A Dynamic Cyber Security Situational Awareness Framework for Healthcare ICT Infrastructures

The healthcare sectors have experienced a massive technical evolution over the past decade by integration of medical devices with IT at both physical and cyber level for a critical Health Care Information Infrastructure (HCII). HCII provides huge benefits for the health care service delivery but evolving digital interconnectivity among medical and IT devices has also changed the threat landscape. In particular, systems are now more exposed to the cyber-attacks due to sensitivity and criticality of patient health care information and accessibility of medical devices and this pose any potential disruption of healthcare service delivery. There is a need to enhance security and resilience of HCII. In this paper, we present a Cyber Security Situational Awareness Framework that aims to improve the security and resilience of the overall HCII. The framework aims to develop a novel dynamic Situational Awareness approach on the health care ecosystem. We consider bio inspired Swarm Intelligence and its inherent features with the main principles of the Risk and Privacy assessment and management and Incident handling to ensure security and resilience of healthcare service delivery

Cyber-Physical Threat Intelligence for Critical Infrastructures Security

Modern critical infrastructures can be considered as large scale Cyber Physical Systems (CPS). Therefore, when designing, implementing, and operating systems for Critical Infrastructure Protection (CIP), the boundaries between physical security and cybersecurity are blurred. Emerging systems for Critical Infrastructures Security and Protection must therefore consider integrated approaches that emphasize the interplay between cybersecurity and physical security techniques. Hence, there is a need for a new type of integrated security intelligence i.e., Cyber-Physical Threat Intelligence (CPTI). This book presents novel solutions for integrated Cyber-Physical Threat Intelligence for infrastructures in various sectors, such as Industrial Sites and Plants, Air Transport, Gas, Healthcare, and Finance. The solutions rely on novel methods and technologies, such as integrated modelling for cyber-physical systems, novel reliance indicators, and data driven approaches including BigData analytics and Artificial Intelligence (AI). Some of the presented approaches are sector agnostic i.e., applicable to different sectors with a fair customization effort. Nevertheless, the book presents also peculiar challenges of specific sectors and how they can be addressed. The presented solutions consider the European policy context for Security, Cyber security, and Critical Infrastructure protection, as laid out by the European Commission (EC) to support its Member States to protect and ensure the resilience of their critical infrastructures. Most of the co-authors and contributors are from European Research and Technology Organizations, as well as from European Critical Infrastructure Operators. Hence, the presented solutions respect the European approach to CIP, as reflected in the pillars of the European policy framework. The latter includes for example the Directive on security of network and information systems (NIS Directive), the Directive on protecting European Critical Infrastructures, the General Data Protection Regulation (GDPR), and the Cybersecurity Act Regulation. The sector specific solutions that are described in the book have been developed and validated in the scope of several European Commission (EC) co-funded projects on Critical Infrastructure Protection (CIP), which focus on the listed sectors. Overall, the book illustrates a rich set of systems, technologies, and applications that critical infrastructure operators could consult to shape their future strategies. It also provides a catalogue of CPTI case studies in different sectors, which could be useful for security consultants and practitioners as well

