Managing data from critical functions is part of future security of supply

The architecture of information systems used in organisations that are critical for security of supply must be carefully designed to ensure that the organisation retains control of the data.

A great deal of critical information will be generated as society becomes increasingly digitalised, with growing opportunities to combine and analyse data. This development also affects vital functions of society, such as health care, logistics, the financial sector and telecommunications operators, which process large volumes of data in their systems.

It is important for organisations of critical importance to security of supply to understand what kind of data they are processing in their information systems, and at least equally important to understand what information is accessible to their own staff and to external IT system service providers and their subcontracting chains.

“It is essential for data protection that the information systems involved in processing data remain unimpaired and under control throughout the life cycle of the data. There will not necessarily be any outward signs that a system has been compromised by outsiders – until it’s too late,” explains WithSecure Chief Information Security Officer Erka Koivunen.

Critical infrastructure businesses hold confidential information related to security of supply in Finland, and businesses are usually interconnected both within and across international borders. This interdependence means that a threat to one business may also affect the operations of another.

Businesses of critical importance to security of supply, or their information system service providers, are not exclusively in Finnish ownership. A growing number of these businesses are also moving their information systems onto cloud services, making them increasingly reliant on foreign service providers.

Data from smart solutions may interest authoritarian states

Organisations that are crucial for security of supply often generate large data volumes without necessarily appreciating their importance. For example, data used for managing the energy sector may interest authoritarian states. Even where information does not include personal data, the global tension between authoritarian states and democracies governed by the rule of law must be considered when assessing the risks involved in outsourcing and selecting service providers.

Many vital functions of our future society, such as energy provision and traffic control, will rely on smart solutions. These solutions are often networked online, and may therefore be more vulnerable to unauthorised intrusion or deliberate influence. The operations of a Finnish airport operator or pharmaceutical service provider may be affected, for example, if a foreign service provider is subject to such deliberate influence.

Information generated by smart solutions is also used for training artificial intelligence. Authoritarian states are seeking data from Western countries for developing their own AI solutions. Face or speech recognition are examples of AI systems that require the broadest possible range of data.

Erka Koivunen expects to see a transition to a truly digital-native character, in which information technology enables services that have not previously been possible. One danger that nevertheless remains in a world based on smart solutions is that we still lack access to the grounds for decisions taken by various algorithms that are closely guarded business secrets.

There are already ways to manage data

Protecting critical infrastructure requires broad cooperation throughout society. Supo seeks to combat threats to national security and provide relevant preventative guidance to businesses and public authorities.

As businesses continue to own critical infrastructure, they must also take in-house measures to protect it.

“Never before have businesses had access to such effective security technology,” Erka Koivunen explains.

He insists that we should understand our data: where it comes from, how confidential it is, and what kind of usage restrictions it involves. Once these aspects are clear, it is fairly easy to specify various access privileges for data users.

“The meta-framework created to meet GDPR requirements serves as a good basis for this. It is worth cherishing this functional classification system with the patience of a librarian,” Koivunen says.

Security clearance vetting reports prepared by Supo are also one element in protecting security of supply businesses from the risks posed by users.

Previous arrangements that protected information systems from security anomalies by requiring one-off user authentication are no longer enough. Modern technology bases protection on multi-layered strong authentication and on detecting anomalies during use. Each user’s device and actions can be checked and logged. Data on the same actions can be collected from terminals and cloud services, thereby verifying observations.

The business must also monitor this control mechanism to ensure that it is not misused.

Organisations should also use non-IT solutions to manage their data. For example, a public administration organisation processing classified information pursuant to the Act on the Openness of Government Activities may apply security and defence procurement criteria when making purchases. This enables security considerations to be taken into account, for example in competitive tendering for information system services.