10.3.6. NECCS Education Evaluation
NECCS education is a permanent, cyclical process. It starts with a list of requirements requested by the NEC owner and the NEC/NECCS authorities; next comes an action plan covering all the activities needed to meet those requirements; then the implementation of the security services according to the security policy and security plans; and finally an evaluation process that measures the level of qualification reached and the degree of compliance with the security policies and plans. The results of the evaluation feed back into the next cycle as the starting point for a revised list of requirements.
10.4. Materiel
NECCS materiel is all the equipment, apparatus, supplies, and ancillary items used by the NECCS organization to provide the cyber security services required to reach the NEC strategic objectives. It includes computer security hardware and software, communication security devices, and cryptographic equipment.
The choice of cyber security materiel depends on a number of factors that should be considered both before procurement and over the service life of the equipment, to ensure that it will also meet future requirements. Some of the factors that should be considered when acquiring NECCS materiel are:
a. Efficiency in providing the required functionality.
b. Guarantee that it does what it claims. This can be obtained through official certifications such as Common Criteria, SECAN, etc.
c. Cryptographic guarantee, usually granted by a national security agency.
d. Guarantee that it does not do anything apart from what it claims. Note that this is a different guarantee from (b): a certification shows that the evaluated functionality behaves as specified, whereas (d) asks for assurance that there is no undocumented functionality, which is harder to demonstrate.
e. Interoperability with other equipment in the system and with legacy systems.
f. Friendliness in operation.
g. Resilience, i.e., the ability to recover from cyber attacks.
h. Modularity and scalability, i.e., the ability to be updated by incorporating new modules.
i. Programmability, i.e., the ability to modify specific operational aspects or values without affecting security.
j. TEMPEST protection, if needed.
k. COTS or GOTS: commercial off-the-shelf products are usually the cheaper alternative, but government off-the-shelf products can be tailored to meet the requirements precisely.
[Figure: factors in NECCS materiel selection: operational efficiency, security certificate, crypto certificate, interoperability, friendliness, resilience, modularity, scalability, programmability, TEMPEST protection, COTS/GOTS, price]
[Figure: NEC decision process: dynamic, risky, fast]
10.5. Leadership
The environment in which NEC leaders have to make decisions has features that make the decision-making process more complex and risky than ever before.
The NEC environment, and cyber security in NEC in particular, is characterized by uncertainty, constant change, rapid action, fast evolution, unknown adversaries, threats and risks, and a blurred legal framework.
The NEC environment requires leaders to make decisions rapidly and constantly. They must therefore accept a certain degree of risk and uncertainty about the effectiveness of those decisions. Security is never perfect and the NEC environment is dynamic and uncertain by nature; consequently the decision-making process must itself be rapid, dynamic, and risk-accepting. The need to decide rapidly, together with NEC's capability for effective and widespread information sharing, means that the decision-making process has to be opened up and extended, making it less dependent on hierarchical structures.
Furthermore, NEC is based on a federation of systems, which is characterized by decentralized leadership. The members of the federation are independent in command, control, and organization. Leadership must therefore be exercised through common policies, standards, collaboration agreements, and trust.
NECCS should support leaders in the decision-making process by providing information on cyber threats, vulnerabilities, and risks in non-technical language. In addition, it must help establish a reliable, rapid, and extended decision-making process.
NECCS leaders must not forget that the effectiveness of NECCS implementation depends on external factors that the NEC/NECCS organizations do not control. They must therefore foster the collaborative environment needed to reach international and multidisciplinary agreements, as well as common understandings, that facilitate convergence towards NECCS principles.
10.6. Personnel
NECCS is a new way of viewing security that requires a change of mentality by every NEC user. Every NEC user is part of the NECCS organization and therefore has real responsibilities for the application of security measures.
An NECCS plan addressed to personnel should include at a minimum the following elements:
a. Inform all NEC users about their NECCS responsibilities.
b. Implement an NECCS education program according to section 9.3.
c. Keep all NEC users informed of the importance of compliance with the NECCS policy.
d. Keep NEC users updated about new threats and risks.
e. Maintain and constantly evaluate the level of alertness, attention, and qualification of all NEC users in cyber security issues. Monitor the activities and behavior of all NEC users to test the level of compliance with the NECCS policy.
f. Implement a change management plan when introducing a new system or service.
