IWS - The Information Warfare Site
News Watch Make a  donation to IWS - The Information Warfare Site Use it for navigation in case java scripts are disabled

IWS

Homeland Security Advisory System
(HSAS)




Current Threat Levels

Electricity Sector Physical
Elevated (Yellow)

Electricity Sector Cyber
Elevated (Yellow)

Homeland Security
Elevated (Yellow)

DOE Security Condition
SECON 3 modified

NRC Security Level:
Elevated (Yellow)


IA/CIP Terms

Critical Infrastructures
Information Assurance
Scada

Critical Infrastructures -
those physical and cyber-based systems essential to the minimum operations of the economy and government. (NSTISSI 4009)

Information Assurance -
is defined as the set of measures intended to protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. This includes providing for restoration of information systems by incorporating protection, detection, and reaction capabilities. These measures are planned and executed by the Information Assurance Directorate (IAD) of the National Security Agency/Central Security Service (NSA/CSS).

SCADA - stands for Supervisory Control And Data Acquisition. As the name indicates, it is not a full control system, but rather focuses on the supervisory level. As such, it is a purely software package that is positioned on top of hardware to which it is interfaced, in general via Programmable Logic Controllers (PLCs), or other commercial hardware modules. (CERN)

 

Essential Documents | Articles | News Watch | Links

'The Critical Infrastructure Protection directive (PDD-63) calls for a national effort to assure the security of the increasingly vulnerable and interconnected infrastructures of the United States. Such infrastructures include telecommunications, banking and finance, energy, transportation, and essential government services. The directive requires immediate federal government action including risk assessment and planning to reduce exposure to attack. It stresses the critical importance of cooperation between the government and the private sector by linking designated agencies with private sector representatives.'

Excerpt from Presidential Directive 63 Overview

Definition of Information Assurance (IA)

'Information operations that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and nonrepudiation. This includes providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.'

NSTISSI 4009, August, 1997

Essential Documents

 

 

Cyber Security: A Crisis of Prioritization, [2.3 MB] President’s Information Technology Advisory Committee, February 2005

Information Assurance Frequently Asked Questions, National Security Agency

The National Strategy to Secure Cyberspace
,
White House, 14. February 2003

The National Strategy for the Physical Protection of Critical Infrastructures and Key Assets,
White House, 14. February 2003

European Commission proposal for the creation of a Network Security Agency, February 2003 [pdf version]

DoD Directive 8500.1 Information Assurance, 24. October 2002

A National Strategy to Secure Cyberspace (draft),
18. September 2002.

Critical Infrastructures: Background and Early Implementation of PDD-63, Congressional Research Service (CRS) report, updated February 4, 2002

Cybersecurity Bill H. R. 3394, [Report No. 107– ] - To authorize funding for computer and network security research and development and research fellowship programs, and for other purposes.

Executive Order: Critical Infrastructure Protection in the Information Age
published on 16/10/01

GEIA Issues Critical Infrastructure Report. The Government Electronics and Information Technology Association has released a white paper titled "Information Assurance and Critical Infrastructure Protection: A Federal Perspective." The report finds that while the beginnings of a federal security infrastructure are taking shape, funding to complete this process remains inadequate.' 2001 (Courtesy of GEIA)

"Improving Our Ability to Fight Cybercrime: Oversight of the National Infrastructure Protection Center", Hearing before the Senate Committee on the Judiciary Subcommittee on Technology, Terrorism and Government Information, Wednesday, July 25, 2001.

Critical Infrastructure Protection: NIPC Faces Significant Challenges in Developing Analysis, Warning, and Response Capabilities, by Robert F. Dacey, director, information security issues, before the Subcommittee on Technology, Terrorism, and Government Information, Senate Committee on the Judiciary. GAO-01-769T, May 22.

Critical Infrastructure Protection: Significant Challenges in Developing National Capabilities. [1.2 MB] GAO-01-323, April 25.

