 |
|
Homeland Security Advisory
System (HSAS)
|
IA/CIP
Terms
Critical
Infrastructures
Information
Assurance
Scada
Critical
Infrastructures - those physical and cyber-based
systems essential to the minimum operations of the
economy
and government. (NSTISSI 4009)
Information
Assurance - is defined as the set of measures
intended to protect and defend information and information
systems by ensuring their availability, integrity, authentication,
confidentiality, and non-repudiation. This includes providing
for restoration of information systems by incorporating
protection, detection, and reaction capabilities. These
measures are planned and executed by the Information
Assurance Directorate (IAD) of the National Security
Agency/Central Security Service (NSA/CSS).
SCADA - stands for Supervisory
Control And Data Acquisition. As the name indicates,
it is not a
full control
system, but rather focuses on the supervisory
level. As such, it is a purely software package
that is
positioned on top of hardware to which it is
interfaced, in general via Programmable Logic
Controllers (PLCs),
or other commercial hardware modules. (CERN)
|
|
|
|
'The Critical
Infrastructure Protection directive (PDD-63) calls for a
national effort to assure the security of the increasingly
vulnerable and interconnected infrastructures of the United
States. Such infrastructures include telecommunications,
banking and finance, energy, transportation, and essential
government services. The directive requires immediate federal
government action including risk assessment and planning
to reduce exposure to attack. It stresses the critical importance
of cooperation between the government and the private sector
by linking designated agencies with private sector representatives.'
Excerpt
from Presidential Directive 63 Overview
Definition
of Information Assurance (IA)
'Information
operations that protect and defend information and information
systems by ensuring their availability, integrity, authentication,
confidentiality, and nonrepudiation. This includes providing
for restoration of information systems by incorporating protection,
detection, and reaction capabilities.'
NSTISSI
4009, August, 1997
|
|
| Essential
Documents |
 |
 Cyber Security:
A Crisis of Prioritization, [2.3 MB] President’s Information Technology
Advisory Committee, February 2005
Information
Assurance Frequently Asked Questions, National
Security Agency
The
National Strategy to Secure Cyberspace,
White
House, 14. February 2003
The
National Strategy for the Physical Protection
of Critical Infrastructures and Key Assets,
White
House, 14. February 2003
European
Commission proposal for the creation of a
Network
Security Agency, February 2003 [pdf
version]
DoD Directive 8500.1 Information Assurance, 24.
October 2002
A
National Strategy to Secure Cyberspace (draft),
18. September 2002.
Critical Infrastructures: Background and Early
Implementation of PDD-63, Congressional
Research Service (CRS) report, updated February
4, 2002
Cybersecurity
Bill H. R. 3394, [Report
No. 107– ] - To authorize funding for
computer and network security research and
development
and research fellowship programs, and for other
purposes.
Executive Order: Critical Infrastructure Protection
in the Information Age published on 16/10/01
GEIA
Issues Critical Infrastructure Report.
The Government Electronics and Information
Technology
Association has released a white paper titled "Information Assurance and Critical Infrastructure
Protection: A Federal Perspective." The
report finds that while the beginnings of a
federal security infrastructure are taking
shape,
funding to complete this process remains inadequate.'
2001 (Courtesy of GEIA)
"Improving
Our Ability to Fight Cybercrime: Oversight
of
the National Infrastructure Protection Center",
Hearing before the Senate Committee on the Judiciary
Subcommittee on Technology, Terrorism and Government
Information, Wednesday, July 25, 2001.
Critical Infrastructure Protection: NIPC Faces
Significant Challenges in Developing Analysis,
Warning, and Response Capabilities, by Robert
F. Dacey, director, information security issues,
before the Subcommittee on Technology, Terrorism,
and Government Information, Senate Committee
on the Judiciary. GAO-01-769T, May 22.
Critical
Infrastructure Protection: Significant Challenges
in Developing National Capabilities. [1.2
MB] GAO-01-323, April 25.
Protecting America's Critical Infrastructures:
How Secure Are Government Computer Systems?
