Skip to main content

Tipp

Weitere Kapitel dieses Buchs durch Wischen aufrufen

2018 | OriginalPaper | Buchkapitel

Cyber-Risks in the Industrial Internet of Things (IIoT): Towards a Method for Continuous Assessment

verfasst von : Carolina Adaros Boye, Paul Kearney, Mark Josephs

Erschienen in: Information Security

Verlag: Springer International Publishing

share
TEILEN

Abstract

Continuous risk monitoring is considered in the context of cybersecurity management for the Industrial Internet-of-Thing. Cyber-risk management best practice is for security controls to be deployed and configured in order to bring down risk exposure to an acceptable level. However, threats and known vulnerabilities are subject to change, and estimates of risk are subject to many uncertainties, so it is important to review risk assessments and update controls when required. Risks are typically reviewed periodically (e.g. once per month), but the accelerating pace of change means that this approach is not sustainable, and there is a requirement for continuous monitoring of cybersecurity risks. The method described in this paper aims to alert security staff of significant changes or trends in estimated risk exposure to facilitate rational and timely decisions. Additionally, it helps predict the success and impact of a nascent security breach allowing better prioritisation of threats and selection of appropriate responses. The method is illustrated using a scenario based on environmental control in a data centre.
Fußnoten
1
This means basing the analysis only on known attack mechanisms and failure modes.
 
