
    Water-Tight IoT–Just Add Security

    The security of IoT-based digital solutions is a critical concern in the adoption of Industry 4.0 technologies. These solutions are increasingly being used to support the interoperability of critical infrastructure, such as in the water and energy sectors, and their security is essential to ensure the continued reliability and integrity of these systems. However, as our research demonstrates, many digital solutions still lack basic security mechanisms and are vulnerable to attacks that can compromise their functionality. In this paper, we examine the security risks associated with IoT-based digital solutions for critical infrastructure in the water sector, and refer to a set of good practices for ensuring their security. In particular, we analyze the risks associated with digital solutions not directly connected with the IT system of a water utility. We show that they can still be leveraged by attackers to trick operators into making wrong operational decisions.

    Accelerating Cyber Security Improvements for Critical Infrastructure Industrial Control Systems

    This thesis study introduces operational concepts for accelerating necessary cyber security improvements for critical infrastructure industrial control systems. National critical infrastructures’ industrial control systems experienced a 20% annual increase in cyber incidents during fiscal year 2015 (DHS ICS-CERT, 2015). Industrial control systems are used in several critical infrastructure sectors to include energy, transportation, manufacturing, and water utilities. Critical infrastructures support public health and life safety, economic vitality, national defense, and overarching societal well-being. Significant damage or disruptions to a critical infrastructure could result in potentially catastrophic and cascading consequences. For example, a disruptive cyber-attack on a water utility would have life safety and health consequences when fire hydrants fail during a fire, and hospitals’ operations are impaired

    Cyber-physical security for ports infrastructure

    Taking advantage of the benefits associated with digital means has become a main priority for ports globally. The effective and smooth integration of Information Technology (IT) applications and those systems that support the conduct of operations (Operational Technology (OT) systems), along with the accurate “adjustment” of the human factor elements should be viewed as a very critical pillar for optimized safe and efficient operations in ports. The aforementioned assimilation characterizes cyber-physical systems and entails an extended number of IT and OT modules, systems and tasks involving various data transmission routes that are advancing in a technological and operational level alongside plausible cybersecurity threats. These cybersecurity risks, threats and vulnerabilities are depicted in this article to emphasize the progression of cyber-physical systems in the wider maritime industry and port domains, along with their rising cybersecurity vulnerabilities. Existing and applicable industry and government standards and mandates associated with cybersecurity attempt to impose regulatory compliance and increase asset cybersecurity integrity with reduced emphasis however, in the existing OT (Operational Technology) components and systems. The use of security risk assessment tools and processes that are used in other industrial sectors, such as the Security Risk Assessment (SRA) and the Bow Tie Analysis methods, can support the evaluation of IT/OT infrastructure for cyber-physical security susceptibilities and then assign suitable reactive measures. The implementation of cybersecurity safeguards that arise through the implementation of the MITRE ATT&CK Threat Model can enhance the cybersecurity posture of those assets that support the logistics chain, assuming that they are intermittently adapted following evaluations for their effectiveness and suitability. Finally, the improvement of stakeholder communication and cyber-awareness along with the increase in cyber-physical security resiliency can further be aided by the effective convergence of the segregated cyber and physical security elements of waterside or landside-based IT/OT infrastructure

    Cyber Threat Intelligence for Improving Cybersecurity and Risk Management in Critical Infrastructure

    Cyber-attack is one of the significant threats affecting any organisation, specifically the Critical Infrastructure (CI) organisation. These attacks are nowadays more sophisticated, multi-vectored and less predictable, which makes the Cyber Security Risk Management (CSRM) task more challenging. Critical Infrastructure needs a new line of security defence to control these threats and minimise risks. Cyber Threat Intelligence (CTI) provides evidence-based information about the threats, aiming to prevent threats. There are existing works and industry practice that emphasise the necessity of CTI and provide methods for threat intelligence and sharing. However, despite these significant efforts, there is a lack of focus on how CTI information can support the CSRM activities so that the organisation can undertake appropriate controls to mitigate the risk proactively. This paper aims to fill this gap by integrating CTI for improving cybersecurity risk management practice, specifically focusing on the critical infrastructure. In particular, the proposed approach contributes beyond state of the art practice by incorporating CTI information for the risk management activities. This helps the organisation to provide adequate and appropriate controls from strategic, tactical and operational perspectives. We have integrated concepts relating to CTI and CSRM so that the threat actor's profile and attack details can support calculating the risk. We consider a smart grid system as a Critical Infrastructure to demonstrate the applicability of the work. The result shows that cyber risks in critical infrastructures can be minimised if CTI information is gathered and used as part of CSRM activities. CTI not only supports understanding of threats for accurate risk estimation but also evaluates the effectiveness of existing controls and recommends necessary controls to improve overall cybersecurity. Also, the result shows that our approach provides early warning about issues that need immediate attention

