Dr. Emadeldin Helmy Cyber Risk & Resilience Bus. Continuity Exec. Director, NTRA. The African Internet Governance Forum - AfIGF Dec 2017, Egypt

Transcription

1 Dr. Emadeldin Helmy Cyber Risk & Resilience Bus. Continuity Exec. Director, NTRA The African Internet Governance Forum - AfIGF Dec 2017, Egypt

2 Agenda Why? Threats Traditional security? What to secure? How..? Objectives, Stratigies Building resilience Implementing resilience Governance Tools

3 Def. What is CII/CIIP - Protecting communications or information service[s] whose availability, reliability and resilience are essential to the functioning of a modern [national] economy, security, and other essential social values. [ENISA] - Critical infrastructure are the assets, systems, and networks, whether physical or virtual, so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof. [DHS13] [ENISA]: [DHS13]: [EG15]: the Questionnaire for CIIP -SCCS

4 Responsibility to defend The CIIP is the government responsibility to protect, however it is mainly owned and operated by the private sector in most countries but who in the government?. Cyber warfare Cyber terrorism Government Responsibility Industrial espionage Cyber crime Public/Private Sector Responsibility 5

5 Setting Roles and Responsibilities Forming the Egyptian Supreme Council for Cyber security (ESCC): On 16 December 2014, ESCC was formed Headed by MoCIT. Reports to the Prime Minister Cabinet. Includes representatives from different CI ministries plus LEA. Looks after national strategies of Cyber Security and Critical Information Infrastructure protection. Supervises the implementation of Cyber security strategies. 7 An Owner and Single Point of Contact are designated.

6 Why?

7

8

9

10 Cyber Security isn t going far enough. Enter Cyber Resilience We have to move to the next step: implementing a Cyber Resilience (CR). Challenge: Plan Develop Execute Govern

11 Building our Strategy 20

12 Setting Our Strategy Objectives 1 - The objectives we want to achieve. 2- Define the scope of strategy. Select the design pattern. 3- Start small, improve then full deployment. Reduce the risk and secure the benefits of a trusted digital Egypt for businesses and individuals. The cyber security strategic initiative aims at developing and implementing a comprehensive framework for enhancing the security of and the trust in the ICT infrastructure, applications and services in Egypt, while protecting the privacy of various users. The cyber security initiative contributes to both MCIT 21roles; as an enabler and as regulator.

13 Objectives and Scope Our Objectives Achieving resilience. Building public-private partnership. Improving overall security. Visibility and early alerting mechanisms. International cooperation. Self sustainability of implementation. Scope The Telecom (ICT) Sector, Financial, and Energy, 22

14 Objectives: Cyber Security Capabilities Enable consistent evaluation and benchmarking Strategy Initiatives Enable prioritized actions 1 Share 2 Create 3 Partner 4 Identify 5 Raise

15 Public-Private Partnership It is about visibility of what is happening on privately-owned CI assets without being there. Objective List of Activities Processes / Procedures / Guidelines / Standards These partnerships create an environment to share critical threat information, risk mitigation, and other vital information and resources. PPP Sign protocols Monitor / alert Hi-level Technical level Probes Incident handling (Not exhaustive lists) Reporting 24 Source :

16 International Cooperation It is about exchange of information and providing support during incident handling and investigations between authorities. Objective List of Activities Sign protocols Processes / Procedures / Guidelines / Standards NDA s Intl. CoOp assign SPOCs Exchange alerts Publish papers analyze and test exchange experience Source: (Not exhaustive lists) 25

17 The Strategy Pattern Common patterns are: Bottom up. Top down. Hybrid. Bottom -Up (Advocacy) starts from details goes up to plans more overlaps / gaps more contribution / involvements less coordination Top-Down (Insight) starts from an insight / concepts doe ability is not guaranteed stakeholders participation is at minimum overall view is at its best better coordination more control over activities 26 National Telecom Regulatory Authority - EGYPT

18 Implementing the Strategy 28 National Telecom Regulatory Authority - EGYPT

19 What to Protect (Discovery Phase) - Collect information on in-hand CII : Stock taking of CII assets Perform quick mitigations Prioritize sectors (if more than one). Perform awareness sessions first. Surveys / questionnaires (preliminary/ detailed). Discuss with owners / operators. Discover areas that needs immediate attention. Perform mitigations (quick fix) if needed. 30 National Telecom Regulatory Authority - EGYPT

