How TeskaLabs Helps You Operate SCADA Systems Securely and Comply with Security Laws

The fight against the Wild Wild Web

Cyberspace does not have boundaries. The internet is a truly international community, and it takes just milliseconds to reach a data source on a whole different continent. The internet is therefore an open arena for cyberattacks from across the world, where anyone can try to break their way into someone else’s data. We can see this daily in the news or on the specialized ICT news servers: the attacks never stop.

The European Union takes cyber threats seriously and requires all member states to adopt a law that deals with the protection of critical information assets and of information related to national security. EU countries have gradually adopted their own laws governing the information technology sector. Because many security laws are inspired by the ISO 27000 standard family, we can take ISO 27001 requirements as a pattern of rules used, more or less, in every national security law. The Czech Republic was the first EU country to adopt such national security laws three years ago, laws which have affected hundreds of government systems, and thousands of businesses and their IT systems.

The goal of ISO 27000 is to implement a systematic approach to managing sensitive company information and keep this information secure. It incorporates people, processes, and ICT systems by applying a risk management process. Thus, an information security management system (ISMS) is implemented to ensure that every critical system is well-protected, monitored and accessible, as well as to ensure all the company’s processes are designed with security in mind. In short, it has the same goal as national security laws, but operates on a smaller scale.

Compliance with national security law or ISO 27000 requires a combination of organizational and technical measures. Carrying out all necessary steps can take months or years depending on the company size, and it costs a sizeable amount of money. The question is, should you care about security?

Why do you want to protect critical assets?

National security laws focus on protection of national security related information, critical informational assets such as information systems, information, contracts, factories and machines, or basic but important services like electricity and gas delivery, television and radio broadcasts, money transfers, or protection of police, military, and hospital data. In fact, security protection is essential whenever there is a direct connection between the physical and digital world. A security failure can have a serious impact on people’s everyday lives, or even put their lives or national security at risk.

These consequences cost money to put right, much more than preventative measures.

For example, an oil distribution company has sensors all over its distribution pipes and pressure stations. In a central SCADA system, the pressure of the oil is controlled and adjusted by input data from sensors. If attackers gain control of the sensor data, they can also alter the data and trigger certain processes behind the control system. Let’s imagine a situation where a hacker alters data about pressure in the pipes. The central control system is informed that the pressure is decreasing, and therefore automatically raises the pressure to its optimum level. However, this could result in an accident where hundreds of barrels of oil contaminate the environment, all because hackers were able to alter a single piece of data.

We can now see that the amount of money required for data integrity protection is nothing compared to the cost of the environmental clean-up that the oil company would then have to carry out. Cyber security laws are in place for a reason - to reduce risk, and lessen the impact of potential breaches. For the same reason that you would buy insurance on your car, cyber security protects you from a serious financial headache in the event that something goes wrong. Not only that, but national security laws are also tutorials on how to protect assets, and how to do it right.

You might have heard of the CIA triad, a popular term referring to Confidentiality, Integrity, and Availability. All three criteria should be met to ensure data security. Together with proper authentication and authorization of all communication sides, a robust and secure IT environment is created. Data within such an environment is secure and protected against attackers. Sadly, most information systems and services provided by many companies are not as secure as they should be.

Requirements from the law

As much as we’d like it to, no single piece of technology exists which can cover all security requirements. In order to be compliant with national security law or to fulfill all ISO 27001 requirements, it’s likely that you’ll need to implement several security technologies.

In the previous example with oil distribution, a potential problem lies with unauthorized access to critical data and the ability to modify it. The integrity and confidentiality of the sensor data were broken. As mentioned, the three characteristics of the CIA triad need to be ensured regarding information systems, their data, and the data in transit.

  1. Integrity (data will be received as it was transmitted)
  2. Confidentiality (data/service is available to authorized personnel only)
  3. Availability (data/service is available anytime it is needed)

We can extend the set by additional characteristics:

  1. Authenticated (data traffic relates to a particular identified user)
  2. Authorized (all data contains the user identification, and the system checks whether or not the user has the right to send or receive it)
  3. Non-repudiation (every complete operation is logged, and the operation is proved)

There are two possible approaches which will ensure all of these criteria are met. You can either use separate dedicated appliances for each set of criteria, or alternatively cover all the criteria with a single set of devices or technology. Separate appliances are more expensive, and present a more complex solution with bigger requirements related to high availability.
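
To make the integrity and authentication criteria concrete for the oil-pressure scenario above, here is an added example (not TeskaLabs code and not how SeaCat works) in which the control side acts only on sensor readings that carry a valid HMAC tag and a fresh sequence number. The sensor ID, key, and message layout are constructed assumptions; a shared-key HMAC gives integrity and authentication but not non-repudiation, which would need per-device digital signatures.

```python
import hashlib
import hmac
import struct

# Constructed demo key; real deployments provision a unique secret per device.
SENSOR_KEYS = {"PS-07": b"constructed-demo-key-for-PS-07"}


def _mac(key, sensor_id, seq, pressure_kpa):
    # Bind identity, sequence number and value together so none can be swapped.
    msg = sensor_id.encode() + b"\x00" + struct.pack(">Qd", seq, pressure_kpa)
    return hmac.new(key, msg, hashlib.sha256).digest()


def sign_reading(sensor_id, seq, pressure_kpa):
    """Sensor side: emit a reading together with its authentication tag."""
    tag = _mac(SENSOR_KEYS[sensor_id], sensor_id, seq, pressure_kpa)
    return {"sensor": sensor_id, "seq": seq, "kpa": pressure_kpa, "tag": tag}


class Controller:
    """Control side: accept only readings that verify and are fresh."""

    def __init__(self):
        self.last_seq = {}  # highest sequence number accepted per sensor

    def accept(self, r):
        key = SENSOR_KEYS.get(r["sensor"])
        if key is None:
            return "rejected: unknown sensor"
        expected = _mac(key, r["sensor"], r["seq"], r["kpa"])
        # Constant-time comparison avoids leaking tag bytes through timing.
        if not hmac.compare_digest(expected, r["tag"]):
            return "rejected: bad tag"
        if r["seq"] <= self.last_seq.get(r["sensor"], -1):
            return "rejected: replay"
        self.last_seq[r["sensor"]] = r["seq"]
        return "accepted"


def demo():
    ctl = Controller()
    good = sign_reading("PS-07", 1, 4200.0)
    # Constructed tampering: pressure value changed in transit, tag unchanged.
    tampered = dict(sign_reading("PS-07", 2, 4200.0), kpa=1500.0)
    return [ctl.accept(good), ctl.accept(tampered), ctl.accept(good)]
```

A rejected reading should raise an alert and leave the pressure setpoint unchanged, so an altered value never reaches the control loop.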

How we help

TeskaLabs’ SeaCat technology is comprehensive server software that helps you secure SCADA and related infrastructure and remain or become compliant with industry regulations and security laws.

SeaCat operates on a wide range of devices, interfaces and systems such as mobile, web API, and IoT hub. SeaCat, designed to operate in production and critical environments, helps you ensure the integrity, confidentiality, and availability of data managed and controlled by your SCADA systems and the non-repudiation of data transactions. If you’d like to learn more about our industrial IoT security for SCADA, visit this web page https://www.teskalabs.com/industries/industrial-iot-security-for-scada. Alternatively, contact us to learn how we can assist you with the security of your SCADA system.

About the Author

Jiri Kohout

TeskaLabs’ VP of Application Security, Jiri Kohout, brings years of experience in ICT security, having served as the Chief Information Security Officer for the Ministry of Justice and Chief Information Officer for Prague Municipal Court. He cooperated with the Czech National Security Agency to prepare the Czech Republic cyber security law.



