1、 ETSI TR 103 303 V1.1.1 (2016-04) CYBER; Protection measures for ICT in the context of Critical Infrastructure TECHNICAL REPORT ETSI ETSI TR 103 303 V1.1.1 (2016-04) 2 Reference DTR/CYBER-0001 Keywords Critical Infrastructure, Cyber Security ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex
2、 - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non lucratif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice The present document can be downloaded from: http:/www.etsi.org/standards-search The present document may
3、 be made available in electronic versions and/or in print. The content of any electronic and/or print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any existing or perceived difference in contents between such versions and/or in pr
4、int, the only prevailing document is the print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of
5、this and other ETSI documents is available at https:/portal.etsi.org/TB/ETSIDeliverableStatus.aspx If you find errors in the present document, please send your comment to one of the following services: https:/portal.etsi.org/People/CommiteeSupportStaff.aspx Copyright Notification No part may be repr
6、oduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm except as authorized by written permission of ETSI. The content of the PDF version shall not be modified without the written authorization of ETSI. The copyright and the foregoing restricti
7、on extend to reproduction in all media. European Telecommunications Standards Institute 2016. All rights reserved. DECTTM, PLUGTESTSTM, UMTSTMand the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members. 3GPPTM and LTE are Trade Marks of ETSI registered for the benefit of its
8、Members and of the 3GPP Organizational Partners. GSM and the GSM logo are Trade Marks registered and owned by the GSM Association. ETSI ETSI TR 103 303 V1.1.1 (2016-04) 3 Contents Intellectual Property Rights 4g3Foreword . 4g3Modal verbs terminology 4g31 Scope 5g32 References 5g32.1 Normative refere
9、nces . 5g32.2 Informative references 5g33 Definitions and abbreviations . 6g33.1 Definitions 6g33.2 Abbreviations . 6g34 Identification and notification of Critical Infrastructure 7g34.1 Definition of CI 7g34.2 Identification of CI . 7g34.3 Notification of CI . 8g35 Security domains for CI protectio
10、n 8g35.1 Review of CIA paradigm and its applicability in CI Protection . 8g35.1.1 Overview 8g35.1.2 Confidentiality 8g35.1.3 Integrity 9g35.1.3.1 Overview of the role of integrity . 9g35.1.3.2 Supply chain integrity . 9g35.1.4 Availability . 9g35.2 Resilience . 10g36 Measures for CIP 10g36.1 Protect
11、ion lifecycle . 10g36.2 Planning measures 10g36.2.1 Overview of planning . 10g36.2.2 Business Objectives 10g36.2.3 Asset Management 10g36.2.4 Threat Assessment 11g36.2.5 Risk Management . 11g36.2.6 Incident response 11g36.3 Detection measures. 11g36.4 CIA based reaction measures . 11g36.4.1 Integrit
12、y measures. 11g36.4.1.1 Identification of stable state - integrity base point 11g36.4.1.2 Identification of manipulation of system - loss of system integrity 12g36.4.1.3 Recovery of compromised system - reinstatement of base point 12g36.4.2 Availability measures . 13g36.4.2.1 Access control measures
13、 . 13g36.4.2.2 Critical instance override of access control . 13g36.5 Resilience and recovery measures 13g3Annex A: Review of existing CI definitions . 15g3Annex B: Bibliography 17g3History 18g3ETSI ETSI TR 103 303 V1.1.1 (2016-04) 4 Intellectual Property Rights IPRs essential or potentially essenti
14、al to the present document may have been declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found in ETSI SR 000 314: “Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified
15、 to ETSI in respect of ETSI standards“, which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (https:/ipr.etsi.org/). Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to t
16、he existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document. Foreword This Technical Report (TR) has been produced by ETSI Technical Committee Cyber Security (CYBER). Modal verbs terminolo
17、gy In the present document “shall“, “shall not“, “should“, “should not“, “may“, “need not“, “will“, “will not“, “can“ and “cannot“ are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provisions). “must“ and “must not“ are NOT allowed in ETS
18、I deliverables except when used in direct citation. ETSI ETSI TR 103 303 V1.1.1 (2016-04) 5 1 Scope The present document reviews the roles and subsequent measures for the protection of any infrastructure for which loss or damage in whole or in part will lead to significant negative impact on one or
