Cyber-risks in the Industrial Internet of Things (IIoT): towards a method for continuous assessment.

Continuous risk monitoring is considered in the context of cybersecurity management for the Industrial Internet-of-Thing. Cyber risk management best practice is for security controls to be deployed and configured in order to bring down risk exposure to an acceptable level. However, threats and known vulnerabilities are subject to change, and estimates of risk are subject to many uncertainties, so it is important to review risk assessments and update controls when required. Risks are typically reviewed periodically (e.g. once per month), but the accelerating pace of change means that this approach is not sustainable, and there is a requirement for continuous monitoring of cybersecurity risks. The method described in this paper aims to alert security staff of significant changes or trends in estimated risk exposure to facilitate rational and timely decisions. Additionally, it helps predict the success and impact of a nascent security breach allowing better prioritisation of threats and selection of appropriate responses. The method is illustrated using a scenario based on environmental control in a data centre

Advanced Topics in Systems Safety and Security

This book presents valuable research results in the challenging field of systems (cyber)security. It is a reprint of the Information (MDPI, Basel) - Special Issue (SI) on Advanced Topics in Systems Safety and Security. The competitive review process of MDPI journals guarantees the quality of the presented concepts and results. The SI comprises high-quality papers focused on cutting-edge research topics in cybersecurity of computer networks and industrial control systems. The contributions presented in this book are mainly the extended versions of selected papers presented at the 7th and the 8th editions of the International Workshop on Systems Safety and Security—IWSSS. These two editions took place in Romania in 2019 and respectively in 2020. In addition to the selected papers from IWSSS, the special issue includes other valuable and relevant contributions. The papers included in this reprint discuss various subjects ranging from cyberattack or criminal activities detection, evaluation of the attacker skills, modeling of the cyber-attacks, and mobile application security evaluation. Given this diversity of topics and the scientific level of papers, we consider this book a valuable reference for researchers in the security and safety of systems

Vulnerability modelling for hybrid IT systems

Common vulnerability scoring system (CVSS) is an industry standard that can assess the vulnerability of nodes in traditional computer systems. The metrics computed by CVSS would determine critical nodes and attack paths. However, traditional IT security models would not fit IoT embedded networks due to distinct nature and unique characteristics of IoT systems. This paper analyses the application of CVSS for IoT embedded systems and proposes an improved vulnerability scoring system based on CVSS v3 framework. The proposed framework, named CVSSIoT, is applied to a realistic IT supply chain system and the results are compared with the actual vulnerabilities from the national vulnerability database. The comparison result validates the proposed model. CVSSIoT is not only effective, simple and capable of vulnerability evaluation for traditional IT system, but also exploits unique characteristics of IoT devices.Proceedings of the IEEE International Conference on Industrial Technolog

Near-Real Time, Semi-Automated Threat Assessment of Information Environments

Threat assessment is a crucial process for monitoring and defending against potential threats in an organization’s information environment and business operations. Ensuring the security of information infrastructure requires effective information security practices. However, existing models and methodologies often fall short of addressing the dynamic and evolving nature of cyberattacks. Moreover, critical threat intelligence extracted from the threat agents lacks the ability to capture essential attributes such as motivation, opportunity, and capability (M, O, C). This contribution to knowledge clarification introduces a semi-automatic threat assessment model that can handle situational awareness data or live acquired data stream from networks, incorporating information security techniques, protocols, and real-time monitoring of specific network types. Additionally, it focuses on analysing and implementing network traffic within a specific real-time information environment. To develop the semi-automatic threat assessment model, the study identifies unique attributes of threat agents by analysing Packet Capture Application Programming Interface (PCAP) files and data stream collected between 2012 and 2019. The study utilizes both hypothetical and real-world examples of threat agents to evaluate the three key factors: motivation, opportunity, and capability. This evaluation serves as a basis for designing threat profiles, critical threat intelligence, and assessing the complexity of process. These aspects are currently overlooked in existing threat agent taxonomies, models, and methodologies. By addressing the limitations of traditional threat assessment approaches, this research contributes to advancing the field of cybersecurity. The proposed semi-automatic threat assessment model offers improved awareness and timely detection of threats, providing organizations with a more robust defence against evolving cyberattacks. This research enhances the understanding of threat agents’ attributes and assists in developing proactive strategies to mitigate the risks associated with cybersecurity in the modern information environment

