A survey of cyber security management in industrial control systems

International Journal of Critical Infrastructure Protection

Volumn 9, Issue , 2015, Pages 52-80

  Knowles, William ^a   Prince, Daniel ^a   Hutchison, David ^a   Disso, Jules Ferdinand Pagna ^b   Jones, Kevin ^b  

^a LANCASTER UNIVERSITY   (United Kingdom)

^b AIRBUS GROUP INNOVATIONS   (Germany)

Author keywords

Industrial control systems; Risk assessment; Risk management; Risk metrics; SCADA systems; Security metrics

Indexed keywords

RISK ASSESSMENT; RISK MANAGEMENT; SCADA SYSTEMS; SECURITY OF DATA; SURVEYS;

BUSINESS PROCESS; CORPORATE NETWORKS; CYBER SECURITY; CYBER THREATS; INDUSTRIAL CONTROL SYSTEMS; PAPER SURVEYS; RISK METRICS; SECURITY METRICS;

INDUSTRIAL RESEARCH;

EID: 84929278091     PISSN: 18745482     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.ijcip.2015.02.002     Document Type: Article

References (232)

1. M. Afzaal, C. Di Sarno, L. Coppolino, S. D[U+05F3]Antonio and L. Romano., A resilient architecture for forensic storage of events in critical infrastructures, Proceedings of the Fourteenth IEEE International Symposium on High-Assurance Systems Engineering, pp. 48-55, 2012.
2. C. Alcaraz, G. Fernandez and F. Carvajal., Security aspects of SCADA and DCS environments, in Critical Infrastructure Protection, J. Lopez, R. Setola and S. Wolthusen (Eds.), Springer-Verlag, Berlin Heidelberg, Germany, pp. 120-149, 2012.
3. C. Alcaraz and J. Lopez., Analysis of requirements for critical control systems, International Journal of Critical Infrastructure Protection, vol. 5(3-4), pp. 137-145, 2012.
4. American Chemistry Council., Guidance for Addressing Cyber Security in the Chemical Industry, Version 3.0, Washington, DC, 2006.
5. American Gas Association., Cryptographic Protection of SCADA Communications, Part 1: Background, Policies and Test Plan, AGA Report No. 12, Washington, DC, 2006.
6. American Petroleum Institute., Security Vulnerability Assessment Methodology for the Petroleum and Petrochemical Industries, Washington, DC, 2003.
7. American Petroleum Institute., Security Guidelines for the Petroleum Industry, Washington, DC, 2005.
8. American Petroleum Institute., Pipeline SCADA Security, Second Edition, API Standard 1164, Washington, DC, 2009.
9. S. Amin, G. Schwartz and A. Hussain., In quest of benchmarking security risks to cyber-physical systems, IEEE Network, vol. 27(1), pp. 19-24, 2013.
10. Z. Anwar and R. Campbell., Automated assessment of compliance with security best practices, in Critical Infrastructure Protection II, M. Papa and S. Shenoi (Eds.), Springer, Boston, Massachusetts, pp. 173-187, 2008.
11. Association of German Engineers (VDI)., IT-Security for Industrial Automation - Example of use of the general model for manufacturers in factory automation - Process control system of an LDPE plant, VDI/VDE 2182, Blatt 3.1, Dusseldorf, Germany, 2013.
12. Z. Aung and K. Watanabe., A framework for modeling interdependencies in Japan[U+05F3]s critical infrastructures, in Critical Infrastructure Protection III, C. Palmer and S. Shenoi (Eds.), Springer, Heidelberg, Germany, pp. 243-257, 2009.
13. N. Bartol, B. Bates, K. Goertzel and T. Winograd., Measuring Cyber Security and Information Assurance: A State-of-the-Art Report, Information Assurance Technology Analysis Center, Herndon, Virginia, 2009.
14. M. Beccuti, S. Chiaradonna, F. Di Giandomenico, S. Donatelli, G. Dondossola and G. Franceschinis., Quantification of dependencies between electrical and information infrastructures, International Journal of Critical Infrastructure Protection, vol. 5(1), pp. 14-27, 2012.
15. M. Berg and J. Stamp., A Reference Model for Control and Automation Systems in Electrical Power, SAND2005-1000C, Sandia National Laboratories, Albuquerque, New Mexico, 2005.
16. E. Bompard, T. Huang, Y. Wu and M. Cremenescu., Classification and trend analysis of threat origins to the security of power systems, International Journal of Electrical Power and Energy Systems, vol. 50, pp. 50-64, 2013.
17. E. Bompard, R. Napoli and F. Xue., Assessment of information impacts in power system security against malicious attacks in a general framework, Reliability Engineering and System Safety, vol. 94(6), pp. 1087-1094, 2009.
18. C. Bowen, T. Buennemeyer and R. Thomas., A plan for SCADA security to deter DDoS attacks, Proceedings of the Department of Homeland Security: R&D Partnering Conference, 2005.
19. P. Bowen, J. Hash and M. Wilson., Information Security Handbook: A Guide for Managers, NIST Special Publication 800-100, National Institute of Standards and Technology, Gaithersburg, Maryland, 2006.
20. W. Boyer and M. McQueen., Ideal based cyber security technical metrics for control systems, in Critical Information Infrastructures Security, J. Lopez and B. Hämmerli (Eds.), Springer-Verlag, Berlin, Heidelberg, Germany, pp. 246-260, 2008.
21. T. Brandstetter, K. Knorr and U. Rosenbaum., A manufacturer-specific security assessment methodology for critical infrastructure components, in Critical Infrastructure Protection IV, T. Moore and S. Shenoi (Eds.), Springer, Heidelberg, Germany, pp. 229-244, 2010.
22. British Standards Institution., Information Technology - Security Techniques - Information Security Management - Measurement, BS ISO/IEC 27004:2009, London, United Kingdom, 2009.
