Assessing and augmenting SCADA cyber security: a survey of techniques

SCADA systems monitor and control critical infrastructures of national importance such as power generation and distribution, water supply, transportation networks, and manufacturing facilities. The pervasiveness, miniaturisations and declining costs of internet connectivity have transformed these systems from strictly isolated to highly interconnected networks. The connectivity provides immense benefits such as reliability, scalability and remote connectivity, but at the same time exposes an otherwise isolated and secure system, to global cyber security threats. This inevitable transformation to highly connected systems thus necessitates effective security safeguards to be in place as any compromise or downtime of SCADA systems can have severe economic, safety and security ramifications. One way to ensure vital asset protection is to adopt a viewpoint similar to an attacker to determine weaknesses and loopholes in defences. Such mind sets help to identify and fix potential breaches before their exploitation. This paper surveys tools and techniques to uncover SCADA system vulnerabilities. A comprehensive review of the selected approaches is provided along with their applicability

Between Hype and Understatement: Reassessing Cyber Risks as a Security Strategy

Most of the actions that fall under the trilogy of cyber crime, terrorism,and war exploit pre-existing weaknesses in the underlying technology.Because these vulnerabilities that exist in the network are not themselvesillegal, they tend to be overlooked in the debate on cyber security. A UKreport on the cost of cyber crime illustrates this approach. Its authors chose to exclude from their analysis the costs in anticipation of cyber crime, such as insurance costs and the costs of purchasing anti-virus software on the basis that "these are likely to be factored into normal day-to-day expenditures for the Government, businesses, and individuals. This article contends if these costs had been quantified and integrated into the cost of cyber crime, then the analysis would have revealed that what matters is not so much cyber crime, but the fertile terrain of vulnerabilities that unleash a range of possibilities to whomever wishes to exploit them. By downplaying the vulnerabilities, the threats represented by cyber war, cyber terrorism, and cyber crime are conversely inflated. Therefore, reassessing risk as a strategy for security in cyberspace must include acknowledgment of understated vulnerabilities, as well as a better distributed knowledge about the nature and character of the overhyped threats of cyber crime, cyber terrorism, and cyber war

Analysis of operating system diversity for intrusion tolerance

One of the key benefits of using intrusion-tolerant systems is the possibility of ensuring correct behavior in the presence of attacks and intrusions. These security gains are directly dependent on the components exhibiting failure diversity. To what extent failure diversity is observed in practical deployment depends on how diverse are the components that constitute the system. In this paper, we present a study with operating system's (OS's) vulnerability data from the NIST National Vulnerability Database (NVD). We have analyzed the vulnerabilities of 11 different OSs over a period of 18 years, to check how many of these vulnerabilities occur in more than one OS. We found this number to be low for several combinations of OSs. Hence, although there are a few caveats on the use of NVD data to support definitive conclusions, our analysis shows that by selecting appropriate OSs, one can preclude (or reduce substantially) common vulnerabilities from occurring in the replicas of the intrusion-tolerant system

Efficient Attack Graph Analysis through Approximate Inference

Attack graphs provide compact representations of the attack paths that an attacker can follow to compromise network resources by analysing network vulnerabilities and topology. These representations are a powerful tool for security risk assessment. Bayesian inference on attack graphs enables the estimation of the risk of compromise to the system's components given their vulnerabilities and interconnections, and accounts for multi-step attacks spreading through the system. Whilst static analysis considers the risk posture at rest, dynamic analysis also accounts for evidence of compromise, e.g. from SIEM software or forensic investigation. However, in this context, exact Bayesian inference techniques do not scale well. In this paper we show how Loopy Belief Propagation - an approximate inference technique - can be applied to attack graphs, and that it scales linearly in the number of nodes for both static and dynamic analysis, making such analyses viable for larger networks. We experiment with different topologies and network clustering on synthetic Bayesian attack graphs with thousands of nodes to show that the algorithm's accuracy is acceptable and converge to a stable solution. We compare sequential and parallel versions of Loopy Belief Propagation with exact inference techniques for both static and dynamic analysis, showing the advantages of approximate inference techniques to scale to larger attack graphs.Comment: 30 pages, 14 figure

