Editorial - VGB PowerTech Journal 8/2014

“The only certainty is that nothing is certain.
Not even that!”

Joachim Ringelnatz: German author and cabaret artist

Information is a hot commodity in the business world. Every business depends on it for economic success and long-term survival. Essential information in every shape and form (either on paper, in your head, or in a database etc.) has to be protected – danger lurks in every corner. Business-relevant information can end up in the wrong hands or be manipulated, misused or destroyed. Most information nowadays is in the form of digital data. Access should be limited and controlled. Only authorised users should have access to this information.

The foundation of IT security is IT baseline protection (BITB, the BSI's IT-Grundschutz).

The objective of IT baseline protection is to achieve a level of security for IT systems that is appropriate and sufficient for normal protection requirements, through the suitable application of organisational, personnel, infrastructure and technical security measures. An important element of IT baseline protection is the baseline protection catalogue, in which general, basic security measures are described. The rules of IT security are the same everywhere. The measures aim at complete coverage, but they do not directly add anything to a company's value chain.

Only the risks to the IT systems themselves are considered; the measures are therefore very technical, and their implementation is often very complex, which leads to considerable discussion about costs.

IT security has the task of managing the security of the IT components in a company (servers, firewalls, VPN gateways, etc.) so that a predetermined, mainly technical, level of security is achieved and maintained.

Security takes second place after business

In contrast, information security management is not focused on IT systems but on critical business processes. It ensures that business operations can be maintained: business risks are minimised, and returns and business success are maximised.

The risks that exist and have been recognised in the processes in focus must be assessed, and appropriate countermeasures designed for them.

Security (information security) is regarded by experts as the challenge of the future. Statistics and current events demonstrate the growing threat potential.

One way to counter the potential threat is a management system.

An ISMS is the management system which allows the assessment and management of information security within a company, organisation or structure. This covers both technical and non-technical aspects (assets).

Information security management systems (ISMS) according to ISO/IEC 27001:2005 are especially applicable where general, broad security regulations cannot be followed. Management is the operative word in the term ISMS. Unfortunately, this term is heavily over-used.

Behind the term management in the ISO sense lies a way of dealing with a specific topic in a particular, process-oriented manner. Management systems are also established for ISO 14001:2004 (environmental management), ISO 9001:2008 (quality management) and, for example, ISO/IEC 20000-1:2005 (IT service management, aligned with ITIL). ISO/IEC 27001 describes the requirements for the management of information security.

The object and purpose of such a management system according to ISO 27001 is to make the processes of the value chain more robust and sustainable in the face of the identified risks, as well as to manage the dedicated countermeasures and their effectiveness.

In a power plant environment, the analysis of the processes at the sites is essential for the evaluation of information security. This includes the identification of risks in the SCADA environment (process data processing (PDV) and instrumentation and control (LT)) and of their effects on the core processes, such as the operation of the generating unit (block).

Assets have weak spots (vulnerabilities) in a process, or are themselves weak spots. If a threat can act on such a weak spot, a risk arises.

On the other hand, assets have a value, and this value enters into the damage potential.

The level of the potential damage, coupled with the probability of occurrence, describes the risk.

A major advantage of the management system is that it prescribes how the risks are dealt with. Using selected measures, a risk can be avoided, mitigated or accepted. A transfer, for example by means of an insurance policy, is also possible.

The risk strategy has to try to bring the risk factors within an acceptable range.

Documentation plays an essential role in standardisation. Only when all processes, with their assets, risks, measures and improvements, are documented transparently can the steps be traced, even at a later date.
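The chain described above, from asset and weak spot through damage potential and probability to a risk figure, a treatment decision and a documented, traceable record, is shown here as an added example in Python. It is not code from the journal or from any ISO standard; the asset names, scores, countermeasures, the 1 to 5 scales, the risk appetite of 6 and the rules that pick a treatment are all constructed assumptions for illustration.

```python
"""Risk register for a power-plant SCADA environment (added example).

Every row documents the trace from asset and weak spot to the treatment decision,
which is the documentation the editorial calls for. Scales, thresholds and decision
rules are assumptions of this example, not requirements of ISO/IEC 27001.
"""
from dataclasses import dataclass, field
from enum import Enum


class Treatment(Enum):
    """The four risk treatment options named in the text."""
    AVOID = "avoid"
    MITIGATE = "mitigate"
    TRANSFER = "transfer"
    ACCEPT = "accept"


@dataclass
class Measure:
    description: str
    damage_reduction: int = 0       # points of damage potential the measure removes (assumed)
    probability_reduction: int = 0  # points of probability the measure removes (assumed)


@dataclass
class Risk:
    asset: str
    weak_spot: str
    threat: str
    damage: int                     # damage potential, 1 (negligible) .. 5 (unit outage)
    probability: int                # probability of occurrence, 1 (rare) .. 5 (expected)
    measures: list = field(default_factory=list)

    def inherent(self) -> int:
        """Risk before countermeasures: damage potential coupled with probability."""
        return self.damage * self.probability

    def residual(self) -> int:
        """Risk after the documented measures; a scale value never drops below 1."""
        damage, probability = self.damage, self.probability
        for m in self.measures:
            damage = max(1, damage - m.damage_reduction)
            probability = max(1, probability - m.probability_reduction)
        return damage * probability


def decide(risk: Risk, appetite: int) -> Treatment:
    """Pick a treatment so the remaining risk lands within the acceptable range.

    Assumed rules: accept what is already in range, mitigate where the measures
    bring it into range, transfer (insure) what is rare but very damaging, avoid the rest.
    """
    if risk.inherent() <= appetite:
        return Treatment.ACCEPT
    if risk.residual() <= appetite:
        return Treatment.MITIGATE
    if risk.damage >= 4 and risk.probability <= 2:
        return Treatment.TRANSFER
    return Treatment.AVOID


def build_register(appetite: int = 6) -> list:
    """Constructed register for a fictional unit; returns one documented row per risk."""
    risks = [
        Risk("Unit control system (LT)", "unpatched engineering workstation",
             "malware introduced via USB", damage=5, probability=3,
             measures=[Measure("USB port control and application allowlisting", 0, 2),
                       Measure("offline patch process for engineering workstations", 0, 1)]),
        Risk("Process data archive (PDV)", "shared read-only account",
             "disclosure of historian data", damage=2, probability=3),
        Risk("Paper plant documentation archive", "stored in basement below flood level",
             "flooding", damage=5, probability=2),
        Risk("Control network", "direct internet link for remote diagnostics",
             "remote exploitation of controllers", damage=5, probability=4,
             measures=[Measure("firewall with periodic rule review", 0, 1)]),
    ]
    return [
        {
            "asset": r.asset,
            "weak_spot": r.weak_spot,
            "threat": r.threat,
            "inherent": r.inherent(),
            "residual": r.residual(),
            "measures": [m.description for m in r.measures],
            "treatment": decide(r, appetite).value,
        }
        for r in risks
    ]


def within_appetite(register: list, appetite: int = 6) -> bool:
    """Rows kept in scope (accepted or mitigated) must be inside the acceptable range."""
    return all(row["residual"] <= appetite
               for row in register if row["treatment"] in ("accept", "mitigate"))


if __name__ == "__main__":
    register = build_register()
    for row in register:
        print(f'{row["asset"]}: inherent {row["inherent"]}, residual {row["residual"]}, '
              f'treatment {row["treatment"]}')
    print("all in-scope risks within appetite:", within_appetite(register))
```

Of the four constructed rows, the engineering-workstation risk is brought from 15 to 5 by two measures and is mitigated, the archive account risk is already in range and is accepted, the rare but costly flooding risk is transferred, and the internet-connected control network stays at 15 even with a firewall and is avoided by removing the link. The register rows are the documentation: each records asset, weak spot, threat, scores, measures and decision, so the reasoning can be traced later.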

In more and more corporations and companies, risk analyses and management systems according to ISO/IEC 27001 are being developed.

ISMS means: adequate security, economic security, and documented security.

“The winner will not be the one who best avoids risks.
The winners will be those who manage risks most effectively.”

Bruce Schneier
Expert in cryptography and computer security