
Public Private Partnership in the Cybercrime Information Exchange



NICC ICTU, Address: Wilhelmina van Pruisenweg 104, 2595 AN The Hague, P.O. Box 84011, 2508 AA The Hague, The Netherlands, T 070 888 79 46


‘The Information Exchange is not the ultimate answer to the problem, but it certainly contributes to the solution. If you find that ICT security isn’t going well, government and private sector organizations have to share information and deal with it together. The Information Exchange was set up as an experiment, but our experience has been so positive that we’re continuing with it.’ MARK FREQUIN, MINISTRY OF ECONOMIC AFFAIRS

Overview of the results of the Cybercrime Information Exchange

Tracking down and prosecuting cybercrime? Extremely important, but not the real solution for the problem. Prevention is better. That is why the NICC programme has brought public and private organizations together in the National Infrastructure against Cybercrime. The beating heart of this National Infrastructure is the Cybercrime Information Exchange. Within it, private and public organizations fight against cybercrime side by side.

October 2006

Start Information Exchange

Every sector organizes one meeting of its ISAC every 6 – 10 weeks. The exact frequency is dependent on the needs of the sector.

Cross-sector activities are developed on a regular basis for the thematic meetings about Process Control Security.

‘It’s going well. Public Private Partnership and choosing a ‘bottom-up’ way of working on the basis of trust are the most important success factors. The NICC programme has brought together organizations based on the added value they give each other. It does this by using its know-how in bringing organizations together, and not by trying to solve their problems.’ Boele Staal, NVB (Netherlands Bankers’ Association)

Cybercrime is becoming more professional

The European Commission gave an explicit warning in May 2007 about the increase in cybercrime. International organized crime has discovered the Internet, and is making use of the most advanced techniques. Cybercriminals operate from countries where they experience little or no inconvenience from the police or the judiciary. The very industry sectors on which we as a society are particularly dependent represent key targets for them. Not only for cybercriminals whose objective is financial gain, but also for terrorists.

An attack on the energy supply or financial sectors, for example, would be able to seriously disrupt society. This is why the critical sectors were designated as a priority in 2006 within the National Infrastructure against Cybercrime.

November 2006

Start of new style FI-ISAC

The financial sector is first to join the Cybercrime Information Exchange with their FI-ISAC.


The hard facts


Eighty percent of the vital infrastructure in the Netherlands is in the hands of the private sector. It is itself responsible for taking measures to combat cybercrime. Considerable knowledge about cybercrime is held within public organizations such as the National Police Services Agency (Korps Landelijke Politiediensten, KLPD), the General Intelligence and Security Service (Algemene Inlichtingen- en Veiligheidsdienst, AIVD) and GOVCERT.NL, the government’s Computer Emergency Response Team. Yet when the NICC programme began in 2006 there was still scarcely any structural collaboration, knowledge sharing or exchange of information reported between public and private organizations.

November 2006

Fact sheets on phishing, cross-site scripting, two-factor authentication, DNS server vulnerabilities and the MIFARE chip produced.

A number of fact sheets are written about current threats, in collaboration between the various ISACs, GOVCERT.NL, the AIVD and the NICC.

The fact sheets indicate what the threats relate to and what measures can be taken to prevent incidents.

The solution: the Cybercrime Information Exchange

The NICC programme began in 2006 with a project to bring representatives of the vital sectors and relevant public organizations around the table within the Cybercrime Information Exchange. This Information Exchange has since grown into a permanent network of professionals in the areas of cybercrime and ICT security.

Its point of departure is that companies themselves will only take effective measures if they have access to the right information and are able to make an accurate risk assessment. By sharing information intensively about incidents, threats and good practices, the Information Exchange participants can prevent incidents themselves. This will safeguard the Dutch economy as a whole and the continuity of the individual organizations at the same time.

High Tech Crime Team

November 2006

Start CMIS (Cybercrime Monitoring and Investigation Service)

This is a service developed by the FI-ISAC and financed by the NVB. It provides information for the banks about the possible misuse of bank information on the Internet.


‘Participating in the ISACs has greatly expanded our network. The Information Exchange also offers continuity. That makes our work easier, because we can meet and communicate quickly, simply and efficiently with our partners. The structural collaboration and information sharing has been extremely valuable for us.’ Elly van den Heuvel,

Sharing vital information

The Information Exchange is based on the model used by the UK’s Centre for the Protection of National Infrastructure (CPNI). This model comprises various consultation groups in which representatives of companies exchange confidential information with each other on a per sector basis. Such a consultation group is called an Information Sharing and Analysis Centre (ISAC).