Flexible and Robust k-Zero Day Safety Network Security Metrics to Measure the Risk on Different Vulnerabilities

Today's computer systems face sophisticated attackers who combine multiple vulnerabilities to penetrate networks with devastating impact. The overall security of a network cannot be determined by simply counting the number of vulnerabilities. In fact, the security risk of unknown vulnerabilities has been considered as something immeasurable due to the less predictable nature of software flaws. This causes a major difficulty to security metrics, because a more secure configuration would be of little value if it were equally susceptible to zero-day attacks. In this paper, instead of just counting how much such vulnerability would be required for compromising network assets we can also attempting to rank unknown vulnerabilities. We propose a Flexible and Robust k-Zero Day Safety security model to rank the zero-day attacks by using collaborative filtering technique to different (types of) zero-day vulnerabilities and novel security metrics for uncertain and dynamic data. DOI: 10.17762/ijritcc2321-8169.15073

Investing in America\u27s Surface Transportation Infrastructure: The Need for a Multi-Year Reauthorization Bill: Hearing Before the S. Comm. on Env\u27t & Pub. Works, 116th Cong., July 10, 2019

The Fourth National Climate Assessment, released in November 2018, described the serious impacts of climate change already being felt throughout the U.S., and made clear that the risks to communities all across the country are growing rapidly. These findings, along with those in the 2018 Intergovernmental Panel on Climate Change (IPCC) report should serve as an immediate call to action. Even if we manage to limit planetary warming to just 2 degrees Celsius, the world will still face increased chances of economic and social upheaval from more severe flooding, droughts, heatwaves, and other climate impacts as well as devastating environmental consequences, the IPCC report warns. The consensus from leading scientific research academies within the United States and internationally is clear: multiple lines of evidence indicate, and have indicated for years, that our atmosphere is warming, sea levels are rising, the magnitude and frequency of certain extreme weather events is increasing, and that human activity is the primary driver of climate change. As described in the IPCC Special Report, the consensus is that countries around the world must rapidly decarbonize their economies, cutting greenhouse gas emissions in half by 2030 and to near zero by 2050. The U.S. Department of Defense, and leaders within the defense and national security communities, have also recognized climate change as a “national security issue” that requires adapting military operations and planning to ensure readiness. Despite our understanding of the consequences we will face and the urgency to act, U.S. GHG emissions from fossil fuel combustion increased by 2.7 percent in 2018, according the Rhodium Group. Clearly more action is needed. While we all recognize the importance of transportation in our daily lives and for our economy, it is also important to recognize that the transportation sector is the largest contributor of GHG emissions in the United States, and is already facing significant impacts from climate change. There is an urgent need, therefore, to transition to a low-carbon and more resilient transportation system. Such a transition would not only reduce emissions and fight climate change, it also would bring additional important benefits, including protecting public health by reducing conventional air pollution, providing more mobility options, and driving innovation and economic growth through policy action and through public and private investment

Review of k-Zero Day Safety Network Security Metrics to Measure the Risk on Different Vulnerabilities

Today's computer networks face intelligent attackers who combine multiple vulnerabilities to penetrate networks with destructive impact. The overall network security cannot be determined by simply counting the number of vulnerabilities. Due to the less predictable nature of software flaws we can’t measure the security risk of unknown vulnerabilities. This affects to security metrics, because a safer configuration would be of little value if it were equally vulnerable to zero-day attacks. In this paper, instead of just measuring how much such vulnerability would be required for compromising network assets we can also attempting to rank unknown vulnerabilities. By using collaborative filtering technique to different (types of) zero-day vulnerabilities and novel security metrics for uncertain and dynamic data we propose a Flexible and Robust k-Zero Day Safety security model to rank the zero-day attacks. DOI: 10.17762/ijritcc2321-8169.16044