SlideShare a Scribd company logo

ASEAN Critical Information Infrastructure Protection Framework

ETDAofficialRegist
ETDAofficialRegist

The main purpose of the study and its point of action is to develop regional critical information infrastructure (CII) resilience practices by identifying CII that have strategic imperatives and developing coordinated approaches for cybersecurity protection. The scope of this project study is based on the ASEAN ICT Masterplan 2020 which aims to strengthen information security and assurance among ASEAN Member States (AMS).

1 of 11
Download to read offline
ASEAN CRITICAL INFORMATION INFRASTRUCTURE PROTECTION FRAMEWORK ASEAN CRITICAL INFORMATION INFRASTRUCTURE PROTECTION FRAMEWORK
Table of Contents Introduction 1 Methodology 1 Results and Deliverable Outcome 1 I. Identifying CIIs that Have Strategic Imperatives 1 1. Identify National CIIs, Common Regional CIIs, and Cross-border CIIs Dependency 2. Identify Key Decision-making Factors to Help Identifying National CII of the AMS Who Have Not Yet Defined Their CIIs 3. Identify Cross-border CII Dependency Risk Perception II. Developing Coordinated Approaches for Cybersecurity Protection 4 4. Identify Common CII Sectors that Are “Sensitive” and “Feasible” for Information Sharing among ASEAN 5. Identify Supports Needed to Raise the Protection Levels of CII Across All AMS 6. Identify Actions Needed to Enhance Information Sharing and Regional Collaboration to Raise the CIIP Levels Across All AMS. 7. Identify Status and the Ways to Promote Bilateral or Multilateral Cooperation and Agreements to Improve the CII Protection Levels in ASEAN Framework Recommendation 5 ASEAN Critical Information Infrastructure Protection (CIIP) Framework 6 1. Policy Coordination, 2. Identifying CIIs, 3. Protecting CIIs, 4. Information Sharing, 5. Incident Response, and 6. Capacity Building. Way Forward 9
1 Summary of ASEAN Critical Information Infrastructure Protection Framework Project Introduction The main purpose of the study and its point of action is to develop regional critical information infrastructure (CII) resilience practices by identifying CII that have strategic imperatives and developing coordinated approaches for cybersecurity protection. The scope of this project study is based on the ASEAN ICT Masterplan 2020 which aims to strengthen information security and assurance among ASEAN Member States (AMS). Methodology The project study approached its objectives in four stages. The first stage is conducting research on country overviews dealing with AMS CII approaches, concept and definition, cross-border and CII interdependencies, cybersecurity policy, strategies, and laws for CII protection. The second stage is conducting the survey among AMS coordinating authorities or national cybersecurity experts while the third stage included the sharing of best practices by experts with advanced or long-time experience with CII protection. Last, a roundtable discussion was held where AMS participants discussed the survey results, provided mutual agreements on different challenges, and shared their perspectives, experiences, and implications towards a common goal of building CII resilience to secure and protect information security in the region. Results and Deliverable Outcome The project study has reached its objectives and achievements which include (I) identifying CIIs that have strategic imperatives and (II) developing coordinated approaches for cybersecurity protection. The project results and deliverable outcome will be described by the 7 key findings which consists of the following: I. Identifying CIIs that Have Strategic Imperatives 1. Identify National CIIs, Common Regional CIIs, and Cross-border CIIs Dependency Beyond national CIIs of the 7 AMS that have been previously defined (Brunei, Indonesia,Malaysia, Philippines, Singapore, Thailand, and Vietnam), the project study identifies potential national CIIs of the remaining AMS who have not yet defined their CIIs and participated in the survey (Cambodia and Laos) and reached a common AMS CII.* These sectors are Government Agency,
2 Energy & Utilities, Banking/Financial Services, and Information/Communications/Telecommunications (ICT) Common AMS Critical Information Infrastructure (CII)* 1) Government Agency 2) Energy & Utilities 3) Banking/Financial Services 4) ICT (* Not represented or related to cross-border CII or CII Interdependency) Cross-border CII dependency, in other words, CIIs that could have high cross-border cybersecurity risk impacts in the region is also investigated and identified. On a scale of ‘none’ to ‘high’ (where 0 = none, 1= low, 2 = medium, and 3 = high), the project study indicates most AMS do not perceive or are aware of a high level of cross-border sectoral dependency in the region at this moment. However, Information/Communications/Telecommunications (ICT) is the sector that most AMS consider posing highest cross-border cybersecurity risk impacts in ASEAN. Other Sector/Service/ Industry Brunei Indonesia Malaysia Philippines Singapore Thailand Vietnam Common Cambodia and Lao PDR # Numbers 8 10 10 12 11 7 11 Potential 1 Government Agency/Ministry ✓ 1. Law Enforcement 2. E-GOV’T GOV’T (including E-GOV’T) GOV'T GOV'T GOV'T 1. E-GOV'T 2. Smart- City 3. Natural Resources ✓ 2 Energy and/or Utilities ✓ Energy and Mineral ✓ ✓ ✓ ✓ ✓ ✓ 3 Water ✓ ✓ ✓ ✓ 4 Banking/Financial Services ✓ ✓ 1. Banking 2. Finance ✓ ✓ ✓ 1. Banking 2. Finance ✓ 5 Healthcare Services ✓ ✓ ✓ ✓ ✓ ✓ ✓  6 ICT ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ 7 Transportation ✓ ✓ ✓ 1. Land 2. Maritime 3. Air 1. Land 2. Maritime 3. Aviation ✓ ✓ 8 Defense & Security Services Defense Defense & Strategic Industry (Resilience) Defence & Security  Security & Emergency Services ✓ ✓ 9 Emergency Services  ✓ ✓ ✓  ✓ 10 Media & Public Communications    ✓ ✓   11 E-Government ✓       12 Food and Agriculture  Food Security ✓     13 Business Process Outsourcing (BPO)    ✓   
