Geneva, Switzerland, 15-16 September 2014

Critical telecommunication infrastructure protection in Brazil

Antonio Guimaraes / Paulo MouraNational Telecommunication

Agency - Anatel, Brazil

ITU Workshop on “ICT Security Standardizationfor Developing Countries”

(Geneva, Switzerland, 15-16 September 2014)

Agenda

Brazilian legal frameworkAnatel’s prior involvementMethodologies for CTIPSIEC project developmentMain functionalities of SIECNew regulations (in progress)Conclusions

Geneva, Switzerland, 15-16 September 2014 2

Brazilian legal framework

Ordinance No. 2, of February 2008, the Cabinet of Institutional Security of the Presidency (GSI/PR) created the Technical Group on Protection of Critical Infrastructures (GTSIC);Critical Infrastructures are considered as facilities, services, goods and systems that, if disrupted or destroyed, would bring serious economic, political or social impacts or risks to the security of the state and society;GTSIC studies and proposes the implementation of measures and actions related to the security of critical infrastructure in the areas of energy, transport, water and telecommunications.

Geneva, Switzerland, 15-16 September 2014 3

Telecommunication Infrastructure

Interministerial Ordinance No. 16, of July 2008, established the Technical Subgroup on Critical Telecommunication Infrastructure Protection (SGTSIC - Telecom), aiming to:I. study and propose a method for identifying Critical

Telecommunication Infrastructure (CTI); II. identify the CTI in Brazil; III. assess the vulnerabilities of the identified CTI and their

interrelationships; IV. select causes and assess the risks that may affect the

security and safety of CTI; V. propose, coordinate and monitor measures necessary for the

security and safety of the CTI; and VI. to study, propose and implement a CTI information system,

containing online data for decision support.

Geneva, Switzerland, 15-16 September 2014

Anatel’s prior involvement

National Telecommunications Agency (Anatel) is part of SGTSIC - Telecom, with GSI/PR, Ministry of Communications, other agencies and experts;Anatel had prior involvement in this subject, through the project “Critical Telecommunications Infrastructure Protection (CTIP)”, run by CPqD:

identification of CTI in the scope of the Pan-American Games (2007), aiming security and safety planning; benchmarks on CTI in the world, in order to contribute to the development of the national strategy for critical infrastructure protection and foster the creation of working groups in the sphere of the federal government; development of a first information system on critical telecommunication infrastructure protection (off-line).

Geneva, Switzerland, 15-16 September 2014 5

Geneva, Switzerland, 15-16 September 2014 6

Methodologies for CTIP

CTIP model was implemented by a set of five methodologies;Each methodology is responsible for a specific part of the model;Nevertheless, they are interdependent, since the output of one could be the input of other.

SIEC project development

As mandated by SGTSIC – Telecom, Anatel is developing a comprehensive project on CTI protection, know as “Critical Telecommunication Infrastructures Security (SIEC)”;The project considers the development of an information system to deal with governance, risks and conformity (GRC), as well as carry out near real-time monitoring of key networks elements, such as stations and routes; System will receive data from operator’s network management systems, among other sources;SIEC is based on ISO/IEC 27k and 31k series.

Geneva, Switzerland, 15-16 September 2014 7

SIEC – system overview

Geneva, Switzerland, 15-16 September 2014 8

Network GRC

Control Panel

Anatel’s legacy systems

Ris

k q

uest

ion

nair

es O

pera

tor´s N

MS

analysis & evaluation

treatment & control actions

conformity

data collector

topology

faults

quality

Main functionalities of SIEC

SIEC offers a series of dashboard reports, with drill-down capabilities to more granular data;Main functions are grouped under 5 modules:

Analysis and evaluation: threat assessment on assets, classed by station, operator, service and localization;Processing and control actions: functionalities related to contingency analysis and risk mitigation plans;Conformity assessment: analysis on risk questionnaires (filled by operators), according to ISO/IEC 27k and 31k;Network monitoring: near real-time information on faults, interruptions, quality, capacity and traffic;Control panel: graphic presentation of network elements and assets, including geographic referenced information.

Geneva, Switzerland, 15-16 September 2014 9

Geneva, Switzerland, 15-16 September 2014 10

Governance, risks, and conformity

Services mapped:•fixed line phone•mobile phone/data•fixed broadband•pay TV

Questionnaires (filled by

operators, for each telecom

station)

Calculation of indexes of risk

by SIEC

470 Questions on:•Energy supply•Security•Network •Sharing •Transmission•Traffic•incidents

on demand reports;maps of risks, per station.

Identification of high risk assets

Geneva, Switzerland, 15-16 September 2014 11

Examples of SIEC views

GRC and network monitoring

Geneva, Switzerland, 15-16 September 2014 12

SIEC is integrated to the existing “National Centre for Remote Telecommunication Monitoring” of Anatel

New regulations (in progress)

Geneva, Switzerland, 15-16 September 2014 13

Conclusions

Excepted some network monitoring functions, SIEC system is already operating, with a partially populated database;SIEC has been extensively tested during FIFA 2014 Soccer World Cup, with very good results;SIEC system is highly scalable, with room for additions and improvements in the future, such as SIEM functions, more accurate vulnerability metrics, and broader cybersecurity coordination with SOCs and CSIRTs;Some of SIEC developments could be good candidates for contributions to ITU-T SG-17.

Geneva, Switzerland, 15-16 September 2014 14

Thank you !

Geneva, Switzerland, 15-16 September 2014 15

Antonio Guimaraes+556123122819 /0799020425

ateixeira@anatel.gov.brwww.anatel.gov.br