Protecting America's Critical Infrastructures: How Secure Are Government Computer Systems?
US Subcommittee on Oversight and Investigations Hearing, April 05, 2001

Protecting the Homeland - Report of the Defense Science Board Task Force on Defensive Information Operations 2000 Summer Study Volume II [1.2 MB] The Defense Science Board Task Force on Defensive Information Operations Related concludes that the United States cannot today defend itself from an information operations attack by a sophisticated nation-state adversary. They also state that the vulnerability of the United States is greater than in 1996 and that more than 20 countries have or are developing computer attack capabilities [published March 2001].

Federal Critical Infrastructure Protection Activities
[1.53 MB] 'The Report of the President of the United States on the Status of Federal Critical Infrastructure Protection Activities, January 2001, was approved for release on February 22, 2001. This report is submitted in accordance with Section 1053 of the National Defense Authorization Act for Fiscal Year 2001 (Public Law 106-398), and pursuant to the requirement in Presidential Decision Directive 63 (PDD-63) for the National Coordinator to provide an annual report on the implementation of PDD-63 to the President and heads of departments and agencies.'

NIPC - A Failure to Communicate Ricardo Forno looks at how efficent or inefficent the NIPC is. 'Discusses the inherent problems with the National Infrastructure Protection Center (NIPC)'s information exchange system to publicize security alerts and bugs. This esssay was sparked by a hilarious (but sadly, real) NIPC Alert on 1 September that consisted of only one sentence. Makes one seriously wonder... ' (Published 2. September 2000)

In Bits and Pieces - Vulnerability of the Netherlands ICT-infrastructure and consequences for the information society by H.A.M. Luiijf and Dr. M.H.A. Klaver (TNO Physics and Electronics Laboratory). Translation in English of the Dutch Infodrome essay "BITBREUK, de kwetsbaarheid van de ICT-infrastructuur en de gevolgen voor de informatiemaatschappij". This essay was written in March 2000 by order of Infodrome as a basis for discussion in the Infodrome workshop "Vulnerabilities of ICT-networks". The workshop was held in Amsterdam.

Defending America's Cyberspace National Plan for Information Systems Protection Version 1.0 - an Invitation to a Dialect (White House, January 2000)

Practices for Securing Critical Infrastructure Assets US CIAO report on how to establish an InfoSec Policy and how to evaluate vulnerabilities of critical infrastructure assets (US Critical Infrastructure Assurance Office, January 2000)

The Infrastructure of the Protection of the Critical Infrastructure 'In May 1998, the President issued Presidential Decision Directive 63, Critical Infrastructure Protection. Julie Ryan describes that directive and effects on the existing bureaucracy.' (Fall 1998)

White Paper on PDD-63  The Clinton Administration's Policy on Critical Infrastructure Protection

Factsheet on PDD-63

Presidential Decision Directive 63 In May 1998, President Clinton issued PDD-63, which calls for a national effort to assure the security of the increasingly vulnerable and interconnected infrastructure of the United States, especially the cyber-based infrastructure.

CIP History: President's Commission on Critical Infrastructure Protection

Executive Order 13010 on Critical Infrastructure Protection, July 15, 1996






Articles



General Articles

Critical Infrastructure Protection: Department of Homeland Security Faces Challenges in Fulfilling Cybersecurity Responsibilities, GAO-05-434, May 26, 2005

Impact Analysis IA05-001: Impact of September 2000 Fuel Price Protests on UK Critical Infrastructure, PSEPC, January 2005

Technology Assessment: Cybersecurity for Critical Infrastructure Protection [1.5MB]. GAO-04-321, May 28, 2004.

“The DHS Infrastructure Protection Division: Public-Private Partnerships to Secure Critical Infrastructures”, Select Committee on Homeland Security, 21. April 2004

Critical Infrastructure Protection: Challenges and Efforts to Secure Control Systems, by Robert F. Dacey, director, information security, before the Subcommittee on Technology, Information Policy, Intergovernmental Relations, and the Census, House Committee on Government Reform. GAO-04-628T, March 2004.

