A Critical cogitation on Critical Information Infrastructure

Transcription

1 보안공학연구논문지 (Journal of Security Engineering), 제 5권제 3 호, 2008년 6월 A Critical cogitation on Critical Information Infrastructure Byeong-Ho KANG 1) Abstract Communication services and networks provide the backbone of the Korean economy and are vital to government offices, businesses and citizens. They are often referred to as critical information infrastructure. Information infrastructures like telephone lines, fibre optic cables and computer networks rule our lives, and they have to be safe. While Critical Infrastructure (CI) is essentially national in character, CII (Particularly the Internet) is essentially international because it is more properly borderless in character. Control of Critical in Infrastructure is in the hands of providers and politicians who still have a confused picture about it. This paper discusses Critical Information Infrastructure in Korea and its organization. Keywords : Critical Infrastructure, Critical Information Infrastructure, Critical Infrastructure Protection 1. Introduction Critical information infrastructure (CII) is composed of key sectors of modern society, including those vital to the national security and the essential functioning of industrialized economies, are dependent on a spectrum of highly interdependent national and international software-based control systems for their continuous, smooth and reliable operation. This information infrastructure underpins many elements of the critical infrastructure (CI). The Critical information infrastructure is facing a continuous change towards new ways of interaction with societies: Most evident is the growing use of open systems to monitor and control operations of the CI as well as information technology, the convergence of the media and telecommunications technology towards integrated information and communication technologies. Large parts of the Korean economy are relying on this. Many services and processes have become increasingly dependent on the functioning of information and communication technology (ICT) networks. As these networks tend to be decentralized, highly interconnected and interdependent, failures of these infrastructures could cascade and spread beyond national borders. 2. Critical Infrastructure and Critical Information Infrastructure There is a lack of clarity between Critical Infrastructures and Critical Information Infrastructures in almost all Received(March 10, 2008), Review request(march 11, 2008), Review Result(1st:April 01, 2008, 2nd:April 21, 2008) Accepted(June 30, 2008) 1 Professor, University of Tasmania, Australia bhkang@utas.edu.au 201

2 A Critical cogitation on Critical Information Infrastructure documentation related to Critical Infrastructure. A common list of what are termed Critical Infrastructures has been arrived at: Finance, Energy, Food Supply, Health, Government Services, Law and order, Manufacturing, National Icons, Transport, Water, Waste Water, People, Education. Each of these has a reliance on Critical Information Infrastructure to a greater or lesser extent. Information Infrastructure is more prevalent in the OECD than elsewhere, and it can be said that in the areas of Finance, Food, Manufacturing, and Transport there is total reliance on Critical Information Infrastructure. That this is so should be reasonably obvious. However, for the sake of clarity it is worth pointing out that Finance depends on the electronic investment, commercial, and personal banking services to be maintained; food depends on the supermarket, and other outlets, reordering and just-in-time processes to function as a supply chain; manufacturing depends on a variety of Manufacturing Resource Programs to succeed and Transport depends heavily on electronic information, ticketing, and electronic control measures These infrastructures would simply not survive a collapse in the Critical Information Infrastructure. This is without necessarily introducing the Internet into the equation. All other Critical Infrastructures also have heavy dependence on electronic information systems. In many cases they are now dependent on Information Infrastructure; it is just that in these cases there is a possibility of returning to some form of manual alternative. Critical Information Infrastructure is proportionally more important than all other infrastructures because there is a dependence on Critical Information Infrastructure by all other infrastructures. It is important; therefore, to understand how well advanced the various parts of the Critical Information Infrastructure industry is in protecting itself and customers from this perspective. The operation of Critical Information Infrastructure demands in terms of an approach a series of approaches and standards to make operation of information technologies safe. As yet, most of such development is in private hands and not coordinated, except at an information level, by any national or international body. From a practical standpoint some have realized much of the difficulty in managing Critical Information Infrastructure. The critical information infrastructure is crucial in providing public safety and stable services that are essential for everyday life. The following sectors are counted among the critical infrastructures that are heavily dependent on information and telecommunication technologies in Korea. Gas and Energy Transportation Telecommunication E-Government and National Government 202 Administration National security Emergency / Disaster Recovery Services