3 sectors include Energy & Utilities, Government Agency, Transportation, and Banking/Financial sectors, respectively. AMS perception of cross-border CII Dependency Ranked highest to lowest 1st ICT 2nd Energy & Utilities 3rd Government Agency/Ministry 4th Transportation 5th Banking/Financial Services 2. Identify Key Decision-making Factors to Help Identifying National CII of the AMS Who Have Not Yet Defined Their CIIs The project study combines and compares key decision-making factors to identify national CIIs of AMS who have not yet defined their CIIs to those of AMS who already have CIIs. It has been concluded that Impact on the Economy is the most important key decision-making factor that was considered in identifying the national CIIs by all AMS. Rank Common Decision-Making Factors to Identify National CIIs By the AMS which already have CIIs defined By the (Perception of) AMS which have not defined their CIIs 1st Impact on the economy Impact on the public safety Impact on the economy Impact on the national security and defense 2nd Impact on the national security and defense Impact on the public health Reliance on digital technologies Impact on the gov’t capabilities to function 3rd Impact on the public order and social well- being Impact on the national image Impact on the gov’t capabilities to function Impact on the public order and social well- being Impact on the public safety Impact on the public health 4th Reliance on digital technologies Impact on the national image Other Impact on the personal data violation 3. Identify Cross-border CII Dependency Risk Perception The project study indicates that significant risks related to cross-border CII dependency are (1) technological risks, (2) legal and procedural risks, and (3) social or cultural aspects. Top technological risks include specific threats and risks (geographic risks: disruption of regional network in one region) and man-made hazards (lack of technical expertise, operating errors, and failure of systems). In addition, AMS have identified that threats and incidents that are likely to have the most influence on ASEAN cross-border dependencies include availability (such as a DDos attack), intrusion attempts, and malicious code. Legal and procedural risks include the differences in legislation and policy (on an international level) and the lack of equivalent security standards (on the ASEAN level). Most AMS also pointed
4 out risks in social or cultural aspect to be considered such as lack of information sharing for both reactive and preventive activities, lack of trust, and difference in threat perception. II. Developing Coordinated Approaches for Cybersecurity Protection 4. Identify Common CII Sectors that Are “Sensitive” and “Feasible” for Information Sharing among ASEAN The project study finds the most “sensitive” sectors for regional information sharing are Defense and Security, Financial Services, and Government Agency/Ministry and the most “feasible” sectors for information sharing among AMS are Media & Public Communications, Food and Agriculture, and Transportation, respectively. Most Sensitive Sectors for AMS Information Sharing Ranked highest to lowest Most Feasible Sectors for AMS Information Sharing Ranked highest to lowest 1st Defense and Security 2nd Financial Services 3rd Government Agency/Ministry 1st Media & Public Communications 2nd Food and Agriculture 3rd Transportation Transportation, however, is the sector that most AMS consider pose comparatively high cross- border cybersecurity risk impacts in the region as well as being feasible for information sharing among AMS. Therefore, the sector that AMS should consider starting and focusing on information sharing for CII protection at this moment is the Transportation sector. 5. Identify Supports Needed to Raise the Protection Levels of CII Across All AMS In order to increase the protection level of CII across all AMS, the following supports needed among AMS are: 5.1 Enhancing information sharing among AMS. 5.2 Identifying their own CII assets and CIIP responsibilities as well as the member’s dependency among AMS. 5.3 Empowering point of contact of organizations that can respond and coordinate (aside from legislation, capacity building, and the budget) among ASEAN. 5.4 Adopting a regional CIIP framework which will be the basis and baseline for each AMS in identifying and protecting CIIs in the region. 5.5 Developing a joint consensus to protect the CII and to ensure security and resilience in each AMS and ASEAN. 5.6 Having a forum or working group for CIIP initiatives. 5.7 Being committed to support CII operators to achieve regional security standard level and ensure countermeasuresof each AMS and ASEAN such as building human resource capacity through training programs, workshops, and others relevant activities. The projec study finds the supports most needed by AMS in order to raise the CII protection levels in the region is Information Sharing.
