When the bytes go out: will power outages affect my IT security model?

Author: Noel Davis, Subject specialist (Infrastructure programme)

Should any scheduled power outages occur over the winter, they will have the potential to interrupt normal business operations to varying degrees.  Current predictions are that these will be limited to evenings and not occur during core business hours.

Ensuring staff can work as expected will reduce the threat of them attempting to circumvent security policy and processes as they attempt to maintain their work priorities.

Previous blogs in this series have mentioned the options of providing continuous power through backup generators and if that’s not possible, the importance of ensuring the data backup process is as complete as it can be with the resources available; and that all actions required to return to normal business are detailed in the member disaster recovery (DR) plan.

The implementation of GDPR in May 2018 should have caused Jisc members to review their data collection, retention, access, and usage processes.

These processes should have been documented and disseminated to all data users. They would have been supported by technical controls appropriate to each action designed to ensure that compliance was maintained.

If power outages do restrict access to data required for staff to complete tasks, the greatest threat is undoubtedly the copying of datasets for personal/local use.

Clearly this elevates the risk of data loss if devices or removable storage are used and removed from site where loss or theft could occur. Secondly, these datasets will not dynamically update as staff conduct their normal work and make data transactions.

Work practices that were put in place after Covid-19 will offer opportunity for users to relocate their workplace if the main site power is out.

Most Jisc members will have provided remote access to core systems and data by requiring core data access via managed tools that use a dedicated encrypted link and configuration(s) that prevent local storage access and, if possible, ‘screen snipping’ through copy and paste techniques.

Those Jisc members who retain their core data onsite will be at greater risk of the above being attempted if services must be shut down for any period.

Those that make use of a cloud-based storage solution will be at less risk due to the increased power redundancy cloud providers put in place as part of their replication and resilience plans.

Mobile services usually have resilient power options: GSM and data are also more likely to remain in service and allow users to access data in accordance with established processes.

Of course, there will be exceptions argued and it may be that provision has to be made for key staff to have continuous access to the data they require to complete their tasks.

If temporary copies of data must be made for use, there are controls that can be applied. The Cyber Essentials scheme does require the encryption of device local storage; many Jisc members have extended this by adding configuration policies that prevent the usage of removable media or unencrypted removable media, however, this often doesn’t trap everything as curriculum endpoints often need USB ports enabled for students to conduct learning.

Encrypting removable storage does secure the data and current encryption algorithms are very good, but not impossible to break.  Forcing encryption and allowing their use won’t give insight into what or where that data is.

If it is lost and it is reported to you, then you may be required to report it to the Information Commissioner’s Office (ICO); this could have a reputation risk.

Where this exception must be accommodated, then it may be an opportunity to start on your progression to complying with the ISO 27001(2013) information security management standard.

This standard is considered best industry practice and contains a set of controls either detailed at Annex A or in the ISO27002(2013) document.

Control set A.10 covers cryptology and is quite short, but there are connections to other control sections that would need to also be addressed to achieve compliance and subsequent accreditation.  Nevertheless, visiting this and slowly progressing control compliance is recommended.

And finally, power outage could affect the physical security of your estate.

If an access control system is in use either wholly or partially across the estate, understanding how this is configured to act in the case of power loss is important; this applies to CCTV coverage as well (alarm systems will usually have backup power supplies).

Does the access control fail with doors unlocked?  If it does and this happens in the evening, does this leave people, residences, and expensive equipment suites accessible for intrusion or theft?

Author: Noel Davis, Subject specialist (Infrastructure programme)

Leave a Reply

Your email address will not be published. Required fields are marked *