The ISACs are arranged around a core group consisting of the AIVD, Team High Tech Crime of the KLPD and GOVCERT.NL. Representatives of these organizations are present at each ISAC consultation, to which they contribute their substantive knowledge and network about cybercrime. With the consent of the participants, they channel relevant information from one sector to another. The NICC acts as a facilitator and motivator in all consultations.

November 2006

Notice-and-Take-Down (NTD) experiment in the banking sector

An NTD experiment is started by the FI-ISAC, enabling the banks to report phishing sites to GOVCERT.NL that they are unable to take down themselves, or only with great difficulty.

GOVCERT.NL uses its international network to take the phishing sites down. This experiment has been seen as extremely successful.


Way of working is the strength


The Information Exchange is embedded in a government sponsored public-private programme, the NICC. This provides a trusted environment for national and international partners. A small core group of public organizations consisting of the NICC programme, the KLPD, the AIVD and GOVCERT.NL:
• facilitates the sector consultations and the working groups;
• identifies cross-sector subjects;
• transfers relevant knowledge and information to other sectors;
• initiates cross-sector activities;
• initiates, finances and directs research on behalf of the connected sectors;
• connects organizations within the National Infrastructure against Cybercrime;
• refers organizations not directly participating in the Information Exchange to the network;
• acts as the flywheel and ensures that the momentum that has been generated is maintained and built on.

As a neutral party, the NICC programme ensures that the knowledge accumulated in the Information Exchange is disseminated throughout the whole National Infrastructure against Cybercrime.

April 2007

Start Information Threat Monitor (ITM)

The ITM has been developed and financed by the banks in collaboration with the NICC, and conducted by KPMG. It provides insight into the threats and vulnerabilities that are associated with several new products that are being developed by the banks.

The success factors of the Information Exchange
• Trusted environment
• Continuity
• Impartiality
• Driven by the demands and needs of the sectors
• Government as facilitator
• Secure ICT infrastructure
• Value for every party involved
• Flexibility in its implementation
• Contribution of information from governmental organizations
• Focus on cybercrime and ICT security
• Specification and streamlining of the analysis function
• Acts as the flywheel
• Cross-sector exchange
• International network

April 2007

Start Water-ISAC

The drinking water companies join the Cybercrime Information Exchange with the formation of their Water-ISAC.


United against Cybercrime


The Information Exchange is a success. In two years, the exchange of vital information between public and private organizations has come into being. By mid-2008, seven ISACs were operational, and this number continues to grow (see ‘Participating Sectors’). Members of an ISAC are given access to the knowledge and experience of other organizations in their own sector, other sectors, and the participating governmental organizations. Furthermore, the knowledge of other organizations with which they have connections, such as (university) research institutes, forensic companies and consultancies, is also made accessible via these participants.

The NICC programme collaborates with organizations such as the CIO Platform Nederland, the International Instrument Users’ Association (WIB) and the Federation of Technology Sectors (FHI). The Information Exchange is a condensation point of networks, knowledge and information. The corporate participants value the insight into the knowledge and information made available to them through the participation of the governmental organizations. The public organizations profit from the information about the development of incidents within the various sectors, and from the measures taken by the private organizations to strengthen their defence. The keywords for this successful interchange are trust and value.

May 2007

Start drinking water companies’ SCADA Security benchmark

Commissioned by the NICC, TNO (the Netherlands Organization for Scientific Research) conducted a benchmark study examining the level of SCADA Security in the drinking water companies participating in the Water-ISAC. This led both to a total report for the whole sector, and individual reports on the separate companies.

Participating sectors

2006
• FI-ISAC: Dutch financial institutions

2007
• Water-ISAC: drinking water sector
• Energy-ISAC: gas and electricity companies
• Airport-ISAC: Schiphol Airport

• Multinationals-ISAC: internationally-operating organizations with headquarters in the Netherlands
• Railways-ISAC: organizations in the Dutch railway sector
• PCS-ISAC: the first thematic, cross-sector consultation group dealing with security issues in connection with SCADA and process control systems

A research study is currently being undertaken with public and private organizations active in the Port of Rotterdam into ICT vulnerabilities. A Port-ISAC may well result from this. University medical centers are also expressing interest. Led by OPTA, the Dutch telecommunications regulator, a number of governmental organizations concerned with regulation and law enforcement have been brought together, such as the KLPD, the Public Prosecutor’s Office, the police, the Consumer Authority, the Authority for the Financial Markets and GOVCERT.NL. The possibility of this consultation group joining the Information Exchange is being discussed. ICT suppliers are considering forming an Office Automation-ISAC and a Process Automation-ISAC. Discussions are also ongoing concerning the establishment of a permanent consultation group for the Internet sector in the Netherlands.

