Biblio

Complex military systems are typically cyber-physical systems which are the targets of high level threat actors, and must be able to operate within a highly contested cyber environment. There is an emerging need to provide a strong level of assurance against these threat actors, but the process by which this assurance can be tested and evaluated is not so clear. This paper outlines an initial framework developed through research for evaluating the cyber-worthiness of complex mission critical systems using threat models developed in SysML. The framework provides a visual model of the process by which a threat actor could attack the system. It builds on existing concepts from system safety engineering and expands on how to present the risks and mitigations in an understandable manner.

Cyber-Physical Systems (CPSs) interconnect the physical world with digital computers and networks in order to automate production and distribution processes. Nowadays, most CPSs do not work in isolation, but their digital part is connected to the Internet in order to enable remote monitoring, control and configuration. Such a connection may offer entry-points enabling attackers to gain control silently and exploit access to the physical world at the right time to cause service disruption and possibly damage to the surrounding environment. Prevention and monitoring measures can reduce the risk brought by cyber attacks, but the residual risk can still be unacceptably high in critical infrastructures or services. Resilience - i.e., the ability of a system to withstand adverse events while maintaining an acceptable functionality - is therefore a key property for such systems. In our research, we seek a model-free, quantitative, and general-purpose evaluation methodology to extract resilience indexes from, e.g., system logs and process data. While a number of resilience metrics have already been put forward, little experimental evidence is available when it comes to the cyber security of CPSs. By using the model of a real wastewater treatment plant, and simulating attacks that tamper with a critical feedback control loop, we provide a comparison between four resilience indexes selected through a thorough literature review involving over 40 papers. Our results show that the selected indexes differ in terms of behavior and sensitivity with respect to specific attacks, but they can all summarize and extract meaningful information from bulky system logs. Our evaluation includes an approach for extracting performance indicators from observed variables which does not require knowledge of system dynamics; and a discussion about combining resilience indexes into a single system-wide measure is included. 11The authors wish to thank Leonardo S.p.A. for its financial support. The research herein presented is partially supported by project NEFERIS awarded by the Italian Ministry of Defense to Leonardo S.p.A. in partnership with the University of Genoa. This work received funding from the European Union's Horizon 2020 research and innovation program under grant agreement No 830892 for project SPARTA.

Due to their specific features, blockchains have become popular in recent years. Blockchains are layered systems where security is a critical factor for their success. The main focus of this work is to systematize knowledge about security and privacy issues of blockchains. To this end, we propose a security reference architecture based on models that demonstrate the stacked hierarchy of various threats as well as threat-risk assessment using ISO/IEC 15408. In contrast to the previous surveys [23], [88], [11], we focus on the categorization of security vulnerabilities based on their origins and using the proposed architecture we present existing prevention and mitigation techniques. The scope of our work mainly covers aspects related to the nature of blockchains, while we mention operational security issues and countermeasures only tangentially.

Cloud computing is not adequately secure due to the currently used traditional trust methods such as global trust model and local trust model. These are prone to security vulnerabilities. This paper introduces a trust model based on the fuzzy mathematics and gray relational theory. Fuzzy mathematics and gray relational analysis (Fuzzy-GRA) aims to improve the poor dynamic adaptability of cloud computing. Fuzzy-GRA platform is used to test and validate the behavior of the model. Furthermore, our proposed model is compared to other known models. Based on the experimental results, we prove that our model has the edge over other existing models.

The heart of research pumps for analyzing risks in today's competitive business environment where big, massive computations are performed on interconnected devices pervasively. Advanced computing environments i.e. Cloud, big data and Internet of things are taken under consideration for finding and analyzing business risks developed from evolutionary, interoperable and digital devices communications with massive volume of data generated. Various risks in advanced computational environment have been identified in this research and are provided with risks mitigation strategies. We have also focused on how risk management affects these environments and how that effect can be mitigated for software and business quality improvement.

Incident prioritization is nowadays a part of many approaches and tools for network security and risk management. However, the dynamic nature of the problem domain is often unaccounted for. That is, the prioritization is typically based on a set of static calculations, which are rarely adjusted. As a result, incidents are incorrectly prioritized, leading to an increased and misplaced effort in the incident response. A higher degree of automation could help to address this problem. In this paper, we explicitly consider flaws in the prioritization an unalterable circumstance. We propose an adaptive incident prioritization, which allows to automate certain tasks for the prioritization model management in order to continuously assess and improve a prioritization model. At the same time, we acknowledge the human analyst as the focal point and propose to keep the human in the loop, among others by treating understandability as a crucial requirement.