QR-SACP: Quantitative Risk-based Situational Awareness Calculation and Projection through Threat Information Sharing

When a threat is observed, one of the most important challenges is to choose the most appropriate and adequate timely decisions in response to the current and near future situation in order to have the least consequences and costs. Making the appropriate and sufficient decisions requires knowing what situations the threat has engendered or may engender. In this paper, we propose a quantitative risk-based method called QR-SACP to calculate and project situational awareness in a network based on threat information sharing. In this method, we investigate a threat from different aspects and evaluate the threat's effects through dependency weight among a network's services. We calculate the definite effect of a threat on a service and the cascading propagation of the threat's definite effect on other dependent services to that service. In addition, we project the probability of a threat propagation or recurrence of the threat in other network services in three ways: procedurally, network connections and similar infrastructure or services. Experimental results demonstrate that the QR-SACP method can calculate and project definite and probable threats' effects across the entire network and reveal more details about the threat's current and near future situations.Comment: 20 pages, 11 figure

Measuring the accuracy of software vulnerability assessments: experiments with students and professionals

Assessing the risks of software vulnerabilities is a key process of software development and security management. This assessment requires to consider multiple factors (technical features, operational environment, involved assets, status of the vulnerability lifecycle, etc.) and may depend from the assessor's knowledge and skills. In this work, we tackle with an important part of this problem by measuring the accuracy of technical vulnerability assessments by assessors with dierent level and type of knowledge. We report an experiment to compare how accurately students with dierent technical education and security professionals are able to assess the severity of software vulnerabilities with the Common Vulnerability Scoring System (v3) industry methodology. Our results could be useful for increasing awareness about the intrinsic subtleties of vulnerability risk assessment and possibly better compliance with regulations. With respect to academic education, professional training and human resources selections our work suggests that measuring the effects of knowledge and expertise on the accuracy of software security assessments is feasible albeit not easy

DAG-Based Attack and Defense Modeling: Don't Miss the Forest for the Attack Trees

This paper presents the current state of the art on attack and defense modeling approaches that are based on directed acyclic graphs (DAGs). DAGs allow for a hierarchical decomposition of complex scenarios into simple, easily understandable and quantifiable actions. Methods based on threat trees and Bayesian networks are two well-known approaches to security modeling. However there exist more than 30 DAG-based methodologies, each having different features and goals. The objective of this survey is to present a complete overview of graphical attack and defense modeling techniques based on DAGs. This consists of summarizing the existing methodologies, comparing their features and proposing a taxonomy of the described formalisms. This article also supports the selection of an adequate modeling technique depending on user requirements

Survey of Attack Projection, Prediction, and Forecasting in Cyber Security

This paper provides a survey of prediction, and forecasting methods used in cyber security. Four main tasks are discussed first, attack projection and intention recognition, in which there is a need to predict the next move or the intentions of the attacker, intrusion prediction, in which there is a need to predict upcoming cyber attacks, and network security situation forecasting, in which we project cybersecurity situation in the whole network. Methods and approaches for addressing these tasks often share the theoretical background and are often complementary. In this survey, both methods based on discrete models, such as attack graphs, Bayesian networks, and Markov models, and continuous models, such as time series and grey models, are surveyed, compared, and contrasted. We further discuss machine learning and data mining approaches, that have gained a lot of attention recently and appears promising for such a constantly changing environment, which is cyber security. The survey also focuses on the practical usability of the methods and problems related to their evaluation