
An Approach to Organizational Cybersecurity

  • Conference paper
Enterprise Security (ES 2015)

Abstract

Large organizations must plan for Cybersecurity throughout their entire network, taking into account network granularity and outside subcontractors. The United States Department of Defense (DoD) has large networked systems that span the globe, crossing multiple intra-organizational systems. This larger network includes Information Systems typical of enterprise networks, SCADA Systems monitoring critical infrastructure, newer Cyber-physical systems, and mobile networks. With increased connectivity within the DoD and to external organizations, Cybersecurity is seen as a critical organizational need. There is not currently a standard evaluation process to gauge whether various Cybersecurity technologies adequately meet the needs of either the DoD at large or the context of lower-tier organizations. We introduce the DoD-Centric and Independent Technology Evaluation Capability (DITEC), an enterprise-ready evaluation tool that offers a repeatable evaluation process, the ability to take prior product evaluations into account during the acquisition process, and tools to assist security non-experts in understanding which technologies meet their specific needs. This work describes DITEC and the Cyber-SCADA Evaluation Capability (C-SEC), an implementation of DITEC in a Cyber-Physical context.

The rights of this work are transferred to the extent transferable according to title 17 § 105 U.S.C.





Corresponding authors

Correspondence to Jose Romero-Mariona or Roger Hallman.


Copyright information

© 2017 Springer International Publishing AG (outside the USA)

About this paper

Cite this paper

Romero-Mariona, J. et al. (2017). An Approach to Organizational Cybersecurity. In: Chang, V., Ramachandran, M., Walters, R., Wills, G. (eds) Enterprise Security. ES 2015. Lecture Notes in Computer Science, vol 10131. Springer, Cham. https://doi.org/10.1007/978-3-319-54380-2_9


  • DOI: https://doi.org/10.1007/978-3-319-54380-2_9


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-54379-6

  • Online ISBN: 978-3-319-54380-2

  • eBook Packages: Computer Science, Computer Science (R0)