In this paper, we propose a game-attack graph-based risk assessment model for industrial Internet system. Firstly, use non-destructive asset profiling to scan components and devices included in the system and their open services and communication protocols. Further compare the CNVD and CVE to find the vulnerability through the search engine keyword segment matching method, and generate an asset threat list. Secondly, build the attack rule base based on the network information, and model the system using the attribute attack graph. Thirdly, combine the game theory with the idea of the established model. Finally, optimize and quantify the analysis to get the best attack path and the best defense strategy.

Within “Industrie 4.0” approach 3D printing technology is characterized as one of the disruptive innovations. Conventional supply chains are replaced by value-added networks. The spatially distributed development of printed components, e.g. for the rapid delivery of spare parts, creates a new challenge when differentiating between “original part”, “copy” or “counterfeit” becomes necessary. This is especially true for safety-critical products. Based on these changes classic branded products adopt the characteristics of licensing models as we know them in the areas of software and digital media. This paper describes the use of digital rights management as a key technology for the successful transition to Additive Manufacturing methods and a key for its commercial implementation and the prevention of intellectual property theft. Risks will be identified along the process chain and solution concepts are presented. These are currently being developed by an 8-partner project named SAMPL (Secure Additive Manufacturing Platform).

With the increasing security threats to the information of Industrial Cyber-physical Control Systems, the quantitative assessment of security risk becomes an important basis of information security research. Based on fuzzy hierarchy analysis, this paper constructs the hierarchical model of industrial control system safety risk evaluation, and obtains the exact value of risk. Experimental results show that the proposed method can effectively quantify the control system risk, which provides a basis for industrial control system risk management decision.

Once an individual employs the use of the Internet for accessing information; carrying out transactions and sharing of data on the Cloud, they are connected to diverse computers on the network. As such, security of such transmitted data is most threatened and then potentially creating privacy risks of users on the federated identity management system in the Cloud. Usually, User's attributes or Personal Identifiable Information (PII) are needed to access Services on the Cloud from different Service Providers (SPs). Sometime these SPs may by themselves violate user's privacy by the reuse of user's attributes offered them for the release of services to the users without their consent and then carrying out activities that may appear malicious and then causing damage to the users. Similarly, it should be noted that sensitive user's attributes (e.g. first name, email, address and the likes) are received in their original form by needed SPs in plaintext. As a result of these problems, user's privacy is being violated. Since these SPs may reuse them or connive with other SPs to expose a user's identity in the cloud environment. This research is motivated to provide a protective and novel approach that shall no longer release original user's attributes to SPs but pseudonyms that shall prevent the SPs from violating user's privacy through connivance to expose the user's identity or other means. The paper introduces a conceptual framework for the proposed user's attributes privacy protection in a federated identity management system for the cloud. On the proposed system, the use of pseudonymous technique also called Privacy Token (PT) is employed. The pseudonymous technique ensures users' original attributes values are not sent directly to the SP but auto generated pseudo attributes values. The PT is composed of: Pseudo Attribute values, Timestamp and SPİD. These composition of the PT makes it difficult for the User's PII to be revealed and further preventing the SPs from being able to keep them or reuse them in the future without the user's consent for any purpose. Another important feature of the PT is its ability to forestall collusion among several collaborating service providers. This is due to the fact that each SP receives pseudo values that have no direct link to the identity of the user. The prototype was implemented with Java programming language and its performance tested on CloudAnalyst simulation.

Online Social Networks(OSN) plays a vital role in our day to day life. The most popular social network, Facebook alone counts currently 2.23 billion users worldwide. Online social network users are aware of the various security risks that exist in this scenario including privacy violations and they are utilizing the privacy settings provided by OSN providers to make their data safe. But most of them are unaware of the risk which exists after deletion of their data which is not really getting deleted from the OSN server. Self destruction of data is one of the prime recommended methods to achieve assured deletion of data. Numerous techniques have been developed for self destruction of data and this paper discusses and evaluates these techniques along with the various privacy risks faced by an OSN user in this web centered world.

A prioritized cyber defense remediation plan is critical for effective risk management in cyber-physical systems (CPS). The increased integration of Information Technology (IT)/Operational Technology (OT) in CPS has to lead to the need to identify the critical assets which, when affected, will impact resilience and safety. In this work, we propose a methodology for prioritized cyber risk remediation plan that balances operational resilience and economic loss (safety impacts) in CPS. We present a platform for modeling and analysis of the effect of cyber threats and random system faults on the safety of CPS that could lead to catastrophic damages. We propose to develop a data-driven attack graph and fault graph-based model to characterize the exploitability and impact of threats in CPS. We develop an operational impact assessment to quantify the damages. Finally, we propose the development of a strategic response decision capability that proposes optimal mitigation actions and policies that balances the trade-off between operational resilience (Tactical Risk) and Strategic Risk.

