Towards usable cyber security requirements

Author(s):  
Jose Romero-Mariona ◽  
Hadar Ziv ◽  
Debra J. Richardson ◽  
Dennis Bystritsky
Signals ◽  
2021 ◽  
Vol 2 (4) ◽  
pp. 803-819
Author(s):  
Nabin Chowdhury

As digital instrumentation in Nuclear Power Plants (NPPs) is becoming increasingly complex, both attack vectors and defensive strategies are evolving based on new technologies and vulnerabilities. Continued efforts have been made to develop a variety of measures for the cyber defense of these infrastructures, which often consist in adapting security measures previously developed for other critical infrastructure sectors according to the requirements of NPPs. That being said, due to the very recent development of these solutions, there is a lack of agreement or standardization when it comes to their adoption at an industrial level. To better understand the state of the art in NPP Cyber-Security (CS) measures, in this work, we conduct a Systematic Literature Review (SLR) to identify scientific papers discussing CS frameworks, standards, guidelines, best practices, and any additional CS protection measures for NPPs. From our literature analysis, it was evidenced that protecting the digital space in NPPs involves three main steps: (i) identification of critical digital assets; (ii) risk assessment and threat analysis; (iii) establishment of measures for NPP protection based on the defense-in-depth model. To ensure the CS protection of these infrastructures, a holistic defense-in-depth approach is suggested in order to avoid excessive granularity and lack of compatibility between different layers of protection. Additional research is needed to ensure that such a model is developed effectively and that it is based on the interdependencies of all security requirements of NPPs.


2012 ◽  
Vol 7 (5) ◽  
pp. 255-265
Author(s):  
Soo-Youl Park ◽  
Wook-Jin Choi ◽  
Bo-Heung Chung ◽  
Jeong-Nyeo Kim ◽  
Joo-Man Kim

Electronics ◽  
2020 ◽  
Vol 9 (9) ◽  
pp. 1460
Author(s):  
Neetesh Saxena ◽  
Emma Hayes ◽  
Elisa Bertino ◽  
Patrick Ojo ◽  
Kim-Kwang Raymond Choo ◽  
...  

The insider threat has consistently been identified as a key threat to organizations and governments. Understanding the nature of insider threats and the related threat landscape can help in forming mitigation strategies, including non-technical means. In this paper, we survey and highlight challenges associated with the identification and detection of insider threats in both public and private sector organizations, especially those that are part of a nation's critical infrastructure. We explore the utility of the cyber kill chain to understand insider threats, as well as the underpinning human behavior and psychological factors. The existing defense techniques are discussed and critically analyzed, and improvements are suggested, in line with the current state-of-the-art cyber security requirements. Finally, open problems related to the insider threat are identified and future research directions are discussed.


2020 ◽  
Vol 4 (1) ◽  
pp. 044-046
Author(s):  
Beretas Christos P

Industrial control systems (ICS) are critical, as in these systems cyber threats have the potential to affect and disorganize them, change their mode of operation, act as an information extraction vehicle, and ultimately turn the system against itself, creating risks to the system itself and its infrastructure, downtime, leakage of sensitive data, and even loss of human life. Industrial control systems (ICS) are vital to the operation of all the modern automated infrastructure in the western world, such as power plants and power stations. Industrial control systems (ICS) differ from the traditional information systems and infrastructures of organizations and companies; a standard cyber security strategy cannot be implemented as is, but only in part, adapted to the real facts and needs of each country, legislation and infrastructure. These systems require continuous operation, reliability and rapid recovery when attacked electronically, with automated control, isolation and attack management processes. Incorrect settings and lack of strategic planning can lead to unprotected operation of critical installations, as they do not meet the cyber security requirements. Industrial control systems (ICS) require special protection in their networks, as they should be considered vulnerable in all their areas; they need protection from cyber attacks against ICS, SCADA servers, workstations, PLC automations, etc. Security policies to be implemented should provide protection against cyber threats, and systems recovery without affecting the operation and reliability of operating processes. Security policies such as security assessment, smart reporting, vulnerability and threat simulation, integrity control analysis, applying security policy to shared systems, intrusion detection and prevention, and finally a firewall with integrated antivirus and sandbox services should be considered essential entities.


Author(s):  
Neila Rjaibi ◽  
Latifa Ben Arfa Rabai ◽  
Ali Mili

This chapter presents an overview of security challenges in e-Learning systems, and discusses a recent review of related research on security risk management approaches in e-Learning to give a proper context to our work. The literature review shows a lack of quantitative security risk management models applied to e-Learning systems and presents the strengths of the Mean Failure Cost model in quantifying security threats with a financial risk measure. Moreover, we focus on presenting security aspects of e-Learning applications, and analyze their respective stakeholders, security requirements, architectural components and threats. The Mean Failure Cost (MFC) cyber security measure suitable for e-Learning systems is defined and computed. We adapt it to quantify security threats and risk within e-Learning systems. It is based on the identification of the system's architecture, the well-defined classes of stakeholders, the list of possible threats and vulnerabilities and the specific security requirements related to e-Learning systems and applications.


2018 ◽  
Vol 95 ◽  
pp. 179-200
Author(s):  
Affan Yasin ◽  
Lin Liu ◽  
Tong Li ◽  
Jianmin Wang ◽  
Didar Zowghi

2021 ◽  
Vol 13 (2) ◽  
pp. 32-39
Author(s):  
George Matta ◽  
Sebastian Chlup ◽  
Abdelkader Magdy Shaaban ◽  
Christoph Schmittner ◽  
Andreas Pinzenöhler ◽  
...  

The Internet of Things (IoT) and cloud technologies are increasingly implemented in the form of Cyber-Physical Systems of Systems (CPSoS) for the railway sector. In order to satisfy the security requirements of Cyber-Physical Systems (CPS), domain-specific risk identification assessment procedures have been developed. Threat modelling is one of the most commonly used methods for threat identification for the security analysis of CPSoS and is capable of targeting various domains. This paper reports our experience of using a risk management framework to identify the most critical security vulnerabilities in CPSoS in the domain and shows the broader impact this work can have on the domain of safety and security management. Moreover, we emphasize the application of common analytical methods for cyber-security based on international industry standards to identify the most vulnerable assets. These will be applied to a meta-model for automated railway systems in the concept phase to support the development and deployment of these systems. Furthermore, it is the first step to create a secure and standard-compliant system by design.


2021 ◽  
Vol 14 (3) ◽  
pp. 18-28
Author(s):  
F. F. Sharipov ◽  
M. A. Dyakonova

Among the trends of business development on the border territory between Russia and China, according to the authors, electronic commerce is attractive. Practical examples have identified the development of cross-border e-commerce between our countries, taking into account the variety, pricing, promotion and settlement of the delivered goods. Sales are projected to grow steadily over the next four years, considering the need to adopt the latest technologies and cyber security requirements.

