2. OVERVIEW OF THE PRIVATE INFRASTRUCTURE

Transcription

1 A Functional Model for Critical Infrastructure Information Sharing and Analysis Maturing and Expanding Efforts ISAC Council White Paper January 31, PURPOSE/OBJECTIVES This paper is an effort to establish a path forward and future vision for information sharing and analysis and to provide a functional model for Critical Infrastructure Information Sharing and Analysis. Based on various government and critical infrastructure meetings during the fall of 2003 the following objectives were established. A. Increase Information Sharing and Analysis Security efforts to support the broadest possible reach both within and outside critical infrastructures so that no entity is excluded. B. Efforts must have long-term viability. C. Realize cost efficiencies and reduce redundancy, where possible. 2. OVERVIEW OF THE PRIVATE INFRASTRUCTURE Our critical infrastructures are composed of a vast number of varied private and public entities. Classifying these entities will enable us to determine the appropriate security and information sharing and analysis support required to achieve a national system. For private entities, the first step is to classify organizations within the specific critical infrastructures to which they belong. Currently, there are fourteen critical infrastructures that have been identified by the government. Secondly, within those infrastructures, a private entity can be considered by size, complexity, and the significance of its function, technology, and operation to the nation. Based on these factors, the required top-level security support can be established. Each critical infrastructure possesses large or significant entities that require focused and intense physical, cyber, and all threats security support. This is the first tier. A second tier, in each critical infrastructure, consists of the companies and organizations or companies with less than critical significance which nevertheless require specific support, but not to the degree or intensity of the Tier 1 companies. As a third tier within each critical infrastructure, there may be a very large number of businesses with limited potential impact, which nevertheless must be supported. Finally, and of great importance, is the general business community that does not fall into the identified fourteen critical infrastructures. This is the fourth tier. 1

2 Based on these factors and approach/model there are then four categories of private and public entities. All of these private and public entities require security support however their requirements vary widely as do their resources, both financial and in terms of expertise, which in turn limit their ability to contribute actively and pay for the security support they need. For example, the Electricity Sector is one interconnected infrastructure and instantaneous with critical loads served by large and small entities. The entire electricity sector requires support due to its extremely interdependent nature. See attached Illustration 1, titled Private and Public Infrastructure and Information Sharing and Analysis Requirements 3. UNIQUE INFORMATION SHARING AND ANALYSIS SUPPORT REQUIREMENTS FOR PRIVATE AND PUBLIC INFRASTRUCTURE How can information sharing and analysis support be best tailored and provided to the tiered, private sector and public organizations described above? The following provides the characteristics of the information sharing and analysis structures required to support private and public industry. A. TRUSTED INFORMATION SHARING AND ANALYSIS STRUCTURE. The structure that is providing the information sharing and analysis support must be trusted to ensure safeguarding of sensitive and proprietary information. There must be tiered levels of reporting that permits TRUSTED reporting that can be safeguarded and, if so required by the reporting member, reported with total anonymity. B. TRUSTED SECTOR-TO-SECTOR RELATIONSHIPS. The information sharing and analysis structure must have the TRUST of not just the individual sector it supports but with the interdependent sectors with which that information is shared. C. PRIVATE SECTOR SUBJECT MATTER EXPERTS. The structure must consist of both private sector expertise and current industry knowledge in order to understand the industry and determine the impact/relevance of any given piece of information. This subject matter expertise must be relevant and broad based, within a sector, in order to immediately bring to bear the specific expertise required. This is a key discriminator and critical capability that is required to secure the nation. D. SPECIFICALLY FOCUSED CYBER/PHYSICAL/ALL THREATS ANALYSIS MUST BE THE CORE MISSION BASED ON PRIVATE INDUSTRIES INFORMATION/INTELLIGENCE REQUIREMENTS. 2

