- Volume 17 Issue 8
DOI QR Code
A study on the cyber security assessment modeling of critical infrastructure
핵심기반시설 사이버 보안 평가 모델링 기법 연구
- Euom, Ieck-Chae (Cyber Security Consulting Team, KEPCO KDN)
- 엄익채 (한전KDN(주) 보안컨설팅팀)
- Received : 2019.06.28
- Accepted : 2019.08.20
- Published : 2019.08.28
The purpose of this study is to analyze cyber security risk modeling of critical infrastructure, draw out limitations and improvement measures. This paper analyzed cyber security risk modeling of national critical infrastructure like as electricity sector, nuclear power plant, SCADA. This paper analyzed the 26 precedent research cases of risk modeling in electricity sector, nuclear power plant, SCADA. The latest Critical Infrastructure is digitalized and has a windows operating system. Critical Infrastructure should be operated at all times, it is not possible to patch a vulnerability even though find vulnerability. This paper suggest the advanced cyber security modeling characteristic during the life cycle of the critical infrastructure and can be prevented.
Critical Infrastructure;Risk modeling;Vulnerability life cycle;Vulnerability detection model;Attack graph
- An Overview of Threat and Risk asseessment. (2002). Newyork : SANS.
- R. Radvanovsky. & J. Brodsky.(2013). Handbook of SCADA/Control Systems Security. : CRC Press.
- E. Byres. & D. Leversage.(2007). Security incidents and trends in SCADA and process industries. The industrial ethernet book, 39, 26. DOI:10.1016/b978-0-12-397189-0.00002-1
- T. Gopal. M. Subbaraju. & R. Joshi. (2014). Methodology to articulate the requirements for security In SCADA. fourth international conference on innovative computing technology, 58-60. DOI:10.1109/INTECH.2014.6927744
- A. Cardenas. & S. Amin. (2011). Attacks against process control systems: risk assessment, detection, and response. Proceedings of the 6th ACM symposium on information, computer and communications security,. 121-123. DOI:10.1145/1966913.1966959
- J. Guan. & J. Hieb. (2011). A digraph model for risk identification and management in SCADA systems. 2011 IEEE international conference on intelligence and security informatics, 53-54. DOI:10.1109/ISI.2011.5983990
- L. Durante. & A. Venzano. (2013). Review of security issues in industrial networks. IEEE Trans Industry Information, 35-36. DOI:10.1109/tii.2012.2198666
- Y. Y. Haimes. & C. G. Chittester. (2005). A roadmap for quantifying the efficacy of risk management of information security and interdependent SCADA systems. 2005 IEEE international conference on intelligence and security informatics, 72-74. DOI:10.2202/1547-7355.1117
- G. Dondossola. & F. Garrone. (2009). Supporting cyber risk assessment of power control systems with experimental data. Power systems conference and exposition, 2, 36-38. DOI:10.1109/PSCE.2009.4840170
- F. Baiardi. (2009). Hierarchical, model-based risk management of critical infrastructures. Reliabilty Engineering System Safety journal, 94(9), 1403-1415. DOI:10.1016/j.ress.2009.02.001 https://doi.org/10.1016/j.ress.2009.02.001
- M. Warren. (2009). Safeguarding Australia from cyber-terrorism:a proposed cyber-terrorism SCADA risk framework for industry adoption. Australian information warfare and security conference, 23-27. DOI:10.4225/75/57a7f3c09f482
- M. Franz. & D. Miller. (2004). The use of attack trees in assessing vulnerabilities in SCADA systems. Proceedings of the international infrastructure survivability workshop, 1, 42-44.