23. W. Burr, D. Dodson, E. Newton, R. Perlner, W. Polk, S. Gupta and E. Nabbus., Electronic Authentication Guideline, NIST Special Publication 800-63-2, National Institute of Standards and Technology, Gaithersburg, Maryland, 2013.
24. E. Byres, M. Franz and D. Miller., The use of attack trees in assessing vulnerabilities in SCADA systems, Proceedings of the International Infrastructure Survivability Workshop, 2004.
25. R. Caralli, J. Allen and D. White., CERT Resilience Management Model (CERT-RMM): A Maturity Model for Managing Operational Resilience, Pearson Education, Boston, Massachusetts, 2011.
26. A. Carcano, A. Coletta, M. Guglielmi, M. Masera, I. Nai Fovino and A. Trombetta., A multidimensional critical state analysis for detecting intrusions in SCADA systems, IEEE Transactions on Industrial Informatics, vol. 7(2), pp. 179-186, 2011.
27. A. Cardenas, S. Amin, Z. Lin, Y. Huang, C. Huang and S. Sastry., Attacks against process control systems: Risk assessment, detection and response, Proceedings of the Sixth ACM Symposium on Information, Computer and Communications Security, pp. 355-366, 2011.
28. Carnegie Mellon University., Systems Security Engineering Capability Maturity Model (SSE-CMM), Model Description Document, Version 2.0, Pittsburgh, Pennsylvania, 1999.
29. Center for Internet Security., CIS Security Benchmarks, East Greenbush, New York, 2014.
30. Centre for the Protection of National Infrastructure., Good Practice Guide, Process Control and SCADA Security, Guide 2: Implement Secure Architecture, London, United Kingdom, 2008.
31. Centre for the Protection of National Infrastructure., Good Practice Guide, Process Control and SCADA Security, Guide 4: Improve Awareness and Skills, London, United Kingdom, 2008.
32. Centre for the Protection of National Infrastructure., Good Practice Guide, Process Control and SCADA Security, Guide 7: Establish Ongoing Governance, London, United Kingdom, 2008.
33. Centre for the Protection of National Infrastructure., Resilience in Converged Networks: Good Practice Guidance, London, United Kingdom, 2009.
34. Centre for the Protection of National Infrastructure., Cyber Security in Civil Aviation, London, United Kingdom, 2012.
35. M. Cheminod, I. Bertolotti, L. Durante, P. Maggi, D. Pozza, R. Sisto and A. Valenzano., Detecting chains of vulnerabilities in industrial networks, IEEE Transactions on Industrial Informatics, vol. 5(2), pp. 181-193, 2009.
36. S. Cheung, B. Dutertre, M. Fong, U. Lindqvist, K. Skinner and A. Valdes., Using model-based intrusion detection for SCADA networks, Proceedings of the SCADA Security Scientific Symposium, 2007.
37. E. Chew, M. Swanson, K. Stine, N. Bartol, A. Brown and W. Robinson., Performance Measurement Guide for Information Security, NIST Special Publication 800-55, National Institute of Standards and Technology, Gaithersburg, Maryland, 2008.
38. P. Chopade and M. Bikdash., Structural and functional vulnerability analysis for survivability of smart grid and SCADA network under severe emergencies and WMD attacks, Proceedings of the IEEE International Conference on Technologies for Homeland Security, pp. 99-105, 2013.
39. P. Cichonski, T. Millar, T. Grance and K. Scarfone., Computer Security Incident Handling Guide, NIST Special Publication 800-61, Revision 2, National Institute of Standards and Technology, Gaithersburg, Maryland, 2012.
40. D. Clark and D. Wilson., A comparison of commercial and military computer security policies, Proceedings of the IEEE Symposium on Security and Privacy, p. 184-194, 1987.
41. G. Coates, K. Hopkinson, S. Graham and S. Kurkowski., A trust system architecture for SCADA network security, IEEE Transactions on Power Delivery, vol. 25(1), pp. 158-169, 2010.
42. Community Research and Development Information Service., Critical Information Infrastructure Research Coordination (CI2RCO), European Commission, Luxembourg, 2007.
43. Community Research and Development Information Service., Critical Utility Infrastructural Resilience (CRUTIAL), European Commission, Luxembourg, 2008.
44. Community Research and Development Information Service., Design of an Interoperable European Federated Simulation Network for Critical Infrastructures (DIESIS), European Commission, Luxembourg, 2010.
45. Community Research and Development Information Service., European Network for the Security of Control and Real-Time Systems (ESCoRTS), European Commission, Luxembourg, 2010.
46. Community Research and Development Information Service., European Risk Assessment and Contingency Planning Methodologies for Interconnected Energy Networks (EURACOM), European Commission, Luxembourg, 2011.
47. Community Research and Development Information Service., Increasing Security and Protection through Infrastructure Resilience (INSPIRE), European Commission, Luxembourg, 2011.
48. Community Research and Development Information Service., Semantically Enhanced Resilient and Secure Critical Infrastructure Services (SERSCIS), European Commission, Luxembourg, 2011.
49. Community Research and Development Information Service., Tool for Systemic Risk Analysis and Secure Mediation of Data Exchanged across Linked Critical Information Infrastructures (MICIE), European Commission, Luxembourg, 2011.
50. Community Research and Development Information Service., Vital Infrastructure, Networks, Information and Control Systems Management (VIKING), European Commission, Luxembourg, 2011.
51. Community Research and Development Information Service., Wireless Sensor Networks for the Protection of Critical Infrastructures (WSAN4CIP), European Commission, Luxembourg, 2011.
52. Community Research and Development Information Service., Emergency Management in Large Infrastructures (EMILI), European Commission, Luxembourg, 2012.
53. Community Research and Development Information Service., Strategic Risk Assessment and Contingency Planning in Interconnected Transport Networks (STAR-TRANS), European Commission, Luxembourg, 2012.
