July 2015 · 49 Reads
February 2015 · 10,591 Reads · 376 Citations
Reliability Engineering & System Safety
The migration towards digital control systems creates new security threats that can endanger the safety of industrial infrastructures. Addressing the convergence of safety and security concerns in this context, we provide a comprehensive survey of existing approaches to industrial facility design and risk assessment that consider both safety and security. We also provide a comparative analysis of the different approaches identified in the literature. The article can be downloaded for free from the following link until May 21, 2015: http://authors.elsevier.com/a/1Qn-43OQ~f8zFQ
September 2014 · 89 Reads · 61 Citations
Lecture Notes in Computer Science
The digitalization of industrial control systems (ICS) raises several security threats that can endanger the safety of the critical infrastructures supervised by such systems. This paper presents an analysis method that enables the identification and ranking of risks leading to a safety issue, regardless of the origin of those risks: accidental or due to malevolence. This method relies on a modeling formalism called BDMP (Boolean logic Driven Markov Processes) that was initially created for safety studies and then adapted to security. The use of the method is first illustrated on a simple case to show how it can support decisions in a situation where security requirements conflict with safety requirements. It is then applied to a realistic industrial system, a pipeline and its instrumentation and control system, in order to highlight possible interactions between safety and security.
June 2013 · 136 Reads · 12 Citations
IFAC Proceedings Volumes
This paper provides an overview of the work of the International Electrotechnical Committee (IEC) on the development of a series of standards dealing with the cyber security of nuclear power plant (NPP) instrumentation and control (I&C) systems. In particular, the status and content of the first, top level document of the series, IEC 62645, is described. A more recent draft, IEC 62859, dealing with the coordination between safety and cyber security aspects, is also presented. Future work and perspectives associated with this new series of standards are finally discussed.
March 2013 · 603 Reads · 371 Citations
Computer Science Review
This paper presents the current state of the art on attack and defense modeling approaches that are based on directed acyclic graphs (DAGs). DAGs allow for a hierarchical decomposition of complex scenarios into simple, easily understandable and quantifiable actions. Methods based on threat trees and Bayesian networks are two well-known approaches to security modeling. However, there exist more than 30 DAG-based methodologies, each having different features and goals. The objective of this survey is to present a complete overview of graphical attack and defense modeling techniques based on DAGs. This consists of summarizing the existing methodologies, comparing their features and proposing a taxonomy of the described formalisms. This article also supports the selection of an adequate modeling technique depending on user requirements.
February 2013 · 412 Reads · 168 Citations
Reliability Engineering & System Safety
The purpose of this paper is to give a comprehensive view of methods, models, tools and techniques that have been created in safety engineering and transposed to security engineering, or vice versa. Since the concepts of safety and security can vary somewhat according to the context, the first section of the paper deals with the scope and definitions that will be used in what follows. The similarities and differences between the two domains are analyzed. A careful screening of the literature (this paper contains 201 references) made it possible to identify cross-fertilizations in various fields such as architectural concepts (e.g. defense in depth, security or safety kernels), graphical formalisms (e.g. attack trees), structured risk analyses, and fault tolerance and prevention techniques.
October 2012 · 2,475 Reads · 85 Citations
Attack modeling has recently been adopted by security analysts as a useful tool in risk assessment of cyber-physical systems. We propose in this paper to model the Stuxnet attack with BDMP (Boolean logic Driven Markov Processes) formalism and to show the advantages of such modeling. After a description of the architecture targeted by Stuxnet, we explain the steps of the attack and model them formally with a BDMP. Based on estimated values of the success probabilities and rates of the elementary attack steps, we give a quantification of the main possible sequences leading to the physical destruction of the targeted industrial facility. This example completes a series of papers on BDMP applied to security by modeling a real case study. It highlights the advantages of BDMP compared to attack trees often used in security assessment.
October 2012 · 941 Reads · 25 Citations
June 2011 · 647 Reads · 17 Citations
This paper discusses the implementation and use of the BDMP (Boolean logic Driven Markov Processes) formalism, recently adapted to graphical attack modeling. Theoretically, it offers an attractive trade-off between readability, scalability, modeling power and quantification capabilities. In practice, efficient model construction and analysis require complementary tools and enhancements. These were developed only after the implementation and the first security studies had been carried out. In particular, attack sequence filtering based on attacker profiles and sensitivity analysis provide significant help. Perspectives include the addition of a security pattern library and the connection with other modeling frameworks.
