Achieving ICS resilience and security through granular data flow management

CPS-SPC 2016 - Proceedings of the 2nd ACM Workshop on Cyber-Physical Systems Security and PrivaCy, co-located with CCS 2016

Volumn , Issue , 2016, Pages 93-101

  Green, Benjamin ^a   Krotofil, Marina ^b   Hutchison, David ^c  

^a LANCASTER UNIVERSITY   (United Kingdom)

^b Honeywell Industrial Cyber Security Lab   (United States)

^c LANCASTER UNIVERSITY   (United Kingdom)

Author keywords

Data flow; Industrial control systems; Resilience; Risk assessment; SCADA; Security; Socio technical systems

Indexed keywords

CONTROL SYSTEMS; DATA HANDLING; DATA TRANSFER; EMBEDDED SYSTEMS; RISK ASSESSMENT; SCADA SYSTEMS;

DATA FLOW; INDUSTRIAL CONTROL SYSTEMS; RESILIENCE; SCADA; SECURITY; SOCIOTECHNICAL SYSTEMS;

INTELLIGENT CONTROL;

EID: 85001759344     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/2994487.2994498     Document Type: Conference Paper

References (38)

1. A. Bolshev, J. Larsen, M. Krotofil, and R. Whitmann. A rising tide: Design exploits in industrial control systems. In 10th USENIX Workshop on Offensive Technologies (WOOT 16), Aug. 2016.
2. British Standards Institute. Information technology - Security techniques - Code of Practice for Information Security Management. 2005.
3. British Standards Institute. BS ISO/IEC 31010 - Risk management - Risk Assessment Techniques. 2010.
4. British Standards Institute. BS ISO/IEC 27001 - Information Technology - Security Techniques - Information Security Management Systems - Requirements. 2013.
5. British Standards Institute. BS ISO/IEC 27002 - Information Technology - Security Techniques - Code of Practice for Information Security Controls. 2013.
6. British Standards Institute. BS ISO/IEC 27019:2013 - Security Techniques - Information Security Management Guidelines Based On ISO/IEC 27002 for Process Control Systems Specific to Utility Industry. 2013.
7. P. Carson. The IT vs. OT debate | Intelligent Utility. Intelligent Utility Magazine, pages 32-34, 2010.
8. Centre for the Protection of National Infrastructure. Cyber Security. http://www.cpni.gov.uk/advice/cyber/. Retrieved: December, 2015.
9. Centre for the Protection of National Infrastructure. Risk Assessment. http://www.cpni.gov.uk/Security-Planning/Business-continuity-plan/Risk-assessment/. Retrieved: December, 2015.
10. Centre for the Protection of National Infrastructure. The National Infrastructure. http://www.cpni.gov.uk/about/cni/, 2014. Retrieved: January, 2016.
11. Centre for the Protection of National Infrastructure. Security for Industrial Control Systems: Manage the Business Risk (a good practice guide). 2015.
12. Centre for the Protection of National Infrastructure. Select and Implement Security Improvements. 2015.
13. Check Point Software Technologies. Critical Infrastructure & ICS/SCADA. https://www.checkpoint.com/products-solutions/critical-infrastructure/, 2016. Retrieved: July, 2016.
14. Council on Cyber Security. The Critical Security Controls for Effective Cyber Defense. 2014.
15. DEFRA. Waste Water Treatment in the United Kingdom. http://tinyurl.com/nhkhhyb, 2012. Retrieved: June, 2015.
16. P. Didier, F. Macias, J. Harstad, R. Antholine, A. Johnston, S, S. Piyecsky, M. Schillace, G. Wilcox, D. Zaniewski, and S. Zuponcic. Converged Plantwide Ethernet (CPwE) Design and Implementation Guide. CISCO Systems and Rockwell Automation, 2011.
17. B. Green, D. Hutchison, S. A. F. Frey, and A. Rashid. Testbed Diversity as a Fundamental Principle for Effective ICS Security Research. In International Workshop on Security and Resilience of Cyber-Physical Infrastructures, pages 1-8, 2016.