Cyber-Physical Threat Intelligence for Critical Infrastructures Security

Modern critical infrastructures can be considered as large scale Cyber Physical Systems (CPS). Therefore, when designing, implementing, and operating systems for Critical Infrastructure Protection (CIP), the boundaries between physical security and cybersecurity are blurred. Emerging systems for Critical Infrastructures Security and Protection must therefore consider integrated approaches that emphasize the interplay between cybersecurity and physical security techniques. Hence, there is a need for a new type of integrated security intelligence i.e., Cyber-Physical Threat Intelligence (CPTI). This book presents novel solutions for integrated Cyber-Physical Threat Intelligence for infrastructures in various sectors, such as Industrial Sites and Plants, Air Transport, Gas, Healthcare, and Finance. The solutions rely on novel methods and technologies, such as integrated modelling for cyber-physical systems, novel reliance indicators, and data driven approaches including BigData analytics and Artificial Intelligence (AI). Some of the presented approaches are sector agnostic i.e., applicable to different sectors with a fair customization effort. Nevertheless, the book presents also peculiar challenges of specific sectors and how they can be addressed. The presented solutions consider the European policy context for Security, Cyber security, and Critical Infrastructure protection, as laid out by the European Commission (EC) to support its Member States to protect and ensure the resilience of their critical infrastructures. Most of the co-authors and contributors are from European Research and Technology Organizations, as well as from European Critical Infrastructure Operators. Hence, the presented solutions respect the European approach to CIP, as reflected in the pillars of the European policy framework. The latter includes for example the Directive on security of network and information systems (NIS Directive), the Directive on protecting European Critical Infrastructures, the General Data Protection Regulation (GDPR), and the Cybersecurity Act Regulation. The sector specific solutions that are described in the book have been developed and validated in the scope of several European Commission (EC) co-funded projects on Critical Infrastructure Protection (CIP), which focus on the listed sectors. Overall, the book illustrates a rich set of systems, technologies, and applications that critical infrastructure operators could consult to shape their future strategies. It also provides a catalogue of CPTI case studies in different sectors, which could be useful for security consultants and practitioners as well

Mission Assurance: A Review of Continuity of Operations Guidance for Application to Cyber Incident Mission Impact Assessment (CIMIA)

Military organizations have embedded information technology (IT) into their core mission processes as a means to increase operational efficiency, improve decision-making quality, and shorten the sensor-to-shooter cycle. This IT-to-mission dependence can place the organizational mission at risk when an information incident (e.g., the loss or manipulation of a critical information resource) occurs. Non-military organizations typically address this type of IT risk through an introspective, enterprise-wide focused risk management program that continuously identifies, prioritizes, and documents risks so an economical set of control measures (e.g., people, processes, technology) can be selected to mitigate the risks to an acceptable level. The explicit valuation of information resources in terms of their ability to support the organizational mission objectives provides transparency and enables the creation of a continuity of operations plan and an incident recovery plan. While this type of planning has proven successful in static environments, military missions often involve dynamically changing, time-sensitive, complex, coordinated operations involving multiple organizational entities. As a consequence, risk mitigation efforts tend to be localized to each organizational entity making the enterprise-wide risk management approach to mission assurance infeasible. This thesis investigates the concept of mission assurance and presents a content analysis of existing continuity of operations elements within military and non-military guidance to assess the current policy landscape to highlight best practices and identify policy gaps in an effort to further enhance mission assurance by improving the timeliness and relevance of notification following an information incident

