Richard Oehme Director, Office of Information Assurance and Cybersecurity Risk Reduction Division richard.oehme@msb.se

Cyber security in Sweden - With focus on National Collaboration forum and

Private Public Partnership

Crisis management in Sweden

• Strong autonomous authorities

Responsibility to support Information sharing Coordinated decision making

Other

Actors

County

A-B

Agency A

Common

Situational

Picture

Coordination

Information Sharing

Common Message

”Whoever responsible for an activity in normal conditions, shall maintain that responsibility in a crisis situation.” Principle of responsibility

Information Security in Sweden

Ministry of Enterprise, Energy and Communications

Ministry of Defence

Ministry of Justice

eID Delegation Swedish Data Inspection Board (DI)

Swedish Post and Telecom Authority (PTS)

Defence Materiel Administration (FMV)

Swedish Civil Contingencies Agency (MSB)

National Defence Radio Establishment (FRA) Swedish Security

Service (SÄPO)

National Police

Swedish Armed Forces

Government agencies responsible for a sector

County councils (health care) County administrative boards Municipalities

Private enterprises and other organizations

The entire spectrum of threats and risks, from everyday accidents to major disasters

- Local, regional, national, EU, and international

Before, during, and after the occurrence of emergencies, disasters and accidents

Coordinating across sector and jurisdictional boundaries and levels of responsibility

The MSB will not take over the responsibility of primary stakeholders.

Mandate for MSB

Policy and direction Strategy, Action plan, Regulations, Situational assessment

Media sector preparedness Public private partnership

Response and incident management NOCF/CERT-SE, National response plan, Cyber exercises

Support for preventive IS work in organisations - Framework for information security. (recommendations and guidelines to support work in organizations - public and private) - Critical information infrastructure – SCADA program - Communications security (civilian) - e-development (e-administration) - Standardization - Awareness raising - Risk and vulnerability analysis - Training and R&D

MSB’s activities in the field of information and cybersecurity

Director

Information Security Governance Section

Cybersecurity and CIIP Section

Operational Cybersecurity and IT Incident Response

Section

Strategic support

Office of Information Assurance and Cybersecurity

Volunteer Organization

Agency County

Municipality Private Sector

DoJ

COP

Consequence Analysis

Identify Gap

Cooperation

Alert Conferences

Information Cooperation

Common pic

Sitrep

MSB Coordination role

Allhazards

Försvars- underrättelser

Försvars- underrättelser

Försvars- underrättelser

Försvars- underrättelser

Försvars- underrättelser

Intelligence information

Police information

MSB societal situational awareness

Situational awareness Stockholm

Situational awareness Karlstad

One Situational Center

- Two places

Government, Society

Digital Sit.Pic Socital Sit.Pic

National Information and Cyber Security

Cooperation Function (NOS)

Information

MSB other Cyber & Info.Sec Resources

Information

Societal Sit.Pic

Cyber & Information Security Sit.Pic

It Security

Sit.Pic

National response plan

MSB International Cyber Cooperation

EGC

Transportation

Economic Security

Protection, Rescue and

Care

Geographic Area

Responsibility

Spreading of Toxic

Substances

Technical Infrastructure

• Risk analyses • Planning • Training • R&D • Investments

The main goal of the work carried out in the co-ordination areas is to create common capabilities to prevent and manage crises.

About 30 agencies have been identified as having a special responsibility for preparedness and planning.

National “societal security coordination areas” for planning and preparedness - decided by the government

COLLABORATION – A prime key to success

PPP = Private-Public Partnership

The Information Security Council [PPP] The Collaborative Council for Information Security (SAMFI)

Forum on Information Sharing in Industrial Information and Control Systems [PPP]

Forum on Information Sharing in Health Care Services [PPP]

Forum on Information Sharing in the Financial Sector [PPP]

The Governmental Agency Information Security Network (SNITS) The Municipality Information

Security Network (KIS)

The County Council Information Security

Network (NIS)

Swedish IT Security Network for PhD Students (SWITS)

National CERT Forum

The Media Preparedness Council

National Telecommunications Coordination Group [PPP]

Forum on Information Sharing Telcom [PPP]

Gray= MSB run Blue= MSB supported Yellow = Post an telecom agency Red = Intelligence

Intelligence and security frorum

TLP - Traffic light protocol

TLP is merely a tool to be used in trusted forums

PPP - Private- Public Partnership

• The responsibility of the private sector is crucial when it comes to safety and security of the society.

• PPP is a more of a method, or a combination of methods to obtain the goals with cooperation.

• This is also most likely a voluntary agreement between the public and the private actors.

