895,673 research outputs found
Security Assessment of Systems of Systems
Engineering Systems of Systems is one of the new chal-lenges of the last few years. This depends on the increasing number of systems that must interact one with another to achieve a goal. One peculiarity of Systems of Systems is that they are made of systems able to live on their own with well-established functionalities and requirements, and that are not necessarily aware of the joint mission or prepared to collaborate. In this emergent scenario, securi-ty is one crucial aspect that must be considered from the very beginning. In fact, the security of a System of Sys-tems is not automatically granted even if the security of each constituent system is guaranteed. The aim of this paper is to address the problem of assessing security properties in Systems of Systems. We discuss the specific security aspects of such emergent systems, and propose the TeSSoS approach, which includes modelling and testing security properties in Systems of Systems and introduces the Red and Blue Requirements Specification concepts.Ministerio dell'Universitá e della Ricerca (Italia) GAUSS 2015KWREMXMinisterio de Economía y Competitividad TIN2016-76956-C3-2-R (POLOLAS
Dynamic real-time risk analytics of uncontrollable states in complex internet of things systems, cyber risk at the edge
The Internet of Things (IoT) triggers new types of cyber risks. Therefore,
the integration of new IoT devices and services requires a self-assessment of
IoT cyber security posture. By security posture this article refers to the
cybersecurity strength of an organisation to predict, prevent and respond to
cyberthreats. At present, there is a gap in the state of the art, because there
are no self-assessment methods for quantifying IoT cyber risk posture. To
address this gap, an empirical analysis is performed of 12 cyber risk
assessment approaches. The results and the main findings from the analysis is
presented as the current and a target risk state for IoT systems, followed by
conclusions and recommendations on a transformation roadmap, describing how IoT
systems can achieve the target state with a new goal-oriented dependency model.
By target state, we refer to the cyber security target that matches the generic
security requirements of an organisation. The research paper studies and adapts
four alternatives for IoT risk assessment and identifies the goal-oriented
dependency modelling as a dominant approach among the risk assessment models
studied. The new goal-oriented dependency model in this article enables the
assessment of uncontrollable risk states in complex IoT systems and can be used
for a quantitative self-assessment of IoT cyber risk posture
Security assessment of audience response systems using software defined radios
Audience response systems, also known as clickers, are used at many academic institutions to offer active learning environments. Since these systems are used to administer graded assignments, and sometimes even exams, it is crucial to assess their security. Our work seeks to exploit and document potential vulnerabilities of clickers. For this purpose, we use software defined radios to perform eavesdropping attacks on an audience response system in production. The results of our study demon- strate that clickers are easily exploitable. We build a prototype and show that it is practically possible to covertly steal answers from a peer or even the entire classroom, with high levels of confidence. As a result of this study, we discourage using clickers for high-stake assessments, unless manufacturers provide proper security protection.http://people.bu.edu/staro/MIT_Conference_Khai.pdfAccepted manuscrip
Why We Cannot (Yet) Ensure the Cybersecurity of Safety-Critical Systems
There is a growing threat to the cyber-security of safety-critical systems.
The introduction of Commercial Off The Shelf (COTS) software, including
Linux, specialist VOIP applications and Satellite Based Augmentation Systems
across the aviation, maritime, rail and power-generation infrastructures has created
common, vulnerabilities. In consequence, more people now possess the technical
skills required to identify and exploit vulnerabilities in safety-critical systems.
Arguably for the first time there is the potential for cross-modal attacks
leading to future ‘cyber storms’. This situation is compounded by the failure of
public-private partnerships to establish the cyber-security of safety critical applications.
The fiscal crisis has prevented governments from attracting and retaining
competent regulators at the intersection of safety and cyber-security. In particular,
we argue that superficial similarities between safety and security have led
to security policies that cannot be implemented in safety-critical systems. Existing
office-based security standards, such as the ISO27k series, cannot easily be integrated
with standards such as IEC61508 or ISO26262. Hybrid standards such as
IEC 62443 lack credible validation. There is an urgent need to move beyond
high-level policies and address the more detailed engineering challenges that
threaten the cyber-security of safety-critical systems. In particular, we consider
the ways in which cyber-security concerns undermine traditional forms of safety
engineering, for example by invalidating conventional forms of risk assessment.
We also summarise the ways in which safety concerns frustrate the deployment of
conventional mechanisms for cyber-security, including intrusion detection systems
- …