Critical infrastructure enterprises are vital to our society as they provide crucial services such as power, telecommunications, transportation and water. We cannot do without these services; at the very least, a disruption would make life difficult and could even affect our national security. That is why dedicated work with consistent cybersecurity measures in this sector is not only interesting for the enterprises themselves – it is also a matter of national interest.
Cybersecurity in critical infrastructure
Critical infrastructure such as electricity distribution, water supply, transportation and telecommunications all depend on IT systems for management, monitoring and control. Industrial control systems (ICS), often referred to as SCADA (Supervisory Control and Data Acquisition), are consequently essential to maintaining the functionality of modern society. Their functions include collecting, processing and storing log messages, management, real-time billing and more.
While remote vendor support reduces costs and prevents inefficiencies, it leaves facilities more exposed to information leakage and even to cyberattacks that could have devastating effects. The question is how to protect information in critical infrastructure businesses. How do you protect your facility from these threats while remaining efficient and continuing to guarantee operational uptime?
Regulations for actors in critical infrastructure
There are regulations for actors in critical infrastructure to follow. To raise the cybersecurity of critical infrastructure in general, strict segmentation of industrial control systems (ICS/SCADA) has to be applied, combining logical separation with physical separation. This means keeping the separate domains in the architecture isolated and allowing only very specific information to flow between them. An effective way to achieve this is by using products that replace manual transfer of information across an air gap and connect OT with IT systems at the highest level of security.
The NIS Directive
The NIS Directive aims to promote security measures and boost EU member states’ level of protection of critical infrastructure. In other words, it improves information security of operators in sectors that provide essential services to our society and economy. This also means that action needs to be taken by actors in critical infrastructure to fulfil these security demands.
When you start working towards compliance with the NIS Directive, you should ask yourself which parts of your business are central. This of course depends on the business in question. The harsh reality is that no one can protect everything. Assets, threats, risks and risk appetite must therefore be weighed carefully against each other in order to find a reasonable balance and effective measures. It is also a good idea to consider which parts are most vulnerable to cyberattacks. In general, data transfer between networks, or communication between security domains, is the most vulnerable point. Segmentation and secure data transfer are therefore often crucial for reliable operation.
You should also ask yourself which information is most in need of protection – and whether you protect it well enough. The answer lies in the analysis of your assets, threats, risks and risk appetite. By understanding a potential attacker's capabilities and resources, you get an idea of how effective the protection must be. What level of risk is reasonable? Consider the consequences. What can the business not afford to lose? What must absolutely not go wrong?
In Sweden, the law on information security applies to providers of socially important and digital services. The law is Sweden's way of transposing the NIS Directive. The regulations below contain a number of points that clarify how to adapt your business:
Systematic and risk-based information security work
The information security work regarding information handled in networks and information systems used for socially important services shall not only be adapted to the organisation but also be carried out with the help of the standards SS-EN ISO/IEC 27001:2017 and SS-EN ISO/IEC 27002:2017. Once the existing risks have been identified, the organisation's responsibility for the information security work must be clarified, all resources needed to carry out the work must be secured, and it must be ensured that the work is adapted and evaluated.
Demands on the information security work
The goal of the organisation's work with information security must be stated in a policy. You must also have a documented approach to, for example, classifying information, analysing risks, and taking reasonable security measures. It is also important to educate employees and ensure that they understand how the work is to be performed and what their role is.
Specifics concerning network and information systems
It is of course of great importance that the networks and information systems used for socially important services meet the requirements for information security. You must also have solid incident management for the information in these systems and a plan for how incidents are to be handled and how the business should proceed after an incident.
The Protective Security Act
To strengthen protective security, the Government proposed a new security law in 2018. The new law, the Protective Security Act (2018:585), contains requirements for measures aimed at protecting information that is of importance for Sweden's security or which is to be protected under an international commitment on security protection. The protection of other security-sensitive activities, such as important information systems, is also strengthened.
The law applies to activities run in both the public and private sectors, and those concerned can seek support and advice from the Security Service, the Armed Forces and other supervisory authorities. What is new is that businesses with data worth protecting are covered without that data being officially classified as secret. This can, for example, apply to critical infrastructure and its operational systems, since these represent a potential vulnerability.
Which regulations apply to you?
The Protective Security Act applies to the protection of activities or information that may be important for Sweden's security. The NIS Directive sets requirements linked to the networks and information systems on which a business depends in order to deliver socially important or digital services. The same network and information system may be covered by the Protective Security Act, which may also cover other types of activities. Many organisations can thus be affected by both regulations, but the parts covered by protective security are exempt from the NIS Directive.
In order to fall under the Protective Security Act, you must have activities or process information that falls within the framework of security protection (see the description above). This can apply to networks, information systems and other parts of the business.
If you deliver socially important or digital services, you are covered by the NIS Directive. The requirements in the NIS Directive only apply to the networks and information systems on which the delivery of the socially important or digital service depends.
How to protect information in critical infrastructure
Data diodes are the failsafe way to protect your sensitive systems and confidential data. They allow only designated data to pass, and only in one direction; no malware, destructive data or simple administrative mistake can change the information flow during data transfer. They keep sensitive infrastructure safe and running, even under severe conditions.
Data diodes are compact appliances, also called ‘unidirectional security gateways’, which sit between two networks. They guarantee simplified yet secure real-time, one-way data transfer, safeguarding the integrity of the connected system. The data diode disconnects the critical part of your infrastructure from other networks while maintaining vital information flows. No unauthorised people or processes are able to interfere with your systems. Additionally, they offer greater efficiencies over conventional firewalls by reducing firewall configuration, real-time monitoring and logging costs, auditing, and training, minimising the risk of human error.
In critical infrastructure, all connections to and from the ICS/SCADA network must be secured so that the segmentation between OT and IT cannot be breached. For example, wind farms rely on the power of wind to generate energy. These energy plants need accurate forecasts from agencies such as the Met Office or Sweden’s SMHI to optimise production. Utility operators need reliable day-ahead forecasts in order to start up secondary power sources like coal, nuclear or gas plants in case of low wind speeds. If this data were tampered with, it could have catastrophic consequences.
What is needed is a security gateway. Advenica’s ZoneGuard technology is the failsafe way to protect your sensitive systems. The solution allows only designated data to pass in one direction; no malware or destructive data can infiltrate systems during data transfer, and no data leakage can occur. ZoneGuard enables sensitive and structured information to pass through the system, maximising production, even under severe conditions. ZoneGuards are compact bidirectional security gateways which sit between two networks. The ZoneGuard disconnects the critical part of your infrastructure from other networks while maintaining access to the critical information it needs for its management functions to operate in an optimal way.
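The forecast scenario above is a good place to make the "only designated, structured data, in one direction" principle concrete. The following Python sketch is an added example written for this page; it is not Advenica's code and does not show how ZoneGuard or any data diode product is implemented. It models the OT-side receiver of a one-way forecast feed under assumptions that are not from the page: each forecast is a small JSON frame carrying a sequence number and an HMAC-SHA256 tag computed with a key provisioned out of band on both sides of the diode; the sender repeats frames because there is no return channel for retransmission requests; and every name (build_frame, DiodeReceiver, the field names, the constructed key and sample records) is hypothetical. The receiver accepts a record only if the tag verifies, the record contains exactly the allow-listed fields with sane types and ranges, and the forecast time is plausible; it drops repeats and raises an alert when a sequence gap shows that frames were lost.

```python
"""Added example: allow-list receiver for a one-way (data diode) forecast feed.
Not the page's or any vendor's code; all names and values are constructed."""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed key; a real deployment provisions it out of band on both sides of the diode.
SHARED_KEY = b"example-key-provisioned-out-of-band"
MAX_FORECAST_HORIZON = timedelta(hours=48)  # forecasts further ahead are implausible
MAX_FORECAST_AGE = timedelta(hours=1)       # older forecasts are treated as stale replays


def _parse_time(value):
    """Return an aware datetime for an ISO-8601 string, or None if it does not parse."""
    if not isinstance(value, str):
        return None
    try:
        parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    return parsed if parsed.tzinfo is not None else None


# Allow-list of record fields with type and range checks; any other content is dropped.
FIELD_RULES = {
    "station": lambda v: isinstance(v, str) and v.isalnum() and len(v) <= 16,
    "valid_time": lambda v: _parse_time(v) is not None,
    "wind_speed_ms": lambda v: (isinstance(v, (int, float))
                                and not isinstance(v, bool) and 0 <= v <= 75),
}


def _canonical(seq, record):
    """Deterministic JSON so sender and receiver compute the tag over identical bytes."""
    return json.dumps({"seq": seq, "record": record}, sort_keys=True, separators=(",", ":"))


def build_frame(seq, record, key=SHARED_KEY):
    """Sender side (IT network): canonical JSON followed by an HMAC-SHA256 tag."""
    body = _canonical(seq, record)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{tag}".encode()


class DiodeReceiver:
    """Receiver side (OT network). With no return channel the sender repeats frames,
    so duplicates are silently dropped and gaps in the sequence are alerted."""

    def __init__(self, key=SHARED_KEY, now_iso=None):
        self.key = key
        self.now = _parse_time(now_iso) if now_iso else datetime.now(timezone.utc)
        self.accepted = []  # validated forecast records, in arrival order
        self.alerts = []    # rejections and sequence gaps worth escalating
        self.seen = set()
        self.next_seq = 0

    def process(self, frame):
        body, sep, tag = frame.rpartition(b"|")
        if not sep:
            return self._reject("malformed")
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):   # constant-time comparison
            return self._reject("bad_mac")
        try:
            msg = json.loads(body)
        except ValueError:
            return self._reject("bad_json")
        if not (isinstance(msg, dict) and set(msg) == {"seq", "record"}
                and isinstance(msg["seq"], int) and isinstance(msg["record"], dict)):
            return self._reject("bad_envelope")
        record = msg["record"]
        if set(record) != set(FIELD_RULES) or not all(FIELD_RULES[k](record[k]) for k in FIELD_RULES):
            return self._reject("bad_record")
        valid_time = _parse_time(record["valid_time"])
        if not (self.now - MAX_FORECAST_AGE <= valid_time <= self.now + MAX_FORECAST_HORIZON):
            return self._reject("out_of_window")
        seq = msg["seq"]
        if seq in self.seen:
            return "duplicate"  # expected: the sender repeats every frame
        if seq > self.next_seq:
            self.alerts.append(f"gap: sequences {self.next_seq}-{seq - 1} never arrived")
        self.seen.add(seq)
        self.next_seq = max(self.next_seq, seq + 1)
        self.accepted.append(record)
        return "accepted"

    def _reject(self, reason):
        self.alerts.append(f"rejected: {reason}")
        return f"rejected:{reason}"


def demo():
    """Constructed traffic: good frames, a repeat, a tampered frame, a lost frame, a bad value."""
    rx = DiodeReceiver(now_iso="2030-01-01T00:00:00Z")
    good = {"station": "WF01", "valid_time": "2030-01-01T12:00:00Z", "wind_speed_ms": 9.5}
    f0 = build_frame(0, good)
    f1 = build_frame(1, dict(good, wind_speed_ms=11.0))
    tampered = f1.replace(b"11.0", b"0.0")               # altered in transit; tag no longer matches
    f3 = build_frame(3, dict(good, wind_speed_ms=4.2))   # sequence 2 was lost on the way
    bad = build_frame(4, dict(good, wind_speed_ms=400))  # correctly tagged but out of range
    results = [rx.process(f) for f in (f0, f0, f1, tampered, f3, bad)]
    return results, len(rx.accepted), rx.alerts


if __name__ == "__main__":
    print(demo())
```

Two design points matter for a one-way link. First, integrity has to be verified on the receiving side, because the diode guarantees direction but says nothing about whether the bytes that arrive are the bytes that were sent; the tampered frame in demo() is valid JSON with an in-range value and is stopped only by the tag check. Second, loss cannot be reported back to the sender, so the receiver must detect gaps itself and surface them as an alert that the operator's monitoring can act on, rather than silently running on a stale forecast.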
Do you need help securing your critical operations? Do not hesitate to contact us!