Security Control Assessment of Supervisory Control and Data Acquisition for Power Utilities in Tanzania

2020 ◽  
Vol 5 (7) ◽  
pp. 785-789
Author(s):  
Job Asheri Chaula ◽  
Godfrey Weston Luwemba

The primary purpose of this research was to assess the adequacy and effectiveness of the security controls of the Supervisory Control and Data Acquisition (SCADA) communication network used by infrastructure companies. Initially, SCADA networks were physically separated from other networks connected to the internet and hence assumed secure. However, modern SCADA systems are now integrated with other networks, resulting in new security vulnerabilities and attacks similar to those found in traditional IT. Thus, it is important to reassess the security controls of SCADA because it is operated in an open network environment. In this research, the SCADA security controls in the power sector in Tanzania were assessed, whereby a specific SCADA implementation was studied. The data were gathered using observation, testing, interviews, questionnaires and documentation reviews. The results were analyzed using the Cyber Security Evaluation Tool (CSET) and checked for compliance with the National Institute of Standards and Technology (NIST) and North American Electric Reliability Corporation (NERC) standards. The findings show that security vulnerabilities exist both in compliance with the standards and at the component level. Additionally, audit and accountability, personnel security, and system and information integrity are inadequate. For component-based security compliance, the findings point to identification and authentication, security management, and audit and accountability. On the basis of the results, the research indicates the areas that require immediate action in order to protect the critical infrastructure.

2021 ◽  
Author(s):  
Mohammed Alqahtani ◽  
Robin Braun

IT infrastructure and systems are made up of technical as well as social systems that work in alliance to ensure that an organization's goals and objectives are met. Security controls and measures are developed and used to guard the data and information systems of the organization. Breaches of cyber security are primarily caused by the misuse of information systems and failure to comply with cyber security measures. Cyber security non-compliance is a major concern for organizations. For effective compliance and human acceptance of cyber security technology, and for complying with cyber practices, it is essential to ascertain, research, and examine the factors which contribute to the compliance and implementation of cyber security. This study has utilized an enhanced UTAUT2 (Unified Theory of Acceptance and Use of Technology 2) model and assessed its relationship with cyber security compliance. Five new formal and informal factors that affect cyber security compliance in organizations are identified and evaluated. The research questions addressed are how the formal factors of technical measures, accountability, and monitoring and evaluation impact employees' behaviour towards cyber security compliance. The study comprises a correlational survey of employees working at e-government organizations in Saudi Arabia. Results indicate that technical measures, accountability, and monitoring and evaluation play a significant role in employee attitudes and behaviour towards cyber security compliance.


2021 ◽  
Vol 17 (4) ◽  
pp. 40-62
Author(s):  
Mohammed Saeed A Alqahtani ◽  
Eila Erfani

IT infrastructure and systems are made up of technical and social systems that work together to ensure that an organization's goals and objectives are met. Security controls and measures are developed and used to protect an organization's data and information systems. To improve cyber security, organizations focus most of their efforts on incorporating new technological approaches in products and processes, leaving out the most important and vulnerable factor: the people who use them. So this study intends to provide some practical implications for technology developers and policymakers while identifying the factors that affect cyber security compliance in an organization or home environment for general users, HR, IT administrators, engineers, and others. It explored the Unified Theory of Acceptance and Use of Technology 2 (UTAUT2) model and assessed the effect of its factors on cyber security compliance in organizations.


Author(s):  
Karl Waedt ◽  
Yongjian Ding ◽  
Antonio Ciriello ◽  
Xinxin Lou

The generic concept of Security Controls, as initially deployed in the information security domain, is gradually being used in other business domains, including industrial security for critical infrastructure and cybersecurity of nuclear safety I&C. A Security Control, or less formally, a security countermeasure, can be any organizational, technical or administrative measure that helps in reducing the risk imposed by a cybersecurity threat. The new IAEA NST036 lists more than 200 such countermeasures. NIST SP800-53 Rev. 4 contains about 450 pages of security countermeasure descriptions, which are graded according to three levels of stringency. In order to facilitate and formalize the process of developing, precisely describing, distributing and maintaining more complex security controls, the Application Security Controls (ASC) concept is introduced by the new ISO/IEC 27034 multipart standard. An ASC is an extensible semi-formal representation of a security control (e.g. XML or JSON-based), which contains a set of mandatory and optional parts as well as possible links to other ASCs. A set of Application Security Controls may be developed by one company and shipped together with a product of another company. ISO/IEC 27034-6 assumes that ASCs are developed by an organization or team specialized in security and that the ASCs are forwarded to customers for direct use or for integration into their own products or services. The distribution of ASCs is supported and formalized by the Organization Normative Frameworks (ONF) and Application Normative Frameworks (ANF) deployed in the respective organizational units. The maintenance and continuous improvement of ASCs is facilitated by the ONF Process and ANF Process. This paper will explore the applicability of these industry-standards-based ASC lifecycle concepts for the nuclear domain in line with IEC 62645, IEC 62859 and the upcoming IEC 63096. It will include results from an ongoing bachelor thesis and master thesis, mentored by two of the authors, as well as nuclear-specific deployment scenarios currently being evaluated by a team of cybersecurity PhD candidates.


2016 ◽  
Vol 6 (1) ◽  
pp. 59
Author(s):  
Ahmad Budi Setiawan

SCADA (Supervisory Control and Data Acquisition) systems, as the control unit of the smart grid, have been used for automation in almost every industry around the world. Smart grid technology combines the energy infrastructure with telecommunications and Internet networks. The system provides operational ease and efficiency for the industry. However, the system has many vulnerabilities in the information security aspect that can have a major impact on the industry and even the economy. This study tried to design a smart grid cyber security programme, including the strategies that must be carried out and the information security system architecture to be built. The study was conducted qualitatively through in-depth interviews, focus group discussions and direct observation. The result of this research is a set of design strategy recommendations for the development of smart grid cyber security. The recommendations of this study are also intended as a framework for smart grid cyber security, to serve as a reference for the implementation of the smart grid in Indonesia.


2018 ◽  
Vol 4 (4) ◽  
Author(s):  
Karl Waedt ◽  
Yongjian Ding ◽  
Antonio Ciriello ◽  
Xinxin Lou

The generic concept of security controls, as initially deployed in the information security domain, is gradually being used in other business domains, including industrial security for critical infrastructure and cybersecurity of nuclear safety instrumentation & control (I&C). A security control, or less formally, a security countermeasure, can be any organizational, technical, or administrative measure that helps in reducing the risk imposed by a cybersecurity threat. The new IAEA NST036 lists more than 200 such countermeasures. NIST SP800-53 Revision 4 contains about 450 pages of security countermeasure descriptions, which are graded according to three levels of stringency. In order to facilitate and formalize the process of developing, precisely describing, distributing, and maintaining more complex security controls, the application security controls (ASC) concept is introduced by the new ISO/IEC 27034 multipart standard. An ASC is an extensible semiformal representation of a security control (Extensible Markup Language or JavaScript Object Notation based), which contains a set of mandatory and optional parts as well as possible links to other ASCs. A set of ASCs may be developed by one company and shipped together with a product of another company. ISO/IEC 27034-6 assumes that ASCs are developed by an organization or team specialized in security and that the ASCs are forwarded to customers for direct use or for integration into their own products or services. The distribution of ASCs is supported and formalized by the organization normative frameworks (ONFs) and application normative frameworks (ANFs) deployed in the respective organizational units. The maintenance and continuous improvement of ASCs is facilitated by the ONF process and ANF process. This paper will explore the applicability of these industry-standards-based ASC lifecycle concepts for the nuclear domain in line with IEC 62645, IEC 62859, and the upcoming IEC 63096. It will include results from an ongoing bachelor thesis and master thesis, mentored by two of the authors, as well as nuclear-specific deployment scenarios currently being evaluated by a team of cybersecurity Ph.D. candidates.
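Both abstracts above describe an ASC as a semi-formal record (XML or JSON) with mandatory and optional parts and links to other ASCs, developed by one organization and shipped to another. A customer receiving such a set wants to check it before integrating it: are the mandatory parts present, do all links resolve, and is the link graph free of cycles? The following Python is an added example of that intake check; it is not code from the paper or from ISO/IEC 27034. The field names (`id`, `name`, `level`, `verification`, `rationale`, `links`) and the three stringency levels are assumptions made for illustration, and the sample ASC set is constructed here.

```python
"""Intake validation for a shipped set of Application Security Controls (ASCs).

Added example, not code from the paper or from ISO/IEC 27034. The record layout
below is an assumption: the standard defines an ASC as a semi-formal structure
with mandatory and optional parts plus links to other ASCs, but the field names
used here were chosen for this example only.
"""
import json

# Assumed schema: parts every ASC must carry, parts it may carry, allowed levels.
MANDATORY_PARTS = ("id", "name", "level", "verification")
OPTIONAL_PARTS = ("rationale", "links")
LEVELS = {"low", "moderate", "high"}  # three levels of stringency, as for SP 800-53

# Constructed sample set with deliberate defects: ASC-003 lacks a mandatory part,
# ASC-004 has an unknown level and a dangling link, and 001 -> 002 -> 003 -> 001
# forms a cycle.
SAMPLE_ASCS = """[
  {"id": "ASC-001", "name": "Segment I&C network from office LAN",
   "level": "high", "verification": "firewall rule review", "links": ["ASC-002"]},
  {"id": "ASC-002", "name": "Unidirectional gateway for data export",
   "level": "high", "verification": "data-flow test", "links": ["ASC-003"]},
  {"id": "ASC-003", "name": "Log all gateway events",
   "level": "moderate", "links": ["ASC-001"]},
  {"id": "ASC-004", "name": "Operator authentication at HMI",
   "level": "extreme", "verification": "login test", "links": ["ASC-999"]}
]"""


def check_parts(record, index):
    """Report missing mandatory parts, unknown parts and invalid levels."""
    ident = record.get("id", f"record #{index}")
    problems = []
    for part in MANDATORY_PARTS:
        if part not in record:
            problems.append(f"{ident}: missing mandatory part '{part}'")
    unknown = set(record) - set(MANDATORY_PARTS) - set(OPTIONAL_PARTS)
    for part in sorted(unknown):
        problems.append(f"{ident}: unknown part '{part}'")
    if "level" in record and record["level"] not in LEVELS:
        problems.append(f"{ident}: level '{record['level']}' not one of {sorted(LEVELS)}")
    return problems


def check_links(ascs):
    """Report links that point at an ASC not present in the shipped set."""
    problems = []
    for ident in sorted(ascs):
        for target in ascs[ident].get("links", []):
            if target not in ascs:
                problems.append(f"{ident}: link to unknown ASC '{target}'")
    return problems


def find_cycles(ascs):
    """Depth-first search over the link graph; returns each cycle as an id path."""
    WHITE, GREY, BLACK = 0, 1, 2
    color = {ident: WHITE for ident in ascs}
    cycles = []

    def visit(node, path):
        color[node] = GREY
        path.append(node)
        for nxt in ascs[node].get("links", []):
            if nxt not in ascs:
                continue  # dangling links are reported by check_links
            if color[nxt] == GREY:  # back edge: nxt is still on the current path
                cycles.append(path[path.index(nxt):] + [nxt])
            elif color[nxt] == WHITE:
                visit(nxt, path)
        path.pop()
        color[node] = BLACK

    for node in sorted(ascs):
        if color[node] == WHITE:
            visit(node, [])
    return cycles


def validate_asc_set(text):
    """Parse a JSON list of ASC records and return an intake report."""
    records = json.loads(text)
    problems = []
    for index, record in enumerate(records):
        problems.extend(check_parts(record, index))
    ascs = {r["id"]: r for r in records if "id" in r}
    problems.extend(check_links(ascs))
    for cycle in find_cycles(ascs):
        problems.append("cycle: " + " -> ".join(cycle))
    return {"ok": not problems, "count": len(records), "problems": problems}


if __name__ == "__main__":
    report = validate_asc_set(SAMPLE_ASCS)
    print(f"{report['count']} ASCs, accepted: {report['ok']}")
    for line in report["problems"]:
        print(" -", line)
```

The cycle check matters because an ASC that depends on another ASC which, through a chain, depends back on the first cannot be integrated in any order; a receiving organization's ANF process should reject such a set rather than silently pick an arbitrary order. Run on the constructed sample, the report lists the missing `verification` part, the invalid level, the dangling link to `ASC-999`, and the three-node cycle.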


2011 ◽  
Vol 1 (3) ◽  
pp. 1-11
Author(s):  
Christopher Beggs ◽  
Ryan McGowan

In recent years, critical infrastructure utilities have been faced with conflicting attitudes and cultural differences over where SCADA (Supervisory Control and Data Acquisition) and IT fit into an organizational structure. This lack of understanding between SCADA, IT processes, and business operations remains a concern for many utilities within the SCADA community. The importance of SCADA and IT relationships is an area of the SCADA landscape that is often unrecognised. This paper examines the results and findings of a SCADA and IT relationship survey that was undertaken to identify where SCADA operations fit within organizations around the world. It describes several proposed models that define the role and responsibility of SCADA within an organizational structure. It also presents a concept model for SCADA security responsibility and identifies key observations of SCADA and IT working together at the INL Control System Cyber Security Training in Idaho, USA. The main findings of the research suggest, first, that clearly defined roles and responsibilities for SCADA operations and SCADA security need to be established and, second, that immediate culturally driven change is required in order to improve SCADA and IT relationships.


2012 ◽  
Vol 2 (4) ◽  
pp. 13-27
Author(s):  
Joey Jansen van Vuuren ◽  
Louise Leenen ◽  
Jackie Phahlamohlaka ◽  
Jannie Zaaiman

A government has the responsibility to provide, regulate and maintain national security, which includes human security for its citizens. Recent declarations from the UK and USA governments about setting up cybersecurity organisations and the appointment of cyber czars reflect a global recognition that the Internet is part of the national critical infrastructure that needs to be safeguarded and protected. Although the South African government approved a draft National Cyber Security Policy Framework in March 2012, the country still needs a national cybersecurity governance structure in order to effectively control and protect its cyber infrastructure. Whilst various structures have been established to deal with cybersecurity in South Africa, they are inadequate and implementation of the policy is still in the very early stages. Structures need to be in place to set the security controls and policies and also to govern their implementation. It is important to have a holistic approach to cybersecurity, with partnerships between business, government and civil society put in place to achieve this goal. This paper investigates different government organisational structures created for the control of national cybersecurity in selected countries of the world. The main contribution is a proposed approach that South Africa could follow in implementing its proposed cybersecurity policy framework, taking into account the challenges of legislation and control of cybersecurity in Africa, and in particular, in South Africa.

