The current events surrounding the COVID crisis or the almost daily news about “hacked” companies show us all how important the secure operation of (critical) infrastructures is for our society and your business success. For us, it goes without saying that the supply of electricity or food is maintained in the same way as the operation of hospitals or the production of medical goods. But it is also essential for the manufacturing industry that production processes experience as few interruptions as possible.
Information security management (ISM) makes a significant contribution to the safe and secure (safety & security) operation of IACS/OT systems (IACS: Industrial Automation and Control Systems, OT: Operational Technologies). Within the scope of the ISMS, the following protection objectives are addressed with technical and organizational (protective) measures:

- Availability: e.g. pandemic preparedness, protection against cyber attacks (e.g. cyber extortion, economic warfare in cyberspace, ransomware), or protection against IT/OT failures
- Integrity: prevention of falsification of data, e.g. customer data, IT/OT system configurations
- Confidentiality: e.g. know-how protection, data protection
At this point, I would like to ask: “Have you already had problems with one or two protection goals in your company?”
In any case, the legislator recognizes the challenges for society. The NIS-G and its supplementary ordinances were enacted to ensure security of supply. Essentially, it is about protecting our (critical) infrastructure from the effects of cyber attacks, e.g. preventing a blackout. In order to achieve these objectives, the legislator stipulates that the companies concerned must establish protective measures for secure IT/IACS/OT operations and demonstrate their effectiveness through regular reviews.
An information security management system (ISMS) can be established for the structured handling of this task. There are a large number of best practices and standards for this. The most widely used standard in Europe is ISO/IEC 27001. The IEC 62443 family of standards was developed for security in IACS/OT environments. While ISO/IEC 27001 essentially deals with the challenges of IT, IEC 62443 is specifically aimed at the requirements of IACS/OT environments. The standards are fully compatible at the management system level and thus offer the possibility of creating a consistent security management system.
Information security risk management is an essential component, or core process, of an ISMS. It makes it possible to identify potential for improvement in the operation of the IACS/OT infrastructure in a structured way.
The CRISAM® risk management tool is an Austrian solution that is already used by more than 50% of ISO 27001-certified companies in Austria. With the latest enhancements to the extensive Compliance Knowledge Packs in the areas of “critical infrastructure” and “IEC 62443”, you now also have components available that specifically address IACS systems and the legal requirements of the NIS-G. Thanks to the comprehensive integrated reporting options, you can prepare the key information efficiently and in a target-group-oriented manner.
Companies in these sectors face major challenges in secure IACS/OT operation. However, these can be managed sustainably with the help of structured information security management. CRISAM® provides you with a platform that supports the core process of risk management professionally and efficiently.