54. Community Research and Development Information Service., A Framework for Electrical Power Systems Vulnerability Identification, Defense and Restoration (AFTER), European Commission, Luxembourg, 2014.
55. Community Research and Development Information Service., Critical Infrastructure Security Analysis (CRISALIS), European Commission, Luxembourg, 2014.
56. Community Research and Development Information Service., Cybersecurity on SCADA: Risk Prediction, Analysis and Reaction Tools for Critical Infrastructures (COCKPITCI), European Commission, Luxembourg, 2014.
57. Community Research and Development Information Service., Prevention, Protection and Reaction to Cyber Attacks on Critical Infrastructures (PRECYSE), European Commission, Luxembourg, 2014.
58. Community Research and Development Information Service., Protection of Critical Infrastructures against High Power Microwave Threats (HIPOW), European Commission, Luxembourg, 2014.
59. Community Research and Development Information Service., Strategies for the Improvement of Critical Infrastructure Resilience to Electromagnetic Attacks (STRUCTURES), European Commission, Luxembourg, 2014.
60. C. Davis, J. Tate, H. Okhravi, C. Grier, T. Overbye and D. Nicol., SCADA cyber security testbed development, Proceedings of the Thirty-Eighth North American Power Symposium, pp. 483-488, 2006.
61. S. De Porcellinis, G. Oliva, S. Panzieri and R. Setola., A holistic-reductionistic approach for modeling interdependencies, in Critical Infrastructure Protection III, C. Palmer and S. Shenoi (Eds.), Springer, Heidelberg, Germany, pp. 215-227, 2009.
62. P. Didier, F. Macias, J. Harstad, R. Antholine, S. Johnston, S. Piyevsky, M. Schillace, G. Wilcox, D. Zaniewski and S. Zuponcic., Converged Plantwide Ethernet (CPwE) Design and Implementation Guide, ENET-TD001E-EN-P, Cisco Systems, San Jose, California and Rockwell Automation, Milwaukee, Wisconsin, 2011.
63. Digital Bond, Field Device Protection Profile for SCADA Systems in Medium Robustness Environments., Version 0.75, Sunrise, Florida, 2006.
64. J. Disso, K. Jones and S. Bailey, A plausible solution to SCADA security honeypot systems, Proceedings of the Eighth International Conference on Broadband and Wireless Computing, Communication and Applications, pp. 443-448, 2013.
65. I. dos Anjos, A. Brito and P. Motta Pires., A model for security management of SCADA systems, Proceedings of the Thirteenth IEEE International Conference on Emerging Technologies and Factory Automation, pp. 448-451, 2008.
66. D. Dzung, M. Naedele, T. von Hoff and M. Crevatin., Security for industrial communication systems, Proceedings of the IEEE, vol. 93(6), pp. 1152-1177, 2005.
67. S. East, J. Butts, M. Papa and S. Shenoi., A taxonomy of attacks on the DNP3 protocol, in Critical Infrastructure Protection III, C. Palmer and S. Shenoi (Eds.), Springer, Heidelberg, Germany, pp. 67-81, 2009.
68. Electric Power Research Institute., Security Measures and Metrics Valuation Methodology, Palo Alto, California, 2006.
69. Electric Power Research Institute., Transmission System SQRA Assessment Methods, Palo Alto, California, 2009.
70. Electric Power Research Institute., Cyber Security and Privacy - Program 183, Palo Alto, California, 2013.
71. Engineering and Physical Sciences Research Council., Providing Autonomous Capabilities for Evolving SCADA (PACES), Swindon, United Kingdom, 2014.
72. G. Ericsson., Management of information security for an electric power utility - On security domains and use of the ISO/IEC17799 standard, IEEE Transactions on Power Delivery, vol. 20(2), pp. 683-690, 2005.
73. G. Ericsson., Information security for electric power utilities - CIGRÉ developments on frameworks, risk assessment and technology, IEEE Transactions on Power Delivery, vol. 24(3), pp. 1174-1181, 2009.
74. G. Ericsson., Cyber security and power system communication - Essential parts of a smart grid infrastructure, IEEE Transactions on Power Delivery, vol. 25(3), pp. 1501-1507, 2010.
75. European Commission., Proposal for a directive of the European Parliament and of the Council concerning measures to ensure a high common level of network and information security across the Union, COM(2013) 48 final, Brussels, Belgium, 2013.
76. European Network and Information Security Agency., Protecting Industrial Control Systems - Recommendations for Europe and Member States, Heraklion, Crete, Greece, 2011.
77. European Network and Information Security Agency., Protecting Industrial Control Systems, Annex V: Key Findings, Heraklion, Crete, Greece, 2011.
78. M. Fabron, E. Cornelius., Recommended Practice: Creating Cyber Forensics Plans for Control Systems, U.S. Department of Homeland Security, Washington, DC, 2008.
79. M. Fabro, V. Maio, Using Operational Security (OPSEC) to Support a Cyber Security Culture in Control Systems Environments, Version 1.0, Idaho National Laboratory, Idaho Falls, Idaho, 2007.
80. E. Fernandez and M. Larrondo-Petrie., Designing secure SCADA systems using security patterns, Proceedings of the Forty-Third Hawaii International Conference on System Sciences, 2010.
81. T. Fleury, H. Khurana, V. Welch., Towards a taxonomy of attacks against energy control systems, in Critical Infrastructure Protection II, M. Papa and S. Shenoi (Eds.), Springer, Boston, Massachusetts, pp. 71-85, 2008.
82. G. Francia, D. Thornton and T. Brookshire., Wireless vulnerability of SCADA systems, Proceedings of the Fiftieth Annual Southeast Regional Conference, pp. 331-332, 2012.
83. R. Friend Cassidy, A. Chavez, J. Trent and J. Urrea., Remote forensic analysis of process control systems, in Critical Infrastructure Protection, E. Goetz and S. Shenoi (Eds.), Springer, Boston, Massachusetts, pp. 223-235, 2007.