3 Current subject matter expert analysts that can determine the relevance of information to each sector must be used to conduct analysis. Based on the recent North American electrical blackout and Hurricane Isabel, our view of security must be broad, encompassing, and consider All Threats. E. MANAGEMENT OF THE SECTOR AND MEMBERSHIP. Support must be provided to vet private entities and then managed. The security structure must understand and continually be in dialogue with its vetted members and manage this trusted relationship. F. MANAGEMENT OF INDUSTRY ALERT PLANS AND ACTIONS. Specific industries/entities rely upon their security providers to support and provide a basis for their unique alert plans and actions. Industry specific intelligence drives the alert level and countermeasure implementation of many industries. G. INTERNATIONAL REACH. Many of the industries that comprise our nation s critical infrastructures are international in scope. Political borders very often do not define private industry and company holdings. What happens in one country to a private infrastructure has direct consequence in the U.S and vice versa. This is also evident in public sector organizations. Reporting and information must be available to the information sharing and analysis mechanism and therefore TRUSTED by international companies and organizations. 4. AN APPROACH TO SATISFY THE STATED OBJECTIVES Certainly an approach to information sharing and analysis can be created from whole cloth without respect to current in-place security structures. However, such an approach would ignore the considerable effort and resources that have been applied by the sectors at the specific request of government, require a considerable amount of time to establish, and in the final analysis would most probably mirror the current security structures. Given the level of industry investment and private sector cooperation, it would simply be counter-productive to ignore current structures and not determine whether the objectives stated in this paper can be satisfied by the current capabilities or by these capabilities once they have been matured and expanded. In fact, for many years industry sector information sharing and analysis capabilities have been maturing. These capabilities are viable, providing significant security support to the nation, and satisfying most of the unique information sharing and analysis requirements of the sectors. 3

4 The most cost effective and viable approach is to evolve the current structures that satisfy the unique industry requirements stated above and can be matured/expanded to fulfill the objectives stated in paragraph STATUS OF INFORMATION SHARING AND ANALYSIS STRUCTURES United States cultural, constitutional, and legal requirements create an environment where the primary responsibility for safeguarding private and public domestic infrastructure lies with the owners of the assets. The cornerstone of information sharing and analysis efforts has been the private industry specific Information Sharing and Analysis Centers (ISACs), which have existed in many forms, beginning in 1984 with the National Coordinating Center for Telecommunications (NCC), through the formation of the Financial Services ISAC in October 1999, to the fourteen sector specific ISACs in existence today. These ISACs are at different levels of maturity. Nevertheless, that so many sectors have invested time, energy, millions of dollars, and in-kind resources in establishing ISACs demonstrates that these sectors see value in establishing formal information sharing and analysis mechanisms that reflect their unique operational and governance characteristics. Also of importance is that the ISACs have voluntarily come together and established an ISAC Council to mature their individual and collective processes, integrate their individual efforts, and address common issues. Through the ISAC Council the ISACs have reached out to the Sector Coordinators and are integrating the coordinators into the council processes. The vision is to continue to coordinate and integrate the private sector security processes through the joint ISAC Council and Sector Coordinator mechanism. All of the ISACs are actively reaching out to their entire sector and integrating the small businesses and organizations to ensure they are supported. For example, the Transit ISAC is open to all transit entities regardless of size. An FTA government grant supported the establishment and operations of this ISAC and its broad outreach. Similarly, the Trucking ISAC provides for open access to all in the industry, regardless of size, based on a multi-tiered need to know criteria. Congress has appropriated funding to enable this approach to be fully implemented over the next several years. The following captures the significant reach of the eleven ISACs represented on the ISAC Council. When viewed in total, the ISACs represent a broad reach for industry and government and a TRUSTED node for information sharing and analysis. Chemical 90% of the sector Electricity nearly 100% Energy 85% and increasing Financial 90% and adding full sector Healthcare Developing Information Technology - ~ 70% of IT globally and ~ 85% of cross sector IT 4

