Laser Production and Application: Topical Issues of Information Security and Business Continuity
The article deals with the production and application of lasers and with the related possibilities of penetration into (that is, unauthorized compromise of) the software of industrial laser systems. The goals, advantages and procedure for implementing an information security management system under ISO/IEC 27001:2013 (the ISO 270XX series of standards) are considered. A step-by-step procedure is presented for forming an information security management system at an enterprise in order to reduce risks and avoid systemic failures. The relationship between the proposed measures, business continuity and the investment attractiveness of enterprises is shown. Business disruptions lead to the loss of customers, income and reputation, while the absence of a business continuity management system indicates that an enterprise is not prepared for a quick recovery of its activities and does not meet the international level.
Accepted: 19.11.2020
Possibilities of penetration into software of industrial laser systems
Laser technology is developing at a rapid pace. Laser technological complexes for the industrial implementation of various laser materials-processing technologies are in ever greater demand. In this connection it is important to emphasize that “unique parts and products for customers can be manufactured with significant savings in expensive materials” [1, p. 65; 2].
According to experts, “laser sales doubled over the decade, reaching 13.76 billion USD in 2018. Laser sales in 2019 are expected to reach 14.6 billion USD. 2018 was another record year in the industrial laser sales sector, at 5 billion USD, mainly due to fibre lasers. The world market for laser systems for material processing in 2018 reached a record volume of 19.8 billion USD” [3].
Industrial laser systems are becoming more and more complex. The range of topical issues related to photonic and optical technologies, optical materials and the elements used in optical systems, equipment and machine tools is expanding [4–19]. At the same time, industrial complexes for high-speed laser cutting of rolled metal, machines that produce high-quality metal products and similar installations run complex software. The safety and efficiency of industrial laser systems depend heavily on the quality of that software.
Technologies involving high-power lasers (heat treatment, welding and cutting) are closely tied to information technologies, including the transmission of data over the Internet and the connection of various devices. As industrial laser systems become more complex and more connected, the risk of penetration into their software increases: every network interface and every remote connection for diagnostics or updates is also a potential entry point.
Opportunities for penetration into the software of industrial laser systems arise, for example, from untimely software updates, neglect of security measures, excessive trust, non-compliance with password policies, dishonest suppliers and so on; each of these corresponds to a familiar class of attack (unpatched vulnerabilities, weak or reused credentials, social engineering, supply-chain compromise). It should also be noted that information security is generally insufficient and highly qualified personnel in this area are scarce.
Penetration into the software of industrial laser systems is possible in several ways (a detailed consideration of these methods could be the subject of a separate article). Attackers use various kinds of malicious software, social engineering, phishing and fraud. It is broadly agreed that as cybercriminal attacks become more frequent and sophisticated, competition will force incident-prone businesses out of the market.
Both manufacturers of industrial laser systems and the enterprises that use them need to increase their competitiveness and investment attractiveness and, within a short time frame, to secure the growth of their infrastructure and its independence from imports, reliability and security.
What are the ways out of this situation? Let’s name just a few of them:
solving the personnel issue in the field of information security (it should be borne in mind that “often hackers have to defend good specialists” [20]);
use of protective tools and timely software updates;
audit of software suppliers (here it is worth heeding the opinion of experts in related industries: “The problem for the energy sector will be the ‘supply chain’: attacks via suppliers of software and hardware” [21]);
participation of information security specialists in cross-functional product teams, that is, active use of the DevSecOps principle (which is spreading worldwide);
raising the competence of developers themselves and their culture of information security;
a reasonable balance between the convenience and the security of innovative solutions; review of all decisions from the standpoint of information security (with particular attention to laser technologies and innovation-management technologies);
implementation of information security management systems in accordance with ISO/IEC 27001 (ISO 270XX series of standards, best practices);
implementation of business continuity management systems in accordance with ISO 22301;
personnel training and exercises.
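Two items in the list above, timely software updates and the audit of suppliers against supply-chain attacks, come down in practice to one control: an update is installed on a laser controller only after its provenance and integrity have been checked. The following Python example is added here and is not code from the article or from any laser-system vendor; the manifest format, the file names, the version numbers and the digest pinned out-of-band are assumptions made for illustration.

```python
"""Integrity and version gate for a vendor software update.

Added example, not code from the article or from any laser-system vendor.
Assumptions (hypothetical): the supplier ships a JSON manifest listing a
version string and a SHA-256 digest per file, and the digest of the manifest
itself was obtained from the supplier out-of-band (for example, during the
supplier audit), so an attacker who tampers with the download cannot also
silently rewrite the manifest.
"""
import hashlib
import hmac
import json

# Constructed: the version currently running on the laser controller.
INSTALLED_VERSION = (2, 4, 1)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_version(text: str) -> tuple:
    """'2.5.0' -> (2, 5, 0); tuples compare element-wise, so (2, 10, 0) > (2, 9, 9)."""
    return tuple(int(part) for part in text.split("."))


def verify_update(manifest_bytes: bytes, pinned_manifest_digest: str,
                  files: dict, installed_version: tuple) -> list:
    """Return a list of findings; an empty list means the update may be applied.

    files maps file name -> content (bytes) as unpacked from the update bundle.
    """
    # 1. The manifest must match the digest pinned out-of-band. Without this,
    #    a tampered bundle could simply ship a matching tampered manifest.
    #    compare_digest avoids timing side channels on the comparison.
    if not hmac.compare_digest(sha256_hex(manifest_bytes), pinned_manifest_digest):
        return ["manifest digest does not match pinned value; refuse update"]
    manifest = json.loads(manifest_bytes)
    findings = []

    # 2. Refuse rollbacks: re-installing an older, vulnerable release is a
    #    common way to reintroduce a patched flaw.
    if parse_version(manifest["version"]) <= installed_version:
        findings.append(f"version {manifest['version']} is not newer than installed")

    # 3. Every file named in the manifest must be present with the right digest.
    expected = manifest["files"]
    for name, digest in expected.items():
        if name not in files:
            findings.append(f"missing file: {name}")
        elif not hmac.compare_digest(sha256_hex(files[name]), digest):
            findings.append(f"digest mismatch: {name}")

    # 4. Files the manifest does not list are refused too: an injected binary
    #    must not ride along with otherwise valid files.
    for name in files:
        if name not in expected:
            findings.append(f"unexpected file not in manifest: {name}")
    return findings


def build_sample():
    """Constructed bundles: one clean, one with an implant and an extra file."""
    clean = {
        "controller.bin": b"constructed firmware image 2.5.0",
        "motion.cfg": b"axis_x_max_mm=1200\naxis_y_max_mm=800\n",
    }
    manifest = {"version": "2.5.0",
                "files": {name: sha256_hex(data) for name, data in clean.items()}}
    manifest_bytes = json.dumps(manifest, sort_keys=True).encode()
    pinned = sha256_hex(manifest_bytes)  # stands in for the out-of-band value
    tampered = dict(clean)
    tampered["controller.bin"] = clean["controller.bin"] + b" + implant"
    tampered["helper.dll"] = b"constructed extra binary"
    return manifest_bytes, pinned, clean, tampered


if __name__ == "__main__":
    manifest_bytes, pinned, clean, tampered = build_sample()
    print("clean bundle:", verify_update(manifest_bytes, pinned, clean, INSTALLED_VERSION))
    print("tampered bundle:", verify_update(manifest_bytes, pinned, tampered, INSTALLED_VERSION))
```

The order of the checks matters: the manifest is trusted only after its own digest has been verified, because a manifest that arrived with the bundle is exactly what a supply-chain attacker would rewrite. In production the pinned value would be a vendor signature verified with a key distributed separately, but the pattern of pin, then verify contents, then refuse anything unexpected is the same.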
Specialized electronic resources [22] present topical issues in the development of laser technologies; at the same time, reducing the risk of penetration into the software of industrial laser systems is practically not considered there.
To reduce the possibilities of penetration into the software of industrial laser systems, attention must be paid to developing a unified vision of information security that covers both the development of such systems and their operation, taking into account the entirely new challenges arising in the information space. New risks in the information environment must also be taken into account, bearing in mind that “the cybercriminal world develops its technologies keeping pace with ‘civil’ digitalization, and sometimes even ahead of it” [23].
In this regard, attention should be paid to the growing role of import substitution in ensuring information security, including the use of domestic software in industrial laser systems.
Implementation of information security management system
The specialized literature notes an increase in the risks associated with the use of digital technologies and in the spread and complexity of cyber threats [24–26]. With the transition to remote work and the use of remote formats of interaction over the Internet, the risks increase significantly.
In order to reduce the risk of penetration into the software of industrial laser systems and to avoid systemic failures, it is advisable to implement and maintain an information security management system.
The implementation working group relies on international standards, including:
ISO/IEC 27001:2013, Information technology – Security techniques – Information security management systems – Requirements;
ISO/IEC 27000, Information technology – Security techniques – Information security management systems – Overview and vocabulary;
ISO/IEC 27002:2013, Information technology – Security techniques – Code of practice for information security controls;
ISO/IEC 27003, Information technology – Security techniques – Information security management system implementation guidance;
ISO/IEC 27004, Information technology – Security techniques – Information security management – Measurement;
ISO/IEC 27005, Information technology – Security techniques – Information security risk management;
ISO 31000:2018, Risk management – Guidelines (https://www.iso.org/obp/ui/#iso:std:iso:31000:ed‑2:v1:en).
Having acquired the standard, an enterprise develops and implements an information security management system in accordance with ISO/IEC 27001 through a sequence of actions, preferably with the involvement of experienced experts:
diagnostic audit;
formation of a working group and an implementation plan;
information security training;
description of system-level procedures and requirements;
description of basic procedures and requirements;
adjustment of the processes and procedures of existing management systems;
methodological assistance in developing and revising documents;
audits, including internal audits of the created management system;
management review of the created management system;
support during the certification audit, if required.
A complete solution for implementing an information security management system in accordance with ISO/IEC 27001 includes the necessary documentation, consulting, training, audit and preparation for certification. It is applicable to individual enterprises, holdings and groups of companies.
When implementing an information security management system, enterprises can draw on resources such as:
ISO/IEC 27001 Customer Guide – information on the capabilities of an information security management system;
ISO/IEC 27001 Executive Briefing – information on the benefits of ISO/IEC 27001 for business;
ISO/IEC 27001 Features and Benefits – the features and benefits of ISO/IEC 27001;
ISO/IEC 27001 Implementation Guide – detailed guidance on implementing an information security management system;
ISO/IEC 27001 Self-Review Checklist – a checklist for assessing the organization's readiness to implement an information security management system.
Implementing an information security management system in accordance with ISO/IEC 27001 makes it possible to increase confidence in the enterprise's information security, to meet the requirements of regulators and obligations to counterparties, and to optimize information security costs.
Creation of Security Operations Centre (SOC)
It makes sense for an enterprise to build its own cohesive, trained and motivated Security Operations Centre (SOC) team. The alternative is to use commercial SOC services.
According to Gartner's Adaptive Security Architecture model [27], for an organization to combat cybercrime successfully in today's threat environment the SOC team must be able to predict, prevent and detect threats and to respond to them effectively, feeding what it learns from incidents back into the prediction of future attacks.
At SOC Forum 2019, the SANS SOC studies of 2018 and 2019 were cited on the problem of staffing.
Implementation of a business continuity management system
Business continuity issues are relevant both for the production and for the use of industrial laser systems [28–30].
“According to BleepingComputer, IPG Photonics was hit by ransomware that disrupted its operations. The company had to shut down computer systems at its offices around the world. Phones and e-mail were cut off in the offices, there was no communication, production of parts stopped, and delivery did not work” [31, 32].
To prevent the kind of system failure that may accompany penetration into the software of industrial laser systems, it is advisable to implement a business continuity management system in accordance with the internationally recognized standard ISO 22301:2019 and to draw on best practices.
The ability of an organization to continue operating during disruptions is becoming increasingly important. Business disruptions lead to the loss of customers, income and reputation, while the absence of a business continuity management system indicates that an enterprise is not prepared for a quick recovery of its activities and does not meet the international level.
A business continuity management system should take into account a range of issues, including the impact of product recalls, employee motivation and well-being, illness unrelated to work, the effect of organizational maturity on the approach to and results of long-term trend analysis, and the organization's preparedness for unforeseen events such as extreme weather.
Business continuity management is regarded as one of the most dynamically developing areas of strategic and operational management. It is important to define correctly the goals and objectives of business continuity management and its scope (the focus being on ensuring business continuity at an agreed acceptable level).
Focus of attention:
Strategy and business continuity planning
Business Impact Analysis (BIA). Definition of RTO (recovery time objective) and RPO (recovery point objective).
Risk assessment. Threat models and scenarios
Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP)
Plan development, key success factors and plan implementation.
Employee awareness program
Employee training, employee awareness assessment
Exercise programme
Testing the Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP). Test types
Assessment of the current state and development of a roadmap to achieve the target state
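The BIA items above (RTO and RPO) and the exercise items (testing the BCP and DRP) are connected: an objective written into the plan is only a target until the backup interval and a measured restore exercise show it can be met. The following Python example is added here and is not from the article; the process names, objectives and measurements are constructed for illustration.

```python
"""Checking DR arrangements against the RTO/RPO set in the business impact analysis.

Added example, not taken from the article. Process names, objectives and
measurements are constructed. The point it shows: the backup interval bounds
the achievable RPO, and only a measured restore exercise proves the RTO.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Process:
    name: str
    rto_hours: float                 # maximum tolerable downtime (from the BIA)
    rpo_hours: float                 # maximum tolerable data loss, expressed in time
    backup_interval_hours: float     # how often a restorable copy is taken
    measured_restore_hours: Optional[float]  # restore time in the last exercise; None if never tested


def assess(p: Process) -> list:
    """Return the gaps between the objectives and what the DR setup can deliver."""
    gaps = []
    # Worst-case data loss is one full backup interval, so the interval must
    # not exceed the RPO.
    if p.backup_interval_hours > p.rpo_hours:
        gaps.append(f"RPO {p.rpo_hours}h not achievable: backups only every "
                    f"{p.backup_interval_hours}h")
    # An untested restore gives no evidence for the RTO at all.
    if p.measured_restore_hours is None:
        gaps.append(f"RTO {p.rto_hours}h unproven: restore never exercised")
    elif p.measured_restore_hours > p.rto_hours:
        gaps.append(f"RTO {p.rto_hours}h missed: last exercise took "
                    f"{p.measured_restore_hours}h")
    return gaps


def roadmap(processes: list) -> list:
    """(name, gaps) for every process with gaps, most time-critical (lowest RTO) first."""
    ranked = sorted(processes, key=lambda p: p.rto_hours)
    return [(p.name, assess(p)) for p in ranked if assess(p)]


# Constructed sample for a plant running industrial laser systems.
SAMPLE = [
    Process("Cutting cell CNC programs and recipes", 4, 1, 24, 2.0),
    Process("Order management (ERP)", 24, 4, 4, 30.0),
    Process("Engineering drawings (PLM)", 48, 24, 24, None),
    Process("Plant e-mail", 72, 24, 12, 6.0),
]

if __name__ == "__main__":
    for name, gaps in roadmap(SAMPLE):
        print(name)
        for gap in gaps:
            print("  -", gap)
```

The output is the roadmap item in the list above in miniature: the cutting cell restores quickly enough but loses up to a day of programs, the ERP is backed up often enough but cannot be rebuilt within its RTO, and the PLM objective is unproven because nobody has ever exercised the restore.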
At the beginning of 2020, new trends and new requirements of regulators, suppliers and consumers appeared, and risks changed significantly [33]. Information security risks, compliance risks and supply chain interruption risks have become relevant for many enterprises. In the current environment, many organizations prefer to apply several standards rather than being certified against one. For industrial enterprises the international standards ISO 9001, ISO 14001, ISO 45001, ISO/IEC 27001, ISO 22301 and others are relevant.
Development and implementation of a business continuity management system in accordance with ISO 22301 improves management efficiency and helps avoid systemic failures. The standard shares its high-level structure with ISO 9001 and ISO/IEC 27001, so the management systems can be integrated, which is especially important in the context of digitalization.
For the safe development of a business, especially one using industrial laser systems, comprehensive information protection is required. This calls for a combination of advanced science-based solutions and practical experience. Where can such a combination be found? One answer: at an information security research centre.
Such a centre has been created and is developing successfully. “On the basis of JSC ‘Research Institute of Computing Systems named after M. A. Kartsev’, the Research Centre for Information Security operates for the purpose of studying and carrying out work on the comprehensive protection of information. The centre's laboratories for special studies and special checks are equipped with the necessary instruments meeting all requirements of the FSTEC and the FSB of Russia.
It holds licences of Rospotrebnadzor, the FSTEC and the FSB of Russia, including the FSB of Russia licence for the development and production of encryption tools. Interaction with government bodies, integrators, state corporations and enterprises of the radio-electronic industry has been established” [34].
The main activities of the Research Centre for Information Security (SIC IB) are set out in its information booklet [35]:
special checks of technical means and systems to detect electronic devices intended for covert collection of information in equipment that processes information constituting a state secret;
special studies of technical means and systems, using instrumentation, to identify possible technical channels of leakage of protected information;
attestation of informatization objects against information security requirements;
electromagnetic compatibility testing;
development of software, hardware and information security systems.
In conclusion, it should be noted that there are many examples of the successful development of enterprises whose activities are directly related to industrial laser systems.
It is recommended to conduct a diagnostic audit and supplier audits, to train staff, to implement management systems in accordance with international standards and best practices, to improve the information security culture and to take other necessary measures, including an approach to building and developing one's own cohesive, trained and motivated SOC team or using commercial SOC services. Sooner or later the question of the return on investment in industrial laser systems will arise, and it is considered not only from the standpoint of ESG factors but also from that of information security and business continuity.
Unresolved information security problems can lead not only to incorrect data on the results of work, incorrect conclusions and incorrect management decisions, but also to far more serious consequences.
It is important that there be more examples of successful enterprises whose activities are directly related to industrial laser systems. This is a strategic task in the context of digitalization.
REFERENCES
[1] Holton K. Rynok lazerov v 2020-m: obzor i prognoz. Lazernye rynki ishchut svoj kurs v nespokojnye vremena [The laser market in 2020: review and forecast. Laser markets seek their course in troubled times]. Lazer-Inform. 2020; 3 (666): 1–6.
[2] Trumpf demonstrates additive manufacturing with copper and gold. Industrial Laser Solutions. 2019, January/February. P. 6. www.industrial-lasers.com.
[3] Belforte D. A. Mirovoj rynok lazernogo oborudovaniya dlya obrabotki materialov v promyshlennosti [The world market for industrial laser materials-processing equipment]. Lazer-Inform. 2020; 17–18 (680–681): 4–7.
[4] Fomenko I. Sovremennye lazernye sistemy v promyshlennosti [Modern laser systems in industry]. University 20.35 (NTI). URL: http://skvot.2035.university/sovremennye-lazernye-systemy (accessed 12.11.2020).
[5] Otchetnyj doklad Prezidenta Lazernoj associacii I. B. Kovsha [Report of the President of the Laser Association I. B. Kovsh]. Lazer-Inform. 2018; 5–6 (620–621): 1–7.
[6] Kovsh I. B. Fotonika v Rossii: sostoyanie i zadachi [Photonics in Russia: state and tasks]. Lazer-Inform. 2019; 4 (643): 1–16.
[7] Overton G., Nogee A., Belforte D., Wallace J., Gefvert B. What goes up. Annual Laser Market Review & Forecast 2019. Laser Focus World, January 2019. P. 40–45, 47, 49–54, 56–58, 60–61, 64–65.
[8] Overton G., Nogee A., Holton C. Lasers forge 21st century innovations. Laser Marketplace 2014. Laser Focus World, January 2014. P. 38–40, 42, 44, 46, 49, 51–54, 56–62.
[9] Keller J. Air Force to ask industry for 75-Watt sodium laser to create artificial stars for adaptive optics. 17.01.2019. URL (truncated in the source; tracking parameters removed): …artificial-stars-adaptive-optics.html.
[10] Laroui S. Laser beam shaping for innovative applications. Industrial Laser Solutions, March/April 2019. P. 22–23. www.industrial-lasers.com.
[11] Spectrum supplies laser marking system for use in manufacturing Mars lander. Industrial Laser Solutions, March/April 2019. P. 10. www.industrial-lasers.com.
[12] Ignatov A. G. Voennoe primenenie lazernoj tekhniki nabiraet oboroty i nachinaet opredelyat' tekhnicheskij uroven' sovremennogo i perspektivnogo vooruzheniya [Military use of laser technology gains momentum and begins to define the technical level of current and future weapons]. Fotonika. 2016; 56 (2): 14–25.
[13] Pelaprat J. M., Fritz R., Finuf M., Zediker M. High-power blue laser improves fabrication throughput. Industrial Laser Solutions. 2018; 1–2: 17–20.
[14] Tojo K., Masuno S., Higashino R., Tsukamoto M. (Shimadzu Corporation). Japan develops blue laser for advanced materials processing. Industrial Laser Solutions. 2018, September/October. P. 27–31. www.industrial-lasers.com.
[15] Belforte D. My view. Lasers make it better. Industrial Laser Solutions. 2018; 1–2: 32.
[16] Tojo K., Masuno S., Higashino R., Tsukamoto M. (Shimadzu Corporation). Japan develops blue laser for advanced materials processing. Industrial Laser Solutions. 2018, September/October. P. 27–31. www.industrial-lasers.com.
[17] NUBURU has invented and is manufacturing the world's first revolutionary high-power blue laser. URL: http://www.nuburu.net/markets (accessed 31.01.2019).
[18] Trumpf demonstrates additive manufacturing with copper and gold. Industrial Laser Solutions, 2019, January/February. P. 6. www.industrial-lasers.com.
[19] Belforte D. A. 2018 was another record year, contending with turmoil. Industrial Laser Solutions, 2019, January/February. P. 9–11. www.industrial-lasers.com.
[20] Bol'shoj Nacional'nyj forum informacionnoj bezopasnosti [Grand National Information Security Forum (Infoforum)]. URL: https://infoforum.ru/main/17‑i-nacionalnyi-forym-informacionnoi-bezopasnosti (accessed 12.11.2020).
[21] Anti-Malware.ru. URL: https://www.anti-malware.ru/analytics/Threats_Analysis/cyber-threats-and-security-tools-evolving‑2020‑forecast
[22] Photonica.Pro. URL: http://photonica.pro/ (accessed 12.11.2020).
[23] Bol'shoj Nacional'nyj forum informacionnoj bezopasnosti [Grand National Information Security Forum (Infoforum)]. URL: https://infoforum.ru/main/17‑i-nacionalnyi-forym-informacionnoi-bezopasnosti (accessed 12.11.2020).
[24] Belous A. I., Soloduha V. A. Kiberoruzhie i kiberbezopasnost'. O slozhnyh veshchah prostymi slovami [Cyberweapons and cybersecurity. Complex things in simple words]. Moscow; Vologda: Infra-Inzheneriya, 2020. 692 p.
[25] Vajl P., Vorner S. [Weill P., Woerner S.] Cifrovaya transformaciya biznesa: Izmenenie biznes-modeli dlya organizacii novogo pokoleniya [Digital business transformation: changing the business model for a next-generation organization]. Moscow: Al'pina Pablisher, 2019. 257 p.
[26] Kiberbezopasnost' cifrovoj industrii. Teoriya i praktika funkcional'noj ustojchivosti k kiberatakam [Cybersecurity of the digital industry. Theory and practice of functional resilience to cyberattacks]. Ed. D. P. Zegzhda, Professor of the RAS, Dr. Sc. (Eng.). Moscow: Goryachaya liniya – Telekom, 2020. 560 p., ill.
[27] Kaspersky Lab. SOC brochure. URL: https://media.kaspersky.com/ru/business-security/enterprise/brochure-soc-powered-by-kl.pdf
[28] Miloslavskaya N. G., Senatorov M. Yu., Tolstoj A. I. Upravlenie incidentami informacionnoj bezopasnosti i nepreryvnost'yu biznesa [Information security incident management and business continuity]. Textbook for universities, 2nd ed. Moscow: Goryachaya liniya – Telekom, 2019. 170 p. Series "Voprosy upravleniya informacionnoj bezopasnost'yu" [Issues of information security management], issue 3.
[29] Andrianov V. V., Zefirov S. L., Golovanov V. B., Golduev N. A. Obespechenie informacionnoj bezopasnosti biznesa [Ensuring the information security of a business]. 2nd ed., revised and expanded. Moscow: CIPSiR; Al'pina Pablisherz, 2011. 373 p.
[30] Koneev I. R. Sistema upravleniya nepreryvnost'yu biznesa: Pochemu ona dolzhna byt' vnedrena na kazhdom predpriyatii? [Business continuity management system: why must it be implemented at every enterprise?]. Moscow: LENAND, 2016. 352 p.
[31] URL: http://www.itsec.ru/news/krupneyshiy-v-ssha-proizvoditel-volokonnih-lazerov-stal-zhertvoy-vimogatelksogo-po
[32] URL: https://www.securitylab.ru/news/512278.php
[33] World Economic Forum. The Global Risks Report 2020, executive summary. URL: https://reports.weforum.org/global-risks-report‑2020/executive-summary/
[34] URL: http://www.niivk.ru/index.php?id=107
[35] URL: http://www.niivk.ru/images/ISRC.pdf
Author
Ksenia N. Temnikova, Moscow Polytechnic University, Associate Professor of the Department of Information Security; expert at Profconsult ISM; Candidate of Economic Sciences;
ORCID 0000-0002-9645-7886,
RSCI identifier SPIN code: 6988-2051.
Profile: consulting, implementation and audit of Information Security Management Systems and Business Continuity Management Systems, investments in industrial robots, investments in laser technological complexes.