24,450 research outputs found
Model-Based Security Testing
Security testing aims at validating software system requirements related to
security properties like confidentiality, integrity, authentication,
authorization, availability, and non-repudiation. Although security testing
techniques are available for many years, there has been little approaches that
allow for specification of test cases at a higher level of abstraction, for
enabling guidance on test identification and specification as well as for
automated test generation.
Model-based security testing (MBST) is a relatively new field and especially
dedicated to the systematic and efficient specification and documentation of
security test objectives, security test cases and test suites, as well as to
their automated or semi-automated generation. In particular, the combination of
security modelling and test generation approaches is still a challenge in
research and of high interest for industrial applications. MBST includes e.g.
security functional testing, model-based fuzzing, risk- and threat-oriented
testing, and the usage of security test patterns. This paper provides a survey
on MBST techniques and the related models as well as samples of new methods and
tools that are under development in the European ITEA2-project DIAMONDS.Comment: In Proceedings MBT 2012, arXiv:1202.582
Applying Lessons from Cyber Attacks on Ukrainian Infrastructures to Secure Gateways onto the Industrial Internet of Things
Previous generations of safety-related industrial control systems were ‘air gapped’. In other words, process control
components including Programmable Logic Controllers (PLCs) and smart sensor/actuators were disconnected and
isolated from local or wide area networks. This provided a degree of protection; attackers needed physical access to
compromise control systems components. Over time this ‘air gap’ has gradually been eroded. Switches and
gateways have subsequently interfaced industrial protocols, including Profibus and Modbus, so that data can be
drawn from safety-related Operational Technology into enterprise information systems using TCP/IP. Senior
management uses these links to monitor production processes and inform strategic planning. The Industrial Internet
of Things represents another step in this evolution – enabling the coordination of physically distributed resources
from a centralized location. The growing range and sophistication of these interconnections create additional
security concerns for the operation and management of safety-critical systems. This paper uses lessons learned
from recent attacks on Ukrainian critical infrastructures to guide a forensic analysis of an IIoT switch. The intention
is to identify and mitigate vulnerabilities that would enable similar attacks to be replicated across Europe and North
America
Recommended from our members
Evaluating the resilience and security of boundaryless, evolving socio-technical Systems of Systems
PrivacyScore: Improving Privacy and Security via Crowd-Sourced Benchmarks of Websites
Website owners make conscious and unconscious decisions that affect their
users, potentially exposing them to privacy and security risks in the process.
In this paper we introduce PrivacyScore, an automated website scanning portal
that allows anyone to benchmark security and privacy features of multiple
websites. In contrast to existing projects, the checks implemented in
PrivacyScore cover a wider range of potential privacy and security issues.
Furthermore, users can control the ranking and analysis methodology. Therefore,
PrivacyScore can also be used by data protection authorities to perform
regularly scheduled compliance checks. In the long term we hope that the
transparency resulting from the published benchmarks creates an incentive for
website owners to improve their sites. The public availability of a first
version of PrivacyScore was announced at the ENISA Annual Privacy Forum in June
2017.Comment: 14 pages, 4 figures. A german version of this paper discussing the
legal aspects of this system is available at arXiv:1705.0888
- …