Literatur
2.
Zurück zum Zitat Cherdantseva, Y., Burnap, P., Blyth, A., Eden, P., Jones, K., Soulsby, H., Stoddart, K.: A review of cyber security risk assessment methods for SCADA systems. Comput. Secur. 56, 1–27 (2016) CrossRef Cherdantseva, Y., Burnap, P., Blyth, A., Eden, P., Jones, K., Soulsby, H., Stoddart, K.: A review of cyber security risk assessment methods for SCADA systems. Comput. Secur. 56, 1–27 (2016) CrossRef
3.
Zurück zum Zitat Cisco: Cisco 2017 annual security report. Technical report (2017) Cisco: Cisco 2017 annual security report. Technical report (2017)
4.
Zurück zum Zitat Cook, E., Kearney, P.: Security challenges and cybercrime. J. Inst. Telecommun. Prof. 9, 22–25 (2015) Cook, E., Kearney, P.: Security challenges and cybercrime. J. Inst. Telecommun. Prof. 9, 22–25 (2015)
6.
Zurück zum Zitat Dempsey, K., et al.: Information security continuous monitoring (ISCM) for federal information systems and organizations: National institute of standards and technology special publication 800–137 (2012) Dempsey, K., et al.: Information security continuous monitoring (ISCM) for federal information systems and organizations: National institute of standards and technology special publication 800–137 (2012)
7.
Zurück zum Zitat Dempsey, K., Ross, R., Stine, K.: Supplemental guidance on ongoing authorization (2014) Dempsey, K., Ross, R., Stine, K.: Supplemental guidance on ongoing authorization (2014)
8.
Zurück zum Zitat Desnitsky, V., Kotenko, I., Nogin, S.: Detection of anomalies in data for monitoring of security components in the internet of things. In: 2015 XVIII International Conference on Soft Computing and Measurements (SCM), pp. 189–192. IEEE (2015) Desnitsky, V., Kotenko, I., Nogin, S.: Detection of anomalies in data for monitoring of security components in the internet of things. In: 2015 XVIII International Conference on Soft Computing and Measurements (SCM), pp. 189–192. IEEE (2015)
11.
Zurück zum Zitat Greensmith, J.: Securing the internet of things with responsive artificial immune systems. In: Proceedings of the 2015 Annual Conference on Genetic and Evolutionary Computation, pp. 113–120. ACM (2015) Greensmith, J.: Securing the internet of things with responsive artificial immune systems. In: Proceedings of the 2015 Annual Conference on Genetic and Evolutionary Computation, pp. 113–120. ACM (2015)
12.
Zurück zum Zitat Henrie, M.: Cyber security risk management in the SCADA critical infrastructure environment. Eng. Manag. J. 25(2), 38–45 (2013) CrossRef Henrie, M.: Cyber security risk management in the SCADA critical infrastructure environment. Eng. Manag. J. 25(2), 38–45 (2013) CrossRef
13.
Zurück zum Zitat Huang, H., Xie, D.: Real-time network risk evaluation paradigm-inspired by immune. In: 2015 11th International Conference on Natural Computation (ICNC), pp. 786–790. IEEE (2015) Huang, H., Xie, D.: Real-time network risk evaluation paradigm-inspired by immune. In: 2015 11th International Conference on Natural Computation (ICNC), pp. 786–790. IEEE (2015)
14.
Zurück zum Zitat IBM Institute for Business Value: Internet of threats. securing the internet of things for industrial and utility companies (2018) IBM Institute for Business Value: Internet of threats. securing the internet of things for industrial and utility companies (2018)
15.
Zurück zum Zitat ISO/IEC: Iso/iec 27005:2011. information security risk management (2011) ISO/IEC: Iso/iec 27005:2011. information security risk management (2011)
16.
Zurück zum Zitat Jing, Q., Vasilakos, A.V., Wan, J., Lu, J., Qiu, D.: Security of the internet of things: perspectives and challenges. Wirel. Netw. 20(8), 2481–2501 (2014) CrossRef Jing, Q., Vasilakos, A.V., Wan, J., Lu, J., Qiu, D.: Security of the internet of things: perspectives and challenges. Wirel. Netw. 20(8), 2481–2501 (2014) CrossRef
17.
Zurück zum Zitat Kotenko, I., Saenko, I., Ageev, S.: Countermeasure security risks management in the internet of things based on fuzzy logic inference. In: 2015 IEEE on Trustcom/BigDataSE/ISPA, vol. 1, pp. 654–659. IEEE (2015) Kotenko, I., Saenko, I., Ageev, S.: Countermeasure security risks management in the internet of things based on fuzzy logic inference. In: 2015 IEEE on Trustcom/BigDataSE/ISPA, vol. 1, pp. 654–659. IEEE (2015)
18.
Zurück zum Zitat Lin, S.W., et al.: Industrial internet reference architecture. Technical report, Industrial Internet Consortium (IIC) (2015) Lin, S.W., et al.: Industrial internet reference architecture. Technical report, Industrial Internet Consortium (IIC) (2015)
19.
Zurück zum Zitat Linda, O., Manic, M., Vollmer, T.: Improving cyber-security of smart grid systems via anomaly detection and linguistic domain knowledge. In: 2012 5th International Symposium on Resilient Control Systems (ISRCS), pp. 48–54. IEEE (2012) Linda, O., Manic, M., Vollmer, T.: Improving cyber-security of smart grid systems via anomaly detection and linguistic domain knowledge. In: 2012 5th International Symposium on Resilient Control Systems (ISRCS), pp. 48–54. IEEE (2012)