Two additional considerations:
The NECCS department is responsible for implementing, managing, and supervising all the activities mentioned above.
Personnel belonging to the NECCS department must be dedicated exclusively to cyber security issues.
10.7. Facilities
NECCS facilities are secure places where cyber security materiel is hosted and protected.
In many cases NECCS materiel is classified in the same manner and to the same degree as the information it processes, and must therefore be protected against unauthorized access. In that case the facilities must be equipped with physical security measures to protect the hosted classified materiel. NECCS physical security consists of physical barriers and control procedures that protect NECCS facilities and materiel from damage caused by threats other than cyber threats.
Physical threats can be grouped into two sets: natural disasters (fires, floods, earthquakes, etc.) and human action (theft, fraud, sabotage, etc.).
A plan to protect the NECCS facilities must include at a minimum the following elements:
a. Specific measures against natural disasters, according to the regional level of risk.
b. Security controls against unauthorized physical access, e.g., guards, metal detectors, biometric systems, automatic signature verification systems, animals, access and perimeter protection, electronic devices, etc.
c. Control and monitoring measures against overload or failure of the power supply, e.g., UPS, etc.
d. Control measures against unwanted electromagnetic emissions, e.g., measures against the TEMPEST phenomenon.
e. Control measures against radio jamming, e.g., Faraday cages, etc.
[Figure: NECCS facilities protection: natural disaster prevention, unauthorized physical access control, power supply protection, TEMPEST protection, radio jamming protection]
10.8. Interoperability
NEC interoperability is the ability of all NEC systems and organizations to work together. Interoperability is a pivotal aspect, since NEC is based on a federation of systems in which each member of the federation defines, implements, and manages its own systems while the whole eventually works like a single logical system.
NECCS should consider the interoperability aspect from the beginning, working to foster common security policies and technical standards.
Interoperability must not be reduced to issues related to the NII; it must also encompass activities aimed at enhancing the communication flow and information sharing among people by converging security mentalities and cultures.
10.9. DOTMLPFIS
DOTMLPFI is an acronym used by NATO to remind planners of the fundamental aspects that have to be considered when planning the development of a system or program. Security is an aspect that makes the planning work more complex; as a result, it is often deliberately avoided, or reflected in the plans only in a cursory manner.
Inevitably, security eventually becomes part of the planning or the implementation, and the later that happens, the greater the risk of dysfunction. The system will still become effective, but with more delay and at a higher price.
For some people, adding the security aspect to the acronym is unnecessary because security is a universal issue affecting all the components of DOTMLPFI, so the use of DOTMLPFI without the S is considered sufficient. But the same is true of every component of DOTMLPFI, not only of security. The reason for promoting the use of DOTMLPFIS is to provide a reminder that security is an important aspect that has to be considered specifically from the outset.
1. The natural evolution of the information age makes NEC the way ahead, whether it is wanted or not.
2. Cyber Security is a necessary component not only to make NEC safer, but to ensure its survival and operation.
3. NECCS involves a cognitive revolution and a change of mentality, whereby the goal is not protecting the information, systems, and networks, but using this protection to facilitate the information superiority of the NEC owner.
4. Some researchers believe that NEC/NECCS is about people rather than technology, while others believe that NEC/NECCS is about culture rather than people or technology. We believe that NEC/NECCS is about people and culture, technology, and information. These elements are mutually dependent, and all of them matter, since the failure of one means the failure of all.
5. Although all the main components (people, technology, and information) are equally important, information must be the reference for all NECCS actions.
6. NECCS should be considered during the complete life cycle of NEC, from inception to disposal.
7. NECCS education and change management are the crucial aspects for succeeding in an NEC implementation.
8. NECCS is about dynamic risk management, and about disseminating the resulting information to decision makers in a timely manner and in appropriate language.
9. NECCS should provide guidance for facing known, emerging, and potential threats, and provide for secure connection of authorized NEC users as well as unanticipated temporary partners.