US Subcommittee on Oversight and Investigations
Hearing, April 05, 2001
Protecting
the Homeland - Report of the Defense Science
Board Task Force on Defensive Information Operations
2000 Summer Study Volume II [1.2 MB] The
Defense Science Board Task Force on Defensive
Information Operations Related concludes that
the United States cannot today defend itself
from an information operations attack by a sophisticated
nation-state adversary. They also state that
the vulnerability of the United States is greater
than in 1996 and that more than 20 countries
have or are developing computer attack capabilities
[published March 2001].
Federal
Critical Infrastructure Protection Activities
[1.53 MB] 'The Report of the President of the
United States on the Status of Federal Critical
Infrastructure Protection Activities, January
2001, was approved for release on February 22,
2001. This report is submitted in accordance
with Section 1053 of the National Defense Authorization
Act for Fiscal Year 2001 (Public Law 106-398),
and pursuant to the requirement in Presidential
Decision Directive 63 (PDD-63) for the National
Coordinator to provide an annual report on the
implementation of PDD-63 to the President and
heads of departments and agencies.'
NIPC
- A Failure to Communicate
Ricardo
Forno looks at how efficent or inefficent the
NIPC is. 'Discusses the inherent problems with
the National Infrastructure Protection Center
(NIPC)'s information exchange system to publicize
security alerts and bugs. This esssay was sparked
by a hilarious (but sadly, real) NIPC Alert
on 1 September that consisted of only one sentence.
Makes one seriously wonder... ' (Published 2.
September 2000)
In
Bits and Pieces - Vulnerability of the Netherlands
ICT-infrastructure and consequences for the
information society by H.A.M. Luiijf and
Dr. M.H.A. Klaver (TNO
Physics and Electronics Laboratory). Translation
in English of the Dutch Infodrome
essay "BITBREUK, de kwetsbaarheid van
de ICT-infrastructuur en de gevolgen voor de
informatiemaatschappij". This essay was
written in March 2000 by order of Infodrome
as a basis for discussion in the Infodrome workshop
"Vulnerabilities of ICT-networks".
The workshop was held in Amsterdam.
Defending
America's Cyberspace National Plan for Information
Systems Protection Version 1.0 - an Invitation
to a Dialect (White House, January 2000)
Practices
for Securing Critical Infrastructure Assets
US CIAO report on how to establish an InfoSec
Policy and how to evaluate vulnerabilities of
critical infrastructure assets (US Critical
Infrastructure Assurance Office, January 2000)
The
Infrastructure of the Protection of the Critical
Infrastructure 'In May 1998, the President
issued Presidential Decision Directive 63, Critical
Infrastructure Protection. Julie Ryan describes
that directive and effects on the existing bureaucracy.'
(Fall 1998)
White Paper
on PDD-63
The Clinton Administration's Policy on Critical
Infrastructure Protection
Factsheet on
PDD-63
Presidential
Decision Directive 63 In May 1998, President
Clinton issued PDD-63, which calls for a national
effort to assure the security of the increasingly
vulnerable and interconnected infrastructure
of the United States, especially the cyber-based
infrastructure.
CIP History: President's Commission on Critical Infrastructure Protection
Executive
Order 13010 on Critical Infrastructure Protection,
July 15, 1996
|
| Articles |
|
General
Articles
Critical Infrastructure Protection: Department of Homeland Security Faces Challenges in Fulfilling Cybersecurity Responsibilities, GAO-05-434, May 26, 2005
Impact Analysis IA05-001: Impact of September 2000 Fuel Price Protests on UK Critical Infrastructure, PSEPC, January 2005
Technology
Assessment: Cybersecurity for Critical Infrastructure
Protection [1.5MB]. GAO-04-321,
May 28, 2004.
“The
DHS Infrastructure Protection Division:
Public-Private Partnerships
to Secure Critical Infrastructures”, Select
Committee on Homeland Security, 21. April 2004
Critical
Infrastructure Protection: Challenges and
Efforts to Secure Control Systems, by Robert
F. Dacey, director, information security, before
the Subcommittee on Technology, Information
Policy, Intergovernmental Relations, and the
Census, House Committee on Government Reform.
GAO-04-628T, March 2004.