5 Public Transit reaching all major transit systems and developing outreach to connect all agencies Surface Transportation 95% of the Freight Railroad Industry and Amtrak Telecom 95% of infrastructure Trucking - 60% of economic with over 50% of long haul Water 85% of sector receiving alerts In order to take the ISAC from concept to implementation/operation a definition is required. An ISAC is a trusted, sector specific, entity which provides to its constituency a 24/7 Secure Operating Capability that establishes the sector's specific information/intelligence requirements for incidences, threats and vulnerabilities. Based on its sector focused subject matter analytical expertise, the ISAC then collects, analyzes, and disseminates alerts and incident reports to its membership and helps the government understand impacts for their sector. It provides an electronic, trusted ability for the membership to exchange and share information on cyber, physical, and all threats in order to defend the critical infrastructure. This includes analytical support to the Government and other ISACs regarding technical sector details and in mutual information sharing and assistance during actual or potential sector disruptions whether caused by intentional or natural events. TRUSTED information sharing is one of the most vital and sensitive functions of an ISAC. Information sharing requires a trusted relationship between the ISAC and its constituency. Private companies and organizations must know that their private data is protected from all who might use it to the detriment of private industry. This includes competitors as well as regulatory agencies. ISACs provide the required balanced, TRUSTED, information sharing and analysis mechanism for private industry. Private industry TRUST of its ISAC is the critical operational foundation for the ISAC to accomplish its mission. An ISAC manages, vets, establishes, and authenticates the identity of its membership. The ISAC ensures the security of the ISAC s membership, and its data and processes. Sector-Specific Subject Matter Expert Analysis is a critical capability for the ISACs. The purpose of sector specific, subject matter expert, analysis is to identify and categorize threats and vulnerabilities and then identify emerging trends before they can affect critical infrastructures. This is especially true for cyber, physical, and all threats. ISAC provided, sector specific analysis adds critical value to the information being disseminated. The products of this analysis are: 24/7 immediate, sector specific, physical, cyber, all threat and incident report warning Sector specific information and intelligence requirements Forecasts and mitigation strategies to emerging threats Tested mitigations Sector-specific impact assessments 5

6 Cross sector interdependencies, vulnerabilities, and threats. Sector vulnerabilities are extremely sensitive information that must be highly protected. 6. A VISION FOR MATURING AND EXPANDING THE CURRENT INFORMATION SHARING AND ANALYSIS STUCTURES Once fully mature, the ISAC community will be able to enhance the protection of each critical infrastructure through formally recognized partnerships that link ISAC sectors with one another. Analysis provides trending and cross-sector information and identifies interdependencies and effects. ISACs integrate their individual sector analysis and responses across all critical infrastructures. All enterprises participate in infrastructure protection as a routine business operation. The ISACs perform rapid analysis by using a central repository of threat and vulnerability data. The sector specific, subject matter expert, analysis enables enterprises to respond to emerging threats and permits the infrastructure to anticipate potential harm and establish suitable safeguards. Full maturity of the ISAC community leads to interoperability and the ability to forecast emerging threat trends. The desired outcome of a successful ISAC community is the operation of self healing and resilient critical infrastructures that can anticipate and respond to emerging threats in ways that limit disruption. The government is an integrated partner and supports private industry information sharing and analysis efforts with analytical expertise, connectivity, and resources. The only way to ensure sustainability of the information-sharing model is through a viable and robust private sector and government partnership. 7. A PATH FORWARD - MATURING INFORMATION SHARING AND ANALYSIS AND THE ISAC COMMUNITY. Since 1998, the nation s critical infrastructures have been maturing their ISACs. An ISAC community has been established through the ISAC Council and the council s further outreach to the sector coordinators. The ISACs individually have been reaching out to their entire sector to include the small businesses and organizations within their sector. Per the outreach statistics captured in Section 5, the ISACs currently represent and reach a significant portion of the critical domestic infrastructures. To achieve the vision for the ISAC Community and for information sharing and analysis processes, all businesses - including the small business community - must be included. Where possible duplication of effort must be reduced and cost efficiencies achieved. The following recommendations will provide great support to the maturation and vision of the information sharing and analysis effort. 6

7 Each of the current operational ISACs must be open to and reach the Tier 1, Tier 2 and the small business community/tier 3 within each sector. o The government should support the ISACs core functionalities, its small business sector outreach, and analytical effort within each sector through baseline funding. (See attached diagram 1) A specific cost estimate for this effort can be developed by the ISAC Council in conjunction with member ISACs and provided to DHS. Beyond core functionalities, Tier 1 and Tier 2 companies that require enhanced support may continue to pay a membership fee. o A General Business ISAC should be established to reach those general businesses not currently supported by an ISAC. This General Business ISAC would provide baseline security information to vetted small businesses. This ISAC would primarily host a secure website as its means of outreach to its membership. As one approach, associations such as the National Federation of Independent Business and others represent the general business community and have very broad memberships. These entities consist of general businesses and understand the general business community. These entities that focus and serve general business can best create a General Business ISAC and determine what information sharing and analysis/isac support is required. They can vet their membership and manage their members relationship with the ISAC and the broader information sharing and analysis community. The NFIB and other small business associations should be approached regarding interest in establishing an ISAC. The government should procure a bulk license for the ISACs to receive data directly from some of the most viable vulnerability and threat sources and possibly access to analytical or modeling tools. This would provide an overall cost savings to the individual ISACs. The government should establish a standing and formal TRUSTED information sharing and analysis process. The ISACs and sector coordinators are the TRUSTED nodes for this dissemination. This body should be brought in at the beginning of any effort. DHS products should be released to this group for primary and priority dissemination to their respective sectors. A government provided communications network must be established for secure information sharing and analysis. The CWIN capability should be considered as an interim, first phase communications capability. Some of the ISACs are conducting routine communications checks at the analytical level in anticipation of expanded use of CWIN. Functionality needs to be added to CWIN. 7