Automating Security Risk and Requirements Management for Cyber-Physical Systems

Cyber-physische Systeme ermöglichen zahlreiche moderne Anwendungsfälle und Geschäftsmodelle wie vernetzte Fahrzeuge, das intelligente Stromnetz (Smart Grid) oder das industrielle Internet der Dinge. Ihre Schlüsselmerkmale Komplexität, Heterogenität und Langlebigkeit machen den langfristigen Schutz dieser Systeme zu einer anspruchsvollen, aber unverzichtbaren Aufgabe. In der physischen Welt stellen die Gesetze der Physik einen festen Rahmen für Risiken und deren Behandlung dar. Im Cyberspace gibt es dagegen keine vergleichbare Konstante, die der Erosion von Sicherheitsmerkmalen entgegenwirkt. Hierdurch können sich bestehende Sicherheitsrisiken laufend ändern und neue entstehen. Um Schäden durch böswillige Handlungen zu verhindern, ist es notwendig, hohe und unbekannte Risiken frühzeitig zu erkennen und ihnen angemessen zu begegnen. Die Berücksichtigung der zahlreichen dynamischen sicherheitsrelevanten Faktoren erfordert einen neuen Automatisierungsgrad im Management von Sicherheitsrisiken und -anforderungen, der über den aktuellen Stand der Wissenschaft und Technik hinausgeht. Nur so kann langfristig ein angemessenes, umfassendes und konsistentes Sicherheitsniveau erreicht werden. Diese Arbeit adressiert den dringenden Bedarf an einer Automatisierungsmethodik bei der Analyse von Sicherheitsrisiken sowie der Erzeugung und dem Management von Sicherheitsanforderungen für Cyber-physische Systeme. Das dazu vorgestellte Rahmenwerk umfasst drei Komponenten: (1) eine modelbasierte Methodik zur Ermittlung und Bewertung von Sicherheitsrisiken; (2) Methoden zur Vereinheitlichung, Ableitung und Verwaltung von Sicherheitsanforderungen sowie (3) eine Reihe von Werkzeugen und Verfahren zur Erkennung und Reaktion auf sicherheitsrelevante Situationen. Der Schutzbedarf und die angemessene Stringenz werden durch die Sicherheitsrisikobewertung mit Hilfe von Graphen und einer sicherheitsspezifischen Modellierung ermittelt und bewertet. Basierend auf dem Modell und den bewerteten Risiken werden anschließend fundierte Sicherheitsanforderungen zum Schutz des Gesamtsystems und seiner Funktionalität systematisch abgeleitet und in einer einheitlichen, maschinenlesbaren Struktur formuliert. Diese maschinenlesbare Struktur ermöglicht es, Sicherheitsanforderungen automatisiert entlang der Lieferkette zu propagieren. Ebenso ermöglicht sie den effizienten Abgleich der vorhandenen Fähigkeiten mit externen Sicherheitsanforderungen aus Vorschriften, Prozessen und von Geschäftspartnern. Trotz aller getroffenen Maßnahmen verbleibt immer ein gewisses Restrisiko einer Kompromittierung, worauf angemessen reagiert werden muss. Dieses Restrisiko wird durch Werkzeuge und Prozesse adressiert, die sowohl die lokale und als auch die großräumige Erkennung, Klassifizierung und Korrelation von Vorfällen verbessern. Die Integration der Erkenntnisse aus solchen Vorfällen in das Modell führt häufig zu aktualisierten Bewertungen, neuen Anforderungen und verbessert weitere Analysen. Abschließend wird das vorgestellte Rahmenwerk anhand eines aktuellen Anwendungsfalls aus dem Automobilbereich demonstriert.Cyber-Physical Systems enable various modern use cases and business models such as connected vehicles, the Smart (power) Grid, or the Industrial Internet of Things. Their key characteristics, complexity, heterogeneity, and longevity make the long-term protection of these systems a demanding but indispensable task. In the physical world, the laws of physics provide a constant scope for risks and their treatment. In cyberspace, on the other hand, there is no such constant to counteract the erosion of security features. As a result, existing security risks can constantly change and new ones can arise. To prevent damage caused by malicious acts, it is necessary to identify high and unknown risks early and counter them appropriately. Considering the numerous dynamic security-relevant factors requires a new level of automation in the management of security risks and requirements, which goes beyond the current state of the art. Only in this way can an appropriate, comprehensive, and consistent level of security be achieved in the long term. This work addresses the pressing lack of an automation methodology for the security-risk assessment as well as the generation and management of security requirements for Cyber-Physical Systems. The presented framework accordingly comprises three components: (1) a model-based security risk assessment methodology, (2) methods to unify, deduce and manage security requirements, and (3) a set of tools and procedures to detect and respond to security-relevant situations. The need for protection and the appropriate rigor are determined and evaluated by the security risk assessment using graphs and a security-specific modeling. Based on the model and the assessed risks, well-founded security requirements for protecting the overall system and its functionality are systematically derived and formulated in a uniform, machine-readable structure. This machine-readable structure makes it possible to propagate security requirements automatically along the supply chain. Furthermore, they enable the efficient reconciliation of present capabilities with external security requirements from regulations, processes, and business partners. Despite all measures taken, there is always a slight risk of compromise, which requires an appropriate response. This residual risk is addressed by tools and processes that improve the local and large-scale detection, classification, and correlation of incidents. Integrating the findings from such incidents into the model often leads to updated assessments, new requirements, and improves further analyses. Finally, the presented framework is demonstrated by a recent application example from the automotive domain