84. B. Genge, C. Siaterlis, I. Nai Fovino and M. Masera., A cyber-physical experimentation environment for the security analysis of networked industrial control systems, Computers and Electrical Engineering, vol. 38(5), pp. 1146-1161, 2012.
85. C. Glantz and L. O[U+05F3]Neil., 21 Steps Security Metrics Tool, Technical Report, Institute for Information Infrastructure Protection (I3P), Dartmouth College, Hanover, New Hampshire, 2002.
86. N. Goldenberg and A. Wool., Accurate modeling of Modbus/TCP for intrusion detection in SCADA systems, International Journal of Critical Infrastructure Protection, vol. 6(2), pp. 63-75, 2013.
87. D. Hadiosmanovic, D. Bolzoni and P. Hartel., A log mining approach for process monitoring in SCADA, International Journal of Information Security, vol. 11(4), pp. 231-251, 2012.
88. A. Hahn, B. Kregel, M. Govindarasu, J. Fitzpatrick, R. Adnan, S. Sridhar and M. Higdon., Development of the PowerCyber SCADA security testbed, Proceedings of the Sixth Annual Workshop on Cyber Security and Information Intelligence Research, article no. 21, 2010.
89. M. Henry, R. Layer and D. Zaret., Coupled Petri nets for computer network risk analysis, International Journal of Critical Infrastructure Protection, vol. 3(2), pp. 67-75, 2010.
90. J. Hieb, J. Graham and J. Guan., An ontology for identifying cyber intrusion induced faults in process control systems, in Critical Infrastructure Protection III, C. Palmer and S. Shenoi (Eds.), Springer, Heidelberg, Germany, pp. 125-138, 2009.
91. L. Ibrahim, E. Harwell, B. Howard, K. Johnson, J. Meeker, M. Virga and C. Wells., The Federal Aviation Administration Integrated Capability Maturity Model (FAA-iCMM) Appraisal Method, Version 2.0, U.S. Federal Aviation Administration, Washington, DC, 2001.
92. L. Ibrahim, J. Jarzombek, M. Ashford, R. Bate, P. Croll, M. Horn, L. LaBruyere, C. Wells., and members of the Safety and Security Extensions Project Team, Safety and Security Extensions for Integrated Capability Maturity Models, U.S. Federal Aviation Administration, Washington, DC, 2004.
93. V. Igure, S. Laughter and R. Williams., Security issues in SCADA networks, Computers and Security, vol. 25(7), pp. 498-506, 2006.
94. Institute of Electrical and Electronics Engineers., IEEE Guide for Electric Power Substation Physical and Electronic Security, IEEE 1402-2000, Piscataway, New Jersey, 2000.
95. Institute of Electrical and Electronics Engineers., IEEE Standard for Substation Intelligent Electronic Devices (IEDs) Cyber Security Capabilities, IEEE 1686-2007, Piscataway, New Jersey, 2007.
96. Institute of Electrical and Electronics Engineers., IEEE Trial Use Standard for Retrofit Cyber Security of Serial SCADA Links and IED Remote Access, IEEE P1689, Piscataway, New Jersey, 2007.
97. Institute of Electrical and Electronics Engineers., IEEE Trial-Use Standard for a Cryptographic Protocol for Cyber Security of Substation Serial Links, IEEE 1711-2010, Piscataway, New Jersey, 2010.
98. International Electrotechnical Commission., Power Systems Management and Associated Information Exchange - Data and Communications Security, IEC/TS 62351-1 ed1.0, Geneva, Switzerland, 2007.
99. International Electrotechnical Commission., Industrial Communication Networks - Network and System Security - Part 1-1: Terminology, Concepts and Models, IEC/TS 62443-1-1 ed1.0, Geneva, Switzerland, 2009.
100. International Electrotechnical Commission., Industrial Communication Networks - Profiles - Part 3-1: Functional Safety Fieldbuses - Additional Specifications for CPF 1, IEC 61784-3-1 ed2.0, Geneva, Switzerland, 2010.
101. International Organization for Standardization., Information Technology - Security Techniques - Code of Practice for Information Security Management, ISO/IEC 27002:2005, Geneva, Switzerland, 2005.
102. International Organization for Standardization., Information Technology - Security Techniques - Evaluation Criteria for IT Security - Part 1: Introduction and General Model, ISO/IEC 15408-1:2009, Geneva, Switzerland, 2009.
103. International Society of Automation., Security for Industrial Automation and Control Systems, Part 2-1: Industrial Automation and Control System Security Management System, ISA-62443-2-1 (99.02.01), Research Triangle Park, North Carolina, 2012.
104. International Society of Automation., Security for Industrial Automation and Control Systems, Part 3-2: Security Risk Assessment and System Design, ISA-62443-3-2, Research Triangle Park, North Carolina, 2013.
105. W. Jansen., Directions in Security Metrics Research, NISTIR 7564, National Institute of Standards and Technology, Gaithersburg, Maryland, 2009.
106. A. Jaquith., Security Metrics: Replacing Fear, Uncertainty and Doubt, Pearson Education, Upper Saddle River, New Jersey, 2007.
107. W. Jayawickrama., Managing critical information infrastructure security compliance: A standard based approach using ISO/IEC 17799 and 27001, in On the Move to Meaningful Internet Systems 2006: OTM 2006 Workshops, R. Meersman, Z. Tari and P. Herrero (Eds.), Springer-Verlag, Berlin Heidelberg, Germany, pp. 565-574, 2006.
108. J. Jiang and L. Yasakethu., Anomaly detection via one class SVM for protection of SCADA systems, Proceedings of the International Conference on Cyber-Enabled Distributed Computing and Knowledge Discovery, pp. 82-88, 2013.
109. R. Kissel, K. Stine, M. Scholl, H. Rossman, J. Fahlsing and J. Gulick., Security Considerations in the System Development Life Cycle, NIST Special Publication 800-64, Revision 2, National Institute of Standards and Technology, Gaithersburg, Maryland, 2008.