Critical Infrastructure Protection: Challenges and Efforts to Secure Systems. GAO-04-354, March 15, 2004

U.S.-Canada Power System Outage Task ForceInterim Report: Causes of the August 14th Blackout in the United States and Canada , 19th December 2003

Critical Infrastructure Protection: Challenges in Securing Control Systems, Statement of Robert F. Dacey, Director, Information , Testimony Before the Subcommittee on Technology, Information Policy, Intergovernmental Relations, and the Census, House Committee on Government Reform: United States General Accounting Office, Wednesday, October 1, 2003

Joint Homeland Security Subcommittee Hearing: Implications of Power Blackouts on America’s Cyber Networks and Critical Infrastructure, Part I & I , September 2003

Homeland Security Cybersecurity Subcommittee Hearing The Invisible Battleground: How DHS Is Making America’s Cyberspace More Secure, Statement of Robert Liscouski, Assistant Secretary for Infrastructure Protection, Department of Homeland Security, September 2003

A National Infrastructure Simulation and Analysis Center (NISAC): Strategic Leader Education and Formulation of Critical Infrastructure Policies, Centre for Strategic Leadership, US Army War College, Published: August, 2003

Status of DoD Information Assurance: Cyber Terrorism: The New Asymmetric Threat, Terrorism, Unconventional Threats and Capabilities Subcommittee, House Armed Services Committee, July 24, 2003

Ridge Creates New Division to Combat Cyber Threats: National Cyber Security Division (NCSD), June, 2003

Full House Science Committee Hearing on Cybersecurity Research and Development, May 14, 2003

Information Security: Progress Made, but Challenges Remain to Protect Federal Systems and the Nation's Critical Infrastructure, by Robert F. Dacey, director, information security issues, before the Subcommittee on Technology, Information Policy, Intergovernmental Relations, and the Census, House Committee on Government Operations. GAO-03-564T, April 8, 2003

Critical Infrastructure Protection: Challenges for Selected Agencies and Industry Sectors GAO-03-233, February 28, 2003

Critical Infrastructure: Control Systems and the Terrorist Threat, CRS Updated February 21, 2003

Critical Infrastructures: Background, Policy, and Implementation, Congressional Research Service ˜ The Library of Congress, Updated February 10, 2003

Critical Infrastructure Protection: Efforts of the Financial Services Sector to Address Cyber Threats [1.3 MB] - GAO-03-173, January 30, 2003

Critical Infrastructure Information Disclosure and Homeland Security, CRS, Updated January 29, 2003

Critical Infrastructures: What Makes an Infrastructure Critical?, CRS, Updated January 29, 2003

Blue Cascades Table Top Exercise Pacific North-West Economic Region, NIPC August 2002

Security in the Information Age: New Challenges, New Strategies, [3.8 MB] by the Joint Economic Committee United States Congress May 2002


Critical Infrastructure Protection by John S. Tomko, Jr, Strategy Research Project, April 2002

Ronald L. Dick: “The Legal Aspects of Infrastructure Protection”, September 5, 2001 INFOWARCON 2001, Washington, DC

America's NERF-Based Security: Reassurance Through Illusion, Rhetoric, and Fear-Mongering by Richard Forno, October 22, 2001

Cyber Terrorism – A View From the Gilmore Commission
On Wednesday, October 17, 2001 at 10:00 a.m. the House Committee on Science held its second hearing to examine the vulnerability of the nation’s computer infrastructure as well as research-related challenges and opportunities facing the nation’s network security infrastructure and management.

Cyber Security – How Can We Protect American Computer Networks From Attack? On Wednesday, October 10, 2001 at 10:00 a.m. the House Committee on Science held a hearing to examine the vulnerability of the nation’s computer infrastructure as well as research-related challenges and opportunities facing the nation’s computer networks.

"Critical Infrastructure Protection: Who's In Charge?" U.S. Senate Committee on Governmental Affairs, October 4, 2001


Oversight  hearing on "Information Technology -- Essential Yet Vulnerable: How Prepared Are We for Attacks?", September 26, 2001 Subcommittee on Govermental Efficency, Financial Management and Intergovernmental Relations.

