Embed Size (px)
Citation preview
Protecting Our Infrastructure: utilizing Protecting Our Infrastructure: utilizing everything we have.everything we have.
Suguru YamaguchiAdvisor on Information Security,
Cabinet Secretariat, Government of Japan
Large-scale Accident in Critical InfrastructureLarge-scale Accident in Critical Infrastructure Typical Examples
– Mizuho Bank ( 2002.4.1)– FDP at Tokyo ATC (2003.3.1)
Hard for Gov. to know what’s going on.→ first response is always in their hand.
Troubles/Accidents at Dependable infrastructure make huge impacts on our life.
Prevention Response: minimize impact and
involved areas Learn from accidents: analysis a
nd expertise
(読売新聞:2002年4月3日報道写真)
Analysis on Inter-dependency among Critical Infrastructure
By JST RISTEX MissionProgram II
Area with Large impact
0 hr. 1 hr. 12 hr. 24 hr.
Simulation on spreading impact on social systems in the case of critical accidents on core system of large scale bank in Japan
(simulation)
Internet = Critical InfrastructureInternet = Critical Infrastructure
Internet is critical infrastructure– Various kinds of our activities are now on the Internet.
• Online banking / reservations / shopping and commerce / money transfer / ….
– We can’t imagine our life without the Internet.
“Dependable” infrastructure– What and how we can make this?– Need research
Internet: Global and Ubiquitous Infrastructure for Communication
Communication Technology
Wireless
Satellite
ATMOptical FiberCopper CableWDM/SDH
ISDN
Internet Technology
CATVCable Modem
Society
TCP/IP TCP/IP
Internet for EverythingInternet for Everything
Always connected with global address New services with various kind of devices
Targets and Schedule of CEIISTargets and Schedule of CEIIS
Critical Infrastructure Companies Individuals
◎Establish Ground-Design of Japanese Information Security Policy◎Implement Effective Measures and Policy
•To be reliable for private sectors as their counter-party•To be reliable in global arena•Implement balanced investment toward technologies•Keep transparency
•Maintain function as highly reliable infrastructure•Keep verifiable design of function and business continuity•Promote coordination and mutual assistance
•Support security-culture as major stakeholders•Reach consensus in management and circulation methods of privacy information
The First proposalThe First proposal(Oct/04)(Oct/04)
The Second Proposal(Mar/05)
The Third Proposal(July/05)
(1)Implementation Structure of Overall Information Security Policy
(2)Measures for Government itself
Recommendations #1 (as of Nov. 2004)Recommendations #1 (as of Nov. 2004) “Information Security Policy Committee” (tentative name)
– Under IT Strategy Headquarter
– By FY2006
– Set mid / long term strategy
– Recommendations
– Evaluations
“National Information Security Center” (tentative name)– Operational guidelines for government systems
– Audit and inspections
– Response for IT incidents on government systems
– Repository of “expertise”
E-government in 2005 (JP)E-government in 2005 (JP)
Comm.Comm. BizBizEdu.Edu. TransportTransport National
ResourceNationalResource
BroadcastBroadcast
The InternetThe Internet
Various kind of digital communication infrastructureVarious kind of digital communication infrastructure
http://www.e-gov.go.jp/http://www.e-gov.go.jp/
E-gov portal site– One stop service– Single window servic
e– “online”
Targets and Schedule of CEIISTargets and Schedule of CEIIS
Critical Infrastructure Companies Individuals
◎Establish Ground-Design of Japanese Information Security Policy◎Implement Effective Measures and Policy
•To be reliable for private sectors as their counter-party•To be reliable in global arena•Implement balanced investment toward technologies•Keep transparency
•Maintain function as highly reliable infrastructure•Keep verifiable design of function and business continuity•Promote coordination and mutual assistance
•Support security-culture as major stakeholders•Reach consensus in management and circulation methods of privacy information
The First proposalThe First proposal(Oct/04)(Oct/04)
The Second Proposal(Mar/05)
The Third Proposal(July/05)
Catalyst: each ministries
Sectors and RolesSectors and Roles
GovernmentGovernment
Local GovernmentLocal Government
Critical infrastructureCritical infrastructure
CompaniesCompanies
IndividualsIndividuals
GovernmentGovernment
“Culture of Security”Top down approach from Gov.,Bottom up from private sectors
Top down & bottom upTop down & bottom up Top down approach from Government
– Standards and guidelines for procurement / installation / operation and responses
– Critical Infrastructure Protection (CIP)– Minimum requirements on systems / networks– regulations
Bottom up approach from Private Sectors– Expertise from real operational systems– “Know How” on profitability / cost-down / actual operation / c
ustomizing systems / ….
Cabinet Secretariat
FSA METI MLITMPHPT
Ele.Finance Gas TrainComm Air
Critical Infrastructure
Local Gov.
Information flowInformation flow
More works requiredMore works required
Exercise on Large scale accident– Within an identical infrastructure– With other infrastructures– We don’t know the effect of “Inter-dependency”
• Research required.
Awareness program– Classic / Legacy approach on generic security management– Changes on its systems drastically
• More computers and networks in their systems
– Sharing Best Practices
Services
MonitoringTraffic and access
Other ISP’s
X
ISPBlocking the trafficDefine their handlings in contract
IT sectionNot enough expertiseOut sourcing
Top ManagementDecisions on business operations
AttackerConducting intentional activitiesNeed to work globally
Attack TrafficForging source address
Mission difficult (not impossible)
(1) Improving Technology and Operation(2) Gov/Private Sector collaboration(3) Re-designing Security functions(4) HQ role(5) Learn more from accidents(6) Preparation / Prevention
Sharing Best PracticesSharing Best Practices
Best Practice developed through competition: high quality expertise on technology, engineering, and operation
Distributing Best PracticeWork with Non-profit areaImproving business environment
Private Sectors
Government
Improving Information SharingImproving Information Sharing
Government Critical InfrastructureCompanies
ISAC model?Inter-sector communicationAnonymity / Responsibility
Among MinistriesLEA
SummarySummary
Collaboration and mutual understandings on what we are doing is quite important among Government / private sector relationship
Need to do more– Improving information sharing– Exercises & Awareness– Research, esp. on analysis on “inter-dependency” among CI
CEIIS (Committee of Essensial Issues on Information Security)– Recommendations #2 by the end of FY2004 (Mar. 2005)
