794 research outputs found

    Chapter 8 ENHANCING THE SAFETY, SECURITY AND RESILIENCE OF ICT AND SCADA SYSTEMS USING ACTION RESEARCH

    Abstract: This paper discusses the results of a questionnaire-based survey used to assess the safety, security and resilience of information and communications technology (ICT) and supervisory control and data acquisition (SCADA) systems used in the Norwegian oil and gas industry. The survey identifies several challenges, including the involvement of professionals with different backgrounds and expertise, lack of common risk perceptions, inadequate testing and integration of ICT and SCADA systems, poor information sharing related to undesirable incidents and lack of resilience in the design of technical systems. Action research is proposed as a process for addressing these challenges in a systematic manner and helping enhance the safety, security and resilience of ICT and SCADA systems used in oil and gas operations

    Reviewing qualitative research approaches in the context of critical infrastructure resilience

    Modern societies are increasingly dependent on the proper functioning of critical infrastructures (CIs). CIs produce and distribute essential goods or services, as for power transmission systems, water treatment and distribution infrastructures, transportation systems, communication networks, nuclear power plants, and information technologies. Being resilient becomes a key property for CIs, which are constantly exposed to threats that can undermine safety, security, and business continuity. Nowadays, a variety of approaches exist in the context of CIs’ resilience research. This paper provides a state-of-the-art review on the approaches that have a complete qualitative dimension, or that can be used as entry points for semi-quantitative analyses. The study aims to uncover the usage of qualitative research methods through a systematic review based on PRISMA (Preferred Reporting Items for Systematic Reviews and Meta-Analyses). The paper identifies four principal dimensions of resilience referred to CIs (i.e., techno-centric, organisational, community, and urban) and discusses the related qualitative methods. Besides many studies being focused on energy and transportation systems, the literature review allows to observe that interviews and questionnaires are most frequently used to gather qualitative data, besides a high percentage of mixed-method research. The article aims to provide a synthesis of literature on qualitative methods used for resilience research in the domain of CIs, detailing lessons learned from such approaches to shed lights on best practices and identify possible future research directions

    A Conceptual Model for the Development of a National Cybersecurity Index: An Integrated Framework

    As ICT and cyberspace become sources of impressive innovation, the reliance of organizations, governments, and people on them will increase. However, with this vast reliance, hazardous vulnerabilities have emerged. These vulnerabilities may be exploited, resulting in information and cybersecurity issues at the national as well as the international levels. Cybersecurity is critical for sustaining resilience in critical infrastructures (CI) as well as information infrastructures (CII). Accordingly, cybersecurity should be incorporated into the economic and national security model of a nation. With this in mind, a cybersecurity index is a necessary tool to compare the performance of nations in terms of cybersecurity initiatives, and in articulating effective cybersecurity policies and strategies. This paper proposes a holistic framework for building a cybersecurity index taking into consideration the technological, legal, economic, cultural, and international relations factors pertinent to countries and paves the way for cybersecurity measures and metrics to be established and tested

    Electric System Vulnerabilities: a State of the Art of Defense Technologies

    Vulnerability of the European electrical infrastructure appears to be growing due to several factors:
    - demand is always growing, and, although this growth may be forecast, it cannot be anytime easily faced;
    - transactions increase, following electrical system liberalisation, and this involves operating the whole infrastructure closer to the system capacity and security limits;
    - an increased control systems complexity, required for secure system operation, may in turn raise system vulnerability, due both to accidental faults and malicious attacks;
    - critical infrastructures, and the electrical system primarily, are well known to be a privileged target in warfare, as well as terrorist attacks.
    In recent years, both Europe and America have experienced a significant number of huge blackouts, whose frequency and impact looks progressively growing. These events had common roots in the fact that current risk assessment methodologies and current system controls appear to be no longer adequate. Beyond the growing complexity of the electrical system as a whole, two main reasons can be listed:
    - system analysis procedures based on these methodologies did not identify security threats emerging from failures of critical physical components;
    - on-line controls were not able to avoid system collapse.
    This report provides a state-of-the-art of the technology on both regards:
    - as far as risk assessment methodologies are concerned, an overview of the conceptual power system reliability framework is provided, and the current N-1 principle for risk assessment in power systems is introduced, together with off-the-shelf enforcement methodologies, like optimal power flow. Emerging methodologies for dynamic security assessment are also discussed. The power system reliability approach is compared with the global approach to dependability introduced by computer scientists, and the conceptual clashes pointed out. Ways ahead to conciliate both views are outlined.
    - concerning power system controls, the report overviews the existing defense plans, making specific reference to the current Italian situation. The two major recent blackout events in the American North East and Italy are analysed, and the drawbacks of the existing arrangements and the installed control systems are discussed. Emerging technologies, such as phasor measurement units and wide area protection are introduced. Their likely impact on the existing control room is discussed. Finally, potential cyber vulnerabilities of the new control systems are introduced, the role of communication standards in that context is discussed, and an overview of the current state of the art is presented.
    JRC.G.6-Sensors, radar technologies and cybersecurit

    Cyber-Physical Threat Intelligence for Critical Infrastructures Security

    Modern critical infrastructures can be considered as large scale Cyber Physical Systems (CPS). Therefore, when designing, implementing, and operating systems for Critical Infrastructure Protection (CIP), the boundaries between physical security and cybersecurity are blurred. Emerging systems for Critical Infrastructures Security and Protection must therefore consider integrated approaches that emphasize the interplay between cybersecurity and physical security techniques. Hence, there is a need for a new type of integrated security intelligence i.e., Cyber-Physical Threat Intelligence (CPTI). This book presents novel solutions for integrated Cyber-Physical Threat Intelligence for infrastructures in various sectors, such as Industrial Sites and Plants, Air Transport, Gas, Healthcare, and Finance. The solutions rely on novel methods and technologies, such as integrated modelling for cyber-physical systems, novel reliance indicators, and data driven approaches including BigData analytics and Artificial Intelligence (AI). Some of the presented approaches are sector agnostic i.e., applicable to different sectors with a fair customization effort. Nevertheless, the book presents also peculiar challenges of specific sectors and how they can be addressed. The presented solutions consider the European policy context for Security, Cyber security, and Critical Infrastructure protection, as laid out by the European Commission (EC) to support its Member States to protect and ensure the resilience of their critical infrastructures. Most of the co-authors and contributors are from European Research and Technology Organizations, as well as from European Critical Infrastructure Operators. Hence, the presented solutions respect the European approach to CIP, as reflected in the pillars of the European policy framework. 
The latter includes for example the Directive on security of network and information systems (NIS Directive), the Directive on protecting European Critical Infrastructures, the General Data Protection Regulation (GDPR), and the Cybersecurity Act Regulation. The sector specific solutions that are described in the book have been developed and validated in the scope of several European Commission (EC) co-funded projects on Critical Infrastructure Protection (CIP), which focus on the listed sectors. Overall, the book illustrates a rich set of systems, technologies, and applications that critical infrastructure operators could consult to shape their future strategies. It also provides a catalogue of CPTI case studies in different sectors, which could be useful for security consultants and practitioners as well

    Assessing the cyber-security status of the metropolitan municipalities in South Africa.

    Doctoral Degree. University of KwaZulu-Natal, Durban. The intention of this enquiry was to assess the status of cyber-security in the metropolitan municipalities in South Africa. The focus on this level of local government was driven by the fact that metropolitan municipalities are the economic hubs with a variety of industrial facilities and are the places with high population densities. The metropolitan municipalities have adopted information infrastructures to support the daily administrative processes and, equally important, to support the delivery of essential services such as the distribution of electricity and clean water to the local citizens and communities. Entrenched in the adoption of information infrastructures are the cyber ills which if left unattended could have devastating consequences on people and industrial facilities. Failures or interruptions to information infrastructures have cascading effects due to interconnectedness of these infrastructures. The study used the Constructivist Grounded Theory Methodology to explore the activities that are performed by the metropolitan municipalities with the intention to determine what needs to be in place to safeguard their information infrastructures from cyber ills. Cyber-security is a serious concern in all types of businesses that are largely supported by information infrastructures in pursuit of the business objectives. Information infrastructures are susceptible to cyber-security threats, which if left unattended can shut the municipality operations down with disastrous consequences. A substantive theory of integrated development cyber-security emerged from the Constructivist Grounded Theory Methodology processes of data collecting through comprehensive interviews, initial coding, focused coding, memoing, and theoretical coding. 
A municipal cyber-security conceptual framework was developed from the integrated development cyber-security theory constructs of integrated development cyber-security which are the core category, cyber-security governance category, cyber-security technical operations category, and human issues in cyber-security category. The conceptual framework was used to formulate the cyber-security status assessment survey questionnaire that was adopted as an instrument to assess the cyber-security status in the metropolitan municipalities. The cyber-security status assessment instrument was deployed in metropolitan municipalities, wherein data was collected and statistically analysed to test and confirm its validity. The assessment results were analysed and showed the as is posture of cyber-security, the gaps in the current implemented cyber-security controls were identified together with the risks associated with those gaps, corrective actions to address the identified deficiencies were identified and recommended/communicated to the management of relevant municipalities