8 Integrated ISAC and government analytical efforts must continue, and an analytical community that focuses on private industries and public organizations Priority Intelligence and Information Requirements must be established and matured. Industry, working through the ISAC and government analytical working groups, should be integrated into the full government intelligence cycle requirements, tasking, analysis, reporting, and dissemination. The governmentfunding baseline will also resource an ISAC analyst working at DHS to support analysis of sector specific information/intelligence requirements. 8. RECOMMENDATIONS/CONCLUSION This paper has been developed as a resource tool and position paper, with the full input of the ISAC Council, to guide the development of an effective working relationship between the ISACs, ISAC Council, Sector Coordinators, and the Department of Homeland Security. Our intent is to continue to develop these concepts and establish a definitive implementation plan. References: The following are ISAC Council papers in process or released that have relevance to what has been discussed in this paper. They can provide further details on a number of the issues we have raised.. Information Sharing Process and Types of Data ISAC and Government Analytical Efforts Liability and Legal Anti-Trust Interdependencies Policy Framework for the ISAC Community Next Steps Vetting/TRUST for Communication among ISACs and Government Entities Integration of ISACs into Government and Homeland Defense Exercises PDD 63 Review and Recommendations Reach of the ISACs Information Sharing and Analysis Centers, or ISACS, are private sector operational organizations which today are collecting, distributing, analyzing and sharing sensitive information regarding threats, vulnerabilities, alerts and best practices in order to protect our national critical infrastructures. Eleven ISACs -- Chemical, Electricity, Energy, Financial Services, Healthcare, Information Technology, Public Transit, Surface Transportation, Telecommunications, Truck, and Water -- have joined together as an ISAC Council, partnering with their sectors, with one another, and with government to advance the physical and cyber security of the critical infrastructures of North America. Please note that this paper was written by the ISAC Council as a consensus document, with input and review by member ISACs. However, its views and findings do not necessarily represent the official position of each ISAC. For more information on the ISAC Council and the ISACs which form its membership, please visit 8

9 Private Infrastructure and Information Sharing and Analysis Requirements Tier 3 Small businesses & organizations within the fourteen identified critical infrastructures Tier 1 & 2 Medium to large and international companies / organizations / entities of significance Information Sharing and Analysis Requirements 24/7 threat alerts, incident reports, and continuous specific sector & focused interdependencies situational awareness Relies on top tier companies & organizations and sector efforts, mechanisms, and relationships for information/intelligence sharing and analysis Tier 4 All small and general businesses & organizations NOT included in the 14 critical infrastructures Broad Range of Small and General Businesses & Organizations Concerns must be well understood and managed. TRUSTED and secure support structure TRUST and sector expertise required TRUST and overall general business expertise required Analysis must be based on Timeliness less critical Timeliness less critical current sector-specific subject matter expertise Best practices Best practices Best practices Sector specific intelligence/information requirements Contact information if further support is required Contact information if further support is required Sector specific threats and alerts Support to management of industry alert plans and actions Cyber, physical, and all threat information/intelligence Info Sharing and Analysis Structure must manage, understand, and vet membership/sector Interdependencies information/intelligence and threat impacts to the General situational awareness Push approach for threats Pull approach for best practices and general security information Info Sharing and Analysis Structure must manage, understand, and vet membership/sector General situational awareness Push approach for threats Pull approach for best practices and general security information Info Sharing and Analysis Structure must manage, understand, and vet membership/sector 9

10 primary sector Short, mid, and long term sector specific analysis Push, pull, and redundant mechanisms Access to Government classified information 10