June 2007

Start of NICC’s participation in organizations such as the European SCADA and Control Systems Information Exchange (EuroSCSIE)

Sharing knowledge at a European level now also begins. The SCADA Good Practices for the drinking water sector is also translated into English and made available to the EuroSCSIE.

A questionnaire for vendors in the area of process automation (PA) is also developed at a European level.



You only share information with someone that you trust. That trust has to be established, and guaranteed by effective rules. All participants are members of an ISAC individually, by name. The definitive, permanent membership guarantees continuity, so that participants can get to know and trust each other. Participation is voluntary, but not without obligation. Participants must make an active contribution to their consultation group, in a spirit of give and take. Information is classified according to a confidentiality code, from white for public information to red for the very most confidential matters (see ‘Traffic Light Protocol’). Whoever contributes the information decides on the degree of confidentiality.

By being able to talk about vulnerabilities and incidents openly, in an atmosphere of absolute trust, public and private organizations obtain a better overview of potential threats, vulnerabilities and dependence chains. And perhaps even more importantly: all participants are able to benefit from measures that have been proven to be effective.

June 2007

Companies begin to connect to the GOVCERT.NL Monitoring service

The drinking water and energy companies participating in the Water-ISAC and Energy-ISAC are given the possibility to connect themselves to the GOVCERT.NL Monitoring service. Several drinking water and energy companies make use of it.

Traffic Light Protocol

Whoever contributes information to an ISAC consultation establishes its classification according to a confidentiality code. The code is classified according to traffic light colours:
• Red: Non-disclosable information and restricted to representatives present at the meeting only.
• Amber: Limited disclosure and restricted to members of the Information Exchange and those within their organizations who have a need to know in order to take action.
• Green: This information may be shared with more people within and outside a participant’s organization, but publication in print or on the web is forbidden.
• White: Public information that may be disseminated without


July 2007

Start Internet Banking Security Round Table (with banks, ISPs, security software vendors, GOVCERT.NL and the NICC)

The FI-ISAC launches the initiative to harmonize activities and communications vehicles with several collaborating partners. The objective is to work together to maintain Internet banking security. Various combinations of these organizations have since come together, leading to concrete results concerning a number of topics:
– Identification of a secure PC client
– Sharing malware information
– An Internet Banking Security Roadmap
– Banks’ vision on secure Internet banking.

‘The importance of the NICC programme has been extremely significant. Without them, the Information Exchange would never have got off the ground. They are also really important for continuity. As a Multinational-ISAC, we haven’t been active for long, and it takes time to get the consultations running effectively.’ DICK BRANDT, TNT POST, CHAIRMAN MULTINATIONALS-ISAC

Participation in an ISAC must produce benefits. Otherwise, the enthusiasm for the Information Exchange will quickly fade. Guaranteed added value is dependent on some concrete factors:
• the chairman is drawn from the sector;
• the sector determines the content and the agenda of the consultation;
• continuous interesting input from the participants;
• flexibility in response to and handling of questions from the participants;
• continuity: the longer the group stays together, the more open its participants will be to share more sensitive information and the more value the consultation will have;
• a neutral party facilitates the consultation and ensures that momentum is maintained.


Added value for all participants


The cross-pollination between the public and private sectors delivers added value for all participants. The construction of a permanent network represents significant added value for all participants. They also now contact each other outside the ISAC meetings for informal discussions and exchange of knowledge. Subjects such as business continuity and countering fraud are particularly important for companies. In a secure environment they are able to deliberate about cybercrime threats and security themes. They receive valuable information from the participating governmental organizations and sector colleagues that they are able to use to enhance and expand their ICT security.

The government is principally concerned with the protection of the critical infrastructure and the prevention of criminal activity. By contributing to the Information Exchange they also contribute to the achievement of the Cabinet’s objectives in the area of cybercrime and ICT security: prevention by way of sharing knowledge, exchanging information and raising awareness.

September 2007

Start Energy-ISAC

The gas and electricity companies join the Cybercrime Information Exchange with their Energy-ISAC.

The KLPD, the AIVD and GOVCERT.NL can contribute and obtain information in the Information Exchange that is necessary for the protection of both the vital sectors and economic interests. This platform makes it possible to put security-related issues on the agenda of a broad target group at one time. The governmental organizations are able to finely adapt their tactics in the area of investigation and prosecution on the basis of the input from the private sector organizations. The business community will in turn reap the benefits of this.


September 2007

Start exchange of good practices in the energy sector

The participants in the first meetings of the Energy-ISAC share various good practices with each other about the implementation of risk management and the development of a business case for security.

