Cybercriminals and other attackers are increasingly targeting industrial facilities and critical infrastructure. In doing so, they exploit the attack surfaces created by the merging of industrial operational technology with classic information technology (OT-IT convergence). The cyber threat to control and automation systems requires the established IT security protection goals to be reinterpreted, because a successful attack can cause not only immense economic harm but also, especially in critical infrastructures, serious consequences for people and the environment.
With the growing cyber threat to industrial facilities, the classic protection goals of IT security are also changing. While IT security refers to the protection of technical systems, information security is concerned more generally with the protection of information, which may also exist on paper, for example. The two terms are often used synonymously, although strictly speaking information security is the broader field, of which IT security is one part.
In the IT landscape, protecting data and systems is the ultimate goal of IT security. The classic IT protection goals deployed to ward off the corresponding threats are confidentiality, integrity and availability.
In addition, other protection goals can be pursued. Examples include authenticity (the genuineness, verifiability and trustworthiness of an object or actor) and accountability (actions can be clearly attributed to the communication partners involved and proven).
While the focus of traditional IT security is on ensuring the confidentiality and integrity of data through strict access control and data encryption, the key security objectives for industrial control systems (ICS) are usually availability, integrity and authenticity.
Attackers today use a variety of attack vectors, paths and approaches to gain access to a device or control network. Potential pathways for an attack on a network include:
Clear guidelines for planning, implementing, monitoring and improving information security are provided by ISO/IEC 27001. This is the leading international standard for information security management systems (ISMS) and therefore an important standard for certification related to IT security. Implementing this standard helps to defend against cyberattacks and protects the company from outages, loss of information and their consequences. With ISO/IEC 27001, information security and IT security can be optimized in a systematic and structured manner. To achieve this, the standard not only describes the requirements for setting up, realizing, operating and improving an ISMS, but also includes requirements for assessing and dealing with cyber threats, always based on the specific needs of the company.
An information security management system is a framework for defining rules and procedures to ensure, verify, and improve information security. This means that it is not a software tool or anything similar. An ISMS provides methods for identifying and assessing risks relevant to the company, defining security objectives, and also defining and documenting responsibilities, communication channels, systems, and processes.
The IT Baseline Protection developed by the German Federal Office for Information Security (BSI) is a proven standard for setting up an ISMS. In Germany, it is considered the guideline for information security.
IT Baseline Protection provides a technical foundation and a comprehensive working tool for information security. A holistic approach is central to it: in addition to technical aspects, infrastructural, organizational and personnel issues are also considered. In this way, the necessary security measures can be systematically identified and implemented. The BSI standards provide proven procedures for this, while the IT Baseline Protection Compendium provides the specific requirements. Together they allow an ISMS to be implemented in a company.
Based on the BSI standards, HiSolutions AG, a consulting company for security and IT management, has created a recommended checklist for IT security. It is aimed primarily at small and medium-sized enterprises for which introducing a complete ISMS seems disproportionate. Although the checklist cannot replace a methodical, comprehensive IT security concept, it is an implementation aid for all those for whom such a concept is not (yet) available or is difficult to implement. For the various subject areas (organization, employees, protection against malware and attacks ...), it names the most important requirements, which significantly improve information security when met.
Securing IT infrastructures is a complex task that requires a methodical approach. To achieve the IT protection goals, an ISO/IEC 27001 approach and the establishment of an information security management system are recommended. In the white paper "Cybersecurity considerations for industrial control systems", Eaton describes which measures users must take to protect industrial control systems and automation components in particular from cyberattacks, and how manufacturers develop "secure" products.