184 research outputs found

    Security in remote monitoring devices in critical areas

    Integrated master's dissertation in Engineering and Management of Information Systems.
    The use of Information Technologies has grown exponentially over the past years affecting many critical sectors from the industrial to the financial, energy, and health sectors. The ability to track and remotely monitor people and objects in real-time is one of the changes made possible by Information Technologies. Although those Information Technologies innovations sprang several significant advantages for people and organizations, there are also some security and privacy concerns regarding the monitoring of people, objects, and processes in critical areas. Every day new and more effective cyberattacks are discovered which steal sensitive information from their holders and affect people and organizations. Computational power is increasing and organizations are emerging whose main objective is to profit from the sale of the stolen information assets. These attacks can impact critical areas, such as health and energy; they may even jeopardize the physical integrity of individuals. In Healthcare, a Critical Area, the number of Remote Patient Monitoring Devices Systems is increasing, and the number of patients using them increases as well. At the same time, new security vulnerabilities have been identified on high technological medical devices. People's privacy is also being called into question. Several privacy gaps have forced governments to take action with the main objective of safeguarding the privacy of their citizens, as was the case with the much-discussed General Data Protection Regulation of the European Union. Standards and Frameworks play an important role in the improvement of security. In this scientific work, a proposal of a sector-specific Security Framework that can be applied to Remote Patient Monitoring Devices Systems to improve their overall security was developed and validated. That framework is based on the best widely spread Security Standards and Frameworks. The Framework defines 30 requirements divided into 5 assets. Each requirement has one or more functions, in a total of 4 available. 8 implementation groups were also defined. To validate the Framework, a Remote Patient Monitoring Device System Simulator was developed, composed of a Micro-controller NodeMCU with an ESP8266 Wi-Fi chip connected to a Heart Rate Analog Sensor, and an Interface. When applied to the Framework, the developed simulator obtained a score of 9 in 29 available requirements for that implementation group device. The selected research method used to guide this scientific research was the Design Science Research.
    The use of Information Technologies has grown exponentially over recent years, affecting several critical sectors ranging from industry through the financial and energy sectors to healthcare. The ability to track and remotely monitor people and objects in real time is one of the changes enabled by Information Technologies. Although these Information Technology innovations bring a set of significant advantages for people and organizations, they also raise some security and privacy concerns regarding the monitoring of people, objects, and processes in critical areas. Every day, new and more effective cyberattacks on people and organizations are identified and described, aimed at stealing information that is sensitive for its holders. Computational power is growing, and organizations are emerging whose main objective is to profit from the sale of stolen information assets. These attacks can reach critical areas such as the health and energy sectors, and may even endanger the physical integrity of people. In healthcare, a critical area, the number of Remote Monitoring Device Systems is growing, as is the number of patients who use them. At the same time, new security vulnerabilities have been identified in highly technological medical devices. People's privacy is also being compromised. Several privacy failures have been observed, which forced governments to take measures with the main objective of safeguarding the privacy of their citizens, as was the case with the much-discussed General Data Protection Regulation of the European Union. Standards and Frameworks play an important role in improving security. In this research work, a proposal for a Security Framework specific to the health sector was developed and validated; it can be applied to Remote Monitoring Device Systems with the aim of increasing their security. This Framework is based on the best and most widely used Frameworks and Standards. The Framework defines 30 requirements divided into 5 assets. Each requirement has one or more functions, out of a total of 4. 8 implementation groups were also defined. To validate the Framework, a Simulator was developed, composed of a NodeMCU microcontroller with an ESP8266 Wi-Fi chip connected to an Analog Heart Rate Sensor. When applied to the Framework, the simulator obtained a score of 9 out of 29 requirements available for that implementation group. The research methodology selected to guide this project was Design Science Research.

