Securing our Critical Infrastructure – Protecting Society, What’s My Role?
by Jim Attridge, Manager, Cybersecurity BC Hydro and Power Authority
Security and privacy are two areas that have faced an immense challenge in the face of continued technological advancement over the last thirty years. The pace of change and the rate at which we develop amazing new ideas to communicate and share information seems to stay constantly ahead of our ability to control it very well. When the Internet became prevalent, most companies chose simply to block it. Business needs prevailed and soon adjusted to allow filtered access, controlled and monitored centrally.
Today, we face an array of new challenges: Smart phones that serve the purpose of both corporate and personal use; and companies that provide cloud storage and services associated with user identities that are used for both corporate and personal use, such as Google Docs and Apple iCloud; and, an ever-growing expectation that companies will not just tolerate these new ways of sharing but embrace them and integrate them with existing corporate services.
The controls we look at need to be nimble, mature and effective. These three elements can be daunting to combine to fully meet business requirements. Whenever it is done well by organizations, it is because security and privacy are brought in as core requirements of communication platforms, not as an addendum. There are four broad elements that need to be brought to the table for security and privacy to be properly treated:
- Governance and Policy – clear ownership and stewardship by senior levels in the organization around what is permitted and what is not, backed by a solid foundation of legal, technical, acceptable use, financial, and service level policy and process.
- Data Classification – An organization cannot protect data without knowing what data it possesses, where it exists and its importance to the organization that holds it and its customers. Personally identifiable information and critical infrastructure data are both equally sensitive but have completely unique requirements around access – in terms of risk, legal and compliance. Until data is properly classified it cannot be effectively protected.
- Technical Controls – Ensuring your data is protected according to your policy is a wonderfully complex problem to solve. Encryption of data at rest and in transit is just the start. Just as important are robust access controls and process around the data, effective authentication methods that are appropriate to the degree of risk, and tools to detect unauthorized access or misuse of data – just to name a few.
- Monitoring and Follow up – One control that needs special focus is the ability to monitor access to the data and the systems that interface with the data. Having the right tools and processes to effectively maintain your policies though monitoring is key. Having people that know what to do with the monitoring data is even more important. Too often monitoring controls are not effectively coupled with a cohesive strategy to manage your data access policies.
For companies to successfully deploy these new services in a way that satisfies the workforce as well as meeting security and privacy needs, it is ever important that security be brought in as a legitimate stakeholder in these initiatives. This is the only way these four key tenets can be effectively integrated into an overall business solution that meets everyone’s needs.