NICC united against cybercrime: Public Private Partnership in the Cybercrime Information Exchange
Mar 21, 2016
NICC
ICTU
Address Wilhelmina van Pruisenweg 104
2595 AN The Hague
P.O. Box 84011, 2508 AA The Hague,
The Netherlands, T 070 888 79 46 / [email protected]
www.samentegencybercrime.nl
‘The Information Exchange is not the ultimate answer to the problem, but it certainly contributes to the solution. If you find that ICT security isn’t going well, government and private sector organizations have to share information and deal with it together. The Information Exchange was set up as an experiment, but our experience has been so positive that we’re continuing with it.’ MARK FREQUIN, MINISTRY OF ECONOMIC AFFAIRS
Overview of the results of the Cybercrime Information Exchange
Tracking down and prosecuting cybercrime? Extremely important, but not the real solution for the problem. Prevention is better. That is why the NICC programme has brought public and private organizations together in the National Infrastructure against Cybercrime. The beating heart of this National Infrastructure is the Cybercrime Information Exchange. Within it, private and public organizations fight against cybercrime side by side.
Every sector organizes one meeting of its ISAC every 6 – 10 weeks. The exact frequency is dependent on the needs of the sector.
Cross-sector activities are developed on a regular basis for the thematic meetings about Process Control Security.
Start Information Exchange
October 2006
‘It’s going well. Public Private Partnership and choosing a ‘bottom-up’ way of working on the basis of trust are the most important success factors. The NICC programme has brought together organizations based on the added value they give each other. It does this by using its know-how in bringing organizations together, and not by trying to solve their problems.’ Boele Staal, NVB (Netherlands Bankers’ Association)
The European Commission gave an explicit warning in May 2007 about the increase in cybercrime. International organized crime has discovered the Internet, and is making use of the most advanced techniques. Cybercriminals operate from countries where they experience little or no inconvenience from the police or the judiciary. The very industry sectors on which we as a society are particularly dependent represent key targets for them. Not only for cybercriminals whose objective is financial gain, but also for terrorists.
An attack on the energy supply or financial sectors, for example, would be able to seriously disrupt society. This is why the critical sectors were designated as a priority in 2006 within the National Infrastructure against Cybercrime.
Cybercrime is becoming more professional
November 2006
The financial sector is first to join the Cybercrime Information Exchange with their FI-ISAC.
Start of new style FI-ISAC
The hard facts
Eighty percent of the vital infrastructure in the Netherlands is in the hands of the private sector. It is itself responsible for taking measures to combat cybercrime. Considerable knowledge about cybercrime is held within public organizations such as the National Police Services Agency (Korps Landelijke Politiediensten, KLPD), the General Intelligence and Security Service (Algemene Inlichtingen- en Veiligheidsdienst, AIVD) and GOVCERT.NL, the government’s Computer Emergency Response Team. Yet when the NICC programme began in 2006 there was still scarcely any structural collaboration, knowledge sharing or exchange of information reported between public and private organizations.
November 2006
A number of fact sheets are written about current threats, in collaboration between the various ISACs, GOVCERT.NL, the AIVD and the NICC.
The fact sheets indicate what the threats relate to and what measures can be taken to prevent incidents.
Fact sheets on phishing, cross-site scripting, two-factor authentication, DNS server vulnerabilities and the MIFARE chip produced.
The NICC programme began in 2006 with a project to bring representatives of the vital sectors and relevant public organizations around the table within the Cybercrime Information Exchange. This Information Exchange has since grown into a permanent network of professionals in the areas of cybercrime and ICT security.
Its point of departure is that companies themselves will only take effective measures if they have access to the right information and are able to make an accurate risk assessment. By sharing information intensively about incidents, threats and good practices, the Information Exchange participants can prevent incidents themselves. This will safeguard the Dutch economy as a whole and the continuity of the individual organizations at the same time.
The solution: the Cybercrime Information Exchange
High Tech Crime Team
November 2006
This is a service developed by the FI-ISAC and financed by the NVB. It provides information for the banks about the possible misuse of bank information on the Internet.
Start CMIS (Cybercrime Monitoring and Investigation Service)
‘Participating in the ISACs has greatly expanded our network. The Information Exchange also offers continuity. That makes our work easier, because we can meet and communicate quickly, simply and efficiently with our partners. The structural collaboration and information sharing has been extremely valuable for us.’ Elly van den Heuvel, GOVCERT.NL
The Information Exchange is based on the model used by the UK’s Centre for the Protection of National Infrastructure (CPNI). This model comprises various consultation groups in which representatives of companies exchange confidential information with each other on a per sector basis. Such a consultation group is called an Information Sharing and Analysis Centre (ISAC).
