A vulnerability-driven cyber security maturity model for measuring national critical infrastructure protection preparedness

Critical infrastructures are vital assets for the public safety, economic welfare and national security of countries. Cyber systems are used extensively to monitor and control critical infrastructures. A number of infrastructures are connected to the Internet via corporate networks. Cyber security is, therefore, an important item of the national security agenda of a country. The intense interest in cyber security has initiated research focusing on national cyber security maturity assessments. However, little, if any, research is dedicated to maturity assessments of national critical infrastructure protection efforts. Instead, the vast majority of studies merely examine diverse national-level security best practices ranging from cyber crime response to privacy protection. This paper proposes a maturity model for measuring the readiness levels of national critical infrastructure protection efforts. The development of the model involves two steps. The first step analyzes data pertaining to national cyber security projects using grounded theory to extract the root causes of the susceptibility of critical infrastructures to cyber threats. The second step determines the maturity criteria by introducing the root causes to subject-matter experts polled in a Delphi survey. The resulting survey-based maturity model is applied to assess the critical infrastructure protection efforts in Turkey. The results are realistic and intuitively appealing, demonstrating that the maturity model is useful for evaluating the national critical infrastructure protection preparedness of developing countries such as Turkey

Australian national critical infrastructure protection : a case study

Australia has developed sophisticated national security policies and physical security agencies to protect against current and future security threats associated with critical infrastructure protection and cyber warfare protection. This paper will discuss some of the common security risks that face Australia and how their government policies and strategies have been developed and changed over time, for example, the proposed Australian Homeland Security department. This paper will discuss the different steps that Australia has undertaken in relation to developing national policies to deal with critical infrastructure protection.<br /

Protection of Australia in the cyber age

Australia has developed sophisticated national security policies and physical security agencies to protect against current and future security threats associated with critical infrastructure protection and cyber warfare protection. In this paper, the authors examine some common security risks that face Australia and how government policies and strategies have been developed and changed over time, for example, the proposed Australian Homeland Security department. This paper discusses the different steps that Australia has undertaken in relation to developing national policies to deal with critical infrastructure protection.<br /

Decentralized Translator of Trust: Supporting Heterogeneous TEE for Critical Infrastructure Protection

Trusted execution environment (TEE) technology has found many applications in mitigating various security risks in an efficient manner, which is attractive for critical infrastructure protection. First, the natural of critical infrastructure requires it to be well protected from various cyber attacks. Second, performance is usually important for critical infrastructure and it cannot afford an expensive protection mechanism. While a large number of TEE-based critical infrastructure protection systems have been proposed to address various security challenges (e.g., secure sensing and reliable control), most existing works ignore one important feature, i.e., devices comprised the critical infrastructure may be equipped with multiple incompatible TEE technologies and belongs to different owners. This feature makes it hard for these devices to establish mutual trust and form a unified TEE environment. To address these challenges and fully unleash the potential of TEE technology for critical infrastructure protection, we propose DHTee, a decentralized coordination mechanism. DHTee uses blockchain technology to support key TEE functions in a heterogeneous TEE environment, especially the attestation service. A Device equipped with one TEE can interact securely with the blockchain to verify whether another potential collaborating device claiming to have a different TEE meets the security requirements. DHTee is also flexible and can support new TEE schemes without affecting devices using existing TEEs that have been supported by the system.Comment: Appeared in ACM BSCI'2

Supply chain management security : the weak link of Australian critical infrastructure protection

Secure management of Australia&rsquo;s commercial Critical Infrastructure presents ongoing challenges to both the owners of this infrastructure as well as to the Australian Federal government. The security management process is currently managed through high-level information sharing via collaboration, but does this situation suit the commercial sector? One of the issues facing Australia is that the majority of critical infrastructure resides under the control of the business sector and certain aspects such of the critical infrastructure such as Supply Chain Management (SCM) systems are distributed entities that span a number of commercial organisations. Another issue is that these SCM systems can be used for the transportation of varied items, such as retail items or food. This paper will explore the security issue related to food SCM systems and their relationship to critical infrastructure. The paper will focuses upon the security and risk issues associated with SCM system protection within the realms of critical infrastructure protection. The paper will review the security standard ISO 28000 - Supply Chain Security Management Standard. The paper will propose a new conceptual security risk analysis approach that will form the basis of a future Security Risk Analysis approach. This new approach will be aimed at protecting SCM systems.<br /

Cyber-Physical Threat Intelligence for Critical Infrastructures Security

Modern critical infrastructures can be considered as large scale Cyber Physical Systems (CPS). Therefore, when designing, implementing, and operating systems for Critical Infrastructure Protection (CIP), the boundaries between physical security and cybersecurity are blurred. Emerging systems for Critical Infrastructures Security and Protection must therefore consider integrated approaches that emphasize the interplay between cybersecurity and physical security techniques. Hence, there is a need for a new type of integrated security intelligence i.e., Cyber-Physical Threat Intelligence (CPTI). This book presents novel solutions for integrated Cyber-Physical Threat Intelligence for infrastructures in various sectors, such as Industrial Sites and Plants, Air Transport, Gas, Healthcare, and Finance. The solutions rely on novel methods and technologies, such as integrated modelling for cyber-physical systems, novel reliance indicators, and data driven approaches including BigData analytics and Artificial Intelligence (AI). Some of the presented approaches are sector agnostic i.e., applicable to different sectors with a fair customization effort. Nevertheless, the book presents also peculiar challenges of specific sectors and how they can be addressed. The presented solutions consider the European policy context for Security, Cyber security, and Critical Infrastructure protection, as laid out by the European Commission (EC) to support its Member States to protect and ensure the resilience of their critical infrastructures. Most of the co-authors and contributors are from European Research and Technology Organizations, as well as from European Critical Infrastructure Operators. Hence, the presented solutions respect the European approach to CIP, as reflected in the pillars of the European policy framework. The latter includes for example the Directive on security of network and information systems (NIS Directive), the Directive on protecting European Critical Infrastructures, the General Data Protection Regulation (GDPR), and the Cybersecurity Act Regulation. The sector specific solutions that are described in the book have been developed and validated in the scope of several European Commission (EC) co-funded projects on Critical Infrastructure Protection (CIP), which focus on the listed sectors. Overall, the book illustrates a rich set of systems, technologies, and applications that critical infrastructure operators could consult to shape their future strategies. It also provides a catalogue of CPTI case studies in different sectors, which could be useful for security consultants and practitioners as well