5 6. Identify Actions Needed to Enhance Information Sharing and Regional Collaboration to Raise the CIIP Levels Across All AMS. In order to enhance information sharing and regional collaboration to raise the CII protection levels across the region, the major actions needed and recommended are: 6.1 Establishing an ASEAN Information Sharing and Analysis Center (ASEAN-ISAC). 6.2 Developing information sharing pilot projects for Transportation and ICT sectors. (since both sectors are considered to pose the greatest cross-border cybersecurity risk impacts in the region and to be feasible for comparative information sharing among AMS). 6.3 Developing a trusted platform and building a communication forum among AMS and ASEAN CII operators on provisions regarding cyber threats information related to the CIIP. 7. Identify Status and the Ways to Promote Bilateral or Multilateral Cooperation and Agreements to Improve the CII Protection Levels in ASEAN Regarding the status of regional collaboration, the project study finds AMS are not aware of any existing cooperation or agreements on CII protection at this moment. However, there could be some form of AMS collaborations on CIIP that participating AMS may not recognize. In order to promote bilateral or multilateral cooperation and agreement on CII protection levels in the region, AMS has suggested the following: 7.1 Developing a CII sector-based approach by sharing functions and information, having bilateral agreements on a sector-by-sector basis and then from country to country, expanding to multilateral agreements before proceeding to an ASEAN platform, and moving towards essential practical implementations. At the same time, revising the existing agreements and instruments on ICT and/or cybersecurity in CIIP specific clauses if possible. 7.2 Developing a regulatory body that can receive AMS information from each recognized CII sector and having one central organization to collect and distribute data in the region. Framework Recommendation In moving towards ASEAN’s initiative to strengthen information security and assurance among AMS, the project study addressed a comprehensive ASEAN Critical Information Infrastructure Protection (CIIP) Framework which provides strategic recommendations and coordinated approaches to create more resilient cybersecurity across ASEAN’s critical information infrastructure as follows: Six pillars of ASEAN Critical Information Infrastructure Protection Framework (1) Policy Coordination, (2) Identifying CIIs, (3) Protecting CIIs,
6 (4) Information Sharing, (5) Incident Response, and (6) Capacity Building. Diagram: 6 Pillars of ASEAN Critical Information Infrastructure Protection Framework
7 1. Policy Coordination Policy coordination among AMS through mutually agreed coordinating mechanisms which support and promote collaborative activities across AMS borders, sectors and organizations is essential to the security of the CIIs within the ASEAN region. AMS are encouraged to: ➢ Develop bilateral and/or multilateral cooperative agreements to enhance security of inter- dependent CIIs within ASEAN. ➢ Implement and enhance Public-Private Partnerships, Business Continuity Management, Crisis Management, and sets of cyber incident exercises and tests. ➢ Establish national and regional Points of Contact (POC) for the ASEAN network of cybersecurity experts and organizations. ➢ Participate in cyber norm development activities at the regional and global levels such as the 2015 UNGGE recommendations that were endorsed by the ASEAN Ministerial Conference on Cybersecurity (AMCC) and the Global Forum on Cyber Expertise (GCFE) Meridian Good Practice Guide on Critical Information Infrastructure Protection. 2. Identifying CIIs Identifying ASEAN CIIs and their potential cross-border interdependency is the first step toward making ASEAN CIIs more resilient and ensuring continuity of essential CII service delivery across the region. AMS are encouraged to: ➢ Identify national CIIs (if not yet defined) and their cross-border CII interdependency in the region. ➢ Identify cross-border CII dependency measures (including legal, regulatory, policy, and strategy), cross-border CII dependency risks, and how to assess and mitigate those risks. ➢ Coordinate the development of national regulation and legislation which governs cross- border interdependent CIIs. 3. Protecting CIIs Effective CII protection practices in each AMS including implementationof a minimumprotection requirement, procedural mechanisms and guidelines (especially among the CIIs that are cross- border interdependent), determine holistic ASEAN CII resilience. AMS are encouraged to: ➢ Implement industry-recognized CIIP procedural mechanisms and guidelines such as the NIST Framework for Improving Critical Infrastructure Cybersecurity. ➢ Develop national and regional backup and recovery strategies to safeguard critical information and increase resilience across the ASEAN region.
