How TeskaLabs Helps You Operate SCADA Systems Securely and Comply with Security Laws
The fight against the Wild Wild Web
Cyberspace does not have boundaries. The internet is a truly international community, and it takes just milliseconds to reach a data source on a whole different continent. The internet is therefore an open arena for cyberattacks from across the world, where anyone can try to break their way into someone else’s data. We can see this daily in the news or on the specialized ICT news servers: the attacks never stop.
The European Union takes cyber threats seriously and requires all member states to adopt a law dealing with the protection of critical information assets and of information related to national security. EU countries have gradually adopted their own laws governing the information technology sector. Because many security laws are inspired by the ISO 27000 standard family, we can take the ISO 27001 requirements as a pattern for the rules used, more or less, in every national security law. The Czech Republic was the first EU country to adopt such a national security law three years ago; it has affected hundreds of government systems and thousands of businesses and their IT systems.
The goal of ISO 27000 is to implement a systematic approach to managing sensitive company information and keeping it secure. It incorporates people, processes, and ICT systems by applying a risk management process. Thus, an information security management system (ISMS) is implemented to ensure that every critical system is well protected, monitored and accessible, and that all of the company’s processes are designed with security in mind. In short, it has the same goal as national security laws, but operates on a smaller scale.
Compliance with national security law or ISO 27000 requires a combination of organizational and technical measures. Carrying out all necessary steps can take months or years depending on the company size, and it costs a sizeable amount of money. The question is, should you care about security?
Why do you want to protect critical assets?
National security laws focus on the protection of information related to national security and of critical information assets: information systems, the information they hold, contracts, factories and machines, basic but important services such as electricity and gas delivery, television and radio broadcasts, and money transfers, or the data of the police, the military, and hospitals. In fact, security protection is essential wherever there is a direct connection between the physical and the digital world. A security failure can have a serious impact on people’s everyday lives, or even put their lives or national security at risk.
These consequences cost money to put right, much more than the preventative measures would have.
For example, an oil distribution company has sensors all over its distribution pipes and pressure stations. In a central SCADA system, the pressure of the oil is controlled and adjusted based on the input data from those sensors. If attackers gain control of the sensor data, they can alter it and thereby trigger processes behind the control system. Let’s imagine a situation where a hacker alters the data about the pressure in the pipes. The central control system is informed that the pressure is decreasing and therefore automatically raises the pressure to its optimum level. However, this could result in an accident where hundreds of barrels of oil contaminate the environment, all because hackers were able to alter a single piece of data.
We can now see that the amount of money required for data integrity protection is nothing compared to the cost of the environmental clean-up that the oil company would then have to carry out. Cyber security laws are in place for a reason: to reduce risk and lessen the impact of potential breaches. For the same reason that you would buy insurance for your car, cyber security protects you from a serious financial headache in the event that something goes wrong. Not only that, but national security laws are also tutorials on how to protect assets, and how to do it right.
You might have heard of the CIA triad, a popular term referring to Confidentiality, Integrity, and Availability. All three criteria should be met to ensure data security. Together with proper authentication and authorization of all communicating parties, a robust and secure IT environment is created. Data within such an environment is secure and protected against attackers. Sadly, most information systems and services provided by many companies are not as secure as they should be.
Requirements from the law
As much as we’d like it to, no single piece of technology exists which can cover all security requirements. In order to be compliant with national security law or to fulfill all ISO 27001 requirements, it’s likely that you’ll need to implement several security technologies.
In the previous example with oil distribution, the problem lies with unauthorized access to critical data and the ability to modify it: the integrity and confidentiality of the sensor data were broken. As mentioned, the three characteristics of the CIA triad need to be ensured for information systems, their stored data, and their data in transit.
- Integrity (data will be received as it was transmitted)
- Confidentiality (data/service is available to authorized personnel only)
- Availability (data/service is available anytime it is needed)
We can extend the set by additional characteristics:
- Authenticated (data traffic relates to a particular identified user)
- Authorized (all data carries the user identification, and the system checks whether or not the user has the right to send or receive it)
- Non-repudiation (every completed operation is logged, so that the operation can be proven)
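As an added illustration of the integrity, authentication, replay-protection and non-repudiation properties listed above, applied to the pipeline pressure scenario from earlier: each sensor reading carries a sequence number and an HMAC tag computed with a per-sensor key, and the controller verifies the tag and the sequence before it acts on the value, recording every decision in an audit log. This is example code written for this page, not TeskaLabs’ or SeaCat’s implementation; the sensor ids, keys, readings and set-point are constructed, and confidentiality (encrypting the channel) is deliberately left out to keep the example short.

```python
"""Authenticated sensor telemetry for a SCADA pressure loop (added example).

Each pressure reading is wrapped in a message carrying the sensor id, a
monotonically increasing sequence number and an HMAC-SHA256 tag computed
with a per-sensor key.  The controller verifies the tag before acting, so an
altered pressure value is rejected and logged instead of driving the pump.
Sensor ids, keys, readings and the set-point below are constructed.
"""
import hashlib
import hmac
import json
import logging

# Constructed per-sensor keys; a real deployment would load these from a key store.
SENSOR_KEYS = {
    "ps-01": b"example-key-for-pressure-station-01",
}

TARGET_PRESSURE = 60.0  # bar, constructed set-point


def canonical(payload):
    """Serialise the signed fields deterministically so sender and verifier agree."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_reading(sensor_id, seq, pressure):
    """Sensor side: build an integrity-protected, authenticated message."""
    payload = {"sensor": sensor_id, "seq": seq, "pressure": pressure}
    tag = hmac.new(SENSOR_KEYS[sensor_id], canonical(payload), hashlib.sha256).hexdigest()
    return {**payload, "tag": tag}


class Controller:
    """SCADA side: verify first, then act; keep an audit record of every decision."""

    def __init__(self):
        self.last_seq = {}           # highest accepted sequence per sensor (replay protection)
        self.audit = []              # non-repudiation: every accepted or rejected message
        self.pressure_setting = TARGET_PRESSURE

    def verify(self, msg):
        """Return (accepted, reason) without changing any state."""
        key = SENSOR_KEYS.get(msg.get("sensor"))
        if key is None:
            return False, "unknown sensor"
        try:
            payload = {k: msg[k] for k in ("sensor", "seq", "pressure")}
        except KeyError:
            return False, "malformed message"
        expected = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
        # Constant-time comparison so tag checking does not leak timing information.
        if not hmac.compare_digest(expected, str(msg.get("tag", ""))):
            return False, "bad tag"
        if msg["seq"] <= self.last_seq.get(msg["sensor"], -1):
            return False, "replayed or stale sequence"
        return True, "ok"

    def handle(self, msg):
        """Verify a reading, log the outcome, and adjust the set-point only if it is genuine."""
        ok, reason = self.verify(msg)
        self.audit.append({
            "sensor": msg.get("sensor"), "seq": msg.get("seq"),
            "pressure": msg.get("pressure"), "accepted": ok, "reason": reason,
        })
        if not ok:
            logging.warning("rejected reading from %s: %s", msg.get("sensor"), reason)
            return "rejected"
        self.last_seq[msg["sensor"]] = msg["seq"]
        # Illustrative proportional correction toward the set-point: a reading that
        # is too low would raise the setting, which is exactly what a forged low
        # reading tries to provoke, hence the verification above.
        self.pressure_setting += 0.5 * (TARGET_PRESSURE - msg["pressure"])
        return "applied"


if __name__ == "__main__":
    ctrl = Controller()
    genuine = sign_reading("ps-01", 1, 60.0)
    print(ctrl.handle(genuine), ctrl.pressure_setting)          # applied 60.0
    forged = sign_reading("ps-01", 2, 60.0)
    forged["pressure"] = 40.0                                   # attacker claims low pressure
    print(ctrl.handle(forged), ctrl.pressure_setting)           # rejected 60.0
    print(ctrl.handle(genuine))                                 # rejected (replay of seq 1)
    for entry in ctrl.audit:
        print(entry)
```

The tag binds the pressure value to the sensor identity, so the forged reading fails verification and the set-point is left alone; the sequence check stops an old genuine reading from being replayed, and the audit list is the record that lets an operator prove afterwards what was received and what was done with it.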
There are two possible approaches to ensuring all of these criteria are met: use a separate dedicated appliance for each set of criteria, or cover all the criteria with a single set of devices or technology. Separate appliances are more expensive and make for a more complex solution with more demanding high-availability requirements.
How we help
TeskaLabs’ SeaCat technology is comprehensive server software that helps you secure SCADA and related infrastructure and remain, or become, compliant with industry regulations and security laws.
SeaCat operates on a wide range of devices, interfaces and systems, such as mobile, web APIs, and IoT hubs. Designed to operate in production and critical environments, SeaCat helps you ensure the integrity, confidentiality and availability of the data managed and controlled by your SCADA systems, as well as the non-repudiation of data transactions. If you’d like to learn more about our industrial IoT security for SCADA, visit https://www.teskalabs.com/industries/industrial-iot-security-for-scada. Alternatively, contact us to learn how we can assist you with the security of your SCADA system.