Ron Dick, "The Legal Aspects of Infrastructure Protection," InfoWarCon -
September 5, 2001 - Washington, DC

How Secure is Our Critical Infrastructure? U.S. Senate Committee Senate Committee on Governmental Affairs, Wednesday, September 12, 2001

Q&A Center of Attention Career FBI agent Ronald Dick has been given the mission of maturing the scope and capabilities of the National Infrastructure Protection Center.
Reprinted with permission from Information Security Magazine , Interview by Richard Thieme, August 2001, pp 62-70. Copyright 2001 by Information Security Magazine

How Secure is Sensitive Commerce Department Data and Operations? A Review of the Department’s Computer Security Policies and Practices. Subcommittee on Oversight and Investigations August 3, 2001

Protection of the Canadian Critical Infrastructure
(Information Operations published by the Canadian Security Intelligence Service (CSIS) July 17, 2001)

Wired World: Cyber Security and the U.S. Economy Joint Economic Committee Hearing 21 June 2001

Military Readiness Subcommittee hearing on vulnerabilities of Department of Defense networks May 17 2001

Occasional Paper #33 Sharing the Knowledge: Government-Private Sector Partnerships to Enhance Information Security by Steven M. Rinaldi, USAF Institute For National Security Studies, May 2000

Defensive Information Operations – An Interagency Process by James T. Schutze, Strategy Research Project, March 2001

Report of the Commission to Assess United States National Security Space Management and Organization (CIP in Space) The commission warns that the United States should protect its space assets as the US is highly dependent on them. [published 11/01/01]

GAO Report: Information Security
United States General Accounting Office Report to the Chairman of the Subcommittee on Government Management, Information and Technology at the House of Representative. The report criticises the lack of Information Security at Federal Agencies [September 2000]

Computer Security: Cyber Attacks - A War without Borders
Congress Hearing on CIP before House Subcommittee on Government Management, Information, and Technology  [published 26th of July 2000]

New draft version of the CSIS Homeland Defense Projects on CIP [published 16th of July 2000]

Communications-Electronics Security Group (CESG) Presentation to The First International Common Criteria Conference, Baltimore 23 May 2000

Statements before the Senate Armed Services Committee Subcommittee on Emerging Threats and Capabilities: Information Assurance, 1 March 2000:


Statement of John S. Tritak Director, Critical Infrastructure Assurance Office before Senate Judiciary Committee Subcommittee on Technology, Terrorism and Government Information on
February 1, 2000

Cyber-Threats and the US Economy Prepared Testimony and Opening Statements in front of the Joint Economic Committee on February 23, 2000.

Informationstechnische Bedrohungen für Kritische Infrastrukturen in Deutschland [December 1999] Kurzbericht der Ressortarbeitsgruppe KRITIS (Entwurfsversion 7.95) (German CIP Draft Paper)

Highlights of the Protecting the Critical Infrastructure Issues and Solution Symposium 'was held November the 9th 1999 and played host to approximately 500 attendees from Federal Government, the U.S. Military, private industry and academia. The event focused on protection of the critical infrastructure and encouraged a collaborative effort to deal quickly and effectively with the evolving threat to technology resources, information and the U.S. way of life.'



CIP Special Papers - Electricity Sector

NERC's comments in response to the NOPR that the Commission issued on September 5, 2002 on the subject of protecting critical energy infrastructure information

NERC Security Guidelines for the Electricity Sector: Version 1.0 [1.3 MB] - this file contains one Acrobat file inclusive of all 13 individual Security Guidelines, June 2002

Electricty Sector Response to the Critical Infrastructure Protection Challenge, NERC, May 2002

An Approach to Action for the Electricity Sector, [1.5 MB] Working Group Forum on Critical Infrastructure Protection, NERC June 2002.

Information Security Challenges in the Electric Power Industry (White Paper) January 2001 (courtesy of Riptech) Abstract: This white paper addresses how modern utility companies can take advantage of the new business environment brought on by industry deregulation without compromising information security. While operational information security has always been a concern, new issues such as financial and customer information privacy are coming to the surface as utilities continue to implement new Internet-based business methodologies. This report analyzes network and system vulnerabilities and potential impacts, as well as information security best practices for utilities operating in a newly deregulated and competitive environment.

