A review of security assessment methodologies in industrial control systems

Qais Saif Qassim, Norziana Jamil, Maslina Daud, Ahmed Patel, Norhamadi Ja’affar

Research output: Contribution to journalArticle

Abstract

Purpose: The common implementation practices of modern industrial control systems (ICS) has left a window wide open to various security vulnerabilities. As the cyber-threat landscape continues to evolve, the ICS and their underlying architecture must be protected to withstand cyber-attacks. This study aims to review several ICS security assessment methodologies to identify an appropriate vulnerability assessment method for the ICS systems that examine both critical physical and cyber systems so as to protect the national critical infrastructure. Design/methodology/approach: This paper reviews several ICS security assessment methodologies and explores whether the existing methodologies are indeed sufficient to meet the cyber security assessment exercise required to validate the security of electrical power control systems. Findings: The study showed that most of the examined methodologies seem to concentrate on vulnerability identification and prioritisation techniques, whilst other security techniques received noticeably less attention. The study also showed that the least attention is devoted to patch management process due to the critical nature of the SCADA system. Additionally, this review portrayed that only two security assessment methodologies exhibited absolute fulfilment of all NERC-CIP security requirements, whilst the others only partially fulfilled the essential requirements. Originality/value: This paper presents a review and a comparative analysis of several standard SCADA security assessment methodologies and guidelines published by internationally recognised bodies. In addition, it explores the adequacy of the existing methodologies in meeting cyber security assessment practices required for electrical power networks.

Original languageEnglish
Pages (from-to)47-61
Number of pages15
JournalInformation and Computer Security
Volume27
Issue number1
DOIs
Publication statusPublished - 11 Mar 2019

Fingerprint

Control systems
Critical infrastructures
SCADA systems
Power control
Methodology
Vulnerability

All Science Journal Classification (ASJC) codes

  • Management Information Systems
  • Software
  • Information Systems
  • Computer Networks and Communications
  • Information Systems and Management
  • Management of Technology and Innovation

Cite this

Qassim, Qais Saif ; Jamil, Norziana ; Daud, Maslina ; Patel, Ahmed ; Ja’affar, Norhamadi. / A review of security assessment methodologies in industrial control systems. In: Information and Computer Security. 2019 ; Vol. 27, No. 1. pp. 47-61.
@article{69e951f4e5bc484085ddcad5b6871016,
title = "A review of security assessment methodologies in industrial control systems",
abstract = "Purpose: The common implementation practices of modern industrial control systems (ICS) has left a window wide open to various security vulnerabilities. As the cyber-threat landscape continues to evolve, the ICS and their underlying architecture must be protected to withstand cyber-attacks. This study aims to review several ICS security assessment methodologies to identify an appropriate vulnerability assessment method for the ICS systems that examine both critical physical and cyber systems so as to protect the national critical infrastructure. Design/methodology/approach: This paper reviews several ICS security assessment methodologies and explores whether the existing methodologies are indeed sufficient to meet the cyber security assessment exercise required to validate the security of electrical power control systems. Findings: The study showed that most of the examined methodologies seem to concentrate on vulnerability identification and prioritisation techniques, whilst other security techniques received noticeably less attention. The study also showed that the least attention is devoted to patch management process due to the critical nature of the SCADA system. Additionally, this review portrayed that only two security assessment methodologies exhibited absolute fulfilment of all NERC-CIP security requirements, whilst the others only partially fulfilled the essential requirements. Originality/value: This paper presents a review and a comparative analysis of several standard SCADA security assessment methodologies and guidelines published by internationally recognised bodies. In addition, it explores the adequacy of the existing methodologies in meeting cyber security assessment practices required for electrical power networks.",
author = "Qassim, {Qais Saif} and Norziana Jamil and Maslina Daud and Ahmed Patel and Norhamadi Ja’affar",
year = "2019",
month = "3",
day = "11",
doi = "10.1108/ICS-04-2018-0048",
language = "English",
volume = "27",
pages = "47--61",
journal = "Information and Computer Security",
issn = "2056-4961",
publisher = "Emerald Group Publishing Ltd.",
number = "1",

}

A review of security assessment methodologies in industrial control systems. / Qassim, Qais Saif; Jamil, Norziana; Daud, Maslina; Patel, Ahmed; Ja’affar, Norhamadi.

In: Information and Computer Security, Vol. 27, No. 1, 11.03.2019, p. 47-61.

Research output: Contribution to journalArticle

TY - JOUR

T1 - A review of security assessment methodologies in industrial control systems

AU - Qassim, Qais Saif

AU - Jamil, Norziana

AU - Daud, Maslina

AU - Patel, Ahmed

AU - Ja’affar, Norhamadi

PY - 2019/3/11

Y1 - 2019/3/11

N2 - Purpose: The common implementation practices of modern industrial control systems (ICS) has left a window wide open to various security vulnerabilities. As the cyber-threat landscape continues to evolve, the ICS and their underlying architecture must be protected to withstand cyber-attacks. This study aims to review several ICS security assessment methodologies to identify an appropriate vulnerability assessment method for the ICS systems that examine both critical physical and cyber systems so as to protect the national critical infrastructure. Design/methodology/approach: This paper reviews several ICS security assessment methodologies and explores whether the existing methodologies are indeed sufficient to meet the cyber security assessment exercise required to validate the security of electrical power control systems. Findings: The study showed that most of the examined methodologies seem to concentrate on vulnerability identification and prioritisation techniques, whilst other security techniques received noticeably less attention. The study also showed that the least attention is devoted to patch management process due to the critical nature of the SCADA system. Additionally, this review portrayed that only two security assessment methodologies exhibited absolute fulfilment of all NERC-CIP security requirements, whilst the others only partially fulfilled the essential requirements. Originality/value: This paper presents a review and a comparative analysis of several standard SCADA security assessment methodologies and guidelines published by internationally recognised bodies. In addition, it explores the adequacy of the existing methodologies in meeting cyber security assessment practices required for electrical power networks.

AB - Purpose: The common implementation practices of modern industrial control systems (ICS) has left a window wide open to various security vulnerabilities. As the cyber-threat landscape continues to evolve, the ICS and their underlying architecture must be protected to withstand cyber-attacks. This study aims to review several ICS security assessment methodologies to identify an appropriate vulnerability assessment method for the ICS systems that examine both critical physical and cyber systems so as to protect the national critical infrastructure. Design/methodology/approach: This paper reviews several ICS security assessment methodologies and explores whether the existing methodologies are indeed sufficient to meet the cyber security assessment exercise required to validate the security of electrical power control systems. Findings: The study showed that most of the examined methodologies seem to concentrate on vulnerability identification and prioritisation techniques, whilst other security techniques received noticeably less attention. The study also showed that the least attention is devoted to patch management process due to the critical nature of the SCADA system. Additionally, this review portrayed that only two security assessment methodologies exhibited absolute fulfilment of all NERC-CIP security requirements, whilst the others only partially fulfilled the essential requirements. Originality/value: This paper presents a review and a comparative analysis of several standard SCADA security assessment methodologies and guidelines published by internationally recognised bodies. In addition, it explores the adequacy of the existing methodologies in meeting cyber security assessment practices required for electrical power networks.

UR - http://www.scopus.com/inward/record.url?scp=85061306497&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85061306497&partnerID=8YFLogxK

U2 - 10.1108/ICS-04-2018-0048

DO - 10.1108/ICS-04-2018-0048

M3 - Article

VL - 27

SP - 47

EP - 61

JO - Information and Computer Security

JF - Information and Computer Security

SN - 2056-4961

IS - 1

ER -