The ISACs are arranged around a core group consisting of the AIVD, Team High Tech Crime of the KLPD and GOVCERT.NL. Representatives of these organizations are present at each ISAC consultation, to which they contribute their substantive knowledge and network about cybercrime. With the consent of the participants, they channel relevant information from one sector to another. The NICC acts as a facilitator and motivator in all consultations.
Sharing vital information
November 2006
An NTD experiment is started by the FI-ISAC, enabling the banks to report phishing sites to GOVCERT.NL that they are unable to take down themselves, or only with great difficulty.
GOVCERT.NL uses its international network to take the phishing sites down. This experiment has been seen as extremely successful.
Notice-and-Take-Down (NTD) experiment in the banking sector
The Information Exchange is embedded in a government sponsored public-private programme, the NICC. This provides a trusted environment for national and international partners. A small core group of public organizations consisting of the NICC programme, the KLPD, the AIVD and GOVCERT.NL:
• facilitates the sector consultations and the working groups;
• identifies cross-sector subjects;
• transfers relevant knowledge and information to other sectors;
• initiates cross-sector activities;
• initiates, finances and directs research on behalf of the connected sectors;
• connects organizations within the National Infrastructure against Cybercrime;
• refers organizations not directly participating in the Information Exchange to the network;
• acts as the flywheel and ensures that the momentum that has been generated is maintained and built on.
As a neutral party, the NICC programme ensures that the knowledge accumulated in the Information Exchange is disseminated throughout the whole National Infrastructure against Cybercrime.
Way of working is the strength
The ITM has been developed and financed by the banks in collaboration with the NICC, and conducted by KPMG. It provides insight into the threats and vulnerabilities that are associated with several new products that are being developed by the banks.
Start Information Threat Monitor (ITM)
April 2007
The success factors of the Information Exchange
• Trusted environment
• Continuity
• Impartiality
• Driven by the demands and needs of the sectors
• Government as facilitator
• Secure ICT infrastructure
• Value for every party involved
• Flexibility in its implementation
• Contribution of information from governmental organizations
• Focus on cybercrime and ICT security
• Specification and streamlining of the analysis function
• Acts as the flywheel
• Cross-sector exchange
• International network
April 2007
The drinking water companies join the Cybercrime Information Exchange with the formation of their Water-ISAC.
Start Water-ISAC
United against Cybercrime
The Information Exchange is a success. In two years, the exchange of vital information between public and private organizations has come into being. By mid-2008, seven ISACs were operational, and this number continues to grow (see ‘Participating Sectors’). Members of an ISAC are given access to the knowledge and experience of other organizations in their own sector, other sectors, and the participating governmental organizations. Furthermore, the knowledge of other organizations with which they have connections, such as (university) research institutes, forensic companies and consultancies, is also made accessible via these participants. The NICC programme collaborates with organizations such as the CIO Platform Nederland, the International Instrument Users’ Association (WIB) and the Federation of Technology Sectors (FHI). The Information Exchange is a condensation point of networks, knowledge and information. The corporate participants value the insight into the knowledge and information made available to them through the participation of the governmental organizations. The public organizations profit from the information about the development of incidents within the various sectors, and from the measures taken by the private organizations to strengthen their defence. The keywords for this successful interchange are trust and value.
May 2007
Commissioned by the NICC, TNO (the Netherlands Organization for Scientific Research) conducted a benchmark study examining the level of SCADA Security in the drinking water companies participating in the Water-ISAC. This led both to a total report for the whole sector, and individual reports on the separate companies.
Start drinking water companies’ SCADA Security benchmark
Participating sectors
2006
• FI-ISAC: Dutch financial institutions
2007
• Water-ISAC: drinking water sector
• Energy-ISAC: gas and electricity companies
• Airport-ISAC: Schiphol Airport
2008
• Multinationals-ISAC: internationally-operating organizations with headquarters in the Netherlands
• Railways-ISAC: organizations in the Dutch railway sector
• PCS-ISAC: the first thematic, cross-sector consultation group dealing with security issues in connection with SCADA and process control systems
A research study is currently being undertaken with public
and private organizations active in the Port of Rotterdam into
ICT vulnerabilities. A Port-ISAC may well result from this.
University medical centers are also expressing interest. Led by
OPTA, the Dutch telecommunications regulator, a number of
governmental organizations concerned with regulation and
law enforcement have been brought together, such as the
KLPD, the Public Prosecutor’s Office, the police, the Consumer
Authority, the Authority for the Financial Markets and
GOVCERT.NL. The possibility of this consultation group
joining the Information Exchange is being discussed. ICT
suppliers are considering forming an Office Automation-ISAC
and a Process Automation-ISAC. Discussions are also ongoing
concerning the establishment of a permanent consultation
group for the Internet sector in the Netherlands.
June 2007
Sharing knowledge at a European level now also begins. The SCADA Good Practices for the drinking water sector is also translated into English and made available to the EuroSCSIE.