Critical
Infrastructure Protection: Challenges and Efforts
to Secure Systems. GAO-04-354, March
15, 2004
U.S.-Canada
Power System Outage Task ForceInterim Report:
Causes of the August 14th Blackout
in the United States and Canada , 19th December 2003
Critical
Infrastructure Protection: Challenges in
Securing Control Systems, Statement
of Robert F. Dacey, Director, Information
, Testimony Before the Subcommittee on
Technology, Information Policy, Intergovernmental
Relations, and the Census, House Committee
on Government Reform: United States General
Accounting Office, Wednesday,
October 1, 2003
Joint
Homeland Security Subcommittee Hearing:
Implications of Power Blackouts on
America’s
Cyber Networks and Critical Infrastructure,
Part I & I , September 2003
Homeland
Security Cybersecurity Subcommittee Hearing
The Invisible Battleground: How DHS Is
Making America’s Cyberspace More
Secure, Statement
of Robert Liscouski, Assistant Secretary for
Infrastructure Protection, Department of Homeland
Security, September 2003
A National
Infrastructure Simulation and Analysis Center
(NISAC): Strategic Leader
Education and Formulation of Critical Infrastructure
Policies, Centre for Strategic Leadership, US
Army War College, Published: August, 2003
Status
of DoD Information Assurance: Cyber Terrorism:
The New Asymmetric Threat,  Terrorism,
Unconventional Threats and Capabilities Subcommittee,
House Armed Services Committee, July 24, 2003
Ridge
Creates New Division to Combat Cyber Threats:
National Cyber Security Division (NCSD),
June, 2003
Full
House Science Committee Hearing on Cybersecurity
Research and Development, May
14, 2003
Information
Security: Progress Made, but Challenges Remain
to Protect Federal Systems and the Nation's
Critical Infrastructure,
by
Robert F. Dacey, director, information security
issues, before the Subcommittee on Technology,
Information Policy, Intergovernmental Relations,
and the Census, House Committee on Government
Operations. GAO-03-564T, April 8, 2003
Critical
Infrastructure Protection: Challenges for Selected
Agencies and Industry Sectors
GAO-03-233,
February 28, 2003
Critical
Infrastructure: Control Systems and the
Terrorist Threat,
CRS Updated February 21, 2003
Critical
Infrastructures: Background, Policy, and
Implementation,
Congressional Research Service ˜ The
Library of Congress, Updated February
10, 2003
Critical
Infrastructure Protection: Efforts of the Financial
Services Sector to Address Cyber Threats
[1.3
MB] - GAO-03-173, January 30, 2003
Critical
Infrastructure Information Disclosure and
Homeland Security,
CRS, Updated January 29, 2003
Critical
Infrastructures: What Makes an Infrastructure
Critical?,
CRS, Updated January 29, 2003
Blue
Cascades Table Top Exercise Pacific North-West
Economic Region, NIPC
August 2002
Security
in the Information Age: New Challenges, New
Strategies, [3.8 MB] by the Joint Economic
Committee United States Congress May 2002
Critical
Infrastructure Protection by John S. Tomko,
Jr, Strategy Research Project, April 2002
Ronald
L. Dick: “The Legal Aspects of Infrastructure
Protection”, September 5, 2001 INFOWARCON
2001, Washington, DC
America's NERF-Based Security: Reassurance Through
Illusion, Rhetoric, and Fear-Mongering
by
Richard Forno, October 22, 2001
Cyber Terrorism – A View From the
Gilmore Commission On
Wednesday, October 17, 2001 at 10:00 a.m.
the House Committee on Science held its
second hearing to examine the vulnerability
of the
nation’s computer infrastructure as well
as research-related challenges and opportunities
facing the nation’s network security
infrastructure and management.
Cyber
Security – How Can We Protect American
Computer Networks From Attack? On Wednesday,
October 10, 2001 at 10:00 a.m. the House
Committee on Science held a hearing to
examine the vulnerability
of the nation’s computer infrastructure
as well as research-related challenges and opportunities
facing the nation’s computer networks.
"Critical
Infrastructure Protection: Who's In Charge?" U.S. Senate Committee on Governmental Affairs,
October 4, 2001
Oversight hearing
on
"Information
Technology -- Essential Yet Vulnerable:
How Prepared Are We for Attacks?",
September 26, 2001 Subcommittee
on Govermental Efficency, Financial Management
and Intergovernmental Relations.
Ron
Dick, "The Legal Aspects of Infrastructure
Protection," InfoWarCon -
September 5, 2001 - Washington, DC
How
Secure is Our Critical Infrastructure? U.S.
