VCSTC: Virtual Cyber Security Testing Capability – An Application Oriented Paradigm for Network Infrastructure Protection

This paper provides a literature review and survey of maturity and process capability models, Critical Infrastructure Protection (CIP) tools and frameworks to identify strategies for assessing and measuring resilience and risk management capabilities, with a specific focus on the electricity generating sector. The focus is on the use of models such as CERT-RMM, and others, as a means of addressing challenges associated with cyber security and risk management. Foundational concepts, terminology and definitions are provided; examples of maturity and process capability models are presented and discussed, tools that enable process capability and resilience are identified, including those specific to the electricity generating sector. The evolution of models and how they have addressed challenges is presented, in addition to the characteristics and differences of models and the growth in domains where they can be used. The benefits of the application of process capability and maturity models in maintaining and enhancing resilience and cyber security protection is supported in this paper and recommendations for research opportunities that may yield further insight and measurement capabilities are offered.

Download Full-text

Maturity and Process Capability Models and Their Use in Measuring Resilience in Critical Infrastructure Protection Sectors

International Journal of Strategic Information Technology and Applications ◽

10.4018/ijsita.2014040104 ◽

2014 ◽

Vol 5 (2) ◽

pp. 44-63

Author(s):

Clemith J. Houston Jr. ◽

Douglas C. Sicker

Keyword(s):

Risk Management ◽

Cyber Security ◽

Critical Infrastructure ◽

Process Capability ◽

Critical Infrastructure Protection ◽

Infrastructure Protection ◽

Management Capabilities ◽

Use Of Models ◽

Measurement Capabilities ◽

Provided Examples

This paper provides a literature review and survey of maturity and process capability models, Critical Infrastructure Protection (CIP) tools and frameworks to identify strategies for assessing and measuring resilience and risk management capabilities, with a specific focus on the electricity generating sector. The focus is on the use of models such as CERT-RMM, and others, as a means of addressing challenges associated with cyber security and risk management. Foundational concepts, terminology and definitions are provided; examples of maturity and process capability models are presented and discussed, tools that enable process capability and resilience are identified, including those specific to the electricity generating sector. The evolution of models and how they have addressed challenges is presented, in addition to the characteristics and differences of models and the growth in domains where they can be used. The benefits of the application of process capability and maturity models in maintaining and enhancing resilience and cyber security protection is supported in this paper and recommendations for research opportunities that may yield further insight and measurement capabilities are offered.

Download Full-text

Critical Information Infrastructure Protection (CIIP) and Cyber Security in Africa – Has the CIIP and Cyber Security Rubicon Been Crossed?

Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering - e-Infrastructure and e-Services for Developing Countries ◽

10.1007/978-3-642-29093-0_11 ◽

2012 ◽

pp. 116-124

Author(s):

Basie von Solms ◽

Elmarie Kritzinger

Keyword(s):

Cyber Security ◽

Information Infrastructure ◽

Infrastructure Protection ◽

Critical Information

Download Full-text

Automated security testing for web applications on industrial automation and control systems

at - Automatisierungstechnik ◽

10.1515/auto-2019-0021 ◽

2019 ◽

Vol 67 (5) ◽

pp. 383-401

Author(s):

Steffen Pfrang ◽

Anne Borcherding ◽

David Meier ◽

Jürgen Beyerer

Keyword(s):