19、more of the economic activity of the stakeholders, the safety, security or health of the population, where such infrastructure is hereinafter referred to as Critical Infrastructure (CI). The resulting measures and processes for Critical Infrastructure Protection (CIP) where the CI in whole or in par
20、t is composed of ICT technologies using Cyber-Security mechanisms are defined and relevant mechanisms to be implemented are identified. 2 References 2.1 Normative references References are either specific (identified by date of publication and/or edition number or version number) or non-specific. Fo
21、r specific references, only the cited version applies. For non-specific references, the latest version of the referenced document (including any amendments) applies. Referenced documents which are not found to be publicly available in the expected location might be found at http:/docbox.etsi.org/Ref
22、erence. NOTE: While any hyperlinks included in this clause were valid at the time of publication ETSI cannot guarantee their long term validity. The following referenced documents are necessary for the application of the present document. Not applicable. 2.2 Informative references References are eit
23、her specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the referenced document (including any amendments) applies. Referenced documents which
24、 are not found to be publicly available in the expected location might be found at http:/docbox.etsi.org/Reference. NOTE: While any hyperlinks included in this clause were valid at the time of publication ETSI cannot guarantee their long term validity. The following referenced documents are not nece
25、ssary for the application of the present document but they assist the user with regard to a particular subject area. i.1 Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protect
26、ion. i.2 Commission of the European Communities; COM(2006) 786 final; communication from the Commission on a European Programme for Critical Infrastructure Protection (Brussels, 12.12.2006). i.3 European Commission; SWD(2013) 318 final; Commission staff working document on a new approach to the Euro
27、pean Programme for Critical Infrastructure Protection Making European Critical Infrastructures more secure; Brussels, 28.8.2013. i.4 Public Safety Canada: “National Strategy for Critical Infrastructure“. NOTE: Available at http:/www.publicsafety.gc.ca/cnt/rsrcs/pblctns/srtg-crtcl-nfrstrctr/srtg-crtc
28、l-nfrstrctr-eng.pdf. i.5 Australian Government: “Critical Infrastructure Resilience Strategy“, 2010. NOTE: Available at http:/www.tisn.gov.au/Documents/CriticalInfrastructureResilienceStrategyPlanAccessible.pdf. ETSI ETSI TR 103 303 V1.1.1 (2016-04) 6 i.6 Japan Information Security Policy Council (I
29、SPC): “Action Plan on Information Security Measures for Critical Infrastructure“, 2005. i.7 ISO 27000 series: “Information technology - Security techniques - Information security management systems“. NOTE: ISO 27000 is a multipart standard. The reference is to the body of work prepared by ISO/IEC JT
30、C1 SC27 in the domain of Information security management systems. i.8 ISO 15408-1: “Information technology - Security techniques - Evaluation criteria for IT security - Part 1: Introduction and general model“. i.9 ETSI EG 202 387: “Telecommunications and Internet converged Services and Protocols for
31、 Advanced Networking (TISPAN); Security Design Guide; Method for application of Common Criteria to ETSI deliverables“. i.10 ETSI TR 103 309: “CYBER; Secure by Default - platform security technology“. i.11 ETSI TR 103 305: “CYBER; Critical Security Controls for Effective Cyber Defence“. 3 Definitions
32、 and abbreviations 3.1 Definitions For the purposes of the present document, the following terms and definitions apply: Critical Infrastructure (CI): infrastructure for which loss or damage in whole or in part will lead to significant negative impact on one or more of the economic activity of the st
33、akeholders, the safety, security or health of the population NOTE: Annex A of the present document presents a summary of existing definitions of CI that have informed the definition given above. 3.2 Abbreviations For the purposes of the present document, the following abbreviations apply: AC Access
34、Control CC Common CriteriaCI Critical Infrastructure CIA Confidentiality Integrity Availability CIP Critical Infrastructure Protection CS Critical Service EAL Evaluation Assurance Level EU European Union ICT Information Communications Technology ISO International Organization for Standardization NIS