‘The Information Exchange is a place where you can share sensitive information with each other. That can only happen if you can be sure that the agreements you make will also be followed up on. It has to deliver results, too. Notice and Take Down, for example, the active taking down of sites, has been a success.’ GEO ALDERSHOF, THE CONFEDERATION OF NETHERLANDS INDUSTRY AND EMPLOYERS (VNO-NCW)

Cross-sector initiatives

Knowledge-sharing and information exchange that goes beyond the individual sectors themselves is also now gaining momentum. Good examples of this are the initiatives in the area of SCADA and process control systems, which is of vital importance for the operational processes of organizations in many sectors.

A special cross-sector PCS-ISAC has therefore been established to address issues in this area. The NICC programme plays an important role in the development of cross-sector analysis. By financing research and sharing the results with the participating sectors, it makes participation in the Information Exchange even more attractive.

September 2007

Start of the elaboration of a hacking scenario within the energy sector

At the request of the National Security Programme, a hacking scenario is elaborated during two sessions within the Energy-ISAC relating to the energy infrastructure in the Netherlands.


‘It would make it easier to cooperate if we could get more stable and similar arrangements internationally, with similar roles and responsibilities. You need stability and continuity of people to establish the necessary trust base.’ Steve Cummings, CPNI UK

Developing new knowledge together

In its early days, the Information Exchange placed the emphasis on the sharing of information. However, it was soon decided to jointly develop new information that could eliminate bottlenecks. In the financial sector, for example, an Information Threat Monitor has been established. Round tables have also been started addressing Internet banking security issues, with banks, Internet service providers, security software vendors and governmental organizations.

The Water-ISAC has taken the initiative to draft SCADA Good Practices in the Drinking Water Sector. A benchmark has been established in the energy sector for process control security. A research study into ICT vulnerabilities has been initiated through consultation between public and private sector organizations in the Port of Rotterdam.

October 2007

The development of the document describing SCADA security good practices for the drinking water sector in the Netherlands initiated

On the basis of the benchmark mentioned earlier, the NICC commissions TNO to develop a document describing 39 SCADA Good Practices for the Dutch drinking water sector.

These good practices enable the drinking water companies themselves to take measures within their own organizations.




The fight against cybercrime cannot only be undertaken at a national level. Participants within various ISACs (such as the FI-ISAC and the Multinationals-ISAC) are initiating contact with each other because the international component of cybercrime poses specific problems for them. The NICC programme fosters international knowledge exchange through establishing and strengthening contacts with comparable organizations in other countries, such as the CPNI (United Kingdom), SEMA (Sweden), Melani (Switzerland) and the Bundesamt für Sicherheit in der Informationstechnik (Germany).

The NICC programme also works together with other initiatives in the area of ICT security, such as the European Network and Information Security Agency (ENISA), the SANS Institute and the Meridian. Information obtained from the European SCADA and Control Systems Information Exchange (EuroSCSIE) delivers added value within a number of ISAC consultation groups.

November 2007

Start Airport-ISAC

Several organizations operating at Schiphol form the Airport-ISAC and join the Cybercrime Information Exchange.


Cybercriminals rapidly and continually adapt their methods. New threats are immediately brought to the attention of the participants in the Information Exchange. A selection of the successes of the Information Exchange:
• within a short time a valuable platform has been created in which cybercrime-related issues can be quickly studied and addressed;
• the elaboration and testing of a hacking scenario produced by the National Security Programme in the energy sector;
• Notice-and-Take-Down phishing experiment with GOVCERT.NL and the banks;
• the dissemination of and discussion about information relating to the report on the MIFARE chip;
• the discussion about material threats from specific countries, including recommendations to take measures to reduce risks;
• consultation about the latest modus operandi of criminals in the area of Internet banking, including a review of preventative measures;
• the discussion about the potential vulnerabilities of process control systems in the energy sector, which were verified in the international network;

December 2007

Further elaboration of SCADA good practices begins

The good practices are elaborated further within several Water-ISAC working groups and discussed in the meetings.


‘Only trust can lead to the openness of information. The pioneering role of the NICC has been vital; the network has been bearing fruit. The participants are now also sharing information outside the FI-ISAC consultations when immediate action is needed.’ WIM HAFKAMP, RABOBANK, CHAIRMAN FI-ISAC


• all European initiatives in the FI-ISAC area made preparations for a European exchange platform, together with ENISA and CERT-Hungary;
• round table meetings with the banks, Internet service providers and security software vendors;
• SCADA security benchmark and SCADA good practices in the drinking water sector;
• process control security benchmark in the energy sector.

Participation in the Information Exchange has raised awareness about security measures to counter cybercrime amongst senior management. A good example is the SCADA security benchmark, which was established within the drinking water sector on the initiative of the Water-ISAC. The reports about this have been discussed at the highest levels of management within the drinking water companies, and have led to further investments in ICT security.