Security that matters: critical infrastructure and objects of protection

Critical infrastructure protection is prominently concerned with objects that appear indispensable for the functioning of social and political life. However, the analysis of material objects in discussions of critical infrastructure protection has remained largely within the remit of managerial responses, which see matter as simply passive, a blank slate. In security studies, critical approaches have focused on social and cultural values, forms of life, technologies of risk or structures of neoliberal globalization. This article engages with the role of "things" or of materiality for theories of securitization. Drawing on the materialist feminism of Karen Barad, it shows how critical infrastructure in Europe neither is an empty receptacle of discourse nor has "essential" characteristics; rather, it emerges out of material-discursive practices. Understanding the securitization of critical infrastructure protection as a process of materialization allows for a reconceptualization of how security matters and its effects

When risk does not trigger policy change: the case of Georgia's approach to the protection of critical infrastructure

As the world becomes more dependent on technology and interconnected systems, the need for robust critical infrastructure protection measures has become increasingly important for countries worldwide. Protecting critical infrastructure, such as pipelines, railways, networks of telecommunication, and many more, is vital for safeguarding essential systems and services from different threats, such as cyber-attacks, physical threats, natural disasters, and so on, ensuring the continuity of daily life and national security. Against this background, this study seeks to explore the continuity of policy in Georgia regarding critical infrastructure protection, or in fact the absence of a policy for critical infrastructure protection, since in time period of interest for this study, no such policy has been developed. The fact that there is no legal framework that regulates this issue seems puzzling, given both the rising significance of this all over the world and the security threats faced by Georgia in the last two decades. In order to understand the reasons behind the continued absence of a legal framework for critical infrastructure protection, this thesis employs the theories of policy change and non-change to look for possible factors hindering policy change in Georgia. Utilizing elite and expert interviews together with legal documents of Georgia, this thesis came to the conclusion that the prime reason for the enduring absence of a policy framework regarding critical infrastructure protection, are historical legacies of Georgian policy-making, which contains in itself several themes and topics such as general neglect towards security issues and path-dependent nature of institutions. This means that the historical institutionalist account seems particularly well suited to account for the enduring absence of such a policy framework in Georgia

IMPLEMENTATION OF RISK ASSESSMENT FOR CRITICAL INFRASTRUCTURE PROTECTION WITH THE USE OF RISK MATRIX

The object of research:&nbsp;risk assessment for critical infrastructure protection in Ukraine. Investigated problem:&nbsp;adaptation and implementation of European Union’s approach to the risk assessment for critical infrastructure for the conditions of Ukraine. The main scientific results:&nbsp;The most relevant types of threats of natural and man-made origin for the security of critical infrastructure in Ukraine are investigated. The adaptation and implementation of European Union’s approach to the risk assessment for critical infrastructure for the conditions of Ukraine is realized. For this the character of changes of natural and man-made emergencies in Ukraine in the context of impact on critical infrastructure is investigated. The risk of economic losses due to emergencies in Ukraine has been evaluated with the use of risk matrix, taking into account the adapted approach applied in the European Union. Field of practical use of research results:&nbsp;Critical infrastructure facility including systems and physical or virtual resources that provide functions and services, failure of which can lead to significant negative consequences for society, social and economic development of the country and ensuring national security. Among them the most important are objects of electric-power industry, especially important objects of the oil and gas industry; units of the state government and local administration; objects of possible terrorist attacks; facilities subject to protection and defense in emergencies and during special periods; facilities subject to mandatory protection by the State Protection Service under contracts. Innovative technology product:&nbsp;methodology for assessing threats and risks to critical infrastructure, which can greatly contribute to the development of measures to prevent and minimize the negative consequences of emergencies possible in Ukraine at critical infrastructure objects. Scope of the innovative technology product:&nbsp;state system for critical infrastructure protection in Ukraine

Hosting critical infrastructure services in the cloud environment considerations

Critical infrastructure technology vendors will inevitability take advantage of the benefits offered by the cloud computing paradigm. While this may offer improved performance and scalability, the associated security threats impede this progression. Hosting critical infrastructure services in the cloud environment may seem inane to some, but currently remote access to the control system over the internet is commonplace. This shares the same characteristics as cloud computing, i.e., on-demand access and resource pooling. There is a wealth of data used within critical infrastructure. There needs to be an assurance that the confidentiality, integrity and availability of this data remains. Authenticity and non-repudiation are also important security requirements for critical infrastructure systems. This paper provides an overview of critical infrastructure and the cloud computing relationship, whilst detailing security concerns and existing protection methods. Discussion on the direction of the area is presented, as is a survey of current protection methods and their weaknesses. Finally, we present our observation and our current research into hosting critical infrastructure services in the cloud environment, and the considerations for detecting cloud attacks. © 2015 Inderscience Enterprises Ltd