8 ➢ Prioritize protectionof CIIs with high cross-border cybersecurityrisk impactsincluding (1) energy and utilities, (2) transportation and (3) ICT sectors. 4. Information Sharing Information sharing is a collaborative effort and a shared responsibility to enrich and improve CII resilience practices through standardization at operational, regulatory, institutional and policy levels across the ASEAN region. AMS are encouraged to: ➢ Support the development of regional information sharing and collaboration platforms on CIIP such as ASEAN Information Sharing and Analysis Center (ASEAN-ISAC). ➢ Formalize the format of information exchanges and the general terms/provisions of the sharing agreement. ➢ Implement timely information sharing about the occurrence of cybersecurity incidents. 5. Incident Response The ability to respond to CII security incidents in a timely and effective manner is critically important to maintaining CII resilience. A coordinated approach should be employed when dealing with incidents related to cross-border interdependent CIIs. AMS are encouraged to: ➢ Enhance incident response effectiveness through cooperation, communication and coordination among national CERTs. ➢ Support the establishment of a regional cybersecurity incident response capability, such as the ASEAN Computer Emergency Response Team (ASEAN CERT), to support AMS national CERTs and cybersecurity incident response agencies. ➢ Promote regional incident response readiness through the ASEAN Computer Emergency Response Team Incident Drill (ACID) throughout the ASEAN region. 6. Capacity Building Coordinated efforts to develop cybersecurity capacity to protect CIIs is a high priority for ASEAN as the demand for cybersecurity experts continues to grow and remains a significant challenge. AMS are encouraged to: ➢ Coordinate cybersecurity skills refresh and upgrade programs, including regular provisional cybersecurity exercises. ➢ Define regional requirements and assess the effectivenessof capacity building efforts in the region.
9 ➢ Strengthen ASEAN-wide cybersecurity capacity building programs including the courses offered by the ASEAN-Japan Cybersecurity Capacity Building Centre (AJCCBC), the ASEAN Singapore Cybersecurity Centre of Excellence (ASCCE) and other ASEAN dialogue partners. The ASEAN Critical Information Infrastructure Protection Framework should consist of current and continually updated actions put into practice and improved as AMS provides feedback on implementation progress which can then be integrated into future versions. The Framework can be used to align cybersecurity decisions to mission objectives; organize cybersecurity requirements originating from legislation, regulation, policy, and industry best practices; communicate cybersecurity requirements with stakeholders, including partners and suppliers; integrate privacy and civil liberties risk management into cybersecurity activities; measure and express its current and desired state; prioritize cybersecurity resources and activities; and analyze trade-offs between expenditure and risk. Way Forward As ASEAN prepares to deploy its Digital Masterplan 2025, the ASEAN Critical Information Infrastructure Protection Framework will play a crucial role in building and ensuring CII resilience, trust and security. This Framework will strengthen regional CII resilience and prevent any potential escalation of cyber threats that could lead to national harm, disruption of services and even loss of life. The adoption of this unified, flexible and practical protection framework will encourage further cooperation, communication and collaboration among AMS across the region to advance the vision of a secure ASEAN community. Furthermore, bearing in mind that the scope of what one country considers CIIs may vary over time and be influenced by a multitude of factors, it is recommended that ASEAN review, update and re-assess the Framework and recommendations on a regular interval, such as every 2-3 years.

