12 research outputs found

    What makes an industrial control system security testbed credible and acceptable? Towards a design consideration framework

    The convergence of Industrial Control System (ICS) with Information Technologies (IT) coupled with the resulting and widely publicized cyber security incidents have made ICS security and resilience issues of critical concern to operators and governments. The inability to apply traditional IT security practice to ICSs further complicates the challenges of effectively securing critical industrial systems. To investigate these challenges without impacting upon live system operations, testbeds are being widely used as viable options to explore, develop and assess security risks and controls. However, how an ICS testbed is designed, and its attributes, can directly impact not only on its viability but also its credibility and acceptance for use as a whole. Through a systematic review and analysis of ICS security testbed design factors, a novel outline conceptual mapping of design factors for building credibility and acceptance is proposed. These design considerations include: design objectives, implementation approach, architectural component coverage, core operational characteristics, and evaluation approach

    Human factor security: evaluating the cybersecurity capacity of the industrial workforce

    Purpose: As cyber-attacks continue to grow, organisations adopting the internet-of-things (IoT) have continued to react to security concerns that threaten their businesses within the current highly competitive environment. Many recorded industrial cyber-attacks have successfully beaten technical security solutions by exploiting human-factor vulnerabilities related to security knowledge and skills and manipulating human elements into inadvertently conveying access to critical industrial assets. Knowledge and skill capabilities contribute to human analytical proficiencies for enhanced cybersecurity readiness. Thus, a human-factored security endeavour is required to investigate the capabilities of the human constituents (workforce) to appropriately recognise and respond to cyber intrusion events within the industrial control system (ICS) environment. / Design/methodology/approach: A quantitative approach (statistical analysis) is adopted to provide an approach to quantify the potential cybersecurity capability aptitudes of industrial human actors, identify the least security-capable workforce in the operational domain with the greatest susceptibility likelihood to cyber-attacks (i.e. weakest link) and guide the enhancement of security assurance. To support these objectives, a Human-factored Cyber Security Capability Evaluation approach is presented using conceptual analysis techniques. / Findings: Using a test scenario, the approach demonstrates the capacity to proffer an efficient evaluation of workforce security knowledge and skills capabilities and the identification of weakest link in the workforce. / Practical implications: The approach can enable organisations to gain better workforce security perspectives like security-consciousness, alertness and response aptitudes, thus guiding organisations into adopting strategic means of appropriating security remediation outlines, scopes and resources without undue wastes or redundancies. 
/ Originality/value: This paper demonstrates originality by providing a framework and computational approach for characterising and quantifying human-factor security capabilities based on security knowledge and security skills. It also supports the identification of potential security weakest links amongst an evaluated industrial workforce (human agents), some key security susceptibility areas and relevant control interventions. The model and validation results demonstrate the application of action research. This paper demonstrates originality by illustrating how action research can be applied within socio-technical dimensions to solve recurrent and dynamic problems related to industrial environment cyber security improvement. It provides value by demonstrating how theoretical security knowledge (awareness) and practical security skills can help resolve cyber security response and control uncertainties within industrial organisations

    Vulnerability-Based Impact Criticality Estimation for Industrial Control Systems

    Cyber threats directly affect the critical reliability and availability of modern Industry Control Systems (ICS) in respects of operations and processes. Where there are a variety of vulnerabilities and cyber threats, it is necessary to effectively evaluate cyber security risks, and control uncertainties of cyber environments, and quantitative evaluation can be helpful. To effectively and timely control the spread and impact produced by attacks on ICS networks, a probabilistic Multi-Attribute Vulnerability Criticality Analysis (MAVCA) model for impact estimation and prioritised remediation is presented. This offers a new approach for combining three major attributes: vulnerability severities influenced by environmental factors, the attack probabilities relative to the vulnerabilities, and functional dependencies attributed to vulnerability host components. A miniature ICS testbed evaluation illustrates the usability of the model for determining the weakest link and setting security priority in the ICS. This work can help create speedy and proactive security response. The metrics derived in this work can serve as sub-metrics inputs to a larger quantitative security metrics taxonomy; and can be integrated into the security risk assessment scheme of a larger distributed system

