ABSTRACT
The number and severity of cyber security attacks on Industrial Control Systems (ICS) worldwide have increased in recent years, and significant efforts are under way to improve defensive capabilities. Although comprehensive reviews of ICS risk assessment methodologies exist, little detail is available on how security practitioners actually apply them. This paper summarises the approaches adopted by practitioners, describing the key phases of their risk assessment process, the extent to which existing predefined methodologies are used, and the challenges faced throughout the process as a whole.
Title: "How Long is a Piece of String": Defining Key Phases and Observed Challenges within ICS Risk Assessment