DOI QR코드

DOI QR Code

A study on the cyber security assessment modeling of critical infrastructure

핵심기반시설 사이버 보안 평가 모델링 기법 연구

  • 엄익채 (한전KDN(주) 보안컨설팅팀)
  • Received : 2019.06.28
  • Accepted : 2019.08.20
  • Published : 2019.08.28

Abstract

The purpose of this study is to analyze cyber security risk modeling of critical infrastructure, draw out limitations and improvement measures. This paper analyzed cyber security risk modeling of national critical infrastructure like as electricity sector, nuclear power plant, SCADA. This paper analyzed the 26 precedent research cases of risk modeling in electricity sector, nuclear power plant, SCADA. The latest Critical Infrastructure is digitalized and has a windows operating system. Critical Infrastructure should be operated at all times, it is not possible to patch a vulnerability even though find vulnerability. This paper suggest the advanced cyber security modeling characteristic during the life cycle of the critical infrastructure and can be prevented.

Keywords

Critical Infrastructure;Risk modeling;Vulnerability life cycle;Vulnerability detection model;Attack graph

References

  1. An Overview of Threat and Risk asseessment. (2002). Newyork : SANS.
  2. R. Radvanovsky. & J. Brodsky.(2013). Handbook of SCADA/Control Systems Security. : CRC Press.
  3. E. Byres. & D. Leversage.(2007). Security incidents and trends in SCADA and process industries. The industrial ethernet book, 39, 26. DOI:10.1016/b978-0-12-397189-0.00002-1
  4. T. Gopal. M. Subbaraju. & R. Joshi. (2014). Methodology to articulate the requirements for security In SCADA. fourth international conference on innovative computing technology, 58-60. DOI:10.1109/INTECH.2014.6927744
  5. A. Cardenas. & S. Amin. (2011). Attacks against process control systems: risk assessment, detection, and response. Proceedings of the 6th ACM symposium on information, computer and communications security,. 121-123. DOI:10.1145/1966913.1966959
  6. J. Guan. & J. Hieb. (2011). A digraph model for risk identification and management in SCADA systems. 2011 IEEE international conference on intelligence and security informatics, 53-54. DOI:10.1109/ISI.2011.5983990
  7. L. Durante. & A. Venzano. (2013). Review of security issues in industrial networks. IEEE Trans Industry Information, 35-36. DOI:10.1109/tii.2012.2198666
  8. Y. Y. Haimes. & C. G. Chittester. (2005). A roadmap for quantifying the efficacy of risk management of information security and interdependent SCADA systems. 2005 IEEE international conference on intelligence and security informatics, 72-74. DOI:10.2202/1547-7355.1117
  9. G. Dondossola. & F. Garrone. (2009). Supporting cyber risk assessment of power control systems with experimental data. Power systems conference and exposition, 2, 36-38. DOI:10.1109/PSCE.2009.4840170
  10. F. Baiardi. (2009). Hierarchical, model-based risk management of critical infrastructures. Reliabilty Engineering System Safety journal, 94(9), 1403-1415. DOI:10.1016/j.ress.2009.02.001 https://doi.org/10.1016/j.ress.2009.02.001
  11. M. Warren. (2009). Safeguarding Australia from cyber-terrorism:a proposed cyber-terrorism SCADA risk framework for industry adoption. Australian information warfare and security conference, 23-27. DOI:10.4225/75/57a7f3c09f482
  12. M. Franz. & D. Miller. (2004). The use of attack trees in assessing vulnerabilities in SCADA systems. Proceedings of the international infrastructure survivability workshop, 1, 42-44.
  13. G. Dondossola. & F. Garrone. (2009). Supporting cyber risk assessment of power control systems with experimental data. Power systems conference and exposition, 3, 12-15. DOI:10.1109/PSCE.2009.4840170
  14. J. Szanto. (2011). Cyber risk assessment of power control systems metrics weighed by attack experiments. Power and energy society general journal. 112-116. DOI:10.1109/PES.2011.6039589
  15. Window of exposure a real problem for SCADA systems Recommendations for Europe on SCADA patching.(2013).: ENISA
  16. G. N. Ericsson. (2009). Information security for electric power utilities (EPUs)-CIGR developments on frameworks, risk assessment, and technology. IEEE Trans Power Delivery journal, 24(3), 1174-1181. DOI: 10.1109/tpwrd.2008.2008470 https://doi.org/10.1109/TPWRD.2008.2008470
