How TeskaLabs Helps You Operate SCADA Systems Securely and Comply with Security Laws
The fight against the Wild Wild Web
Cyberspace does not have boundaries. The internet is a truly international community, and it takes just milliseconds to reach a data source on a whole different continent. The internet is therefore an open arena for cyberattacks from across the world, where anyone can try to break their way into someone else’s data. We can see this daily in the news or on the specialized ICT news servers- the attacks never stop.
The European Union takes cyber threats seriously and requires all members states to adopt a law that deals with critical informational assets protection, and the protection of the information related to national security. EU countries have gradually adopted their own laws governing the information technology sector. Because many security laws are inspired by the ISO 27000 standard family, we can take ISO 27001 requirements as a pattern of rules used, more or less, in every national security law. The Czech Republic was the first EU country to adopt such national security laws three years ago, laws which have affected hundreds of government systems, and thousands of businesses and their IT systems.
The goal of ISO 27000 is to implement a systematic approach to managing sensitive company information and keep this information secure. It incorporates people, processes, and ICT systems by applying a risk management process. Thus, information security management system (ISMS) is implemented to ensure that every critical system is well-protected, monitored and accessible, as well as to ensure all the company’s processes are designed with security in mind. In short, it has the same goal as national security laws, but operates on a smaller scale.
Compliance with national security law or ISO 27000 requires a combination of organizational and technical measures. Carrying out all necessary steps can take months or years depending on the company size, and it costs a sizeable amount of money. The question is, should you care about security?
Why do you want to protect critical assets?
National security laws focus on protection of national security related information, critical informational assets such as information systems, information, contracts, factories and machines, or basic but important services like electricity and gas delivery, television and radio broadcasts, money transfers, or protection of police, military, and hospital data. In fact, security protection is essential whenever there is a direct connection between the physical and digital world. A security failure can have a serious impact on people’s everyday lives, or even put their lives or national security at risk.
These consequences cost money to put right- much more than preventative measures.
For example, an oil distribution company has sensors all over their distribution pipes and pressure stations. In a central SCADA system, the pressure of the oil is controlled and adjusted by input data from sensors. If attackers gain control of the sensor data, they can also alter the data and trigger certain processes behind the control system. Let’s imagine a situation where a hacker alters data about pressure in the pipes. The central control system is informed that the pressure is decreasing, and therefore automatically raises the pressure to its optimum level. However, this could result in an accident where hundreds of barrels of oil contaminate the environment- all because hackers were able to alter a single piece of data.
We can now see that the amount of money required for data integrity protection is nothing compared to the cost of the environmental clean-up that the oil company would then have to carry out. Cyber security laws are in place for a reason - to reduce risk, and lessen the impact of potential breaches. For the same reason that you would buy insurance on your car, cyber security protects you from a serious financial headache in the event that something goes wrong. Not only that, but national security laws are also tutorials on how to protect assets, and how to do it right.
You might have heard of the CIA triad, a popular term referring to Confidentiality, Integrity, and Availability. All three criteria should be met to ensure data security. Together with proper authentication and authorization of all communication sides, a robust and secure IT environment is created. Data within such an environment is secure and protected against attackers. Sadly, most information systems and services provided by many companies are not secure as they should be.
Requirements from the law
As much as we’d like it to, no single piece of technology exists which can cover all security requirements. In order to be compliant with national security law or to fulfill all ISO 27001 requirements, it’s likely that you’ll need to implement several security technologies.
In the previous example with oil distribution, a potential problem lies with unauthorized access to critical data and the ability to modify it. The integrity and confidentiality of the sensors data were broken. As mentioned, the three characteristics of the CIA triad need to be ensured regarding information systems, their data, and the data in transit.
- Integrity (data will be received as it was transmitted)
- Confidentiality (data/service is available to authorized personnel only)
- Availability (data/service is available anytime it is needed)
We can extend the set by additional characteristics:
- Authenticated (data traffic relates to particular identified user)
- Authorized (all data contains the user identification, and the system checks whether or not the user has the right to send or receive it)
- Non-repudiation (every complete operation is logged, and the operation is proved)
There are two possible approaches which will ensure all of these criteria are met. You can either use separate dedicated appliances for each set of criteria, or alternatively to wholly cover all the criteria with a single set of devices or technology. Separate appliances are more expensive, and present a more complex solution with bigger requirements related to high availability.
How we help
TeskaLabs’ SeaCat technology is a comprehensives server software that you secure SCADA and related infrastructure and to remain or become compliant with industry regulations and security laws.
SeaCat operates on a wide range of devices, interfaces and systems such as mobile, web API, and IoT hub. SeaCat, designed to operate in production and critical environment, helps you ensure integrity, confidentiality, availability of data managed and controlled by your SCADA systems and the non-repudiation of data transactions. If you’d like to learn more about our industrial IoT security for SCADA, visit this web page https://www.teskalabs.com/industries/industrial-iot-security-for-scada. Alternatively, contact us to how we can assist you with the security of your SCADA system.
Data encryption tool for GDPRMore information
You Might Be Interested in Reading These Articles
In October 2015, Blakely Thomas-Aguilar did a great article on mobile security statistics on the VMware AirWatch blog that can and will send shivers down your spine. For example, she found that there was an increase of 18% in the number of Android vulnerabilities between 2011 and 2015.
Published on July 26, 2016
MazelTov and the Russian Underground Have It Going for Your Android Devices. But Not for Good Reasons
The Internet has been a good place for individuals and businesses. However, it's fast-becoming a leading medium for criminals in this cyber war against people like you and I. One example is the Russian underground that sell anything to do with cyber crime. On their websites, you can find any type of Trojans, exploits, rootkits and fake documents.
Published on May 19, 2015
In June 2017, two information security firms researching the 2016 hack of the electricity grid in Ukraine announced that they had identified the malicious code used to shut down power stations and leave thousands of households and businesses in darkness for several hours. The malware used to target the Kiev power grid has been named Industroyer, and it serves as a sobering reminder about the dangers faced by the Industrial Internet of Things (IIoT).
Published on September 05, 2017