Laitteistot suojataan luvattomien laitteiden (näppäilynauhoittimet, langattomat lähettimet ml. mobiililaitteet ja vastaavat) liittämistä vastaan.
The organization has maintained a basic configuration requirement for IT systems and industrial control systems that takes into account security principles, such as the concept of least functionality.
The organization must ensure the integrity of its hardware components. This can be done:
The organization must use equipment identification as a means of establishing a connection.
Where appropriate, the organization should use location-aware technologies to validate the integrity of authentication based on known device locations.
The organization shall list all relevant protected assets to determine ownership and to ensure that security measures cover all necessary items.
A large portion of the protected assets (including data sets, data systems, personnel / units, and partners) are treated through other tasks. In addition, the organization must list other important assets, which may be, depending on the nature of its operations, e.g. hardware (servers, network equipment, workstations, printers) or infrastructure (real estate, power generation, air conditioning). In addition the organization should make sure that relevant external devices are documented.
For example, data processing equipment, as well as other important equipment, should be placed in the premises safely and with consideration. Placement should restrict unauthorized access to devices.
Equipment should be serviced at intervals recommended by the supplier and in accordance with the supplier's specifications.
The operation of basic services (such as electricity, telecommunications, water supply, sewerage, heating, ventilation and air conditioning) will be monitored to ensure that their capacity covers business growth.
Organisation must setup and maintain redundant equipment to their ICT environment which can adequately ensure business needs. The equipment should be setup to have the needed resources, capabilities and functions to run the needed operations.
The organization should define policies, processes or technical measures to handle the loss, misuse, damaging and theft of organizational assets. These could include the following:
The organization establishes and enforces strict controls over the use of maintenance tools and portable storage devices in the organization's OT/ICS environments. These include:
Surge protectors prevent current level rises and falls from damaging the equipment. Uninterruptible power supplies (UPS), on the other hand, guarantee a limited amount of battery power, which allows you to work even during short power outages. Critical equipment is held in connection to a UPS.
Alarm systems monitor the level of key environmental conditions (e.g. temperature and humidity) that can adversely affect the operation of data processing equipment. There should also be a functioning fire alarm system in the environment.
Power and communication cables that either move data themselves or support data transmission services are protected from damage, eavesdropping and interference.
The safety of cabling should take into account e.g. the following points:
All buildings and all incoming power lines and external communication lines are equipped with lightning protection.
Electronic devices such as cables, monitors, copiers, tablets and smartphones leak electromagnetic radiation, from which it is possible to find out the original transmitted data with the right hardware and, for example, steal the entered username and password.
Openings in the premises' structures (windows, doors, air conditioning) are protected to prevent radiation from escaping. In addition, equipment handling confidential data is located so as to minimize the risk of leakage due to electromagnetic leakage.
Maintenance performed on the equipment is recorded in a log, which contains information e.g.: