Chiem Trieu Phong,Wei Qi Yan

DOI: https://doi.org/10.4018/ijdcf.2014100104

2014-01-01

International Journal of Digital Crime and Forensics

Abstract:Penetration testing is an effort to attack a system using similar techniques and tools adopted by real hackers. The ultimate goal of penetration testing is to call to light as many existing vulnerabilities as possible, then come up with practical solutions to remediate the problems; thus, enhance the system security as a whole. The paper introduces concepts and definitions related to penetration testing, together with different models and methodologies to conduct a penetration test. A wide range of penetration testing state-of-the-art, as well as related tools (both commercial and free open source available on the market) are also presented in relatively rich details.

Jeremy Straub

2023-06-07

Abstract:Penetration testing increases the security of systems through tasking testers to 'think like the adversary' and attempt to find the ways that an attacker would break into the system. For many systems, this can be conducted in a safe and controlled way; however, some systems are so critical to human life and safety that the risk of their failure or disablement due to active penetration testing cannot be assumed. These systems are also critical to evaluate the security of, to prevent attackers from disabling them or causing their maloperation; however, this must be done in a manner that doesn't risk the very malady that testing seeks to avoid through the testing process itself. This paper presents P2SCP, a paradigm for penetration testing of systems that cannot be subjected to the risk of penetration testing. It discusses how data collection, the creation of digital twins and cousins and evaluative analysis can be utilized to conduct virtual penetration tests on critical infrastructure systems. This proposed paradigm is analyzed through the use of several case studies.

Cryptography and Security

Bright Ojo,Justine Chilenovu Ogborigbo,Maureen Oluchukwuamaka Okafor

DOI: https://doi.org/10.30574/wjarr.2024.22.3.1921

2024-06-30

World Journal of Advanced Research and Reviews

Abstract:Critical infrastructure must withstand cyber and physical assaults in today's interconnected world. This study explores innovative strategies to shield these systems from cyber-physical threats. As networks become more connected, cyberattacks grow more sophisticated, making it imperative to safeguard sectors like transportation, energy, water, and information. The paper analyzes the present and future threat landscape, identifying vulnerabilities within critical infrastructures and proposing targeted mitigation strategies to enhance security. The research leverages AI and machine learning to develop detection tools that identify and predict cyber-physical attacks, enhancing response times and preventive measures. Additionally, resilience engineering and architecture are crucial in fortifying infrastructure, enabling it to withstand and recover from attacks while maintaining essential functions. The study also reviews legislation and policies surrounding infrastructure protection, pinpointing shortcomings and recommending improvements to bolster national security. Effective countermeasures against cyber-physical threats require collaboration and information sharing among government bodies, industry stakeholders, and educational institutions. These partnerships facilitate the exchange of knowledge, best practices, and tools to address threats efficiently. Furthermore, the paper highlights the importance of training programs that equip professionals with skills to integrate cyber and physical security defenses. Exploring the integration of blockchain, IoT, and autonomous technologies could further enhance the resilience of critical systems. These technologies foster secure communications and automated responses to incidents. Lastly, community awareness initiatives play a vital role in preparing for and mitigating cyber-physical attacks, ensuring that public readiness and resilience are maintained. This comprehensive approach aims to fortify critical infrastructure against evolving cyber threats, ensuring continuous operation and security.