    Towards Standardisation Measures to Support the Security of Control and Real-Time Systems for Energy Critical Infrastructures

    This report outlines the context for control and real time systems vulnerability in the energy sector, their role in energy critical infrastructures and their emerging vulnerabilities as they were put in light by some recent episodes. Then it provides a survey on the current efforts to set up reference frameworks addressing the broad issue of supervisory and control systems security. It discusses the role of standards and outlines the reference approaches in that respect. The current attitude of Europe towards the issue of control systems security is discussed and compared with the US situation, based on a stakeholder consultation, and gaps and challenges are outlined. A set of recommendations for policy measures to address the issue is given.
    JRC.DG.G.6-Security technology assessment

    Towards trustworthy end-to-end communication in industry 4.0

    Industry 4.0 considers integration of IT and control systems with physical objects, software, sensors and connectivity in order to optimize manufacturing processes. It provides advanced functionalities in control and communication for an infrastructure that handles multiple tasks in various locations automatically. Automatic actions require information from trustworthy sources. Thus, this work is focused on how to ensure trustworthy communication from the edge devices to the backend infrastructure. We derive a meta-model based on RAMI 4.0, which is used to describe an end-to-end communication use case for an Industry 4.0 application scenario and to identify dependabilities in case of security challenges. Furthermore, we evaluate secure messaging protocols and the integration of Trusted Platform Module (TPM) as a root of trust for data exchange. We define a set of representative measurable indicator points based on existing standards and use them for automated dependability detection within the whole system.

    The economics of assurance activities

    A Framework for Understanding, Prioritizing, and Applying Systems Security Engineering Processes, Activities, and Tasks

    Current systems security practices lack an effective approach to prioritize and tailor systems security efforts to develop and field secure systems in challenging operational environments, which results in business and mission stakeholders becoming more susceptible to an array of disruptive events. This work informs Systems Engineers on recent developments in the field of system security engineering and provides a framework for more fully understanding the application of Systems Security Engineering (SSE) processes, activities, and tasks as described in the recently released National Institute of Standards and Technology (NIST) Special Publication 800-160. This SSE framework uniquely offers a repeatable and tailorable methodology that allows system developers to focus on high Return-on-Investment (RoI) SSE processes, activities, and tasks to more efficiently meet stakeholder protection needs and deliver trustworthy secure systems

    The simulated security assessment ecosystem: Does penetration testing need standardisation?

    Simulated security assessments (a collective term used here for penetration testing, vulnerability assessment, and related nomenclature) may need standardisation, but not in the commonly assumed manner of practical assessment methodologies. Instead, this study highlights market failures within the providing industry at the beginning and ending of engagements, which has left clients receiving ambiguous and inconsistent services. It is here, at the prior and subsequent phases of practical assessments, that standardisation may serve the continuing professionalisation of the industry, and provide benefits not only to clients but also to the practitioners involved in the provision of these services. These findings are based on the results of 54 stakeholder interviews with providers of services, clients, and coordinating bodies within the industry. The paper culminates with a framework for future advancement of the ecosystem, which includes three recommendations for standardisation

    EISMF

    Thesis (S.M. in Engineering and Management)--Massachusetts Institute of Technology, Engineering Systems Division, System Design and Management Program, 2011. Cataloged from PDF version of thesis. Includes bibliographical references (p. 124-130).
    There are several technological solutions available in the market to help organizations with information security breach detection and prevention such as intrusion detection and prevention systems, antivirus software, firewalls, and spam filters. There is no doubt in the fact that significant progress has been made in the technological side of information security. However, when we study causes of information security breaches, we find that a significant number are caused by non-technical reasons such as social engineering, theft of computing device or portable hard drive, human behavior, and human error. This leads us to conclude that information security should not be viewed through technology perspective only. Instead, a more holistic approach is required. This thesis provides a systems approach towards information security management and includes technological, management and social aspects. This thesis starts with introduction especially background and motivation of the author, followed by literature research. Next, Enterprise Information Security Management Framework is presented leading to estimation of an organization's information security management maturity-level. Finally, conclusion and potential future work are presented.
    by Dhirendra Sharma. S.M. in Engineering and Management