Critical Information Infrastructure Protection and South Africa’s Readiness Status
Daniel de Jager
Academy for Computer Science and Software Engineering, University of Johannesburg, South Africa
DanielDeJ@Discovery.co.za
TABLE OF CONTENTS
Introduction
Critical Information Infrastructure
South Africa’s Critical Infrastructure
Why the fuss about Critical Infrastructure before Critical Information Infrastructure Protection?
Public-Private Partnerships
Conclusion
References
TABLE OF FIGURES
Figure 1 Under-sea cables connecting Africa to Europe
Figure 2 National Key Points
Figure 3 Closed Customer Base. Source: Suter (2007)
Introduction
South Africa is at major risk from a Critical Information Infrastructure Protection (CIIP) point of view, in terms of legislation, effective policy, doctrine, security awareness as well as the necessary public-private partnerships required to bolster South Africa’s maturity in CIIP. In this paper we evaluate South Africa’s Critical Information Infrastructure, describe the shortcomings of past legislation and provide reasons to support the new bill on Critical Infrastructure, followed by South Africa’s role in CIIP as part of Africa as well as BRICS.
A thorough discussion of Public-Private Partnerships is then presented, including a description of current efforts by the Center for Scientific and Industrial Research (CSIR) and of how the private sector can become part of a National Framework for CIIP. The paper concludes with a view on South Africa’s readiness in light of catastrophic disasters from a CIIP perspective.
Critical Information Infrastructure
Critical Information Infrastructure (CII) are those systems used to run Critical Infrastructure (CI), such as the Monitoring Systems of Energy Plants. They do not exist in isolation, however. They are interdependent and interconnected on a National level, a Regional level as well as an International level due to the interconnectivity of the Internet.
To illustrate the concept of interdependency we refer to Figure 1 below. The Republic of South Africa is connected by undersea cables providing massive bandwidth between Africa and Europe.
Figure 1 Under-sea cables connecting Africa to Europe
Early in 2016, Seacom, which is the organization providing the east coast undersea cable to South Africa and other African countries, had an outage, which affected the South African economy for at least 90 minutes (Kekana, 2016). Due to this interdependency, CII can be affected negatively by other components not even directly under the control of a Government.
CI can be defined as those services which are essential to a society and without which there can be negative economic, health and safety, and social impacts (U.S Homeland Security, 2016-a). In the following section, we explore the concept and its relation to CIIP in the South African context.
South Africa’s Critical Infrastructure
South Africa, as it seems, reached a point in 2014 where it was decided that it is important to define what the CII of the Republic really was. At this stage no formal list of CII existed, or more precisely stated, a list of CII was not publicly disclosed.
This was as a result of a dispute of the National Key Points (NKP) Act (gov.za, 1980) by activist groups as well as the Democratic Alliance (DA), a local political party, which argued that the NKP Act of 1980 was outdated, could be abused and served as legislation for the protection against threats to legacy infrastructure, built by the previous government served by the National Party.
Since many of the activities of the National Party were clouded in secrecy, such as Nuclear Facilities in Pelindaba, west of Pretoria (Birch, Smith, 2015), National Key Points were not disclosed to the public. However, a court order filed by the activist group, Right to Know, led to the disclosure of 204 National Key Points of the Republic of South Africa by the Police Ministry of the current Government of South Africa (R2K, 2015).
On inspection of this list, it becomes apparent that the list is rather outdated. In fact, Pelindaba, the Nuclear Facility mentioned before, is not even mentioned in the list. Section 2 of the National Key Points Act of 1980 states that a National Key Point can be declared based on the Minister’s decision that it is deemed necessary for public safety and of public interest. This by itself is a concern, not only because Critical Infrastructure or National Key Points may be classified incorrectly, but also because it concentrates too much power in decision making around the topic, which is not conducive to the collaborative approach which CIIP requires.
In terms of public safety and interest, one would have expected Hospitals, Military Air Force and Army Bases, Police Stations, National Rail Transportation (including the new Gautrain), Key Food Production and Storage Areas, Market Places and other very important assets to be included in the list.