  17. S. Grses. & M. Heisel. (2010). A comparison of security requirements SCADA engineering methods. Requirements of Security Enginering journal, 15(1), 7-40. DOI:10.1007/s00766-009-0092-x
  18. D. Thornton. & J. Dawson. (2012). Security best practices and risk assessment of SCADA and industrial control systems. Proceedings of the 2012 world congress in computer science, computer engineering, and applied computing, 111-114. DOI:10.1109/rusautocon.2018.8501811
  19. R. Folkers. & J. Roberts. (2006). Scenario-based approach to risk analysis in support of cyber security. Proceedings of the 5th international topical meeting on nuclear plant instrumentation controls, and human machine interface technology, 5(3), 293-300. DOI:10.1002/sec.321
  20. R. Filippini. & M. Schimmer. (2012). Risk assessment methodologies for critical infrastructure protection. European Commission Joint Research Centre Institute for the Protection and Security of the Citizen journal, 18, 50-57. DOI:10.1016/j.ijcip.2017.07.001
  21. K. Z. Snow. & D. R. Zaret. (2009). Evaluating the risk of cyber attacks on SCADA systems via Petri net analysis with application to hazardous liquid loading operations. IEEE conference on technologies for homeland security, 154-157. DOI:10.1109/ths.2009.5168093
  22. S. Rudrapattana. & P. Kijsanayothin. (2014). Cyber security analysis of smart grid SCADA systems with game models. Proceedings of the 9th annual cyber and information security research conference, 143-145. DOI:10.1145/2602087.2602089
  23. F. Massacci. & F. Paci. (2013). An experimental comparison of two risk-based security methods. ACM/IEEE international symposium on empirical software engineering and measurement, 182-186. DOI:10.1109/ESEM.2013.29
  24. M. R. Permann. & K. Rohde. (2005). Cyber assessment methods for SCADA security. 15th annual joint ISA POWID/EPRI controls and instrumentation conference., .63-68.
  25. A. Zielstra. (2013). Assessing and improving SCADA security in the dutch drinking water sector. Critical information infrastructure security journal,4(9),124-134. DOI:10.1016/j.ijcip.2011.08.002 https://doi.org/10.4236/jis.2013.42014
  26. A. Krings. & J. Alves. (2012). Risk analysis and probabilistic survivability assessment an assessment approach for power substation hardening. Proceedings of ACM workshop on scientific aspects of cyber terrorism. DOI:10.1109/isgt.2017.8085978
  27. D. Gertman. & R. Folker. (2006). Scenario based approach to risk analysis in support of cyber security. Proceedings of the 5th international topical meeting on nuclear plant instrumentation controls, and human machine interface technology, 5(9),293-300. DOI:10.1002/sec.321
  28. S. Patel. & J. Graham. (2008). Quantitatively assessing the vulnerability of critical information systems. new method for evaluating security enhancements International Journal, 28(9), 483-491. DOI:10.1016/j.ijinfomgt.2008.01.009
  29. M. H. Henry. & R. M. Layer. (2009). Evaluating the risk of cyber attacks on SCADA systems via Petri net analysis with application to hazardous liquid loading operations. IEEE conference on technologies for homeland security. 76-79. DOI:10.1109/ths.2009.5168093
  30. Cyber Security Technical Assesment Methodology: Vulnerability Identification and Mitigation Overview of Threat and Risk asseessment.(2016). Newyork : EPRI.
  31. NEI 13-10 Cyber Security Control Assesment Rev5.(2016). Washington D.C: Nuclear Energy Institute
  32. S. Y. Oh. & J. K. Hong. (2018). Vulnerability Case Analysis of Wireless Moving Vehicle. journal of the Korea convergence society , 9(8), 41-46. DOI:10.15207/JKCS.2018.9.8.041
  33. J. K. Cho. (2019). Study on Improvement of Vulnerability Diagnosis Items for PC Security Enhancement. Journal of Convergence for information Technology, 9(3), 1-7. DOI:10.22156/CS4SMB.2019.9.3.001
  34. O. H. Alhazmi. & Y. K. Malaiya. (2007).Measuring, Analyzing and Predicting Security Vulnerabilities in Software Systems. Computers&Security journal, 26(3), 219-228. DOI:10.1016/j.cose.2006.10.002