Senate Committee Senate Committee on Governmental
Affairs, Wednesday, September 12, 2001
Q&A
Center of Attention Career FBI agent Ronald
Dick has been given the mission of maturing
the scope and capabilities of the National Infrastructure
Protection Center.
Reprinted with permission from Information
Security Magazine , Interview by Richard
Thieme, August 2001, pp 62-70. Copyright 2001
by Information Security Magazine
How
Secure is Sensitive Commerce Department Data
and Operations? A Review of the Department’s
Computer Security Policies and Practices.
Subcommittee on Oversight and Investigations
August 3, 2001
Protection of the Canadian Critical Infrastructure
(Information Operations published by the
Canadian Security Intelligence Service (CSIS)
July 17, 2001)
Wired
World: Cyber Security and the U.S. Economy
Joint Economic Committee Hearing 21 June 2001
Military
Readiness Subcommittee hearing on vulnerabilities
of Department of Defense networks May
17 2001
Occasional
Paper #33 Sharing the Knowledge: Government-Private
Sector Partnerships to Enhance Information Security
by
Steven M. Rinaldi, USAF Institute For National
Security Studies, May 2000
Defensive
Information Operations – An Interagency
Process by James T. Schutze, Strategy Research
Project, March 2001
Report of
the Commission to Assess United States National
Security Space Management and Organization
(CIP
in Space) The commission warns that the United
States should protect its space assets as the
US is highly dependent on them. [published 11/01/01]
GAO
Report: Information Security
United States General Accounting Office Report
to the Chairman of the Subcommittee on Government
Management, Information and Technology at the
House of Representative. The report criticises
the lack of Information Security at Federal
Agencies [September 2000]
Computer Security: Cyber Attacks - A War without
Borders Congress Hearing on CIP before
House Subcommittee on Government Management,
Information,
and Technology [published 26th of
July 2000]
New
draft version of the CSIS Homeland Defense Projects
on CIP [published 16th of July 2000]
Communications-Electronics
Security Group (CESG) Presentation to The
First International Common Criteria Conference,
Baltimore 23 May 2000
Statements
before the Senate Armed Services Committee Subcommittee
on Emerging Threats and Capabilities: Information
Assurance, 1 March 2000:
Statement
of John S. Tritak Director, Critical Infrastructure
Assurance Office before Senate Judiciary Committee
Subcommittee on Technology, Terrorism and Government
Information on February
1, 2000
Cyber-Threats
and the US Economy Prepared Testimony and
Opening Statements in front of the Joint Economic
Committee on February 23, 2000.
Informationstechnische
Bedrohungen für Kritische Infrastrukturen in
Deutschland [December 1999] Kurzbericht
der Ressortarbeitsgruppe KRITIS (Entwurfsversion
7.95) (German CIP Draft Paper)
Highlights
of the Protecting the Critical Infrastructure
Issues and Solution Symposium 'was
held November the 9th 1999 and played host to
approximately 500 attendees from Federal Government,
the U.S. Military, private industry and academia.
The event focused on protection of the critical
infrastructure and encouraged a collaborative
effort to deal quickly and effectively with
the evolving threat to technology resources,
information and the U.S. way of life.'
CIP
Special Papers - Electricity Sector
NERC's
comments in response to the NOPR that the
Commission issued on September 5, 2002 on the
subject of protecting critical energy infrastructure
information
NERC
Security Guidelines for the Electricity Sector:
Version 1.0 [1.3 MB] - this file contains
one Acrobat file inclusive of all 13 individual
Security Guidelines, June 2002
Electricty
Sector Response to the Critical Infrastructure
Protection Challenge, NERC, May 2002
An
Approach to Action for the Electricity Sector,
[1.5 MB] Working Group Forum on Critical Infrastructure
Protection, NERC June 2002.
Information
Security Challenges in the Electric Power Industry
(White Paper) January 2001 (courtesy of
Riptech) Abstract: This white paper addresses how
modern utility companies can take advantage of the
new business environment brought on by industry deregulation
without compromising information security. While
operational information security has always been
a concern, new issues such as financial and customer
information privacy are coming to the surface as
utilities continue to implement new Internet-based
business methodologies. This report analyzes network
and system vulnerabilities and potential impacts,
as well as information security best practices for
utilities operating in a newly deregulated and competitive
environment.