In Figure 2 below, we show the distribution of National Key Points in the current list.
Energy (Petroleum, Oil, Gas, Jet Fuel), Water Facilities and Government Facilities account for 42%, 24% and 12% respectively. The survival of the South African economy might be able to partially and temporarily rely on only these three areas, but not necessarily without critical information infrastructure to support it.
[Pie chart: distribution of National Key Points by sector. Legend: Not Sure, Chemical, Commercial, Communications, Manufacturing, Water, Emergency Services, Energy, Defense, Financial Services, Food and Agriculture, Government Facilities, Healthcare and Public Health, Information Technology, Transportation.]
Figure 2 National Key Points
The intent of the Critical Infrastructure Protection Bill of South Africa of 2015 is to properly and transparently identify, declare and protect Critical Infrastructure essential for public safety and public services. It has been proposed in order to repeal the National Key Points Act of 1980.
This is a positive step in the correct direction, by bringing about legislation which can touch on the risks facing the Republic from a CIIP perspective. In the following section, let’s consider why it is important to define and identify CII first.
Why the fuss about Critical Infrastructure before Critical Information Infrastructure Protection?
In light of the facts stated, identifying and declaring Critical Infrastructure must be the first step towards the identification and classification of Critical Information Infrastructures.
This might prove to be a difficult task for the South African Government in light of the fact that not all Critical Infrastructure has been identified at this point in time. This task, for which the South African Critical Infrastructure Bill has been drafted, must be performed in order to identify the Critical Information Infrastructures that run them, only after which the necessary protection mechanisms can be identified.
The same sentiment is shared by von Solms (2011), in that Africa in general is at risk, especially South Africa, for a couple of reasons, namely:
1. Ineffective Legislation and Policies.
2. Lack of Parliamentary Oversight.
3. Lack of Cyber Security Awareness, also related to high levels of computer illiteracy.
CII extends beyond the control of a government in South Africa. In a 2011 report released by the National Treasury, forwarded by Pravin Gordhan, it is stated that the Financial Sector of South Africa is the cornerstone of the entire economy which enables economic growth, creates more jobs and provides for development of the nation (Treasury, 2011).
However, one must remember that state owned telecommunication providers as well as privately owned CII providers form part of the overall banking company through existing partnerships or outsourced contracts. This leads to the concept of privately owned CI and CII.
Privately owned CI and CII, such as the infrastructure used and implemented by banks or ICT providers, face risks similar to those of government owned CI and CII, and are interdependent on the same Global CII. Impact to banks, as companies, will be devastating to the economy if some catastrophe occurs, such as a complete Eskom electricity grid blackout in combination with a Transnet Pipeline failure and ICT Infrastructure shutdown. The country will be blind and deaf for a finite amount of time.
The question is then, will South Africa have the resiliency and necessary structures in place to be able to deal with the realisation of such a threat event?
It is therefore important that private and public sectors join forces so to speak, in order to manage risks associated with the inadequate protection of CII, not only on technical matters, but also matters regarding policy, risk management, communication and collaboration.
Research done by Bendisch, Bologna, Le Grand, and Luiijf (2007) also recommends that Public-Private Partnerships are fundamental towards effective CIIP, since CIIP is a complicated topic.
In the next section we explore the concept of Public-Private partnerships.
Public-Private Partnerships
Cavelty (2007) states it plainly: “…governments can no longer go it alone.” This is indeed a true statement even in South Africa, as more ICT technical skills are found in privately owned CII. One very good point made by Cavelty (2007) is that it is very possible for public authorities to lay down strict and costly regulations or legislation, but legislation is one thing and enforcement thereof quite another. Instead, Cavelty (2007) argues that governments must aim to create mutual win-win situations.
But what would this partnership look like and what information is exchanged for a win-win situation? Suter (2007) provides a generic national framework for CIIP and proposes the concept of a CIIP Unit.
A CIIP Unit is a group of individuals from the public sector who oversee certain or specific CII or all CII. The CIIP Unit is then supplemented with private sector members, forming either an open group or a closed group. Suter (2007) refers to these as an open client base (OCB) and a closed client base (CCB) respectively. Exclusive information is disseminated in a CCB as opposed to generic information in an OCB.