More Related Content

ASEAN Critical Information Infrastructure Protection Framework

  • 1. ASEAN CRITICAL INFORMATION INFRASTRUCTURE PROTECTION FRAMEWORK ASEAN CRITICAL INFORMATION INFRASTRUCTURE PROTECTION FRAMEWORK
  • 2. Table of Contents Introduction 1 Methodology 1 Results and Deliverable Outcome 1 I. Identifying CIIs that Have Strategic Imperatives 1 1. Identify National CIIs, Common Regional CIIs, and Cross-border CIIs Dependency 2. Identify Key Decision-making Factors to Help Identifying National CII of the AMS Who Have Not Yet Defined Their CIIs 3. Identify Cross-border CII Dependency Risk Perception II. Developing Coordinated Approaches for Cybersecurity Protection 4 4. Identify Common CII Sectors that Are “Sensitive” and “Feasible” for Information Sharing among ASEAN 5. Identify Supports Needed to Raise the Protection Levels of CII Across All AMS 6. Identify Actions Needed to Enhance Information Sharing and Regional Collaboration to Raise the CIIP Levels Across All AMS. 7. Identify Status and the Ways to Promote Bilateral or Multilateral Cooperation and Agreements to Improve the CII Protection Levels in ASEAN Framework Recommendation 5 ASEAN Critical Information Infrastructure Protection (CIIP) Framework 6 1. Policy Coordination, 2. Identifying CIIs, 3. Protecting CIIs, 4. Information Sharing, 5. Incident Response, and 6. Capacity Building. Way Forward 9
  • 3. 1 Summary of ASEAN Critical Information Infrastructure Protection Framework Project Introduction The main purpose of the study and its point of action is to develop regional critical information infrastructure (CII) resilience practices by identifying CII that have strategic imperatives and developing coordinated approaches for cybersecurity protection. The scope of this project study is based on the ASEAN ICT Masterplan 2020 which aims to strengthen information security and assurance among ASEAN Member States (AMS). Methodology The project study approached its objectives in four stages. The first stage is conducting research on country overviews dealing with AMS CII approaches, concept and definition, cross-border and CII interdependencies, cybersecurity policy, strategies, and laws for CII protection. The second stage is conducting the survey among AMS coordinating authorities or national cybersecurity experts while the third stage included the sharing of best practices by experts with advanced or long-time experience with CII protection. Last, a roundtable discussion was held where AMS participants discussed the survey results, provided mutual agreements on different challenges, and shared their perspectives, experiences, and implications towards a common goal of building CII resilience to secure and protect information security in the region. Results and Deliverable Outcome The project study has reached its objectives and achievements which include (I) identifying CIIs that have strategic imperatives and (II) developing coordinated approaches for cybersecurity protection. The project results and deliverable outcome will be described by the 7 key findings which consists of the following: I. Identifying CIIs that Have Strategic Imperatives 1. Identify National CIIs, Common Regional CIIs, and Cross-border CIIs Dependency Beyond national CIIs of the 7 AMS that have been previously defined (Brunei, Indonesia,Malaysia, Philippines, Singapore, Thailand, and Vietnam), the project study identifies potential national CIIs of the remaining AMS who have not yet defined their CIIs and participated in the survey (Cambodia and Laos) and reached a common AMS CII.* These sectors are Government Agency,
  • 4. 2 Energy & Utilities, Banking/Financial Services, and Information/Communications/Telecommunications (ICT) Common AMS Critical Information Infrastructure (CII)* 1) Government Agency 2) Energy & Utilities 3) Banking/Financial Services 4) ICT (* Not represented or related to cross-border CII or CII Interdependency) Cross-border CII dependency, in other words, CIIs that could have high cross-border cybersecurity risk impacts in the region is also investigated and identified. On a scale of ‘none’ to ‘high’ (where 0 = none, 1= low, 2 = medium, and 3 = high), the project study indicates most AMS do not perceive or are aware of a high level of cross-border sectoral dependency in the region at this moment. However, Information/Communications/Telecommunications (ICT) is the sector that most AMS consider posing highest cross-border cybersecurity risk impacts in ASEAN. Other Sector/Service/ Industry Brunei Indonesia Malaysia Philippines Singapore Thailand Vietnam Common Cambodia and Lao PDR # Numbers 8 10 10 12 11 7 11 Potential 1 Government Agency/Ministry ✓ 1. Law Enforcement 2. E-GOV’T GOV’T (including E-GOV’T) GOV'T GOV'T GOV'T 1. E-GOV'T 2. Smart- City 3. Natural Resources ✓ 2 Energy and/or Utilities ✓ Energy and Mineral ✓ ✓ ✓ ✓ ✓ ✓ 3 Water ✓ ✓ ✓ ✓ 4 Banking/Financial Services ✓ ✓ 1. Banking 2. Finance ✓ ✓ ✓ 1. Banking 2. Finance ✓ 5 Healthcare Services ✓ ✓ ✓ ✓ ✓ ✓ ✓  6 ICT ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ 7 Transportation ✓ ✓ ✓ 1. Land 2. Maritime 3. Air 1. Land 2. Maritime 3. Aviation ✓ ✓ 8 Defense & Security Services Defense Defense & Strategic Industry (Resilience) Defence & Security  Security & Emergency Services ✓ ✓ 9 Emergency Services  ✓ ✓ ✓  ✓ 10 Media & Public Communications    ✓ ✓   11 E-Government ✓       12 Food and Agriculture  Food Security ✓     13 Business Process Outsourcing (BPO)    ✓   