A questionnaire for vendors in the area of process automation (PA) is also developed at a European level.
Start of NICC’s participation in organizations such as the European SCADA and Control Systems Information Exchange (EuroSCSIE)
You only share information with someone that you trust. That trust has to be established, and guaranteed by effective rules. All participants are members of an ISAC individually, by name. The definitive, permanent membership guarantees continuity, so that participants can get to know and trust each other. Participation is voluntary, but not without obligation. Participants must make an active contribution to their consultation group, in a spirit of give and take. Information is classified according to a confidentiality code, from white for public information to red for the very most confidential matters (see ‘Traffic Light Protocol’). Whoever contributes the information decides on the degree of confidentiality.
By being able to talk about vulnerabilities and incidents openly, in an atmosphere of absolute trust, public and private organizations obtain a better overview of potential threats, vulnerabilities and dependence chains. And perhaps even more importantly: all participants are able to benefit from measures that have been proven to be effective.
Trust
June 2007
The drinking water and energy companies participating in the Water-ISAC and Energy-ISAC are given the possibility to connect themselves to the GOVCERT.NL Monitoring service. Several drinking water and energy companies make use of it.
Companies begin to connect to the GOVCERT.NL Monitoring service
Traffic Light Protocol
Whoever contributes information to an ISAC consultation establishes its classification according to a confidentiality code. The code is classified according to traffic light colours:
Red: Non-disclosable information and restricted to representatives present at the meeting only.
Amber: Limited disclosure and restricted to members of the Information Exchange and those within their organizations who have a need to know in order to take action.
Green: This information may be shared with more people within and outside a participant’s organization, but publication in print or on the web is forbidden.
White: Public information that may be disseminated without restrictions.
July 2007
The FI-ISAC launches the initiative to harmonize activities and communications vehicles with several collaborating partners. The objective is to work together to maintain Internet banking security. Various combinations of these organizations have since come together, leading to concrete results concerning a number of topics:
– Identification of a secure PC client
– Sharing malware information
– An Internet Banking Security Roadmap
– Banks’ vision on secure Internet banking.
Start Internet Banking Security Round Table (with banks, ISPs, security software vendors, GOVCERT.NL and the NICC)
‘The importance of the NICC programme has been extremely significant. Without them, the Information Exchange would never have got off the ground. They are also really important for continuity. As a Multinational-ISAC, we haven’t been active for long, and it takes time to get the consultations running effectively.’ DICK BRANDT, TNT POST, CHAIRMAN MULTINATIONALS-ISAC
Value
Participation in an ISAC must produce benefits. Otherwise, the enthusiasm for the Information Exchange will quickly fade. Guaranteed added value is dependent on some concrete factors:
• the chairman is drawn from the sector;
• the sector determines the content and the agenda of the consultation;
• continuous interesting input from the participants;
• flexibility in response to and handling of questions from the participants;
• continuity: the longer the group stays together, the more open its participants will be to share more sensitive information and the more value the consultation will have;
• a neutral party facilitates the consultation and ensures that momentum is maintained.
The cross-pollination between the public and private sectors delivers added value for all participants. The construction of a permanent network represents significant added value for all participants. They also now contact each other outside the ISAC meetings for informal discussions and exchange of knowledge. Subjects such as business continuity and countering fraud are particularly important for companies. In a secure environment they are able to deliberate about cybercrime threats and security themes. They receive valuable information from the participating governmental organizations and sector colleagues that they are able to use to enhance and expand their ICT security.
The government is principally concerned with the protection of the critical infrastructure and the prevention of criminal activity. By contributing to the Information Exchange they also contribute to the achievement of the Cabinet’s objectives in the area of cybercrime and ICT security: prevention by way of sharing knowledge, exchanging information and raising awareness.
Added value for all participants
September 2007
The gas and electricity companies join the Cybercrime Information Exchange with their Energy-ISAC.
Start Energy-ISAC
The KLPD, the AIVD and GOVCERT.NL can contribute and obtain information in the Information Exchange that is necessary for the protection of both the vital sectors and economic interests. This platform makes it possible to put security-related issues on the agenda of a broad target group at one time. The governmental organizations are able to finely adapt their tactics in the area of investigation and prosecution on the basis of the input from the private sector organizations. The business community will in turn reap the benefits of this.
The participants in the first meetings of the Energy-ISAC share various good practices with each other about the implementation of risk management and the development of a business case for security.
