IT Safety Act: How municipal utilities tackle the new challenge

Image may be NSFW.
Clik here to view.

Electrical power supply is a central part of mission-critical infrastructures. Outages or disturbances of these infrastructures have severe consequences and immediate effects on the other sectors and therefore on the state, economy and society. That is why they have to be secured safely and reliably so that outages can be prevented before they even occur. The new IT Safety Act has established a legal basis for the IT security of mission-critical infrastructure. Municipal utilities all over the European Union are now facing the challenge of fulfilling these compliance regulations.

Security guidelines for mission-critical infrastructures

Image may be NSFW.
Clik here to view.

The nine sectors of mission-critical infrastructure

It is hard to imagine our modern every day life without electric power supply or clean running water. It has become a given that we get up in the morning and turn on the light, let the water run from the tap in the bathroom, take public transportation to get to work where we sit down in front of the computer that turns on when we press the button. But what if these processes were disturbed? What if no light comes on, no water runs, no metro is coming, the computer doesn’t turn on? A power outage, for example, can lead to severe consequences. Hospitals can lose data when computers shut off unexpectedly, medical devices cannot run properly. The cold storage house cannot keep perishables refrigerated, private households are freezing in winter when the radiators are attached to the power supply. Quickly we realize: The more we depend on flawlessly running IT infrastructures, the better they need to be protected. In May 2016, the new IT Safety Act was passed that determines security guidelines for mission-critical infrastructure across the European Union. Electrical power supply is one of its central parts.

Need for action for municipal utilities

Many municipal utilities are under great pressure: They are affected by the new regulatory requirements for operators of mission-critical infrastructure. The law is to prevent attacks from the outside and guarantee a safe mains operation. This means an urgent need for action for municipal utilities. According to the new law, they have to establish an Information Security Management System (ISMS) and show a certification after ISO27001 by the end of January 2018.

Wanted: Certification according to ISO27001 for municipal utilities with 300 employees

Image may be NSFW.
Clik here to view.

The Kentix-Truck in action

The municipal utilities of Newtown (name changed) realizes that they are affected by the IT Safety Act. According to the new law, they are considered mission-critical infrastructure and therefore are required to show a certification of the Information Security Management System (ISMS) after ISO27001 by the end of January 2018. In preparation of the ISO27001 certification the municipal utilities of Newtown have researched what it takes to monitor the critical IT rooms according to ISO27001 regulations. Through ads in well-established trade magazines and eventually by doing research with the help of search engines on the internet, they found Kentix. The All-in-One solution for environmental monitoring and access control seemed promising so the responsible person made a quick phone call to get a general overview and some more information. Quickly it became clear that the Kentix system meets the requirements of the municipal utilities of Newtown and that a certification according to the ISO 27001 will be possible with it. Just a few days later, a Kentix employee drove up on the premises with the Kentix Show-Truck in order to present the solution live and vividly on site. Moreover, measurements of the IT rooms and an analysis of needs was conducted. Finally, the project was separated into several single phases: Until when is the monitoring solution to be implemented in which rooms? For this, the responsible persons determined the urgency for each part of the IT infrastructure together with the Kentix employee and in the end, they clarified the installing, implementation and junction of the single phases.

360° physical security made easy: With Kentix

Monitoring solution for IT rooms

Image may be NSFW.
Clik here to view.

In the first step, the main focus was the physical security of the IT rooms. In order to secure them against more than 35 physical threats such as critical climate factors, fire, leakage or burglary, a StarterSet-PRO was installed. This includes an AlarmManager for the central control and administration of the system as well as a MultiSensor-RF and a MultiSensor-DOOR for the physical monitoring of the environment. The basic layout was upgraded by a LeakageSensor for the protection against potential water ingress and a KeyPad-Touch for access logging. Whenever a threat is detected, the correspondent sensor immediately sends out an alarm to the AlarmManager which logs the alarms and forwards them via SMS, e-mail or push notification to the responsible persons. Finally, an IP camera was installed which integrates smoothly into the Kentix portfolio.

Protection against unauthorized access for IT cabinets

In the second step, an access control system – the Kentix DoorLock® – was implemented for six IT cabinets in the engineering rooms. The AccessPoint serves as the central control unit for the system. Via its web surface, authorizations can be granted or withdrawn. The IT cabinets were rebuilt and were equipped with a half cylinder which is mounted to the Online Door Knob. This way, the door can only be unlocked with an RFID medium and sufficient authorization.

Expansion of the system across locations

Image may be NSFW.
Clik here to view.Eventually, in a third step the access control system and the physical monitoring solution was expanded to additional engineering rooms, distributors and offices. Altogether, the municipal utilities of Newtown have 12 rooms secured against physical threats and unauthorized access with the Kentix solution. In contrast to IT cabinets with the Online Door Knob, office doors were equipped with the Online Door Lever. This door opener offers comfortable access to highly frequented doors. A function can be set up which will unlock the door for a predefined timeframe after one successful booking. This way, the door does not have to be opened with an RFID medium each time somebody enters the room. Once the timeframe is up, the door is locked again. Moreover, additional IT cameras were installed which are triggered by a booking at the door opener and record a sequence of pictures. False bookings or attempts of sabotage are immediately forwarded to the responsible persons with the pictures attached. Additional MultiSensor-LAN take care of the physical security in the IT rooms. Altogether, the monitoring and access solution will be continuously expanded to 380 distribution sites. Thanks to the interconnection across locations of the components with each other and to the central administration of the system, this is no problem at all. The entire system can easily be controlled from anywhere and at an time via web browser or the app for smartphones and tablets. This way, the municipal utilities of Newtown have their IT infrastructure and their rooms at a glance always and can act immediately in case a threat is detected in order to avoid outages before they occur. Therefore, nothing stands in the way of the certification according to the ISO27001.

All requirements fulfilled for the certification according to ISO27001

The implementation of the Kentix system considers the following threat protection specified in the BSI baseline protection catalog:

• Image may be NSFW.
  Clik here to view.Force majeure (G 1.4, 1.5, 1.7)
• Organizational faults (G 2.6)
• Technical defects (G 4.1, 4.2, 4.6)
• Deliberate acts (G 5.1, 5.2, 5.3, 5.4, 5.5)
• Hazard alert system (M1.18)  (ISO 27002, 11.1.4)
• Remote indication of disturbances (M 1.31)
• Fire alarm system in the data center (M 1.48)
• Early fire detection / extinguishing technique (M 1.54)
• Access control (M 2.17)

Excerpt from an audit report by the TÜV Rheinland:

When implementing the Kentix system, the following requirements specified by the DIN 27001 have been fulfilled:

• A.9 Access control
• A.11 Physical and environmental security