February 2008

Start Multinationals-ISAC

A group of multinational companies headquartered in the Netherlands and listed on the AEX index form the Multinationals-ISAC and join the Cybercrime Information Exchange.


‘Especially in the ISACs that have existed longest, such as the banks and the water companies, participation has led to greater trust between the sector organizations and the police. We’ve come a lot further together in the sharing of information.’ Fred Westerbeke, National Police Services Agency (KLPD)

Continuing to strengthen security

Within a period of only two years, the subject of ICT security has moved to the top of the agenda in both the public and private sector through the activities of the Information Exchange. That is a good start. But security is more than ICT alone. In time, ICT security and physical and personnel security will need to be harmonized effectively. It is only when these aspects are well coordinated and made consistent with each other that businesses and society at large can be sure of the best possible safeguards against cybercrime.

A fully developed and mature Cybercrime Information Exchange is therefore essential. For this reason, the Information Exchange will be further expanded and strengthened in the coming years. The spearheads of this process will be the involvement of additional sectors, the establishment of thematic cross-sector ISACs and the strengthening of the international network. The Information Exchange is, and continues to be, the beating heart of the National Infrastructure against Cybercrime. It is uniquely the platform that enables organizations in the private and public sectors to address security issues effectively, in an atmosphere of unqualified openness and trust.


March 2008

Start Railways-ISAC

NS and ProRail form the Railways-ISAC and join the Cybercrime Information Exchange.

‘The strongest point about the NICC programme is that it resists being tempted into being involved in execution. This both avoids getting bogged down in operational problems and guarantees independence. The objective is purely to bring organizations together so they can share information.’ Kees Buis, CIO Platform The Netherlands

Appendix 1: trust and value

The key objective of the Information Exchange is the improvement of the exchange of information about cybercrime between public and private organizations in the Netherlands. The Information Exchange also makes a practical contribution in this respect. Research has shown that both public and private organizations value the exchange of information within the Information Exchange. The private sector organizations value the insight they gain into the knowledge and information held by the governmental organizations.

They are particularly interested in information about threats, modus operandi, increasing risks and future developments. The governmental organizations have benefited from gaining insight into the development of incidents within the sectors and the measures taken by private sector organizations to improve their defences against cybercrime. The Information Exchange is therefore vital for the creation of the exchange of information about cybercrime. The key prerequisites for the realization of this exchange of information are trust and value.


April 2008

Start of process control security benchmark for energy companies

The Energy-ISAC requests that a research study similar to that undertaken for the drinking water sector is conducted for the gas and electricity companies. The NICC commissions The Centre of Expertise (HEC) and consultancy firm Verdonck, Klooster & Associates (VKA) to undertake this study jointly.

Trust

Hypotheses

• Trust is the basis for information sharing.
• Trust is achieved in small groups, in which people get to know each other personally.
• Building trust takes time and requires

• Rules (including the Traffic Light Protocol) to build trust are important as the basis for
• Participation guidelines. Participants are members of a consultation group individually, by name. Permanent membership (continuity).
• Experience of the ongoing sector consultation groups shows that building trust, through which participants become open to share confidential information, takes at least a year. Only then do participants reach the level at which ‘red’ information is shared.

May 2008

Inventory of interdependencies of organizations at Schiphol

The organizations at Schiphol investigate the interdependencies between them and the potential vulnerabilities associated with these. This was achieved by each of the various participants giving presentations enabling them to share their risk analyses with each other. Joint projects have also been initiated in relation to the ICT security benchmark, such as the Integrated Incident Room Infrastructure (GMI).

• Betrayal of trust produces delays, and much time is needed to rebuild trust again.
• Participation is voluntary, but not without obligation. Participants are expected to actively contribute to the consultations.

Value

• Each participating organization must derive value from the consultations. Otherwise, the enthusiasm for investing time and energy in this sort of initiative will quickly fade.
• The continuous efforts of the facilitating organization are required to monitor and maintain this. It also depends on continuous interesting input being provided by the participants. And it demands flexibility in response to and handling of questions from the participants (demand-driven working). The sector takes the lead in determining the agenda for the consultations.
• The value of the consultations can vary for each participant.
• Subjects such as business continuity and countering fraud are particularly important for the private sector. The government is principally concerned with the protection of the critical infrastructure and the prevention of criminal activities.

May 2008

Inventory of interdependencies of NS and ProRail

NS and ProRail shared each other’s risk analysis in the Railways-ISAC, enabling them to make an inventory of the applications and infrastructures that they both use. This has enabled them to estimate potential risks.

Value (continued)

Hypotheses

• Value grows with investment and trust.
• Value is determined by the relevance of the subjects included on the agenda.
• The network ensures a structure in which peers can be found, also outside the consultation groups.

