What does an information security management system (ISMS) have to do with critical infrastructure?
The current events surrounding the COVID crisis or the almost daily new news about “hacked” companies show us all how important the secure operation of (critical) infrastructures is for our society and your business success. We take it for granted that the supply of electricity or food is maintained just as much as the operation of hospitals or the production of medical goods. But it is also necessary for the manufacturing industry that production processes experience as few interruptions as possible.
WHAT DOES THIS HAVE TO DO WITH INFORMATION SECURITY MANAGEMENT?
Information Security Management (ISM) makes a significant contribution to the safe (Safety & Security) operation of IACS/OT plants (IACS: Industrial Automation and Control Systems, OT: Operational Technologies). Within the scope of the ISMS, the following protection goals, among others, are addressed with technical and organizational (protection) measures:
e.g. precaution against pandemic, protection against cyber attacks (e.g. cyber extortion, economic warfare in cyber space, ransomware) – respectively protection against IT/OT failures
prevention of data corruption e.g. customer data, IT/OT system configurations
e.g. know-how protection, data protection
At this point, allow me to ask: “Have you already had problems with one or the other protection goal in your company?”
In any case, the legislator sees the challenges for society. The NIS-G and supplementary ordinances were enacted to ensure security of supply. Essentially, the goal is to protect our (critical) infrastructure from the effects of cyber attacks – e.g., to prevent a blackout. In order to achieve these goals, the legislator stipulates that the companies concerned must establish protective measures for secure IT/IACS/OT operations and prove their effectiveness via regular audits.
To deal with this task in a structured manner, it makes sense to establish an Information Security Management System (ISMS). There are a large number of best practices and standards for this purpose. The most widely used standard in Europe is ISO/IEC 27001, while the IEC 62443 family of standards has been developed for security in IACS/OT environments. While ISO/IEC 27001 essentially addresses the challenges of IT, IEC 62443 specifically targets the requirements in IACS/OT environments. The standards are comprehensively compatible at management system level and thus offer the possibility of forming an end-to-end security management system.
An essential component or the core process of an ISMS is Information Security Risk Management. This enables structured improvement potentials to be identified in the operation of the IACS/OT infrastructure.
With the Risk Management tool CRISAM® an Austrian solution is available which is already used by more than 50% of the ISO 27001 certified companies in Austria. With the latest enhancements of the comprehensive Compliance Knowledge Packs in the area of “critical infrastructure” and “IEC 62443”, you now also have components available that specifically address IACS systems and legal requirements from NISG. Thanks to the comprehensive integrated reporting options, you can prepare the essential information efficiently and in line with the target group.
Companies in these sectors face major challenges in secure IACS/OT operations. However, these can be mastered sustainably with the help of a structured Information Security Management. CRISAM® provides you with a platform that handles the core process of Risk Management professionally and efficiently.
PROFESSIONALLY MANAGE RISK AND COMPLIANCE MANAGEMENT REQUIREMENTS
With the new Knowledge Packs “KRITIS” and “IEC 62443” CRISAM® supports you in fulfilling the requirements regarding NISG or proofs towards your clients.
Dipl.Ing. Harald Montenegro, MSc
CALPANA business consulting GmbH
Phone: +43 664 88 10 92 21
Weitere Themen ///
THERE’S A FIRE – HOW WELL PROTECTED IS YOUR DATA?
In light of the recent fire at the cloud operator OHV, we recommend that every company take a close look at the topic of cloud outsourcing, because the consequences can be painful and an investment in information security that is saved at one end can be expensive at the other. It is therefore worth taking a closer look at a few points in good time. You can find out what these are in this article.
News Enterprise Risk Management
HOW TO GET CALMLY THROUGH THE IDW PS 340 N.F. AUDIT
A revised auditing standard was published on January 1, 2021. How do you get calm through the IDW PS 340 n.F. audit with CRISAM®? Take advantage of this opportunity and expand the capabilities of your corporate planning...
Content Release March 2021
Comprehensive innovation in the CRISAM® Knowledge Packs in the area of ISMS, SCADE, KRITIS, B3S, VDA-TISAX and Legal Essentials.
REVIEW OF THE FIRST CRISAM® COMMUNITY TALK
Tuesday, 2/23/2021 was the day. The first CRISAM® Community Talk took place online and the turnout was fantastic. Numerous participants from a wide range of industries took a day to exchange ideas among Risk Management experts.
News Information Risk Management
CRISAM® Process Model
CRISAM® is based on a 6-step process model that provides a holistic view of your risk management.
News Enterprise Risk Management
CRISAM® Enterprise Server
With the CRISAM® Enterprise Server several users can work on the same project at the same time. The data is stored on a Microsoft SQL server. In addition, a flexible role and user management...