A proposed Security Incident Management Process for WMO Member States

Presentation transcript:

A proposed Security Incident Management Process for WMO Member States
Rémy Giraud
cbs-16@wmo.int

ET on Communication Techniques and Systems
As part of our Terms of Reference:
(a) Maintain and develop recommended practices and technical guidance material for data communication techniques and procedures for use in the WIS, with a view to ensuring efficient and safe operations of information systems, and inform members of recent developments in standards bodies, in particular W3C, IETF, ITU and ISO;
(e) Provide guidance on the technical, operational, security, administrative and contractual aspects of data communications services for WIS implementation at national, regional and global levels, including among others satellite telecommunications, managed data communications network services, cloud services and the Internet, and coordinating cooperation with other organizations where appropriate to obtain operational benefits;
(l) Raise awareness of Members on the opportunities and risks associated with new infrastructure technologies;

The trigger
In 2015, a Security Incident affecting one of the GISCs was reported in the press.
The Security Incident was, at the time, neither denied nor confirmed by the GISC.
As a consequence of this incident, another GISC decided to "unplug the wire" with the (potentially) affected GISC.
Considering how the WIS operates, this could have tremendous consequences for the successful operation of the WIS.

The lack of coordination
So far, in our set of regulations, we have no agreed way to manage such an event.
Even if this event was one of the first to be reported at a global level, it is very likely to happen again.
In the integrated World Information System that we have now, we should have a proper Security Incident management methodology.

The response
ICT-ISS had an emergency meeting to discuss the matter. It must be noted that at the time, no one within ICT-ISS knew whether the incident was real or not, nor what its impact could have been.
ICT-ISS tasked ET-CTS to draft a proposal for a coordinated response in case of a security-related event.
ET-CTS presented the proposal mid-2016 and this is now part of the decision papers presented at CBS.
The way the metadata records are structured is having an impact on the usability of WIS.

The WIS architecture

Background information
The WIS, up to a point, can be seen as one large IT environment, where each member appears as one site of a larger organization.
E.g.: the 24-hour Global Cache is a replicated database between all the GISCs. A compromised database in one location could compromise all instances.
WIS is much more integrated compared to the GTS. The GTS is a "loosely coupled" system: the store-and-forward of bulletins poses fewer risks.
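To make the blast-radius point concrete, the following is an added example (not code from the presentation, nor WMO's or any GISC's implementation): a toy model of a cache fully replicated between several centres, in which a record tampered with at one replica either spreads to every replica or is stopped at the replica boundary. The GISC names, the version counter, the full-mesh replication loop and the per-originator HMAC key used as an integrity tag are all assumptions made for the simulation; a real design would use signatures and the actual WIS synchronisation protocol, neither of which the slides describe.

```python
"""Toy model: blast radius of one compromised replica in a fully replicated cache.

Constructed example. Records carry an integrity tag computed by the originating
centre (assumption: HMAC with a per-originator key known to every replica).
A replica that verifies tags on replication will not accept a record whose
payload was altered by someone without the originator's key.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed per-originator keys (assumption; stands in for a signing key).
ORIGINATOR_KEYS: Dict[str, bytes] = {"NC-A": b"constructed-key-nc-a"}


@dataclass
class Record:
    record_id: str
    originator: str
    payload: bytes
    tag: bytes      # integrity tag produced by the originator
    version: int    # newer version wins during replication


def _tag(originator: str, record_id: str, payload: bytes) -> bytes:
    return hmac.new(ORIGINATOR_KEYS[originator],
                    record_id.encode() + b"|" + payload, hashlib.sha256).digest()


def make_record(record_id: str, originator: str, payload: bytes, version: int) -> Record:
    """Originating centre creates a record and signs it (here: HMAC tag)."""
    return Record(record_id, originator, payload, _tag(originator, record_id, payload), version)


def verify(record: Record) -> bool:
    """Check that the payload still matches the originator's tag."""
    if record.originator not in ORIGINATOR_KEYS:
        return False
    expected = _tag(record.originator, record.record_id, record.payload)
    return hmac.compare_digest(expected, record.tag)


@dataclass
class Replica:
    name: str
    verify_on_replication: bool
    store: Dict[str, Record] = field(default_factory=dict)

    def accept(self, record: Record) -> bool:
        """Accept a replicated record if it is newer and (optionally) verifies."""
        existing: Optional[Record] = self.store.get(record.record_id)
        if existing is not None and record.version <= existing.version:
            return False
        if self.verify_on_replication and not verify(record):
            return False
        self.store[record.record_id] = record
        return True


def replicate_all(replicas: List[Replica]) -> None:
    """Full-mesh replication until no replica accepts anything new (assumption)."""
    changed = True
    while changed:
        changed = False
        for src in replicas:
            for dst in replicas:
                if src is dst:
                    continue
                for rec in list(src.store.values()):
                    if dst.accept(rec):
                        changed = True


def simulate(verify_on_replication: bool) -> int:
    """Return how many replicas end up holding the tampered payload."""
    replicas = [Replica(f"GISC-{i}", verify_on_replication) for i in range(1, 5)]
    original = make_record("bulletin-001", "NC-A", b"constructed original bulletin", 1)
    replicas[0].accept(original)           # ingested from its originating centre
    replicate_all(replicas)

    # Compromise at GISC-2: the stored copy is edited directly, bypassing accept().
    # The attacker has no originator key, so the old tag stays attached.
    tampered = Record("bulletin-001", "NC-A", b"constructed tampered bulletin", original.tag, 2)
    replicas[1].store["bulletin-001"] = tampered
    replicate_all(replicas)

    return sum(1 for r in replicas if r.store["bulletin-001"].payload == tampered.payload)


if __name__ == "__main__":
    print("replicas holding tampered record, no verification:", simulate(False))
    print("replicas holding tampered record, with verification:", simulate(True))
```

Without verification on replication the compromised copy at one replica overwrites every other replica (the "compromise all instances" case on the slide); with verification it stays confined to the replica that was compromised, which is the property a coordinated incident process needs in order to isolate one site rather than the whole system.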

Is there an applicable model? (1)
The ISO 27xxx series is a set of standard practices related to IT Security; we can mention:
ISO/IEC 27000 — Information security management systems — Overview and vocabulary
ISO/IEC 27001 — Information technology — Security techniques — Information security management systems — Requirements. The older ISO/IEC 27001:2005 standard relied on the Plan-Do-Check-Act cycle; the newer ISO/IEC 27001:2013 does not, but has been updated in other ways to reflect changes in technologies and in how organizations manage information.
ISO/IEC 27002 — Code of practice for information security management
ISO/IEC 27003 — Information security management system implementation guidance

Is there an applicable model? (2)
In the standard: "Security incidents should be reported through appropriate management channels as quickly as possible. A formal reporting procedure should be established, together with an incident response procedure, setting out the action to be taken on receipt of an incident report."
This is (almost) exactly what we need!
However, we face some difficulties in applying this model directly.

Can we apply the model? (1)
The domain of applicability of the ISO 27xxx standards is within an organization.
Typically, in our case, that would be within the NC, and (probably) the reporting process will involve the national government.
What we are trying to achieve here is at a much larger scale and should cover multiple organizations (the GISCs, DCPCs and NCs) spread over the world.

Can we apply the model? (2)
When preparing the proposal within ET-CTS, we exchanged views on whether the model was applicable or not.
We rather quickly hit the issue of disclosure: if and when an NC is facing a Security Incident, what can and can't it do?
There was a consensus that in many cases the national laws would forbid the NC to communicate on the occurrence of the Incident, not to mention the nature of the incident.

The proposal
The proposal that is presented at CBS-16 is inspired by the ISO standards while at the same time recognizing that WMO and its Members are not a single organization, and therefore each Member will be able to decide on a case-by-case basis what can and can't be shared.
We are proposing a method to handle such cases.
Even if the ISO 27xxx standards are very interesting documents, they are a bit tough to read (!). So we have "translated" the requirements into simple flowcharts.

The cases covered
What process should I follow if I think I have an IT Security incident?
What process should I follow if I hear that another WMO Member has had a possible IT Security incident?
What process should I follow if I am contacted by my GISC?
What process should the WMO IT Security Contact Point follow?
What process should the GISC follow?

What process should I follow if I think I have an IT Security incident?

The document and some background information
The topic is introduced in CBS-16/Doc. 5.5(2).
The full text is available at ICTT-WIS review of Draft Security Incidents: http://wis.wmo.int/file=3007
The story that triggered this effort, as we knew it in late 2016: http://www.abc.net.au/news/2016-10-12/bureau-of-meteorology-bom-cyber-hacked-by-foreign-spies/7923770

Thank you / Merci
cbs-16@wmo.int