- G. Dondossola. & F. Garrone. (2009). Supporting cyber risk assessment of power control systems with experimental data. Power systems conference and exposition, 3, 12-15. DOI:10.1109/PSCE.2009.4840170
- J. Szanto. (2011). Cyber risk assessment of power control systems metrics weighed by attack experiments. Power and energy society general journal. 112-116. DOI:10.1109/PES.2011.6039589
- Window of exposure a real problem for SCADA systems Recommendations for Europe on SCADA patching.(2013).: ENISA
- G. N. Ericsson. (2009). Information security for electric power utilities (EPUs)-CIGR developments on frameworks, risk assessment, and technology. IEEE Trans Power Delivery journal, 24(3), 1174-1181. DOI: 10.1109/tpwrd.2008.2008470 https://doi.org/10.1109/TPWRD.2008.2008470
- S. Grses. & M. Heisel. (2010). A comparison of security requirements SCADA engineering methods. Requirements of Security Enginering journal, 15(1), 7-40. DOI:10.1007/s00766-009-0092-x
- D. Thornton. & J. Dawson. (2012). Security best practices and risk assessment of SCADA and industrial control systems. Proceedings of the 2012 world congress in computer science, computer engineering, and applied computing, 111-114. DOI:10.1109/rusautocon.2018.8501811
- R. Folkers. & J. Roberts. (2006). Scenario-based approach to risk analysis in support of cyber security. Proceedings of the 5th international topical meeting on nuclear plant instrumentation controls, and human machine interface technology, 5(3), 293-300. DOI:10.1002/sec.321
- R. Filippini. & M. Schimmer. (2012). Risk assessment methodologies for critical infrastructure protection. European Commission Joint Research Centre Institute for the Protection and Security of the Citizen journal, 18, 50-57. DOI:10.1016/j.ijcip.2017.07.001
- K. Z. Snow. & D. R. Zaret. (2009). Evaluating the risk of cyber attacks on SCADA systems via Petri net analysis with application to hazardous liquid loading operations. IEEE conference on technologies for homeland security, 154-157. DOI:10.1109/ths.2009.5168093
- S. Rudrapattana. & P. Kijsanayothin. (2014). Cyber security analysis of smart grid SCADA systems with game models. Proceedings of the 9th annual cyber and information security research conference, 143-145. DOI:10.1145/2602087.2602089
- F. Massacci. & F. Paci. (2013). An experimental comparison of two risk-based security methods. ACM/IEEE international symposium on empirical software engineering and measurement, 182-186. DOI:10.1109/ESEM.2013.29
- M. R. Permann. & K. Rohde. (2005). Cyber assessment methods for SCADA security. 15th annual joint ISA POWID/EPRI controls and instrumentation conference., .63-68.
- A. Zielstra. (2013). Assessing and improving SCADA security in the dutch drinking water sector. Critical information infrastructure security journal,4(9),124-134. DOI:10.1016/j.ijcip.2011.08.002 https://doi.org/10.4236/jis.2013.42014
- A. Krings. & J. Alves. (2012). Risk analysis and probabilistic survivability assessment an assessment approach for power substation hardening. Proceedings of ACM workshop on scientific aspects of cyber terrorism. DOI:10.1109/isgt.2017.8085978
- D. Gertman. & R. Folker. (2006). Scenario based approach to risk analysis in support of cyber security. Proceedings of the 5th international topical meeting on nuclear plant instrumentation controls, and human machine interface technology, 5(9),293-300. DOI:10.1002/sec.321
- S. Patel. & J. Graham. (2008). Quantitatively assessing the vulnerability of critical information systems. new method for evaluating security enhancements International Journal, 28(9), 483-491. DOI:10.1016/j.ijinfomgt.2008.01.009
- M. H. Henry. & R. M. Layer. (2009). Evaluating the risk of cyber attacks on SCADA systems via Petri net analysis with application to hazardous liquid loading operations. IEEE conference on technologies for homeland security. 76-79. DOI:10.1109/ths.2009.5168093
- Cyber Security Technical Assesment Methodology: Vulnerability Identification and Mitigation Overview of Threat and Risk asseessment.(2016). Newyork : EPRI.
- NEI 13-10 Cyber Security Control Assesment Rev5.(2016). Washington D.C: Nuclear Energy Institute
- S. Y. Oh. & J. K. Hong. (2018). Vulnerability Case Analysis of Wireless Moving Vehicle. journal of the Korea convergence society , 9(8), 41-46. DOI:10.15207/JKCS.2018.9.8.041
- J. K. Cho. (2019). Study on Improvement of Vulnerability Diagnosis Items for PC Security Enhancement. Journal of Convergence for information Technology, 9(3), 1-7. DOI:10.22156/CS4SMB.2019.9.3.001
- O. H. Alhazmi. & Y. K. Malaiya. (2007).Measuring, Analyzing and Predicting Security Vulnerabilities in Software Systems. Computers&Security journal, 26(3), 219-228. DOI:10.1016/j.cose.2006.10.002