Enhancing Navigator Competence by Demonstrating Maritime Cyber Security

publishedVersio

A Shared Cybersecurity Awareness Platform, Journal of Telecommunications and Information Technology, 2021, nr 3

Ensuring a good level of cybersecurity of global IT systems requires that specific procedures and cooperation frameworks be adopted for reporting threats and for coordinating the activities undertaken by individual entities. Technical infrastructure enabling safe and reliable online collaboration between all teams responsible for security is an important element of the system as well. With the above taken into consideration, the paper presents a comprehensive distributed solution for continuous monitoring and detection of threats that may affect services that provision is essential to security and broadly understood the state’s economic interests. The said solution allows to collect, process and share distributed knowledge on hazard events. The partnership-based model of cooperation between the system’s users allows the teams to undertake specific activities at the central level, facilitates global cyber threat awareness, and enhances the process of predicting and assessing cyber risks in order to ensure a near-realtime response. The paper presents an overview of the system’s architecture, its main components, features, and threat intelligence tools supporting the safe sharing of information concerning specific events. It also offers a brief overview of the system’s deployment and its testing in an operational environment of NASK’s Computer Security Incident Response Team (CSIRT) and Security Operation Center (SOC) of essential services operator

A Dynamic Framework Enhancing Situational Awareness in Cybersecurity SOC—IR

Organizations today face a significant challenge in protecting their valuable IT assets. Cyber criminals unlimited to physical boundaries are able to disrupt and destroy cyber infrastructure, deny organizations access to IT services and steal sensitive data. With the purpose of employing socio-technical systems to detect, analyze and respond to these threats, enterprises organize security operations centres at the heart of their entities. As the environment constantly shifts (i.e., in 2020 the corona virus triggered a digital upheaval creating new attack surfaces; today the Ukrainian war have triggered cyber-conflict) the dependency on these systems increases the need for situational awareness. Essentially, having the capability to gather relevant information from the environment, the means to understand the gathered information, and reflecting that gained understanding for the current environment. This exploratory study examines how such capabilities are operationalized in leading Managed security service providers (MSSPs) providing cybersecurity operations and incident response, and looks at how situation awareness knowledge is constructed through the organizational levels of the enterprise detection & response. In this context, situational awareness span over different levels in the organization starting from team personnel, ending at top management. Thus, providing situational awareness at the different organizational levels is considered a complex process involving various sources of information, different levels of perspective, and different interpretations which trigger a complex set of decision-making processes. To explore this, we constructed a theory-informed narrative using a theoretical lens that resulted in the formulation of a conceptual framework. Thus, through interviews with practitioners from across the organizational levels of two leading MSSPs; parallel to inquiring about general aspects surrounding the subject of enterprise response, the conceptual frame-work was validated. The interview responses were then coded using categorization. The analysis informed the development of the conceptual framework, and so the framework was adjusted to account for the findings. Through interpretation of empirical evidence, the result is a final validated framework which models how cybersecurity operations are operationalized in the enterprise detection & response of leading MSSPs. With emphasis on situation awareness, the framework shows how technology, people and processes either support or engage in the perception, comprehension and projection of situation awareness knowledge in order to make informed decisions. Consequently, the framework takes into account the activities held post-incident to reflect upon the response, which we argue allows for the construction of team situation awareness. Our work contributes to situation awareness theory in the context of cybersecurity operations and incident response by advancing the understanding of the organizational capabilities of MSSPs to develop awareness of the cyber-threat landscape and the broader operational dynamics. By introducing the dynamic framework enhancing situation awareness in cybersecurity SOC—IR we expand on the models of Endsley (1995) and Ahmad et al. (2021) by combining elements of existing work with empirical findings to reflect best practices applied in MSSPs

