
ID IGF 2016 - Infrastruktur 3 - Security Governance Framework

Date post: 16-Jan-2017
Upload: igf-indonesia
Security Governance Framework ensuring preparedness for the protection of CNI and implementing a strong cyber defense measures Setiadi Yazid – Universitas Indonesia

National Infrastructure (UK)

“Those critical elements of infrastructure (namely assets, facilities, systems, networks or processes and the essential workers that operate and facilitate them), the loss or compromise of which could result in:

• major detrimental impact on the availability, integrity or delivery of essential services – including those services, whose integrity, if compromised, could result in significant loss of life or casualties – taking into account significant economic or social impacts; and/or

• significant impact on national security, national defence, or the functioning of the state”.

US Executive Order (2013)

• Critical infrastructure is defined in the EO as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” Due to the increasing pressures from external and internal threats, organizations responsible for critical infrastructure need to have a consistent and iterative approach to identifying, assessing, and managing cybersecurity risk. This approach is necessary regardless of an organization’s size, threat exposure, or cybersecurity sophistication today.

Special Objects

• Vital Objects: areas, places, buildings and enterprises that affect the livelihood of many people, state interests and/or major sources of state revenue, which are potentially vulnerable and could shake economic, political and security stability if a security disturbance occurs.

• Tourist Objects: certain places and/or activities that people visit on account of their socio-cultural values or natural conditions.

• Certain Special Objects, such as: bank/financial institution offices, hospitals

• National Vital Objects are areas/locations, buildings/installations and/or enterprises that affect the livelihood of many people, state interests and/or sources of state revenue of a strategic nature. The status of a national vital object must be determined by decree of a minister and/or the head of a non-departmental government agency. (Presidential Decree (Kepres) Number 63 of 2004, Article 3)

BSA survey 2015

• Is there a national cybersecurity strategy in place?

• Indonesia is in the early stages of developing a national cybersecurity strategy.

• Is there a critical infrastructure protection (CIP) strategy or plan in place?

• There is no critical infrastructure protection plan in place in Indonesia.

Infrastructure Interdependencies

Cybersecurity threats exploit the increased complexity and connectivity of critical infrastructure systems, placing the Nation’s security, economy, and public safety and health at risk. (NIST 2014)

What is Secure?

Time to Breach is GREATER than Time to Detect + Time to Respond

Critical Infrastructure Framework

• Core Functions (concurrent and continuous): Identify, Protect, Detect, Respond, Recover

• Implementation Tiers: from reactive, risk-informed, repeatable to adaptive (tier 4)

• Framework Profile based on core functions categories to describe states of cyber security activities

(Framework for Improving Critical Infrastructure Cyber Security, version 1.0, NIST 2014)

Core Functions

• Identify: asset mgmt, business environment, governance, risk assessment, risk mgmt

• Protect: access control, awareness/training, data security, information protection process & procedures, maintenance, protective technology

• Detect: anomalies and events, security continuous monitoring, detection process

• Respond: response planning, communication, analysis, mitigation, improvements

• Recover: recovery planning, improvements, communications

(breakdowns comply with COBIT, NIST 800-53, ISO 27001)

PROTECT (breakdown example)

• Technical:

– Firewalls, Application White Listing, IDS, Access Control

• Non Technical

– Security Policies and Procedures

• Standards

– Access permissions are managed, incorporating the principles of least privilege and separation of duties according to NIST SP 800-53, ISO 27001:2013

Security Index (M, S)

• Maturity level: reactive, ad hoc, supported by management, optimized and supported by policies

• Protection level: casual incidents, hacker, hacktivist/terrorist, sophisticated national attack

Indonesia Security instruments

• ID-SIRTII

• ID-CERT

• Lemsaneg

• Kominfo

• Dephan

• Kepolisian

• Community/society: Mastel, APJII, ISP

• Academia

Distribution of Tasks

[Table: columns Identify, Protect, Detect, Respond, Recover; rows ID-SIRTII, ID-CERT, Lemsaneg, Dephan, Kepolisian, End user, Academia, ISP]

Security Planning Steps

• Set Goals and Objectives, “catastrophic levels”, “critical infrastructures”, “attack graph/scenarios”

• Identify Critical Infrastructures and dependencies

• Assess and Analyze Current Security level

• Risk assessment

• Define Target Security Level

• Prioritize GAPS

• ACTION PLAN

(NIPP 2013/NIST 2014)

Conclusions

• Protecting CNI is a HUGE task; everybody should be responsible.

• Indonesia’s security instruments should start working together toward a common goal.

• National security awareness should be increased

• Regulation should be established ASAP

• A small body e.g. BCN can be the coordinator