Information Exchange (IE)

• Agreed guidelines

• Regular meetings

• Demands of presence

• Personal participation (replacements is not accepted)

• Personal trust among the participants

• Information sharing at closed meetings

• Practical work in separate working groups

• Traffic Light Protocol

The Traffic Light Protocol (TLP)

RED – Personal for named recipients only. RED information is limited only to those present. In most circumstances, RED information will be passed on verbally or in person.

AMBER – Limited distribution. The recipient may share AMBER information with others within their organization or information exchange group, but only on the basis ‘need-to-know in order to take action’.

The TLP is designed to improve the flow of information between individuals, organizations or communities in a controlled and trustworthy way.

GREEN – Community wide. Information in this category can be circulated widely within a particular community. However, the information may not be published or posted on the Internet, nor released outside of the community. This circulation is restricted to a ‘need–to–know’ basis.

WHITE – Unlimited. Subject to standard copyright rules, WHITE information may be distributed freely, without restriction.

The Information Security Council

Members:

• The Swedish National Police.

• The Swedish Post and Telecom Agency.

• The Swedish Security Service.

• The Swedish National Defence Radio Establishment.

• Vattenfall AB.

• IIS (The Internet Infrastructure Foundation).

• Karlstad University.

• The Swedish Armed Forces.

• Ericsson.

• The Riksbank (Sweden’s central bank).

• Region Västra Götaland.

• The Swedish National Defence College.

• The Swedish National Debt Office.

• The Swedish Defence Materiel Administration.

• Scania AB.

The MSB Information Security Council The MSB Information Security Council was formed in 2009 and consists of representatives from public administration and the private sector. The Council primarily assists MSB by providing: • Information on developments and trends in

the field of information security. • Feedback on direction, priorities and

execution of the agency’s work on information security.

• Quality assurance and credibility to the agency’s initiatives and projects through its composition and connections to vital societal interests and functions.

• Assistance in spreading information on the agency’s work on information security in the wider society and abroad.

The chairman of the Council is MSB’s Deputy Director General, Mr. Nils Svartz. The Council convenes four times a year, whereof one of the meetings is a study trip in Sweden or abroad.

The Collaborative Council for Information Security (SAMFI)

SAMFI – Consists of governmental agencies with specific societal information security responsibilities as identified by the government.

SAMFI’s subject areas • Strategy, action plan and legislation • Technical issues and standardization • National and international development

in the field of information security • Information • Exercises and training • Management and prevention of IT

incidents

The Council convenes six times a year. MSB sets aside resources to keep a SAMFI secretariat. The other SAMFI authorities contribute resources in accordance with the needs of the Council and their ability.

Members: • The Swedish Civil

Contingencies Agency (MSB).

• The Swedish Post and Telecom Agency (PTS).

• The Swedish National Defence Radio Establishment (FRA).

• The Swedish Security Service (Säpo) and the Swedish Criminal Investigation Service (RKP).

• The Swedish Defence Materiel Administration (FMV)/The Swedish Certification Body for IT Security (CSEC).

• The Swedish Armed Forces (FM)/The Military Intelligence and Security Service (MUST).

Information Security – Trends 2015

Seven trends

• Information security – a value to be balanced among others

• The complexity of modern IT services

• The private sphere, the Information explosion and security

• The security policy dimension of information security

• Crime in Information Societies

• The race to find the weakest link

• Robust information systems and continuity

Forum on Information Sharing in Health Care Services

Members: • 5 county councils/regions.

• Municipalities (representative from The Municipality Information Security Network (KIS)).

• The Swedish Association of Local Authorities and Regions.

• Inera AB (An E-Health coordinator fort the county councils and regions).

• The National Board of Health and Welfare .

• The Data Inspection Board.

• The Medical Products Agency.

• The National Archives.

• The Swedish eHealth Agency.

FIDI-Vård och omsorg The Forum was formed in 2010. The aim is to support the Health Care sector in developing stronger information security, in order to advance the Swedish society’s ability to maintain well-functioning services during regular conditions as well as during times of crisis. The Forum convenes four times a year.

The Forum operates in accordance with the Information Exchange model, and any information sharing is executed in compliance with the Traffic Light Protocol. The rules of the Protocol aim to balance the need of secrecy with the advantages of information sharing.

Forum on Information Sharing in the Financial Sector

Members: • Swedish Bankers’ Association.

• Bankgirot (A European clearing house).

• Skandiabanken (A Swedish bank).

• Euroclear Sweden AB (Sweden’s central securities depository).

• Swedbank (A Swedish bank).

