The same information security threats that pose major risks to corporate IT systems also present serious risks to national and business infrastructures, from transport systems and utility networks to manufacturing facilities and financial transaction networks.
This is the warning from the Information Security Forum (ISF) at this week’s Infosecurity Europe 2008 show in west London.
“While the increasing dependence on IT may make this seem rather obvious; the relationship between information systems and critical infrastructures is frequently overlooked,” says Mark Chaplin, the author of a report published by the ISF, an association of over 300 businesses and public sector organisations from around the world. “Furthermore, it appears that information security professionals are rarely involved in the design, planning, implementation and management of infrastructure components, such as vital production lines, support networks and electricity supply, heating and ventilation equipment – and this has to change.”
The ISF report available to its members is called ‘Securing Critical Infrastructure’ and includes recommendations to address these important issues.
Today, nearly all critical infrastructure components within an organisation are supported or enabled by information systems, ranging from embedded systems and process control PCs to sophisticated information systems such as Computer-Aided Manufacturing (CAM) and Supervisory Control and Data Acquisition (SCADA).
“The dependence on information systems introduces security issues that can have a significant impact on the resilience and reliability of critical infrastructures, regardless of whether the supporting systems are centralised, stand-alone or embedded,” says Chaplin.
The report focuses on critical business infrastructure associated with four different categories, each of which can be adversely affected by a failure or compromise of information systems:
Operations – including machinery and manufacturing equipment, transportation and financial processing equipment
Telecommunications – including telephone and mobile communications and network equipment
Utilities – including gas, water and electricity processing equipment
Buildings – including surveillance, physical access and health and safety equipment, and the buildings themselves
Threats to these critical infrastructures include: external threats such as hacking, espionage and denial of service attacks; internal threats including human error, malicious misuse and fraud; and natural or man-made disasters such as fire, flooding or explosions, which could damage IT equipment.
The association points to examples of how information security failures have brought business and national infrastructures to a grinding halt from a breakdown in signalling on the railways or baggage handling at airports, to a collapse in business operations due to severe weather conditions. These instances can often be avoided by following simple steps as outlined below.
Securing Critical Infrastructure is one of over 200 authoritative reports along with information risk methodologies and benchmarking tools that are available free of charge to ISF members. In addition, the latest ISF Standard of Good Practice for Information Security is also available free to non-members at www.isfstandard.com
Identify the organisation’s critical infrastructure
* Gain a high level and enterprise-wide view of infrastructure used by the organisation
* Determine which components of infrastructure are critical
Determine the information systems that support the critical infrastructure
* Identify information systems associated with critical infrastructure
* Maintain an inventory of information systems that support critical infrastructure
* Establish roles and responsibilities of individuals who own and run critical infrastructure
Perform an information risk analysis of information systems that support critical infrastructure
* Translate business requirements for critical infrastructure into information security requirements
* Assess the threats to information systems that support critical infrastructure
* Evaluate the vulnerabilities associated with information systems that support critical infrastructure
* Report the findings of the information risk analysis
Establish a framework of controls to secure the critical infrastructure
* Develop a control framework for information systems that support critical infrastructure
* Apply a balanced set of controls to information systems that support critical infrastructure
* Reduce single points of failure associated with critical infrastructure
* Address the power requirements of information systems that support critical infrastructure
* Manage third parties that are involved with critical infrastructure.