110. W. Knowles, D. Prince and D. Hutchison., Perceptual influences on risk assessments and the challenges for information security and network management, Proceedings of the Thirteenth Annual Post Graduate Symposium on the Convergence of Telecommunications, Networking and Broadcasting, 2012.
111. W. Knowles, D. Prince, D. Hutchinson, J. Disso and K. Jones., Towards real-time assessment of industrial control systems: A framework for future research, Proceedings of the First International Symposium on ICS and SCADA Cyber Security Research, pp. 106-109, 2013.
112. R. Langer., Robust Control System Networks: How to Achieve Reliable Control after Stuxnet, Momentum Press, New York, 2012.
113. R. Larkin, J. Lopez, J. Butts and M. Grimaila., Evaluation of security solutions in the SCADA environment, ACM SIGMIS Database, vol. 45(1), pp. 38-53, 2014.
114. C. Lee, J. Song, D. Lee, H. Jung and G. Lee., A cyber-security implementation framework for nuclear power plant control systems, in Convergence and Hybrid Information Technology, G. Lee, D. Howard and D. Slezak (Eds.), Springer-Verlag, Berlin Heidelberg, Germany, pp. 190-195, 2011.
115. E. LeMay, M. Ford, K. Keefe, W. Sanders and C. Muehrcke., Model-based security metrics using adversary view security evaluation (ADVISE), Proceedings of the Eighth International Conference on Quantitative Evaluation of Systems, pp. 191-200, 2011.
116. G. Li, W. Ju and D. Shi., Functional vulnerability assessment of SCADA networks, Proceedings of the Asia-Pacific Power and Energy Engineering Conference, 2012.
117. H. Lin, A. Slagell, C. Di Martino, Z. Kalbarczyk and R. Iyer., Adapting Bro into SCADA: Building a specification-based intrusion detection system for the DNP3 protocol, Proceedings of the Eighth Annual Workshop on Cyber Security and Information Intelligence Research, article no. 5, 2013.
118. N. Liu, J. Zhang and X. Wu., Asset analysis of risk assessment for IEC 61850 based power control systems - Part I: Methodology, IEEE Transactions on Power Delivery, vol. 26(2), pp. 869-875, 2011.
119. N. Liu, J. Zhang, H. Zhang and W. Liu., Security assessment for communication networks of power control systems using attack graph and MCDM, IEEE Transactions on Power Delivery, vol. 25(3), pp. 1492-1500, 2010.
120. E. Luiijf, M. Ali and A. Zielstra., Assessing and improving SCADA security in the Dutch drinking water sector, International Journal of Critical Infrastructure Protection, vol. 4(3-4), pp. 124-134, 2011.
121. T. Macaulay and B. Singer., Cybersecurity for Industrial Control Systems: SCADA, DCS, PLC, HMI and SIS, CRC Press, Boca Raton, Florida, 2012.
122. A. Mahmood, C. Leckie, J. Hu, Z. Tari and M. Atiquzzaman., Network traffic analysis and SCADA security, in Handbook of Information and Communication Security, P. Stavroulakis and M. Stamp (Eds.), Springer, Berlin, Heidelberg, Germany, pp. 383-405, 2010.
123. M. Mallouhi, Y. Al-Nashif, D. Cox, T. Chadaga and S. Hariri., A testbed for analyzing security of SCADA control systems, Proceedings of the IEEE Power and Energy Society Conference on Innovative Smart Grid Technologies, 2011.
124. M. Masera, I. Nai Fovino and R. Leszczyna., Security assessment of a turbo-gas power plant, in Critical Infrastructure Protection II, M. Papa and S. Shenoi (Eds.), Springer, Boston, Massachusetts, pp. 31-40, 2008.
125. A. McIntyre., PCS Security Technology Evaluation Tool (P-STET), Institute for Information Infrastructure Protection (I3P), Dartmouth College, Hanover, New Hampshire, 2003.
126. A. McIntyre., I3P Task 3 Security Metrics Tools Final Report, Institute for Information Infrastructure Protection (I3P), Dartmouth College, Hanover, New Hampshire, 2007.
127. A. McIntyre, B. Becker and R. Halbgewachs., Security Metrics for Process Control Systems, SAND2007-2070P, Sandia National Laboratories, Albuquerque, New Mexico, 2007.
128. B. Miller and D. Rowe., A survey of SCADA and critical infrastructure incidents, Proceedings of the First Annual Conference on Research in Information Technology, pp. 51-56, 2012.
129. Z. Mohajerani, F. Farzan, M. Jafary, Y. Lu, D. Wei, N. Kalenchits, B. Boyer, M. Muller and P. Skare., Cyber-related risk assessment and critical asset identification within the power grid, Proceedings of the IEEE Power and Energy Society Transmission and Distribution Conference and Exposition, 2010.
130. D. Moore., Application of the API/NPRA SVA methodology to transportation security issues, Journal of Hazardous Materials, vol. 130(1-2), pp. 107-121, 2006.
131. T. Morris, A. Srivastava, B. Reaves, W. Gao, K. Pavurapu and R. Reddi., A control system testbed to validate critical infrastructure protection concepts, International Journal of Critical Infrastructure Protection, vol. 4(2), pp. 88-103, 2011.
132. T. Morris, R. Vaughn and Y. Dandass., A retrofit network intrusion detection system for Modbus RTU and ASCII industrial control systems, Proceedings of the Forty-Fifth Hawaii International Conference on System Sciences, pp. 2338-2345, 2012.
133. I. Nai Fovino, A. Carcano and M. Masera., A secure and survivable architecture for SCADA systems, Proceedings of the Second International Conference on Dependability, pp. 34-39, 2009.
134. I. Nai Fovino, A. Carcano, M. Masera and A. Trombetta., An experimental investigation of malware attacks on SCADA systems, International Journal of Critical Infrastructure Protection, vol. 2(4), pp. 139-145, 2009.