Experience

• The longer the group stays together, the greater the value the consultation has. Continuity is therefore important.
• The subjects can be specific for the sector. There must be a clear agreement within the sector about the potential cybercrime
• The fact that participants get to know each other facilitates further contacts between them. They also communicate with each other outside the meetings, both within their sector and between representatives of public and private sector organizations.

May 2008

The first process control security Event was organized on May 21. A preparation committee was formed by representatives from the sectors participating in the Information Exchange, together with some appropriate players from the NICC network (CIO Platform Nederland, WIB, FHI and TU Delft). This day represented the first step in the formation of a PCS-ISAC, focusing on the theme of Process Control Security, and cross-sector initiatives are being developed on the subject. A second Event is to take place on December 4 at TU Delft.

The network can address subjects that have recently arisen. A platform has been created in which information can be quickly shared.

Experience

Informal networks are created through participation in the Information Exchange. Participants also contact each other outside the meetings, both within the sector and between public and private sector organizations. The network is a platform for quick information sharing. Some examples of this are:
• elaboration/testing of a hacking scenario by the National Security Programme within the energy sector in two sessions;
• the dissemination of and discussion about information relating to the report on the MIFARE chip;
• discussion about material threats from specific countries;
• the discussion about new modus operandi involved in phishing attacks on banks;
• discussion about the potential vulnerabilities of process control systems in the energy sector, verified in the international

The Information Exchange also serves as a condensation point of networks. In addition to the networks of relevant governmental organizations, the private sector companies also participate in various international networks. The knowledge and information from these various networks is brought together in the Information Exchange meetings, and its value can also be tested in them.

Appendix 2: trust


To initiate and maintain the sharing of knowledge and information, the sectors need an environment in which a basis of trust can be established and sustained in an efficient and effective way. This costs time, and requires investment from the participants. From the experience of the ongoing sector deliberations it appears that only after a year is the level reached at which the most confidential information is shared.

Criteria for building trust

1. A trusted environment
2. Continuity
3. An impartial stance
4. Demand-driven by the sector
5. The government as facilitator
6. A secure ICT infrastructure

June 2008


The impact of the vulnerability of the MIFARE chip has been investigated and reported on by a group of specialists from a number of ISACs, and appropriate countermeasures proposed. The fact sheet produced by GOVCERT.NL and the AIVD provided important input for this.

Trust

A trusted environment

Clear rules, endorsed by participants themselves, are necessary for the creation of a trusted environment. They must be set down in participation guidelines (the Traffic Light Protocol). Trust is built up in small groups in which people get to know each other personally. Permanent membership in the core of the Information Exchange reinforces the underlying trust.

Continuity

The Information Exchange must be clearly positioned, in both policy and operational terms. The position of the Information Exchange must be clear for at least the coming five years. Participants are members of the consultation groups by name. This permanent membership guarantees

An impartial stance

Only an impartial Information Exchange can act as an intermediary between the various organizations. The Information Exchange is therefore not a policy-making organization, but does contribute substantive input for policy. The connection with the policy departments involved must be formulated effectively.

June 2008

Start of research into ICT vulnerabilities in the port sector

In close collaboration with a steering committee consisting of the Port of Rotterdam, Deltalinqs, the Customs Authorities and the Harbour Police, the NICC has initiated a research study that will provide insight into ICT vulnerabilities in the Port of Rotterdam. This research is being undertaken jointly by HEC and VKA.


Trust continued

Table 2


Demand-driven by the sector

The sectors are leading, partly because they appoint the chairman of the consultation group. To a great degree the sectors themselves determine the subjects to be included on the agenda.

The government as facilitator

As a governmental organization it is easier to collect, process and analyze certain confidential information. The Information Exchange is a natural point of contact for (governmental) organizations within the Netherlands and especially internationally.

A secure ICT infrastructure

To the degree that more substantial flows of information are generated, there is also in turn an increasing necessity for a secure ICT infrastructure in order to be able to better facilitate the process of sharing sensitive information. The need for this becomes even more important as the analysis function expands further. The Information Exchange works together with GOVCERT.NL to realize a secure ICT infrastructure. The provision of information takes place in layers, in a way comparable to the colour coding of the traffic light model: per sector, cross-sector or for a broad public.

June 2008

Start of participation in the Programme Committee of the European SANS Conference

The NICC participated in the preparations for the first European SANS Conference on process control security, held in September 2008 in Amsterdam.

