Managing Critical Information Infrastructure Security Compliance: A Standard Based Approach Using ISO/IEC 17799 and 27001
Information technology constitutes a substantial component of the critical infrastructure of many nations. Systems used by utilities and service industries such as electricity, water, wastewater treatment and gas are key components of these critical infrastructures. These critical infrastructures rely on a range of technologies commonly known as Process Control Systems in the production, distribution or management aspects of their services.
To ensure continued delivery of these critical services, it is important that the process control systems used to control, monitor and manage the infrastructure are secured against physical and cyber security threats. A number of information security standards have been defined by various industry and government regulatory bodies to provide guidance on securing process control systems. However, managing compliance with several standards can become an added administrative overhead for organizations.
This paper reviews the challenges in maintaining compliance with multiple standards and postulates that a holistic information security management system is required to ensure ongoing security of these process control systems. It proposes the implementation of international standards ISO/IEC 17799 and 27001 as a practical approach to managing the various compliance requirements and providing a framework to implement, monitor, manage and improve the security of process control systems.
Keywords: Critical Infrastructure; Process Control System; Compliance Requirement; Information Security Management; Information Security Management System