  • 5. 3 sectors include Energy & Utilities, Government Agency, Transportation, and Banking/Financial sectors, respectively. AMS perception of cross-border CII Dependency Ranked highest to lowest 1st ICT 2nd Energy & Utilities 3rd Government Agency/Ministry 4th Transportation 5th Banking/Financial Services 2. Identify Key Decision-making Factors to Help Identifying National CII of the AMS Who Have Not Yet Defined Their CIIs The project study combines and compares key decision-making factors to identify national CIIs of AMS who have not yet defined their CIIs to those of AMS who already have CIIs. It has been concluded that Impact on the Economy is the most important key decision-making factor that was considered in identifying the national CIIs by all AMS. Rank Common Decision-Making Factors to Identify National CIIs By the AMS which already have CIIs defined By the (Perception of) AMS which have not defined their CIIs 1st Impact on the economy Impact on the public safety Impact on the economy Impact on the national security and defense 2nd Impact on the national security and defense Impact on the public health Reliance on digital technologies Impact on the gov’t capabilities to function 3rd Impact on the public order and social well- being Impact on the national image Impact on the gov’t capabilities to function Impact on the public order and social well- being Impact on the public safety Impact on the public health 4th Reliance on digital technologies Impact on the national image Other Impact on the personal data violation 3. Identify Cross-border CII Dependency Risk Perception The project study indicates that significant risks related to cross-border CII dependency are (1) technological risks, (2) legal and procedural risks, and (3) social or cultural aspects. Top technological risks include specific threats and risks (geographic risks: disruption of regional network in one region) and man-made hazards (lack of technical expertise, operating errors, and failure of systems). In addition, AMS have identified that threats and incidents that are likely to have the most influence on ASEAN cross-border dependencies include availability (such as a DDos attack), intrusion attempts, and malicious code. Legal and procedural risks include the differences in legislation and policy (on an international level) and the lack of equivalent security standards (on the ASEAN level). Most AMS also pointed
  • 6. 4 out risks in social or cultural aspect to be considered such as lack of information sharing for both reactive and preventive activities, lack of trust, and difference in threat perception. II. Developing Coordinated Approaches for Cybersecurity Protection 4. Identify Common CII Sectors that Are “Sensitive” and “Feasible” for Information Sharing among ASEAN The project study finds the most “sensitive” sectors for regional information sharing are Defense and Security, Financial Services, and Government Agency/Ministry and the most “feasible” sectors for information sharing among AMS are Media & Public Communications, Food and Agriculture, and Transportation, respectively. Most Sensitive Sectors for AMS Information Sharing Ranked highest to lowest Most Feasible Sectors for AMS Information Sharing Ranked highest to lowest 1st Defense and Security 2nd Financial Services 3rd Government Agency/Ministry 1st Media & Public Communications 2nd Food and Agriculture 3rd Transportation Transportation, however, is the sector that most AMS consider pose comparatively high cross- border cybersecurity risk impacts in the region as well as being feasible for information sharing among AMS. Therefore, the sector that AMS should consider starting and focusing on information sharing for CII protection at this moment is the Transportation sector. 5. Identify Supports Needed to Raise the Protection Levels of CII Across All AMS In order to increase the protection level of CII across all AMS, the following supports needed among AMS are: 5.1 Enhancing information sharing among AMS. 5.2 Identifying their own CII assets and CIIP responsibilities as well as the member’s dependency among AMS. 5.3 Empowering point of contact of organizations that can respond and coordinate (aside from legislation, capacity building, and the budget) among ASEAN. 5.4 Adopting a regional CIIP framework which will be the basis and baseline for each AMS in identifying and protecting CIIs in the region. 5.5 Developing a joint consensus to protect the CII and to ensure security and resilience in each AMS and ASEAN. 5.6 Having a forum or working group for CIIP initiatives. 5.7 Being committed to support CII operators to achieve regional security standard level and ensure countermeasuresof each AMS and ASEAN such as building human resource capacity through training programs, workshops, and others relevant activities. The projec study finds the supports most needed by AMS in order to raise the CII protection levels in the region is Information Sharing.
