102 research outputs found

    Designing Security Policies for Complex SCADA Systems Protection

    The management and protection of these SCADA systems must constantly evolve towards integrated decision making and policy driven by cyber security requirements. The current research stream in this domain aims, accordingly, to foster the smartness of the field equipment that exists through the generic concept of SCADA management and operation. Those components are governed by policies that depend on the components' roles, as well as on the evolution of the crisis, which also confers on the latter the latitude to react based on their own perception of the crisis evolution. Their latitude is calculated based on the component's smartness and is strongly determined by, and dependent on, the cyber safety of the component's environment. Existing work related to crisis management tends to consider that components evolve and are organized in systems, but as far as we know, no systemic solution exists that integrates all of the above requirements. This paper proposes an innovative version of ArchiMate® for the purpose of SCADA component modelling, to enrich their collaborations and, more particularly, the description of their behavior as endorsed in the cyber-policy. Our work has been illustrated in the frame of a critical infrastructure in the field of petroleum supply and storage networks.

    ICT Governance Acquisition Requirement Principle: Toward the Selection of the Suitable Exploitation Mode of a Secure e-Business Architecture for Small and Medium Enterprises

    The Governance of IT is becoming more and more important in enterprises, especially since the accounting scandals of 2002 and, more recently, through the ongoing market crisis. While all political leaders say that the world economy is at grave risk, developments are made, firstly, to elaborate an appropriate framework to enforce and guarantee the stability of the financial sector and, by extension, of all sectors of the industrial economy and, secondly, to enhance the governance of all these public and private companies. Sarbanes-Oxley is one of these laws that aims to provide guarantees over the company's accountability. ISO/IEC 38500 [14] is one standard that provides a framework for effective governance of IT. This framework provides six guiding principles: Establish responsibilities, Plan to best support the organization, Acquire validly, Ensure performance when required, Ensure conformance with rules and Ensure respect for human factors. The principle "Acquire validly" aims at ensuring that the acquisition of IT components and of the exploitation mode is realized with the assurance that it is aligned with the business strategy. Many SMEs from the industrial but also from the financial sector are still unable to correctly choose the optimal compromise for exploiting their e-business solution with regard to their business needs. Effectively, choosing the best way to exploit an IT infrastructure in accordance with the security requirements is a professional activity that can't always be appropriately conducted by SME staff. Although many criteria influence the exploitation mode to be chosen – independence from an IT company, cost and profitability of the solution, technology used – security remains the major influencing factor.
    This document aims to analyse the security measures related to e-business, according to the geographical location of the e-business architecture: in the company itself, outsourced, or at an intermediate place between those two. The first part of this document defines what we understand by "exploitation mode", the second analyses the security aspects related to each component of an e-business architecture according to its exploitation mode, and finally the last part analyses the security of the general architecture, again according to its exploitation mode.

    Strengthening the Management of Ubiquitous Internet by Refining ISO/IEC 27001 Implementation Using a Generic Responsibility Model

    The recent emergence of decentralized networks and the ubiquitous Internet has highlighted the need for better management of companies' IT architecture and for an improvement of the responsibility of the network's users. Many standards have recently emerged to meet these requirements. By analyzing them, we observe that they all include references to user responsibility, but also that no common understanding of it exists. These observations have oriented our research toward the elaboration of an innovative, simple and pragmatic responsibility model that includes a user commitment dimension. ISO/IEC 27001:2005 is one of these new standards that aims at providing a framework for improving information system management and the security of IT architecture. Although this standard is recognized across the globe, many surveys and case studies provide interesting feedback about its implementation problems. In this paper, we introduce our responsibility model, we depict the responsibility aspects encompassed in ISO 27001 and we propose some improvement perspectives to address these problems and strengthen its implementation.

    Management Framework for the Visualization of Smart Monitoring Architectures Apply to Distributed Ubiquity Mobility Platform

    Smart Mobility has proved to be a high-priority topic with regard to arising European societal challenges. Deploying smart mobility requires both technological and monitoring knowledge, and one important key feature of the initiative lies in the multiplicity of the final users. Its goal is, depending on the type of user, to provide the required accurate data through a dynamic monitoring application. This implies collecting data coming from physical sensors deployed in all the parking areas of a region. Those sensors are simple, meaning that the information they can collect is limited to the entry or exit signal of a vehicle. This paper presents an architecture for applying the visualization of a smart monitoring architecture to a distributed ubiquity mobility platform and shows a deployment in the frame of a use case. The latter has been developed in a European region and consists of a smart mobility monitoring project.

    MoiseInst: An Organizational Model for Specifying Rights and Duties of Autonomous Agents

    http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.108.3187&rep=rep1&type=pdf
    International audience