Critical telecommunication infrastructure protection in Brazil

1. ITU Workshop on “ICT Security Standardizationfor Developing Countries” (Geneva, Switzerland, 15-16 September 2014) Critical telecommunication infrastructure protection in Brazil Antonio Guimaraes / Paulo Moura National Telecommunication Agency - Anatel, Brazil

2. Agenda Brazilian legal framework Anatel’s prior involvement Methodologies for CTIP SIEC project development Main functionalities of SIEC New regulations (in progress) Conclusions

3. Brazilian legal framework Ordinance No. 2, of February 2008, the Cabinet of Institutional Security of the Presidency (GSI/PR) created the Technical Group on Protection of Critical Infrastructures (GTSIC); Critical Infrastructures are considered as facilities, services, goods and systems that, if disrupted or destroyed, would bring serious economic, political or social impacts or risks to the security of the state and society; GTSIC studies and proposes the implementation of measures and actions related to the security of critical infrastructure in the areas of energy, transport, water and telecommunications.

4. Telecommunication Infrastructure • Interministerial Ordinance No. 16, of July 2008, established the Technical Subgroup on Critical Telecommunication Infrastructure Protection (SGTSIC - Telecom), aiming to: • study and propose a method for identifying Critical Telecommunication Infrastructure (CTI); • identify the CTI in Brazil; • assess the vulnerabilities of the identified CTI and their interrelationships; • select causes and assess the risks that may affect the security and safety of CTI; • propose, coordinate and monitor measures necessary for the security and safety of the CTI; and • to study, propose and implement a CTI information system, containing online data for decision support.

5. Anatel’s prior involvement • National Telecommunications Agency (Anatel) is part of SGTSIC - Telecom, with GSI/PR, Ministry of Communications, other agencies and experts; • Anatel had prior involvement in this subject, through the project “Critical Telecommunications Infrastructure Protection (CTIP)”, run by CPqD: • identification of CTI in the scope of the Pan-American Games (2007), aiming security and safety planning; • benchmarks on CTI in the world, in order to contribute to the development of the national strategy for critical infrastructure protection and foster the creation of working groups in the sphere of the federal government; • development of a first information system on critical telecommunication infrastructure protection (off-line).

6. Methodologies for CTIP CTIP model was implemented by a set of five methodologies; Each methodology is responsible for a specific part of the model; Nevertheless, they are interdependent, since the output of one could be the input of other.

7. SIEC project development • As mandated by SGTSIC – Telecom, Anatel is developing a comprehensive project on CTI protection, know as “Critical Telecommunication Infrastructures Security (SIEC)”; • The project considers the development of an information system to deal with governance, risks and conformity (GRC), as well as carry out near real-time monitoring of key networks elements, such as stations and routes; • System will receive data from operator’s network management systems, among other sources; • SIEC is based on ISO/IEC 27k and 31k series.

8. SIEC – system overview Control Panel GRC Network analysis & evaluation data collector topology Operator´s NMS Risk questionnaires treatment & control actions faults conformity quality Anatel’s legacy systems

9. Main functionalities of SIEC • SIEC offers a series of dashboard reports, with drill-down capabilities to more granular data; • Main functions are grouped under 5 modules: • Analysis and evaluation: threat assessment on assets, classed by station, operator, service and localization; • Processing and control actions: functionalities related to contingency analysis and risk mitigation plans; • Conformity assessment: analysis on risk questionnaires (filled by operators), according to ISO/IEC 27k and 31k; • Network monitoring: near real-time information on faults, interruptions, quality, capacity and traffic; • Control panel: graphic presentation of network elements and assets, including geographic referenced information.

10. Governance, risks, and conformity Calculation of indexes of risk by SIEC • Services mapped: • fixed line phone • mobile phone/data • fixed broadband • pay TV Questionnaires (filled by operators, for each telecom station) Identification of high risk assets • 470 Questions on: • Energy supply • Security • Network • Sharing • Transmission • Traffic • incidents on demand reports; maps of risks, per station.

11. Examples of SIEC views

12. GRC and network monitoring SIEC is integrated to the existing “National Centre for Remote Telecommunication Monitoring” of Anatel

13. New regulations (in progress)

14. Conclusions Excepted some network monitoring functions, SIEC system is already operating, with a partially populated database; SIEC has been extensively tested during FIFA 2014 Soccer World Cup, with very good results; SIEC system is highly scalable, with room for additions and improvements in the future, such as SIEM functions, more accurate vulnerability metrics, and broader cybersecurity coordination with SOCs and CSIRTs; Some of SIEC developments could be good candidates for contributions to ITU-T SG-17.

15. Thank you ! Antonio Guimaraes +556123122819 /0799020425 ateixeira@anatel.gov.br www.anatel.gov.br