This paper presents approach for critical energy infrastructure's (CEI) cyber resilience assessment. The CEI is the vital physical system of systems, whose accidents and failures lead to damage of economy, environment, impact on health and lives of people. The analysis of cyber incidents with Ukrainian CEI confirms the importance of the task of increasing its cyber resilience to external hostile influences and keeping of the appropriate level of functionality, safety and reliability. This paper is devoted to development of approach for CEI's cyber resilience assessment considering the important capacities of its systems (adaptivity, restoration, absorbability, preventive) and interdependencies between them. This approach is based on application of multilevel fuzzy logic models (called as logic-linguistic models, LLM) taking into consideration the data available from expert's knowledge. The comparison between risk management and resilience assurance is performed. The new risk-oriented definition of resiliency is suggested.

The term “smart” has been used in many ways for describing systems and infrastructure such as smart city, smart home, smart grid, smart meter, etc. These systems may lie in the domain of critical security systems where security can be estimated in terms of confidentiality, integrity and some cases may involve availability for protection against the theft or damage of system resources as well as disruption of the system services. Although, in spite of, being a hot topic to enhance the quality of life, there is no concrete definition of what smart system is and what should be the characteristics of it. Thus, there is a need to identify what these systems actually are and how they can be designed securely. This work firstly attempts to describe attributes related to the smartness to define smart systems. Furthermore, we propose a secure smart system development life cycle, where the security is weaved at all the development phase of smart systems according to principles, guidelines, attack patterns, risk, vulnerability, exploits, and defined rules. Finally, the comparative study is performed for evaluation of traditional security modeling techniques for early assessment of threats and risks in smart systems.

A term systems of systems (SoS) refers to a setup in which a number of independent systems collaborate to create a value that each of them is unable to achieve independently. Complexity of a SoS structure is higher compared to its constitute systems that brings challenges in analyzing its critical properties such as security. An SoS can be seen as a set of connected systems or services that needs to be adequately protected. Communication between such systems or services can be considered as a service itself, and it is the paramount for establishment of a SoS as it enables connections, dependencies, and a cooperation. Given that reliable and predictable communication contributes directly to a correct functioning of an SoS, communication as a service is one of the main assets to consider. Protecting it from malicious adversaries should be one of the highest priorities within SoS design and operation. This study aims to investigate the attack propagation problem in terms of service-guarantees through the decomposition into sub-services enriched with preconditions and postconditions at the service levels. Such analysis is required as a prerequisite for an efficient SoS risk assessment at the design stage of the SoS development life cycle to protect it from possibly high impact attacks capable of affecting safety of systems and humans using the system.

Social Virtual Reality based Learning Environments (VRLEs) such as vSocial render instructional content in a three-dimensional immersive computer experience for training youth with learning impediments. There are limited prior works that explored attack vulnerability in VR technology, and hence there is a need for systematic frameworks to quantify risks corresponding to security, privacy, and safety (SPS) threats. The SPS threats can adversely impact the educational user experience and hinder delivery of VRLE content. In this paper, we propose a novel risk assessment framework that utilizes attack trees to calculate a risk score for varied VRLE threats with rate and duration of threats as inputs. We compare the impact of a well-constructed attack tree with an adhoc attack tree to study the trade-offs between overheads in managing attack trees, and the cost of risk mitigation when vulnerabilities are identified. We use a vSocial VRLE testbed in a case study to showcase the effectiveness of our framework and demonstrate how a suitable attack tree formalism can result in a more safer, privacy-preserving and secure VRLE system.

This paper analyzes information network security risk assessment methods and models. Firstly an improved AHP method is proposed to assign the value of assets for solving the problem of risk judgment matrix consistency effectively. And then the neural network technology is proposed to construct the neural network model corresponding to the risk judgment matrix for evaluating the individual risk of assets objectively, the methods for calculating the asset risk value and system risk value are given. Finally some application results are given. Practice proves that the methods are correct and effective, which has been used in information network security risk assessment application and offers a good foundation for the implementation of the automatic assessment.

Electronic Medical Record (EMR) is a medical record management system. EMR contains personal data of patients that is critical. The critical nature of medical records is the reason for the necessity to develop security policies as guidelines for EMR in SIMRS in XZY Hospital. In this study, analysis and risk assessment conducted to EMR management at SIMRS in XZY Hospital. Based on this study, the security of SIMRS in XZY Hospital is categorized as high. Security and Privacy Control mapping based on NIST SP800-53 rev 5 obtained 57 security controls related to privacy aspects as control options to protect EMR in SIMRS in XZY Hospital. The policy designing was done using The Triangle framework for Policy Analysis. The analysis obtained from the policy decisions of the head of XYZ Hospital. The contents of the security policy are provisions on the implementation of security policies of EMR, outlined of 17 controls were selected.