35、T National Institute of Standards and Technology PKI Public Key Infrastructure RBAC Role Based Access Control ETSI ETSI TR 103 303 V1.1.1 (2016-04) 7 4 Identification and notification of Critical Infrastructure 4.1 Definition of CI In order to identify CI it is essential to have a clear definition o
36、f what constitutes a critical service. This should be based upon the impact of a deliberate or accidental disruption to the service over a realistic timeframe. Critical services should then be further classified according to defined scales of impact should disruption occur. Subsequently, the infrast
37、ructure, whether physical or logical, essential to the operation of the service should be identified and similarly classified by impact to form CI. NOTE: Whilst it is possible for a critical service to have no critical infrastructure (e.g. in the case of highly distributed systems where any critical
38、 impact on the service would require systemic failure across several resources) such systems and services are not addressed in the present document. The process of CI classification enables the prioritization of protection efforts and investment decisions across CI. In working towards a classificati
39、on it may be helpful to group critical services into sectors and sub-sectors to manage engagement efforts with relevant operators. EXAMPLE: In the energy sector, a critical sub-sector is electricity, with the transmission or distribution of electricity to the nation representing a critical service.
40、ICT which underpin this service, such as Industrial Control Systems, can then be identified and classified according to the impact of an attack on the availability or integrity of the system. 4.2 Identification of CI Once definitions and criteria have been established it is crucial to design and imp
41、lement a process to create and maintain an up-to-date record of CI. Stakeholders should be identified and provided with adequate mandates and resources to carry out this function. CI should not be considered in isolation but as part of the wider critical service that it supports. At a minimum, the i
42、nformation captured should include the possible impact of an attack on CI, the owner of the CI, the location (where relevant) and a record of any dependencies or interdependencies required for continued operation. The key questions to ask when identifying CI are: Are the impacts of a successful atta
43、ck on the CI understood (including those resulting from interdependencies)? Have those impacts been used to properly categorize the CI? Have any dependencies (including technical, procedural and commercial) relating to the CI been captured and analysed? Have any interdependencies relating to the CI
44、been captured and subjected to further analysis? Can the owner of the CI and its location be quickly ascertained? How frequently will the categorization of this CI need to be reviewed? EXAMPLE: The generation of electricity is often dependent upon water supplies to provide adequate cooling of equipm
45、ent in power plants. Conversely, the supply of water is dependent on electricity. Failure to identify this interdependence may result in the misclassification of CI and the implementation of inadequate security. The process of identifying and categorizing CI should be iterative. Following the identi
46、fication of CI dependencies it might become clear that there is a risk of common mode or cascading failure. The process should also be subject to audit on a regular basis to ensure it remains effective. ETSI ETSI TR 103 303 V1.1.1 (2016-04) 8 4.3 Notification of CI Organizations should be familiar w
47、ith the definition(s) of CI in their sector(s) and the government body acting as a point of contact in this area. Any organization believing that they either meet the relevant definition of CI or will do so in the near future should notify the relevant government body. NOTE: Given the national signi
48、ficance of CI it is presumed that a government appointed body has responsibility for CI. The key questions to consider when notifying CI are: At what stage should an organization notify the relevant body? Are organizations aware of the criticality thresholds and notification requirements for CI? How
49、 will organizations be persuaded to notify the relevant body when they meet the threshold for CI? 5 Security domains for CI protection 5.1 Review of CIA paradigm and its applicability in CI Protection 5.1.1 Overview The conventional paradigm for provision of security features is CIA Confidentiality, Integrity, Availability. This paradigm is conventionally applied in well defined domains and is often combined with known triples of domain, attack, countermeasure, such that in the confidentiality branch the triple confidentiality
