The current events around the COVID crisis, as well as the almost daily news about “hacked” companies, show us all how important the secure operation of (critical) infrastructures is for our society and for your business success. We take it for granted that the supply of electricity or food is maintained, just as much as the operation of hospitals or the production of medical goods. But it is also necessary for the manufacturing industry that production processes experience as few interruptions as possible.
Information Security Management (ISM) makes a significant contribution to the safe (Safety & Security) operation of IACS/OT systems (IACS: Industrial Automation and Control Systems, OT: Operational Technologies). Within the scope of the ISMS, the following protection goals, among others, are addressed with technical and organizational (protection) measures:
Availability: e.g. pandemic preparedness, protection against cyber attacks (e.g. cyber extortion, economic warfare in cyber space, ransomware), i.e. protection against IT/OT failures
Integrity: prevention of falsification of data, e.g. customer data, IT/OT system configurations
Confidentiality: e.g. know-how protection, data protection
At this point, allow me to ask: “Have you had any problems with one or another of these protection goals in your company?”
In any case, lawmakers see the challenges facing society. To ensure security of supply, the NIS-G and supplementary ordinances were enacted. Essentially, it’s about protecting our (critical) infrastructure from the effects of cyber attacks – for example, preventing a blackout. In order to achieve these goals, legislation requires that the companies concerned establish protective measures for secure IT/IACS/OT operations and demonstrate their effectiveness via regular audits.
To deal with this task in a structured manner, it makes sense to establish an information security management system (ISMS). There are a large number of best practices and standards for this. The most widely used standard in Europe is ISO/IEC 27001. The IEC 62443 family of standards was developed for security in IACS/OT environments. Whereas ISO/IEC 27001 essentially addresses the challenges of IT, IEC 62443 specifically targets the requirements of IACS/OT environments. The standards are fully compatible at the management system level and thus offer the possibility of forming an end-to-end security management system.
An essential component, indeed the core process, of an ISMS is information security risk management. It enables improvement potential in the operation of the IACS/OT infrastructure to be identified in a structured way.
With the risk management tool CRISAM® you have an Austrian solution at your disposal which is already used by more than 50% of the ISO 27001 certified companies in Austria. With the latest enhancements of the comprehensive Compliance Knowledge Packs in the areas of “critical infrastructure” and “IEC 62443”, you now also have components available that specifically address IACS systems and the legal requirements of the NISG. Thanks to the comprehensive integrated reporting options, you can prepare the essential information efficiently and in a form suited to the target group.
Companies in these sectors face significant challenges in secure IACS/OT operations. However, these can be managed sustainably with the help of structured information security management. CRISAM® provides you with a platform that serves the core process of risk management professionally and efficiently.
More information about current Knowledge Pack updates can be found here
Author
Partner
CALPANA business consulting GmbH
Email: office@calpana.com
Phone: +43 732 601 216 – 0