135. I. Nai Fovino, A. Coletta, A. Carcano and M. Masera., Critical state based filtering system for securing SCADA network protocols, IEEE Transactions on Industrial Electronics, vol. 59(10), pp. 3943-3950, 2012.
136. I. Nai Fovino, L. Guidi, M. Masera and A. Stefanini., Cyber security assessment of a power plant, Electric Power Systems Research, vol. 81(2), pp. 518-526, 2011.
137. I. Nai Fovino, M. Masera, L. Guidi and G. Carpi., An experimental platform for assessing SCADA vulnerabilities and countermeasures in power plants, Proceedings of the Third Conference on Human System Interactions, pp. 679-686, 2010.
138. B. Nartmann, T. Brandstetter and K. Knorr., Cyber security for energy automation systems - New challenges for vendors, Proceedings of the Twentieth International Conference on Electricity Distribution, 2009.
139. National Infrastructure Security Coordination Centre., Firewall Deployment for SCADA and Process Control Networks, Good Practice Guide, London, United Kingdom, 2005.
140. National Institute of Standards and Technology., Standards for Security Categorization of Federal Information and Information Systems, FIPS PUB 199, Gaithersburg, Maryland, 2004.
141. National Institute of Standards and Technology., System Protection Profile - Industrial Control Systems Version 1.0, NISTIR 7176, Gaithersburg, Maryland, 2004.
142. National Institute of Standards and Technology., Minimum Security Requirements for Federal Information and Information Systems, FIPS PUB 200, Gaithersburg, Maryland, 2006.
143. National Institute of Standards and Technology., Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, NIST Special Publication 800-37, Revision 1, Gaithersburg, Maryland, 2010.
144. National Institute of Standards and Technology., Managing Information Security Risk: Organization, Mission and Information System View, NIST Special Publication 800-39, Gaithersburg, Maryland, 2011.
145. National Institute of Standards and Technology., Guide for Conducting Risk Assessments, NIST Special Publication 800-30, Revision 1, Gaithersburg, Maryland, 2012.
146. National Institute of Standards and Technology., Personal Identity Verification (PIV) of Federal Employees and Contractors, FIPS PUB 201-2, Gaithersburg, Maryland, 2013.
147. National Institute of Standards and Technology., Security and Privacy Controls for Federal Information Systems and Organizations, NIST Special Publication 800-53, Revision 4, Gaithersburg, Maryland, 2013.
148. National Institute of Standards and Technology., Comments Received in Response to: Request for Comments on the Preliminary Cybersecurity Framework, Gaithersburg, Maryland, 2014.
149. National Institute of Standards and Technology., Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, Gaithersburg, Maryland, 2014.
150. National Institute of Standards and Technology., Industrial Control System Security (ICS), Gaithersburg, Maryland, 2014.
151. National Security Agency, NSA develops INFOSEC assessment training and rating program., Fort Meade, Maryland, March 14, 2002.
152. M. Negrete-Pincetic, F. Yoshida and G. Gross., Towards quantifying the impacts of cyber attacks in the competitive electricity market environment, Proceedings of the IEEE PowerTech Conference, 2009.
153. A. Nicholson, S. Webber, S. Dyer, T. Patel and H. Janicke., SCADA security in the light of cyber-warfare, Computers and Security, vol. 31(4), pp. 418-436, 2012.
154. North American Electric Reliability Corporation., Critical Infrastructure Protection (CIP) 001-011, Washington, DC, 2013.
155. North American Electric Reliability Corporation., Cyber Risk Preparedness Assessment: Table-Top Exercise 2012 Report, Washington, DC, 2013
156. Norwegian Oil and Gas Association., Guideline 104: Information Security Baseline Requirements for Process Control, Safety and Support ICT Systems, Stavanger, Norway, 2009.
157. Norwegian Oil and Gas Association., Guideline 110: Implementation of Information Security in Process Control, Safety and Support ICT Systems during the Engineering, Procurement and Commissioning Phases, Stavanger, Norway, 2009.
158. Norwegian Oil and Gas Association., Guideline 123: Classification of Process Control, Safety and Support ICT Systems based on Criticality, Stavanger, Norway, 2009.
159. B. Obama., Executive Order 13636: Improving Critical Infrastructure Cybersecurity, The White House, Washington, DC, February 12, 2013.
160. H. Okhravi and D. Nicol., Application of trusted network technology to industrial control networks, International Journal of Critical Infrastructure Protection, vol. 2(3), pp. 84-94, 2009.
161. Organization for Security and Cooperation in Europe., Good Practices Guide on Non-Nuclear Critical Energy Infrastructure Protection from Terrorist Attacks Focusing on Threats Emanating from Cyberspace, Vienna, Austria, 2013.
162. S. Papa, W. Casper and S. Nair., Availability based risk analysis for SCADA embedded computer systems, Proceedings of the International Conference on Security and Management, 2011.
163. R. Parks and E. Rogers., Vulnerability assessment for critical infrastructure control systems, IEEE Security and Privacy, vol. 6(6), pp. 37-43, 2008.
164. M. Paulk, B. Curtis, M. Chrissis and C. Weber., Capability Maturity Model for Software, Version 1.1, CMU/SEI-93-TR-024, Software Engineering Institute, Carnegie Mellon University, Pittsburgh, Pennsylvania, 1993.
165. C. Queiroz, A. Mahmood, J. Hu, Z. Tari and X. Yu., Building a SCADA security testbed, Proceedings of the Third International Conference on Network and System Security, pp. 357-364, 2009.
166. C. Queiroz, A. Mahmood and Z. Tari., SCADASim - A framework for building SCADA simulations, IEEE Transactions on Smart Grid, vol. 2(4), pp. 589-597, 2011.
167. C. Queiroz, A. Mahmood and Z. Tari., A probabilistic model to predict the survivability of SCADA systems, IEEE Transactions on Industrial Informatics, vol. 9(4), pp. 1975-1985, 2013.
