Cyber Security in ICT Networks: CITEL Perspectives
Wayne Zeuch, Rapporteur, Standards Coordination, CITEL PCC.I
OAS Hemispheric Workshop on Cyber Security, Rio de Janeiro, Brazil, Nov 16-18, 2009
ICT Networks
- Convergence: Wireline/Wireless; PSTN / IP-based Networks; Information Technology / Telephony; Network-based services / 3rd Party Applications
- Next Generation Networks: Migration toward IP-based backbone networks is taking place, from single-service to multiservice, client/server-based networks. Full deployment of NGNs requires a flexible (software) architecture for service delivery based on IP Multimedia Subsystem (IMS)
- Interoperability: Interconnection of networks and Interoperability of Services
(NGN Infrastructure Technical Notebook, CITEL PCC.I)
Network convergence and the proliferation of end-user applications create new security challenges for ICT Networks
Service Oriented Networks
A Service Oriented Network (SON) is one in which service providers use agile methods to rapidly create new products and services from re-usable components (known as Service Enablers)
CHALLENGE: SON implementations must be secure and reliable
(NGN Standards Technical Notebook, CITEL PCC.I)
CITEL Work Process
[Diagram: Phases. Technologies (Security,...); Relevant Standards; Policy/Regulatory; Case Studies; Discussion/Debate; Awareness Raising; Issue Identification; Resolutions; Best Practices; Proposals; Endorsements]
CITEL PCC.I Technical Notebook
DESCRIPTION
- Provides a formalized means of maintaining an archive of technologies, best practices, policies, or regulatory information made available to the OAS Member States and CITEL telecom industry members
- Documents relevant activities, completed or in progress
- As a living document, it is updated on an ongoing basis with relevant information from contributions submitted to the Working Groups
Identifying issues and archiving valuable information for the use of the ICT community and in anticipation of future CITEL recommendations
CITEL PCC.I Technical Notebooks
Cybersecurity Critical Telecom Infrastructure Protection NGN Standards Convergence NGN Infrastructure Broadband Access Technologies NGN Networks Best Practices and Case Studies Fraud in the Provision of Telecom Services IPTV Best Practices VOIP Technology Aspects Number Portability Regulatory Best Practices Power Line Communication Technologies Economic Aspects of Universal Services
Cybersecurity Technical Notebook
- Provides an archive of Cybersecurity information available to the telecommunications industry and the Member States
- Highlights ongoing Regional and International cybersecurity strategy activities
- Addresses aspects relevant to developing national cybersecurity strategies
- Addresses issues of incident response, public-private partnerships, and the awareness-raising and application of relevant security standards
- Establishes links with the security standards discussions in the NGN Standards Technical Notebook
- Includes Appendices with national cybersecurity programs and best practices (Dominican Republic, Venezuela, Argentina)
Critical Telecommunication Infrastructure Protection (CTIP) Technical Notebook
Motivation
- The number of vulnerabilities in critical infrastructures tends to grow as the interdependencies between the infrastructures increase, both in number and complexity
- Dissemination of telecommunication networks into all infrastructures, and the increasing reliance of the critical infrastructures upon them, brings with it certain impacts that cannot be neglected
- Interruption of these services can threaten human life, destroy property, and destroy or corrupt information, possibly interrupting the work of governments and corporations
Strategies
- Key National CTIP Issues, Policies, Strategies
- Brazil (Information Security Steering Committee, CERT.br, Security Incident Response Team, CTIP Methodologies)
- Venezuela (SUSCERTE, VENCERT, CENIF)
Next Generation Networks: Standards Overview Technical Notebook
- Identifies NGN related standards that the Standards Coordination Group is studying
- Provides an archive of NGN technical information (including security-related topics) that is available to the telecom industry and the Member States
- Documents NGN standards, completed or in progress, which may be considered for future development into an SCD in accordance with the CITEL approval procedures
Identifying issues and archiving valuable standards information for the use of the ICT community and in anticipation of future CITEL endorsement
Next Generation Networks: Standards Overview Technical Notebook
The NGN Standards Technical Notebook identifies NGN related standards including relevant services, architectures and protocols (e.g., Signaling, Access, Transport, Management, Service Creation, QoS, Internet Protocol, Numbering). In particular,...
