Ideal Based Cyber Security Technical Metrics for Control Systems

Boyer, Wayne F.; McQueen, Miles

doi:10.1007/978-3-540-89173-4_21

Cited by 39 publications

(42 citation statements)

References 8 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…This is clearly a simplistic approach, and is unlikely to give the strongest indicator of the vulnerability of the network. This is similar to other work which has been performed on assessing overall vulnerability by the presence of low-level vulnerabilities [6] [25][27] [40]. One potentially viable way to do this would be to combine it with control lists that have different levels of controls, e.g.…”

Section: Discussionmentioning

confidence: 59%

“…Our approach to vulnerability assessment is based on the thesis that all infrastructures are vulnerable, and that this vulnerability can only be mitigated 6 with the implementation of certain controls. This is similar to higher-level risk assessment methodologies (e.g.…”

Section: A Controls-based Approachmentioning

confidence: 99%

“…There are many ways these sub-controls can be combined to give the overall effectiveness of the defence against the vulnerabilities they are mitigating. While there are several attempts at accumulating vulnerabilities' risk to give an overall assessment [6] [25][27] [40], no equivalent has been proposed for controls. The method we will use for this example is simply to divide the sub-controls in place by the total sub-controls for that control.…”

mentioning

confidence: 99%

See 2 more Smart Citations

Exploring a Controls-Based Assessment of Infrastructure Vulnerability

Farnan

Nurse

2016

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Assessing the vulnerability of an enterprise's infrastructure is an important step in judging the security of its network and the trustworthiness and quality of the information that flows through it. Currently, low-level infrastructure vulnerability is often judged in an ad hoc manner, based on the criteria and experience of the assessors. While methodological approaches to assessing an organisation's vulnerability exist, they are often targeted at higher-level threats, and can fail to accurately represent risk. Our aim in this paper therefore, is to explore a novel, structured approach to assessing low-level infrastructure vulnerability. We do this by placing the emphasis on a controls-based evaluation over a vulnerability-based evaluation. This work aims to investigate a framework for the pragmatic approach that organisations currently use for assessing low-level vulnerability. Instead of attempting to find vulnerabilities in infrastructure, we instead assume the network is insecure, and measure its vulnerability based on the controls that have (and have not) been put in place. We consider different control schemes for addressing vulnerability, and show how one of them, namely the Council on Cyber Security's Top 20 Critical Security Controls, can be applied.

show abstract

Section: Discussionmentioning

confidence: 59%

Section: A Controls-based Approachmentioning

confidence: 99%

mentioning

confidence: 99%

See 1 more Smart Citation

Exploring a Controls-Based Assessment of Infrastructure Vulnerability

Farnan

Nurse

2016

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…Since the TA architecture considers issues across each OTI viewpoint, the inclusion or adaptation of any method that could support them was vital. While existing methods [23][24][25][26][27] provide interesting insight into the assessment of security, it appears some may face challenges when considering multiple OTI viewpoints. Through basic adaptation, the method in [28] appears to provide a good starting point.…”

Section: Case Studymentioning

confidence: 99%

Threat awareness for critical infrastructures resilience

Gouglidis

Green

Busby

et al. 2016

2016 8th International Workshop on Resilient Networks Design and Modeling (RNDM)

View full text Add to dashboard Cite

Abstract-Utility networks are part of every nation's critical infrastructure, and their protection is now seen as a high priority objective. In this paper, we propose a threat awareness architecture for critical infrastructures, which we believe will raise security awareness and increase resilience in utility networks. We first describe an investigation of trends and threats that may impose security risks in utility networks. This was performed on the basis of a viewpoint approach that is capable of identifying technical and non-technical issues (e.g., behaviour of humans). The result of our analysis indicated that utility networks are affected strongly by technological trends, but that humans comprise an important threat to them. This provided evidence and confirmed that the protection of utility networks is a multi-variable problem, and thus, requires the examination of information stemming from various viewpoints of a network. In order to accomplish our objective, we propose a systematic threat awareness architecture in the context of a resilience strategy, which ultimately aims at providing and maintaining an acceptable level of security and safety in critical infrastructures. As a proof of concept, we demonstrate partially via a case study the application of the proposed threat awareness architecture, where we examine the potential impact of attacks in the context of social engineering in a European utility company.

show abstract

“…The ideal-based metrics are agreements on the attributes of an ideal cybersecurity system and then assessing how closely the considered system approaches the ideal. 64 Using the known approaches in Sect. 3, MITIGATING STRATEGIES, and ideal-based metrics, one can make a positive statement-of-measure for cybersecurity protection.…”

Section: Ideal-based Metricmentioning

confidence: 99%