"Understanding
SCADA System Security Vulnerabilities." White
Paper" January 2001 (courtesy of Riptech)
Abstract: This white paper analyzes the issue of
supervisory control and data acquisition (SCADA)
system vulnerability to public network "cyber" attacks.
Riptech network security engineers have found that
many utilities underestimate their vulnerability
due to some common misconceptions about SCADA system
security. This paper addresses these misconceptions
and discusses the best ways to protect these mission-critical
systems from attack.
|
| News |
|
NIPC
FBI Cyber Notes is designed to support security
and information system professionals with timely
information on cyber-vulnerabilities, exploit
scripts, hacker trends, virus information, and
other critical infrastructure-related best practices.
Cyber Notes is published every two weeks.
Disclaimer: The NIPC accepts no responsibility
for any error or omissions contained in the
CyberNotes periodical. The NIPC is not liable
for any loss or damage arising from or in connection
with the information contained in this report.
It is the responsibility of the user to evaluate
the content and usefulness of this information.
References in CyberNotes to any specific commercial
products, processes, or services by trade name,
trademark, manufacturer, or otherwise, does
not constitute or imply endorsement, recommendation,
or favoring by the United States Government
or any agency thereof.
Cybernotes
Index
NIPC Highlights
Highlights
is published on a monthly basis by the National Infrastructure
Protection Center (NIPC). Its mission is to apprise
policy and/or decision makers of current events, incidents,
developments, and trends related to Critical Infrastructure
Protection (CIP).
Highlights
seeks to provide policy and/or decision makers with
value-added insight by synthesizing all source information
to provide the most detailed, accurate, and timely
reporting on potentially actionable CIP matters.
Disclaimer:
The
NIPC accepts no responsibility for any error
or omissions contained in the Highlights publication.
The NIPC is not liable for any loss or damage
arising from or in connection with the information
contained in this report. It is the responsibility
of the user to evaluate the content and usefulness
of this information. References in Hightlights
to any specific commercial products, processes,
or services by trade name, trademark, manufacturer,
or otherwise, does not constitute or imply endorsement,
recommendation, or favoring by the United States
Government or any agency thereof.
Highlights
|
|
|
|
|
|
For
more links visit our new link directory
Government
Canada
Office
of Critical Infrastructure Protection And Emergency
Preparedness (OCIPEP)
On February 5, 2001 Prime Minister Jean Chrétien
announced the creation of the Office of Critical
Infrastructure Protection and Emergency Preparedness.
The Minister of National Defence will be the Minister
responsible for the organization, which will also
encompass the existing functions of Emergency Preparedness
Canada. Margaret Purdy has been appointed as Associate
Deputy Minister of National Defence and will lead
the new organization.
United Kingdom
National
Infrastructure Security Coordination Centre (NISCC)
'to ensure sound mechanisms are in place to protect
the critical national infrastructure. We set up
the National Infrastructure Security Coordination
Centre (NISCC) in late 1999 to coordinate and develop
work to protect the critical national infrastructure
in the public and the private sector against electronic
attack. NISCC is raising awareness of information
security across those organisations responsible
for the critical national infrastructure.' UK e-envoy
Unified
Incident Reporting & Alert Scheme '(UNIRAS)
was established in 1992 with the role of gathering
information on IT security incidents in Government
departments and agencies, producing periodic
analysis and assessment of incidents and trends,
and issuing alerts and briefings on matters of
IT security concern. UNIRAS is now a fully integrated
part of the National Infrastructure Security
Co-ordination Centre (NISCC).'
US
Critical
Infrastructure Assurance Office
'PDD-63 created the CIAO on May 22, 1998.
CIAO's basic mission, as articulated in PDD-63,
is to coordinate national planning activities related
to critical infrastructure protection, develop
awareness
in the private and public sectors on the need for
sound security practices, and support the development
of a public-private Partnership through outreach
and other activities'.
Critical
Infrastructure Protection Program at the Department
of Commerce 'DOC Critical Infrastructure Protection
Program will: focus management attention on the
need to protect critical infrastructure, promote
best practices in critical infrastructure management,
develop and promulgate policies and guidance related
to critical infrastructure management, and identify
resources needed to manage the Critical Infrastructure
Protection Program.'
