This study presents a systematic approach to secure industrial control systems based on establishing a business case followed by the development of a security programme. To support these two fundamental activities the authors propose a new method for security cost estimation and a security assessment scheme. In this study they explain the cost evaluation technique and illustrate with a case study concerning the assessment of the cost of information security assurance activities in a division of a Polish manufacturer of passenger and commercial tyres. They further present the steps of their security assessment scheme and demonstrate how they integrate with the overall approach for protecting industrial control systems.

References

1. 1)
  - 20. ‘Airmic: Together Leading in Risk’, http://www.airmic.com/, accessed April 2014.
2. 2)
  - 1. ENISA: ‘Protecting industrial control systems – recommendations for Europe and Member States’. ENISA, 2011.
3. 3)
  - 24. ANSI/ISA, ANSI/ISA-99.02.01-2009 Security for Industrial Automation and Control Systems: ‘Establishing an industrial automation and control systems security program’ (ISA, 2011).
4. 4)
  - 10. Sonnenreich, W., Albanese, J., Stout, B.: ‘Return on security investment (ROSI): a practical quantitative model’, J. Res. Pract. Inf. Technol., 2006, 38, pp. 55–66.
5. 5)
  - 37. Fovino, I.N., Masera, M.: ‘InSAW – industrial security assessment workbench’. IEEE 1st Int. Conf. Infrastructure Systems and Services: Building Networks for a Brighter Future, 2008, pp. 1–5.
6. 6)
  - 4. Rezmierski, V., Deering, S., Fazio, A., Ziobro, S.: ‘Incident cost analysis and modeling project’. Committee on Institutional Cooperation, 1998.
7. 7)
  - 30. Drury, C.: ‘Management and cost accounting’ (Thomson Learning, 2004, 6th edn.).
8. 8)
  - 41. Duggan, D.P.: ‘Penetration testing of industrial control systems’ (Sanaia National Laboratories, Albuquerque, 2005).
9. 9)
  - 15. Stouffer, K.: ‘NIST SP 800-82 guide to industrial control systems (ICS) security. Revision 1’. NIST, 2013.
10. 10)
  - 29. Symantec, ‘Small business risk calculator’, http://eval.symantec.com/flashdemos/campaigns/small_business/roi/, accessed April 2014.
11. 11)
  - 14. Stouffer, K., Falco, J., Scarfone, K.: ‘NIST SP 800-82: guide to industrial control systems (ICS) security’. NIST, 2011.
12. 12)
  - 9. US Department of Commerce: ‘Federal information processing standards publication 191: guideline for the analysis of local area network security’. 1994.
13. 13)
  - 33. Ramachandran, J.: ‘Designing security architecture solutions’ (Wiley, 2002).
14. 14)
  - 19. NIST SP 800-30 Rev. 1: ‘Guide for conducting risk assessments’ (Gaithersburg, USA, 2012).
15. 15)
  - 26. ‘Data Breach Risk Calculator’, https://databreachcalculator.com/, accessed April 2014.
16. 16)
  - 12. CMS: ‘Cost calculators and ROI’, http://www.cmsconnect.com/Marketing/CalMain.htm, accessed April 2014.
17. 17)
  - 28. ‘TCO calculator: websense hosted email security calculator’, http://www.websense.com/content/TCOCalculator.aspx, accessed April 2014.
18. 18)
  - 42. Xu, Y., Dong, Z.Y., Xu, Z., Meng, K., Wong, K.P.: ‘An intelligent dynamic security assessment framework for power systems with wind power’, IEEE Trans. Ind. Inf., 2012, 8, (4), pp. 995–1003 (doi: 10.1109/TII.2012.2206396).
19. 19)
  - R. Leszczyna , I.N. Fovino , M. Masera . Simulating Malware with MAlSim. J. Comput. Virol. , 1 , 65 - 75.
20. 20)
  - 5. Rezmierski, V., Carroll, A., Hine, J.: ‘Incident cost analysis and modeling project 11’. Committee on Institutional Cooperation, 2000.
21. 21)
  - 31. National Institute of Standards and Technology (NIST): ‘MIST SP 800-12: an introduction to computer security: the NIST handbook’ (US Government Printing Office, 1995).
22. 22)
  - 16. Leszczyna, R., Fovino, I.N., Masera, M.: ‘Approach to security assessment of critical infrastructures’ information systems’, IET Inf. Secur., 2011, 5, (3), pp. 135 (doi: 10.1049/iet-ifs.2010.0261).
23. 23)
