As operators of critical infrastructures (utilities, airport, rail operators, military, telecommunications network operators, hospital) you have increased demands on information security and on your risk management system. On the one hand, the increased requirements result from the specific characteristics of the systems used:
- No maintenance windows – hot standby – no data loss
- Long life cycle (> 10 years)
- High cost of testing when changes are required
- High dependence on system suppliers
- Redundancy principle
- Defense in depth principle (castle approach)
Andererseits aus der steigenden Bedrohungslage, die im BSI Lagebericht 2011 wie folgt dokumentiert wurde:
On the other hand, the increased requirements result from an increased threat potential which was documented in the BSI (German Federal Office for Information Security) 2011 annual report as follows:
"After IT attacks on industrial process control systems have long been discussed only in expert circles Stuxnet has impressively demonstrated the very real nature of the threat. This malicious program is characterized by outstanding infection mechanisms; unlike most Trojan horses it does not target “normal” PCs but industrial process control systems […] Through Stuxnet it becomes clear that the overall security design of process control systems must be urgently reviewed and where necessary adapted according to potential threats.
The safety requirements for production systems are gradually taken account of in recommendations and standards. The ISO/IEC TR 27019: 2013, which was taken over from DIN SPEC 27009 by ISO in a fast track process, is particularly noteworthy in this context.
With the CRISAM® SCADA Knowledge Pack combined with CRISAM® ISMS you receive everything you need to smoothly integrate the control technology into your risk management system.
The CRISAM® SCADA Knowledge Pack contains specific building blocks and controls with clear implementation instructions. These were developed together with recognised experts from reputable energy providers.
In addition, the Knowledge Pack contains compliance reports and mappings for the following standards:
Federal Association of Energy and Water Industries (BDEW): requirements for secure control and telecommunications systems
ISO/IEC TR 27019: 2013: information technology - security techniques - information security management guidelines based on ISO/IEC 27002 for process control systems specific to the energy utility industry