Appendix 3: value

Both public and private sector organizations must obtain value from the consultations. Otherwise, the enthusiasm required to devote time and energy to the Information Exchange will quickly fade. Participation in the Information Exchange is voluntary, but not without obligation. Participants are expected to make an active contribution to their consultation group. The participants are also responsible for continuously contributing interesting input. The longer the group stays together, the greater the value of the consultations becomes. Continuity is important for this.

The relevance of the subjects discussed determines the value of a consultation. This is guaranteed by giving the sector the initiative to establish the agendas for the meetings.

Criteria for guaranteeing value

1. Value for every organization involved
2. Flexibility in execution
3. Input of information from the government
4. Focus on cybercrime and ICT security
5. Developing / streamlining the analysis function
6. Central flywheel function
7. Financial resources
8. Cross-sector exchange
9. A national and international (European) network

July 2008

Start of participation in the Programme Committee of the Meridian Conference 2008

The NICC participated in the preparations for the Meridian Conference 2008, to be held in October 2008 in Singapore.




Value for every organization involved

It must be possible for every organization involved to derive value from their participation in the Cybercrime Information Exchange. Its nature may be different for each organization – safeguarding of critical assets for the government, for example, and business continuity for the private sector.

Flexibility in execution

The sectors differ in terms of the problems they face, their structure and their needs. This means that they need customization.

The speed with which subjects of the day can be dealt with to a large degree determines the success of the Information Exchange.

A trusted, informal network enables the government to share important subjects quickly with the sectors involved.

Input of information from the government

The specific expertise of GOVCERT.NL, the AIVD and the KLPD and their access to sources of information delivers significant added value for the Cybercrime Information Exchange. Expertise is (reciprocally) built up by, and shared between, existing organizations that fulfil a function within the National Infrastructure. The participants from the governmental organizations are not seconded to a central location. They participate from their own organizations in the Information Exchange, maximizing the use of the knowledge from these organizations.

August 2008

Industrial espionage

Industrial espionage is an important topic within the Multinationals-ISAC. Participants share good practices and information about incidents with each other, and the AIVD has provided important input.

The organizations also remain more committed to the Cybercrime Information Exchange in this way, and in a wider sense to the National Infrastructure against Cybercrime. The Cybercrime Information Exchange also strengthens the relationship in this respect, and avoids the duplication of knowledge

Focus on cybercrime/ICT security

A win/win scenario is created for public and private sector organizations by not only focusing on the vital character of the sector, but also by paying attention to subjects related to the business continuity of the private sector organizations as well as cybercrime conducted for financial gain. There is clear governmental interest in this too, since the prevention of criminality is also an important issue for the govern-

It has been reported from the sectors that fragmentation of the ICT security/cybercrime theme leads to confusion. It is desirable to streamline it.

It appears from the experiences in other countries (such as the UK and Switzerland) that it is advisable to develop the various component areas involving ICT, physical structures and human resources to a mature level before addressing the integration of the various aspects of security. This has been endorsed by the sectors that are currently participating, who have also seen groups within their own organizations that are addressing these themes. The principal difference concerns the dynamics within the various key security factors. Threats change within ICT many times faster than with the areas of physical and personnel security. It is of course necessary to harmonize the different key factors.

August 2008

Start of participation in the MPCSIE (Meridian Process Control Security Information Exchange)

The NICC participated in the establishment of a worldwide exchange platform in the area of process control systems, initiated by the Meridian.


Value continued



Developing/streamlining the analysis function

Currently the Cybercrime Information Exchange focuses principally on Information Sharing (the ‘IS’ from ISAC). The sectors have indicated that there is an increasing need for the development of an Analysis Centre (the ‘AC’ from ISAC). At the moment this function is being shared by the separate organizations involved in the Cybercrime Information Exchange, such as the KLPD, the AIVD and GOVCERT.NL. This function needs to be strengthened, and this can most effectively be done by one of the associated organizations or as a separate function within the Cybercrime Information Exchange.

Central flywheel function

A flywheel function is necessary to maintain the momentum of information sharing and to provide for and support the new cross-sector and international initiatives. The facilitating role that the NICC currently has in the Cybercrime Information Exchange is essential in this respect.

The strength of this lies in the mobilization of the currently associated organizations and drawing them together. It does not therefore principally concern taking over tasks, but binding and reinforcing the organizations.

The way of working required for this strengthening and binding function also calls for a specific type of employee within the Information Exchange. The competences must principally be focused on the building and maintaining of relationships, the ability to operate within a complex and sometimes sensitive context, the analysis of the key issues faced by the sectors, and bringing together, supporting and guiding relevant

Financial resources

The Information Exchange needs financial resources to fund research and to obtain advice from external sources. The objective of this is to be able to deal with issues in a broader context. In the future a budget can also be utilized for such items as training courses, fact sheets and trend reports.