18. B. Green, D. Prince, U. Roedig, J. Busby, and D. Hutchison. Socio-Technical Security Analysis of Industrial Control Systems (ICS). In 2nd International Symposium for ICS & SCADA Cyber Security Research(ICS-CSR), 2014.
19. E. Humphreys. Information Security Management Standards: Compliance, Governance and Risk Management. Information Security Technical Report, 13(4):247-255, 2008.
20. Joint Task Force Transformation Initiative. Guide for Conducting Risk Assessments. NIST Publication, 2012.
21. Joint Task Force Transformation Initiative. Security and Privacy Controls for Federal Information Systems and Organizations Security and Privacy Controls for Federal Information Systems and Organizations. NIST Special Publication, 2013.
22. A. Jones and D. Ashenden. Risk Managment for Computer Security - Protecting Your Network and Information Assets. Elsevier, 2005.
23. Kaspersky Lab. ICS Vulnerabilities Statistics 2015. http://tinyurl.com/jh4658o, 2015. Retrieved: June, 2015.
24. W. Knowles, J. M. Such, A. Gouglidis, G. Misra, and A. Rashid. Assurance Techniques for Industrial Control Systems (ICS). In Proceedings of the First ACM Workshop on Cyber-Physical Systems-Security and/or PrivaCy, pages 101-112. ACM, 2015.
25. A. P. Mathur and N. O. Tippenhauer. Swat: a water treatment testbed for research and training on ics security. In 2016 International Workshop on Cyber-physical Systems for Smart Water Networks (CySWater), pages 31-36, April 2016.
26. National Institute of Standards and Technology. FIPS PUB 199: Standards for Security Categorization of Federal Information and Information Systems. 2004.
27. Norwegian Oil and Gas Association. 110 - Recommended Guidelines for Implementation of Information Security in Process Control, Safety and Support ICT Systems During the Engineering, Procurement and Commissioning Phases. Technical report, 2008.
28. B. Paske, B. Green, D. Prince, and D. Hutchison. Design and Construction of an Industrial Control System Testbed. In PGNET, pages 151-156, 2014.
29. R. Ross. Managing enterprise security risk with NIST standards. Computer, 40(8):88-91, 2007.
30. T. Sauter, S. Soucek, W. Kastner, and D. Dietrich. The Evolution of Factory and Building Automation. IEEE Industrial Electronics Magazine, 5(3):35-48, Sept 2011.
31. R. Singla and A. Khosla. Intelligent Security System for HMI in SCADA Applications. International Journal of Modeling and Optimization, 2(4):444-448, 2012.
32. K. Stouffer, S. Lightman, V. Pillitteri, M. Abrams, and A. Hahn. Guide to Industrial Control Systems (ICS) Security. NIST Special Publication, 2015.
33. U.S. Department of Homeland Security. Assessment Program Overview. https://ics-cert.us-cert.gov/Assessments, 2016. Retrieved: September, 2016.
34. U.S. Department of Homeland Security. Control Systems Architecture Analysis Services. http://tinyurl.com/gnr4g5g, 2016. Retrieved: September, 2016.
35. U.S. Department of Homeland Security. Cyber Resilience Review & Cyber Security Evaluation Tool. http://tinyurl.com/jqes9te, 2016. Retrieved: September, 2016.
36. J. M. Weiss. Presentation on how to hack a chemical plant and its implication to actual issues at a nuclear plant. http://tinyurl.com/jr985ru, 2015. Retrieved: January, 2016.
37. M. Whitman and H. Mattord. Principles of information security. Cengage Learning, Boston, 4 edition, 2011.
38. Wireshark.org. About Wireshark. https://www.wireshark.org/, 2016. Retrieved: July, 2016.