A Dynamic Framework Enhancing Situational Awareness in Cybersecurity SOC—IR

Organizations today face a significant challenge in protecting their valuable IT assets. Cyber criminals unlimited to physical boundaries are able to disrupt and destroy cyber infrastructure, deny organizations access to IT services and steal sensitive data. With the purpose of employing socio-technical systems to detect, analyze and respond to these threats, enterprises organize security operations centres at the heart of their entities. As the environment constantly shifts (i.e., in 2020 the corona virus triggered a digital upheaval creating new attack surfaces; today the Ukrainian war have triggered cyber-conflict) the dependency on these systems increases the need for situational awareness. Essentially, having the capability to gather relevant information from the environment, the means to understand the gathered information, and reflecting that gained understanding for the current environment.This exploratory study examines how such capabilities are operationalized in leading Managed security service providers (MSSPs) providing cybersecurity operations and incident response, and looks at how situation awareness knowledge is constructed through the organizational levels of the enterprise detection & response. In this context, situational awareness span over different levels in the organization starting from team personnel, ending at top management. Thus, providing situational awareness at the different organizational levels is considered a complex process involving various sources of information, different levels of perspective, and different interpretations which trigger a complex set of decision-making processes. To explore this, we constructed a theory-informed narrative using a theoretical lens that resulted in the formulation of a conceptual framework. Thus, through interviews with practitioners from across the organizational levels of two leading MSSPs; parallel to inquiring about general aspects surrounding the subject of enterprise response, the conceptual framework was validated. The interview responses were then coded using categorization. The analysis informed the development of the conceptual framework, and so the framework was adjusted to account for the findings. Through interpretation of empirical evidence, the result is a final validated framework which models how cybersecurity operations are operationalized in the enterprise detection & response of leading MSSPs. With emphasis on situation awareness, the framework shows how technology, people and processes either support or engage in the perception, comprehension and projection of situation awareness knowledge in order to make informed decisions. Consequently, the framework takes into account the activities held post-incident to reflect upon the response, which we argue allows for the construction of team situation awareness. Our work contributes to situation awareness theory in the context of cybersecurity operations and incident response by advancing the understanding of the organizational capabilities of MSSPs to develop awareness of the cyber-threat landscape and the broader operational dynamics. By introducing the dynamic framework enhancing situation awareness in cybersecurity SOC—IR we expand on the models of Endsley (1995) and Ahmad et al. (2021) by combining elements of existing work with empirical findings to reflect best practices applied in MSSPs

Establishing cyber situational awareness in industrial control systems

The cyber threat to industrial control systems is an acknowledged security issue, but a qualified dataset to quantify the risk remains largely unavailable. Senior executives of facilities that operate these systems face competing requirements for investment budgets, but without an understanding of the nature of the threat cyber security may not be a high priority. Operational managers and cyber incident responders at these facilities face a similarly complex situation. They must plan for the defence of critical systems, often unfamiliar to IT security professionals, from potentially capable, adaptable and covert antagonists who will actively attempt to evade detection. The scope of the challenge requires a coherent, enterprise-level awareness of the threat, such that organisations can assess their operational priorities, plan their defensive posture, and rehearse their responses prior to such an attack. This thesis proposes a novel combination of concepts found in risk assessment, intrusion detection, education, exercising, safety and process models, fused with experiential learning through serious games. It progressively builds a common set of shared mental models across an ICS operation to frame the nature of the adversary and establish enterprise situational awareness that permeates through all levels of teams involved in addressing the threat. This is underpinned by a set of coping strategies that identifies probable targets for advanced threat actors, proactively determining antagonistic courses of actions to derive an appropriate response strategy