Assessment of Security and Protection in Critical Infrastructures

TECNALIA provides integral security assessment services for critical infrastructures, covering both physical security and logical/cyber security. The services are addressed to managers of critical and strategic infrastructures and to public administrations that own such infrastructures.

Integral Security is defined as the formal integration of all security resources in an organization, which yields organizational benefits such as integral risk mitigation, increased efficiency and operational effectiveness, and cost savings. In the past, entities approached risk mitigation in an essentially independent way: physical security and logical security were handled separately, in terms of risk assessment, risk management and other risk-oriented functions. That is why integrating the different types of security (physical and logical) has become a critical aspect of protecting the critical infrastructures that operate critical services. In recent years, the integration of these lines has been boosted by the global economy and the speed of technological advances. Likewise, the advent of regulatory frameworks, such as the Spanish Law 8/2011 (PIC), which includes measures for protecting critical infrastructure in Spain and the baseline requirements for the public and private sectors, has also influenced the creation of a new concept in the field of Integral security.

TECNALIA's approach to the assessment of security in Critical Infrastructures is based on a model supported by methodologies drawn up by prestigious institutions, such as ASIS, ISO, NIST, ISA or NERC, to perform risk analysis and vulnerability scans in an integral way, combining the physical and logical lines with the aim of ensuring security across the whole spectrum.

Objectives

The objectives of the evaluation are to:
  • Assess the integration of physical and logical security in critical infrastructures.
  • Determine the effectiveness of the integral security and protection system in critical infrastructures.
  • Contribute to improving the security and protection of the infrastructure at the physical, logical and integral levels.
  • Determine the installation status with respect to the requirements of the Critical Infrastructure Protection Law (PIC Law) and the Royal Decree that develops it.
  • Propose the next implementation steps in order to improve the continuity guarantee of the services provided.

Process

The evaluation process steps are:

Step 1: Pre-evaluation meetings
The evaluation scope and framework, as well as the contacts on both sides, are set.

The client provides documentation related to security (risk assessment study, security plans or protocols, access, operation, cyber security, contingency plan, evacuation plan, ...). At this stage, the client is also asked about recent security incidents and security problems.

A document describing the path to be followed during the evaluation is produced and delivered to the client.

Step 2: Data collection and analysis
Tecnalia starts a remote assessment of the integral security by conducting an extensive open source intelligence search on the target entity. This research collects information from databases and public records of the target entity, job postings, social networks, Internet search engines and much more.

This public information, together with the security documentation submitted in Step 1, is thoroughly analysed.

Step 3: Visit to the facilities
Tecnalia meets the client on site to tour the facility, performing an in-situ assessment of all the physical and logical security elements and measures located in the facilities within the evaluation scope.

Step 4: Analysis of the control centre integral security
At this step, the integral vulnerabilities identified during the evaluation of measures and controls are analysed. In addition, an analysis of intra-dependencies, inter-dependencies with other critical infrastructures and circular inter-dependencies is performed.

As a result, a recommendations report is produced that determines whether certain controls should be improved or whether a new technology could help mitigate the threat posed by the identified threat agents.

Step 5: Presentation of reports
As part of the service, in addition to the recommendations report, an executive presentation aimed at management is prepared that gathers the main conclusions of the evaluation process.

Tecnalia holds a closing meeting with management to present and summarize the assessment and to give them the opportunity to ask questions about it.

Benefits of the Evaluation

The assessment makes it possible to mitigate risks and to prepare for contingencies against possible future threats and failures.
  • Development of an analysis to lower security costs.
  • Preparation for adapting to Critical and Strategic Infrastructure Laws and to Integral security standards.
  • Support in the biennial review of the Operator’s PSO and PPE documents, as established by the Spanish PIC Law.

TECNALIA Strategic Partnership

  • Collaboration in drafting the plans required by the PIC Law: PSO (Operator Security Plan), PPE (Specific Protection Plan) and Business Continuity management plan.
  • Risk Analysis and Management.
  • Assessing threats and vulnerabilities of strategic assets.
  • Participation in drafting the security specifications of Critical Infrastructure solutions.
  • Participation in the architectural design of Critical Infrastructure solutions to provide the security point of view.

Contact info:

Abel Capelastegui, abel.capelastegui@tecnalia.com
Javier Puelles, javier.puelles@tecnalia.com
Cristina Martinez, cristina.martinez@tecnalia.com