System development and maintenance: an international standard for information technology security

G. Pavlis, G.J. Besseris and C. Stergiou

MSc in Advanced Industrial & Manufacturing Systems

TEI of Piraeus, Greece and Kingston University, London, UK

Abstract

The international standard ISO 17799 has been developed for managing information technology security. The purpose, the benefits and the ten security controls that make up ISO 17799 are extensively reviewed. Cryptography, cryptographic tools, and encryption provide message confidentiality by rendering information unreadable to anyone but the intended recipient(s). Authentication seeks to ensure that a message has been sent by a known party or device. Integrity checking can also be applied to the contents of a message, where encryption is used to ensure that any alteration of the contents of the message is detected.

The integrity of a message is "guaranteed" by appending to the message some sort of block check, typically a cyclic redundancy check (CRC). This technique is sufficient to defeat accidental modifications of the message. However, it is not sufficient to protect against malicious modification: indeed, any attacker can intercept a message, change it, recompute its block check, and pass it on without the modification being detected. Data integrity techniques require using some one-way function to compute a block check of the message, called a Modification Detection Code (MDC) or Integrity Check Vector (ICV).
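The contrast described above between a CRC and a one-way block check, as an added example that is not part of the original paper. It assumes HMAC-SHA-256 as the keyed one-way function (the abstract names no algorithm); the key, the message and the function names are constructed for illustration.

```python
import hashlib
import hmac
import zlib

KEY = b"constructed-demo-key"  # assumption: secret known only to sender and receiver


def crc_frame(payload: bytes) -> bytes:
    """Append a CRC-32 block check; no secret is involved."""
    return payload + zlib.crc32(payload).to_bytes(4, "big")


def crc_verify(frame: bytes) -> bool:
    return zlib.crc32(frame[:-4]).to_bytes(4, "big") == frame[-4:]


def mac_frame(payload: bytes, key: bytes = KEY) -> bytes:
    """Append a keyed one-way check (HMAC-SHA-256, 32 bytes)."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def mac_verify(frame: bytes, key: bytes = KEY) -> bool:
    expected = hmac.new(key, frame[:-32], hashlib.sha256).digest()
    return hmac.compare_digest(expected, frame[-32:])


def demo() -> dict:
    original = b"RTU07 SETPOINT=040"  # constructed sample message
    altered = b"RTU07 SETPOINT=400"   # same message after deliberate modification
    # A CRC needs no secret, so the party altering the payload can recompute it.
    crc_recomputed = crc_frame(altered)
    # Without KEY, the best that party can do is keep the old tag or guess one.
    mac_stale_tag = altered + mac_frame(original)[-32:]
    mac_wrong_key = mac_frame(altered, key=b"guessed-key")
    # Accidental damage: one flipped bit in the payload.
    noisy = bytearray(crc_frame(original))
    noisy[3] ^= 0x01
    return {
        "crc_accepts_genuine": crc_verify(crc_frame(original)),
        "crc_accepts_bit_error": crc_verify(bytes(noisy)),
        "crc_accepts_modified": crc_verify(crc_recomputed),
        "mac_accepts_genuine": mac_verify(mac_frame(original)),
        "mac_accepts_stale_tag": mac_verify(mac_stale_tag),
        "mac_accepts_wrong_key": mac_verify(mac_wrong_key),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The CRC rejects the accidental bit error but accepts the deliberately modified message, while the keyed check accepts only the frame produced with the shared key.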

Having seen how to provide secrecy and integrity of data, next we discuss methods for guaranteeing authentication of communicating partners. The oldest technique for providing one-way authentication is based on passwords. Aside from the fact that one-way authentication is no longer judged sufficient, passwords are the least safe technique to implement it because they suffer from numerous problems. Digital signatures provide a solution for protecting the authenticity and integrity of electronic documents.

The implementation of the ISO 17799 standard is demonstrated on a SCADA system. The objective of this report is to make the audience aware that SCADA communications are at risk, and that a standard-based cryptographic system can protect SCADA communications. SCADA system owners will not protect their systems if they do not understand the kinds of attacks that are possible and if they do not believe that there is a reasonable probability that such attacks will occur.

Keywords: ISO 17799, security controls, SCADA, cryptography, encryption, authentication