    STOP-IT: strategic, tactical, operational protection of water infrastructure against cyberphysical threats

    Water supply and sanitation infrastructures are essential for our welfare, but vulnerable to several attack types facilitated by the ever-changing landscapes of the digital world. A cyber-attack on critical infrastructures could for example evolve along these threat vectors: chemical/biological contamination, physical or communications disruption between the network and the supervisory SCADA. Although conceptual and technological solutions to security and resilience are available, further work is required to bring them together in a risk management framework, strengthen the capacities of water utilities to systematically protect their systems, determine gaps in security technologies and improve risk management approaches. In particular, robust adaptable/flexible solutions for prevention, detection and mitigation of consequences in case of failure due to physical and cyber threats, their combination and cascading effects (from attacks to other critical infrastructure, i.e. energy) are still missing. There is (i) an urgent need to efficiently tackle cyber-physical security threats, (ii) an existing risk management gap in utilities’ practices and (iii) an un-tapped technology market potential for strategic, tactical and operational protection solutions for water infrastructure: how the H2020 STOP-IT project aims to bridge these gaps is presented in this paper.

    Security Culture in Industrial Control Systems Organisations: A Literature Review

    Industrial control systems (ICS) are a key element of a country’s critical infrastructure, which includes industries like energy, water, and transport. In recent years, an increased convergence of operational and information technology has been taking place in these systems, increasing their cyber risks, and making security a necessity. People are often described as one of the biggest security risks in ICS, and historic attacks have demonstrated their role in facilitating or deterring them. One approach to enhance the security of organisations using ICS is the development of a security culture aiming to positively influence employees’ security perceptions, knowledge, and ultimately, behaviours. Accordingly, this work aims to review the security culture literature in organisations which use ICS and the factors that affect it, to provide a summary of the field. We conclude that the factors which affect security culture in ICS organisations are in line with the factors discussed in the general literature, such as security policies and management support. Additional factors related to ICS, such as safety culture, are also highlighted. Gaps are identified, with the limited research coverage being the most prominent. As such, proposals for future research are offered, including the need to conduct research with employees whose roles are not security related

    The Role of Transportation in Campus Emergency Planning, MTI Report 08-06

    In 2005, Hurricane Katrina created the greatest natural disaster in American history. The states of Louisiana, Mississippi and Alabama sustained significant damage, including 31 colleges and universities. Other institutions of higher education, most notably Louisiana State University (LSU), became resources to the disaster area. This is just one of the many examples of disaster impacts on institutions of higher education. The Federal Department of Homeland Security, under Homeland Security Presidential Directive-5, requires all public agencies that want to receive federal preparedness assistance to comply with the National Incident Management System (NIMS), which includes the creation of an Emergency Operations Plan (EOP). Universities, which may be victims or resources during disasters, must write NIMS-compliant emergency plans. While most university emergency plans address public safety and logistics management, few adequately address the transportation aspects of disaster response and recovery. This MTI report describes the value of integrating transportation infrastructure into the campus emergency plan, including planning for helicopter operations. It offers a list of materials that can be used to educate and inform campus leadership on campus emergency impacts, including books about the Katrina response by LSU and Tulane Hospital, contained in the report's bibliography. It provides a complete set of Emergency Operations Plan checklists and organization charts updated to acknowledge lessons learned from Katrina, 9/11 and other wide-scale emergencies. Campus emergency planners can quickly update their existing emergency management documents by integrating selected annexes and elements, or create new NIMS-compliant plans by adapting the complete set of annexes to their university's structures

    Towards an open cloud marketplace: vision and first steps

    As one of the most promising, emerging concepts in Information Technology (IT), cloud computing is transforming how IT is consumed and managed; yielding improved cost efficiencies, and delivering flexible, on-demand scalability by reducing computing infrastructures, platforms, and services to commodities acquired and paid-for on-demand through a set of cloud providers. Today, the transition of cloud computing from a subject of research and innovation to a critical infrastructure is proceeding at an incredibly fast pace. A potentially dangerous consequence of this speedy transition to practice is the premature adoption, and ossification, of the models, technologies, and standards underlying this critical infrastructure. This state of affairs is exacerbated by the fact that innovative research on production-scale platforms is becoming the purview of a small number of public cloud providers. Specifically, the academic research communities are effectively excluded from the opportunity to contribute meaningfully to the evolution, not to mention innovation and healthy mutation, of cloud computing technologies. As the dependence of our society and economy on cloud computing increases, so does the realization that the academic research community cannot be shut out from contributing to the design and evolution of this critical infrastructure. In this article we provide an alternative vision: that of an Open Cloud eXchange (OCX), a public cloud marketplace, where many stakeholders, rather than just a single cloud provider, participate in implementing and operating the cloud, thus creating an ecosystem that will bring the innovation of a broader community to bear on a much healthier and more efficient cloud marketplace