  • 7. 5 6. Identify Actions Needed to Enhance Information Sharing and Regional Collaboration to Raise the CIIP Levels Across All AMS. In order to enhance information sharing and regional collaboration to raise the CII protection levels across the region, the major actions needed and recommended are: 6.1 Establishing an ASEAN Information Sharing and Analysis Center (ASEAN-ISAC). 6.2 Developing information sharing pilot projects for Transportation and ICT sectors. (since both sectors are considered to pose the greatest cross-border cybersecurity risk impacts in the region and to be feasible for comparative information sharing among AMS). 6.3 Developing a trusted platform and building a communication forum among AMS and ASEAN CII operators on provisions regarding cyber threats information related to the CIIP. 7. Identify Status and the Ways to Promote Bilateral or Multilateral Cooperation and Agreements to Improve the CII Protection Levels in ASEAN Regarding the status of regional collaboration, the project study finds AMS are not aware of any existing cooperation or agreements on CII protection at this moment. However, there could be some form of AMS collaborations on CIIP that participating AMS may not recognize. In order to promote bilateral or multilateral cooperation and agreement on CII protection levels in the region, AMS has suggested the following: 7.1 Developing a CII sector-based approach by sharing functions and information, having bilateral agreements on a sector-by-sector basis and then from country to country, expanding to multilateral agreements before proceeding to an ASEAN platform, and moving towards essential practical implementations. At the same time, revising the existing agreements and instruments on ICT and/or cybersecurity in CIIP specific clauses if possible. 7.2 Developing a regulatory body that can receive AMS information from each recognized CII sector and having one central organization to collect and distribute data in the region. Framework Recommendation In moving towards ASEAN’s initiative to strengthen information security and assurance among AMS, the project study addressed a comprehensive ASEAN Critical Information Infrastructure Protection (CIIP) Framework which provides strategic recommendations and coordinated approaches to create more resilient cybersecurity across ASEAN’s critical information infrastructure as follows: Six pillars of ASEAN Critical Information Infrastructure Protection Framework (1) Policy Coordination, (2) Identifying CIIs, (3) Protecting CIIs,
  • 8. 6 (4) Information Sharing, (5) Incident Response, and (6) Capacity Building. Diagram: 6 Pillars of ASEAN Critical Information Infrastructure Protection Framework
  • 9. 7 1. Policy Coordination Policy coordination among AMS through mutually agreed coordinating mechanisms which support and promote collaborative activities across AMS borders, sectors and organizations is essential to the security of the CIIs within the ASEAN region. AMS are encouraged to: ➢ Develop bilateral and/or multilateral cooperative agreements to enhance security of inter- dependent CIIs within ASEAN. ➢ Implement and enhance Public-Private Partnerships, Business Continuity Management, Crisis Management, and sets of cyber incident exercises and tests. ➢ Establish national and regional Points of Contact (POC) for the ASEAN network of cybersecurity experts and organizations. ➢ Participate in cyber norm development activities at the regional and global levels such as the 2015 UNGGE recommendations that were endorsed by the ASEAN Ministerial Conference on Cybersecurity (AMCC) and the Global Forum on Cyber Expertise (GCFE) Meridian Good Practice Guide on Critical Information Infrastructure Protection. 2. Identifying CIIs Identifying ASEAN CIIs and their potential cross-border interdependency is the first step toward making ASEAN CIIs more resilient and ensuring continuity of essential CII service delivery across the region. AMS are encouraged to: ➢ Identify national CIIs (if not yet defined) and their cross-border CII interdependency in the region. ➢ Identify cross-border CII dependency measures (including legal, regulatory, policy, and strategy), cross-border CII dependency risks, and how to assess and mitigate those risks. ➢ Coordinate the development of national regulation and legislation which governs cross- border interdependent CIIs. 3. Protecting CIIs Effective CII protection practices in each AMS including implementationof a minimumprotection requirement, procedural mechanisms and guidelines (especially among the CIIs that are cross- border interdependent), determine holistic ASEAN CII resilience. AMS are encouraged to: ➢ Implement industry-recognized CIIP procedural mechanisms and guidelines such as the NIST Framework for Improving Critical Infrastructure Cybersecurity. ➢ Develop national and regional backup and recovery strategies to safeguard critical information and increase resilience across the ASEAN region.