... This is true when considering safety (i.e., the absence of risk connected with unintentional malfunctions) and security (i.e., the absence of risk linked with intentional attacks) [34]. To perform transparent, complete and accountable risk assessment, it is fundamental to explicitly account for the role objects play in Events and Actions in which they participate, and for how their status affects safety and security interplay: a door being locked causes the impossible escape event in case of fire but simultaneously stops the action of a burglar entering your house [22,26,35]. Formalisms widely employed in industry and academia to conduct risk assessment, such as fault trees [30] and attack trees [33], are not equipped to explicitly reason about objects. ...
September 2014
Lecture Notes in Computer Science
... For an information security management system most authors [11, 15-26] ...
June 2013
IFAC Proceedings Volumes
... Threats to systems or individuals are complex and varied (Bubnovskaia, Leonidova & Lysova, 2019; Leveson, 2020), differing in nature (e.g., malicious/accidental), origin (e.g., internal/external), and target (e.g., individual/system/environment) (Andéol-Aussage et al. 2013; Brantingham & Brantingham, 1991; Piètre-Cambacédès & Chaudet, 2010). Personnel training, OSH standards, and system redundancies are often used to address internally or system-originating threats to safety, like equipment malfunctions and human error (Kriaa et al., 2015). Crime prevention and physical security strategies, conversely, are used to address maliciously originating threats, such as intrusion, sabotage, or violence (Kriaa et al., 2015; Piètre-Cambacédès & Chaudet, 2010). ...
February 2015
Reliability Engineering & System Safety
... A well-known example of such an attack is Stuxnet (2010) [32], [33], a sophisticated malware that targeted the Natanz uranium enrichment facility in Iran. Stuxnet aimed to disrupt the centrifuges by manipulating the industrial control systems without detection. ...
October 2012
... Fig. 1 shows the attack graph on the Multi-cloud Enterprise Network that consists of directed links representing the exploits and nodes the states. These kinds of networks are directed acyclic graphs (DAGs), i.e. without cycles [9]. ...
March 2013
Computer Science Review
... Combined hybrid approaches to safety and security analysis are becoming increasingly important [5,6]. A well-structured joint analysis process can identify attack potentials, explore failure scenarios, and streamline system design. ...
February 2013
Reliability Engineering & System Safety
... Impacts of a terroristic attack in terms of security can be measured in economic losses and public effects, impacts in terms of safety through casualties. For a review of the different security and safety definitions see CAMBACÉDÈS & CHAUDET (2010). No. 81, 1st Q. 2011 automation of productive services have created a world-wide network in which all kinds of users operate. ...
March 2010
... Threats to systems or individuals are complex and varied (Bubnovskaia, Leonidova & Lysova, 2019; Leveson, 2020), differing in nature (e.g., malicious/accidental), origin (e.g., internal/external), and target (e.g., individual/system/environment) (Andéol-Aussage et al. 2013; Brantingham & Brantingham, 1991; Piètre-Cambacédès & Chaudet, 2010). Personnel training, OSH standards, and system redundancies are often used to address internally or system-originating threats to safety, like equipment malfunctions and human error (Kriaa et al., 2015). ...
June 2010
International Journal of Critical Infrastructure Protection
... In order to propose improved methodologies for joint S&S risk analysis throughout the system lifecycle, it is crucial to explore the relationships between these two domains. Numerous authors have discussed the similarities and differences between S&S, including [17, 42-44]. S&S share a common aim of addressing undesirable events within the system and engage in overlapping tasks, such as identifying, analysing, assessing, and mitigating risks. ...
October 2012
... One possible solution involves the definition of information security zones within the plant and using "data diodes" that often claim to provide 100% one-way data passage. As explained in [16], however, such devices are far from a "silver bullet" due to the inability of the receiver to provide feedback, such as acknowledgements, to the sender, and this could result in missing data. ...