1. Geneva, Switzerland, 15-16 September 2014 Critical telecommunication infrastructure protection in Brazil Antonio Guimaraes / Paulo Moura National Telecommunication Agency - Anatel, Brazil ITU Workshop on “ICT Security Standardization for Developing Countries” (Geneva, Switzerland, 15-16 September 2014)

2. Agenda Brazilian legal framework Anatel’s prior involvement Methodologies for CTIP SIEC project development Main functionalities of SIEC New regulations (in progress) Conclusions Geneva, Switzerland, 15-16 September 2014 2

3. Brazilian legal framework Ordinance No. 2, of February 2008, the Cabinet of Institutional Security of the Presidency (GSI/PR) created the Technical Group on Protection of Critical Infrastructures (GTSIC); Critical Infrastructures are considered as facilities, services, goods and systems that, if disrupted or destroyed, would bring serious economic, political or social impacts or risks to the security of the state and society; GTSIC studies and proposes the implementation of measures and actions related to the security of critical infrastructure in the areas of energy, transport, water and telecommunications. Geneva, Switzerland, 15-16 September 2014 3

4. Telecommunication Infrastructure Interministerial Ordinance No. 16, of July 2008, established the Technical Subgroup on Critical Telecommunication Infrastructure Protection (SGTSIC - Telecom), aiming to: I. study and propose a method for identifying Critical Telecommunication Infrastructure (CTI); II. identify the CTI in Brazil; III. assess the vulnerabilities of the identified CTI and their interrelationships; IV. select causes and assess the risks that may affect the security and safety of CTI; V. propose, coordinate and monitor measures necessary for the security and safety of the CTI; and VI. to study, propose and implement a CTI information system, containing online data for decision support. Geneva, Switzerland, 15-16 September 2014 4

5. Anatel’s prior involvement National Telecommunications Agency (Anatel) is part of SGTSIC - Telecom, with GSI/PR, Ministry of Communications, other agencies and experts; Anatel had prior involvement in this subject, through the project “Critical Telecommunications Infrastructure Protection (CTIP)”, run by CPqD: identification of CTI in the scope of the Pan-American Games (2007), aiming security and safety planning; benchmarks on CTI in the world, in order to contribute to the development of the national strategy for critical infrastructure protection and foster the creation of working groups in the sphere of the federal government; development of a first information system on critical telecommunication infrastructure protection (off-line). Geneva, Switzerland, 15-16 September 2014 5

6. 6 Methodologies for CTIP CTIP model was implemented by a set of five methodologies; Each methodology is responsible for a specific part of the model; Nevertheless, they are interdependent, since the output of one could be the input of other.

7. SIEC project development As mandated by SGTSIC – Telecom, Anatel is developing a comprehensive project on CTI protection, know as “Critical Telecommunication Infrastructures Security (SIEC)”; The project considers the development of an information system to deal with governance, risks and conformity (GRC), as well as carry out near real-time monitoring of key networks elements, such as stations and routes; System will receive data from operator’s network management systems, among other sources; SIEC is based on ISO/IEC 27k and 31k series. Geneva, Switzerland, 15-16 September 2014 7

8. SIEC – system overview Geneva, Switzerland, 15-16 September 2014 8 Network GRC Control Panel Anatel’s legacy systems Risk questionnaires Operator´s NMS analysis & evaluation treatment & control actions conformity data collector topology faults quality

9. Main functionalities of SIEC SIEC offers a series of dashboard reports, with drill-down capabilities to more granular data; Main functions are grouped under 5 modules: Analysis and evaluation: threat assessment on assets, classed by station, operator, service and localization; Processing and control actions: functionalities related to contingency analysis and risk mitigation plans; Conformity assessment: analysis on risk questionnaires (filled by operators), according to ISO/IEC 27k and 31k; Network monitoring: near real-time information on faults, interruptions, quality, capacity and traffic; Control panel: graphic presentation of network elements and assets, including geographic referenced information. Geneva, Switzerland, 15-16 September 2014 9

10. 10 Governance, risks, and conformity Services mapped: fixed line phone mobile phone/data fixed broadband pay TV Questionnaires (filled by operators, for each telecom station) Calculation of indexes of risk by SIEC 470 Questions on: Energy supply Security Network Sharing Transmission Traffic incidents on demand reports; maps of risks, per station. Identification of high risk assets

11. Geneva, Switzerland, 15-16 September 2014 11 Examples of SIEC views

12. GRC and network monitoring Geneva, Switzerland, 15-16 September 2014 12 SIEC is integrated to the existing “National Centre for Remote Telecommunication Monitoring” of Anatel

13. New regulations (in progress) Geneva, Switzerland, 15-16 September 2014 13

14. Conclusions Excepted some network monitoring functions, SIEC system is already operating, with a partially populated database; SIEC has been extensively tested during FIFA 2014 Soccer World Cup, with very good results; SIEC system is highly scalable, with room for additions and improvements in the future, such as SIEM functions, more accurate vulnerability metrics, and broader cybersecurity coordination with SOCs and CSIRTs; Some of SIEC developments could be good candidates for contributions to ITU-T SG-17. Geneva, Switzerland, 15-16 September 2014 14

15. Thank you ! Geneva, Switzerland, 15-16 September 2014 15 Antonio Guimaraes +556123122819 /0799020425 ateixeira@anatel.gov.br www.anatel.gov.br