"Understanding SCADA System Security Vulnerabilities." White Paper" January 2001 (courtesy of Riptech) Abstract: This white paper analyzes the issue of supervisory control and data acquisition (SCADA) system vulnerability to public network "cyber" attacks. Riptech network security engineers have found that many utilities underestimate their vulnerability due to some common misconceptions about SCADA system security. This paper addresses these misconceptions and discusses the best ways to protect these mission-critical systems from attack.





News


NIPC FBI Cyber Notes is designed to support security and information system professionals with timely information on cyber-vulnerabilities, exploit scripts, hacker trends, virus information, and other critical infrastructure-related best practices. Cyber Notes is published every two weeks.

Disclaimer: The NIPC accepts no responsibility for any error or omissions contained in the CyberNotes periodical. The NIPC is not liable for any loss or damage arising from or in connection with the information contained in this report. It is the responsibility of the user to evaluate the content and usefulness of this information. References in CyberNotes to any specific commercial products, processes, or services by trade name, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the United States Government or any agency thereof.

Cybernotes Index


NIPC Highlights

Highlights is published on a monthly basis by the National Infrastructure Protection Center (NIPC). Its mission is to apprise policy and/or decision makers of current events, incidents, developments, and trends related to Critical Infrastructure Protection (CIP).

Highlights seeks to provide policy and/or decision makers with value-added insight by synthesizing all source information to provide the most detailed, accurate, and timely reporting on potentially actionable CIP matters.

Disclaimer: The NIPC accepts no responsibility for any error or omissions contained in the Highlights publication. The NIPC is not liable for any loss or damage arising from or in connection with the information contained in this report. It is the responsibility of the user to evaluate the content and usefulness of this information. References in Hightlights to any specific commercial products, processes, or services by trade name, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the United States Government or any agency thereof.

Highlights


 

 

IA/CIP Links


For more links visit our new link directory

How to Link to IWS

Government


Canada

Office of Critical Infrastructure Protection And Emergency Preparedness (OCIPEP)
On February 5, 2001 Prime Minister Jean Chrétien announced the creation of the Office of Critical Infrastructure Protection and Emergency Preparedness. The Minister of National Defence will be the Minister responsible for the organization, which will also encompass the existing functions of Emergency Preparedness Canada. Margaret Purdy has been appointed as Associate Deputy Minister of National Defence and will lead the new organization.



United Kingdom

National Infrastructure Security Coordination Centre (NISCC) 'to ensure sound mechanisms are in place to protect the critical national infrastructure. We set up the National Infrastructure Security Coordination Centre (NISCC) in late 1999 to coordinate and develop work to protect the critical national infrastructure in the public and the private sector against electronic attack. NISCC is raising awareness of information security across those organisations responsible for the critical national infrastructure.' UK e-envoy

Unified Incident Reporting & Alert Scheme '(UNIRAS) was established in 1992 with the role of gathering information on IT security incidents in Government departments and agencies, producing periodic analysis and assessment of incidents and trends, and issuing alerts and briefings on matters of IT security concern. UNIRAS is now a fully integrated part of the National Infrastructure Security Co-ordination Centre (NISCC).'


US

Critical Infrastructure Assurance Office  'PDD-63 created the CIAO on May 22, 1998. CIAO's basic mission, as articulated in PDD-63, is to coordinate national planning activities related to critical infrastructure protection, develop awareness in the private and public sectors on the need for sound security practices, and support the development of a public-private Partnership through outreach and other activities'.


Critical Infrastructure Protection Program at the Department of Commerce 'DOC Critical Infrastructure Protection Program will: focus management attention on the need to protect critical infrastructure, promote best practices in critical infrastructure management, develop and promulgate policies and guidance related to critical infrastructure management, and identify resources needed to manage the Critical Infrastructure Protection Program.'


Critical Infrastructure Surety Department at Sandia National Laboratories 'Sandia is, first and foremost, a systems engineering laboratory whose primary mission is guaranteeing the surety of the nuclear weapons stockpile. Additionally, it has a mission to improve the surety of the nation's energy infrastructure.'

Defense Information Systems Agency
'
DISA is helping protect against, detect and react to threats to both its information infrastructure and information sources. Additionally, DISA is aggressively working with DOD Agencies, the military departments, and other federal agencies, and industry.