The Industrial Internet of Things (IIoT) is a term applied to the industrial application of M2M devices. The security of IIoT devices is a difficult problem and where the automation of critical infrastructure is intended, risks may be unacceptable. Remote attacks are a significant threat and solutions are sought which are secure by default. The problem space may be analyzed using threat modelling methods. Software Defined Networks (SDN) provide mitigation for remote attacks which exploit local area networks. Similar concepts applied to the WAN may improve availability and performance and provide granular data on link characteristics. Schemes such as the Software Defined Perimeter allow IIoT devices to communicate on the Internet, mitigating avenues of remote attack. Finally, separation of duties at the IIoT device may prevent attacks on the integrity of the device or the confidentiality and integrity of its communications. Work remains to be done on the mitigation of DDoS.

There are increasing threats for cyberspace. This paper tries to identify how extreme cybersecurity incidents occur based on the scenario of a targeted attack through emails. Knowledge on how extreme cybersecurity incidents occur helps in identifying the key points on how they can be prevented from occurring. The model based on system thinking approach to the understanding how communication influences entities and how tiny initiating events scale up into extreme events provides a condensed figure of the cyberspace and surrounding threats. By taking cyberspace layers and characteristics of cyberspace identified by this model into consideration, it predicts most suitable risk mitigations.

The method of assessment of degree of compliance of divisions of the complex distributed corporate information system to a number of information security indicators is offered. As a result of the methodology implementation a comparative assessment of compliance level of each of the divisions for the corporate information security policy requirements may be given. This assessment may be used for the purpose of further decision-making by the management of the corporation on measures to minimize risks as a result of possible implementation of threats to information security.

Cyber insurance is a viable method for cyber risk transfer. However, the cyber insurance faces critical challenges, the most important of which is lack of statistical data. In this paper, we proposed an incentive model considering monitoring signals for cybersecurity information haring based on the principal-agent theory. We studied the effect of monitoring signals on increasing the rationality of the incentive contract and reducing moral hazard in the process of cybersecurity information sharing, and analyzed factors influencing the effectiveness of the incentive contract. We show that by introducing monitoring signals, the insurer can collect more information about the effort level of the insured, and encourage the insured to share cybersecurity information based on the information sharing output and monitoring signals of the effort level, which can not only reduce the blindness of incentive to the insured in the process of cybersecurity information sharing, but also reduce moral hazard.

For complex technical objects the research of cybersecurity problems should take into account both physical and information properties of the object. The paper considers a hybrid model that unifies information and physical models and may be used as a tool for countering cyber threats and for cybersecurity risk assessment at the design and operational stage of an object's lifecycle.

The rapid evolution of the Information and Communications Technology (ICT) services transforms the conventional electrical grid into a new paradigm called Smart Grid (SG). Even though SG brings significant improvements, such as increased reliability and better energy management, it also introduces multiple security challenges. One of the main reasons for this is that SG combines a wide range of heterogeneous technologies, including Internet of Things (IoT) devices as well as Supervisory Control and Data Acquisition (SCADA) systems. The latter are responsible for monitoring and controlling the automatic procedures of energy transmission and distribution. Nevertheless, the presence of these systems introduces multiple vulnerabilities because their protocols do not implement essential security mechanisms such as authentication and access control. In this paper, we focus our attention on the security issues of the IEC 60870-5-104 (IEC-104) protocol, which is widely utilized in the European energy sector. In particular, we provide a SCADA threat model based on a Coloured Petri Net (CPN) and emulate four different types of cyber attacks against IEC-104. Last, we used AlienVault's risk assessment model to evaluate the risk level that each of these cyber attacks introduces to our system to confirm our intuition about their severity.

Supervisory control and data acquisition (SCADA) systems are becoming increasingly susceptible to cyber-physical attacks on both physical and cyber layers of critical information infrastructure. Failure Mode and Effects Analysis (FMEA) have been widely used as a structured method to prioritize all possible vulnerable areas (failure modes) for design review of security of information systems. However, traditional RPN based FMEA has some inherent problems. Besides, there is a lacking of application of FMEA for security in SCADAs under vague and uncertain environment. Thus, the main purpose of this study was to propose a new evaluation model, which not only intends to recover above mentioned problems, but also intends to evaluate, prioritize and correct security risk of SCADA system's threat modes. A numerical case study was also conducted to demonstrate that the proposed new evaluation model is not only capable of addressing FMEA's inherent problems but also is best suited for a semi-quantitative high level analysis of a secure SCADA's failure modes in the early design phases.