Cross-sector exchange

The sectors are becoming increasingly dependent on each other. Security themes addressed by the different sectors are

Many of the themes addressed by different sectors are converging. The involvement and participation of additional sectors is making it possible to deal with these themes on a cross-sector basis, and this is enhancing the efficiency and effectiveness of the approach. The Information Exchange enables sectors to link together quickly to discuss relevant subjects.

It is vital to have a permanent group of participants in the Cybercrime Information Exchange who can provide knowledge from beyond a sector-specific consultation in order to be able to stimulate this cross-sector exchange of knowledge. Furthermore, this knowledge can also then be shared in both a national and an international (European)


APPENDIX 3

Value continued

A national and international (European) network

It is increasingly apparent that the development of a network that includes similar organizations in other countries will produce substantial added value. The fight against cybercrime is essentially an international endeavour after all. This has already been demonstrated from the information that has been obtained from the EuroSCSIE (European Scada and Control Systems Information Exchange). This has produced significant added value in the consultations in the various sectors concerned with this theme. A step of the same kind is currently being taken within the financial sector.

Valuable contacts have also been established between the various initiatives and comparable ones in other countries, such as the CPNI (UK), SEMA (Sweden), Melani (Switzerland) and the BSI (Germany). It will be important to continue building up contacts such as these in the future.

Appendix 4: participating organizations

The organizations participating in the Cybercrime Information Exchange are listed in the following table. The individual participants representing these organizations generally hold the following positions within them:

• Security Managers
• Corporate (Information) Security Officers
• Senior ICT Security Specialists
• ICT Managers
• Information Security Advisors
• Process control (Security) Managers
• Process control (Security) Specialists
• Risk Managers







Friesland Bank
Brabant Water
Achmea Staalbankiers
ING / Postbank
Bank Nederlandse Gemeenten (BNG, a bank for the public
Nederlandse Vereniging van Banken (NVB, the Netherlands Bankers’ Association), principally representing smaller banks
E-ON Benelux
De Nederlandsche Bank (DNB, the Central Bank of the Netherlands)
Waterbedrijf Groningen
SNS Reaal
Van Lanschot Bankiers
Waternet WML

The governmental organizations GOVCERT.NL, the AIVD and the KLPD (High Tech Crime Team) participate in all consultation groups. The consultation groups are facilitated, supported and financed by the NICC.

Port of Rotterdam
Douane / Belastingdienst (Dutch Customs / Tax
Ahold / Albert Heijn
NS (Netherlands Railways)
Akzo Nobel
Douane / Belastingdienst (Dutch Customs / Tax Authority)
Gemeentelijk Havenbedrijf Rotterdam (Port of Rotterdam Authority)
Koninklijke Marechaussee (Netherlands Royal Military Police)
Zeehavenpolitie Rotterdam (Harbour Police)
TNT Post
Schiphol Telematics
Aircraft Fuel Supply
Organizations in the Water-ISAC, Energy-ISAC, Airport-ISAC, Multinationals-ISAC, Railways-ISAC, together with organizations in the Oil, Chemicals and Nuclear sectors, hospitals, suppliers and consultancy firms.




Annemarie Zielstra (ICTU) programme manager
Auke Huistra project manager Cybercrime Information Exchange
Manou Ali programme support

The NICC programme is an ICTU programme, commissioned by the Ministry of Economic Affairs. The motto of the ICTU is: help government to perform better with ICT. The ICTU combines knowledge and expertise in the area of ICT and government. ICTU executes various projects with and on behalf of governmental organizations. In this way, policy is translated into concrete projects for government. More information can be found at

Publisher NICC
Editor Tekstbureau De Nieuwe Koekoek, Utrecht
Design OSAGE / communicatie en ontwerp, Utrecht
Photography Marcel Rozenberg, Schiedam
Print OBT / TDS printmaildata, Schiedam

October 2008

‘It would make it easier to cooperate if we could get more stable and similar arrangements internationally, with similar roles and responsibilities. You need stability and continuity of people to establish the necessary trust base.’ Steve Cummings, CPNI UK

‘Only trust can lead to the openness of information. The pioneering role of the NICC has been vital; the network has been bearing fruit. The participants are now also sharing information outside the FI-ISAC consultations when immediate action is needed.’ Wim Hafkamp, Rabobank, chairman FI-ISAC

‘The Information Exchange is not the ultimate answer to the problem, but it certainly contributes to the solution. If you find that ICT security isn’t going well, government and private sector organizations have to share information and deal with it together. The Information Exchange was set up as an experiment, but our experience has been so positive that we’re continuing with it.’ Mark Frequin, EZ

Tracking down and prosecuting cybercrime? Extremely important, but not the real solution for the problem. Prevention is better.