Start exchange of good practices in the energy sector
September 2007
‘The Information Exchange is a place where you can share sensitive information with each other. That can only happen if you can be sure that the agreements you make will also be followed up on. It has to deliver results, too. Notice and Take Down, for example, the active taking down of sites, has been a success.’ GEO ALDERSHOF, THE CONFEDERATION OF NETHERLANDS INDUSTRY AND EMPLOYERS (VNO-NCW)
Cross-sector initiatives
Knowledge-sharing and information exchange that goes beyond the individual sectors themselves is also now gaining momentum. Good examples of this are the initiatives in the area of SCADA and process control systems, which is of vital importance for the operational processes of organizations in many sectors.
A special cross-sector PCS-ISAC has therefore been established to address issues in this area. The NICC programme plays an important role in the development of cross-sector analysis. By financing research and sharing the results with the participating sectors, it makes participation in the Information Exchange even more attractive.
September 2007
At the request of the National Security Programme, a hacking scenario is elaborated during two sessions within the Energy-ISAC relating to the energy infrastructure in the Netherlands.
Start of the elaboration of a hacking scenario within the energy sector
‘It would make it easier to cooperate if we could get more stable and similar arrangements internationally, with similar roles and responsibilities. You need stability and continuity of people to establish the necessary trust base.’ Steve Cummings, CPNI UK
In its early days, the Information Exchange placed the emphasis on the sharing of information. However, it was soon decided to jointly develop new information that could eliminate bottlenecks. In the financial sector, for example, an Information Threat Monitor has been established. Round tables have also been started addressing Internet banking security issues, with banks, Internet service providers, security software vendors and governmental organizations.
The Water-ISAC has taken the initiative to draft SCADA Good Practices in the Drinking Water Sector. A benchmark has been established in the energy sector for process control security. A research study into ICT vulnerabilities has been initiated through consultation between public and private sector organizations in the Port of Rotterdam.
Developing new knowledge together
October 2007
On the basis of the benchmark mentioned earlier, the NICC commissions TNO to develop a document describing 39 SCADA Good Practices for the Dutch drinking water sector.
These good practices enable the drinking water companies themselves to take measures within their own organizations.
The development of the document describing SCADA security good practices for the drinking water sector in the Netherlands initiated
The fight against cybercrime cannot only be undertaken at a national level. Participants within various ISACs (such as the FI-ISAC and the Multinationals-ISAC) are initiating contact with each other because the international component of cybercrime poses specific problems for them. The NICC programme fosters international knowledge exchange through establishing and strengthening contacts with comparable organizations in other countries, such as the CPNI (United Kingdom), SEMA (Sweden), Melani (Switzerland) and the Bundesamt für Sicherheit in der Informationstechnik (Germany).
The NICC programme also works together with other initiatives in the area of ICT security, such as the European Network and Information Security Agency (ENISA), the SANS Institute and the Meridian. Information obtained from the European SCADA and Control Systems Information Exchange (EuroSCSIE) delivers added value within a number of ISAC consultation groups.
International
Several organizations operating at Schiphol form the Airport-ISAC and join the Cybercrime Information Exchange.
Start Airport-ISAC
November 2007
Cybercriminals rapidly and continually adapt their methods. New threats are immediately brought to the attention of the participants in the Information Exchange. A selection of the successes of the Information Exchange:
• within a short time a valuable platform has been created in which cybercrime-related issues can be quickly studied and addressed;
• the elaboration and testing of a hacking scenario produced by the National Security Programme in the energy sector;
• Notice-and-Take-Down phishing experiment with GOVCERT.NL and the banks;
• the dissemination of and discussion about information relating to the report on the MIFARE chip;
• the discussion about material threats from specific countries, including recommendations to take measures to reduce risks;
• consultation about the latest modus operandi of criminals in the area of Internet banking, including a review of preventative measures;
• the discussion about the potential vulnerabilities of process control systems in the energy sector, which were verified in the international network;
Successes
The good practices are elaborated further within several Water-ISAC working groups and discussed in the meetings.
Further elaboration of SCADA good practices begins
December 2007
‘Only trust can lead to the openness of information. The pioneering role of the NICC has been vital; the network has been bearing fruit. The participants are now also sharing information outside the FI-ISAC consultations when immediate action is needed.’ WIM HAFKAMP, RABOBANK, CHAIRMAN FI-ISAC
• all European initiatives in the FI-ISAC area made preparations for a European exchange platform, together with ENISA and CERT-Hungary;
• round table meetings with the banks, Internet service providers and security software vendors;
• SCADA security benchmark and SCADA good practices in the drinking water sector;
• process control security benchmark in the energy sector.
Awareness
Participation in the Information Exchange has raised awareness about security measures to counter cybercrime amongst senior management. A good example is the SCADA security benchmark, which was established within the drinking water sector on the initiative of the Water-ISAC. The reports about this have been discussed at the highest levels of management within the drinking water companies, and have led to further investments in ICT security.
A group of multinational companies headquartered in the Netherlands and listed on the AEX index form the Multinationals-ISAC and join the Cybercrime Information Exchange.
