V

CYB 4303, Critical Infrastructure Protection in Cybersecurity 1

Course Learning Outcomes for Unit V Upon completion of this unit, students should be able to:

2. Evaluate organization infrastructures for vulnerabilities. 2.1 Explain the current state of critical infrastructure protection efforts.

5. Analyze vulnerabilities of critical information and key resources (CIKR).

5.3 Identify current threats to the information technology sector.

Required Unit Resources

Chapter 8: Information Technology (IT)

In order to access the following resource, click the link below.

For the following resource, read Section 3-5 of the National Infrastructure Protection Plan. Department of Homeland Security. (2013). National Infrastructure Protection Plan 2013.

https://www.dhs.gov/national-infrastructure-protection-plan

Unit Lesson

Introduction The country’s communications systems are complex and intricate, encompassing numerous technologies, types of services, and diverse ownerships. According to the Communications Sector-Specific Plan (CSSP), the communications sector “has evolved from predominantly a provider of voice services into a diverse, competitive, and interconnected industry, using terrestrial, satellite, and wireless transmission systems“ (Department of Homeland Security [DHS], 2015, p. iv). A great majority of the nation’s communication systems are privately owned and operated, and, as such, DHS assigned sector-specific agencies (SSAs) to partner with state, local, and industry organizations to enhance the communications sector-specific protection. The SSAs consigned to the communications sector are the Communications Sector Coordinating Council (CSCC) and Communications Sector Government Coordinating Council (CGCC), both under the DHS ( DHS, 2015). According to the CSSP, the following three joint goals were developed to guide the mission to protect the communications sector:

1. protect and enhance the overall physical and logical health of communications; 2. rapidly reconstitute critical communications services in the event of disruption, and mitigate cascading

effects; and 3. improve the sector’s national security and emergency preparedness (NS/EP) posture with federal,

state, local, tribal, international, and private sector entities to reduce risk (DHS, 2015, p. iv).

Information Technology as a Critical Infrastructure As we have seen thus far, securing critical infrastructures has become increasingly vital for DHS. In Section 1016 of the USA PATRIOT Act of 2001, a critical infrastructure is defined as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets

UNIT V STUDY GUIDE

Information Technology Protection and Security

CYB 4303, Critical Infrastructure Protection in Cybersecurity 2

UNIT x STUDY GUIDE

Title

would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters” (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001, 2001, p. 130). Table 1 outlines the currently defined 18 sectors considered Critical Infrastructure and Key Resources (CIKRs). These systems, whether physical or intangible, are vital to the nation’s economy and public health and safety. Any damage or destruction of such systems, specifically information technology (IT), will have debilitating effects to the nation. The level of vulnerability varies from sector to sector. As an example, some sectors such as energy, water, and federal facilities are, by nature physical, while others such as communication, finance, and information technology have cyber elements.

Agriculture and Food Water Nuclear Reactor

Defense Industrial Base Chemical Information Technology

Energy Commercial Facilities Communications

Healthcare and Public Health Critical Manufacturing Postal & Shipping

National Monuments & Icons Dams Transportation Systems

Banking and Finance Emergency Services Government Facilities

Table 1. Eighteen critical infrastructure and key resource (CIKR) sectors (NIPP, 2013, p. 9)

The IT sector is functions-based, according to the National Infrastructure Protection Plan (NIPP) (DHS, 2016). The IT Sector’s six critical functions are to:

1. provide IT products and services; 2. provide incident management capabilities; 3. provide domain name resolution services; 4. provide identity management and associated trust support services; 5. provide Internet-based content, information, and communications services; and 6. provide Internet routing, access, and connection services (DHS, 2016).

“The IT Sector functions encompass the full set of processes involved in creating IT products and services, including Research and Development (R&D), manufacturing, distribution, upgrades, and maintenance. They also support the Sector’s ability to produce and provide high-assurance products, services, and practices that are resilient to threats and can be rapidly recovered. Assurance is essential to achieving the Sector’s vision and is therefore a fundamental aspect of all critical functions. (DHS, 2016, p. 2)

These critical functions are provided by a combination of private and public entities with private operators constituting the majority of owners and operators of information technology infrastructures. Private entities work with the federal government and the Information Technology Coordinating Council (IT SCC) to protect the sector’s infrastructure and assets (DHS, 2015). While the IT sector’s functions, products, and services contribute to the efficiency and effectiveness of the global economy, the sector also faces global threats from natural or manmade activities on a daily basis. Many of these threats take place frequently but do not have major consequences as the private and public sectors are continuously taking security measures as new threats and events develop around the globe.

