National Information Infrastructure Protection: The Emerging Imperative

1
National Information Infrastructure Protection
The Emerging Imperative

• Professor S V Raghavan
• svr_at_cs.iitm.ernet.in
• Network Systems Laboratory
• Department of Computer Science and Engineering
• Indian Institute of Technology Madras
• Chennai 600036 INDIA

Theme Paper Presented in Second Indo-Australian
Conference on Information Technology
Security IACITS 2006
2
Why Are We Here?

• In the twenty first century when a nation
  attacks another nation (for whatever reason), no
  bloodshed is likely.
• No direct loss of human life will result.
• But a nation, when attacked, will simply be
  paralyzed.
• World over, the national efforts in Science and
  Technology is turning its attention towards the
  single problem of National Information
  Infrastructure Protection.
• It is the emerging imperative for ensuring the
  security of a nation.

3
IT Security Requirements
Defense
One-to-One Communication One-to-One Association
Internet
One-to-One Communication One-to-Many
Association ? Scale in Numbers/Volume
4
IT Security Spectrum
Two entities in Communication

• 1950s C
• 1960s C C
• 1970s C C N
• 1980s C C N F
• 1990s C C N DB
• 2000s C C N I
• 2002? C C N I
• Infrastructure

• 1950 Computers
• 1960s CS Architecture
• Communication
• 1970s Network
• 1990s Databases
• Applications
• 2000s Routers
• Switches
• Phones
• 2004? PDAs
• Mobile Devices
• All Digitally Enabled
• Devices

5
Logical View Of A Single System
Users
Resources
ISOLATED SYSTEM
6
Architecture Of A Universally Secure System
User presents a request for a resource to the
system
UARP
System grants or denies the resource request
UARP Rule Set
RESOURCE POOL
7
Logical View of a Network of Interconnected
Systems
Local user
Remote user
Systems
Resources
POOL OF RESOURCES
8
A Detour To Network Sniffing
System 1
System 2
Sniffer gets the data
9
Architecture of a Universally Secure World

UARP server program
UARP enforcer
UARP rule set
UARP Server
UARP server
Local UARP rule cache
UARP enforcer
Resources
System
10
Infrastructure Dependencies

• Nations information infrastructure is part of an
  interconnected set of military, commercial,
  national, international independent networks and
  systems
• Critical Functions are heavily dependent on the
  infrastructures information
• Economic
• Manufacturing Distribution
• Free Trade
• Diplomatic
• Coalition Building
• Crisis Stabilization
• Military
• Deployment
• Coalition warfare
• Sustainment

Civil Emergency Services
Mass media
Government Operators
Transportation Control
Power Grid
Finance (National/Global)
Information Infrastructure
Water Supply
Oil/Gas Control
Production/ Inventory/ Process Control
Military-C4I
11
Vulnerabilities

• But these interconnected networks and systems are
  vulnerable
• India is a vulnerable nation
• IT change is much faster than that of security
  solutions
• Its getting worse!!!
• Globalization
• Standardization
• Regularization
• De-regularization
• Open Architecture
• Co-location
• Interconnection

State-sponsored trans-terrorism, criminalism, and
hacking
12
Information warfare is different!!!
Simple Technology
No Boundaries of known nature
Uncertain Responsibilities
Plenty of targets!!!
Criminal
Act of war???
Poorly defined remedies
Psychological Effects
No quick fixes
Ambiguous Laws!!!
13
Additional Observations

• Nations role in information security questioned?
• Market forces alone will not solve the problem
• Legislation, regularization, indemnification,
  incentives, altruism
• The seams (and information sharing) are
  critical
• Offense Defense
• Government Industry

Commerce
Law Enforcement
Jurisdiction
Multinational
Protection
National industry
Prosecution
National Security
Citizen
Policy
Privacy
Military
Safety
Intelligence
14
Additional Observations (Contd.)

• Solutions will have to address local, regional
  and national challenges, not just local
• Centrally coordinated Response Plan Model
• Local processes, procedures and mechanisms must
• Be distributed across geography, organizations
  and local and political boundaries yet tailored
  to the needs of affinity groups
• Not be under or depend on Centralized control

15
Procedures, Processes Mechanisms
Design
Protect
Verify
Deter Attack
Information
Transportation
Finance Banking
Indications, warning Threat assessment
Water Electric Power
Critical Functions Information
Infrastructures
Tactical Warning (monitor, detect, report)
Damage Control / Restoral
Attack Assessment
16
Tie it Together
Establish Stds
Focus on RD
Resolve Issues
Raise the bar
Design focal point
Assess for IW-D Readiness
Design for IW-D
Establish Threat Conditions Responses
Red Team Assessments
Increase Awareness
Assess Infrastructure Dependencies
Vulnerabilities
17
The Risk Clear Present Danger
Single point failure Compromised
Insider Weakness/Flaw Defaults not reset
Aggressor Terrorist Criminal Hacker
Threat Vulnerabilities
Risk
-----------------------------
Impact
Countermeasures
Catastrophic Negligible None
Redundancies Protection Backup Training
18
Cyber Security Ecosystem
Legislation
PKI
DES
RSA
Techniques Technologies
Firewall
Antivirus
Law and Enforcement
STRONG INTERPLAY
Judiciary
Technology Management
Devices
Policy Framework
Cultural change