Electro/Telecom Industry Trends
Protecting the Critical Information Infrastructure: IEEE Computer Society Launches Information Assurance Efforts

Like other frontiers, Information Technology (IT) promises to deliver adventure and opportunity. It offers new markets...new relationships...new ways to be one-up on the competition. However, at the same time, IT is full of new dangers. IT is rife with pranksters and professional criminals. There are teenage savants who hack because it's cool, disgruntled employees who hack to get even, and high-tech industrial spies who hack for hire. As IT increases in importance, so does the number of threats directed against this critical infrastructure.
The Institute of Electrical and Electronics Engineers Computer Society is working hard to deliver cyber-security solutions that will help government and businesses protect data and assets, detect threats and intrusions, and recover more quickly from incidents such as September 11th. "The IEEE Computer Society is the largest group within IEEE, and entertains more than 40 technical committees and task forces," explains Jack Cole, IEEE Information Assurance Task Force Chair.
Information Assurance (IA) is the main goal behind IEEE's IT efforts. In the historical definition, IA encompasses information operations that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation (recipient cannot deny receipt). This includes providing for restoration of information systems by incorporating protection, detection, and reaction capabilities. "IA transcends this operations-centric definition, meeting the must-not-fail requirements of business continuity and military mission, and taking a systems view of all possible sources of failure, not just focusing on cyber-terrorism, but also proactively approaches remediation for IT flaws and resilience, resistance to effects of flaws and attacks," explains Cole. "Although work is just beginning on a consensus definition of IA in this larger context, fundamentally, IA assures timely delivery of information to authenticated users for authorized purposes in ways which can neither be repudiated nor compromised."
"The IEEE will develop consensus standards in IA which are international," comments Cole. "The Critical Infrastructure Protection (CIP) is best served in an international perspective, as each nation society is dependent on other nation societies as trading partners, for control of pollution, for food, for control of diseases, etc.," he continues. "It is a small world. For example, when Asian financial markets suffer, so do North American markets and vice-versa."
Two key IEEE efforts towards information assurance include:
- Task Force on Information Assurance (TFIA)
- Information Assurance Study Group/Information Assurance Standards Committee (IASG/IASC).
"The Task Force on Information Assurance and the soon to be formed Information Assurance Standards Committee are the two umbrella efforts for all of the underlying information technology (IT) areas," explains Cole.
Task Force on Information Assurance (TFIA)
The Task Force on Information Assurance (TFIA) champions a systems approach to development of Information Assurance technology by asserting an Information Assurance view across numerous closely related technologies:
- Networking
- Software engineering
- Distributed processing
- Pattern recognition
- Real-time computing
- Visualization
- Cryptography
- Simulation
- Man-machine interface
- Data engineering
- Mass storage
…and more
The TFIA participates in development of recommended practices and standards for IA. The TFIA sponsors Tutorials, Workshops, and Symposia each year, and publishes a quarterly newsletter.
The efforts of the TFIA are in alliance with the National Information Assurance Partnership (NIAP), a U.S. Government initiative designed to meet the security testing, evaluation, and assessment needs of both IT producers and consumers. NIAP is a collaboration between the National Institute of Standards and Technology and the National Security Agency. The security requirements and security specifications are being developed with IEEE and other standards developing organizations (SDOs).
"NIAP has a target list of IT areas for which it wants consensus developed standards established using the ISO/IEC 15408-1 standard, Common Criteria Protection Profiles, as a framework," explains Cole. "This list includes public key infrastructure (PKI), operating systems, smartmedia, virtual private networks (VPN), firewalls, biometrics devices, database systems, network devices, intrusion detection systems, etc."
The Information Assurance Standards Committee began as the Information Assurance Study Group in November of 2001, with over 300 interested participants. That number has grown and includes representatives from all over the world and numerous industries, including Power, Maritime, Medical, and others.
There are two important groups within the IASG/IASC: the Certificate Issuing and Management Components Working Group (CIMCWG) and the Security in Storage Working Group.
"The IEEE is developing a base document from NIAP with a group of 14 people to become the IEEE 1618 Standard for Certificate Issuing and Management Components. This is the first standard in a family of standards," says Cole.
The Security in Storage Working Group held its first meeting on June 20, 2002, which included representation from StorageTek, IBM, Cisco, Seagate, Emulex, EMC, Kasten Chase, Zyfer, and other key participants. This group is developing the IEEE 1619 Standard for Encrypted Shared Media; balloting and approval of the standard will occur in 2003.
This work group will also:
1) Define standards for cryptographic algorithms and methods for encrypting data before it is sent to the storage (disk or tape) device. This will include the algorithms and modes to create interoperable solutions.
2) Create Common Criteria Protection Profiles.
"The IASC and TFIA as well as many of the other Computer Society task forces and technical committees, groups from the Power Engineering and Communications Society, and other groups outside of IEEE comprise a complex of efforts to advance IA technology and assure the IT aspects of the critical infrastructures," comments Cole. "So this complex of efforts not only attempts to take a holistic or systems view of the many relevant IT areas, but also of the relevant industries maintaining the infrastructures critical to society."3
3 Primary Source: IEEE Institute of Electrical and Electronics Engineers