Data-driven power system operation: Exploring the balance between cost and risk

Supervised machine learning has been successfully used in the past to infer a system's security boundary by training classifiers (also referred to as security rules) on a large number of simulated operating conditions. Although significant research has been carried out on using classifiers for the detection of critical operating points, using classifiers for the subsequent identification of suitable preventive/corrective control actions remains underdeveloped. This paper focuses on addressing the challenges that arise when utilizing security rules for control purposes. The inherent trade-off between operating cost and security risk is explored in detail. To optimally navigate this trade-off, a novel approach is proposed that uses an ensemble learning method (AdaBoost) to infer a probabilistic description of a system's security boundary and Platt Calibration to correct the introduced bias. Subsequently, a general-purpose framework for building probabilistic and disjunctive security rules of a system's secure operating domain is developed that can be embedded within classic operation formulations. Through case studies on the IEEE 39-bus system, it is showcased how security rules can be efficiently utilized to optimally operate the system under multiple uncertainties while respecting a user-defined cost-risk balance. This is a fundamental step towards embedding data-driven models within classic optimisation approaches

Towards the Model-Driven Engineering of Secure yet Safe Embedded Systems

We introduce SysML-Sec, a SysML-based Model-Driven Engineering environment aimed at fostering the collaboration between system designers and security experts at all methodological stages of the development of an embedded system. A central issue in the design of an embedded system is the definition of the hardware/software partitioning of the architecture of the system, which should take place as early as possible. SysML-Sec aims to extend the relevance of this analysis through the integration of security requirements and threats. In particular, we propose an agile methodology whose aim is to assess early on the impact of the security requirements and of the security mechanisms designed to satisfy them over the safety of the system. Security concerns are captured in a component-centric manner through existing SysML diagrams with only minimal extensions. After the requirements captured are derived into security and cryptographic mechanisms, security properties can be formally verified over this design. To perform the latter, model transformation techniques are implemented in the SysML-Sec toolchain in order to derive a ProVerif specification from the SysML models. An automotive firmware flashing procedure serves as a guiding example throughout our presentation.Comment: In Proceedings GraMSec 2014, arXiv:1404.163

Efficient Security and Authentication for Edge-Based Internet of Medical Things

Internet of Medical Things (IoMT)-driven smart health and emotional care is revolutionizing the healthcare industry by embracing several technologies related to multimodal physiological data collection, communication, intelligent automation, and efficient manufacturing. The authentication and secure exchange of electronic health records (EHRs), comprising of patient data collected using wearable sensors and laboratory investigations, is of paramount importance. In this article, we present a novel high payload and reversible EHR embedding framework to secure the patient information successfully and authenticate the received content. The proposed approach is based on novel left data mapping (LDM), pixel repetition method (PRM), RC4 encryption, and checksum computation. The input image of size $M imes N$ is upscaled by using PRM that guarantees reversibility with lesser computational complexity. The binary secret data are encrypted using the RC4 encryption algorithm and then the encrypted data are grouped into 3-bit chunks and converted into decimal equivalents. Before embedding, these decimal digits are encoded by LDM. To embed the shifted data, the cover image is divided into $2 imes 2$ blocks and then in each block, two digits are embedded into the counter diagonal pixels. For tamper detection and localization, a checksum digit computed from the block is embedded into one of the main diagonal pixels. A fragile logo is embedded into the cover images in addition to EHR to facilitate early tamper detection. The average peak signal to noise ratio (PSNR) of the stego-images obtained is 41.95 dB for a very high embedding capacity of 2.25 bits per pixel. Furthermore, the embedding time is less than 0.2 s. Experimental results reveal that our approach outperforms many state-of-the-art techniques in terms of payload, imperceptibility, computational complexity, and capability to detect and localize tamper. All the attributes affirm that the proposed scheme is a potential candidate for providing better security and authentication solutions for IoMT-based smart health

