Abstract
Information technology is essential to today’s manufacturing systems, but it makes them more vulnerable to cyber security threats than ever before. This chapter discusses the challenges to developing automatable configuration checklists for manufacturing environments using the Security Content Automation Protocol (SCAP) family of standards. Increased use of SCAP in manufacturing environments could reduce security vulnerabilities and the likelihood of damaging cyber attacks on manufacturing systems. However, complex relationships and dependencies within and between checklist rules, checking instructions and software result in platform fragmentation. Platform fragmentation makes it difficult to reuse or repurpose existing SCAP-expressed checklist content. Recent research and technological developments can be leveraged to yield potentially promising approaches for mitigating platform fragmentation and improving reuse.
Copyright information
© 2017 IFIP International Federation for Information Processing (outside the US)
About this paper
Cite this paper
Lubell, J., Zimmerman, T. (2017). CHALLENGES TO AUTOMATING SECURITY CONFIGURATION CHECKLISTS IN MANUFACTURING ENVIRONMENTS. In: Rice, M., Shenoi, S. (eds) Critical Infrastructure Protection XI. ICCIP 2017. IFIP Advances in Information and Communication Technology, vol 512. Springer, Cham. https://doi.org/10.1007/978-3-319-70395-4_12
DOI: https://doi.org/10.1007/978-3-319-70395-4_12
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-70394-7
Online ISBN: 978-3-319-70395-4
eBook Packages: Computer Science, Computer Science (R0)