    The Internet of Things in Ports: Six Key Security and Governance Challenges for the UK (Policy Brief)

    In January 2019, the UK Government published its Maritime 2050 on Navigating the Future strategy. In the strategy, the government highlighted the importance of digitalization (with well-designed regulatory support) to achieve its goal of ensuring that the UK plays a global leadership role in the maritime sector. Ports, the gateways for 95% of UK trade movements, were identified as key sites for investment in technological innovation. The government identified the potential of the Internet of Things (IoT), in conjunction with other information-sharing technologies, such as shared data platforms, and Artificial Intelligence applications (AI), to synchronize processes within the port ecosystem leading to improved efficiency, safety, and environmental benefits, including improved air quality and lower greenhouse gas emissions

    Securing industrial control system environments: the missing piece

    Cyberattacks on industrial control systems (ICSs) are no longer matters of anticipation. These systems are continually subject to malicious attacks without much resistance. Network breaches, data theft, denial of service, and command and control functions are examples of common attacks on ICSs. Despite available security solutions, safety, security, resilience, and performance require both private and public sectors to step-up strategies to address increasing security concerns on ICSs. This paper reviews the ICS security risk landscape, including current security solution strategies in order to determine the gaps and limitations for effective mitigation. Notable issues point to a greater emphasis on technology security while discounting people and processes attributes. This is clearly incongruent with; emerging security risk trends, the biased security strategy of focusing more on supervisory control and data acquisition systems, and the emergence of more sector-specific solutions as against generic security solutions. Better solutions need to include approaches that follow similar patterns as the problem trend. These include security measures that are evolutionary by design in response to security risk dynamics. Solutions that recognize and include; people, process and technology security enhancement into a single system, and addressing all three-entity vulnerabilities can provide a better solution for ICS environments

    Ownership Structure Reform and Bank Performance in Nigeria

    Nigeria undertook a major bank structure reform between 2004 and 2006. A pivotal plank of that reform was the pegging of government ownership in deposit money banks to 10%. This was informed by the general economic theory that state ownership in commercial undertakings hurts operating performance. This paper analyzes the implications of this reform on operating performance of banks in Nigeria. Results from descriptive statistics indicate that government ownership in Nigerian banks is about 4%; 6% > the limit prescribed by the Central Bank of Nigeria. The coefficient of government ownership is not only rightly signed but also statistically significant. With a coefficient of -0.0568, the results confirm theoretical conclusion that government ownership hurts operating performance. The results support the outcome of the Nigerian study of Thorsten B. et al (2003) who assessed the effect of privatization on bank performance in Nigeria over the period 1990-2001. The result further provides an empirical answer to a question recently posed by the governor of the Central Bank of Nigeria – does ownership of financial institution matter? It appears that in a normal environment government shareholding of financial institutions should be limited as far as possible because of the tendency of government to stifle performance through suboptimal investment decisions, frequently on political expediency other than economic consideration. Keywords: Government ownership, operating performance, corporate governance, reform

    A Review of Critical Infrastructure Protection Approaches: Improving Security through Responsiveness to the Dynamic Modelling Landscape