Control Systems ◽

Cyber Security ◽

Web Application ◽

Web Applications ◽

Security Testing ◽

Industrial Automation ◽

Local Networks ◽

Automation And Control ◽

And Control ◽

The Web

Abstract Industrial automation and control systems (IACS) play a key role in modern production facilities. On the one hand, they provide real-time functionality to the connected field devices. On the other hand, they get more and more connected to local networks and the internet in order to facilitate use cases promoted by “Industrie 4.0”. A lot of IACS are equipped with web servers that provide web applications for configuration and management purposes. If an attacker gains access to such a web application operated on an IACS, he can exploit vulnerabilities and possibly interrupt the critical automation process. Cyber security research for web applications is well-known in the office IT. There exist a lot of best practices and tools for testing web applications for different kinds of vulnerabilities. Security testing targets at discovering those vulnerabilities before they can get exploited. In order to enable IACS manufacturers and integrators to perform security tests for their devices, ISuTest was developed, a modular security testing framework for IACS. This paper provides a classification of known types of web application vulnerabilities. Therefore, it makes use of the worst direct impact of a vulnerability. Based on this analysis, a subset of open-source vulnerability scanners to detect such vulnerabilities is selected to be integrated into ISuTest. Subsequently, the integration is evaluated. This evaluation is twofold: At first, willful vulnerable web applications are used. In a second step, seven real IACS, like a programmable logic controller, industrial switches and cloud gateways, are used. Both evaluation steps start with the manual examination of the web applications for vulnerabilities. They conclude with an automated test of the web applications using the vulnerability scanners automated by ISuTest. The results show that the vulnerability scanners detected 53 % of the existing vulnerabilities. In a former study using commercial vulnerability scanners, 54 % of the security flaws could be found. While performing the analysis, 45 new vulnerabilities were detected. Some of them did not only break the web server but crashed the whole IACS, stopping the critical automation process. This shows that security testing is crucial in the industrial domain and needs to cover all services provided by the devices.

Download Full-text

A Study on Cyber Security Threats in a Shipboard Integrated Navigational System

Journal of Marine Science and Engineering ◽

10.3390/jmse7100364 ◽

2019 ◽

Vol 7 (10) ◽

pp. 364 ◽

Cited By ~ 3

Author(s):

Svilicic ◽

Rudan ◽

Jugović ◽

Zec

Keyword(s):

Cyber Security ◽

Route Planning ◽

Regulatory Compliance ◽

Security Testing ◽

Vulnerability Scanner ◽

Radar Systems ◽

Electronic Chart ◽

Planning Status ◽

Navigational System ◽

Route Monitoring

The integrated navigational system (INS) enhances the effectiveness and safety of ship navigation by providing multifunctional display on the basis of integration of at least two navigational functions, the voyage route monitoring with Electronic Chart Display and Information System (ECDIS) and collision avoidance with radar. The INS is essentially a software platform for fusion of data from the major ECDIS and radar systems with sensors for the additional navigation functions of route planning, status and data display, and alert management. This paper presents a study on cyber security resilience examination of a shipboard INS installed on a RoPax ship engaged in international trade. The study was based on a mixed-method approach, combining an interview of the ship's navigational ranks and cyber security testing of the INS using an industry vulnerability scanner. The identified threats were analyzed qualitatively to study the source of cyber risks threatening the INS. The results obtained point out cyber threats related to weaknesses of the INS underlying operating system, suggesting a need for occasional preventive maintenance in addition to the regulatory compliance required.

Download Full-text

Towards a Cyber Secure Shipboard Radar

Journal of Navigation ◽

10.1017/s0373463319000808 ◽

2019 ◽

Vol 73 (3) ◽

pp. 547-558 ◽

Cited By ~ 2

Author(s):

Boris Svilicic ◽

Igor Rudan ◽

Vlado Frančić ◽

Djani Mohović

Keyword(s):

Operating System ◽

Cyber Security ◽

Software Tool ◽

Security Testing ◽

Cyber Threats ◽

Radar Systems ◽

Holistic Understanding ◽

Computational Testing

This paper presents a comparative cyber security resilience estimation of shipboard radars that are implemented on two oil/chemical tankers certified as SOLAS ships. The estimated radars were chosen from the same manufacturer, but belonged to different generations. The estimation was conducted by means of ships' crew interviews and computational testing of the radars using a widely deployed vulnerability scanning software tool. The identified cyber threats were analysed qualitatively in order to gain a holistic understanding of cyber risks threatening shipboard radar systems. The results obtained experimentally indicate that potential cyber threats mainly relate to maintenance of the radars' underlying operating system, suggesting the need for regulatory standardisation of periodic cyber security testing of radar systems.

Download Full-text

Approaching the Automation of Cyber Security Testing of Connected Vehicles

Proceedings of the Third Central European Cybersecurity Conference on - CECC 2019 ◽

10.1145/3360664.3360729 ◽

2019 ◽

Author(s):

Stefan Marksteiner ◽

Zhendong Ma

Keyword(s):

Cyber Security ◽

Connected Vehicles ◽

Security Testing

Download Full-text