  • 10. 8 ➢ Prioritize protectionof CIIs with high cross-border cybersecurityrisk impactsincluding (1) energy and utilities, (2) transportation and (3) ICT sectors. 4. Information Sharing Information sharing is a collaborative effort and a shared responsibility to enrich and improve CII resilience practices through standardization at operational, regulatory, institutional and policy levels across the ASEAN region. AMS are encouraged to: ➢ Support the development of regional information sharing and collaboration platforms on CIIP such as ASEAN Information Sharing and Analysis Center (ASEAN-ISAC). ➢ Formalize the format of information exchanges and the general terms/provisions of the sharing agreement. ➢ Implement timely information sharing about the occurrence of cybersecurity incidents. 5. Incident Response The ability to respond to CII security incidents in a timely and effective manner is critically important to maintaining CII resilience. A coordinated approach should be employed when dealing with incidents related to cross-border interdependent CIIs. AMS are encouraged to: ➢ Enhance incident response effectiveness through cooperation, communication and coordination among national CERTs. ➢ Support the establishment of a regional cybersecurity incident response capability, such as the ASEAN Computer Emergency Response Team (ASEAN CERT), to support AMS national CERTs and cybersecurity incident response agencies. ➢ Promote regional incident response readiness through the ASEAN Computer Emergency Response Team Incident Drill (ACID) throughout the ASEAN region. 6. Capacity Building Coordinated efforts to develop cybersecurity capacity to protect CIIs is a high priority for ASEAN as the demand for cybersecurity experts continues to grow and remains a significant challenge. AMS are encouraged to: ➢ Coordinate cybersecurity skills refresh and upgrade programs, including regular provisional cybersecurity exercises. ➢ Define regional requirements and assess the effectivenessof capacity building efforts in the region.
  • 11. 9 ➢ Strengthen ASEAN-wide cybersecurity capacity building programs including the courses offered by the ASEAN-Japan Cybersecurity Capacity Building Centre (AJCCBC), the ASEAN Singapore Cybersecurity Centre of Excellence (ASCCE) and other ASEAN dialogue partners. The ASEAN Critical Information Infrastructure Protection Framework should consist of current and continually updated actions put into practice and improved as AMS provides feedback on implementation progress which can then be integrated into future versions. The Framework can be used to align cybersecurity decisions to mission objectives; organize cybersecurity requirements originating from legislation, regulation, policy, and industry best practices; communicate cybersecurity requirements with stakeholders, including partners and suppliers; integrate privacy and civil liberties risk management into cybersecurity activities; measure and express its current and desired state; prioritize cybersecurity resources and activities; and analyze trade-offs between expenditure and risk. Way Forward As ASEAN prepares to deploy its Digital Masterplan 2025, the ASEAN Critical Information Infrastructure Protection Framework will play a crucial role in building and ensuring CII resilience, trust and security. This Framework will strengthen regional CII resilience and prevent any potential escalation of cyber threats that could lead to national harm, disruption of services and even loss of life. The adoption of this unified, flexible and practical protection framework will encourage further cooperation, communication and collaboration among AMS across the region to advance the vision of a secure ASEAN community. Furthermore, bearing in mind that the scope of what one country considers CIIs may vary over time and be influenced by a multitude of factors, it is recommended that ASEAN review, update and re-assess the Framework and recommendations on a regular interval, such as every 2-3 years.