20 No suit Fits all CERT-RMM OCTAVE ES-C2M2 SGMM 3 rd party Risk Cybersecurity Assurance the foundation for a process improvement to operational resilience management. It defines the essential practices necessary to manage operational resilience. is a suite of tools, techniques, and methods for risk-based information security strategic assessment and planning. is a derivative that helps organizations evaluate, prioritize, and improve cybersecurity capabilities in the electricity subsector. is a framework for guiding electricity generation, transmission, and distribution companies in planning their transformation, prioritize their actions, and measure their progress Supply chain help organizations manage their external dependency risks focusing primarily on their relationships involving (ICT), Cyber Resilience Review, Risk and Vulnerability Assessment, and External Dependencies Management Assessment Working with the stakeholders,

21 Standards to be Used ISO Series: (27 standards) dealing with different aspects of information security. Standard Area ISO/IEC ISO/IEC ISO/IEC ISO/IEC ISO/IEC ISO/IEC 27017* ISO/IEC 27033* Source: Information security management Information security in telecom Security incident management Security risk management Five standards for network security Cloud security Guidelines for industrial process control in energy 33 National Telecom Regulatory Authority - EGYPT

22 Using Surveys / Questionnaires - Set of questions based on ISO27001 areas. - The questionnaire is designed for computer-processing. - The answers will trigger either an expanded investigation or regular processing - Will be used to achieve consistency of reviews. - Between questions for the short version, up to 300 questions in the extended version. - Available (in English) as of the shelf software (COTS) but Arabic needs considerable efforts (interpretation not translation). 34 National Telecom Regulatory Authority - EGYPT

23 Dealing with the Discovery Outcome 36 National Telecom Regulatory Authority - EGYPT

24 NIST Standards Requirements Derived from Widely Recognized Standards NIST Special Publication ISO/IEC NERC Critical Infrastructure Protection (CIP) Recommended Security Controls for Federal Information Systems Rev 3 and with Appendix I, ICS Controls Common Criteria for Information Technology Security Evaluation, Revision 3.1 Reliability Standards CIP-002 through CIP-009, Revisions 2 and 3 DoD Instruction Information Assurance Implementation, February 6, 2003 NIST Special Publication Guide to Industrial Control Systems (ICS) Security, June, 2011 NRC Reg. Guide 5.71 Cyber Security Programs for Nuclear Facilities, January 2010 CFATS RBPS 8- Cyber DHS Catalog of Recommendations Chemical Facilities Anti-Terrorism Standard, Risk-Based Performance Standards Guidance 8 Cyber, 6 CFR Part 27 DHS Catalog of Control Systems Security, Recommendations for Standards Developers, Versions 6 and 7 24

25 Cyber Resilience Review Evaluation Tool CRR-self-assessmentpackage The CRR is a no-cost, non-technical assessment to evaluate operational resilience and cybersecurity capabilities of an organization. The CRR is based on the CERT Resilience Management Model a process improvement model developed by Carnegie Mellon University s Software Engineering Institute for managing operational resilience Additional supporting material relating to the Framework can be found on the NIST website at

26 VM SA CNTL TRNG RISK EXD CCM SCM AM IM CRR Domain Goals Asset Management identify, document, and manage assets during their life cycle Incident Management identify and analyze IT events, detect cyber security incidents, and determine an organizational response Configuration and Change Management ensure the integrity of IT systems and networks Service Continuity Management ensure the continuity of essential IT operations if a disruption occurs Risk Management identify, analyze, and mitigate risks to critical service and IT assets External Dependencies Management establish processes to manage an appropriate level of IT, security, contractual, and organizational controls that are dependent on the actions of external entities Controls Management identify, analyze, and manage IT and security controls Training and Awareness promote awareness and develop skills and knowledge of people Vulnerability Management identify, analyze, and manage vulnerabilities Situational Awareness actively discover and analyze information related to immediate operational stability and security

27 How to least Risk Manage? Vendor Management Policies and Procedures Security Awareness/Education Risk Assessment Enforcement of Policies & Procedures Basic Data Security Good Practices

28 Thanks for attention