and Government". Prime Minister Mr Manmohan Singh, in his speech at the Annual Conference of DGPs / IGPs on September 8, 2012, emphasised that "Our country's vulnerability to cyber crime is escalating as our economy and critical infrastructure become increasingly reliant on interdependent computer networks and the internet."

Cyber security is not something done by one person, but is a shared responsibility among all connected with and who use the ICT infrastructure. Therefore one key element of effective cyber security policy must be creating the right awareness of and incentive for cyber risk management at all levels: home computer users, small and large corporations (the main component of the critical infrastructure), as well as local, regional and national governments. This is why cyber security is such a complex and novel area of public policy concern. Cyber security concerns cannot be dealt with easily by market forces or by regulation but require a novel mix of solutions. These concerns are not the exclusive domain of economists, political scientists, lawyers, business policy or management experts, or computer specialists or even of national security experts or telecom regulators. Rather, a highly diverse group of stakeholders or key actors working in their domains and in concert have to play a potential role in orchestrating the set of functions that in aggregate result in an effective cyber security policy. Each stakeholder will need to take actions or communicate with other key actors in the private sector, semi-private sector, or the government, nationally or internationally. As a result, any effective approach to cyber security will result in a complex network of conversations among public and private entities both in a national and international context. These communications are seamless, having no bounds or limits, geographic or jurisdictional.

Stuxnet is a computer malware that targets industrial control systems that are used to monitor and control large scale industrial facilities like power plants, dams, waste processing systems and similar operations. It allows the attackers to take control of these systems without the operators knowing. This is the first attack we've seen that allows hackers to manipulate real-world equipment, which makes it very dangerous. It's like nothing we've seen before both in what it does and how it came to exist. It is the first computer virus capable of wreaking havoc in the physical world. It is sophisticated, well-funded and there are not many groups that could pull this kind of threat off. It is also the first cyber attack we've seen specifically targeting industrial control systems. Stuxnet can infect Windows systems and we all should protect ourselves from this and other online threats.

Whistleblower Edward Snowden told German magazine Der Spiegel that Israel and the United States created the Stuxnet computer virus that destroyed nuclear centrifuges in Iran. Snowden was asked if the US National Security Agency partners with other nations, like Israel. He responded that the NSA has a massive body responsible for such partnerships called the Foreign Affairs Directorate. He also was asked, "Did the NSA help to create Stuxnet?" Snowden responded, "NSA and Israel co-wrote it." Stuxnet, in 2010, wrought havoc on equipment at Iran's Natanz nuclear plant and complicated the manufacture of highly enriched uranium, which the West suspects is intended for making atomic weapons. The virus temporarily disabled 1,000 centrifuges being used by the Iranians to enrich uranium. Snowden, a former technical contractor for the NSA and employee of the CIA, revealed the existence of mass surveillance programmes by the United States and Britain against their own citizens and citizens of other countries. He said Germany and most other Western nations are "in bed together" with the NSA.

STUXNET virus is a game changer in the world. It was discovered in June 2010. It is the first known targeted worm to attack a particular type of Industrial Control Systems (ICS). It primarily spreads via portable USB drive. It first exploits zero-day vulnerabilities to infect Windows based workstations, then attacks associated Programmable Logic Controller (PLC) based Supervisory Control and Data Acquisition (SCADA) machines and modifies their configuration and behaviour. Stuxnet, which affected the Nuclear programme of Iran, is the most sophisticated APT.

Developing Global Relationships

Guidelines being released by National Security Adviser Mr Shivshankar Menon

Effective cyber security policy requires a wide range of global collaborative activities. This needs to take place at different levels between government and private sector stakeholders. These contacts must be both bilateral and multilateral. The reasons for these collaborations include information sharing on risks, vulnerabilities and best practices, developing formal and informal working relationships with key stakeholders in other countries with comparable roles and responsibilities and enabling the assessment of one's effort against those of similar countries. The global community should commit to developing the necessary resources and capabilities for implementing more effective cyber security policies on an international basis. Many multinational organisations including International Telecommunication Union (ITU), the Internet Engineering Task Force (IETF), the World Bank, the Organisation for Economic Co-operation and Development (OECD), the European Union etc have an important role in dealing with and implementing such policies.

An overview of a comparative analysis of the development of policies for the protection of Critical Information Infrastructure (CII) in Australia, Canada, South Korea, Japan, The Netherlands, The United Kingdom and the United States is in order. In these countries the critical information infrastructure encompasses the following: information components supporting the critical infrastructure; information infrastructure supporting essential components of government business; information infrastructure essential to the national economy. The following components have been considered by the above seven countries when implementing national policies for protection for the critical information infrastructure and cyber security programs: a national strategy; legal foundation; incident response capability; industry-government partnerships; a culture of security; information sharing mechanisms; risk management approach.

Generic National Framework

Societies all over the world are becoming more and more dependent on information technology. Critical Information Infrastructure Protection (CIIP) is universally acknowledged as a vital component of national security policy. In order to protect their critical infrastructure, some countries in Western Europe and North America have established sophisticated and comprehensive CIIP organisations.

The Four Pillars of CIIP

International Telecommunication Union has provided a Generic National Framework for Critical Information Infrastructure Protection which identifies the essential tasks of CIIP arranged in a Four Pillar Model. These four pillars are: prevention and early warning; detection; reaction; crisis management.

The Path Ahead

Taking a lesson from the most advanced countries, which have been facing threats to their CII, India needs to adopt a proactive approach in protecting its CIIs. Such computer systems and networks, which directly or indirectly affect the facility of CIIs, must be identified and declared as Protected Systems under the provisions of Section 70 of IT Act so that the provisions of punishment for cyber terrorism are applicable on the attacker. A National Cyber Security Operation Centre must be established for live tracking of threats, situational analysis and alert generation on 24x7 basis. Sector specific guidelines must also be formulated for micro management of information security in specific critical sectors. There must be annual review and evaluation of compliance of these guidelines, which must be made mandatory for protected systems. A National Institute of Critical Information Infrastructure Protection must be established for capacity building of stakeholders and Research and Development in this field. Co-operation of industry, academia and international agencies must be solicited to deal with the constantly evolving cyber threats and attack vectors. The possibility of a "Digital Pearl Harbour" is real and we cannot let it happen.
