Friday, July 14, 2017

How Much Will The Implementation Of Security Measures Cost?

Almost everybody is talking about security measures in the context of automation and communication systems in factories, power plants, substations, hospitals, ... Talking about the topic is one thing - what's about implementing and sustainable use of secure systems? Hm, a good question.
A news report published on June 13, 2017, under the title
"The “Internet of Things” is way more vulnerable
than you think—and not just to hackers

points out that many - maybe most - devices that communicate using internet technologies are not capable to carry the load needed for reasonable security measures. One paragraph referring to Joe Weiss (a well known expert) is eye-catching:
"Weiss believes that the first step in securing the IoT is to build entirely new devices with faster processors and more memory. In essence, hundreds of billions of dollars’ worth of machines need to be replaced or upgraded significantly."

Click HERE to read the complete report.

I would like to see - at least - more powerful platforms when it comes to new installations. Be aware that the cost of a new platform with implemented state-of-the-art security measures is one thing. Another thing is to implement a more centralized security infrastructures to manage the security.
IEC 62351-9 specifies cryptographic key management, namely how to generate, distribute, revoke, and handle X.509 digital certificates and cryptographic keys to protect digital data and its communication.
Primary goals of the series IEC 62351 are considered for the use of cryptography:
  • Verifying the claimed identity of a message sender (authentication);
  • Verifying that the sender has the right to access the requested data (authorization);
  • Ensuring no one has tampered with a message during transit (integrity);
  • Obscuring the contents of a message from unintended recipients (confidentiality);
  • Associating specific actions with the entity that performed them (non-repudiation).
It is recommended for vendors and users to pay more attention to IEC 62351 (and other standards) and to listen carefully to the experts involved in protecting our infrastructures.
A reasonable white paper on the matter has been published by the BDEW (Germany): "Requirements for Secure Control and Telecommunication Systems".
Click HERE to access the BDEW white paper.
Click HERE for further information (some documents are in English).
Click HERE for a paper discussing the BDEW white paper.

No comments: