ABSTRACT
As IT/OT convergence continues to evolve, traditionally isolated ICS/OT systems are increasingly exposed to a myriad of online and offline threats. Although IIoT enhances reachability in ICS, improves data analytics, and eases access and decision making, it unwittingly opens the ICS environment to attackers. The design of IIoT introduces multiple entry points to an isolated system that used to protect itself via air-gapping and risk avoidance strategies. This study explores a comprehensive mapping of threats and risks for IT/OT convergence. Additionally, we propose IIoT-ARAS, an automated risk assessment system based on the OCTAVE Allegro and ISO/IEC 27030 methodologies. IIoT-ARAS is designed to be agentless, with minimum interruptions to the OT environment. Furthermore, the system performs automated regular asset inventory checks, threshold optimization, probability computation, risk evaluations, and contingency plan configuration.
Supplemental Material
- Caralli, Richard A., et al. Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment Process. No. Carnegie Mellon University/SEI-2007-TR-012. Carnegie-Mellon Univ Pittsburgh PA Software Engineering Inst, 2007.
- "Guidelines for Security and Privacy in Internet of Things." ISO/IEC 27030, https://www.iso27001security.com/html/27030.html
- Zahran, Bassam, Stacy Nicholson, and Aisha Ali-gombe. "Cross-Platform Malware: Study of the Forthcoming Hazard Adaptation and Behavior." Proceedings of the International Conference on Security and Management (SAM). The Steering Committee of The World Congress in Computer Science, Computer Engineering and Applied Computing (WorldComp), 2019.
- Conto, Ruggero, and Lawrence Orans. OT Security Best Practices, 14 Sept. 2018, www.gartner.com/doc/reprints?id=1--242JE25A
Index Terms
- IIoT-ARAS: IIoT/ICS Automated Risk Assessment System for Prediction and Prevention