Critical
Infrastructure Surety Department at Sandia National
Laboratories 'Sandia is, first and foremost, a systems
engineering laboratory whose primary mission is
guaranteeing the surety of the nuclear weapons stockpile.
Additionally, it has a mission to improve the surety
of the nation's energy infrastructure.'
Defense Information Systems Agency
' DISA
is helping protect against, detect and react to
threats to both its information infrastructure and
information sources. Additionally, DISA is aggressively
working with DOD Agencies, the military departments,
and other federal agencies, and industry.
The Department of
Homeland Security, DHS
leads the unified national effort to secure America.
It prevents and deters terrorist attacks and
protect against and respond to threats and hazards
to the nation.
Information
Assurance Technology Analysis Center 'IATAC's
Mission "Provide the DoD a central point of
access for information on Information Assurance
emerging technologies in system vulnerabilities,
research and development, models, and analysis to
support the development and implementation of effective
defense against Information Warfare attacks."'
Information Infrastructure Task Force (IITF)
'The White House formed the Information Infrastructure
Task Force (IITF) to articulate and implement the
Administration's vision for the National Information
Infrastructure (NII).'
National
Information Assurance Partnership '(NIAP) is
a U.S. Government initiative designed to meet the
security testing, evaluation, and assessment needs
of both information technology (IT) producers and
consumers. NIAP is a collaboration between the National
Institute of Standards and Technology (NIST) and
the National Security Agency (NSA) in fulfilling
their respective responsibilities under Computer
Security Act of 1987.'
National Infrastructure Protection Center
(FBI) 'Established
in February 1998, the NIPC's mission is to serve
as the U.S. government's focal point for threat
assessment, warning, investigation, and response
for threats or attacks against our critical infrastructures.
'
Partnership
for Critical Infrastructure Security 'Our Mission:
Coordinate cross-sector initiatives, and complement
public / private efforts to promote and assure reliable
provision of critical infrastructure services in
the face of emerging risks to economic and national
security.'
Others
The Global Information Infrastructure Commission
'The Global Information Infrastructure Commission
(GIIC) is an independent, non-governmental initiative
involving communications related industry leaders
from developing as well as industrialized countries.
The GIIC has been established to respond to the
recognition that traditional institutions and regulatory
frameworks can no longer meet the increasingly complex
challenges and opportunities of globalized information.'
Harvard
Information Infrastructure Project 'As
the Harvard Information Infrastructure Project (HIIP)
moves into its second decade, the information revolution
continues to penetrate every aspect of daily life
around the globe, affecting everything from national
security to personal privacy, from economic competitiveness
to democratic participation in governance. The HIIP
identifies key issues and guides responsible policy
in this critical and fast-moving area.
TNO
- Netherlands Organization for Applied Scientific
Research 'The Netherlands government has contracted
TNO for Critical Infrastructure Protection studies
(Bitbreuk and KWINT). TNO maintains a web page with
relevant information on infrastructure studies,
protection and vulnerabilities.'
Information
Assurance Advisory Council (UK) 'is a unique
partnership for the information age that brings
together corporate leaders, public policy makers
and the research community' within the United Kingdom.
InfoSurance
The Foundation for the Security of Information Infrastructures
in Switzerland 'aims at creating in close partnership
with the public and the private sector the organizational
and structural conditions.'.
The
Institute for Security Technology Studies (ISTS)
serves
as a national center for cybersecurity and counterterrorism
research, development, and analysis. Our research
programs concentrate on threats to information infrastructure
systems as well as national information sharing
needs. Additionally, ISTS develops technology to
strengthen America's response to attacks via weapons
of mass destruction.
The Partnership for Global Information Security
'is a partnership between industry and government
leaders from around the world to address critical
communications and information sharing issues surrounding
information security in a digital economy. Launched
at the conclusion of the inaugural Global InfoSec
Summit, held October 16-17, 2000, the purpose of
the Partnership is to seek ways to continue international
information sharing on the people, process and technology
challenges of information security.'
Forschungsgruppe
Informationsgesellschaft und Sicherheitspolitik A
German CIP research group
|
|
| Online Master in Information Assurance |
 |
|
|
|