Start Multinationals-ISAC
February 2008
‘Especially in the ISACs that have existed longest, such as the banks and the water companies, participation has led to greater trust between the sector organizations and the police. We’ve come a lot further together in the sharing of information.’ Fred Westerbeke, National Police Services Agency (KLPD)
Continuing to strengthen security
Within a period of only two years, the subject of ICT security has moved to the top of the agenda in both the public and private sector through the activities of the Information Exchange. That is a good start. But security is more than ICT alone.
In time, ICT security and physical and personnel security will need to be harmonized effectively. It is only when these aspects are well coordinated and made consistent with each other that businesses and society at large can be sure of the best possible safeguards against cybercrime.
A fully developed and mature Cybercrime Information Exchange is therefore essential. For this reason, the Information Exchange will be further expanded and strengthened in the coming years. The spearheads of this process will be the involvement of additional sectors, the establishment of thematic cross-sector ISACs and the strengthening of the international network. The Information Exchange is, and continues to be, the beating heart of the National Infrastructure against Cybercrime. It is uniquely the platform that enables organizations in the private and public sectors to address security issues effectively, in an atmosphere of unqualified openness and trust.
NS and ProRail form the Railways-ISAC and join the Cybercrime Information Exchange.
Start Railways-ISAC
March 2008
‘The strongest point about the NICC programme is that it resists being tempted into being involved in execution. This both avoids getting bogged down in operational problems and guarantees independence. The objective is purely to bring organizations together so they can share information.’ Kees Buis, CIO Platform The Netherlands
Appendix 1: trust and value
The key objective of the Information Exchange is the improvement of the exchange of information about cybercrime between public and private organizations in the Netherlands. The Information Exchange also makes a practical contribution in this respect. Research has shown that both public and private organizations value the exchange of information within the Information Exchange. The private sector organizations value the insight they gain into the knowledge and information held by the governmental organizations.
They are particularly interested in information about threats, modus operandi, increasing risks and future developments. The governmental organizations have benefited from gaining insight into the development of incidents within the sectors and the measures taken by private sector organizations to improve their defences against cybercrime. The Information Exchange is therefore vital for the creation of the exchange of information about cybercrime. The key prerequisites for the realization of this exchange of information are trust and value.
April 2008
The Energy-ISAC requests that a research study similar to that undertaken for the drinking water sector is conducted for the gas and electricity companies. The NICC commissions The Centre of Expertise (HEC) and consultancy firm Verdonck, Klooster & Associates (VKA) to undertake this study jointly.
Start of process control security benchmark for energy companies
Hypotheses
• Trust is the basis for information sharing.
• Trust is achieved in small groups, in which people get to know each other personally.
• Building trust takes time and requires investment.
Experience
• Rules (including the Traffic Light Protocol) to build trust are important as the basis for consultations. Participation guidelines.
• Participants are members of a consultation group individually, by name. Permanent membership (continuity).
• Experience of the ongoing sector consultation groups shows that building trust, through which participants become open to share confidential information, takes at least a year. Only then do participants reach the level at which ‘red’ information is shared.
APPENDIX 1
Trust
The organizations at Schiphol investigate the interdependencies between them and the potential vulnerabilities associated with these. This was achieved by each of the various participants giving presentations enabling them to share their risk analyses with each other. Joint projects have also been initiated in relation to the ICT security benchmark, such as the Integrated Incident Room Infrastructure (GMI).
Inventory of interdependencies of organizations at Schiphol
May 2008
Betrayal of trust produces delays, and much time is needed to rebuild trust again.
Each participating organization must derive value from the consultations. Otherwise, the enthusiasm for investing time and energy in this sort of initiative will quickly fade.
The value of the consultations can vary for each participant.
Participation is voluntary, but not without obligation. Participants are expected to actively contribute to the consultations. The continuous efforts of the facilitating organization are required to monitor and maintain this. It also depends on continuous interesting input being provided by the participants. And it demands flexibility in response to and handling of questions from the participants (demand-driven working). The sector takes the lead in determining the agenda for the consultations.
Subjects such as business continuity and countering fraud are particularly important for the private sector. The government is principally concerned with the protection of the critical infrastructure and the prevention of criminal activities.
Value
NS and ProRail shared each other’s risk analysis in the Railways-ISAC, enabling them to make an inventory of the applications and infrastructures that they both use. This has enabled them to estimate potential risks.
Inventory of interdependencies of NS and ProRail
May 2008
Hypotheses
• Value grows with investment and trust.
• Value is determined by the relevance of the subjects included on the agenda.
• The network ensures a structure in which peers can be found, also outside the consultation groups.
Experience
• The longer the group stays together, the greater the value the consultation has. Continuity is therefore important.
• The subjects can be specific for the sector. There must be a clear agreement within the sector about the potential cybercrime problems.