- Chapter 2, Emergency Telecommunications Service (ETS): ETS Types; Standardization Activities (ITU, IETF, ETSI, ATIS, others)
- Chapter 6, Security Standards (active): ITU-T Security Standards; Identity Management
- Chapter 15, Security Standards (archive): Internet Protocol Security (IPsec); Internet Key Exchange (IKE); Security Architecture for End-to-End Communication Systems
Cyber Security and CTIP Methodologies and Processes
Examples:
- ITU-T: Recommendation X.805, Security Architecture for End-to-End Network Security (NGN Standards Technical Notebook, CITEL PCC.I)
  [Figure: X.805 security architecture. Security layers: Applications Security, Services Security, Infrastructure Security. Planes: End User Plane, Control Plane, Management Plane. 8 Security Dimensions: Access Control, Authentication, Non-repudiation, Data Confidentiality, Communication Security, Data Integrity, Availability, Privacy. Labels: VULNERABILITIES; THREATS (Interruption, Interception, Modification, Fabrication); ATTACKS]
- ISO/IEC 27005: Risk Management Process (Cybersecurity Technical Notebook, CITEL PCC.I)
- Brazil: Methodologies created for Critical Telecommunications Infrastructure Protection (Cybersecurity Technical Notebook, CITEL PCC.I)
ITU-T Security Architecture
ITU-T Rec. X.805: Security Architecture for End-to-end Network Security (NGN Standards Technical Notebook, CITEL PCC.I)
[Figure: X.805 security architecture. Security layers: Applications Security, Services Security, Infrastructure Security. Planes: End User Plane, Control Plane, Management Plane. 8 Security Dimensions: Access Control, Authentication, Non-repudiation, Data Confidentiality, Communication Security, Data Integrity, Availability, Privacy. Labels: VULNERABILITIES; THREATS (Interruption, Interception, Modification, Fabrication); ATTACKS]
ITU-T Security Architecture
Security Program
- Consists of policies and procedures in addition to technology
- Includes three phases: Definition and Planning phase; Implementation phase; Maintenance phase
Security Architecture can guide the development of:
- comprehensive security policy
- incident response and recovery plans
- technology architectures
Security Architecture ensures that Security Program addresses each Security Dimension for each Security Layer and Plane
ISO/IEC 27005 Security Risk Management Cybersecurity Technical Notebook, CITEL PCC.I
Methodologies for Cybersecurity and CTIP Brazil CTIP Technical Notebook, CITEL PCC.I
Brazil Methodology for Critical Infrastructure Identification (MI2C) CTIP Technical Notebook, CITEL PCC.I
Standards Coordination Process
CITEL does not develop standards. CITEL identifies relevant standards and endorses their use in the Americas Region.
[Diagram: PCC.I Standards Coordination. Technology and Standards Presentations, Discussions; Standards Coordination Document (SCD); Standards Development (ITU, IETF, ); NGN Technical Notebook (if applicable); PCC.I Resolution Endorsing Standard]
- Raising awareness by socializing technology standardization activities/progress.
- Archiving standards descriptions in anticipation of future endorsement.
Standards Coordination
Standards topics identified:
- Communication system security (security framework, protocols, lawful intercept, identity management, fraud prevention)
- Multimedia service definition and architectures
- Signaling requirements and protocols (converged networks)
- IP-based services (VOIP, IPTV, etc.)
- Emergency services
- Interworking between traditional telecommunication networks and evolving networks
- Metropolitan and Long haul optical transport networks
- Access network transport (LANs, Wireless LANs, xDSL, Ethernet, cable modem, fiber, etc.)
- Terminals (PC, TV, PDA, phone, codecs, etc.)
- Management of communications services, networks and equipment
- Network aspects of IMT-2000 and beyond (wireless internet, harmonization and convergence, network control, mobility, roaming, etc.)
- Numbering, Naming and Addressing (ENUM)
- Performance and QoS
CITEL PCC.I Resolutions Endorsing Standards for the Americas Region (1)
Standard | Date
Gateway Control Protocol | March 2001
Intelligent Networks Capability Set 3 | March 2001
Intelligent Networks Capability Set 4 | Dec 2002
ITU-T Y.2000-Series Recs for NGN (SG13) | Sept 2003
ANSI-41 Evolved Core Network with CDMA2000 Access Network | Sept 2003
GSM Evolved UMTS Core Network with UTRAN Access Network | Sept 2003
Security Architecture for the Internet Protocol (IPsec) | March 2004
Security Architecture for Systems Providing End-to-End Communications (ITU-T Rec. X.805) | March 2004
CITEL PCC.I Resolutions Endorsing Standards for the Americas Region (2)
Standard | Date
Packet-Based Multimedia Communications Systems (ITU-T Rec. H.323) | March 2004
Interworking Between SIP and BICC Protocols or ISUP (Rec. Q.1912.5) | Sept 2004
SIP: Session Initiation Protocol | April 2005
ITU-T Rec. G.993.2, VDSL2: Very High Speed DSL-2 Transceivers | Sept 2006
ITU-T Rec. J.122, Second-Generation Transmission Systems for Interactive Cable Television Services - IP Cable Modems | Sept 2006
Internet Protocol Version 6 (IPv6) | Sept 2006
E.164 to Uniform Resource Identifiers (URI) Dynamic Delegation Discovery System (DDDS) Application (ENUM) | Sept 2007
CITEL PCC.I Resolutions Endorsing Standards for the Americas Region (3)
Standard | Date
ITU-T Rec. E.106, International Emergency Preference Scheme for Disaster Relief Operations | March 2008
