A survey of cyber security management in industrial control systems

Knowles, William; Prince, Daniel; Hutchison, David; Disso, Jules Ferdinand Pagna; Jones, Kevin

doi:10.1016/j.ijcip.2015.02.002

Cited by 245 publications

(128 citation statements)

References 104 publications

Supporting

Mentioning

128

Contrasting

Order By: Relevance

“…A brief introduction to traditional risk modelling techniques is available in [11], and several reviews of risk assessment in critical complex system exist [13][14][15][16]. In summary the most popular approaches, include Fault Tree Analysis [4], Attack Trees [6], Cause-consequence/effect diagrams [7], Bayesian networks [8,9] and CORAS diagrams [12].…”

Section: Comparison To Other Modelling Approachesmentioning

confidence: 99%

Determining and Sharing Risk Data in Distributed Interdependent Systems

et al. 2017

Self Cite

View full text Add to dashboard Cite

Abstract-While the risks induced by system dependencies have been studied; little is known about modelling complex collections of supposedly independent systems at different geographical locations, which are in reality interdependent due to sharing often-unrecognized common elements. It could be argued that any risk analysis of a large infrastructure that does not take account of such interdependencies is dangerously introspective. We present a top-down, goal-to-dependencies approach to modelling and understanding such Complex Systems, which uses secure, distributed computing protocols to share risk data between the risk models of interdependent systems. We present a Bayesian-sensitivity measure of risk, which is both intuitively satisfying and accords with everyday notions of risk. The core benefit of this approach is to capture dependencies between systems and share risk data such that failure of an entity along the 'supply chain' can be rapidly propagated to those who depend on it allowing them to calculate the likely impact and respond accordingly.

show abstract

Section: Comparison To Other Modelling Approachesmentioning

confidence: 99%

Determining and Sharing Risk Data in Distributed Interdependent Systems

et al. 2017

Self Cite

View full text Add to dashboard Cite

show abstract

“…[41]). An example specific for the chemical industry is the Chemical Sector Coordinating Council, which works in partnership with the Department of Homeland Security and has established a national control systems security programme to specifically address the cybersecurity issues within PCS systems in critical infrastructures ( [4], p.22; [8]). Last, the Chemical Facility Anti-Terrorism Standards (CFATS) requires chemical facilities designated by DHS to comply with Risk-Based Performance Standards, including the standard that regulated facilities must deter cyber sabotage, including preveting remote access to critical PCS and ICS systems (DHS [14,15]).…”

Section: Strengthening the Role Of Government?mentioning

confidence: 99%

“…Three public supervising agencies monitor the risk of a chemical accident in the Rijnmond area: the Occupational Safety and Health Agency, a national inspectorate entrusted with occupational health and safety; the regional 'Safety Region Board', which includes the specialized regional Fire Brigade for ex post crisis management, and DCMR, the regional environmental protection agency mandated for licensing and inspecting major hazard facilities. 8 Together, these three agencies monitor compliance to the European Seveso regulation for industrial safety, implemented in the Netherlands in the Major Accidents Hazards Decree, and in the environmental license. Although each of these agencies carries out frequent inspections of chemical facilities in the Rijnmond area, none of them currently includes cybersecurity in their inspections; nor is it part of the licensing requirements.…”

Section: Strengthening the Role Of Government?mentioning

confidence: 99%

New governance of corporate cybersecurity: a case study of the petrochemical industry in the Port of Rotterdam

Erp

2017

Crime Law Soc Change

View full text Add to dashboard Cite

The petro-chemical industry is a critical infrastructure that is vulnerable to cybercrime. In particular, industrial process control systems contain many vulnerabilities and are known targets for hackers. A cyberattack to a chemical facility can cause enormous risks to the economy, the environment, and public health and safety. This gives rise to the question how corporate cybersecurity has developed; how it is governed; and whether it should be subject to public oversight. This paper presents a case study of the governance of cybersecurity in the petrochemical industry in the Rotterdam Mainport area in the Netherlands, which reflects the 'new governance' view that cybersecurity can best be governed through voluntary public-private partnerships. The paper finds however that actual collaborative governance is not developing in the petrochemical industry in the port of Rotterdam; that corporate awareness and investment in cybersecurity stay behind standards, and that cybersecurity is not included in regulatory inspections. The paper places these findings in the context of three problems often associated with 'new governance' particularly pressing in cybersecurity governance: a weak role of government in publicprivate collaborative arrangements; an expectation that businesses will invest in self-regulation even in the absence of incentives to do so, and a lack of information exchange. In the port of Rotterdam, these problems result in a lack of obligations and accountability pressure on petrochemical corporations, leaving on of the most important chemical industrial hazards of today, largely unregulated. Crime Law Soc Change (2017) 68:75-93

show abstract

“…Given the near-ubiquitous use of information systems by both enterprise and individuals, a breach of NIS can result in severe consequences beyond the purely economic, with potential repercussions for other forms of critical infrastructure, such as loss of energy supplies or failure of transport networks (2006, p. 5). Indeed, as Knowles et al indicate, corporate networks and the Internet increasingly form part of industrial control systems, presenting potential risks to physical industrial systems through the misuse or attack of computer systems [48]. However, and of direct relevance to this paper, the 2006 Commission Communication proposes a strategy for ensuring NIS that goes beyond the initial discussions in the 2001 Communication and the previously limited role of the private sector under the 2004 ENISA Regulation, through direct interaction and engagement with private stakeholders, based on Bdialogue, partnership and empowerment^(2006, p. 6).…”

Section: Conceptualising the Role Of Private Actors In Network And Inmentioning

confidence: 99%

‘Dialogue, partnership and empowerment for network and information security’: the changing role of the private sector from objects of regulation to regulation shapers

Carrapiço

Farrand

2016

Crime Law Soc Change

View full text Add to dashboard Cite

The protection of cyberspace has become one of the highest security priorities of governments worldwide. The EU is not an exception in this context, given its rapidly developing cyber security policy. Since the 1990s, we could observe the creation of three broad areas of policy interest: cyber-crime, critical information infrastructures and cyber-defence. One of the main trends transversal to these areas is the importance that the private sector has come to assume within them. In particular in the area of critical information infrastructure protection, the private sector is seen as a key stakeholder, given that it currently operates most infrastructures in this area. As a result of this operative capacity, the private sector has come to be understood as the expert in network and information systems security, whose knowledge is crucial for the regulation of the field. Adopting a Regulatory Capitalism framework, complemented by insights from Network Governance, we can identify the shifting role of the private sector in this field from one of a victim in need of protection in the first phase, to a commercial actor bearing responsibility for ensuring network resilience in the second, to an active policy shaper in the third, participating in the regulation of NIS by providing technical expertise. By drawing insights from the above-mentioned frameworks, we can better understand how private actors are involved in shaping regulatory responses, as well as why they have been incorporated into these regulatory networks.

show abstract

A survey of cyber security management in industrial control systems

Cited by 245 publications

References 104 publications

Determining and Sharing Risk Data in Distributed Interdependent Systems

Determining and Sharing Risk Data in Distributed Interdependent Systems

New governance of corporate cybersecurity: a case study of the petrochemical industry in the Port of Rotterdam

‘Dialogue, partnership and empowerment for network and information security’: the changing role of the private sector from objects of regulation to regulation shapers

Contact Info

Product

Resources

About