• The fact that participants get to know each other facilitates further contacts between them. They also communicate with each other outside the meetings, both within their sector and between representatives of public and private sector organizations.
Value continued
The first process control security Event was organized on May 21. A preparation committee was formed by representatives from the sectors participating in the Information Exchange, together with some appropriate players from the NICC network (CIO Platform Nederland, WIB, FHI and TU Delft). This day represented the first step in the formation of a PCS-ISAC, focusing on the theme of Process
Start PCS-ISAC
May 2008
The network can address subjects that
have recently arisen. A platform has
been created in which information can be
quickly shared.
Experience
Informal networks are created through
participation in the Information Exchange.
Participants also contact each other outside
the meetings, both within the sector
and between public and private sector
organizations. The network is a platform
for quick information sharing.
Some examples of this are:
• elaboration/testing of a hacking scenario by the National Security Programme within the energy sector in two sessions;
• the dissemination of and discussion about information relating to the report on the MIFARE chip;
• discussion about material threats from specific countries;
• the discussion about new modus operandi involved in phishing attacks on banks;
• discussion about the potential vulnerabilities of process control systems in the energy sector, verified in the international network.
The Information Exchange also serves
as a condensation point of networks. In
addition to the networks of relevant governmental
organizations, the private sector
companies also participate in various international
networks. The knowledge and
information from these various networks
is brought together in the Information
Exchange meetings, and its value can also
be tested in them.
Control Security, and cross-sector initiatives are being developed on the subject. A second Event is to take place on December 4 at TU Delft.
Appendix 2: trust
To initiate and maintain the sharing of knowledge and information, the sectors need an environment in which a basis of trust can be established and sustained in an efficient and effective way. This costs time, and requires investment from the participants. From the experience of the ongoing sector deliberations it appears that only after a year is the level reached at which the most confidential information is shared.
Criteria for building trust
1. A trusted environment
2. Continuity
3. An impartial stance
4. Demand-driven by the sector
5. The government as facilitator
6. A secure ICT infrastructure
MIFARE chip (RFID)
June 2008
The impact of the vulnerability of the MIFARE chip has been investigated and reported on by a group of specialists from a number of ISACs, and
appropriate countermeasures proposed. The fact sheet produced by GOVCERT.NL and the AIVD provided important input for this.
A trusted environment
Clear rules, endorsed by participants themselves, are necessary for the creation of a trusted environment. They must be set down in participation guidelines (the Traffic Light Protocol).
Trust is built up in small groups in which people get to know each other personally. Permanent membership in the core of the Information Exchange reinforces the underlying trust.
Continuity
The Information Exchange must be clearly positioned, in both policy and operational terms. The position of the Information Exchange must be clear for at least the coming five years. Participants are members of the consultation groups by name. This permanent membership guarantees continuity.
An impartial stance
Only an impartial Information Exchange can act as an intermediary between the various organizations. The Information Exchange is therefore not a policy-making organization, but does contribute substantive input for policy. The connection with the policy departments involved must be formulated effectively.
Trust
Start of research into ICT vulnerabilities in the port sector
June 2008
In close collaboration with a steering committee consisting of the Port of Rotterdam, Deltalinqs, the Customs Authorities and the Harbour Police, the NICC has initiated a research study that will
provide insight into ICT vulnerabilities in the Port of Rotterdam. This research is being undertaken jointly by HEC and VKA.
Demand-driven by the sector
The sectors are leading, partly because they appoint the chairman of the consultation group. To a great degree the sectors themselves determine the subjects to be included on the agenda.
The government as facilitator
As a governmental organization it is easier to collect, process and analyze certain confidential information. The Information Exchange is a natural point of contact for (governmental) organizations within the Netherlands and especially internationally.
A secure ICT infrastructure
To the degree that more substantial flows of information are generated, there is also in turn an increasing necessity for a secure ICT infrastructure in order to be able to better facilitate the process of sharing sensitive information. The need for this becomes even more important as the analysis function expands further.
The Information Exchange works together with GOVCERT.NL to realize a secure ICT infrastructure. The provision of information takes place in layers, in a way comparable to the colour coding of the traffic light model: per sector, cross-sector or for a broad public.
Table 2
Trust continued
Start of participation in the Programme Committee of the European SANS Conference
June 2008
The NICC participated in the preparations for the first European SANS Conference on process control security, held in September 2008 in Amsterdam.
Appendix 3: value
Both public and private sector organizations must obtain value from the consultations. Otherwise, the enthusiasm required to devote time and energy to the Information Exchange will quickly fade.
Participation in the Information Exchange is voluntary, but not without obligation. Participants are expected to make an active contribution to their consultation group. The participants are also responsible for continuously contributing interesting input. The longer the group stays together, the greater the value of the consultations becomes. Continuity is important for this.