Uchenna D Ani,Jeremy D McK. Watson,Jason R.C. Nurse,Al Cook,Carsten Maple

DOI: https://doi.org/10.48550/arXiv.1904.01551

2019-04-03

Abstract:As new technologies such as the Internet of Things (IoT) are integrated into Critical National Infrastructures (CNI), new cybersecurity threats emerge that require specific security solutions. Approaches used for analysis include the modelling and simulation of critical infrastructure systems using attributes, functionalities, operations, and behaviours to support various security analysis viewpoints, recognising and appropriately managing associated security risks. With several critical infrastructure protection approaches available, the question of how to effectively model the complex behaviour of interconnected CNI elements and to configure their protection as a system-of-systems remains a challenge. Using a systematic review approach, existing critical infrastructure protection approaches (tools and techniques) are examined to determine their suitability given trends like IoT, and effective security modelling and analysis issues. It is found that empirical-based, agent-based, system dynamics-based, and network-based modelling are more commonly applied than economic-based and equation-based techniques, and empirical-based modelling is the most widely used. The energy and transportation critical infrastructure sectors reflect the most responsive sectors, and no one Critical Infrastructure Protection (CIP) approach - tool, technique, methodology or framework -- provides a fit-for-all capacity for all-round attribute modelling and simulation of security risks. Typically, deciding factors for CIP choices to adopt are often dominated by trade-offs between complexity of use and popularity of approach, as well as between specificity and generality of application in sectors.

Cryptography and Security,Networking and Internet Architecture,Systems and Control

Nabin Chowdhury,Vasileios Gkioulos

DOI: https://doi.org/10.1108/ics-07-2020-0121

2021-08-24

Information and Computer Security

Abstract:Purpose The purpose of this paper can be encapsulated in the following points: identify the research papers published on the topic: competencies and skills necessary for critical infrastructure (CI) cyber-security (CS) protection; determine main focus areas within the identified literature and evaluate the dependency or lack thereof between them: make recommendations for future research. Design/methodology/approach This study is based on a systematic literature review conducted to identify scientific papers discussing and evaluating competencies, skills and essential attributes needed by the CI workforce for CS and preparedness to attacks and incidents. Findings After a comparative analysis of the articles reviewed in this study, a variety of skills and competencies was found to be necessary for CS assurance in CIs. These skills have been grouped into four categories, namely, technical, managerial, implementation and soft skills. Nonetheless, there is still a lack of agreement on which skills are the most critical and further research should be conducted on the relation between specific soft skills and CS assurance. Research limitations/implications Investigation of which skills are required by industry for specific CS roles, by conducting interviews and sending questionnaire\surveys, would allow consolidating whether literature and industry requirements are equivalent. Practical implications Findings from this literature review suggest that more effort should be taken to conciliate current CS curricula in academia with the skills and competencies required for CS roles in the industry. Originality/value This study provides a previously lacking current mapping and review of literature discussing skills and competencies evidenced as critical for CS assurance for CI. The findings of this research are useful for the development of comprehensive solutions for CS awareness and training.

Henry Matey Akwetey,Paul Danquah,Godfred Yaw Koi-Akrofi,Isaac Asampana

DOI: https://doi.org/10.48550/arXiv.2202.12970

2022-02-02

Abstract:A technology platform that is gradually bridging the gap between object visibility and remote accessibility is the Internet of Things (IoT). Rapid deployment of this application can significantly transform the health, housing, and power (distribution and generation) sectors, etc. It has considerably changed the power sector regarding operations, services optimization, power distribution, asset management and aided in engaging customers to reduce energy consumption. Despite its societal opportunities and the benefits it presents, the power generation sector is bedeviled with many security challenges on the critical infrastructure. This review discusses the security challenges posed by IoT in power generation and critical infrastructure. To achieve this, the authors present the various IoT applications, particularly on the grid infrastructure, from an empirical literature perspective. The authors concluded by discussing how the various entities in the sector can overcome these security challenges to ensure an exemplary future IoT implementation on the power critical infrastructure value chain.

Cryptography and Security

Yagmur Yigit,Mohamed Amine Ferrag,Iqbal H. Sarker,Leandros A. Maglaras,Christos Chrysoulas,Naghmeh Moradpoor,Helge Janicke

2024-05-08

Abstract:Critical National Infrastructure (CNI) encompasses a nation's essential assets that are fundamental to the operation of society and the economy, ensuring the provision of vital utilities such as energy, water, transportation, and communication. Nevertheless, growing cybersecurity threats targeting these infrastructures can potentially interfere with operations and seriously risk national security and public safety. In this paper, we examine the intricate issues raised by cybersecurity risks to vital infrastructure, highlighting these systems' vulnerability to different types of cyberattacks. We analyse the significance of trust, privacy, and resilience for Critical Infrastructure Protection (CIP), examining the diverse standards and regulations to manage these domains. We also scrutinise the co-analysis of safety and security, offering innovative approaches for their integration and emphasising the interdependence between these fields. Furthermore, we introduce a comprehensive method for CIP leveraging Generative AI and Large Language Models (LLMs), giving a tailored lifecycle and discussing specific applications across different critical infrastructure sectors. Lastly, we discuss potential future directions that promise to enhance the security and resilience of critical infrastructures. This paper proposes innovative strategies for CIP from evolving attacks and enhances comprehension of cybersecurity concerns related to critical infrastructure.

Cryptography and Security

Li Jianhua

DOI: https://doi.org/10.11999/jeit191055

2020-01-01

Abstract:Energy critical infrastructure has undergone transformative rapid development in the context of the rapid development of information technology, and has been deeply integrated with new technologies such as Artificial Intelligence (AI), big data, and the Internet of Things. While information technology significantly improves the efficiency and performance of energy critical infrastructure, it also brings new types of security threats that are more persistent and covert. An urgent problem is how to establish a systematic and intelligent security defense system for energy critical infrastructure. This paper starts with the development trend of energy critical infrastructure, and analyzes the mechanism of the traditional and new security threat mechanisms it faces. On this basis, insightful analysis on the research status and evolution trends of defense technologies for energy critical infrastructures is made.

Sandra Smyth

2023-12-18

Abstract:As per Adusumilli (2015),'70% of corporate business systems today are legacy applications. Recent statistics prove that over 60% of IT budget is spent on maintaining these Legacy systems, showing the rigidity and the fragile nature of these systems.' Usually, testing is included during the software development cycle, using testing techniques such as unit testing, integration testing, and system testing before releasing the product. After the software product is released to production, no additional testing is done; the testing process is back to the table only when modifications are made. Techniques such as regression testing are included to ensure the changes do not affect existing functionality, but testing nonfunctional features that are rarely included in such regression tests' scope. Schrader (2021) affirms that 'legacy systems are often maintained only to ensure function,' and IT organizations may fail to consider the cybersecurity perspective to remain secure. Legacy systems are a high-risk component for the organization that must be carefully considered when structuring a cyber security strategy. This paper aims to help the reader understand some measures that can be taken to secure legacy systems, explaining what penetration testing is and how this testing technique can help secure legacy systems. Keywords: Testing, legacy, security, risks, prevention, mitigation, pentesting.

Software Engineering

Somali Chaterji,Parinaz Naghizadeh,Muhammad Ashraful Alam,Saurabh Bagchi,Mung Chiang,David Corman,Brian Henz,Suman Jana,Na Li,Shaoshuai Mou,Meeko Oishi,Chunyi Peng,Tiark Rompf,Ashutosh Sabharwal,Shreyas Sundaram,James Weimer,Jennifer Weller

DOI: https://doi.org/10.48550/arXiv.2001.00090

2019-12-20

Abstract:Cyberphysical systems (CPS) are ubiquitous in our personal and professional lives, and they promise to dramatically improve micro-communities (e.g., urban farms, hospitals), macro-communities (e.g., cities and metropolises), urban structures (e.g., smart homes and cars), and living structures (e.g., human bodies, synthetic genomes). The question that we address in this article pertains to designing these CPS systems to be resilient-from-the-ground-up, and through progressive learning, resilient-by-reaction. An optimally designed system is resilient to both unique attacks and recurrent attacks, the latter with a lower overhead. Overall, the notion of resilience can be thought of in the light of three main sources of lack of resilience, as follows: exogenous factors, such as natural variations and attack scenarios; mismatch between engineered designs and exogenous factors ranging from DDoS (distributed denial-of-service) attacks or other cybersecurity nightmares, so called "black swan" events, disabling critical services of the municipal electrical grids and other connected infrastructures, data breaches, and network failures; and the fragility of engineered designs themselves encompassing bugs, human-computer interactions (HCI), and the overall complexity of real-world systems. In the paper, our focus is on design and deployment innovations that are broadly applicable across a range of CPS application areas.

