Preparations for higher cybersecurity

If you want to improve your cybersecurity, Advenica is always there to find the best solution for your needs. But before finding the solution, you must figure out what the problem is, what the risks are, and how a potential solution would fit into your environment. Also, there might be laws or regulations demanding you to use specific solutions. So, before you purchase and implement cybersecurity solutions, there are a few steps you need to take!

Perform a risk analysis

To know which direction to take with your cybersecurity work, you must first evaluate the business as it is today, by analysing the risks that currently exist in the business's systems. Based on the calculated risks, you can then create an architecture with zones and with defined data flows between the zones. This method of using risk analysis as the basis for creating zones follows the IEC 62443 standard.

An initial, simple risk analysis identifies the worst that can happen today without having introduced any risk-reducing measures. Later, a detailed risk analysis is performed for separate zones and flows. This step is taken when the groupings of zones and flows have been made, based on the initial risk analysis.

The goal of these risk analyses is to ultimately be able to apply the right risk-reducing measures and create a more secure business where focus is put in the right places.

How do you do a risk analysis?

In the initial, simple risk analysis, you look at a worst-case scenario, i.e. the worst that can happen to the business. Here it is assumed that no measures have been taken to reduce the risks that exist. You need some input in this phase, such as:

  • Overall system architecture – you need to know which systems are included in order to go through them systematically.
  • Risk criteria and a risk matrix with a tolerable risk level – which risks can we accept, and which do we have to do something about? How do we measure risk?
  • Existing risk analyses – have we done any kind of risk analysis before, and can we reuse parts of it?
  • Information about which threats exist – what could happen? What are the threats to the organisation?

Based on this input, it is possible to calculate the worst-case risk to which the various parts of the system are exposed without any security functions or segmentation. The question is: what effect would a cyberattack that puts the systems out of play have on the business? What would the magnitude of the attack be? How large a geographical area would be impacted, and how many people would be affected? If electricity distribution were to be shut down, many people would feel the effects. Are there critical activities (e.g. hospitals) that depend on the electricity supply? In the initial risk analysis, only the consequence is assessed; the probability is simply assumed to be ‘often’.

By defining our different worst-case scenarios and connecting these to the different systems, we can make an initial zoning where the systems are placed in zones together with other systems with the same level of risk.

Start working with zoning

Zoning an IT system is done for both security and functional reasons. In general, the underlying driving force is to reduce the risk of various disturbances in the system. In terms of security, zoning is about gathering assets with the same type of protection needs concerning confidentiality, integrity, availability, and access. The higher the demands placed on the protection of a system, the higher the costs to build and maintain the system and its protection mechanisms, which means that for economic reasons one wants to minimise the size of systems with high demands on protection.
This means that by using zoning, one should try to gather assets with an increased need for protection and separate them from assets with lower demands for protection. Segmentation means that you have separate zones for your assets, but most often you still allow some communication between these zones. In some slightly more extreme cases, isolation or “galvanic separation” may be relevant, and then no network-based communication between the zones is allowed.

1. Create a zone model

To structure the segmentation project using zoning, you should create a zone model that defines what types of zones you have and what security and assurance requirements you have for the security functions that separate the zones.

2. Define what should be segmented

Define which system or systems should be segmented and should thereby be included in the segmentation project. It is very important that the scope of the project is clearly defined and well communicated to everyone involved. Draw a high-level picture of the systems that should be segmented, with the boundaries to other systems drawn in. Also describe which data flows will go in and out of the systems.

3. Perform a security analysis of systems

The systems included in the segmentation project need to be classified according to their sensitivity and criticality. The classification should be performed on an ongoing basis by the organisation, but a security analysis can identify systems and information that have not been classified.

4. Arrange the systems according to the zone model

Place the systems according to the zone model. Placement is based on requirements for security, availability, functionality, and operational responsibility. Understanding how the different systems communicate with each other at network level is central. Minimise communication between zones, i.e. across zone boundaries. Monitor information flows between the zones.

Once you have made a grouping of your zones and data flows, you usually need to do a detailed risk analysis. According to IEC 62443, a detailed risk analysis is performed if the initial risk exceeds the acceptable risk. In the detailed risk analysis, one risk analysis is performed per zone and per flow, using the same risk matrix as in the initial risk analysis. The detailed risk analysis consists of a number of steps:

  • Identify threats and threat actors against zones and flows
  • Identify vulnerabilities that can be exploited
  • Assess unmitigated consequence, probability, and risk
  • Introduce risk-reducing measures
  • Assess reduced consequence, probability and risk
  • Is the reduced risk OK? If not, introduce more measures

When the reduced risk is less than the acceptable risk, you have reached your goals with your risk-reducing measures. Read more about how to do risk-based zoning!
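As an added worked example (not Advenica's code or any real assessment), the two-pass risk analysis described above in runnable form: an initial pass that scores each system from its worst-case consequence with probability fixed to 'often', an initial zoning that groups systems with the same risk level, and a detailed per-zone pass that adds risk-reducing measures until the reduced risk is within the tolerable risk. The risk matrix, the tolerable-risk criterion, the systems and the measures are all constructed sample values.

```python
"""Added worked example (not Advenica's code): the two-pass risk analysis the
article describes, IEC 62443 style. Matrix, systems and measures are constructed."""

CONSEQUENCE = ["minor", "moderate", "major", "catastrophic"]
LIKELIHOOD = ["rare", "possible", "likely", "often"]
# Constructed risk matrix: RISK_MATRIX[consequence][likelihood] -> risk score 1..5
RISK_MATRIX = [
    [1, 1, 2, 2],  # minor
    [1, 2, 3, 3],  # moderate
    [2, 3, 4, 5],  # major
    [3, 4, 5, 5],  # catastrophic
]
TOLERABLE_RISK = 2  # constructed risk criterion: scores above this must be treated

# Constructed inventory: system -> worst-case consequence if it is put out of play
SAMPLE_SYSTEMS = {"grid_scada": "catastrophic", "substation_hmi": "major",
                  "office_mail": "moderate", "intranet_wiki": "minor"}
# Constructed measures: (name, likelihood levels removed, consequence levels removed)
SAMPLE_MEASURES = [("segment with firewall", 1, 0), ("one-way data diode", 2, 0),
                   ("offline backup + manual fallback", 0, 1)]

def risk_score(consequence: str, likelihood: str) -> int:
    """Look up the risk score for a consequence/likelihood pair in the matrix."""
    return RISK_MATRIX[CONSEQUENCE.index(consequence)][LIKELIHOOD.index(likelihood)]

def initial_risk(systems: dict) -> dict:
    """Initial (simple) analysis: worst-case consequence per system, no measures,
    and the probability fixed to 'often' as the article describes."""
    return {name: risk_score(cons, "often") for name, cons in systems.items()}

def initial_zoning(initial: dict) -> dict:
    """Place systems with the same initial risk level in the same zone."""
    zones = {}
    for name, score in sorted(initial.items()):
        zones.setdefault(score, []).append(name)
    return zones

def detailed_risk(consequence: str, measures: list) -> tuple:
    """Detailed per-zone/flow analysis: start unmitigated, add measures until the
    reduced risk is tolerable. Returns (final score, measures applied); if the
    measures run out while the score is still too high, the caller sees that."""
    ci, li = CONSEQUENCE.index(consequence), LIKELIHOOD.index("often")
    score, applied = RISK_MATRIX[ci][li], []
    for name, l_steps, c_steps in measures:
        if score <= TOLERABLE_RISK:
            break
        li, ci = max(0, li - l_steps), max(0, ci - c_steps)
        score = RISK_MATRIX[ci][li]
        applied.append(name)
    return score, applied
```

With the constructed values, the initial pass puts the SCADA system and the substation HMI in the same high-risk zone, and the detailed pass shows that a firewall alone does not bring a catastrophic-consequence system within the tolerable risk.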

Check what laws and regulations you have to follow

There are vital laws and directives you should be aware of, for example the NIS Directive. The NIS Directive (the Directive on security of network and information systems) is an EU directive, meaning that each member state transposes it into its own national legislation. This means that there may be differences in how it is applied.

The NIS Directive aims to promote security measures and boost EU member states’ level of protection of critical infrastructure. In other words, it improves information security of operators in sectors that provide essential services to our society and economy.

Learn more about the NIS Directive!

Another law that might be important for your organisation is the Protective Security Act. It clarifies the obligations of companies with security-sensitive activities and the importance of operators performing security protection analyses of their operations. The Protective Security Act (2018:585) contains requirements for measures aimed at protecting information that is of importance for Sweden’s security, or which is to be protected according to an international security protection commitment. The protection of other security-sensitive activities, such as important information systems, is also being strengthened.

Read more about the Protective Security Act!

Contact Advenica when you have completed the steps

When you have taken these steps, it is time to contact a cybersecurity expert who can help you choose the right cybersecurity products for your needs. Advenica’s products can often be used as they are, or with minor adaptations. If you need a solution tailored to your specific needs, we will start a cybersecurity project together!

Do you have any questions? Do not hesitate to contact us, even if you have not completed the steps. We are here to help!