Assessing the security and resilience of critical assets and networks
CNi Protection, Security & Resilience, 19th April 2011


Prof. Jim Norton
President
BCS Chartered Institute for IT
External Director
UK Parliamentary Office of Science & Technology (POST)

Issues to be covered

- So what's the problem with the extended CNI?
- Frameworks for the identification & management of risk.
- Limitations of existing methods?
- A challenge of culture
- The trap of accidental systems
- Final thoughts

Why now?

A series of reports published in the summer of 2009 stressed the need for major investment in infrastructure renewal and hardening against a wide range of threats.

Quotes from the reports (1)

Recommendation 52: Government should review its powers to mandate realistic minimum levels of resilience in relation to all critical infrastructures and in relation to all areas of interdependence between different infrastructure sectors. Where wider interpretation or amendment of existing legislation is not sufficient and new primary legislation is required, this should be included in the planned further Bill on Civil Contingencies.

Recommendation 53: Government should bring together regulators of the different infrastructure industries and require them to enforce higher resilience standards in their own sectors, as well as to investigate and strengthen resilience in areas of interdependencies between sectors and in sector supply chains.

Recommendation 54: Government should go further and signal to sector regulators that it would welcome investment by utility providers in relevant areas outside their own core business areas where such investment would reduce interdependence on other elements of the infrastructure. Investment by the power generators, national grid and energy distribution companies in mobile communications that are more resilient against power failure, for example, would be welcome.

Recommendation 57: Government should task the Centre for the Protection of National Infrastructure (CPNI) with the development of security recommendations aimed at mitigating command and control risks associated with Smart Grids.

Quotes from the reports (2)

We do not believe that the NI can continue on its current trajectory, for three main reasons:

- it is highly fragmented, both in terms of delivery and governance
- its resilience against systemic failure is significantly weakening through a combination of:
  o ageing infrastructure components;
  o greater complexity and interconnectivity between the different infrastructure sectors; and
  o nearing maximum capacity as a result of increased social and economic pressures
- the significant challenges posed by climate change and socio-demographic changes, which mean that:
  o there is an urgent need for a major change in devising low carbon solutions to meet the 80% target for reducing greenhouse gas emissions by 2050;
  o core pieces of infrastructure need to be future-proofed against extreme natural events; and
  o they need to be able to respond to future demographic, social and life style changes.

Quotes from the reports (3)

We recommend that the government creates a single point of authority for infrastructure resilience to coordinate the work of the agencies responsible for dealing with individual sectors and threats and recognise interdependency. This would provide the fundamental overview that is lacking, consider how to fill in the gaps and address the areas of infrastructure defence which are currently ignored.

With climate change identified as the biggest threat currently facing the UK's infrastructure, government must ensure that the newly created Natural Hazards Team is effective. Government should invest the Natural Hazards Team with the power to provide strong leadership to asset owners and ensure legislation is properly enforced.

Government must give clearer guidance to sector regulators such as Ofgem and Ofwat. At present these regulators' remit is largely the short-term prices paid by end users. In order to deliver the improvements to resilience identified as necessary by government and the overview function for infrastructure resilience, regulators must have the capacity to address asset resilience as well as broader and longer term consumer interests. Regulators require the ability to ensure asset owners build in reserve capacity to critical infrastructure and that they are fully prepared for any emergency scenario.

Impact of the Turnbull reports in the UK

These reports, published in 1999 and 2005, placed the issue of risk firmly on the boardroom agenda:

"Since profits are, in part, the reward for successful risk-taking in business, the purpose of internal control is to help manage and control risk appropriately rather than to eliminate it"

The key messages were:

- directors were responsible for setting up and overseeing the system;
- managers were charged with operating the system;
- the system should be seamlessly integrated with the companies' procedures and processes; and
- the system should be cost-effective.

Source: Second Turnbull report: Internal Control: Revised Guidance for Directors on the [UK] Combined Code

An effective system of internal controls is vital

In determining its policies with regard to internal control, and thereby assessing what constitutes a sound system of internal control in the particular circumstances of the company, the board's deliberations should include consideration of the following factors:

- The nature and extent of the risks facing the company;
- The extent and categories of risk which it regards as acceptable for the company to bear;
- The likelihood of the risks concerned materialising;
- The company's ability to reduce the incidence and impact on the business of risks that do materialise; and
- The costs of operating particular controls relative to the benefit thereby obtained in managing the related risks.

Source: Second Turnbull report: Internal Control: Revised Guidance for Directors on the [UK] Combined Code

Turnbull Risk Matrices

| Risk issue | Control exercised at Board level | Report or control relied upon by Board | Impact | Probability | Risk |
| Unauthorised access to key systems | Red Team review and penetration testing | Weekly report of detected anomalies | H | L | M |

A more dynamic approach

[Figure: risk map. Vertical axis: level of risk relative to Risk Appetite (from "Within appetite" to "Beyond appetite"). Horizontal axis: capability to control risks and outcomes (from "Able to shape. Strong control" to "Unable to influence. Little control"). Zones: Manage down, Concern, Accept, Monitor. Plotted risks: SR1, SR2, OR1, OR2, FR1, FR2. Legend: change in risk since last report; expected future direction of risk; added risk; removed risk.]