The Department of Homeland Security, DHS leads the unified national effort to secure America. It prevents and deters terrorist attacks and protect against and respond to threats and hazards to the nation.

Information Assurance Technology Analysis Center 'IATAC's Mission "Provide the DoD a central point of access for information on Information Assurance emerging technologies in system vulnerabilities, research and development, models, and analysis to support the development and implementation of effective defense against Information Warfare attacks."'

Information Infrastructure Task Force (IITF)
'The White House formed the Information Infrastructure Task Force (IITF) to articulate and implement the Administration's vision for the National Information Infrastructure (NII).'


National Information Assurance Partnership '(NIAP) is a U.S. Government initiative designed to meet the security testing, evaluation, and assessment needs of both information technology (IT) producers and consumers. NIAP is a collaboration between the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA) in fulfilling their respective responsibilities under Computer Security Act of 1987.'

National Infrastructure Protection Center (FBI)
  'Established in February 1998, the NIPC's mission is to serve as the U.S. government's focal point for threat assessment, warning, investigation, and response for threats or attacks against our critical infrastructures. '


Partnership for Critical Infrastructure Security 'Our Mission: Coordinate cross-sector initiatives, and complement public / private efforts to promote and assure reliable provision of critical infrastructure services in the face of emerging risks to economic and national security.'


Others

The Global Information Infrastructure Commission
'The Global Information Infrastructure Commission (GIIC) is an independent, non-governmental initiative involving communications related industry leaders from developing as well as industrialized countries. The GIIC has been established to respond to the recognition that traditional institutions and regulatory frameworks can no longer meet the increasingly complex challenges and opportunities of globalized information.'


Harvard Information Infrastructure Project  'As the Harvard Information Infrastructure Project (HIIP) moves into its second decade, the information revolution continues to penetrate every aspect of daily life around the globe, affecting everything from national security to personal privacy, from economic competitiveness to democratic participation in governance. The HIIP identifies key issues and guides responsible policy in this critical and fast-moving area.

TNO - Netherlands Organization for Applied Scientific Research 'The Netherlands government has contracted TNO for Critical Infrastructure Protection studies (Bitbreuk and KWINT). TNO maintains a web page with relevant information on infrastructure studies, protection and vulnerabilities.'

Information Assurance Advisory Council (UK) 'is a unique partnership for the information age that brings together corporate leaders, public policy makers and the research community' within the United Kingdom.

InfoSurance The Foundation for the Security of Information Infrastructures in Switzerland 'aims at creating in close partnership with the public and the private sector the organizational and structural conditions.'.

The Institute for Security Technology Studies (ISTS) serves as a national center for cybersecurity and counterterrorism research, development, and analysis. Our research programs concentrate on threats to information infrastructure systems as well as national information sharing needs. Additionally, ISTS develops technology to strengthen America's response to attacks via weapons of mass destruction.

The Partnership for Global Information Security 'is a partnership between industry and government leaders from around the world to address critical communications and information sharing issues surrounding information security in a digital economy. Launched at the conclusion of the inaugural Global InfoSec Summit, held October 16-17, 2000, the purpose of the Partnership is to seek ways to continue international information sharing on the people, process and technology challenges of information security.'


Forschungsgruppe Informationsgesellschaft und Sicherheitspolitik A German CIP research group



Google Ads




IWS Mailing Lists






Mailing Lists Overview

Affiliates & Supporters

 

IWS Awards & Reviews

 

More Awards & Reviews


[ Information Operations | Critical Infrastructure Protection | Terrorism | Computer Security |
| Hacking & Cracking
| RMA & C4I Intelligence | Crime & Espionage | PsyOps | Legal Aspects |
| E-Commerce | Military Affairs | IWS Discussion Forum | IWS Mailing List | Search IWS |
| Contributors | IWS Team | IWS Sponsors | Link Directory | Contact IWS ]

IWS welcomes suggestions regarding site content and usability. Please use our contact form to submit your comments.

Last modified: 13 February, 2011 by Wanja Eric Naef

IWS Copyright © 2000 - 2011