MOSTO: A toolkit to facilitate security auditing of ICS devices using Modbus/TCP

The integration of the Internet into industrial plants has connected Industrial Control Systems (ICS) worldwide, resulting in an increase in the number of attack surfaces and the exposure of software and devices not originally intended for networking. In addition, the heterogeneity and technical obsolescence of ICS architectures, legacy hardware, and outdated software pose significant challenges. Since these systems control essential infrastructure such as power grids, water treatment plants, and transportation networks, security is of the utmost importance. Unfortunately, current methods for evaluating the security of ICS are often ad-hoc and difficult to formalize into a systematic evaluation methodology with predictable results. In this paper, we propose a practical method supported by a concrete toolkit for performing penetration testing in an industrial setting. The primary focus is on the Modbus/TCP protocol as the field control protocol. Our approach relies on a toolkit, named MOSTO, which is licensed under GNU GPL and enables auditors to assess the security of existing industrial control settings without interfering with ICS workflows. Furthermore, we present a model-driven framework that combines formal methods, testing techniques, and simulation to (formally) test security properties in ICS networks

Evaluating the integration of supply chain information systems: A case study

Supply chain management (SCM) is the integrated management of business links, information flows and people. It is with this frame of reference that information systems integration from both intra- and inter-organisational levels becomes significant. Enterprise application integration (EAI) has emerged as software technologies to address the issue of integrating the portfolio of SCM components both within organisations and through cross-enterprises. EAI is based on a diversity of integration technologies (e.g. message brokers, ebXML) that differ in the type and level of integration they offer. However, none of these technologies claim to be a panacea to overcoming all integration problems but rather, need to be pieced together to support the linking of diverse applications that often exist within supply chains. In exploring the evaluation of supply chain integration, the authors propose a framework for evaluating the portfolio of integration technologies that are used to unify inter-organisational and intra-organisational information systems. The authors define and classify the permutations of information systems available according to their characteristics and integration requirements. These, classifications of system types are then adopted as part of the evaluation framework and empirically tested within a case study

Correlating Architecture Maturity and Enterprise Systems Usage Maturity to Improve Business/IT Alignment

This paper compares concepts of maturity models in the areas of Enterprise Architecture and Enterprise Systems Usage. We investigate whether these concepts correlate, overlap and explain each other. The two maturity models are applied in a case study. We conclude that although it is possible to fully relate constructs from both kinds of models, having a mature architecture function in a company does not imply a high Enterprise Systems Usage maturity

Towards a novel framework for the assessment of enterprise application integration packages

In addressing enterprise integration problems, a diversity of technologies such as CORBA and XML were promoted, yet no single integration technology solves all integration problems. As a result, a new generation of software called Enterprise Application Integration (EAI) is emerging to addresses many integration problems by combining a diversity of integration technologies (e.g. message brokers, adapters, XML). Since EAI is a new research area, there is an absence of literature discussing issues like its adoption, evaluation and implementation. This paper, examines the application of two frameworks for the evaluation of EAI packages in the practical arena. In doing so, the authors use case study strategy to investigate integration issues. Empirical data derived from the case study suggest additions to the two evaluation frameworks. Therefore, the authors revised and extend previous works by proposing a novel evaluation framework for the assessment of EAI packages. The proposed framework makes novel contribution at two levels. First, at the conceptual level, as it incorporates criteria identified separately in previous studies as evaluation criteria. The proposed framework can be used as a decision-making tool and, supports management when taking decisions regarding the adoption of EAI. Additionally, it can be used by researchers to analyse and understand the capabilities o

Migrating agile methods to standardized development practice

Situated process and quality frame-works offer a way to resolve the tensions that arise when introducing agile methods into standardized software development engineering. For these to be successful, however, organizations must grasp the opportunity to reintegrate software development management, theory, and practice

Beyond enterprise resource planning projects: innovative strategies for competitive advantage

ABSTRACT A rapidly changing business environment and legacy IT problems has resulted in many organisations implementing standard package solutions. This 'common systems' approach establishes a common IT and business process infrastructure within organisations and its increasing dominance raises several important strategic issues. These are to what extent do common systems impose common business processes and management systems on competing firms, and what is the source of competitive advantage if the majority of firms employ almost identical information systems and business processes? A theoretical framework based on research into legacy systems and earlier IT strategy literature is used to analyse three case studies in the manufacturing, chemical and IT industries. It is shown that the organisations are treating common systems as the core of their organisations' abilities to manage business transactions. To achieve competitive advantage they are clothing these common systems with information systems designed to capture information about competitors, customers and suppliers, and to provide a basis for sharing knowledge within the organisation and ultimately with economic partners. The importance of these approaches to other organisations and industries is analysed and an attempt is made at outlining the strategic options open to firms beyond the implementation of common business systems

Integrating IVHM and Asset Design

Integrated Vehicle Health Management (IVHM) describes a set of capabilities that enable effective and efficient maintenance and operation of the target vehicle. It accounts for the collection of data, conducting analysis, and supporting the decision-making process for sustainment and operation. The design of IVHM systems endeavours to account for all causes of failure in a disciplined, systems engineering, manner. With industry striving to reduce through-life cost, IVHM is a powerful tool to give forewarning of impending failure and hence control over the outcome. Benefits have been realised from this approach across a number of different sectors but, hindering our ability to realise further benefit from this maturing technology, is the fact that IVHM is still treated as added on to the design of the asset, rather than being a sub-system in its own right, fully integrated with the asset design. The elevation and integration of IVHM in this way will enable architectures to be chosen that accommodate health ready sub-systems from the supply chain and design trade-offs to be made, to name but two major benefits. Barriers to IVHM being integrated with the asset design are examined in this paper. The paper presents progress in overcoming them, and suggests potential solutions for those that remain. It addresses the IVHM system design from a systems engineering perspective and the integration with the asset design will be described within an industrial design process

Using ERP as a basis for Enterprise application integration

Architecting and implementing e-Business supply chain solutions across and within the modern day enterprise, is now becoming a necessity in order to maintain competitive and be adaptable to market needs. As such, the integration of information and processes is a vital step, using technologies such as using Enterprise Resource Planning (ERP), Supply Chain Management (SCM) and enterprise portal platforms. The effective sharing of resource planning and other enterprise related data across and within the enterprise is typically seen as a facet of a business to business (B2B) platform. However, such infrastructures typically involve a tight integration across intra and inter-organisational systems. This paper examines an Enterprise Application Integration (EAI) initiative taken by a global manufacturer of industrial automation products, which attempted to utilise ERP as an integration tool across its internal B2B infrastructure, to achieve such an aim. This paper discusses those integration considerations and complexities, experienced by the case company upon embarking on an EAI integration programme through the adoption of a core ERP as a catalyst for organizational change. In doing so the authors present an analysis of the inherent risks and limitations of this approach in terms of previously published literature in the field, relating to technology-driven organizational change and EAI impact and adoption frameworks