168. S. Quinn, M. Souppaya, M. Cook and K. Scarfone., National Checklist Program for IT Products - Guidelines for Checklist Users and Developers, NIST Special Publication 800-70, Revision 2, National Institute of Standards and Technology, Gaithersburg, Maryland, 2011.
169. P. Ralston, J. Graham and J. Hieb., Cyber security risk assessment for SCADA and DCS networks, ISA Transactions, vol. 46(4), pp. 583-594, 2007.
170. B. Reaves and T. Morris., An open virtual testbed for industrial control system security research, International Journal of Information Security, vol. 11(4), pp. 215-229, 2012.
171. S. Rinaldi, J. Peerenboom and T. Kelly, Identifying., understanding and analyzing critical infrastructure interdependencies, IEEE Control Systems, vol. 21(6), pp. 11-25, 2001.
172. O. Rysavy, J. Rab and M. Sveda., Improving security in SCADA systems through firewall policy analysis, Proceedings of the Federated Conference on Computer Science and Information Systems, pp. 1435-1440, 2013.
173. J. Santos, Y. Haimes and C. Lian., A framework for linking cybersecurity metrics to the modeling of macroeconomic interdependencies, Risk Analysis, vol. 27(5), pp. 1283-1297, 2007.
174. K. Scarfone and P. Hoffman., Guidelines on Firewalls and Firewall Policy, NIST Special Publication 800-41, Revision 1, National Institute of Standards and Technology, Gaithersburg, Maryland, 2009.
175. F. Schuster and A. Paul., A distributed intrusion detection system for industrial automation networks, Proceedings of the Seventeenth IEEE International Conference on Emerging Technologies and Factory Automation, 2012.
176. R. Shyamasundar., Security and protection of SCADA: A bigdata algorithmic approach, Proceedings of the Sixth International Conference on Security of Information and Networks, pp. 20-27, 2013.
177. M. Siponen and R. Willison., Information security management standards: Problems and solutions, Information and Management, vol. 46(5), pp. 267-270, 2009.
178. J. Slay and E. Sitnikova., The development of a generic framework for the forensic analysis of SCADA and process control systems, in Forensics in Telecommunications, Information and Multimedia, M. Sorell (Ed.), Springer, Berlin Heidelberg, Germany, pp. 77-82, 2009.
179. Software Engineering Institute., Capability Maturity Model Integration (CMMI), Version 1.3, CMU/SEI-2010-TR-033, Carnegie Mellon University, Pittsburgh, Pennsylvania, 2010.
180. T. Sommestad, G. Ericsson and J. Nordlander., SCADA system cyber security - A comparison of standards, Proceedings of the IEEE Power and Energy Society General Meeting, 2010.
181. A. Srivastava and J. Gupta., New methodologies for security risk assessment of oil and gas industry, Process Safety and Environmental Protection, vol. 88(6), pp. 407-412, 2010.
182. J. Sterbenz, D. Hutchison, E. Cetinkaya, A. Jabbar, J. Rohrer, M. Scholler and P. Smith., Resilience and survivability in communication networks: Strategies, principles and survey of disciplines, Computer Networks, vol. 54(8), pp. 1245-1265, 2010.
183. K. Stine, R. Kissel, W. Barker, J. Fahlsing and J. Gullick., Volume I: Guide for Mapping Types of Information and Information Systems to Security Categories, NIST Special Publication 800-60, Revision 1, National Institute of Standards and Technology, Gaithersburg, Maryland, 2008.
184. M. Stoddard, R. Carlson, Y. Haimes, D. Bodeau, C. Lian, J. Santos, C. Glantz and J. Shaw., Process Control System Security Metrics - State of Practice, Institute for Information Infrastructure Protection (I3P), Dartmouth College, Hanover, New Hampshire, 2005.
185. K. Stouffer, J. Falco and K. Scarfone., Guide to Industrial Control Systems (ICS) Security, NIST Special Publication 800-82, National Institute of Standards and Technology, Gaithersburg, Maryland, 2011.
186. M. Swanson, J. Hash and P. Bowen., Guide for Developing Security Plans for Federal Information Systems, NIST Special Publication 800-18, Revision 1, National Institute of Standards and Technology, Gaithersburg, Maryland, 2006.
187. Swedish Emergency Management Agency., Guide to Increased Security in Process Control Systems for Critical Societal Functions, Stockholm, Sweden, 2008.
188. Technical Support Working Group., Securing Your SCADA and Industrial Control Systems, Department of Defense, Washington, DC, 2005.
189. C. Ten, C. Liu and M. Govindarasu., Vulnerability assessment of cybersecurity for SCADA systems using attack trees, Proceedings of the IEEE Power and Energy Society General Meeting, 2007.
190. C. Ten, C. Liu and G. Manimaran., Vulnerability assessment of cybersecurity for SCADA systems, IEEE Transactions on Power Systems, vol. 23(4), pp. 1836-1846, 2008.
191. M. Theoharidou, P. Kotzanikolaou and D. Gritzalis., A multi-layer criticality assessment methodology based on interdependencies, Computers and Security, vol. 29(6), pp. 643-658, 2010.
192. Tripwire., Update NERC Survey Data, Portland, Oregon, 2014.
193. Trusted Computing Group., IF-MAP Metadata for ICS Security, Specification Version 1.0, Revision 39, Beaverton, Oregon, 2012.
194. U.S. Department of Defense., Information Assurance (IA), Department of Defense Directive 8500.1, Washington, DC, 2002.
195. U.S. Department of Defense., Information Assurance (IA) Implementation, Department of Defense Directive 8500.2, Washington, DC, 2003.
196. U.S. Department of Defense., Risk Management Framework (RMF) for DoD Information Technology (IT), Department of Defense Instruction 8510.01, Washington, DC, 2014.