Security

A key aspect of the information technology sector is security. Information security is the approach taken by public and private sectors to protect information technology (IT) systems (as shown in Figure 1), physical structures, and associated assets from threats present in the environment. The National Institute of Standards and Technology (NIST) Handbook (2017) outlines three critical areas for physical security:

1. physical structures, assets, and elements (including IT systems, storage, and communication infrastructures);

2. the facility's general geographic area, which could be susceptible to natural threats, man-made threats, or interception of transmissions and emanations, among others; and

3. Supporting facilities, which are those services (both technical and human) that underpin the operation of the system.

CYB 4303, Critical Infrastructure Protection in Cybersecurity 3

UNIT x STUDY GUIDE

Title

Gilchrist (2017) noted that information security encompasses the protection of IT assets guaranteeing the integrity, availability, and confidentiality of information. The security of IT physical and cyber assets includes a physical, technical, and procedural methodology. Physical controls must be implemented to ensure that IT environments are protected. Examples include computer rooms and data centers with restricted access to non-essential personnel to avoid accidental access to critical organizational systems. Technical security strategies rely on security measures using technology as well as physical means. This approach relates to computer and software techniques to prevent unauthorized access to IT systems. Examples include password protected systems and software controls of restricted information. Last, procedural security covers organizational rules, regulations, and policies to mitigate risks arising from the use of information systems. An example of policies encompasses end user agreements on the utilization of company assets such as computers and other IT devices.

Again, physical and environmental security is very important as this approach is taken for the protection of not only IT systems but physical structures and associated infrastructure against threats related to the physical environment. Physical and environmental safeguards can many times be overlooked but are critical in protecting information technology elements. Structures and locations must be designed with protection in mind to avoid damage (natural or man-made) as well as unauthorized access to information and computer systems (See Table 2). Physical and environmental security, which is also called geographic or area security, often provides the first line of defense of information and information systems with equipment security and general controls to protect physical assets (Simpson et al., 2017).

Natural Threats Human Threats

1. Loss of personnel 2. Failure of IT systems 3. Lightning 4. Fire 5. Flooding 6. Storms 7. Power failures 8. Dust

1. Hacker 2. Social engineering 3. Computer criminals – Individuals who

use computers or computer networks to commit a crime.

4. Physical damage to systems

CORE CONCEPT

Security access controls are processes wherein an organization’s IT assets are made into a more difficult or less attractive target through physical, technical, and procedural mechanisms.

CORE CONCEPT

Fundamental to ISO 27001 is that it considers information systems security as a continuous improvement process and not as a product.

Figure 1. A network protected behind a firewall

CYB 4303, Critical Infrastructure Protection in Cybersecurity 4

UNIT x STUDY GUIDE

Title

9. Magnetic fields

Table 1 Threat examples

Summary

The information technology sector and all information systems within it are subject to negative environmental events and unauthorized access attempts that may invalidate their use causing potentially irreparable damage to all critical sectors including organizations, individuals, and society. Implementing a sound organizational security strategy involves setting security standards (policies, training, and enforcement) applying the confidentiality, integrity, and availability (CIA) approach. Simpson et al. (2017) recommended adapting the Crime Prevention Through Environment Design (CPTED) guidelines and principles for the reduction of security incidents.