The relevance of the subjects discussed determines the value of a consultation. This is guaranteed by giving the sector the initiative to establish the agendas for the meetings.
Criteria for guaranteeing value
1. Value for every organization involved
2. Flexibility in execution
3. Input of information from the government
4. Focus on cybercrime and ICT security
5. Developing / streamlining the analysis function
6. Central flywheel function
7. Financial resources
8. Cross-sector exchange
9. A national and international (European) network
Start of participation in the Programme Committee of the Meridian Conference 2008
July 2008
The NICC participated in the preparations for the Meridian Conference 2008, to be held in October 2008 in Singapore.
Value for every organization involved
It must be possible for every organization involved to derive value from their participation in the Cybercrime Information Exchange. Its nature may be different for each organization – safeguarding of critical assets for the government, for example, and business continuity for the private sector.
Flexibility in execution
The sectors differ in terms of the problems they face, their structure and their needs. This means that they need customization. The speed with which subjects of the day can be dealt with to a large degree determines the success of the Information Exchange. A trusted, informal network enables the government to share important subjects quickly with the sectors involved.
Input of information from the government
The specific expertise of GOVCERT.NL, the AIVD and the KLPD and their access to sources of information delivers significant added value for the Cybercrime Information Exchange.
Expertise is (reciprocally) built up by, and shared between, existing organizations that fulfil a function within the National Infrastructure. The participants from the governmental organizations are not seconded to a central location. They participate from their own organizations in the Information Exchange, maximizing the use of the knowledge from these organizations.
Value
APPENDIX 3
Industrial espionage
August 2008
Industrial espionage is an important topic within the Multinationals-ISAC. Participants share good practices and information about incidents with each other, and the AIVD has provided important input.
The organizations also remain more committed
to the Cybercrime Information Exchange
in this way, and in a wider sense to the
National Infrastructure against Cybercrime.
The Cybercrime Information Exchange also
strengthens the relationship in this respect,
and avoids the duplication of knowledge
generation.
Focus on cybercrime/ICT security
A win/win scenario is created for public
and private sector organizations by not
only focusing on the vital character of the
sector, but also by paying attention to
subjects related to the business continuity
of the private sector organizations as well
as cybercrime conducted for financial gain.
There is clear governmental interest in this
too, since the prevention of criminality is
also an important issue for the government.
It has been reported from the sectors
that fragmentation of the ICT
security/cybercrime theme leads to
confusion. It is desirable to streamline it.
It appears from the experiences in other
countries (such as the UK and Switzerland)
that it is advisable to develop the various
component areas involving ICT, physical
structures and human resources to a mature
level before addressing the integration of
the various aspects of security. This has
been endorsed by the sectors that are
currently participating, who have also seen
groups within their own organizations that
are addressing these themes. The principal
difference concerns the dynamics
within the various key security factors.
Threats change within ICT many times
faster than with the areas of physical and
personnel security. It is of course necessary
to harmonize the different key factors.
Start of participation in the MPCSIE (Meridian Process Control Security Information Exchange)
August 2008
The NICC participated in the establishment of a worldwide exchange platform in the area of process control systems, initiated by the Meridian.
Developing / streamlining the analysis function
Currently the Cybercrime Information Exchange focuses principally on Information Sharing (the ‘IS’ from ISAC). The sectors have indicated that there is an increasing need for the development of an Analysis Centre (the ‘AC’ from ISAC). At the moment this function is being shared by the separate organizations involved in the Cybercrime Information Exchange, such as the KLPD, the AIVD and GOVCERT.NL. This function needs to be strengthened, and this can most effectively be done by one of the associated organizations or as a separate function within the Cybercrime Information Exchange.
Central flywheel function
A flywheel function is necessary to maintain the momentum of information sharing and to provide for and support the new cross-sector and international initiatives. The facilitating role that the NICC currently has in the Cybercrime Information Exchange is essential in this respect.
The strength of this lies in the mobilization of the currently associated organizations and drawing them together. It does not therefore principally concern taking over tasks, but binding and reinforcing the organizations.
The way of working required for this strengthening and binding function also calls for a specific type of employee within the Information Exchange. The competences must principally be focused on the building and maintaining of relationships, the ability to operate within a complex and sometimes sensitive context, the analysis of the key issues faced by the sectors, and bringing together, supporting and guiding relevant organizations.
Financial resources
The Information Exchange needs financial resources to fund research and to obtain advice from external sources. The objective of this is to be able to deal with issues in a broader context. In the future a budget can also be utilized for such items as training courses, fact sheets and trend reports.
Cross-sector exchange
The sectors are becoming increasingly dependent on each other. Security themes addressed by the different sectors are converging.