197. U.S. Department of Energy., 21 Steps to Improve Cyber Security for SCADA Systems, Washington, DC, 2002.
198. U.S. Department of Energy., Energy Infrastructure Risk Management Checklists for Small and Medium Sized Energy Facilities, Washington, DC, 2002.
199. U.S. Department of Energy., Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2), Version 1.0, Washington, DC, 2012.
200. U.S. Department of Energy., Electricity Subsector Cybersecurity Risk Management Process, DOE/OE-0003, Washington, DC, 2012.
201. U.S. Department of Energy., Oil and Natural Gas Subsector Cyber Security Capability Maturity Model (ONG-C2M2), Version 1.1, Washington, DC, 2014.
202. U.S. Department of Homeland Security., Chemical Facility Anti-Terrorism Standards Interim Final Rule, DHS-2006-0073, Washington, DC, 2006.
203. U.S. Department of Homeland Security., CSAT Security Vulnerability Assessment: Questions, Version 1.0, Washington, DC, 2008.
204. U.S. Department of Homeland Security., Recommended Practice for Patch Management of Control Systems, Washington, DC, 2008.
205. U.S. Department of Homeland Security., CSAT Site Security Plan: Instructions, Version 1.0, Washington, DC, 2009.
206. U.S. Department of Homeland Security., CSAT Top-Screen: Questions, Version 2.8, Washington, DC, 2009.
207. U.S. Department of Homeland Security., Cyber Security Procurement Language for Control Systems, Washington, DC, 2009.
208. U.S. Department of Homeland Security., Primer Control Systems Cyber Security Framework and Technical Metrics, Washington, DC, 2009.
209. U.S. Department of Homeland Security., Recommended Practice: Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies, Washington, DC, 2009.
210. U.S. Department of Homeland Security., Risk-Based Performance Standards Guidance, Chemical Facility Anti-Terrorism Standards, Washington, DC, 2009.
211. U.S. Department of Homeland Security., CSAT Top-Screen Survey Application: User Guide, Version 1.99, Washington, DC, 2010.
212. U.S. Department of Homeland Security., Catalog of Control Systems Security: Recommendations for Standards Developers, Washington, DC, 2011.
213. U.S. Department of Homeland Security., CSAT Security Vulnerability Assessment Application: Instructions, Version 2.1, Washington, DC, 2011.
214. U.S. Department of Homeland Security., Cyber Security Evaluation Tool: Performing a Self Assessment, Washington, DC, 2012.
215. U.S. Department of Homeland Security., ICS-CERT Year in Review 2012, Washington, DC, 2012.
216. U.S. Department of Homeland Security. and Centre for the Protection of National Infrastructure, Configuring and Managing Remote Access for Industrial Control Systems, Washington, DC and London, United Kingdom, 2010.
217. U.S. Department of Homeland Security. and Centre for the Protection of National Infrastructure, Cyber Security Assessments of Industrial Control Systems, Washington, DC and London, United Kingdom, 2010.
218. U.S. Environmental Protection Agency., VSAT - Risk Assessment Tool for Water Sector Utilities, Washington, DC, 2010.
219. U.S. Nuclear Regulatory Commission., Cyber Security Programs for Nuclear Facilities, Regulatory Guide 5.71, Washington, DC, 2010.
220. U.S. Transportation Security Administration., Pipeline Security Guidelines, Washington, DC, 2011.
221. P. Verissimo, N. Neves and M. Correia., The CRUTIAL reference critical information infrastructure architecture: A blueprint, International Journal of System of Systems Engineering, vol. 1(1/2), pp. 78-95, 2008.
222. VGB PowerTech., IT Security for Generating Plants, Essen, Germany, 2006.
223. C. Wang, L. Fang and Y. Dai., A simulation environment for SCADA security analysis and assessment, Proceedings of the International Conference on Measuring Technology and Mechatronics Automation, vol. 1, pp. 342-347, 2010.
224. W. Wang and Z. Lu., Cyber security in the smart grid: Survey and challenges, Computer Networks, vol. 57(5), pp. 1371-1344, 2013.
225. J. Watters, S. Morrissey, D. Bodeau and S. Powers., The Risk-to-Mission Assessment Process (RiskMAP): A Sensitivity Analysis and an Extension to Treat Confidentiality Issues, Institute for Information Infrastructure Protection (I3P), Dartmouth College, Hanover, New Hampshire, 2009.
226. G. Weaver, C. Cheh, E. Rogers, W. Sanders and D. Gammel., Toward a cyber-physical topology language: Applications to NERC CIP audit, Proceedings of the First ACM workshop on Smart Energy Grid Security, pp. 93-104, 2013.
227. M. Wilson, D. de Zafra, S. Pitcher, J. Tressler and J. Ippolito., Information Technology Security Training Requirements: A Role- and Performance-Based Model, NIST Special Publication 800-16, National Institute of Standards and Technology, Gaithersburg, Maryland, 1998.
228. M. Wilson and J. Hash., Building an Information Technology Security Awareness and Training Program, NIST Special Publication 800-50, National Institute of Standards and Technology, Gaithersburg, Maryland, 2003.
229. J. Wu and K. Kobara., Comparison of tools and simulators for control system security studies, Proceedings of the Tenth IEEE International Conference on Industrial Informatics, pp. 45-50, 2012.
230. H. Yakkali and N. Subramanian., Efficient design of SCADA systems using minimum spanning trees and the NFR Framework, Proceedings of the Forty-Second Southeastern Symposium on System Theory, pp. 346-351, 2010.
231. Y. Yang, K. McLaughlin, T. Littler, S. Sezer, B. Pranggono and H. Wang., Intrusion detection system for IEC 60870-5-104 based SCADA networks, Proceedings of the IEEE Power and Energy Society General Meeting, 2013.
232. B. Zhu and S. Sastry., SCADA-specific intrusion detection/prevention systems: A survey and taxonomy, Proceedings of the First Workshop on Secure Control Systems, 2010.