Securing a U.N. Climate Convention
Client:The Ministry of Foreign Affairs of Denmark and the United Nations Framework Convention on Climate Change
- Conflicting security objectives and technical challenges for a major conference
- Performed a distributed security assessment of the conference environment.
- Reduced real world threat profile, increased availability of key infrastructure and information systems.
- Improved visibility of security events in real time, and stronger security architecture and segregation between security zones.
Last year, CSC’s Global StrikeForce team was tasked to assess both physical and IT security used for the United Nations Framework Convention on Climate Change in Denmark. The conference’s goal: to reach a binding global climate agreement that would go into effect when the first commitment period under the Kyoto Protocol expires in 2012.
Some 30,000 people, including 15,000 delegates, 7,500 media members and 7,500 nongovernment participants attended the two-week conference. In addition, protestors, 2,000 of whom were arrested, joined as uninvited guests. Conference floor space, which spread across more than 60,000 square meters, was webbed with almost 1,000 kilometers of network cabling, 5,000 network end points, public and private voice and data networks, and a core network infrastructure that rivaled a large, permanent data center.
StrikeForce began work months before the December 2009 conference, providing security assessment and testing of the entire cyber and physical environment in which the U.N. conference would take place. Risks ranged from espionage against participants to protecting privileged information and infrastructure from outside groups pushing specific, and potentially disruptive, agendas. Denmark’s police force was responsible for external security.
Complex distributed security
During the project, StrikeForce worked with numerous participants, including government staff, such as heads of state, police and intelligence services; U.N. staff; nongovernment organizations; media; and IT suppliers. CSC worked with all participants to ensure the highest levels of security were achieved across all areas, including straddling groups that worked independently, but whose actions could have affected security in adjacent areas.
Protecting highly sensitive data
During the conference, United Nations staff and delegates accessed voice and data, much of which would have been considered highly sensitive, via internal trusted, external untrusted and semitrusted networks. During an event such as this, where hundreds of groups have different objectives and agendas, this segregation not only becomes more important, but infinitely more complex.
Everything from voice communications to print jobs needed to be protected from adjacent third parties. Hackers could have intercepted this traffic by introducing a rogue access point masquerading as a legitimate wireless access point.
Cyber reports and solutions
During the project, and after the conference was finished, we provided detailed assessment reports that identified security events as they happened and provided concrete solutions that would eliminate the potential for similar future events so they could be resolved before any damage occurred. CSC also provided a complete historical record of security events enabling users to fully investigate any actions or events that led to a failure of one or more of the security controls.
Each contractor and service provider supporting specific elements of the conference’s infrastructure was responsible for fixing any StrikeForce identified threats or weaknesses. StrikeForce worked directly with each group to determine the most effective and appropriate remediation plan based on the security objectives, time and budget.
Download a longer, PDF version of this case study.