ITU-T Rec. E.107, Emergency Telecommunications Service (ETS) and Interconnection Framework for National Implementations of ETS | March 2008
ITU-T Rec. Y.1910, IPTV Functional Architecture | May 2009
ITU-T Rec. Y.2270, NGN Identity Management | May 2009
ITU-T Security Standards
ITU-T Study Group 17
- Telecommunications systems security project
- Security architecture and framework
- Security management
- Cybersecurity
- Countering spam by technical means
- Secure aspects of ubiquitous telecommunication services
- Secure application services
- Service Oriented Architecture Security
- Telebiometrics
- Identity Management architecture and mechanisms
Study Group 17 is the Lead ITU-T Study Group for Security and Identity Management
Approved ITU-T Security Recommendations: Partial List (1)
- M.3016.0, 1, 2, 3, 4: Security for the management plane: Overview, Security requirements, Security services, Security mechanism, Profile proforma
- X.509: Information technology - Open Systems Interconnection - The Directory: Public-key and attribute certificate frameworks
- X.805: Security architecture for systems providing end-to-end communications
- X.893: Information technology - Generic applications of ASN.1: Fast infoset security
- X.1035: Password-authenticated key exchange (PAK) protocol
- X.1051: Information security management system - Requirements for telecommunications (ISMS-T)
- X.1055: Risk management guidelines for telecommunications organizations
- X.1056: Security incident management guidelines for telecommunications organizations
- X.1081: The telebiometric multimodal model - A framework for the specification of security and safety aspects of telebiometrics
- X.1111: Framework for security technologies for home network
- X.1114: Certificate profile for the device in the home network, User authentication mechanisms for home network service, Authorization framework for home network
Approved ITU-T Security Recommendations: Partial List (2)
- X.1121: Framework of security technologies for mobile end-to-end communications
- X.1122: Guideline for implementing secure mobile systems based on PKI
- X.1141: Security Assertion Markup Language (SAML 2.0)
- X.1142: eXtensible Access Control Markup Language (XACML 2.0)
- X.1191: Functional requirements and architecture for IPTV security aspects
- X.1205: Overview of cybersecurity
- X.1242: Short message service (SMS) spam filtering system
- X.1244: Overall aspects of countering spam in IP-based multi-media applications
- Y.2270: NGN Identity Management Framework
- Y.2701: Security requirements for NGN release 1
ITU-T Security Standards
SG 17 security work in progress (selected items)
Draft Rec. | Title or Subject
X.1250 | Requirements for global identity management trust and interoperability
X.1251 | Framework for user control of digital identity
X.akm | Framework for EAP-based authentication and key management
X.gopw | Guideline on preventing worm spreading in a data communication network
X.fcsip | Framework for countering IP multimedia spam
X.tcs-1 | Interactive spam countering gateway system
X.tpp-2 | Telebiometrics protection procedures Part 2: A guideline for data protection
X.tai | Telebiometrics authentication infrastructure
X.tsm-2 | Telebiometrics system mechanism Part 2: Protection profile for client terminals
X.rfpg | Guideline on protection for personally identifiable information in RFID applications
(continued)
IETF Security Standards
IETF Standards Development
The Internet Engineering Task Force is a major developer of Internet standards
The IETF Security Area has the following active Working Groups developing Internet standards:
- btns: Better-Than-Nothing Security
- dkim: Domain Keys Identified Mail
- emu: EAP Method Update
- hokey: Handover Keying
- ipsecme: IP Security Maintenance and Extensions
- isms: Integrated Security Model for SNMP
- keyprov: Provisioning of Symmetric Keys
- kitten: Kitten (GSS-API Next Generation)
- krb-wg: Kerberos
- ltans: Long-Term Archive and Notary Services
- msec: Multicast Security
- nea: Network Endpoint Assessment
- pkix: Public-Key Infrastructure (X.509)
- sasl: Simple Authentication and Security Layer
- smime: S/MIME Mail Security
- syslog: Security Issues in Network Event Logging
- tls: Transport Layer Security
Summary
- CITEL continues to address Cybersecurity and Critical Telecommunications Infrastructure Protection and has initiated new work in several key areas
- CITEL is not only collecting experiences and data on Cybersecurity from its members, but is also actively engaged in discussions of national strategies and best practices, leading to policy recommendations for the Americas Region
- CITEL is utilizing workshops and Technical Notebooks to increase awareness of cybersecurity issues and to assess best practices and strategies in order to increase security and mitigate the effects of cyber crime
Summary (2)
- CITEL is utilizing Standards Coordination Documents to increase awareness of relevant security standards and to endorse the use of those standards in the Region
- Continued cooperation within the Americas Region and continued input from its members on cybersecurity experiences and strategies will allow CITEL to remain focused on the most relevant security issues so as to provide recommendations for the Region and provide value to other bodies internationally
Thank You!
Wayne Zeuch, CITEL PCC.I Rapporteur, Standards Coordination
waynezeuch@aol.com
citel@oas.org