Managing critical information infrastructure security compliance: A standard based approach using ISO/IEC 17799 and 27001

Abstract

Information technology constitutes a substantial component of the critical infrastructure of many nations. Systems used by utilities and service industries such as electricity, water, wastewater treatment and gas are key components of these critical infrastructures. These critical infrastructures rely on a range of technologies commonly known as Process Control Systems in the production, distribution or management aspects of their services. To ensure continued delivery of these critical services, it is important to ensure that the process control systems used to control, monitor and manage the infrastructure are secured against physical and cyber security threats. A number of information security standards have been defined by various industry and government regulatory bodies to provide guidance in securing process control systems. However, managing compliance to several standards can become an added administrative overhead to organizations. This paper reviews the challenges in maintaining compliance with multiple standards and postulates that a holistic information security management system is required to ensure ongoing security of these process control systems. It proposes the implementation of international standards ISO/IEC 17799 and 27001 as a practical approach to managing the various compliance requirements and providing a framework to implement, monitor, manage and improve the security of process control systems. © Springer-Verlag Berlin Heidelberg 2006.