Figure 1
Source publication
Assurance techniques generate evidence that allows us to make claims of assurance about security. For the purpose of certification to an assurance scheme, this evidence enables us to answer the question: are the implemented security controls consistent with organisational risk posture? This paper uses interviews with security practitioners to assess...
Contexts in source publication
Context 1
... limitation of such a mapping is that it highlights only potential uses of assurance techniques, and the need for further review with respect to three factors. First, where these assurance techniques are used. For example, as shown in Figure 1, operational sensitivity increases at lower layers of ICSs, and this mapping does not consider the opportunities for assessing ICS components that bridge the IT network boundary. Second, how they are used. The enforcement of PASIV principles requires assumptions not explicit in the mapping. A conspicuous example of this is architecture review. Part of this process requires the mapping of current assets and communications channels. Active ...
Context 2
... infrastructure such as that of utility industries (e.g., oil and gas) is a frequently cited example of an ICS, although their usage is far more diverse and widespread. Service industries (e.g., logistics) and manufacturing industries (e.g., aerospace) make heavy use of ICS technologies. The technologies that support ICSs are largely similar in concept, and in many cases identical. The technological similarity can be further extended to small-scale installations, such as Building Automation Systems, although they are not addressed here. At a conceptual level, an ICS can be seen as a series of layers, split into two areas (Figure 1). Layers 0-3 constitute the "Operational Technology (OT) environment". Present in layers 0-2 are safety systems, the sensors and actuators that monitor and manipulate physical processes, and the devices enforcing the intended logic of such processes. Multiple instances of layers 0-2 may exist, which may be geographically clustered or dispersed (e.g., a utility network may have many thousand "field sites"). In both cases, they have been conceptually labelled "Cell Zones". Layer 3 manages OT-environment-wide functions. Layer 3 systems capture and archive cell zone process data, monitor these processes, and take managerial action as necessary. Layers 4-5 are known as the "IT Environment", where enterprise functions are traditionally found. Centralised IT services are found here (e.g., business-to-customer services). The OT and IT environments may be physically isolated from each other, in what is known as an "air gap", which can act as a security feature. However, these networks in contemporary ICSs are frequently interconnected, due to the potential to facilitate core business functions (e.g., to enable automation in a manufacturing system, through linking the consumer purchasing system to the production line).
The terms OT and ICS are frequently used synonymously; however, here ICS refers more holistically to all layers of the conceptual model to account for components and processes that span this boundary (often in both ...
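The layered model in Context 2 and the asset-and-channel mapping that Context 1 says an architecture review requires can be exercised with a small inventory check. The block below is an added example, not code from the paper or its authors: it assigns constructed assets to layers and cell zones, lists the channels that cross the OT/IT boundary and the ones that cross cell zones, names the assets that bridge the boundary, and orders the boundary-crossing channels by the lowest layer they reach, following the paper's observation that operational sensitivity increases at lower layers. Every asset name, layer assignment, zone name and protocol label in the inventory is constructed for illustration.

```python
"""Added example (not from the paper): classify channels in an ICS asset
inventory against the layer 0-5 model described in Context 2.
All assets, zones, channels and protocol labels below are constructed."""
from dataclasses import dataclass

# Layers as described in Context 2: 0-3 are the OT environment, 4-5 the IT environment.
OT_LAYERS = frozenset({0, 1, 2, 3})
IT_LAYERS = frozenset({4, 5})


@dataclass(frozen=True)
class Asset:
    name: str
    layer: int
    zone: str  # cell zone name for layers 0-2; "site" for layer 3; "enterprise" for 4-5


@dataclass(frozen=True)
class Channel:
    src: str
    dst: str
    protocol: str  # label only; carried into the report


def environment(layer: int) -> str:
    """Map a layer number to its environment ("OT" or "IT")."""
    if layer in OT_LAYERS:
        return "OT"
    if layer in IT_LAYERS:
        return "IT"
    raise ValueError(f"layer {layer} is outside the 0-5 model")


def classify_channels(assets, channels):
    """Bucket each channel by what it crosses.

    "boundary":   one endpoint in OT, the other in IT
    "cross_cell": both endpoints in layers 0-2 but in different cell zones
    "internal":   everything else
    """
    by_name = {a.name: a for a in assets}
    report = {"boundary": [], "cross_cell": [], "internal": []}
    for ch in channels:
        a, b = by_name[ch.src], by_name[ch.dst]
        if environment(a.layer) != environment(b.layer):
            report["boundary"].append(ch)
        elif a.layer <= 2 and b.layer <= 2 and a.zone != b.zone:
            report["cross_cell"].append(ch)
        else:
            report["internal"].append(ch)
    return report


def bridging_assets(assets, channels):
    """Sorted names of assets with at least one channel into the other environment."""
    by_name = {a.name: a for a in assets}
    bridging = set()
    for ch in channels:
        a, b = by_name[ch.src], by_name[ch.dst]
        if environment(a.layer) != environment(b.layer):
            bridging.update({a.name, b.name})
    return sorted(bridging)


def rank_by_sensitivity(assets, channels):
    """Boundary-crossing channels ordered by the lowest layer they touch.

    Lower layers are more operationally sensitive, so a channel reaching
    layer 1 from IT is reviewed before one that stops at layer 3.
    """
    by_name = {a.name: a for a in assets}
    boundary = classify_channels(assets, channels)["boundary"]
    return sorted(boundary, key=lambda ch: min(by_name[ch.src].layer, by_name[ch.dst].layer))


# Constructed inventory for one site with two cell zones (not from the paper).
ASSETS = [
    Asset("plc-a", 1, "cell-A"),
    Asset("hmi-a", 2, "cell-A"),
    Asset("plc-b", 1, "cell-B"),
    Asset("historian", 3, "site"),
    Asset("mes", 4, "enterprise"),
    Asset("erp", 5, "enterprise"),
]

CHANNELS = [
    Channel("hmi-a", "plc-a", "fieldbus"),
    Channel("hmi-a", "plc-b", "fieldbus"),       # crosses cell zones
    Channel("historian", "hmi-a", "process-data"),
    Channel("mes", "historian", "sql"),          # crosses the OT/IT boundary at layer 3
    Channel("mes", "plc-a", "direct-poll"),      # crosses the boundary down to layer 1
    Channel("erp", "mes", "https"),
]

if __name__ == "__main__":
    for bucket, items in classify_channels(ASSETS, CHANNELS).items():
        print(bucket, [(c.src, c.dst, c.protocol) for c in items])
    print("bridging assets:", bridging_assets(ASSETS, CHANNELS))
    print("review order:", [(c.src, c.dst) for c in rank_by_sensitivity(ASSETS, CHANNELS)])
```

Run as a script it prints the three buckets, the bridging assets (historian, mes and plc-a in the constructed inventory) and the review order, with the channel that polls a layer 1 controller from layer 4 listed before the one that stops at the historian. The same functions work on any inventory that records a layer and a zone per asset.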
Citations
... Conducting such engagements helps organisations understand both the psychological factors and the techniques employed during genuine cyber attacks. In doing so, underlying vulnerabilities can be detected and patched, and incident response teams can be trained by being kept updated about tools and techniques used by modern attackers [42]. ...
... Several works discuss and propose solutions for the general concerns raised from the presented surveys [11,27,42,57,81]. Conklin, for example, discusses the issues linked with utilising IT-specific methodologies within an industrial context, especially concerning the Confidentiality, Integrity and Availability (CIA) Triad [11]. ...
... While the analysis does not provide insight into the technical differences between IT and OT, the cultural differences observed show that substantial readjustment is required to ensure the smooth transition to the convergence of the two technologies. Finally, Knowles et al. discuss assurance techniques for ICS, including penetration testing [42]. In this study, simulated security assessments are identified as being able to generate demonstrable audit evidence to assess and improve risk posture. ...
Assurance techniques such as adversary-centric security testing are an essential part of the risk assessment process for improving risk mitigation and response capabilities against cyber attacks. While the use of these techniques, including vulnerability assessments, penetration tests, and red team engagements, is well established within Information Technology (IT) environments, there are challenges to conducting these within Operational Technology (OT) environments, often due to the critical nature of the OT system. In this paper, we provide an analysis of the technical differences between IT and OT from an asset management perspective. This analysis provides a base for identifying how these differences affect the phases of adversary-centric security tests within industrial environments. We then evaluate these findings by using adversary-centric security testing techniques on an industrial control system testbed. Results from this work demonstrate that while legacy OT is highly susceptible to disruption during adversary-centric security testing, modern OT that uses better hardware and more optimised software is significantly more resilient to tools and techniques used for security testing. Clear requirements can, therefore, be identified for ensuring appropriate adversary-centric security testing within OT environments by quantifying the risks that the tools and techniques used during such engagements present to the operational process.
... Individuals' performance assessment and verification are essential for different industries and organizations. A possible future direction is to develop an assurance technique that can assess the competencies of the individuals conducting the security assessment [58]. This technique will help an individual improve their security assurance skills. ...
Security assurance provides the confidence that security features, practices, procedures, and architecture of software systems mediate and enforce the security policy and are resilient against security failure and attacks. Alongside the significant benefits of security assurance, the evolution of new information and communication technology (ICT) introduces new challenges regarding information protection. Security assurance methods based on the traditional tools, techniques, and procedures may fail to account for new challenges due to poor requirement specifications, static nature, and poor development processes. The Common Criteria (CC), commonly used for the security evaluation and certification process, also comes with many limitations and challenges. In this paper, extensive efforts have been made to study the state of the art, limitations and future research directions for security assurance of ICT and cyber-physical systems (CPS) in a wide range of domains. We systematically review the requirements, processes, and activities involved in system security assurance, including security requirements, security metrics, system and environments, and assurance methods. We shed light on the challenges and gaps that have been identified by the existing literature related to system security assurance and corresponding solutions. Finally, we discuss the limitations of the present methods and future research directions.
... However, it is still unclear how these security testing techniques apply to the SPA system and what practices are used by third-party developers in this ecosystem. Assurance techniques are known to have different cost-effectiveness in practice [133], and the cost-effectiveness of the very same assurance technique has been shown to vary across different cyber-physical systems [12], such as Industrial Control Systems [66]. Therefore, a direction for future research is to study and evaluate how these assurance techniques will perform for the case of SPA and whether or not SPA's unique features, like voice recognition and its integration with other technologies like the cloud and other smart devices, require novel techniques or methodologies. ...
... Additionally, the authors in [154] show that physical properties can be used to compromise the SPA by using high-frequency signals to attack the non-linearity of SPA device microphones, as detailed above in Section 4.1. A set of key research questions to answer revolves around which assurance techniques can be used to improve security in SPA systems (see Appendix A in [66]). In particular: 1) Can a review of standards and procedures be used to mitigate security risks in SPA systems? ...
Smart Home Personal Assistants (SPA) are an emerging innovation that is changing the means by which home users interact with technology. However, several elements expose these systems to various risks: (i) the open nature of the voice channel they use, (ii) the complexity of their architecture, (iii) the AI features they rely on, and (iv) their use of a wide range of underlying technologies. This article presents an in-depth review of SPA’s security and privacy issues, categorizing the most important attack vectors and their countermeasures. Based on this, we discuss open research challenges that can help steer the community to tackle and address current security and privacy issues in SPA. One of our key findings is that even though the attack surface of SPA is conspicuously broad and there has been a significant amount of recent research efforts in this area, research has so far focused on a small part of the attack surface, particularly on issues related to the interaction between the user and the SPA devices. To the best of our knowledge, this is the first article to conduct such a comprehensive review and characterization of the security and privacy issues and countermeasures of SPA.
... For example, any type of cyber-attack on power supply, mobile units (rolling-stock system), communication systems, and communication network could cause power outages, compromise safety, affect operations and maintenance, and damage infrastructure. [64][65][66] Steele et al. 67 noted the need to protect smart grids and railways from cyber threats. ...
... Drljača and Latinović, 66 Laita and Belaissaoui, 67 and Alencar et al. 68 ...
... This vulnerability also depends upon the maturity of the integration of IT with OT; e.g., ERTMS (European Rail Traffic Management System) level 3, which is fully digital, is more vulnerable to cyber threats. The operational goals of IT security are confidentiality, integrity, and availability (CIA) and the operational goals of OT security are safety, reliability, and availability (SRA) [67]. OT security generally deals with industrial control systems (ICS) like SCADA systems. ...
Digitalisation has brought many positive changes towards operation and maintenance of railway system. Emerging digital technologies facilitate the implementation of enhanced eMaintenance solutions through the utilisation of distributed computing and artificial intelligence. Digital technology is expected to improve the railway system’s sustainability, availability, reliability, maintainability, capacity, safety, and security including cybersecurity. In the digitalised railway, however, cybersecurity is essential to achieve overall system dependability. Lack of cybersecurity has negative consequences, including reputational damage, heavy costs, service unavailability and risk to the safety of employees and passengers.
Open access data indicates that many railway organisations focus on detecting security threats with less emphasis on forecasting them. To prepare in advance for cyberattacks, it is essential that Information and Communication Technology (ICT) and Operational Technology (OT) are continually updated to enable security analytics approach. This approach will help railways to establish proactive security measures to quickly predict and prevent cyberattacks. The current standards and guidelines related to cybersecurity in railways (e.g. AS 7770- Rail Cyber Security, APTA SS-CCS-004-16, BS EN 50159:2010+A1:2020) are proprietary (i.e. either organisation-specific or country-specific) and are followed by most railway organisations. These proprietary standards and guidelines lack in providing a holistic approach to enable interoperability, scalability, orchestration, adaptability, and agility for railway stakeholders. Therefore, there is a need to develop a generic cybersecurity framework for digitalised railways to facilitate proactive cybersecurity and threat intelligence sharing within the railways.
The proposed Cybersecurity Information Delivery Framework integrates existing models, technologies, and standards to minimise the risks of cyberattacks in the railway. The framework uses different layers of Open System Architecture for Condition-Based Maintenance (OSA-CBM) in the context of cybersecurity to deliver threat intelligence. The framework implements an extended Cyber Kill Chain (CKC) and an Industrial Control System (ICS) Kill Chain to detect cyberattacks. The framework also incorporates the proposed Railway Defender Kill Chain (RDKC) to enable proactive cybersecurity. The proposed framework enhances cybersecurity maturity level and delivers threat intelligence to enable proactive cybersecurity to improve information assurance in the railway.
http://ltu.diva-portal.org/smash/get/diva2:1423651/FULLTEXT01.pdf
Most organizations focus on intrusion prevention technologies, with less emphasis on prediction and detection. This research looks at prediction and detection in the railway industry. It uses an extended cyber kill chain (CKC) model and an industrial control system (ICS) cyber kill chain for detection and proposes predictive technologies that will help railway organizations predict and recover from cyber-attacks. The extended CKC model consists of both internal and external cyber kill chains; breaking the chain at an early stage will help the defender stop the adversary's malicious actions. This research incorporates an OSA (open system architecture) for railways with the railway cybersecurity OSA-CBM (open system architecture for condition-based maintenance) architecture. The railway cybersecurity OSA-CBM architecture consists of eight layers; cybersecurity information moves from the initial level of data acquisition to data processing, data analysis, incident detection, incident assessment, incident prognostics, decision support, and visualization. The main objective of the research is to predict, prevent, detect, and respond to cyber-attacks early in the CKC by using defensive controls called the Railway Defender Kill Chain (RDKC). The contributions of the research are as follows. First, it adapts and modifies the railway cybersecurity OSA-CBM architecture for railways. Second, it adapts the cyber kill chain model for the railway. Third, it introduces the Railway Defender Kill Chain. Fourth, it presents examples of cyber-attack scenarios in the railway system.
... OTI can be used to increase awareness on both technical and non-technical risks. The technical risks may be identified by conducting several security assessments [12]. These may unveil potential vulnerabilities and also provide information on how they can be exploited. ...
Human and organizational issues are able to create both vulnerabilities and resilience to threats. In this chapter, we investigate human and organizational factors, conducted through ethnographic studies of operators and sets of interviews with staff responsible for security, reliability and quality in two different organizations, which own and operate utility networks. Ethnography is a qualitative orientation to research that emphasizes the detailed observation and interview of people in naturally occurring settings. Our findings indicate that 'human error' forms the biggest threat to cyber-security and that there is a need for Security Operational Centres to document all cyber-security accidents. Also, we conclude that it will always be insufficient to assess mental security models in terms of their technical correctness, as it is sometimes more important to know how well they represent prevailing social issues and requirements. As a practical recommendation from this work, we
... The most common ICS network protocols were originally designed to work in closed and secured networks: they have few, if any, security mechanisms, and have been shown to be easy to exploit, to the point that an accessible open port can provide full unauthenticated control of the ICS device [11,17]. On the defensive side, efforts have concentrated on offering standardized security guidelines for ICS and SCADA systems [8,18], suggesting network segmentation and firewalls. Despite this, many ICS devices have recently been exposed on the Internet with little to no protection. ...
Industrial Control Systems (ICS) are nowadays interconnected with various networks and, ultimately, with the Internet. Due to this exposure, malicious actors are interested in compromising ICS, not only for advanced and targeted attacks, but also in the context of more frequent network scanning and mass exploitation of directly Internet-exposed devices. To understand the level of interest towards Internet-connected ICS, we deploy a scalable network of low-interaction ICS honeypots based on the popular conpot framework, integrated with an analysis pipeline, and we analyze the in-the-wild traffic directed at a set of ICS-specific protocols. We present the results of running our honeypots for several months, showing that, although most of the traffic originates from known, legitimate network scanners and follows patterns similar to those of well-known ICS network mapping scripts, we found several requests from unknown actors that do not follow this pattern and may hint at malicious traffic.
... Previous research looked at how the assurance techniques and testing methodologies most commonly used in regular IT systems [106], such as penetration testing, static and dynamic analysis, fuzzing, formal verification, etc., apply to cyber-physical systems. Assurance techniques are known to have different cost-effectiveness in practice [107], and the cost-effectiveness of the very same assurance technique has been shown to vary across different cyber-physical systems [108], such as Industrial Control Systems [109]. Therefore, a direction for future research is to study and evaluate how these assurance techniques will perform for the case of SPA and whether or not SPA's unique features, like voice recognition and its integration with other technologies like the cloud and other smart devices, require novel techniques or methodologies. ...
Smart Home Personal Assistants (SPA) are an emerging innovation that is changing the way in which home users interact with the technology. However, there are a number of elements that expose these systems to various risks: i) the open nature of the voice channel they use, ii) the complexity of their architecture, iii) the AI features they rely on, and iv) their use of a wide-range of underlying technologies. This paper presents an in-depth review of the security and privacy issues in SPA, categorizing the most important attack vectors and their countermeasures. Based on this, we discuss open research challenges that can help steer the community to tackle and address current security and privacy issues in SPA. One of our key findings is that even though the attack surface of SPA is conspicuously broad and there has been a significant amount of recent research efforts in this area, research has so far focused on a small part of the attack surface, particularly on issues related to the interaction between the user and the SPA devices. We also point out that further research is needed to tackle issues related to authorization, speech recognition or profiling, to name a few. To the best of our knowledge, this is the first article to conduct such a comprehensive review and characterization of the security and privacy issues and countermeasures of SPA.
... The ISA/IEC 62443 series of standards [23] is considered the future de facto reference standard for security in IAS [24]. One of the integral concepts of this series is the segmentation of the IAS network into different security zones. ...
Featured Application
The paper presents a concept to actively and automatically respond to security intrusions in Industrial Automation Systems. It is comprised of reactive actions, and security and operational policies that consider both security and architectural trends of this kind of systems. This concept is of significance to system stakeholders that wish to increase the security of their system by implementing automatic and active protection.
Abstract
System intrusions violate the security of a system. In order to maintain it, it is necessary to decrease the chances of intrusions occurring, or to detect them as soon as they ensue in order to respond to them in a timely manner. These responses are divided into two types: passive or reactive responses. Passive responses are limited to notification and alerting only, whereas reactive responses influence the intrusion by undoing or diminishing its consequences. Unfortunately, some reactive responses may influence the underlying system where the intrusion has occurred. This is especially a concern in the field of Industrial Automation Systems, as these systems are critical and have a well-defined set of operational requirements that must be maintained. Hence, automatic reactive responses are often not considered or are limited to human intervention. This paper addresses this issue by introducing a concept for reactive protection that integrates the automatic execution of active responses that do not influence the operation of the underlying Industrial Automation System. This concept takes into consideration architectural and security trends, as well as security and operational policies of Industrial Automation Systems. It also proposes a set of reactive actions that can be taken in the presence of intrusions in order to counteract them or diminish their effects. The feasibility and applicability of the presented concept for Industrial Automation Systems is supported by the implementation and evaluation of a prototypical Reactive Protection System.
... Information security governance is an increasingly critical component of organizational management, and an overall system security structure that covers the attributes of a CPS environment is required [2] [3]. Currently, organizations are collectively measuring and evaluating the capability of information security management; however, objectively evaluating a target system is difficult because security-level evaluation systems are not based on the individual characteristics of an organization or the organization's information security activities [4]. In addition, most standards-based information security management systems (ISMSs) have a silo effect because they do not give sufficient consideration to connectivity between security controls [5]. ...
As the area covered by CPS grows wider, agencies such as public institutions and critical infrastructure are collectively measuring and evaluating information security capabilities. Currently, these methods of measuring information security are a concrete method of recommendation in related standards. However, the security controls used in these methods are lacking in connectivity, causing a silo effect. In order to solve this problem, there have been attempts to study the information security management system in terms of maturity. However, to the best of our knowledge, no research has considered the specific definitions of each level that measures organizational security maturity or specific methods and criteria for constructing such levels. This study developed an information security maturity model that can measure and manage the information security capability of critical infrastructure based on information provided by an expert critical infrastructure information protection group. The proposed model is simulated using the thermal power sector in the critical infrastructure of the Republic of Korea to confirm the possibility of its application in the field and derive core security processes and goals that constitute infrastructure security maturity. The findings will be useful for future research or practical application of infrastructure ISMSs.