    Cyber threats, harsh environment and the European High North (EHN) in a human security and multi-level regulatory global dimension: Which framework applicable to critical infrastructures under “Exceptionally critical infrastructure conditions” (ECIC)?

    Business opportunities in the European High North (EHN) are accompanied by the danger of cyber-threats, especially to critical infrastructures which in these Arctic regions become “extra critical” because of the harsh environmental climatic conditions and remoteness of distances. Critical infrastructures (CI) in the EHN are crucial for numerous sectors, such as the energy sector which is completely dependent on digitalization, internet and computers’ commands. Such a new condition of extra criticality should also include human security concerns to avoid human disasters. An effective legal framework under “exceptionally critically infrastructure conditions” (ECIC) for this technology is important not only in terms of national legislation, but also in view of a regional, international and global networks character. This paper links for the first time, law, internet and cybersecurity, environment and society in a global human security dimension in a multi-regulatory contextual analysis. The aim is to trace the legal framework for response to a cyber-attack to critical infrastructure in the energy sector and takes Norway as a case study because this country is highly dependent on cyber technology and on critical infrastructures. The question of research is: using a human security focus in the case of cyber-threats under ECIC in the EHN, what ways can an assessment recommend to improve international, and regional law? 
Five analytical tasks are undertaken: 1) the concept of critical infrastructure vulnerability to cyber-attacks under “exceptionally critically infrastructure conditions” (ECIC) in the EHN with focus on the energy sector is explained in connection to the notion of human security, 2) a backdrop of regional and international collaboration is followed, 3) a trajectory of multilevel contextual analysis of the different sources of law and policy applicable to cyber-threats to CI is outlined, and 4) an examination of cooperation under the North Atlantic Treaty Organization (NATO)

    ICT aspects of power systems and their security

    This report provides a deep description of four complex Attack Scenarios that have as final goal to produce damage to the Electric Power Transmission System. The details about protocols used, vulnerabilities, devices etc. have been for obvious reasons hidden, and the ones presented have to be understood as mere (even if realistic) simplified versions of possible power systems. JRC.DG.G.6-Security technology assessmen

    Multi-aspect rule-based AI: Methods, taxonomy, challenges and directions towards automation, intelligence and transparent cybersecurity modeling for critical infrastructures

    Critical infrastructure (CI) typically refers to the essential physical and virtual systems, assets, and services that are vital for the functioning and well-being of a society, economy, or nation. However, the rapid proliferation and dynamism of today's cyber threats in digital environments may disrupt CI functionalities, which would have a debilitating impact on public safety, economic stability, and national security. This has led to much interest in effective cybersecurity solutions regarding automation and intelligent decision-making, where AI-based modeling is potentially significant. In this paper, we take into account “Rule-based AI” rather than other black-box solutions since model transparency, i.e., human interpretation, explainability, and trustworthiness in decision-making, is an essential factor, particularly in cybersecurity application areas. This article provides an in-depth study on multi-aspect rule based AI modeling considering human interpretable decisions as well as security automation and intelligence for CI. We also provide a taxonomy of rule generation methods by taking into account not only knowledge-driven approaches based on human expertise but also data-driven approaches, i.e., extracting insights or useful knowledge from data, and their hybridization. This understanding can help security analysts and professionals comprehend how systems work, identify potential threats and anomalies, and make better decisions in various real-world application areas. We also cover how these techniques can address diverse cybersecurity concerns such as threat detection, mitigation, prediction, diagnosis for root cause findings, and so on in different CI sectors, such as energy, defence, transport, health, water, agriculture, etc. 
We conclude this paper with a list of identified issues and opportunities for future research, as well as their potential solution directions for how researchers and professionals might tackle future generation cybersecurity modeling in this emerging area of study