References Department of Homeland Security. (2013). National Infrastructure Protection Plan.

https://www.dhs.gov/sites/default/files/publications/national-infrastructure-protection-plan-2013- 508.pdf

Department of Homeland Security. (2015). Communications sector-specific plan: An annex to the NIPP 2013.

https://www.dhs.gov/sites/default/files/publications/nipp-ssp-communications-2015-508.pdf Department of Homeland Security. (2016). Information technology sector-specific plan: An annex to the NIPP

2013. https://www.dhs.gov/sites/default/files/publications/nipp-ssp-information-technology-2016- 508.pdf

Gilchrist, A. (2017). IoT security issues. https://ebookcentral.proquest.com

National Institute of Standards and Technology. (2017). NIST SP 800-12 An introduction to computer security: The NIST Handbook. https://csrc.nist.gov/csrc/media/publications/sp/800-12/rev- 1/draft/documents/sp800_12_r1_draft.pdf

Simpson, D., Jensen, V., & Rubing, A. (Eds.). (2017). The city between freedom and security: Contested

public spaces in the 21st century. https://ebookcentral.proquest.com

Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001, Pub. L. No. 107-56, 115 Stat. 272 (2001). https://www.govinfo.gov/content/pkg/PLAW-107publ56/pdf/PLAW-107publ56.pdf

Suggested Unit Resources In order to access the following resources, click the links below. Additional information relevant to the unit’s objectives can be found in the following links. There are more details provided in these links as it relates to the National Infrastructure Protection Plan (NIPP) and recommended standards published in the National Institute of Standards and Technology (NIST) websites: www.dhs.gov and www.nist.gov respectively.

CORE CONCEPT

CPTED proposes that the proper design and effective use of the built environment may lead to a reduction in the fear and incidence of cyberattacks, crime, and an improvement of the quality of life (Simpson et al., 2017).

CYB 4303, Critical Infrastructure Protection in Cybersecurity 5

UNIT x STUDY GUIDE

Title

Department of Homeland Security. (2013). National Infrastructure Protection Plan 2013. https://www.dhs.gov/national-infrastructure-protection-plan

National Institute of Standards and Technology. (2017). NIST Special Publication 800-12 An introduction to

information security: The NIST Handbook. https://csrc.nist.gov/csrc/media/publications/sp/800-12/rev- 1/draft/documents/sp800_12_r1_draft.pdf

Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001, Pub. L. No. 107-56, 115 Stat. 272 (2001). https://www.govinfo.gov/content/pkg/PLAW-107publ56/pdf/PLAW-107publ56.pdf

CYB 4303, Critical Infrastructure Protection in Cybersecurity 1

Course Learning Outcomes for Unit V Upon completion of this unit, students should be able to:

2. Evaluate organization infrastructures for vulnerabilities. 2.1 Explain the current state of critical infrastructure protection efforts.

5. Analyze vulnerabilities of critical information and key resources (CIKR).

5.3 Identify current threats to the information technology sector.

Required Unit Resources

Chapter 8: Information Technology (IT)

In order to access the following resource, click the link below.

For the following resource, read Section 3-5 of the National Infrastructure Protection Plan. Department of Homeland Security. (2013). National Infrastructure Protection Plan 2013.

https://www.dhs.gov/national-infrastructure-protection-plan

Unit Lesson

Introduction The country’s communications systems are complex and intricate, encompassing numerous technologies, types of services, and diverse ownerships. According to the Communications Sector-Specific Plan (CSSP), the communications sector “has evolved from predominantly a provider of voice services into a diverse, competitive, and interconnected industry, using terrestrial, satellite, and wireless transmission systems“ (Department of Homeland Security [DHS], 2015, p. iv). A great majority of the nation’s communication systems are privately owned and operated, and, as such, DHS assigned sector-specific agencies (SSAs) to partner with state, local, and industry organizations to enhance the communications sector-specific protection. The SSAs consigned to the communications sector are the Communications Sector Coordinating Council (CSCC) and Communications Sector Government Coordinating Council (CGCC), both under the DHS ( DHS, 2015). According to the CSSP, the following three joint goals were developed to guide the mission to protect the communications sector:

1. protect and enhance the overall physical and logical health of communications; 2. rapidly reconstitute critical communications services in the event of disruption, and mitigate cascading

effects; and 3. improve the sector’s national security and emergency preparedness (NS/EP) posture with federal,

state, local, tribal, international, and private sector entities to reduce risk (DHS, 2015, p. iv).