3 보안공학연구논문지 (Journal of Security Engineering), 제 5권제 3 호, 2008년 6월 National Defense Media Service Financial Service 2.1 CI and CII Critical Infrastructure Protection is more than Critical Information Infrastructure Protection, but Critical Information Infrastructure Protection is an essential part of Critical Infrastructure Protection. There is at least one characteristic for the distinction of the two concepts. While Critical Infrastructure Protection comprises all critical sectors of a nations infrastructure, Critical Information Infrastructure Protection is only a subset of a comprehensive protection effort, as it focuses on the Critical Information Infrastructure. The definition of exactly what should be subsumed under CI, and what under CII, is another question. Generally, the CII is that part of the global or national Information Infrastructure that is essentially necessary for the continuity of a country s critical infrastructure services. The CII, to a large degree, consist of, but is not fully congruent with the information and telecommunications sector, and includes components such as telecommunications, computers/software, the Internet, satellites, fiber-optics etc. The term is also used for the totality of interconnected computers and networks and their critical information flows. Protection of the CII has become especially important due to two reasons: their invaluable and growing role in the economic sector and their interlinking role between various infrastructure sectors and the essential requirement that other infrastructures function at all times. There are, moreover, several features that demand a clear distinction between CI and CII: First of all, the system characteristics of the emerging Information Infrastructure differ radically from traditional structures, including earlier Information Infrastructures. They differ in terms of scale, connectivity, and dependencies. This means that understanding them will require new analytical techniques and methodologies that are not yet available. Secondly, it appears that cyber-threats are evolving rapidly both in terms of their nature and of their capability to cause harm, so that protective measures require continual technological improvements and new approaches. The International CIIP handbooks, Dunn and Wigert (2009) [8], developed by the Swiss Federal Institute of Technology in Zurich have a high reputation. They are one of few authoritative sources of any research on Critical Infrastructure and Critical Information Infrastructure. However, they have a problem, confirmed by research for this book, with defining these terms. They comment that Critical Infrastructure is both global and national, and so is Critical Information Infrastructure. Critical Infrastructure is reviewed, as is to a lesser extent, Critical Information Infrastructure, against country models. Yet Critical Infrastructure is essentially national in character, and Information Infrastructures (particularly the Internet and World Wide Web) are essentially international in character. 203

4 A Critical cogitation on Critical Information Infrastructure 3. Public Sector Control A number of national and international mechanisms for developing public private partnerships and the sharing of information have been established. In terms of Critical Information Infrastructure many of them are operationally weak. All are relatively strong in terms of initiating Public Private Partnerships and Information Sharing Organizations. Public Private Partnerships are important to Critical Information Protection. This is because much of the infrastructure is in private hands. Yet in a review of OECD countries the Government takes no active operational steps. It acts as a facilitator in almost every case. This is not really good enough given the importance of the infrastructure. The commonly understood information sharing bodies, in a public private context, for Critical Information Infrastructure are CERTs and WARPs. CERT (pronounced SUHRT), officially called the CERT Coordination Center, is the Internet's official emergency team. [Fig. 1] CIIP in Korea. WARP is an acronym for Warning, Advice and Reporting Point. A WARP is a community or internal company based service to share advice and information on computer-based threats and vulnerabilities. 4. Critical Information Infrastructure in South Korea In general, all governmental organizations and their subsidiary organizations are in charge of CIIP. The National Cyber Security Center (NCSC) coordinates the efforts of these departments and agencies. In the field of cyber-crime investigation and prevention, the Internet Crime Investigation Center (ICIC) under the authority of the Supreme Public Prosecutors Office plays a central role. The Electronics & Telecommunications Research Institute has the leadership in developing technology and providing support to protect critical information 204

5 보안공학연구논문지 (Journal of Security Engineering), 제 5권제 3 호, 2008년 6월 infrastructure. The Ministry of Public Administration and Security, the Korea Communications Commission (the former Ministry of Information and Communication), and the Korea Internet Security Center (KISC; KrCERT / CC) within the Korean Information Security Agency (KISA) are undertaking efforts to foster a culture of safe internet and telecommunication networks. In addition, the structure of government organization was changed in February According to new regime plan, the Ministry of Information and Communication was abolished, and its functions in the area of information security were transferred to several ministries: the Ministry of Public Administration and Security, the Ministry of Knowledge and Economy, and the Korea Communication Commission. Therefore, the Ministry of Public Administration and Security, the Korea Communications Commission, and the Ministry of Knowledge and Economy have begun sharing CIIP-related responsibilities in Korea. As a public-private partnership, the national Information Security Alliance (NISA) strives to improve information security by fostering information exchange between governmental agencies, enterprises, and research institutes. The following sectors are counted among the critical infrastructures that are heavily dependent on information and telecommunication technologies. E-Government National Government Administration National security Emergency / Disaster Recovery Services National Defense Media Service Financial Service Gas and Energy Transportation Telecommunication 5. Organization All governmental organizations and their subsidiary organizations are in charge of CIIP. The National Cyber Security Center coordinates the efforts of these departments and agencies. In the field of cyber-crime investigation and prevention, the Internet Crime Investigation Center under the authority of the Supreme Public Prosecutors Office plays a central role. The Electronics & Telecommunications 205