Source: F&C Asset Management

Issues with Turnbull - a personal view

- Works very well initially.
- Can deteriorate simply into tweaking the existing, identified, risks on a quarterly basis.
- Likely to miss entirely new risks.
- Unlikely to pick up gradual changes that have an insidious effect on risk.
- Could deteriorate into simple box ticking, giving the illusion of good process whilst being fundamentally flawed.

A proposal for a zero based approach 1

- Bring together a risk assessment and control (RAC) team within the management, staffed by direct reports to executive directors.
- Have the team meet monthly to review developments and their impact on the various categories of risk.
- For each meeting, commission an in-depth review of risk in a specific area.
- Have that review carried out by a RAC team member whose normal responsibility does not cover that area.

This process not only brings fresh eyes to old problems but builds cross-functional contacts and trust.

A proposal for a zero based approach 2

- Over the course of a year all the key areas will have been reviewed in some depth.
- Have the RAC team report monthly, by exception, to the Board on key changes in the risk profile.
- Ensure that a different RAC team member carries out a formal risk presentation to the Board each quarter, proposing amendments to the Turnbull matrices and facilitating a more wide-ranging discussion.

This process also gives Non-Executive Board Members improved visibility of key managers below Board level.

What makes the greatest impact on security?

[Chart: items rated on a scale from 0 (Low) to High: Attitude of the head of the company; Culture within the company; Security Technology; Rules & Regulations; Measuring the number and type of security incidents; Security guards.]

Source: IoD Business Opinion Survey, carried out by GfK-NoP on a balanced sample of 500 members in February-March

Perceived value of different elements of security

[Chart: items rated on a scale from 0 (Low) to High: Internet & computer security; Personnel security; Physical security.]

Source: IoD Business Opinion Survey, carried out by GfK-NoP on a balanced sample of 500 members in February-March

Relative competitive advantage from security

[Chart: items rated on a scale from 0 (Low) to High: On site guards; CCTV monitoring; Alarm contractors; Physical security; Personnel checks; Defined security policy; Electronic precautions.]

Source: IoD Business Opinion Survey, carried out by GfK-NoP on a balanced sample of 500 members in February-March

Examples of accidental systems

A multitude of ostensibly independent systems have varying degrees of GNSS dependencies for position, navigation or timing. These include:

- Stock exchange trading
- Radar systems
- Navigation systems
- Telecommunications systems
- Emergency services navigation and communications
- Railway applications

Source: Royal Academy of Engineering

GNSS Recommendations for raising awareness & analysing impact

1. Critical services should ensure that GNSS vulnerabilities are included in their risk registers and that the risks are reviewed regularly and mitigated effectively.
2. National and regional emergency management and response teams should review the dependencies (direct and indirect) on GNSS and mitigate the risks appropriately.
3. Services that depend on GNSS for PNT, directly or indirectly, should document this as part of their service descriptions, and explain their contingency plans for GNSS outages (say, of duration 10 minutes, 2 hours, 5 days, 1 month).

GNSS Recommendations for increasing resilience

9. The provision of a widely available PNT service as an alternative to GNSS is an essential part of the national infrastructure. It should be cost effective to incorporate in civil GNSS receivers and free to use. Ideally it should provide additional benefits, such as availability inside buildings and in GNSS blindspots. We are encouraged by progress with eLoran in this context.
10. The Technology Strategy Board (TSB) and the Engineering and Physical Sciences Research Council (EPSRC) are encouraged to consider the merits of creating an R&D programme focused on antenna and receiver improvement that would enhance the resilience of systems dependent on GNSS.

Final thoughts

We live today in a complex, densely networked and heavily technology-reliant society. Extensive privatisation and the pursuit of competitive advantage in globalised markets have also led us to pare down the systems we rely upon until little or no margin for error remains.

We have switched to lean production, stretched supply chains, decreased stock inventories and reduced redundancy in our systems. We have outsourced, offshored and embraced a just-in-time culture with little heed for just-in-case. This magnifies not only efficiency but also vulnerability.

Everything depends on infrastructure functioning smoothly and the infrastructure of modern life can be brittle: interdependent systems can make for cascades of concatenated failure when one link in the chain is broken.

Let's use the opportunity of infrastructure renewal to drive a renaissance in Security by Design, bringing back into widespread use the good practice that we have long known and understood.

But remember, managing risk is a continual battle. Don't ever sit back and believe that you have won!

Oh dear!

Presentation can be Downloaded from: