OntoEDS: Protecting Energy Delivery Systems by Collaboratively Analyzing Security Requirements

Lamp, Josephine; Rubio-Medrano, Carlos E.; Zhao, Ziming; Ahn, Gail-Joon

doi:10.1109/cic.2017.00012

Cited by 4 publications

(3 citation statements)

References 11 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…OntoEDS [13] is a collaborative tool that models security requirements into a comprehensive, EDS-specific ontology, allowing for stakeholders and security experts in the EDS field to model and understand security requirements, their interdependencies, and their specific implementations, as well as retrieve and synthesize these requirements in an easy-to-use and tailored manner. OntoEDS also establishes a solid foundation of which additional tools can be built off of to help implement, analyze, and evaluate such security requirements.…”

Section: Ontology Modeling For Edsmentioning

confidence: 99%

“…For example, the NIST 800-82 document [21] describes EDS instances and their functional relationships, including what assets control or send data to each other. For the purposes of our ExSol approach, we leveraged the OntoEDS tool [13], previously described in Section 2.3, which provides a well-defined ontological representation containing a variety of requirements that elucidate system configurations and security features for EDS, such as information about threats and attacks that target specific assets, and information about what security features or requirements protect those assets against what attacks and threats.…”

Section: Modeling Security Requirementsmentioning

confidence: 99%

See 1 more Smart Citation

ExSol

et al. 2021

Self Cite

View full text Add to dashboard Cite

No longer just prophesied about, cyber-attacks to Energy Delivery Systems (EDS) (e.g., the power grid, gas and oil industries) are now very real dangers that result in non-trivial economical losses and inconveniences to modern societies. In such a context, risk analysis has been proposed as a valuable way to identify, analyze, and mitigate potential vulnerabilities, threats, and attack vectors. However, performing risk analysis for EDS is difficult due to their innate structural diversity and interdependencies, along with an always-increasing threatscape. Therefore, there is a need for a methodology to evaluate the current system state, identify vulnerabilities, and qualify risk at multiple granularities in a collaborative manner among different actors in the context of EDS. With this in mind, this article presents ExSol , a collaborative, real-time, risk assessment ecosystem that features an approach for modeling real-life EDS infrastructures, an ontology traversal technique that retrieves well-defined security requirements from well-reputed documents on cyber-protection for EDS infrastructures, as well as a methodology for calculating risk for a single asset and for an entire system. Moreover, we also provide experimental evidence involving a series of attack scenarios in both simulated and real-world EDS environments, which ultimately encourage the adoption of ExSol in practice.

show abstract

Section: Ontology Modeling For Edsmentioning

confidence: 99%

Section: Modeling Security Requirementsmentioning

confidence: 99%

ExSol

et al. 2021

Self Cite

View full text Add to dashboard Cite

show abstract

“…As a part of previous work [9], we developed 4 different types of ontology projections, namely, Scenario, Domain, Goal and Risk projections. Scenario projections provide facts describing a system that include agent behavior and environmental context.…”

Section: Introductionmentioning

confidence: 99%

The danger of missing instructions

Lamp

Rubio-Medrano

Zhao

et al. 2018

Proceedings of the 2018 IEEE/ACM International Conference on Connected Health: Applications, Systems and Engineering Technologi

Self Cite

View full text Add to dashboard Cite

The proliferation of networked medical devices has resulted in the development of innovative Medical Cyber-Physical Systems (MCPS) that promise more coordinated and high quality of care for patients. Unsurprisingly, the cybersecurity of MCPS is of high concern, as they are life-critical systems that, if compromised, may result in dire consequences to the patient. A variety of security requirements have been developed over the past 10 years as a result of governmental acts such as HITECH in order to better secure and protect healthcare environments. However, it is unclear how applicable these requirements may be to MCPS infrastructures. As a result, this case study analyzes current healthcare security requirements and their applicability to MCPS using an approach that leverages ontological representations and automated requirement traversal techniques. Using such a methodology, we find that 70% of applicable requirements/risks for MCPS components are missing from the security documentation, including serious items such as Authentication, Data Encryption, DoS attacks, and Legacy Vulnerabilities. We also validate our results within real-world instances and find that almost half of the relevant requirements are not implemented within existing MCPS architectures. CCS CONCEPTS • Security and privacy → Security requirements; • Computer systems organization → Embedded and cyber-physical systems;

show abstract