Information Technology as a Critical Infrastructure As we have seen thus far, securing critical infrastructures has become increasingly vital for DHS. In Section 1016 of the USA PATRIOT Act of 2001, a critical infrastructure is defined as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets

UNIT V STUDY GUIDE

Information Technology Protection and Security

CYB 4303, Critical Infrastructure Protection in Cybersecurity 2

UNIT x STUDY GUIDE

Title

would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters” (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001, 2001, p. 130). Table 1 outlines the currently defined 18 sectors considered Critical Infrastructure and Key Resources (CIKRs). These systems, whether physical or intangible, are vital to the nation’s economy and public health and safety. Any damage or destruction of such systems, specifically information technology (IT), will have debilitating effects to the nation. The level of vulnerability varies from sector to sector. As an example, some sectors such as energy, water, and federal facilities are, by nature physical, while others such as communication, finance, and information technology have cyber elements.

Agriculture and Food Water Nuclear Reactor

Defense Industrial Base Chemical Information Technology

Energy Commercial Facilities Communications

Healthcare and Public Health Critical Manufacturing Postal & Shipping

National Monuments & Icons Dams Transportation Systems

Banking and Finance Emergency Services Government Facilities

Table 1. Eighteen critical infrastructure and key resource (CIKR) sectors (NIPP, 2013, p. 9)

The IT sector is functions-based, according to the National Infrastructure Protection Plan (NIPP) (DHS, 2016). The IT Sector’s six critical functions are to:

1. provide IT products and services; 2. provide incident management capabilities; 3. provide domain name resolution services; 4. provide identity management and associated trust support services; 5. provide Internet-based content, information, and communications services; and 6. provide Internet routing, access, and connection services (DHS, 2016).

“The IT Sector functions encompass the full set of processes involved in creating IT products and services, including Research and Development (R&D), manufacturing, distribution, upgrades, and maintenance. They also support the Sector’s ability to produce and provide high-assurance products, services, and practices that are resilient to threats and can be rapidly recovered. Assurance is essential to achieving the Sector’s vision and is therefore a fundamental aspect of all critical functions. (DHS, 2016, p. 2)

These critical functions are provided by a combination of private and public entities with private operators constituting the majority of owners and operators of information technology infrastructures. Private entities work with the federal government and the Information Technology Coordinating Council (IT SCC) to protect the sector’s infrastructure and assets (DHS, 2015). While the IT sector’s functions, products, and services contribute to the efficiency and effectiveness of the global economy, the sector also faces global threats from natural or manmade activities on a daily basis. Many of these threats take place frequently but do not have major consequences as the private and public sectors are continuously taking security measures as new threats and events develop around the globe.

Security

A key aspect of the information technology sector is security. Information security is the approach taken by public and private sectors to protect information technology (IT) systems (as shown in Figure 1), physical structures, and associated assets from threats present in the environment. The National Institute of Standards and Technology (NIST) Handbook (2017) outlines three critical areas for physical security:

1. physical structures, assets, and elements (including IT systems, storage, and communication infrastructures);

2. the facility's general geographic area, which could be susceptible to natural threats, man-made threats, or interception of transmissions and emanations, among others; and

3. Supporting facilities, which are those services (both technical and human) that underpin the operation of the system.

CYB 4303, Critical Infrastructure Protection in Cybersecurity 3

UNIT x STUDY GUIDE

Title

Gilchrist (2017) noted that information security encompasses the protection of IT assets guaranteeing the integrity, availability, and confidentiality of information. The security of IT physical and cyber assets includes a physical, technical, and procedural methodology. Physical controls must be implemented to ensure that IT environments are protected. Examples include computer rooms and data centers with restricted access to non-essential personnel to avoid accidental access to critical organizational systems. Technical security strategies rely on security measures using technology as well as physical means. This approach relates to computer and software techniques to prevent unauthorized access to IT systems. Examples include password protected systems and software controls of restricted information. Last, procedural security covers organizational rules, regulations, and policies to mitigate risks arising from the use of information systems. An example of policies encompasses end user agreements on the utilization of company assets such as computers and other IT devices.

