Large DH utilities or utilities with subscribers considered part of the critical infrastructure, such as hospitals, cold storage, or vital production facilities, must aim for higher maturity levels. Smaller DH utilities, with relatively few mostly private house- holds, may start off aiming for a lower maturity level. It is, how- ever, important to note that more mature utilities are less likely to be compromised by a cybersecurity attack, so all utilities should aim as high as economically possible to ensure conti- nuity of service and retain their subscribers’ trust.
In addition to the overall system architecture, the security of a system requires secure components that are integrated in secure ways using secure communication protocols; this is sometimes called proactive security. This can be difficult for end users to determine directly, so it is crucial to identify rel- evant security goals and include these in the requirement specification when systems are developed or purchased. In addition, to secure the implementation and configuration of the systems included in the infrastructure, the system must also be managed and evolve in secure ways; this is sometimes called reactive security. In addition to logging all security-rele- vant events in the system and continuously monitoring these logs to determine whether the system is under attack, it is also common to hire external security experts to try and penetrate the security; this is called a penetration test or pen-test of the system. A lot of attention and money is paid to pen tests now. Any vulnerabilities uncovered by a pen test must be addressed. Still, it is essential to remember that even the most frequent and expensive pen-testing program does not replace a sound security architecture and substantial proactive security efforts.
Summary and Conclusions
With the increasing dependence on DH and the increasing regulation of cybersecurity in critical infrastructure, security governance and the ability to demonstrate compliance with regulations and good security practices, in general, are receiv- ing increasing focus. We have examined the importance of explicit security goals that reflect the risk to the utility and its subscribers and de- scribed different techniques and technologies that may help achieve these goals. The purpose of this article is not to sug- gest how security-responsible employees in DH utilities should organize their work but to raise the security awareness of all employees in DH utilities and to help those smaller DH organi- sations realize that they form part of critical infrastructure that may soon be regulated. Few organisations are sufficiently large to justify an internal security department, so smaller organi- sations must hire external help from specialist security com- panies or by forming DH cybersecurity co-operatives that may serve many smaller DH utilities in the same geographical area.
Security Evaluation and Certification
Developing a security architecture that balances the security goals against other goals, such as the maintenance of physical infrastructure, requires an understanding of an organisation's current security posture, the well-defined security goals that we discussed above, and gap analysis to inform the transfor- mation from the security posture “as is” to the security posture required by legislation and regulation and expected by sub- scribers. This implies an evaluation of the security posture of DH utili- ties, which normally follows some security maturity model. We do not discuss these models here beyond observing that they follow the same general pattern, from no structured approach to security through more structured approaches to security documented by self-assessment to very structured approach- es following an externally defined framework and evaluated by an external certification agency.
For further information please contact: Christian Damsgaard Jensen, mcdje@dtu.dk
Made with FlippingBook - Online magazine maker