20.
Zurück zum Zitat Liu, C., Zhang, Y., Zeng, J., Peng, L., Chen, R.: Research on dynamical security risk assessment for the internet of things inspired by immunology. In: 2012 Eighth International Conference on Natural Computation (ICNC), pp. 874–878. IEEE (2012) Liu, C., Zhang, Y., Zeng, J., Peng, L., Chen, R.: Research on dynamical security risk assessment for the internet of things inspired by immunology. In: 2012 Eighth International Conference on Natural Computation (ICNC), pp. 874–878. IEEE (2012)
21.
Zurück zum Zitat Macaulay, T.: RIoT Control: Understanding and Managing Risks and the Internet of Things. Morgan Kaufmann, San Francisco (2016) Macaulay, T.: RIoT Control: Understanding and Managing Risks and the Internet of Things. Morgan Kaufmann, San Francisco (2016)
22.
Zurück zum Zitat Mateski, M., et al.: Cyber threat metrics. Sandia National Laboratories (2012) Mateski, M., et al.: Cyber threat metrics. Sandia National Laboratories (2012)
23.
Zurück zum Zitat Moss, D.L.: Data center operating temperature: The sweet spot (2011) Moss, D.L.: Data center operating temperature: The sweet spot (2011)
24.
Zurück zum Zitat Pan, S., Morris, T., Adhikari, U.: Developing a hybrid intrusion detection system using data mining for power systems. IEEE Trans. Smart Grid 6(6), 3104–3113 (2015) CrossRef Pan, S., Morris, T., Adhikari, U.: Developing a hybrid intrusion detection system using data mining for power systems. IEEE Trans. Smart Grid 6(6), 3104–3113 (2015) CrossRef
26.
Zurück zum Zitat Sadeghi, A.R., Wachsmann, C., Waidner, M.: Security and privacy challenges in industrial internet of things. In: 2015 52nd ACM/EDAC/IEEE on Design Automation Conference (DAC), pp. 1–6. IEEE (2015) Sadeghi, A.R., Wachsmann, C., Waidner, M.: Security and privacy challenges in industrial internet of things. In: 2015 52nd ACM/EDAC/IEEE on Design Automation Conference (DAC), pp. 1–6. IEEE (2015)
27.
Zurück zum Zitat Smith, B.J., Sholander, P.E., Phelan, J.M., Wyss, G.D., Varnado, G.B., Depoy, J.M.: Risk assessment for physical and cyber attacks on critical infrastructures. Technical report, Sandia National Laboratories (2005) Smith, B.J., Sholander, P.E., Phelan, J.M., Wyss, G.D., Varnado, G.B., Depoy, J.M.: Risk assessment for physical and cyber attacks on critical infrastructures. Technical report, Sandia National Laboratories (2005)
28.
Zurück zum Zitat Spyridopoulos, T., Maraslis, K., Tryfonas, T., Oikonomou, G., Li, S.: Managing cyber security risks in industrial control systems with game theory and viable system modelling. In: 2014 9th International Conference on System of Systems Engineering (SOSE), pp. 266–271. IEEE (2014) Spyridopoulos, T., Maraslis, K., Tryfonas, T., Oikonomou, G., Li, S.: Managing cyber security risks in industrial control systems with game theory and viable system modelling. In: 2014 9th International Conference on System of Systems Engineering (SOSE), pp. 266–271. IEEE (2014)
29.
Zurück zum Zitat Symantec: Istr-internet security threat report. Technical report (2017) Symantec: Istr-internet security threat report. Technical report (2017)
30.
Zurück zum Zitat The Open Group: Fair - ISO/IEC 27005 cookbook (2010) The Open Group: Fair - ISO/IEC 27005 cookbook (2010)
31.
Zurück zum Zitat Wang, J., Fan, K., Mo, W., Xu, D.: A method for information security risk assessment based on the dynamic bayesian network. In: 2016 International Conference on Networking and Network Applications (NaNA), pp. 279–283. IEEE (2016) Wang, J., Fan, K., Mo, W., Xu, D.: A method for information security risk assessment based on the dynamic bayesian network. In: 2016 International Conference on Networking and Network Applications (NaNA), pp. 279–283. IEEE (2016)
32.
Zurück zum Zitat Yang, Y., McLaughlin, K., Sezer, S., Littler, T., Im, E.G., Pranggono, B., Wang, H.: Multiattribute SCADA-specific intrusion detection system for power networks. IEEE Trans. Power Deliv. 29(3), 1092–1102 (2014) CrossRef Yang, Y., McLaughlin, K., Sezer, S., Littler, T., Im, E.G., Pranggono, B., Wang, H.: Multiattribute SCADA-specific intrusion detection system for power networks. IEEE Trans. Power Deliv. 29(3), 1092–1102 (2014) CrossRef
33.
Zurück zum Zitat Zhang, Q., Zhou, C., Tian, Y.C., Xiong, N., Qin, Y., Hu, B.: A fuzzy probability bayesian network approach for dynamic cybersecurity risk assessment in industrial control systems. IEEE Trans. Industr. Inf. 14(6), 2497–2506 (2017) CrossRef Zhang, Q., Zhou, C., Tian, Y.C., Xiong, N., Qin, Y., Hu, B.: A fuzzy probability bayesian network approach for dynamic cybersecurity risk assessment in industrial control systems. IEEE Trans. Industr. Inf. 14(6), 2497–2506 (2017) CrossRef
Metadaten
Titel
Cyber-Risks in the Industrial Internet of Things (IIoT): Towards a Method for Continuous Assessment
verfasst von
Carolina Adaros Boye
Paul Kearney
Mark Josephs
Copyright-Jahr
2018
DOI
https://doi.org/10.1007/978-3-319-99136-8_27

Premium Partner