• Nasdaq-OMX (The Swedish stock exchange).

• Nordnet (A Swedish Investment bank).

• The Riksbank.

• The Swedish National Debt Office.

• SEB (A Swedish bank).

• Sparbankernas Riksförbund (A Swedish trade organization of banks and trusts).

• The Swedish National Police Board, The Center for Fraud.

• Swedish National Defence Radio Establishment.

• Nordea (A Swedish bank).

• Handelsbanken (A Swedish bank).

FIDI-Finans The Forum was formed in 2009 and aims to identify and initiate measures which may contribute to strengthening the overall security and reduce common vulnerabilities in the financial sector. The Forum convenes ten to twelve times a year. The Forum also conducts work in a number of working groups in order to evaluate and clarify issues which have been raised during Forum sessions. The Forum is tied to the Financial Sector Private-Public Collaboration Organization (FSPOS). The Forum operates in accordance with the Information Exchange model, and any information sharing is executed in compliance with the Traffic Light Protocol.

Forum on Information Sharing in TeleCom sector (PPP)

Members:

• Telia Sonera (Telecom & ISP)

• Tele2 (Telecom & ISP)

• IP-only (ISP)

• TDC (IT, Telecom, ISP)

• Telenor (Telecom & ISP)

• Netnod (Internet infrastruct org)

• Com Hem (ISP & digital TV)

• Tre (Telecom & ISP)

• MSB/CERT-SE (National Swedish CERT)

FIDI-TELEKOM The Forum was formed in 2015 and is a forum for information sharing regarding cyber security with the telecom sector. The member organizations use the forum for sharing of operative technical information and threat assessments as well as for discussion on more strategic matters. The Forum convenes four times a year for a full day meeting. MSB serves as its Chair.

The Forum operates in accordance with the Information Exchange model, and any information sharing is executed in compliance with the Traffic Light Protocol.

The Swedish CERT Forum

SCF is technical forum where a number of Swedish CERT organizations (Computer Emergency Response Team) take part.

The Forum shares technical information, members inform each other on tools and trends and discussions are held on approaches to current IT security related events and incidents.

The Forum enables quick, established and simple common means of communication between the member organizations when major events with society wide implications occur.

The Forum convenes three to four times a year for a full day meeting. MSB/CERT-SE acts as the convener for the meetings.

Members:

• CERT-SE.

• FM-CERT (The CERT-function of the Swedish Armed Forces).

• Sunet-CERT (The CERT for the Swedish university nets).

• TS-CERT (The CERT for the telecom company TeliaSonera).

• Basefarm-CERT (The CERT for a major Swedish IT services provider).

• Handelsbanken IRT (The Incident Response Team of the Swedish bank Handelsbanken).

• Swedbank SIRT (Swedbank Security Incident Response Team).

The Media Preparedness Council

The Media Preparedness Council was formed in the nineteen fifties. The council consists of both producing and distributing media companies and participation takes place on a purely voluntary basis.

A continuous dialogue is held on the security, preparedness, crisis management ability and collaboration in and between the Swedish media companies.

The overall goal of the Council is to ensure that media companies are able to disseminate news, community information and Emergency Population Warnings (VMA) in times of crisis and in war.

The council convenes four times a year and it is chaired by the MSB Director General, Helena Lindberg.

Members:

• Canal Digital AB (Cable network provider).

• Com Hem (Cable network and broadband provider).

• Radiobranschen (Swedish media trade organization).

• Radio Sweden (Sweden’s public radio).

• Sveriges Television (Sweden’s public TV network).

• Teracom (Technical infrastructure provider).

• Tidningarnas Telegrambyrå (Swedish news agency).

• Tidningsutgivarna (Swedish media trade organization).

• TV4 (TV network privider).

• Post and Telecom Agency (PTS).

• Viasat (TV network provider).

Risker, hot och sårbarheter i mediebranschen 2011

• 60 procent av medieföretagen har regelbundna övningar och har förberett verksamheten för flytt till en annan plats vid en kris.

• Två tredjedelar av medieföretagen har utsett en särskild krisledningsorganisation och gjort övergripande riskanalyser av verksamheten.

• Hot riktade mot hela företaget eller enskilda personer är vanligare i dag än för fyra år sedan.

• Mest sannolika hotbilden är avbrott i elektroniska kommunikationer.

• Det som skulle medföra störst konsekvenser är omfattande brand, informationssäkerhets-incidenter, elavbrott och avbrott i elektroniska kommunikationer.

• Andelen som har reservkraftaggregat för att driva de viktigaste delarna av verksamheten vid ett omfattande elavbrott har ökat från drygt 40 procent 2007 till närmare 60 procent 2011.