Key aspects of the makeup of the group include the following areas as per Suter (2007):
1. A Government Agency, providing strategic leadership and supervision.
2. An Analysis Center with strong linkages to the intelligence community.
3. A Technical Center of expertise, usually consisting of staff members of a National Computer Emergency Response Team (CERT).
It is the head of the agency in point 1 who must form private partnerships, with the objective of disseminating information that is real, trustworthy and valuable. CCBs can possibly even generate revenue if the information meets the previously mentioned criteria.
Cells of CII Operators can be grouped per Sector they serve and exchange information freely, or with other sectors. Figure 3 shows a model depicting the interaction in a Public-Private Partnership on a per Sector basis.
Figure 3 Closed Customer Base. Source: Suter (2007)
Private companies can have a significant positive impact on a National CIIP Framework for South Africa. The major skill the private sector can bring to the table is experience as well as technical skill, possibly even leadership and guidance if required.
Many private companies already have a security incident response team (CIRT) in place and have already established links with the intelligence community through other private third parties locally or abroad. This can be leveraged in a cost-effective way.
However, South Africa is on the back foot from a cyber security point of view when referring to legislation. Many articles describe this fact as being due to South Africa being a developing nation in Africa.
Von Solms and Kritzinger (2011) state that Africa is still on the wrong side of the Rubicon and the key to salvation is collaboration. A few key points for collaboration are highlighted for African countries:
1. Cyber Security Awareness.
2. Provide Capacity Development and Skills Development.
3. Legislative and Policy Aspects.
4. National CSIRTs.
5. Research in Cyber Security and CIIP.
Maybe South Africa is not yet ready for Public-Private Partnerships at the moment regarding CIIP, since so many elements, especially education, training, legislation and information security knowledge, might not be fully developed compared to International Standards and can be costly.
Africa as a whole, in my opinion, faces far more important challenges at the moment in 2016 than CIIP, and this might be the reason for the lack of structure in the CIIP arena.
However, from a South African point of view, there is far more to leverage from the BRICS association than in Africa. In fact, Russia has been pushing for a BRICS-only undersea cable (Ozores, 2015). Leveraging the agreement in the BRICS association can possibly improve the CIIP situation for South Africa if the CIIP Agenda is backed and driven by Russia as a National Security issue.
One very positive move in the correct direction was the establishment of the Cyber Security Hub, by Siyabonga Cwele, Minister of Telecommunications and Postal Services, as an initial structure to deal with Cyber Security (gov.za, 2015), and also to act as a mechanism for Public-Private Partnerships. (At the time of writing this paper, the Cyber Security Hub website was not online, hopefully not taken down as part of a Distributed Denial of Service.)
Conclusion
Is South Africa ready for a cyber-related disaster? My gut tells me, no. Will it take a disaster for South Africa to become more prepared towards CIIP? Possibly. Most likely, ICT Service Providers will have to deal with the disaster.
South Africa is still on the wrong side of the Rubicon. Notably, many organisations are attempting to create the correct levels of security awareness and apply the correct principles, such as the Center for Science and Industrial Research (CSIR) with the Cyber Security Hub, and certain departments at universities. It might prove worthwhile for the CSIR to become a driving force, via the Department of Science and Technology, on the issues of Cyber Security and CIIP.
Not only private sector participation, but also international participation in a public-public partnership, such as BRICS, might be a necessary step to play catch-up, also due to the fact that CII is interdependent. However, we first need to define and list Critical Infrastructure, and the Bill on Critical Infrastructure needs to be approved.
Lastly, a commitment is required on all levels, including the private sector, which must have a clear commitment to support these initiatives, including support for sufficient financial resources to bolster South Africa’s maturity level, since it will serve the best interest of every participant in the South African economy.
References
Albright, D., 1994. ISIS Report. South Africa’s Secret Nuclear Weapons. Available online. http://www.isis-online.org/publications/southafrica/ir0594.html. Accessed: 22 October 2016.