  - 39. Hussain, A., Schwab, S., Thomas, R., Fahmy, S., Mirkovic, J.: ‘DDoS experiment methodology’. Proc. DETER Community Workshop on Cyber Security Experimentation, 2006.
24. 24)
  - 46. Lopez, J., Alcaraz, C., Roman, R.: ‘Smart control of operational threats in control substations’, Comput. Secur., 2013, 38, pp. 14–27 (doi: 10.1016/j.cose.2013.03.013).
25. 25)
  - 8. Mercuri, R.T.: ‘Analyzing security costs’, Commun. ACM, 2003, 46, (6), pp. 15–18 (doi: 10.1145/777313.777327).
26. 26)
  - A. Creery , E. Byres . Industrial Cyber-security for power system and SCADA networks. IEEE Ind. Appl. , 4 , 49 - 55
27. 27)
  - 35. Tipton, H.F., Nozaki, M.K.: ‘Information security management handbook’ (Auerbach Publications, Boston, MA, 2010, 6th edn.), vol. 4.
28. 28)
  - 21. ‘Risk Management’, http://www.enisa.europa.eu/activities/risk-management, accessed April 2014.
29. 29)
  - 23. National Institute of Standards and Technology (NIST): ‘NIST SP 800-53 Rev. 3 recommended security controls for Federal Information Systems and Organizations’ (US Government Printing Office, 2009).
30. 30)
  - 2. Falliere, N., Murchu, L.O., Chien, E.: ‘W32.Stuxnet Dossier’. Symantec Security Response, 2011.
31. 31)
  - 36. Purser, S.: ‘A practical guide to managing information security (artech house technology management library’ (Artech House, Inc., Norwood, MA, 2004).
32. 32)
  - 45. Amin, S., Cárdenas, A.A., Sastry, S.S.: ‘Safe and secure networked control systems under denial-of-service attacks’, in Majumdar, R., Tabuada, P. (Eds): Hybrid Systems: Computation and Control (Springer, Berlin, Heidelberg, 2009), vol. 5469, pp. 31–45.
33. 33)
  - 27. Tech//404 data loss cost calculator’, www.tech-404.com/calculator.html, accessed June 2009.
34. 34)
  - 44. Cheminod, M., Durante, L., Valenzano, A.: ‘Review of security issues in industrial networks’, IEEE Trans. Ind. Inf., 2013, 9, (1), pp. 277–293 (doi: 10.1109/TII.2012.2198666).
35. 35)
  - 13. Postini, ‘Return on investment calculator’, http://www.postini.com/services/roi_calculator.html, accessed April 2010.
36. 36)
  - 11. Li, J., Su, X.: ‘Making cost effective security decision with real option thinking’. Int. Conf. Software Engineering Advances, 2007, ICSEA 2007, 2007, p. 14.
37. 37)
  - 34. Peltier, T.R.: ‘Information security policies and procedures: a practitioner's reference’ (Auerbach Publications, Boston, MA, 2004, 2nd edn.).
38. 38)
  - 18. ISO/IEC 27005:2011: ‘Information technology – Security techniques – Information security risk management’, 2011.
39. 39)
  - 6. Caulkins, J.P., Hough, E., Mead, N.R., Osman, H.: ‘Optimizing investments in security countermeasures: a practical tool for fixed budgets’, IEEE Secur. Priv., 2007, 5, (5), pp. 57–60 (doi: 10.1109/MSP.2007.117).
40. 40)
  - 40. Herzog, P.: ‘OSSTMM 3 – the open source security testing methodology manual’. ISECOM, 2010.
41. 41)
  - 25. Xie, N., Mead, N.R.: ‘SQUARE project: cost/benefit analysis framework for information security improvement projects in small companies’. Carnegie Mellon University, 2004.
42. 42)
  - 17. Fovino, I.N., Masera, M., Leszczyna, R.: ‘ICT security assessment of a power plant, a case study’. Proc. Second Annual (IFIP) Working Group 11, Tenth Int. Conf., 2008.
43. 43)
  - 22. ‘Process control and SCADA security - good practice guidelines’, http:// www.cpni.gov.uk/advice/cyber/scada/, accessed April 2014.
44. 44)
  - 3. Byres, E., Lowe, J.: ‘The myths and facts behind cyber security risks for industrial control system’. Proceedings of the VDE Congress, VDE Association for Electrical Electronic & Information Technologies, October 2004.
45. 45)
  - 7. Mead, N.R., Stehney, T.: ‘Security quality requirements engineering (SQUARE) methodology’, SIGSOFT Softw. Eng. Notes, 2005, 30, (4), pp. 1–7 (doi: 10.1145/1082983.1083214).
46. 46)
  - 32. Lusignan, R., Steudler, O., Allison, J.: ‘Managing cisco network security: building rock-solid networks’ (Syngress, 2000).

Approaching secure industrial control systems

References

Related content