Critical infrastructure enterprises are vital to our society, as they provide crucial services such as power, telecommunications, transportation and water. We cannot do without these services; at the very least, a disruption would make life difficult, and it could even affect national security. That is why dedicated, consistent cybersecurity work in this sector is not only in the interest of the enterprises themselves but also a matter of national interest.
Cybersecurity in critical infrastructure
Critical infrastructure such as electricity distribution, water supply, transportation and telecommunications all depend on IT systems for management, surveillance and control. Industrial control systems (ICS), also called SCADA (Supervisory Control and Data Acquisition) systems, are consequently essential to maintaining the functionality of modern society. Their functions include collecting, processing and storing log messages, management, real-time billing and more.
While remote vendor support reduces costs and prevents inefficiencies, it leaves facilities more open to information leakage and even to cyberattacks that could have devastating effects. The question is how to protect information in critical infrastructure businesses. How do you protect your facility from these threats, yet remain efficient and continue to guarantee operational uptime?
Regulations for actors in critical infrastructure
There are regulations that actors in critical infrastructure must follow. To raise the cybersecurity of critical infrastructure in general, strict segmentation of industrial control systems (ICS/SCADA) has to be applied, combining logical separation with physical separation. This means keeping separate domains in the architecture isolated and allowing only very specific information to flow between them. An effective way to achieve this is to use products that replace manual handling of information across an air gap and connect OT with IT systems at the highest level of security.
The NIS Directive
The NIS Directive aims to promote security measures and boost EU member states’ level of protection of critical infrastructure. In other words, it improves information security of operators in sectors that provide essential services to our society and economy. This also means that action needs to be taken by actors in critical infrastructure to fulfil these security demands.
When you start working on compliance with the NIS Directive, you should ask yourself which parts of your business are central. This of course depends on the business in question. The harsh reality is that no one can protect everything. Assets, threats, risks and risk appetite must therefore be weighed carefully against each other in order to find a reasonable balance and effective measures. It is also a good idea to consider which parts are most vulnerable to cyberattacks. In general, data transfer between networks, or communication between security domains, is the most vulnerable point. Segmentation and secure data transfer are therefore often crucial for reliable operation.
You should also ask yourself which information is most in need of protection, and whether you protect it well enough. The answer lies in the analysis of your assets, threats, risks and risk appetite. By understanding a potential attacker's capabilities and resources, you get an idea of how effective the protection must be. What level of risk is reasonable? Consider the consequences. What can the business not afford to lose? What must absolutely not go wrong?
In Sweden, the law on information security applies to providers of socially important and digital services. This law is Sweden's way of adopting the NIS Directive. The regulations below contain a number of points that clarify how to adapt your business:
Systematic and risk-based information security work
The information security work regarding information handling in networks and information systems used for socially important services shall not only be adapted to the organisation but also be carried out with the help of the standards SS-EN ISO/IEC 27001:2017 and SS-EN ISO/IEC 27002:2017. Once the existing risks have been identified, the organisation's responsibility for the information security work must be clarified, all resources needed to carry out the work must be secured, and it must be ensured that the work is adapted and evaluated.
Demands on the information security work
The goal of the organisation's work with information security must be stated in a policy. You must also have a documented approach to, for example, classifying information, analysing risks, and taking reasonable security measures. It is also important to educate employees and ensure that they understand how the work is to be performed and what their role is.
Specifics concerning network and information systems
It is of course of great importance that the networks and information systems used for socially important services meet the requirements for information security. You must also have solid incident management for the information in these systems and a plan for how incidents are to be handled and how the business should proceed after an incident.
The Protective Security Act
To strengthen protective security, the Government proposed a new security law in 2018. The new law, the Protective Security Act (2018:585), contains requirements for measures aimed at protecting information that is of importance for Sweden's security or which is to be protected according to an international security protection commitment. The protection of other security-sensitive activities, such as important information systems, is also strengthened.
The law applies to activities run in both the public and private sectors, and those concerned can seek support and advice from the Security Service, the Armed Forces and other supervisory authorities. What is new is that businesses with data worth protecting are covered even when that data is not officially classified as secret. This can, for example, concern critical infrastructure and its operational systems, since these represent a potential vulnerability.
Which regulations apply to you?
The Protective Security Act applies to the protection of activities or information that may be important for Sweden's security. The NIS Directive sets requirements linked to the networks and information systems on which a business depends in order to deliver socially important or digital services. The same network and information system may be covered by the Protective Security Act, which may also cover other types of activities. Many organisations can thus be affected by both regulations, but the parts covered by protective security are exempt from the NIS Directive.
In order to fall under the Protective Security Act, you must have activities or process information that falls within the framework of security protection (see the description above). This can apply to networks, information systems and other parts of the business.
If you deliver socially important or digital services, you are covered by the NIS Directive. The requirements in the NIS Directive only apply to the networks and information systems on which the delivery of the socially important or digital service depends.
How to protect information in critical infrastructure
Data diodes are the failsafe way to protect your sensitive systems and confidential data. They allow only designated data to pass, and only in one direction; no malware, destructive data or simple administrative mistake can change the direction of the information flow during data transfer. They keep sensitive infrastructure safe and running, even under severe conditions.
Data diodes are compact appliances, also called ‘unidirectional security gateways’, which sit between two networks. They guarantee simplified yet secure real-time, one-way data transfer, safeguarding the integrity of the connected system. The data diode disconnects the critical part of your infrastructure from other networks while maintaining vital information flows. No unauthorised people or processes are able to interfere with your systems. Additionally, they offer greater efficiencies over conventional firewalls by reducing firewall configuration, real-time monitoring and logging costs, auditing, and training, minimising the risk of human error.
In critical infrastructure, all connections to and from the ICS/SCADA network must be secured so that the segmentation between OT and IT cannot be breached. For example, wind farms rely on the power of wind to generate energy. These energy plants need accurate forecasts from agencies such as The Met Office or Sweden's SMHI to optimise production. Reliable day-ahead forecasts are needed by utility operators to start up secondary power sources such as coal, nuclear or gas plants in case of low wind speeds. If, for example, this data were tampered with, it could have catastrophic consequences.
What is needed is a security gateway. Advenica's ZoneGuard technology is the failsafe way to protect your sensitive systems. The solution allows only designated data to pass in one direction; no malware or destructive data can infiltrate systems during data transfer, and no data leakage can occur. ZoneGuard enables sensitive and structured information to pass through the system, maximising production, even under severe conditions. ZoneGuards are compact bidirectional security gateways which sit between two networks. The ZoneGuard disconnects the critical part of your infrastructure from other networks while maintaining access to the critical information it needs for its management functions to operate in an optimal way.
Common use cases for critical infrastructure
Secure remote access
Many organisations depend on remote access through RDP, for example to allow suppliers to perform maintenance, or so that operating personnel can monitor and control a system. Secure remote access solves many of the security risks that are otherwise associated with such solutions.
Remote access can be made secure by using RDP and protecting the jump server with an explicit security solution. Advenica's ZoneGuard for RDP is such a solution. The connection from the user's PC is established with RDP to ZoneGuard. The user is authenticated, and the solution ensures that the connection is to an approved target system at a permitted time. ZoneGuard then ensures that only screen view data may pass from the target system to the user. Only keystrokes and mouse movements are transferred in the other direction. It is also possible to set restrictions, for example that only certain keystroke combinations are permitted. No other information is permitted to pass, eliminating the risks of, for example, general network communication or incorrect configuration of the jump server or its software. This also prevents access to peripheral devices, which would otherwise have meant increased risk.
Secure IT/OT integration
Historically, OT systems were often entirely standalone. However, the need to connect OT to other systems has grown with the digitalisation of society. IT and OT are therefore connected, and similar technology is often used in IT and OT. The different needs in IT and OT can easily lead to challenging technical conflicts.
Physical separation of IT and OT using zoning: Separating IT and OT into separate segments helps avoid vulnerabilities or disruption in IT affecting OT. To avoid risks as a consequence of mistakes in configuration or function, physical segmentation (zoning) should be used. This means that separate hardware is used for IT and OT.
Use data diodes in the zone border for outbound data flows from OT: The most secure way to connect an integrity-sensitive data network to other systems is to use data diodes. All data flows from OT that can be managed with data diodes involve a simplified security analysis, quite simply because a data diode is so secure and easy to analyse, or, more correctly, because it has such high assurance.
Information allowlisting in the zone border: For data flows for which data diodes are not suitable, you can instead use systems that secure the information flow, such as ZoneGuard. To avoid malicious code intruding and affecting the process, it is important to have strict separation between, and monitoring of, all data flows across the zone border. The most secure method is to have strict control over the information that is permitted to cross the zone border. For example, by not allowing transport protocols to pass the zone border, you entirely avoid many of the risks that you might otherwise face.
Secure transfer of SCADA information
For many years, operations using SCADA systems have been gradually automated. At the same time, the systems are becoming increasingly complex and control more and more socially critical functions. This makes them more vulnerable, and the challenge is to continue digitalising in a secure way. At the same time, the need to transfer information to other networks is growing, in order to be able to work efficiently.
The transmission of sensitive information can be done by using a solution which offers secure and filtered bidirectional communication. Such a solution is Advenica’s ZoneGuard. ZoneGuard validates the exchange of information that occurs between different networks and security domains and ensures that the organisational information policies are followed at each transfer. The solution thus enables digitalisation without compromising security while being flexible and easy to adjust depending on your organisation’s different needs.
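Information allowlisting at a zone border, as described for the IT/OT zone border above and for validated SCADA transfers here, can be illustrated with the wind-forecast case from earlier in the text. The following is an added example, not Advenica's or ZoneGuard's own code: a content filter that parses each incoming forecast record, checks every field against a strict policy, and re-emits only clean, canonically serialised records. The record format, field names, ranges and station identifiers are constructed assumptions.

```python
# Information allowlisting at a zone border (added example, not Advenica's code).
# Constructed scenario: day-ahead wind forecasts cross from IT into a wind-farm OT
# zone. No transport protocol crosses; the gateway parses each record, checks every
# field against a strict policy and re-emits only clean, canonical records.
import re
from datetime import datetime

def _is_utc_hour(v):
    """Accept only 'YYYY-MM-DDTHH:MMZ' timestamps that fall on the hour."""
    try:
        return datetime.strptime(v, "%Y-%m-%dT%H:%MZ").minute == 0
    except ValueError:
        return False

# Policy: exactly these fields may cross, each with a strict syntax and range (assumed).
FIELD_POLICY = {
    "station":    lambda v: re.fullmatch(r"[A-Z]{3}[0-9]{2}", v) is not None,
    "valid_from": _is_utc_hour,
    "wind_ms":    lambda v: re.fullmatch(r"[0-9]{1,2}(\.[0-9])?", v) is not None and float(v) <= 60.0,
    "dir_deg":    lambda v: re.fullmatch(r"[0-9]{1,3}", v) is not None and int(v) < 360,
}

def filter_record(line):
    """Return the record to forward, or None to drop it whole: malformed input,
    duplicate/missing/unknown fields or a failed value check all mean drop."""
    fields = {}
    for part in line.strip().split(";"):
        key, sep, value = part.partition("=")
        if not sep or key in fields:      # malformed token or duplicate field
            return None
        fields[key] = value
    if set(fields) != set(FIELD_POLICY):
        return None
    if not all(check(fields[k]) for k, check in FIELD_POLICY.items()):
        return None
    # Re-serialise in policy order so nothing of the original byte layout leaks through.
    return ";".join(f"{k}={fields[k]}" for k in FIELD_POLICY)

def filter_feed(lines):
    """Apply the policy to a whole feed; returns (forwarded records, dropped count)."""
    forwarded = [r for r in map(filter_record, lines) if r is not None]
    return forwarded, len(lines) - len(forwarded)

SAMPLE_FEED = [  # constructed input as it might arrive at the border
    "station=WND07;valid_from=2024-03-01T06:00Z;wind_ms=12.5;dir_deg=270",
    "dir_deg=45;wind_ms=8.1;station=WND07;valid_from=2024-03-01T07:00Z",  # reordered, valid
    "station=WND07;valid_from=2024-03-01T08:00Z;wind_ms=99.0;dir_deg=270",  # implausible speed
    "station=WND07;valid_from=2024-03-01T09:00Z;wind_ms=8;dir_deg=45;cmd=reboot",  # extra field
    "GET /forecast HTTP/1.1",  # raw protocol traffic, never a record
]
```

Running `filter_feed(SAMPLE_FEED)` forwards the first two records in canonical field order and drops the other three, which is the behaviour a zone-border filter should have: reject whole records rather than pass them partially.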
Secure logging
Most IT systems generate logs that enable troubleshooting and traceability. To benefit the most from such logs, it is important to combine logs from as many systems as possible in one chronological list. If you have security sensitive or zoned systems and want to implement centralised logging, you need to resolve an inherent goal conflict. Logging benefits from having one shared system for all zones/subsystems, but a shared system also increases the risk of attacks.
All the zones that supply log data are protected with one data diode each. The data flow is made unidirectional towards the log system. A shared log system can therefore be used regardless of the number of zones supplying data to it. If any of the zones contains confidential data, either the log system must be protected at the appropriate confidentiality level, or the log data from such a zone must be filtered so that the log system is not contaminated with confidential data. However, this can reduce the value of the log data, as free-text data often needs to be filtered out, which may make the log data harder to interpret.
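The logging arrangement above, as an added example that is not Advenica's code: each zone runs a sender that parses its own log lines and, for a confidential zone, strips free text before the line leaves through the diode, keeping only allowlisted key=value tokens; the shared log system merely merges what the diodes deliver into one chronological list. The syslog-like line format, zone names, kept keys and sample lines are constructed assumptions.

```python
# Centralised logging across zones behind data diodes (added example, not Advenica's code).
# Constructed scenario: each zone forwards syslog-like lines one way to a shared log
# system. The "hr" zone is confidential, so its free-text message is filtered on the
# sending side, before the diode; only allowlisted key=value tokens survive.
import re
from datetime import datetime

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
KV_RE = re.compile(r"\b([a-z_]+)=([\w.:-]+)")      # structured tokens inside a message
CONFIDENTIAL_ZONES = {"hr"}
KEEP_KEYS = {"event", "result", "user_id", "src"}   # keys allowed to leave a confidential zone

def zone_sender(zone, lines):
    """Runs inside a zone, upstream of its diode; returns (records, dropped_count)."""
    records, dropped = [], 0
    for line in lines:
        m = LINE_RE.match(line)
        try:
            ts = datetime.fromisoformat(m["ts"])
        except (TypeError, ValueError):            # no match, or malformed timestamp
            dropped += 1                           # unparseable lines never leave the zone
            continue
        msg = m["msg"]
        if zone in CONFIDENTIAL_ZONES:
            kept = [f"{k}={v}" for k, v in KV_RE.findall(msg) if k in KEEP_KEYS]
            msg = " ".join(kept) or "[free text filtered]"
        records.append((ts, f"{m['ts']} zone={zone} {m['host']} {m['proc']}[{m['pid']}]: {msg}"))
    return records, dropped

def log_system(deliveries):
    """Runs on the shared log system: merge every diode's delivery chronologically."""
    merged = sorted((r for records in deliveries for r in records), key=lambda r: r[0])
    return [line for _, line in merged]

def collect(feeds):
    """End to end: feeds is {zone: [raw lines]}; returns (merged log, total dropped)."""
    deliveries, dropped = [], 0
    for zone, lines in feeds.items():
        records, d = zone_sender(zone, lines)
        deliveries.append(records)
        dropped += d
    return log_system(deliveries), dropped

SAMPLE_FEEDS = {  # constructed sample lines, one list per zone
    "ot": ["2024-03-01T06:00:05 plc01 scada[311]: event=setpoint_change tag=T1 value=42"],
    "it": ["2024-03-01T06:00:02 ws17 sshd[4021]: event=login result=ok user_id=u1007 src=10.0.5.4"],
    "hr": ["2024-03-01T06:00:03 hr-db payroll[88]: event=export result=ok user_id=u2201 Anna Svensson salary=48000",
           "not a log line"],
}
```

The merged output keeps the hr event correlatable by timestamp, user_id and result while the name and salary never reach the log system, which is exactly the loss of free-text detail the paragraph warns about.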