CHAPTER 16: ASSESSMENT OF THE SECURITY LEVEL

‘If you’re not doing scans and penetration tests, then just know that someone else is. And they don’t work for you.’20 – George Grachis

Can we be certain that our information systems are protected? Are the information systems used to provide critical infrastructure services adequately protected, especially considering the expertise and capabilities of those who might organise cyber attacks?

People often say that their systems are well protected because nothing has ever happened. Does the fact that nothing has happened really mean they are well protected, or is it simply that nothing has happened yet (or that an intrusion has gone undetected)? To find out, an organisation might start with a self-assessment of the security of its information systems. The organisation's internal audit function could then give its opinion of the security of those systems. The organisation should also commission an external audit to obtain an independent opinion: internal audit departments often lack the competence required for auditing information systems, and are unlikely to have auditors with the skills to audit the security level of automatic control systems.

When ordering an audit of information systems, the organisation should require that the auditor holds an information systems auditor certificate (e.g. CISA, ISO 27001 Lead Auditor). Certified auditors should include the relevant specialists in their work, whether industrial control system security experts, IP network security experts, application-level security experts, etc. Audits should not stop at giving an opinion of the information security policies of the CII provider; they should include actual testing (vulnerability scanning, penetration testing) that gives answers about the real level of security.

Attention must be paid to the reliability of the service provider, and background checks must be carried out on all the auditors and experts who perform the work, since they will gain detailed knowledge of the organisation's weaknesses. As many critical infrastructure service providers are private companies, they should cooperate with the relevant public authorities, which can advise on suitable auditors and experts.

Requiring experience in carrying out similar audits is a good idea. The potential impact on the systems to be tested must also be considered: even the smallest test attack that looks harmless at first may disrupt operational systems, and control systems in particular may not tolerate scanning or malformed traffic. Testing windows, scope limits and fallback procedures should therefore be agreed in advance.

An audit report is prepared following the audit. It should include the findings made during the audit and recommendations for eliminating them. The auditors and testers should also prepare a summary presentation of the audit results, which the organisation's management should most definitely attend.

Management should be interested in the auditors' opinion of the security level of the information systems used to provide the critical infrastructure service. They must also know whether vulnerabilities were found and how many, how serious they are, how they can be eliminated, and how much money, expertise and time this would take.

The audit should also highlight the money, expertise and time an attacker would need to mount an attack. Auditors may further point out risks and weaknesses related to non-human causes or to non-malicious incidents caused by insiders, which can be just as detrimental to the security of information systems. Such figures can prompt management to think and act. They can illustrate very simply how low the level of security is in some organisations, or even reveal that there is no security at all in the organisation, or in parts of it.

The security of the information systems used to provide CII should be audited regularly, not once, so that the organisation has an up-to-date and objective opinion of its security level.

Lesson 16: Assess the security level of your information systems yourself and ask external experts to assess them as well.
