Many businesses are trying to become more competitive and create added value for customers and other stakeholders by attempting to integrate old and new systems. But integration of different systems can be associated with a security risk, as it can contribute to new possible entrances for attackers if security is not taken seriously enough. So how do you make a secure system integration?
Identify the most valuable information
Integration should be based on what information needs to be shared to create competitiveness and efficiency, not which technical solution is available. The first step is therefore to identify your most valuable assets. Which information is most critical and thus worth protecting?
Classify and identify security needs
The next step is information classification, which means classifying the information and defining different security needs. To do the classification, you must evaluate aspects such as the value and sensitivity of the information, the legal requirements and the importance of the information for the business. A good way to determine how the classification should be done is to use a risk and security analysis. It helps you to quickly and efficiently map your current information security as well as your future needs.
Perform a risk analysis
However willing you are to protect your information, it is not practical or financially justified to protect all information in the same way. To secure the most valuable information, strict network segmentation is the best solution to use. This means that you create zones with different security levels.
In the initial, simple risk analysis, you look at a worst-case scenario, i.e. the worst that can happen to the business. Here it is assumed that no measures have been taken to reduce the risks that exist. You need some input in this phase, such as:
- Overall system architecture – you need to know which systems are included in order to systematically go through them.
- Risk criteria and risk matrix with tolerable risk – what risks can we accept, and which do we have to do something about? How do we measure risk?
- Existing risk analyses – have we done any kind of risk analysis before, and can we use parts from there?
- Information about what threats that exist – what could happen? What are the threats to the organisation?
Based on this input, it is possible to calculate a worst-case risk to which the various parts of the system are exposed without security functions or segmentation. The question is, what effect does a cyberattack where the systems are put out of play have on the business? What would the magnitude of the attack be? How large geographical areas would be impacted and how many people would be affected? If electricity distribution was to be shut down, many people would feel the effects. Are there critical activities (e.g. hospitals) that are dependent on electricity supply? In the initial risk analysis, you are only interested in the consequence and then you assume that the probability is 'often'.
By defining our different worst-case scenarios and connecting these to the different systems, we can make an initial zoning where the systems are placed in zones together with other systems with the same level of risk.
Read the whole risk analysis process here!
The security information policy helps you maintain security
Based on the information classification, a security/information policy can also be established. By only allowing information exchange according to a well-defined information policy, it becomes easier to increase information security without compromising on functionality. The policy will act as your guide for information and security decisions and will help you to work continuously and systematically with your information security.
When you have performed your risk analysis, it is time to divide your systems into security zones. In this way, it is easier to protect each zone in an appropriate manner. Follow these five steps to get started:
1. Create a zone model
To structurise the segmentation project using zoning, you should create a zone model that defines what types of zones you have and what security and assurance requirements you have for the security functions that separate the zones.
2. Define what should be segmented
Define which system or systems that should be segmented and should thereby be included in the segmentation project. It is very important that the scope of the project is clearly defined and well communicated to everyone involved. Draw a high-level picture of the systems that should be segmented where boundaries to other systems are drawn. Also describe which data flows that will be in and out of the systems.
3. Perform a security analysis of systems
The systems included in the segmentation project need to be classified according to its sensitivity and criticality. The classification should be performed on an ongoing basis by the organisation, but a security analysis can identify systems and information that have not been classified.
4. Arrange the systems according to the zone model
Place the systems according to the zone model. Placement is based on requirements for security, availability, functionality and operational responsibility. Understanding how the different systems communicate with each other at network level is central. Minimise communication between zones, i.e. across zone boundaries. Monitor information flows between the zones.
5. Implement, test and put into operation
In order for the segmentation project to go from paper product to reality, various components (applications, firewalls, switches, etc.) will need to be reconfigured and in some cases networks will have to be partially rebuilt. The various security solutions will be configured, tested and put into operation. In this step, the segmentation project risks affecting the ongoing operations due to downtime.
Secure IT/OT integration - an integration that can be a challenge
Operational Technology (OT) is a concept that includes all the subsystems that are needed to control and monitor a physical process, such as a power plant. Historically, OT systems have often been completely disconnected from the outside world. In pace with society's digitisation, the need to connect OT systems with IT systems has increased. This integration is a major challenge from a safety point of view as there is a risk that someone without permission will affect or change the system.
In recent years, the NIS directive and new security laws raise new, higher demands on companies in critical infrastructure regarding information security. In order to upgrade the security to meet the requirements of the regulatory authority and at the same time maintain the accessibility to digital information, solutions that can separate and control data flows are needed.
In short, the following solutions are needed:
- Separation of IT and OT physically in different Zones
- Use the data diode in the Zone boundary for the data flows out of OT
- Allowlisting of information in the Zone boundary
Interested in more information about IT/OT integration? Find it here!