Neal Rauhauser: Cyber-Security Global Knowledge Network

Advanced Cyber/IO
Neal Rauhauser

Worth a look.

ICS-ISAC and the Global Knowledge Sharing Network

The Industrial Control System Information Sharing and Analysis Center (ICS-ISAC) is part of the Global Knowledge Network (GKN). The Global Knowledge Network has been evolving for a number of years and is today undergoing a rapid expansion and refinement process. Public and private sector centers for creating and sharing cybersecurity knowledge have arisen around the world at an increasing rate in recent years and have established various working models for knowledge sharing.

The following describes the basic form of the Global Knowledge Network and how it is generally implemented at national and regional scales.

Standard Knowledge Sharing Model

Regardless of the detail within a specific portion of the global knowledge sharing network, at the highest level it follows a standard architecture that is reflected in this diagram.

The three major components – Facility Capabilities, Aggregation, and Knowledge Centers – are arranged in different topologies depending on specific conditions at the smaller scale, but follow a consistent pattern. Data, information and knowledge flow in definable ways between facilities and knowledge centers.

Facility Baseline Requirements:

Facilities must have a basic capability to produce data and/or utilize knowledge in order to participate in the global knowledge network. This baseline capability includes such functionality as is necessary to maintain visibility into the inventory and activity of assets with cyber characteristics.

These capabilities can include:

  • control system network activity monitoring
  • malware detection
  • vulnerability management

Aggregation:

  • One-to-One connectivity between all asset owners and individual knowledge centers is topologically complex and operationally difficult for all parties.
  • Many facilities do not and will not have the capability to manage security on their cyber infrastructure, and will require outsourced operations.
  • Aggregation of asset-owner information can be performed by public or private Managed Security Service Provider (MSSP) offerings, or by other means.

Public Knowledge Centers:

  • Public knowledge centers perform diligence on behalf of the government's responsibility for infrastructure security (e.g. ICS-CERT).
  • Public centers exist at international, national, state, regional, county and municipal levels in the US governmental model, for example.
  • Public knowledge centers generally have access to information that private centers may not.
  • Public knowledge centers generally operate under legal restrictions on the dissemination of knowledge that private centers may not.

Private Knowledge Centers:

  • Private knowledge centers perform diligence on behalf of private organizations’ responsibility for infrastructure security (e.g. WCX).
  • Private knowledge centers exist as for-profit and non-profit entities (e.g. NESCO TAC [non-profit], McAfee GTI [for-profit]).
  • Private knowledge centers can be dedicated operations or a unit within other private entities (e.g. Red Sky Alliance [dedicated], IBM X-Force [unit]).

Public/Private Knowledge Centers:

  • “Public/Private”: public-sector centers where the private sector comes to share knowledge (e.g. ICSJWG).
  • Public/Private knowledge centers provide forums for the public sector to engage in knowledge sharing with the private sector.
  • “Private/Public”: private-sector centers where the public sector comes to share knowledge (e.g. ICS-ISAC).
  • Private/Public knowledge centers provide forums for the private sector to engage in knowledge sharing with the public sector.

National Implementation of Knowledge Sharing Architecture

In the context of a national or regional implementation for the public sector, the architecture of the GKN follows this structure:

  • Federal knowledge centers maintain international relationships.
  • A consistent set of capabilities and functions is instantiated at state/provincial/regional Security Operations Centers (SOCs).
  • The state SOCs ensure consistent visibility into and communication with all state assets.
  • The state SOCs share filtered information and knowledge bidirectionally with other centers: public/private; private; and state, federal and international public knowledge centers.
  • Some critical assets will establish relationships directly with the state SOC.
  • County, tribal and other regional public knowledge centers share filtered information and knowledge bidirectionally with the state SOC.
  • County, tribal and other regional public knowledge centers share filtered data and knowledge bidirectionally with Municipal and other sub-regional knowledge centers.
  • Municipal and other sub-regional public knowledge centers share filtered data and knowledge bidirectionally with regional centers.
  • Municipal and other sub-regional public knowledge centers receive filtered data from and share knowledge with asset owners.

State/Provincial Implementation of Knowledge Sharing Architecture

At the state level the GKN architecture is as shown here.

  • The state SOCs ensure consistent visibility into and communication with all state assets.
  • The state SOCs share filtered data and knowledge bidirectionally with other centers: public/private; private; and state, federal and international public knowledge centers.
  • Some critical assets establish relationships directly with the state SOC.
  • County, tribal and other regional public knowledge centers share filtered data and knowledge bidirectionally with the state SOC.
  • County, tribal and other regional public knowledge centers share filtered data and knowledge bidirectionally with Municipal and other sub-regional information sharing centers.
  • Municipal and other sub-regional public knowledge centers share filtered data and knowledge bidirectionally with regional centers.
  • Municipal and other sub-regional public knowledge centers will receive filtered information from and share knowledge with asset owners.
  • Asset owners within the state may communicate with the state knowledge network by way of a direct connection to the state SOC, through regional or sub-regional public knowledge sharing centers, and/or through other means. Knowledge from such assets routes through the knowledge sharing network to reach pertinent parties (such as municipal emergency management communicating with the local City Hall via a program like LIGHTS, in this example).

The Global Knowledge Network is emerging as centers such as the Center for Protection of National Infrastructure (CPNI) become established in the UK and the Netherlands, as JP-CERT in Japan builds on what ICS-CERT has done in the US, and as Red Sky Alliance, the Western Cyber Exchange (WCX) and many other knowledge centers around the world come online.

This year the ICS-ISAC and a consortium of vendors, non-profits, integrators, operators, managed security providers and asset owners will perform a demonstration of real-time knowledge sharing across the GKN. The transformative nature of the Global Knowledge Network on realized cybersecurity – particularly in ICS – is likely to be far more significant than is commonly perceived at present.