Computers and Society,Distributed, Parallel, and Cluster Computing,Systems and Control

Lukumba Phiri,Simon Tembo

DOI: https://doi.org/10.31695/ijasre.2022.8.5.1

2022-01-01

International Journal of Advances in Scientific Research and Engineering

Abstract:The number of successful attacks on vital infrastructure has increased, as has the sophistication of the attacks. Many cybersecurity strategies include traditional best practices, but they frequently overlook organizational circumstances and unique critical infrastructure protection requirements. The goal of this qualitative multiple case research was to look into the cybersecurity tactics employed by IT managers and compliance officers to protect critical infrastructure from cyber threats. The participants in this study were IT managers and compliance officials from four Zambian case organizations. The conceptual framework was based on the routine activity theory published by criminologists Cohen and Felson in 1979. Interviews with two IT managers, three compliance officers, and 25 papers relating to cybersecurity and policy governance were used to gather data. Four significant themes emerged from data triangulation: the need for a robust worker training program, prioritizing infrastructure resiliency, the importance of security awareness, and the importance of organizational leadership support and investment. This research uncovered essential tactics that can help OT and compliance professionals enhance their cybersecurity strategy, which can help reduce successful assaults on critical infrastructure. The study findings will contribute to positive social change through an exploration and contextual analysis of cybersecurity strategy with situational awareness of OT practices to enhance cyber threat mitigation and inform business processes.

Fatai Adeshina Adelani,Tosin Michael Olatunde,Johnson Sunday Oliha

DOI: https://doi.org/10.53294/ijfetr.2024.6.2.0029

2024-04-30

International Journal of Frontiers in Engineering and Technology Research

Abstract:This review paper examines the theoretical perspectives on cybersecurity challenges facing critical water infrastructure, with a focus on comparative insights from Africa and the United States. By exploring foundational theories of risk management, resilience, and deterrence, the paper delineates how these concepts are applied and adapted to address the cybersecurity needs of critical water systems within the distinct contexts of the two regions. The analysis identifies common challenges such as malware attacks, system vulnerabilities, human factors, and how regional differences influence technological infrastructure, regulatory environments, and cyber threat landscapes. Through a comparative analysis, the paper highlights lessons learned and best practices from both regions, emphasizing the importance of capacity building, comprehensive risk management, and the role of public-private partnerships. The paper concludes with a call for future research to develop adaptable theoretical models that address different regions' unique cybersecurity challenges, underlining theoretical understanding's critical role in enhancing the global resilience of critical water infrastructure against cyber threats.

Alexis Pengfei Zhao,Shuangqi Li,Chenghong Gu,Xiaohe Yan,Paul Jen-Hwa Hu,Zhaoyu Wang,Da Xie,Zhidong Cao,Xinlei Chen,Chenye Wu,Tianyi Luo,Zikang Wang,Ignacio Hernando-Gil

