Our activities in the field of IT security stem from deep technical considerations of vital importance to the security of computer-based systems, from social aspects and from security principles at system level. The combination of these three points of departure paves the way for results that are based on insight into the possibilities of technology and the capabilities of users and organisations, as well as on an understanding of the system and the needs of the customer.
IT security in interconnected systems
FOI studies new types of security solution for the exchange of information and services across organisational and national borders without compromising security. The purpose of this work is to manage the challenges that arise as systems become increasingly difficult to oversee and often consist of a number of information systems coupled together.
Assessment of information security
The increasingly central role played by information systems in public life and the widespread interconnection of systems place increasingly demanding requirements on the ability to manage the risks involved. Information security assessment increases our knowledge of the information security within organisations and systems by determining the levels of relevant security features. This is essential for the effective management of risks and security requirements. FOI develops structured methods for risk management and the assessment of information security where both social and technical factors are concerned.
Defence and IT systems
The complexity of information systems makes it difficult for users and system administrators to foresee the consequences of actions that they take. Potential attackers are becoming ever more driven and more dedicated, which means that the ability to deal dynamically with new and previously unknown threats is increasingly important. FOI is studying methodology and techniques for mapping the structure, information content and weaknesses of own and hostile IT systems, arranging IT defence exercises, running simulations and studying electronic warfare against computers, networks and digital control systems, as well as analysing collected data traffic with the aid of a range of techniques and tools.
Activities in this area are oriented strongly towards customers’ needs and are based on close contact with the Swedish Armed Forces, the Swedish Defence Materiel Administration (FMV), the Swedish Civil Contingencies Agency (MSB) and other customers. FOI’s research scientists often provide customers with expert support in IT security during the specification of requirements and the procurement of IT systems. Researchers in this area are available at short notice to carry out technical investigations of IT security incidents by way of support to society. They also carry out assessments of the different computer security solutions on the market.
During 2010 FOI was assigned the role of Centre of Excellence for the SCADA project being run by MSB, the Swedish Civil Contingencies Agency. The SCADA (Supervisory Control and Data Acquisition) project involves research into the security of industrial control and monitoring systems. FOI’s assignment includes the setting up and running of training and exercises for companies and authorities seeking to improve the security of their IT systems.
It is May 2010. In Stockholm, Linköping, Tallinn, Riga, Kaunas and Brussels some of Europe’s leading IT experts are sitting at their computers. Via virtual networks they are trying to protect the control systems of two steam engines located on a bench outside a computer room in Linköping and providing power for a miniature toy factory placed next to the steam engines on the bench. The control systems are subjected to constant sabotage attacks by leading Estonian experts acting as “IT saboteurs”.
The fact that the exercise, for which FOI acted as principal arranger and designer of the technical platform, was held in 2010 can be attributed largely to the increased interest in cyber warfare that there has been in recent years. FOI scientists have long been trying to draw attention to the vulnerability of today’s industrial control systems. These systems, operated in the past as closed systems, are now increasingly controlled via the Internet, for instance when a remote operator wishes to read off the system usage as a basis for invoice generation in a business system. This enables large savings to be made but increases the risk of outsiders being able to penetrate the system.