A Security, Privacy and Trust Methodology for IIoT

The implements of IoT and industrial IoT (IIoT) are increasingly becoming the consensus with Industry 4.0. Relevant data-driven methodologies are typically concentrated on the scoring systems of CVE prioritization schemes, the scoring formulas of CVSS metrics, and other vulnerability impact factors. However, these prioritized lists such as the CWE/SANS Top 25 suffer from a critical weakness: they fail to consider empirical evidence of exploits. Considering the distinct properties and specific risks of SCADA systems in IIoT, this paper overcomes the inherent limitation of IIoT empirical research which is the sample size of exploits by collecting data manually. This study then developed an exploits factors-embedded regression model to statistically access the significant relationships between security, privacy, and trust-based vulnerability attributes. Through this data-driven empirical methodology, the study elucidated the interactions of security, privacy, and trust in IIoT with professional quantitative indicators, which would provide grounds for substantial further related work. In addition to the security privacy and trust regression analysis, this study further explores the impact of IoT and IIoT by difference-in-difference (DID) approach, applying bootstrap standard error with Kernel option and quantile DID test to evaluate the robustness of DID model. In general, the empirical results indicated that: 1) the CVSS score of vulnerability is irrelevant to the disclosure of exploits, but is positively correlated with CWEs by Density and CVE year, 2) among the exploits of SCADA-related authors, the more identical CWEs that exist in these exploits, the higher the CVSS score of the exploit CVE will be, and CVE year has a negative moderating effect within this relationship; 3) the CVSS scores of SCADA exploits have significantly decreased in comparison with non-SCADA after the promulgation of Industry 4.0

Supporting Cyber-Physical Systems with Wireless Sensor Networks: An Outlook of Software and Services

Sensing, communication, computation and control technologies are the essential building blocks of a cyber-physical system (CPS). Wireless sensor networks (WSNs) are a way to support CPS as they provide fine-grained spatial-temporal sensing, communication and computation at a low premium of cost and power. In this article, we explore the fundamental concepts guiding the design and implementation of WSNs. We report the latest developments in WSN software and services for meeting existing requirements and newer demands; particularly in the areas of: operating system, simulator and emulator, programming abstraction, virtualization, IP-based communication and security, time and location, and network monitoring and management. We also reflect on the ongoing efforts in providing dependable assurances for WSN-driven CPS. Finally, we report on its applicability with a case-study on smart buildings

Developing a distributed electronic health-record store for India

The DIGHT project is addressing the problem of building a scalable and highly available information store for the Electronic Health Records (EHRs) of the over one billion citizens of India

Assessing police privatisation in the United Arab Emirates

The growth of private security companies and the privatisation of police is a development that has been witnessed around the world in both developing and developed nations. The rapid pace of transformation in policing in the UAE potentially poses severe risks to the future of policing. Different categories of risks have been identified in connection with the transference of public functions to the private sector: regulatory, economic and social risks. In the UAE, the outsourcing of policing operations to the private security sector is significantly embedded as a key policy objective driven by a wider commitment to deliver efficient public services. While the UAE and institutions are committed to applying best practice and principles in this area, a framework to assess police privatisation was lacking. The aim of this research was to investigate the effectiveness of governance, oversight and accountability of private security in the UAE. The theoretical basis for this research was underpinned by privatisation theory and principles of accountability and control systems. The research design employed an action research strategy gathering qualitative and quantitative data. Action research was adopted as a means for addressing organisational change and enabled the private and public sector organisations to adopt invigorated perspectives and stimulated engagement regarding organisational issues and cross-sector partnership. In terms of external controls influencing governance and accountability there were gaps when benchmarked against key dimensions identified in the literature. There was a lack of a comprehensive evaluation framework that addresses all dimensions and an absence of systematic and meaningful evaluation of programme effectiveness impacting sector stakeholders. Findings revealed a lack of democratic accountability and public engagement, market control in terms of self-regulation, regulatory limitations and limited engagement and trust between the public and private security organisations. Assessment of internal controls revealed moderate performance in terms of motivation and morale of security personnel and weaknesses in recruitment and training and organisational learning capacity. A framework was formulated contributing a holistic and integrated approach for assessing private security performance. The evaluation dimension contains key factors, such as evaluation criteria and evaluation mechanisms, with associated criteria specifying the nature of the content of the evaluation criteria, such as comprehensiveness and reflection of stakeholder priorities. A key change objective is the implementation of multi-level, multi-dimensional evaluation mechanisms, with compliance measures related to diverse evaluation mechanisms and regularity of evaluation. This framework reflects an embedded approach to assessing the performance of private security model evaluation as a reflexive social process that enables continuous reflection and emergent transformation