The threat of cyber incidents is very real, and such incidents may harm critical services and functions offered by an organization. As nations develop, their reliance on e-Governance infrastructure grows, and this infrastructure then also becomes a target of state-sponsored, criminal and politically motivated attacks.
Further, e-Government applications are increasingly integrated and are building vertical and horizontal dependencies. It is therefore important to also evaluate cyber security practices across the value chain. According to the 2020 Ponemon report on third-party security, 63% of respondents stated that reliance on reputation is the most common reason for not evaluating the privacy and cybersecurity practices of third parties. The reputation, trust and leadership of the organization can potentially suffer the most in the event of a debilitating cyber attack. The Confidentiality, Integrity and Availability (CIA) of e-Government services can be adversely impacted by such incidents, with a negative effect on the national economy and security posture.
It is therefore paramount for countries to identify such critical infrastructure and ensure its safety and security. By definition, Critical Information Infrastructure (CII) is infrastructure whose incapacitation or damage can have a debilitating impact on national security, the economy, public health or safety. To manage the security aspect comprehensively, a more holistic approach is required, one that encompasses the entire project lifecycle and all touch points.
Driving from the Top
Looking at the sensitivity associated with cyber security, the Government of India has constituted a national nodal agency called the “National Critical Information Infrastructure Protection Centre (NCIIPC)”. NCIIPC takes all necessary measures to facilitate protection of CII from unauthorized access, modification, use, disclosure, disruption, incapacitation or destruction, and raises awareness among all stakeholders. The Ministry of Electronics and Information Technology, vide notification dated 22nd May, 2018, has directed organizations having “protected systems” to constitute an “Information Security Steering Committee (ISSC)” under the chairmanship of the CEO/ MD/ Secretary of the organization and comprising:
- IT Head or Equivalent
- Chief Information Security Officer (CISO)
- Financial Advisor or equivalent
- Representative of NCIIPC
- Any other nominated expert
“With growing robustness of e-Government systems and reliable citizen transactions, the departments have gradually built High Value Assets (HVA). HVAs are of particular interest to criminal, politically-motivated, or state-sponsored actors for either direct exploitation of the data or to cause a loss of confidence by the public.”
Protection of Critical Information Infrastructure
There are many segments/ services, such as VPN services, e-mail, web services and the network, that are under continuous threat. Security by default needs to be associated with the entire lifecycle of e-Government projects. NCIIPC has accordingly published guidelines for the protection of CII. The guidelines are grouped into five control families, as under:
1. Design and planning controls. These controls are required to be assessed at the design/ planning stage.
1.1. Identification of critical infrastructure: the organization needs to assess whether there is a “Critical Infrastructure” in its information system landscape, and which functions and criticality attributes (availability, access, delivery of services etc.) of the system need to be assessed. It also needs to be seen whether there are interdependencies associated with the system, i.e. if the critical infrastructure (CI) goes down, does it have a cascading impact.
1.2. Dependencies on the system: a vertical dependency can lead to impact at different organizational layers, whereas a horizontal dependency
1.3. Every organization is to have an Information Security Department headed by a CISO (Chief Information Security Officer). The department will have roles and responsibilities to build safety and security controls around CII at all stages – planning, development, management and oversight.
1.4. Each organization is to have an Information Security Management System (ISMS) policy. The ISMS policy is a living document that is continually evolved and reviewed to capture adequate and appropriate security controls.
1.5. Integration control: it is important for the organization to factor in existing processes and any interfaces with external systems.
1.6. Vulnerability/ threat/ risk assessment, including risk management and mitigation controls.
1.7. Security architecture controls, including configuration management and mitigation controls.
1.8. Redundancy controls: CII components should be fault tolerant by design and incorporate adequate redundancy to cater for system malfunctions, failover etc.
1.9. Adequate AMC/ ATS (annual maintenance contract/ annual technical support) from OEM providers.
1.10. Supply chain management: security precautions, including Non-Disclosure Agreements (NDAs), extensions etc., apply to all engaged parties.
1.11. Security certifications: not only must CII assets adhere to internationally accepted security best practices and controls, but the employees engaged in ensuring the security of those assets should also hold the relevant listed certifications. Knowledge upgradation, training and continuous feedback are part of the process.
1.12. Implementing controls to tackle physical security threats such as natural threats, human threats, environmental threats etc.
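Controls 1.1 and 1.2 ask whether a failure of one component cascades through vertical (cross-layer) and horizontal (same-layer) dependencies. The following is an added example, not code from the article or from NCIIPC, showing how such an assessment can be made concrete: a service dependency graph is inverted and walked breadth-first to find every service transitively impacted by a single failure, each traversed edge is labelled vertical or horizontal, and components are ranked by blast radius. The service names, layers and dependency edges are constructed sample data.

```python
"""Cascading-impact assessment over a service dependency graph.

Added example (not part of the NCIIPC guidelines or this article). The
services, layers and dependency edges below are constructed sample data.
"""
from collections import deque

# Constructed sample landscape: name -> (organizational layer, depends_on).
# An edge that crosses layers is a vertical dependency; one that stays
# within a layer is a horizontal dependency.
SERVICES = {
    "citizen-portal":  ("presentation",   ["api-gateway"]),
    "api-gateway":     ("application",    ["auth-service", "records-db"]),
    "auth-service":    ("application",    ["directory"]),
    "payment-service": ("application",    ["api-gateway", "bank-link"]),
    "records-db":      ("data",           ["san-storage"]),
    "directory":       ("data",           ["san-storage"]),
    "san-storage":     ("infrastructure", []),
    "bank-link":       ("external",       []),
}


def dependents_index(services):
    """Invert the graph: for each service, list the services that depend on it."""
    index = {name: [] for name in services}
    for name, (_, deps) in services.items():
        for dep in deps:
            index.setdefault(dep, []).append(name)
    return index


def cascade(services, failed):
    """Return {impacted_service: 'vertical' | 'horizontal'} for every service
    transitively impacted when `failed` goes down (breadth-first walk)."""
    index = dependents_index(services)
    impacted = {}
    queue = deque([failed])
    while queue:
        current = queue.popleft()
        current_layer = services[current][0]
        for dependent in index.get(current, []):
            if dependent in impacted or dependent == failed:
                continue
            same_layer = services[dependent][0] == current_layer
            impacted[dependent] = "horizontal" if same_layer else "vertical"
            queue.append(dependent)
    return impacted


def blast_radius(services, failed):
    """Number of services impacted by the failure of `failed`."""
    return len(cascade(services, failed))


def rank_by_blast_radius(services):
    """Services ordered from widest to narrowest cascading impact."""
    return sorted(services, key=lambda s: (-blast_radius(services, s), s))


if __name__ == "__main__":
    for name in rank_by_blast_radius(SERVICES):
        impact = cascade(SERVICES, name)
        print(f"{name:16s} blast radius={len(impact):2d}  {impact}")
```

In the sample data, the shared storage has the widest blast radius even though it sits at the lowest layer, which is exactly the kind of hidden criticality that control 1.1 asks the organization to surface before the design stage is closed.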
2. Implementation controls. These translate the security design controls into actual implementation and configurations.
2.1 Asset and inventory control: track all physical and virtual assets, ensuring the necessary audit, patching and replacement of damaged devices.
2.2 Establish access control policies along with roles, activities and actions.
2.3 An identification and authorization process should be in place.
2.4 Perimeter protection through NIPS, NIDS, firewalls, proxies, Internet DNS servers, VPN, antivirus etc.
2.5 Physical and environmental security: have clear policies and mock drills to protect against civil unrest, environmental impacts etc., to ensure continuity of systems.
2.6 Testing and evaluation of hardware and software for security must be conducted before procurement.
3. Operational controls. These controls ensure the security posture is maintained in the operations environment.
3.1 Data storage: hashing and encryption of data at rest and in motion. Periodic backups must be ensured at an appropriate frequency.
3.2 Incident management with clearly identified roles and responsibilities. A recovery plan, along with analysis of security incidents, must be in place.
3.3 Training, awareness and skill upgradation: preferably set up a committee to identify training needs for the organization and its employees.
3.4 Data loss prevention.
3.5 Penetration testing.
3.6 Asset and inventory management.
3.7 Network device protection through access control, security patches, password management, traffic monitoring etc.
3.8 Cloud protection, in case the organization is using cloud services.
3.9 Critical information disposal and transfer.
3.10 Intranet security through an intranet security policy, hardening of intranet IT systems, authorization and authentication, access control lists, monitoring and feedback.
3.11 Advanced Persistent Threats (APT): staff should be trained to be alert to such security threats.
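Control 3.1 calls for hashing of data at rest and periodic backups. The following is an added example, not code from the article or from NCIIPC, of how hashing turns a backup into something whose integrity can be checked at restore time: each file is digested with SHA-256 into a manifest, the manifest itself is protected with an HMAC (my addition, so that an attacker who can alter the backup cannot simply rewrite the manifest to match), and verification reports modified, missing and unexpected files. The file contents, file names and the HMAC key are constructed placeholders; in a real deployment the key lives in a KMS/HSM, not in the script.

```python
"""Backup integrity manifest: SHA-256 per file, HMAC over the manifest.

Added example (not part of the article or the NCIIPC guidelines). The
sample files and the key are constructed placeholders for demonstration.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def file_digest(path):
    """SHA-256 of a file, read in chunks so large backups do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _manifest_tag(files, key):
    # Canonical JSON so the same set of digests always yields the same tag.
    body = json.dumps(files, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_manifest(root, key):
    """Digest every file under `root` and seal the result with an HMAC."""
    root = Path(root)
    files = {str(p.relative_to(root)): file_digest(p)
             for p in sorted(root.rglob("*")) if p.is_file()}
    return {"files": files, "hmac": _manifest_tag(files, key)}


def verify_backup(root, manifest, key):
    """Check a backup tree against its manifest.

    Returns a dict with manifest_ok (HMAC valid) and sorted lists of
    modified, missing and unexpected relative paths. If the manifest's HMAC
    does not verify, no per-file result is trusted and the lists stay empty.
    """
    expected = _manifest_tag(manifest["files"], key)
    if not hmac.compare_digest(expected, manifest["hmac"]):
        return {"manifest_ok": False, "modified": [], "missing": [], "unexpected": []}
    root = Path(root)
    present = {str(p.relative_to(root)) for p in root.rglob("*") if p.is_file()}
    recorded = manifest["files"]
    modified = sorted(n for n in recorded
                      if n in present and file_digest(root / n) != recorded[n])
    missing = sorted(n for n in recorded if n not in present)
    unexpected = sorted(present - set(recorded))
    return {"manifest_ok": True, "modified": modified,
            "missing": missing, "unexpected": unexpected}


def demo():
    """Constructed scenario: seal a backup, then tamper with it three ways."""
    key = b"constructed-demo-key-not-for-production"   # placeholder key
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "records.csv").write_bytes(b"id,name\n1,alice\n")
        (root / "config.json").write_bytes(b'{"mode":"prod"}')
        manifest = build_manifest(root, key)
        clean = verify_backup(root, manifest, key)

        # Tamper: modify one file, delete one, plant an extra one.
        (root / "records.csv").write_bytes(b"id,name\n1,mallory\n")
        (root / "config.json").unlink()
        (root / "extra.bin").write_bytes(b"\x00")
        tampered = verify_backup(root, manifest, key)

        # Tamper with the manifest itself to "bless" the modified file;
        # without the key the HMAC no longer matches, so this is caught.
        forged = {"files": dict(manifest["files"]), "hmac": manifest["hmac"]}
        forged["files"]["records.csv"] = file_digest(root / "records.csv")
        forged_result = verify_backup(root, forged, key)
    return clean, tampered, forged_result


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered", "forged manifest"), demo()):
        print(f"{label:16s} {result}")
```

The verification is deliberately split in two: the HMAC decides whether the manifest can be believed at all, and only then are per-file digests compared, which is why a forged manifest yields no per-file findings rather than a misleading "all clean".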
4. Disaster recovery controls. These controls ensure quick restoration of services with minimum downtime in the event of a disaster.
4.1 Careful choice of disaster recovery site.
4.2 Business continuity planning.
4.3 Have a plan for a secure and resilient architecture.
5. Oversight and reporting controls. These controls ensure adequate oversight by senior management and compliance.
5.1 Have a mechanism for threat reporting to government agencies and apex security bodies – CERT-In, NCIIPC.
5.2 Periodic audit and vulnerability assessment.
5.3 Compliance with security recommendations, preferably through a committee.