Again, physical and environmental security is very important as this approach is taken for the protection of not only IT systems but physical structures and associated infrastructure against threats related to the physical environment. Physical and environmental safeguards can many times be overlooked but are critical in protecting information technology elements. Structures and locations must be designed with protection in mind to avoid damage (natural or man-made) as well as unauthorized access to information and computer systems (See Table 2). Physical and environmental security, which is also called geographic or area security, often provides the first line of defense of information and information systems with equipment security and general controls to protect physical assets (Simpson et al., 2017).

Natural Threats Human Threats

1. Loss of personnel 2. Failure of IT systems 3. Lightning 4. Fire 5. Flooding 6. Storms 7. Power failures 8. Dust

1. Hacker 2. Social engineering 3. Computer criminals – Individuals who

use computers or computer networks to commit a crime.

4. Physical damage to systems

CORE CONCEPT

Security access controls are processes wherein an organization’s IT assets are made into a more difficult or less attractive target through physical, technical, and procedural mechanisms.

CORE CONCEPT

Fundamental to ISO 27001 is that it considers information systems security as a continuous improvement process and not as a product.

Figure 1. A network protected behind a firewall

CYB 4303, Critical Infrastructure Protection in Cybersecurity 4

UNIT x STUDY GUIDE

Title

9. Magnetic fields

Table 1 Threat examples

Summary

The information technology sector and all information systems within it are subject to negative environmental events and unauthorized access attempts that may invalidate their use causing potentially irreparable damage to all critical sectors including organizations, individuals, and society. Implementing a sound organizational security strategy involves setting security standards (policies, training, and enforcement) applying the confidentiality, integrity, and availability (CIA) approach. Simpson et al. (2017) recommended adapting the Crime Prevention Through Environment Design (CPTED) guidelines and principles for the reduction of security incidents.

References Department of Homeland Security. (2013). National Infrastructure Protection Plan.

https://www.dhs.gov/sites/default/files/publications/national-infrastructure-protection-plan-2013- 508.pdf

Department of Homeland Security. (2015). Communications sector-specific plan: An annex to the NIPP 2013.

https://www.dhs.gov/sites/default/files/publications/nipp-ssp-communications-2015-508.pdf Department of Homeland Security. (2016). Information technology sector-specific plan: An annex to the NIPP

2013. https://www.dhs.gov/sites/default/files/publications/nipp-ssp-information-technology-2016- 508.pdf

Gilchrist, A. (2017). IoT security issues. https://ebookcentral.proquest.com

National Institute of Standards and Technology. (2017). NIST SP 800-12 An introduction to computer security: The NIST Handbook. https://csrc.nist.gov/csrc/media/publications/sp/800-12/rev- 1/draft/documents/sp800_12_r1_draft.pdf

Simpson, D., Jensen, V., & Rubing, A. (Eds.). (2017). The city between freedom and security: Contested

public spaces in the 21st century. https://ebookcentral.proquest.com

Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001, Pub. L. No. 107-56, 115 Stat. 272 (2001). https://www.govinfo.gov/content/pkg/PLAW-107publ56/pdf/PLAW-107publ56.pdf

Suggested Unit Resources In order to access the following resources, click the links below. Additional information relevant to the unit’s objectives can be found in the following links. There are more details provided in these links as it relates to the National Infrastructure Protection Plan (NIPP) and recommended standards published in the National Institute of Standards and Technology (NIST) websites: www.dhs.gov and www.nist.gov respectively.

CORE CONCEPT

CPTED proposes that the proper design and effective use of the built environment may lead to a reduction in the fear and incidence of cyberattacks, crime, and an improvement of the quality of life (Simpson et al., 2017).

CYB 4303, Critical Infrastructure Protection in Cybersecurity 5

UNIT x STUDY GUIDE

Title

Department of Homeland Security. (2013). National Infrastructure Protection Plan 2013. https://www.dhs.gov/national-infrastructure-protection-plan

National Institute of Standards and Technology. (2017). NIST Special Publication 800-12 An introduction to

information security: The NIST Handbook. https://csrc.nist.gov/csrc/media/publications/sp/800-12/rev- 1/draft/documents/sp800_12_r1_draft.pdf

Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001, Pub. L. No. 107-56, 115 Stat. 272 (2001). https://www.govinfo.gov/content/pkg/PLAW-107publ56/pdf/PLAW-107publ56.pdf