Acireale/Italy, February 2018: How BaxEnergy achieved ISO/IEC 27001:2017 certification
Energy Studio Pro® remains the safest choice for building utility-grade monitoring and control rooms. To further raise the security level of its products, BaxEnergy recently had its entire development lifecycle certified as compliant with the security requirements of the latest international standard.
“Security is our top priority for 2018 and with a constantly growing number of cyber-attacks and security threats out there, well, we could not wait any further” Dr. Massaro, BaxEnergy CEO, declared.
BaxEnergy made the choice of the highest quality possible since the very beginning and complied with the ISO 9001 back in 2011. “Now with the ISO/IEC 27001:2017 certification, we raised the security bar even higher and bullet-proofed the entire set of development processes” Ms. Purrazzo, CIO of BaxEnergy, said.
The more digital technologies are employed to match energy demand with actual consumption, the more they expose the entire energy sector to cyber-attacks. Threats take many forms: information theft, service disruption, environmental damage, blackouts. Given today's tight interconnection of smart grids and gas pipelines, no part of the world is really exempt from such risks.
Compliance with the ISO/IEC 27001:2017 standard indicates that a company operates an effective Information Security Management System (ISMS). An ISMS is the comprehensive set of internal processes used to manage sensitive information so as to ensure the confidentiality, integrity and availability of data. In other words, a company compliant with ISO/IEC 27001:2017 has worked intensively to implement the controls required by the international standard, and from then on manages data and builds products every day according to the latest and strictest security requirements.
Success Stories in Security
On February 28, 2018, GitHub, the largest code repository service and literally the place where thousands of individual developers as well as corporations store and share their code, experienced the largest denial-of-service attack recorded up to that point (a memcached amplification attack). A denial-of-service attack aims at bombarding the target site with more requests and traffic than it can handle, until it collapses. Taking down a site like GitHub is a serious outage that would affect companies worldwide that deal with code: they would be prevented from saving, restoring or versioning their work. Because of the mission-critical service it provides, GitHub is an attractive target for attackers. Well aware of this, over time the company developed and implemented a set of measures to detect and fend off such attacks.
The world of cyber-security is populated by the ghosts of far too many sad stories about successful attackers, but the GitHub story of 28 February 2018 is different.
In spite of an attack that peaked at an incredible 1.35 Tbit/s (1,350 gigabits per second), GitHub was unavailable for no more than ten minutes. While ten minutes is still a long time for a mission-critical service, it is only a blink of the eye compared to what could have happened. Consider, for example, that as recently as 2015 a similar but far lighter attack disrupted GitHub intermittently over roughly five days.
What does it mean?
It means that money spent taking care of internal management processes, document workflows, network infrastructure and development practices is money saved many times over against possible cyber-attacks. An effective ISMS will not stop attackers from trying, but it does reduce the chance that an attempt succeeds and, as the GitHub case shows, shortens the time needed to detect and recover from one. Attackers who keep banging their heads against a wall of high-quality security practices soon give up and move on.
ISO/IEC 27001:2017 is the most up-to-date set of security requirements and controls a company can adopt to be able to react as quickly as GitHub did and to further discourage attacks.
What Is ISO/IEC 27001:2017, Exactly?
Obtaining the ISO/IEC 27001:2017 certification demonstrates a company's strong commitment to rigour about information security at every level. At the foundation of the standard lies the following set of capabilities, which together form what is globally known as an ISMS.
- The company has developed a repeatable procedure for analysing threats and vulnerabilities within the company and its products as far as information security is concerned.
- The company has implemented a set of tools and practices to address any identified security risks. This includes secure software development practices as well as safe document management workflows and secured communications within the company and outside of it.
- The company has internal policies for performing a threat analysis periodically so that new measures can be taken and the level of security can be maintained high on an ongoing basis.
Compliance with the internationally recognized ISO/IEC 27001:2017 standard is assessed by an independent third-party audit company, and the certification attests that the company's security management program is comprehensive and follows recognized leading practices.
For BaxEnergy customers, our achievement of the ISO/IEC 27001:2017 certification means even more assurance about the overall quality of our products and the breadth and strength of our security practices.
How We Did It
Designing and building an ISMS, as required for the certification, is never easy. In our case, it required the full commitment of the entire Information Technology team. The team went thoroughly through the list of requirements and carried out the required risk assessment, adapted to the needs of the company and the services it provides.
The team also reviewed and, where necessary, adapted the security controls for the entire information system. The controls ranged from internal security policies to asset management, from access control to operations and communications security, and also covered cryptography, supplier relationships, information security incident management, business continuity management and more.
In particular, the feedback from the audit team was very positive regarding our data center, the efficiency of the internal fibre-based network and the tools in place to strengthen information security, such as detailed logging, intrusion detection and data leakage prevention systems.