11,929 research outputs found

    Assessing and augmenting SCADA cyber security: a survey of techniques

    SCADA systems monitor and control critical infrastructures of national importance such as power generation and distribution, water supply, transportation networks, and manufacturing facilities. The pervasiveness, miniaturisations and declining costs of internet connectivity have transformed these systems from strictly isolated to highly interconnected networks. The connectivity provides immense benefits such as reliability, scalability and remote connectivity, but at the same time exposes an otherwise isolated and secure system, to global cyber security threats. This inevitable transformation to highly connected systems thus necessitates effective security safeguards to be in place as any compromise or downtime of SCADA systems can have severe economic, safety and security ramifications. One way to ensure vital asset protection is to adopt a viewpoint similar to an attacker to determine weaknesses and loopholes in defences. Such mind sets help to identify and fix potential breaches before their exploitation. This paper surveys tools and techniques to uncover SCADA system vulnerabilities. A comprehensive review of the selected approaches is provided along with their applicability

    The future of Cybersecurity in Italy: Strategic focus area

    This volume has been created as a continuation of the previous one, with the aim of outlining a set of focus areas and actions that the Italian Nation research community considers essential. The book touches many aspects of cyber security, ranging from the definition of the infrastructure and controls needed to organize cyberdefence to the actions and technologies to be developed to be better protected, from the identification of the main technologies to be defended to the proposal of a set of horizontal actions for training, awareness raising, and risk management

    Governance and information governance: some ethical considerations within an expanding information society

    Governance and information governance ought to be an integral part of any government's or organisation's information and business strategy. More than ever before information and knowledge can be produced, exchanged, shared and communicated through many different mediums. Whilst sharing information and knowledge provides many benefits it also provides many challenges and risks to governments, global organisations and the individual citizen. Information governance is one element of a governance and compliance programme, but an increasingly important one, because many regulations apply to how information is managed and protected from theft and abuse, much of which resides with external agencies usually outside the control of the individual citizen. This paper explores some of the compliance and quality issues within governance and information governance including those ethical concerns as related to individual citizens and multiple stakeholders engaged directly or indirectly in the governance process

    State-of-the-Art in Security Thinking for the Internet of Things (IoT)

    In this paper we propose a model for Internet of Things (IoT) practitioners and researchers on how to use security thinking in parallel with the IoT technological developments. While security is recognized as a top priority, repeatedly, IoT products have become a target by diverse security attacks. This raises the importance for an IoT security mindset that contributes to building more holistic security measures. In understanding this, we present the state-of-the-art in IoT security. This resulted in the identification of three dimensions (awareness, assessment and challenges) that are needed to develop an IoT security mindset. We then interviewed four security and IoT-related experts from three different organizations that formed the basis for our pilot study to test the model. Our results show that the identified three-dimensional model highlights continuous security thinking as a serious matter to sustain IoT development with positive outcomes for its users

    2011 Strategic roadmap for Australian research infrastructure

    The 2011 Roadmap articulates the priority research infrastructure areas of a national scale (capability areas) to further develop Australia’s research capacity and improve innovation and research outcomes over the next five to ten years. The capability areas have been identified through considered analysis of input provided by stakeholders, in conjunction with specialist advice from Expert Working Groups. It is intended the Strategic Framework will provide a high-level policy framework, which will include principles to guide the development of policy advice and the design of programs related to the funding of research infrastructure by the Australian Government. Roadmapping has been identified in the Strategic Framework Discussion Paper as the most appropriate prioritisation mechanism for national, collaborative research infrastructure. The strategic identification of Capability areas through a consultative roadmapping process was also validated in the report of the 2010 NCRIS Evaluation. The 2011 Roadmap is primarily concerned with medium to large-scale research infrastructure. However, any landmark infrastructure (typically involving an investment in excess of $100 million over five years from the Australian Government) requirements identified in this process will be noted. NRIC has also developed a ‘Process to identify and prioritise Australian Government landmark research infrastructure investments’ which is currently under consideration by the government as part of broader deliberations relating to research infrastructure. NRIC will have strategic oversight of the development of the 2011 Roadmap as part of its overall policy view of research infrastructure

    Legal linked data ecosystems and the rule of law

    This chapter introduces the notions of meta-rule of law and socio-legal ecosystems to both foster and regulate linked democracy. It explores the way of stimulating innovative regulations and building a regulatory quadrant for the rule of law. The chapter summarises briefly (i) the notions of responsive, better and smart regulation; (ii) requirements for legal interchange languages (legal interoperability); (iii) and cognitive ecology approaches. It shows how the protections of the substantive rule of law can be embedded into the semantic languages of the web of data and reflects on the conditions that make possible their enactment and implementation as a socio-legal ecosystem. The chapter suggests in the end a reusable multi-levelled meta-model and four notions of legal validity: positive, composite, formal, and ecological

    A Conceptual Model of an Information Security Domain Knowledge Base

    Information Security breaches and threats continue to grow worldwide. Securing information systems issues persist despite the development of several Information security standards. The low adoption rate of these security standards is one of the main contributing factors for this growing problem. As emerging economies seek to be a part of the digital economy it is prudent that they make information security a priority. The lack of effective Information Security Strategies in developing countries has resulted in these countries facing the problem of becoming targets for cyber criminals. In this research we present a Conceptual Model and a design of an Information Security Domain Knowledge Base (InfoSec DKB) that can assist in developing and managing information security strategies. This design is based on a combination of decision making, security and auditing frameworks, namely concepts of the Value Focused Thinking (VFT) approach used in decision making, the Guidelines for Management of IT security (ISO/IEC 27001), Control Objectives for Information and Related Technologies (COBIT)

    Modelling Telecommunications Operators and Adversaries using Game Theory

    Telecommunications systems being inherently distributed and collaborative in nature present a plurality of attack surfaces to malicious entities and hence vulnerable to many potential attacks even indirectly demanding a need in prioritising security. The choice of security implementations depends upon the currently understood threats, future possible threat vectors, and the dependencies between systems. Executing these choices while contemplating the financial aspects is exceptionally difficult. It is thus critical to have a perceptible decision support framework for better security decision-making. This thesis studies the strategic nature of the interaction between the Telecoms operators and attackers utilising game theory to understand their strategic decision-making characteristics strengthening security decisions. To understand the security investment decision-making criteria of operators, this thesis utilises static security investment games. Through these games, we study the effects of security investment decision of an operator on other operators' behaviour. We determine conditions supporting the security investment decisions and propose strategic recommendations supplementing the dependency conditions. We then study attackers' behaviour considering them with strategic incentives in contrary to their strictly-bounded rationality in traditional game-theoretic modelling approaches. We utilise a behavioural approach and design a decision-flow model capturing the choices of attackers in the attack process. An outcome of this work is a generalised attack framework. Moreover, using this framework, we derive attack strategies optimising attackers' effort. Through this work, we are probing the foundations for drawing inferences about attackers' strategic characteristics from a cybersecurity perspective