The SWITS Research Network

SWITS (Swedish IT Security Network for PhD Students) is a Swedish network for PhD students studying in fields related to IT security.

The network, which was formed in 2001, consists of scientists and research groups in IT security from several Swedish universities and colleges. The work of the Forum is financed by MSB but coordinated and supported by Karlstad University.

The Network hosts an annual seminar where current research is presented and research methodology in IT security is discussed.

The purpose is to:

• Strengthen the collaboration between PhD students and leading institutions and laboritories.

• Identify study materials and make them available for participating institutions.

• Identify relevant and interesting research courses and seminars at Swedish universities and colleges and make them available for PhD students in the network.

• Participate in organizing IT courses at international resarch institutions and summer schools and provide opportunities for PhD students in the network to participate.

• Arrange guest lectures with external experts.

Awareness Raising

Omvärldsbevakning och informationsdelning

Analysis & Information Sharing

Technical Platform

National & International Cooperation

Industrial Control Systems Security Program

Forum on Information Sharing in SCADA Systems

Members: • Stockholm Vatten AB (The

Stockholm Water Company).

• VA Syd (Regional water and sewage in south west Skåne).

• SL (Greater Stockholm Local Transport Company).

• Vattenfall AB (A major Swedish energy company).

• Fortum AB (A major Swedish energy company).

• Eon (A major Swedish-German energy company).

• The Swedish Security Services.

• Svenska Kraftnät (The Swedish National Grid).

• The Swedish Transport Administration.

• Preem AB (A major Swedish energy company).

FIDI-SCADA The Forum was formed in 2005 and its activities are aimed at strengthening the SCADA related information security of its member organizations. SCADA stands for Supervisory, Control and Data Aquisition and revolves around IT systems which control physical processes such as electricity production, water sanitation and purification or transport systems. The Forum convenes four times a year for a full day meeting. MSB serves as its Chair.

The Forum operates in accordance with the Information Exchange model, and any information sharing is executed in compliance with the Traffic Light Protocol.

NCS3 National Centre for Security in

Industrial Control Systems

• History: Started in 2007 as a cooperation between MSB and the Swedish

Defence Research Agency.

• Vision: To be the national arena where experiments, exercises and technical

studies are carried out to increase security in industrial control systems used in critical infrastructure.

• Long term goal: To increase the security in industrial control systems and

thereby increase the national ability to prevent and handle interruptions in critical infrastructure.

Information security research at FOI

• Combining technical, system, and social

aspects

• Main customers

• Swedish Civil Contingencies Agency

• Swedish Armed Forces

• EU 7th Framework Programme

• Swedish Defence Material Administration

• Research areas

• Secure information sharing in coalitions

• Data-centric security

• Methods for information risk management

• Information security culture

• Cyber defence of information systems and critical

infrastructure

• Large-scale technical cyber defence exercises

• Vulnerability and forensic analysis (malware, file carving)

Context • Stakeholders:

• Actors that own and operate critical infrastructure

• Supervisory and sector-related authorities

• Authorities participating in the Swedish national information security community SAMFI

• Activities:

• Training and courses

• Demonstrators

• Technical studies

• Strategic studies

NCS3 (Cont.)

Activities • Training

• Awareness – demos and demonstrators

• Knowledge (OT) • Ability (IT/OT/Management)

• Demonstrators – Cyber range

• Technical studies • Application Whitelisting • Siemens S7 • Vlan • GNSS

• Strategic studies • Smart structures • Water purification plants

CRATE • CRATE is a Cyber Range And Training Environment

hosted by Swedish Defence Research Agency (FOI) and financed by The Swedish Civil Contingencies Agency and the Swedish Armed Forces.

• Established 2008

• Used for courses and exercises

• CRATE makes it possible to simulate “a cyber environment” – Computer cluster with physical

servers (≈ 400)

– A library of templates for virtual machines

– Deploy and configure VMs (3000+) – Host based traffic generators

emulating user behaviour

– Internet BGP routing

Example of demonstrators

Cyber security courses

• Courses with practical components are held in CRATE on a regular basis.

• Designed to teach to practitioners some tool or technique, such as vulnerability scanning.

• Commonly used to train both IT-security professionals and novices.

Cyber security courses - SCADA

Nordic National CERT Cooperation

Nordic National CERT

Exercise 2015

UN Climate Summit 2015

Scenario

Overarching Concept

msb.se

krisinformation.se

dinsakerhet.se

sakerhetspolitik.se

informationssakerhet.se

cert.se