Bendisch, U., Bologna, S., Le Grand, G. and Luiijf, E., 2007. Towards a European Research Agenda for CIIP: Results from the CI2RCO Project. In International Workshop on Critical Information Infrastructures Security (pp. 1-12). Springer Berlin Heidelberg.
Birch, D., Smith, R. 2015. The Center for Public Integrity. South Africa rebuffs repeated U.S demands that it relinquish its nuclear explosives. Available online. https://www.publicintegrity.org/2015/03/14/16873/south-africa-rebuffs-repeated-usdemands-it-relinquish-its-nuclear-explosives. Accessed: 22 October 2016.
Cavelty, M.D., 2007. Critical information infrastructure: vulnerabilities, threats and responses. In Disarmament Forum (Vol. 3, pp. 15-22).
gov.za, 1980. Act 102 of 1980: National Key Points Act. Available online. http://www.gov.za/sites/www.gov.za/files/Act%20102%20of%201980.pdf. Accessed: 22 October 2016.
gov.za. 2015. Minister Siyabonga Cwele: Launch of Cybersecurity Hub. Available online. http://www.gov.za/speeches/minister-siyabonga-cwele-launch-cybersecurity-hub-30-oct2015-0000. Accessed: 23 October 2016.
Ozores, P. 2015. Bnamericas.com. Russia pushed for BRICS undersea cable. Available online. http://www.bnamericas.com/en/news/privatization/russia-pushes-for-brics-underseas-cable. Accessed: 23 October 2016.
Kekana, M. 2016. Eye Witness News. SA Suffers Internet Connection Issues after SeaCom Outage. Available online. http://ewn.co.za/2016/01/21/SA-suffers-internetconnection-issues-as-Seacom-cable-is-down. Accessed: 22 October 2016.
National Treasury. 2011. A safer financial sector to serve South Africa better. Available online. https://www.google.co.za/url?sa=t&rct=j&q=&esrc=s&source=web&cd=6&cad=rja&uact =8&ved=0ahUKEwj2xfDjqu_PAhXKBsAKHXARB0sQFggMAU&url=http%3A%2F%2Fwww.treasury.gov.za%2Ftwinpeaks%2F20131211%2520%2520Item%25202%2520A%2520safer%2520financial%2520sector%2520to%2520ser ve%2520South%2520Africa%2520better.pdf&usg=AFQjCNHWN5SrT34_dkbfdnJ718K3ednMQ&sig2=u8Nrzq3GGffJmaZQFJNpjQ. Accessed: 22 October 2016.
R2K. 2015. Revealed: List of National Key Points. Available online. http://www.r2k.org.za/2015/01/23/revealed-list-of-national-key-points/. Accessed: 22 October 2016.
Suter, M., 2007, May. A Generic National Framework For Critical Information Infrastructure Protection. Meeting Background Paper. Second.
U.S Homeland Security, 2016-a. Critical Infrastructure Security. Available online. https://www.dhs.gov/topic/critical-infrastructure-security. Accessed: 22 October 2016.
U.S Homeland Security, 2016-b. Critical Infrastructure Sectors. Available online. https://www.dhs.gov/critical-infrastructure-sectors. Accessed: 22 October 2016.
Von Solms, B., 2011. Cyber Security and Critical Information Infrastructure protection from a South African Viewpoint. Available online. http://www.finpro.fi/documents/10304/abefd9a9-3cce-4523-8ad1-9d64b7a092c4. Accessed: 22 October 2016.
Von Solms, B. and Kritzinger, E., 2011, November. Critical Information Infrastructure Protection (CIIP) and Cyber Security in Africa–Has the CIIP and Cyber Security Rubicon Been Crossed? In International Conference on e-Infrastructure and e-Services for Developing Countries (pp. 116-124). Springer Berlin Heidelberg.
Voster, G., 2013. BusinessTech. Race on to build new SA subsea cable. Available online. http://businesstech.co.za/news/general/33577/race-on-to-build-new-sa-subsea-cable/. Accessed: 22 October 2016.
Wilson, C., 2014. Cyber threats to critical information infrastructure. In Cyberterrorism (pp. 123-136). Springer New York.