Protecting Your Critical Infrastructure: What Security Approaches Do Organizations Need to Adopt?
Earlier this week we outlined the nature of the main threats to critical infrastructure from cyberspace. Today, we want to outline the steps organizations need to take to protect themselves. First and foremost, it is key that organizations adopt a holistic approach to their security, focusing on physical security as well as cyber security.
For the physical aspects of critical infrastructure facility design, organizations need to be sure to include security design and placement early in the planning stage. The site location is very important. Security should be included in "where" the facility is placed and "how" it is built.
For example, in relation to the security of the facility, a number of things should be considered: visibility of the facility; neighboring companies and buildings; local considerations (such as hazardous waste sites, low crime areas); impact of natural disasters (earthquake zones, flooding); and finally, joint tenancy - is the facility shared with another company, and how would this impact shared access, environmental controls, etc.? A secure site also needs to include security design in the walls, ceilings, floors, doors, windows, sprinkler controls, installation of liquid and gas lines, and climate controls. Security controls such as cameras, motion detectors, and environmental sensors/alarms should also be included in the plan.
In addition, for the physical design of critical infrastructure, a "layered defense model" should be adopted, ensuring that key assets - whether physical or cyber - are at the core of the facility behind layers of physical and cyber security.
Regarding the cyber aspects of the integrated security project, security controls need to be developed, included, maintained and enforced as appropriate to secure the project. These include administrative controls (policies; asset and data classification; governance policies; personal security policies and education); technical controls (encryption of critical data and/or signals; access control mechanisms such as biometrics, key cards, etc.; access control lists; remote access authentication protocols); and physical controls (some of which are included above). These controls can be preventive, detective or corrective in nature, and they can be implemented automatically or manually.
You may find answers to some frequently asked questions related to the physical security of data centers in another recent post, Data Centers: Six Frequently Asked Questions.