The application of the ISO/IEC 27001 standard enables organizations operating OT systems to develop a comprehensive and coherent security strategy that integrates risk management and the best practices of information protection. ISO/IEC 27001 emphasizes the necessity of senior management commitment, the precise definition of scope, risk assessment, the selection of appropriate security controls, and the continuous review and improvement of the system. These steps are key to maintaining the security of OT systems and strengthening protection against cyberattacks. Applying ISO/IEC 27001 in an OT environment not only increases the effectiveness of security measures but also contributes to maintaining business continuity, increasing customer trust, and meeting regulatory requirements. The main conclusion of the recently published domestic and international cybersecurity reports on OT/ICS systems is that the number and sophistication of threats are continuously growing. It is a fundamental interest of nations and organizations to minimize these risks and to protect their OT/ICS systems in cyberspace as effectively as possible. The most appropriate way to do this is a standards-based approach to cyber defence and the effective application of the recommendations. This article presents the key steps and benefits of applying ISO/IEC 27001 in practice, and its practical use, in relation to OT/ICS systems.
OT (Operational Technology) systems refer to the technology that manages and controls physical processes and industrial assets. OT systems are primarily found in industrial sectors, the energy sector, transportation, and infrastructure. Other examples include BMS (Building Management Systems), CCTV (Closed-Circuit Television), SSM (Safety and Security Management), and HMI (Human-Machine Interface) systems. OT systems differ from IT (Information Technology) systems, which are more focused on data processing and information management. In contrast, OT systems are designed to control physical processes and industrial assets, such as production lines, power distribution networks, or transportation systems. Organizations that operate cyber-physical systems, particularly industrial systems, critical infrastructure, or other legacy systems, face significant cybersecurity challenges. These systems often consist of components that were not designed with security or modern connectivity in mind. As OT systems increasingly connect with IT systems, the risk of cyberattacks rises. Older devices often lack updated security protocols, and the absence of industrial standards makes them vulnerable. The increasing frequency of cyberattacks can have severe consequences for operational processes and safety. The uniqueness of OT systems lies in their impact on the physical world, meaning that cyberattacks can lead not only to data loss but also to potentially life-threatening situations. The implementation of the ISO/IEC 27001 standard enables organizations operating OT systems to develop a comprehensive and coherent security strategy that integrates risk management and the best practices in information protection. ISO/IEC 27001 emphasizes the necessity of senior management commitment, precise definition of scope, risk assessment, selection of appropriate security controls, and continuous review and improvement of the system.
These steps are crucial for maintaining the security of OT systems and strengthening protection against cyberattacks. The application of ISO/IEC 27001 in an OT environment not only enhances the effectiveness of security measures but also contributes to maintaining business continuity, increasing customer trust, and meeting regulatory requirements. The Dragos 2023 and BlackCell reports provide several practices and principles that support the requirements and objectives of the ISO/IEC 27001 standard. These include continuous risk assessment, advanced incident management, ongoing improvement of security measures, and robust network segmentation and monitoring. By following these recommendations, organizations can effectively manage cybersecurity risks and improve their information security performance, ensuring they remain resilient against an ever-changing threat landscape.
Backes, M., Pfitzmann, B., & Waidner, M. (2006) Soundness Limits of Dolev-Yao Models. In: Workshop on Formal and Computational Cryptography (FCC 2006).
Baheti, R., & Gill, H. (2011) Cyber-physical systems. The impact of control technology 12, pp. 161–166.
Barraza de la Paz, J. V., Rodríguez-Picón, L. A., Morales-Rocha, V., & Torres-Argüelles, S. V. (2023) A systematic review of risk management methodologies for complex organizations in industry 4.0 and 5.0. Systems 11, p. 218.
Chavez, S., Anahue, J., & Ticona, W. (2024) Implementation of an ISMS Based on ISO/IEC 27001:2022 to Improve Information Security in the Internet Services Sector. In: 14th International Conference on Cloud Computing, Data Science & Engineering 2024 (Confluence). IEEE. pp. 184–189.
International Organization for Standardization & International Electrotechnical Commission (2022) ISO/IEC 27001:2022 Information security management systems. https://www.iso.org/standard/27001
Dragos (2024) OT Cybersecurity. The 2023 year in review.
Farkas T. (2023) A kommunikációs és információs rendszerek értelmezése napjainkban: követelmények és kihívások. In: Új típusú kihívások az infokommunikációban. pp. 11–30.
Feng, T., Zhang, B., Liu, C., & Zheng, L. (2024) Security assessment and improvement of building ethernet KNXnet/IP protocol. Discover Applied Sciences 6, p. 162.
How Do OT and IT Differ? (2024) https://www.cisco.com/c/en/us/solutions/internet-of-things/what-is-ot-vs-it.html
Iturbe, E., Rios, E., Mansell, J., & Toledo, N. (2023) Information Security Risk Assessment Methodology for Industrial Systems Supporting ISA/IEC 62443 Compliance. In: 2023 International Conference on Electrical, Computer and Energy Technologies (ICECET). IEEE. pp. 1–6.
Kocsis T. (2019) ICS/OT Snapshot 2019. Riport a hazai, interneten elérhető ipari vezérlők felhasználásáról.
Michelberger P. (2024) Fejezetek a vállalati biztonságmenedzsmentből. Budapest, Akadémiai Kiadó.
Prasetyani, L., Dini, A., & Ma’arif, E. (2021) Automation Control Design of a Storage Machine Based on Omron PLC System. pp. 30–34.
Ratzer, A. V., Wells, L., Lassen, H. M., Laursen, M., Qvortrup, J. F., Stissing, M. S., Westergaard, M., Christensen, S., & Jensen, K. (2003) CPN tools for editing, simulating, and analysing coloured Petri nets. In: International Conference on Application and Theory of Petri Nets. Springer. pp. 450–462.
Sario, A. (2019) What is Operational Technology? https://www.engineeringinreallife.com/post/what-is-operational-technology
Scheidegger, B. (2013) Smart eagle: Advanced external monitoring of heterogeneous networks. Master’s Thesis. ETH Zürich.
Stouffer, K. (2023) Guide to Operational Technology (OT) Security (No. NIST SP 800-82r3). National Institute of Standards and Technology, Gaithersburg, MD.
Tsvetanov, T., & Slaria, S. (2021) The effect of the Colonial Pipeline shutdown on gasoline prices. Economics Letters 209, 110122.
Vacherot, C. (2020) Sneak into buildings with KNXnet/IP.
Watkins, S. (2022) ISO/IEC 27001:2022. An introduction to information security and the ISMS standard. IT Governance Publishing, Ely, Cambridgeshire.
Zelmati, M., Oulqaid, Z., & Elouadi, A. (2023) Real-time Tracking of Auditing Process Progress with a Customizable Application for Cybersecurity Standards Compliance: A Case Study on ISO 27001 and TISAX. In: 10th International Conference on Wireless Networks and Mobile Communications 2023 (WINCOM). IEEE. pp. 1–7.