NATIONAL SECURITY
Keeping business safe from national cyber threats
Over the next two months, the mission-critical infrastructure will compel 256 businesses in eight categories to carry out self-assessment of their ability to handle emergencies and threats to national security.
Speakers at the meeting to build understanding about the national mission-critical infrastructure.
The Draft Royal Decree of Electronic Transaction Security Methods will ask this of both public and private organisations which are related to the national mission-critical infrastructure, according to Surankana Wayuparb of the security sub-committee under the Electronic Transaction Commission.
The royal decree is mainly to encourage those organisations to assess how well they manage and secure information in electronic transactions.
Thaneerat Siripachana, Deputy Permanent Secretary of the Ministry of Information and Communications Technology, said the draft royal decree passed cabinet in July and is awaiting the royal signature.
The draft defines secure methods over three levels (basic, moderate and high) depending on the impact on businesses from lost value and users, and the security and health of users, including national and society security.
The draft defines eight business categories: agriculture, food, water, drugs and healthcare; utilities, energy, industry and national resources; national security; social security; telecoms, transportation and mass media; information technology; finance, banking, insurance and securities; and government, including business related to government.
Surankana continued that there are no punishments under this law because its main purpose is to encourage those mission-critical agencies to carry out self-assessment to reduce damage that might occur from unexpected incidents.
"The draft follows section 25 of the Electronic Transaction Act, which covers electronic transactions with secure methods assuming trusted transactions, so agencies should comply under the decree to build trust and creditability in electronic evidence before the court," Thaneerat explained.
He added that this year's political demonstrations showed that many organisations still lack business contingency and disaster recovery plans, including backup sites or technical support facilities. So he said organisations should hold workshops and conduct brainstorming sessions to create awareness and prepare themselves to handle unexpected incidents.
Chaiyakorn Apiwathanokul, Chief Technology Officer at PTT ICT Solutions and the security sub-committee under the Electronic Transaction Commission, said typical threats to IT systems could also exploit vulnerabilities in control systems.
For example, autonomous worms that randomly search for propagation paths can distribute denial-of-service attacks such as those that overwhelm network bandwidths. Viruses and Trojan horses can also disrupt utilities, cause electromagnetic interference, hamper radio frequencies and encourage the improper application of software patches.
Not all control system professionals and IT security staff are familiar with these security threats, so collaboration between these two sections is crucial in order to handle such incidents.
In the USA, the National Infrastructure Protection Plan identifies and categorises US critical infrastructure in 18 sectors and has set up public-private co-ordinating mechanisms in its control system security framework.
"Cyber security is a shared responsibility and it needs to report cyber incidents and vulnerabilities. Thailand should apply the US Homeland Security experience," Chaiyakorn suggested.
The ICT Security Committee is in the process of establishing the Thailand Policy and Analysis Center, a virtual network collaboration between all ministries to exchange security information, according to Methini Thepman, Director, Policy and Strategic Bureau of Information and Communication Technology Ministry and secretary of the ICT Security Committee, which is a newly set up committee to set national security policy.
Each ministry will be encouraged to set up its own Computer Emergency Response Team (CERT) and carry out incident drills and exercises.
Moreover, the ministry will allocate a training budget to boost the number of security experts and open more career paths in the profession, as well as build its own National Cryptography Data Standard.
Prinya Hom-anek, member of the ICT Security Committee, added that pervasive computing is under increasing threat of attack by sophisticated and organised cyber criminals. This is known as an Advanced Persistent Threat (APT).
The government is therefore being encouraged to build its base of security expert professionals to work in business critical infrastructure to combat national security threats.
At the private level, the Thailand Information Security Association (TISA) has launched an examination called the TISA IT Security EBK Test (TISET), allowing security professionals to evaluate themselves and helping organisations to recruit experts of a particular standard.
"Critical Infrastructure protection is a global issue for public safety and it requires collaboration, strategy planning and risk management at the country level," said Prinya.
"We are seeing an increase in national cyber security threats around the globe, such as in South Korea in 2003, when an ATM system was attacked by the Slammer worm, although Thailand has still not had a big incident to build awareness."
About the author

- Writer: Suchit Leesa-nguansuk
- Position: Reporter