Many of the themes addressed by different sectors are converging. The involvement and participation of additional sectors is making it possible to deal with these themes on a cross-sector basis, and this is enhancing the efficiency and effectiveness of the approach. The Information Exchange enables sectors to link together quickly to discuss relevant subjects.
It is vital to have a permanent group of participants in the Cybercrime Information Exchange who can provide knowledge from beyond a sector-specific consultation in order to be able to stimulate this cross-sector exchange of knowledge. Furthermore, this knowledge can also then be shared in both a national and an international (European) network.
A national and international (European) network
It is increasingly apparent that the development of a network that includes similar organizations in other countries will produce substantial added value. The fight against cybercrime is essentially an international endeavour after all. This has already been demonstrated from the information that has been obtained from the EuroSCSIE (European Scada and Control Systems Information Exchange). This has produced significant added value in the consultations in the various sectors concerned with this theme. A step of the same kind is currently being taken within the financial sector.
Valuable contacts have also been established between the various initiatives and comparable ones in other countries, such as the CPNI (UK), SEMA (Sweden), Melani (Switzerland) and the BSI (Germany). It will be important to continue building up contacts such as these in the future.
The organizations participating in the Cybercrime Information Exchange are listed in the following table. The individual participants representing these organizations generally hold the following positions within them:
• Security Managers
• Corporate (Information) Security Officers
• Senior ICT Security Specialists
• ICT Managers
• Information Security Advisors
• Process control (Security) Managers
• Process control (Security) Specialists
• Risk Managers
Appendix 4: participating organizations
FI-ISAC
ABN AMRO
Achmea Staalbankiers
Bank Nederlandse Gemeenten (BNG, a bank for the public sector)
Currence
De Nederlandsche Bank (DNB, the Central Bank of the Netherlands)
Equens
Fortis
Friesland Bank
ING/Postbank
Nederlandse Vereniging van Banken (NVB, the Netherlands Bankers’ Association), principally representing smaller banks
Rabobank
SNS Reaal
Van Lanschot Bankiers

Water-ISAC
Brabant Water
DZH
Evides
Oasen
PWN
VEWIN
Vitens
Waterbedrijf Groningen
Waterleidingmaatschappij Drenthe
Waternet
WML

Energy-ISAC
Delta
Electrabel
ENECO
EnergieNed
E-ON Benelux
Essent
Gasunie
NUON
Shell/NAM
TenneT
APPENDIX 4
The governmental organizations GOVCERT.NL, the AIVD and the KLPD (High Tech Crime Team)
participate in all consultation groups. The consultation groups are facilitated, supported and
financed by the NICC.
Airport-ISAC
Douane/Belastingdienst (Dutch Customs/Tax Authority)
KLM
Koninklijke Marechaussee (Netherlands Royal Military Police)
Schiphol
Schiphol Telematics
LVNL
Aircraft Fuel Supply

Multinationals-ISAC
Ahold/Albert Heijn
Akzo Nobel
DSM
Heineken
Océ
Philips
Shell
TNT Post
Unilever

Railways-ISAC
NS (Netherlands Railways)
ProRail

PCS-ISAC
Organizations in the Water-ISAC, Energy-ISAC, Airport-ISAC, Multinationals-ISAC, Railways-ISAC, together with organizations in the Oil, Chemicals and Nuclear sectors, hospitals, suppliers and consultancy firms.

Port of Rotterdam
Deltalinqs
Douane/Belastingdienst (Dutch Customs/Tax Authority)
Gemeentelijk Havenbedrijf Rotterdam (Port of Rotterdam Authority)
Zeehavenpolitie Rotterdam (Harbour Police)
Programme
Annemarie Zielstra (ICTU), programme manager
Auke Huistra, project manager Cybercrime Information Exchange
Manou Ali, programme support
The NICC programme is an ICTU programme, commissioned by the Ministry of Economic Affairs. The motto of the ICTU is: help government to perform better with ICT. The ICTU combines knowledge and expertise in the area of ICT and government. ICTU executes various projects with and on behalf of governmental organizations. In this way, policy is translated into concrete projects for government. More information can be found at www.ictu.nl.
Publisher
NICC
Editor
Tekstbureau De Nieuwe Koekoek, Utrecht
Design
OSAGE / communicatie en ontwerp, Utrecht
Photography
Marcel Rozenberg, Schiedam
OBT / TDS printmaildata, Schiedam
October 2008
‘It would make it easier to cooperate if we could get
more stable and similar arrangements internationally,
with similar roles and responsibilities. You need
stability and continuity of people to establish the
necessary trust base.’
Steve Cummings, CPNI UK
‘Only trust can lead to the openness of information.
The pioneering role of the NICC has been vital; the
network has been bearing fruit. The participants are
now also sharing information outside the FI-ISAC
consultations when immediate action is needed.’
Wim Hafkamp, Rabobank, chairman FI-ISAC