The same basic principle applies to cyber and information security as security in general, points out Veikko Rouhianen, Research Professor at VTT, where his area of speciality is risk management and security.
– One can get quite far simply by using common sense, understanding the risks, and behaving accordingly. No system will help you, if you do not use it. Information security is not the responsibility of a company’s ICT personnel only, but everyone has to observe it in their daily activities.
On construction sites, it is already a normal practice that everyone wears a helmet. Similarly, it should be totally clear that security-sensitive information is not sent by e-mail, for example.
– A minimum requirement is an encrypted e-mail connection. The good old paper is also a surprisingly good alternative.
In addition, people should be aware of, for example, which information is security-sensitive and which is not.
What makes the situation more complicated is the fact that when innocent-looking pieces of data are brought together, the final outcome may reveal too much.
– In such matters, we should revise our attitudes. For instance, in social media, people disclose matters they would better leave untold.
– When basic thinking related to information security is in order, it is a good point to start developing the systems in other respects as well, underscores Rouhiainen.
Strategic research and assignments
The distinction between cyber and information security is becoming obscure, and today these two terms are largely used as synonyms. In principle, though, cyber security is a sub-area of information security, aiming at ensuring the security of critical functions for society. The terminology is changing rapidly, however, and no unambiguous definitions have been established.
VTT collaborates with companies and various organisations in research and development related to cyber and information security – and also performs different assignments related to these matters.
Reijo Savola, Principal Scientist, cyber security, says that typical assignments include different information security analyses, assessments and testing. VTT also performs, for example, risk analyses and, on the basis of these, assesses system architectures and their implementation.
VTT is internationally known for its research related to information security indicators.
– The basic idea of information security indicators is the establishment of as good a situation awareness image of information security as possible, which helps decision-making at all organisational levels. The information needed by the strategic, operative and technical levels is provided in exactly the same language they use.
The indicators make it possible to report, for instance, to the company’s management group the information security data needed by it in an easy-to-understand visual format. The key matters that have emerged in the risk analysis can be described, for example, by using a traffic light style visualisation.
– The idea is also that the necessary data is passed along throughout the various phases of risk analyses and the product and service development linked with it.
Adaptive information security is another spearhead area of VTT operations that is partly related to these indicators.
– If, for example, a certain monitoring system is used both in a hospital environment and at home, it is rational that the identification needed to access the system adapts according to the situation. In practice, this means that in a closed hospital environment or, for example, an ambulance, access to the system is easier, but elsewhere the access control is stricter. It is not sensible to require too much information, if it is not really needed.
Savola points out that adaptive features make the system lighter and easier to use.
– The role of this type of adaptive systems is also becoming more and more emphasised all the time, as IoT, the Internet of Things, becomes more common. Various types of devices we use in our everyday lives are constantly linked with each other, exchange information with each other, and travel from place to place.
The whole arsenal in use in the Cyber War Room
Reijo Savola is especially proud of VTT’s new Cyber War Room – a miniature-scale internet, isolated from the rest of the world, where different kinds of test attacks can be made. He estimates that, in the future, attack competence will be an important skill for cyber security professionals, to ensure the best possible expertise for defence against criminals.
– The legislation alone prohibits making this kind of cyber attacks in the open Internet, where different malware can spread. In the Cyber War Room, we do not need to rely on simulation, but we can freely use the entire attack arsenal available to us, and test the defence capabilities of different systems. This will serve both our customer companies and our strategic research.
VTT also operates in the Finnish Information Security Cluster (FISC, www.fisc.fi), involving companies that specialise in information security solutions.
– At the moment, even the big Finnish information actors are small in global scale. Still, we have a lot of expertise in this sector in Finland. In the FISC network, the idea is to enhance co-operation and to collectively gain access to larger projects and challenges, and to consider development trends at a strategic level.
And, as we are discussing cyber and information security, the work is never done. Technology and the threats related to that evolve all the time. Someone is always developing new methods of hacking into systems.
– This combat is somewhat disproportionate. We have to be prepared for any kind of threat scenarios all the time, to be relatively good at everything. Criminals, on the other hand, can focus on developing only one cyber weapon of their choice at a time; they do not need to prepare themselves across the whole front, says Savola describing the situation.
Development of industrial cyber security
VTT has been working several years for the development of industrial cyber security in several projects.
Senior Scientist Pasi Ahonen mentions as one example of the achievements among the projects targeted at the industry the common requirements for vendors, which supports the management of automation system vendors’ information security. By applying it, an industrial company will have its various system suppliers, devices and solutions function in accordance with its own information security concept.
VTT has also produced, for example, information security instructions for factory environment, in other words, basic rules on what every employee, from plant cleaner to automation engineer, needs to know about information security.
At the moment, Ahonen heads a three-year KYBER-TEO project entity (2014–2016), with an aim to develop cyber security services and practical implementation of information security solutions and practices in the industrial sector. The main sponsor of the project entity is the National Emergency Supply Agency.
– The idea is to develop and test cyber security services in the participating companies with a view to ensuring production and continuity. In bilateral cases, the confidential results are naturally revealed only to the organisation involved. At the same time, however, general information is also generated, which can be shared for everyone to use, also outside the projects.
The kyber-teo consists of three work packages: cyber protection practices and mappings, practical implementation of cyber security in domestic production, and monitoring services of production automation network.
– We also provide a forum for exchange of information and peer support. Companies can, for example, compare what functions well and what doesn’t.
One of the problems in the development of cyber security is that very little information about production stoppages caused by, for example, viruses is made public.
– It is important to develop a more closed sharing of information system on the subject, so that people are aware of, for example, any active attacks. This will also make preparation for fending off such threats easier.
In addition to the National Emergency Supply Agency, the other customers involved in the KYBER-TEO project includes Metso Automation, Neste Oil, Outotec, Turun seudun puhdistamo, and, from the service sector, Nixu, nSense, Prosys and Nordic LAN & WAN Communication Oy.
– There is room for new companies, as we are only going through the first year of the project, hints Pasi Ahonen.