    As new technologies such as the Internet of Things (IoT) are integrated into Critical National Infrastructures (CNI), new cybersecurity threats emerge that require specific security solutions. Approaches used for analysis include the modelling and simulation of critical infrastructure systems using attributes, functionalities, operations, and behaviours to support various security analysis viewpoints, recognising and appropriately managing associated security risks. With several critical infrastructure protection approaches available, the question of how to effectively model the complex behaviour of interconnected CNI elements and to configure their protection as a system-of-systems remains a challenge. Using a systematic review approach, existing critical infrastructure protection approaches (tools and techniques) are examined to determine their suitability given trends like IoT, and effective security modelling and analysis issues. It is found that empirical-based, agent-based, system dynamics-based, and network-based modelling are more commonly applied than economic-based and equation-based techniques, and empirical-based modelling is the most widely used. The energy and transportation critical infrastructure sectors reflect the most responsive sectors, and no one Critical Infrastructure Protection (CIP) approach - tool, technique, methodology or framework -- provides a fit-for-all capacity for all-round attribute modelling and simulation of security risks. Typically, deciding factors for CIP choices to adopt are often dominated by trade-offs between complexity of use and popularity of approach, as well as between specificity and generality of application in sectors

    A review of the use and utility of industrial network-based open source simulators: functionality, security, and policy viewpoints

    Simulation can provide a useful means to understand issues linked to industrial network operations. For transparent, collaborative, cost-effective solutions development, and to attract the broadest interest base, simulation is critical and open source suggested, because it costs less to access, install, and use. This study contributes new insights from security and functionality characteristics metrics to underscore the use and effectiveness of open source simulators. Several open source simulators span applications in communications and wireless sensor networks, industrial control systems, and the Industrial Internet of Things. Some drivers for their use span are as follows: supported license types; programming languages; operating systems platforms; user interface types; documentation and communication types; citations; code commits; and number of contributors. Research in these simulators is built around performance and optimization relative to flexibility, scalability, mobility, and active user support. No single simulator addresses all these conceivable characteristics. In addition to modeling contexts that match real-world scenarios and issues, an effective open source simulator needs to demonstrate credibility, which can be gained partly through actively engaging experts from interdisciplinary teams along with user contributions integrated under tight editorial controls. Government-led policies and regulations are also necessary to support their wider awareness and more productive use for real-world purposes

    Assessing public knowledge, attitudes and determinants of third COVID-19 vaccine booster dose acceptance: current scenario and future perspectives

    BACKGROUND: People with weakened immune systems may not develop adequate protection after taking two doses of the mRNA-combined COVID-19 vaccine. The additional dose may improve the level of protection against Covid-19. OBJECTIVES: Current study aimed to evaluate the knowledge, attitude and determinants of third COVID-19 vaccine booster dose acceptance among population in the UAE. METHODS AND MATERIALS: This is an online descriptive cross-sectional community-based study conducted among the students and faculty of Ajman University from 25 August to 20 October 2021. The questionnaire, which was in the English language, encompassed two sections containing 22 items. Section one gathered the demographic details of the respondents, while Section two used 13 questions to evaluate the respondents’ knowledge of and attitude to the third COVID-19 vaccine booster dose. RESULTS: 614 respondents participated in this study. The average knowledge score was 44.6% with a 95% confidence interval (CI) of [41%, 49%]. Better knowledge scores were observed in postgraduates (OR 4.29; 95% CI 2.28–8.11), employees in the healthcare sector (OR 1.62; 95% CI 1.05–2.51), participants who had relatives infected with the Covid-19 (OR 1.46; 95% CI 1.05–2.02), participants who had been infected with Covid-19 (OR 2.21; 95% CI 1.43–3.43) and participants who had received first two doses of the COVID-19 vaccine (OR 2.08; 95% CI 1.40–3.11). The average attitude score was 70.2% with a 95% confidence interval (CI) of [69.2%, 71.2%]. CONCLUSION: Necessary steps should be taken by the government and public health authorities, in line with the local culture, to increase vaccination acceptance and foster positive attitudes towards the vaccine. A suitable approach to this would be to develop an educational framework that could demonstrate the risks of vaccine avoidance or delay to the general population.
Moreover, health authorities should pay more attention to the false information being disseminated across the internet, especially social media. Also, healthcare workers should be trained in vaccinology and virology to make sure that they are able to understand important developments in these fields and convey the findings to their patients