6 A Critical cogitation on Critical Information Infrastructure Research Institute has the leadership in developing technology and providing support to protect critical information infrastructure. The Ministry of Public Administration and Security, the Korea Communications Commission (the former Ministry of Information and Communication), and the Korea Internet Security Center (KISC; KrCERT / CC) within the Korean Information Security Agency (KISA) are undertaking efforts to foster a culture of safe internet and telecommunication networks. In addition, the structure of government organization was changed in February According to new regime plan, the Ministry of Information and Communication was abolished, and its functions in the area of information security were transferred to several ministries: the Ministry of Public Administration and Security, the Ministry of Knowledge and Economy, and the Korea Communication Commission. Therefore the following have begun sharing CIIP-related responsibilities in Korea: the Ministry of Public Administration and Security, the Korea Communications Commission, and the Ministry of Knowledge and Economy. 6. Critical Information Infrastructure Protection Act 2001 The National Information Security Alliance (NISA) was established in September 2002 to improve information security by facilitating information exchange, presenting policies, and concentrating pan-governmental efforts. The alliance consists of 22 major governmental organizations, such as the Ministry of National Defense, the Ministry of Public Administration and Security, and the Korea Communications Commission, as well as information security officials from 17 public enterprises, communication network providers, the Korea Information Security Industry Association, research institutes, and experts from industry and academia. One main aspect of NISA s work is the executive meeting of chairpersons of the National Information Security Alliance, the Public Enterprise Information Security Alliance, and the Industrial-Educational-Research Information Security Alliance as a way of improving cooperation, while guaranteeing the autonomy of each of these actors within the alliance. The Act on Private Information Protection of Public Organizations, the Act on Promotion of Electronic Administration for e-government, and the Resident Registration Act in the public sector, as well as the Act on Promotion of Utilization of Information and Communication Network and Information Protection in the private sector deal with private information security systems. 7. Information Systems and Telecommunication Networks Protection Since attacks on telecommunication networks and information systems increases, the need for a systematic national-level protection system has become urgent. The Framework Act on Information Promotion, the Critical Information Infrastructure Protection Act, the Act on the Promotion of Utilization of Information and 206

7 보안공학연구논문지 (Journal of Security Engineering), 제 5권제 3 호, 2008년 6월 Communication Network Utilization and Information Protection, the e-commerce Framework Act, the e-government Act, the Act on Trade Automation Promotion, the Act on Industrial Infrastructure, and the Freight Distribution Promotion Act have been passed to protect information systems and telecommunication networks. 8. Conclusion Critical Information Infrastructure Protection (CIIP) is concerned with protection for telecommunication networks and information systems which are working as critical infrastructures significantly affecting quality of life, safety, and economic activities. In a country like Korea, where the utilization of CIIs are very common, it is better to understand and prepare this CII from threats. In this paper, we presented CII in Korea and discuss how the government Manages it since it is a National Concern. References [1] Critical Information Infrastructures: Resilience and Protection by Maitland Hyslop (2007) [2] WARP (information security) [3] What is Tech Target [4] Forum of Incident Response and Security Teams FIRST [5] CERT/CC [6] Act on Private Information Protection of Public Organizations (in Korean). [7] Elgin M. Brunner and Manuel Suter (2008) INTERNATIONAL CIIP HANDBOOK 2008 / 2009 [8] Isabelle Wigert & Myriam Dunn. Critical Information Infrastructure Protection (CIIP) Policies in Selected Countries: Findings of the CIIP Handbook [9] Korean Ministry of Government Legislation 207

8 A Critical cogitation on Critical Information Infrastructure Authors Byeong-Ho KANG He is a senior lecturer at the School of Computing, University of Tasmania, Australia and a head of Research and Development of a joint venture company, kmagent Pty.Ltd.,Hobart Australia. He received his Ph.D from the University of New South Wales, Sydney in 1996 and has worked in the Advanced Research Lab. HITACHI, Japan and Hoseo Univerity, Korea, before he joined the University of Tasmania in He also has worked in research and development projects with industries and research organizations, the Smart Internet Collaborative Research Centre, in Australia, the Asian Office of Aerospace Research Department, US in Japan. 208