Information Risks Present Major Challenges For Critical National And Business Infrastructures Says ISF

Visit the ISF at Infosecurity Europe stand F262

21 April 2008: The same information security threats that pose major risks to corporate IT systems also present serious risks to national and business infrastructures, from transport systems and utility networks to manufacturing facilities and financial transaction networks. This is the warning from the Information Security Forum (ISF) at this week’s Infosecurity Europe 2008.

“While the increasing dependence on IT may make this seem rather obvious; the relationship between information systems and critical infrastructures is frequently overlooked,” says Mark Chaplin, the author of a report published by the ISF, an independent association of over 300 major businesses and public sector organisations from around the world.  “Furthermore, it appears that information security professionals are rarely involved in the design, planning, implementation and management of infrastructure components, such as vital production lines, support networks and electricity supply, heating and ventilation equipment – and this has to change.”

The ISF report available to Members is called ‘Securing Critical Infrastructure’ and includes recommendations to address these important issues.

Today, nearly all critical infrastructure components within an organisation are supported or enabled by information systems, ranging from embedded systems and process control PCs to sophisticated information systems such as Computer-Aided Manufacturing (CAM) and Supervisory Control and Data Acquisition (SCADA).

“The dependence on information systems introduces security issues that can have a significant impact on the resilience and reliability of critical infrastructures, regardless of whether the supporting systems are centralised, stand-alone or embedded,” says Chaplin.

The report focuses on critical business infrastructure associated with four different categories, each of which can be adversely affected by a failure or compromise of information systems:

Operations - including machinery and manufacturing equipment, transportation and financial processing equipment

Telecommunications - including telephone and mobile communications and network equipment

Utilities - including gas, water and electricity processing equipment

Buildings – including surveillance, physical access and health and safety equipment, and the buildings themselves

Threats to these critical infrastructures include: external threats such as hacking, espionage and denial of service attacks; internal threats including human error, malicious misuse and fraud; and natural or man-made disasters such as fire, flooding or explosions, which could damage IT equipment.

There are numerous examples of how information security failures have brought business and national infrastructures to a grinding halt from a breakdown in signalling on the railways or baggage handling at airports, to a collapse in business operations due to severe weather conditions. These instances can often be avoided by following simple steps as outlined below.

Securing Critical Infrastructure is one of over 200 authoritative reports along with information risk methodologies and benchmarking tools  that are available free of charge to ISF Members. The ISF is a not-for-profit international association of over 300 leading international organisations that has already invested over US$100 million in research and the development of practical, business driven solutions to information security and risk management problems.

In addition, the latest ISF Standard of Good Practice for Information Security is also available free to non-members at www.isfstandard.com.