DOI: https://doi.org/10.1109/jestie.2024.3434350

2024-01-01

IEEE Journal of Emerging and Selected Topics in Industrial Electronics

Abstract:In an era characterized by extensive use of and reliance on information and communications technology (ICT), cyber-physical power systems (CPPS) have emerged as a critical integral of modern power infrastructures, providing vital energy sources to consumers, communities, and industries worldwide. The integration of ICT in these systems, while beneficial, introduces a rapidly evolving range of cybersecurity challenges that significantly threaten their confidentiality, integrity, and availability. To address this, our article offers a comprehensive and timely survey of the current landscape of cyber vulnerabilities in CPPS, reflecting the latest developments in the field up to the present. This includes an in-depth analysis of the diverse types of cyber threats to CPPS and their potential consequences, underscoring the necessity for a broad, multidisciplinary approach. Our review is distinguished by its thoroughness and timeliness, covering recent research to offer one of the most current overviews of cybersecurity in CPPSs. We adopt a holistic perspective, integrating technical, societal, environmental, and policy implications, thereby providing a more comprehensive understanding of cybersecurity in CPPSs. We delve into the complexities of cyberattacks, exploring sophisticated, targeted attacks alongside common threats, and emphasize the dynamic nature of cyber threats, providing insights into their evolution and future trends. Additionally, our review highlights critical yet often overlooked challenges such as system visibility and standardization in security protocols, arguing their significance in enhancing CPPS resilience. Furthermore, our work gives special attention to the aspects of restoration and recovery post-cyberattack, an area less emphasized in existing literature. Through this comprehensive overview of the current state and evolving challenges of CPPS security, our article serves as an indispensable resource for research, practice, and policymaking dedicated to safeguarding the safety, reliability, and resilience of ICTempowered energy systems.

S. Altayaran,Wael Elmedany

DOI: https://doi.org/10.1109/ICDABI53623.2021.9655950

2021-10-25

Abstract:The rising of technology in the 21st century grows in a way that we never thought of before. The COVID-19 pandemic shifted many organizations in different sizes, specialties, and sectors to work online, resulting in a critical need to secure their software, applications, and web-based applications. Furthermore, Organizations that do not implement security in the Software Development Life Cycle (SDLC) process often discover that their applications suffer from security flaws and security bugs, thus exposing their applications to attacks. Applying security measures to the SDLC will ensure that applications are secure from the early planning stages until release. Penetration testing is an essential security measure and is counted as one of the best security practices applied to applications because it focuses on the technical part of application security. Each kind of application the organization uses, in-house developed applications or on-the-shelf applications, has its method for penetration testing. This paper is a systematic literature review that examines the web application security measures and the penetration testing methods and tools to detect vulnerabilities on web applications. Moreover, it gives a general view of adapting penetration testing as a security approach to the SDLC.

Engineering,Medicine,Computer Science

Ioannis Zografopoulos,Juan Ospina,XiaoRui Liu,Charalambos Konstantinou

DOI: https://doi.org/10.48550/arXiv.2101.10198

2021-01-25

Cryptography and Security

Abstract:Cyber-physical systems (CPS) are interconnected architectures that employ analog, digital, and communication resources for their interaction with the physical environment. CPS are the backbone of enterprise, industrial, and critical infrastructure. Thus, their vital importance makes them prominent targets for malicious attacks aiming to disrupt their operations. Attacks targeting cyber-physical energy systems (CPES), given their mission-critical nature, can have disastrous consequences. The security of CPES can be enhanced leveraging testbed capabilities to replicate power system operations, discover vulnerabilities, develop security countermeasures, and evaluate grid operation under fault-induced or maliciously constructed scenarios. In this paper, we provide a comprehensive overview of the CPS security landscape with emphasis on CPES. Specifically, we demonstrate a threat modeling methodology to accurately represent the CPS elements, their interdependencies, as well as the possible attack entry points and system vulnerabilities. Leveraging the threat model formulation, we present a CPS framework designed to delineate the hardware, software, and modeling resources required to simulate the CPS and construct high-fidelity models which can be used to evaluate the system's performance under adverse scenarios. The system performance is assessed using scenario-specific metrics, while risk assessment enables system vulnerability prioritization factoring the impact on the system operation. The overarching framework for modeling, simulating, assessing, and mitigating attacks in a CPS is illustrated using four representative attack scenarios targeting CPES. The key objective of this paper is to demonstrate a step-by-step process that can be used to enact in-depth cybersecurity analyses, thus leading to more resilient and secure CPS.

Ankur Shukla,Basel Katt,Livinus Obiora Nweke,Prosper Kandabongee Yeng,Goitom Kahsay Weldehawaryat

DOI: https://doi.org/10.1016/j.cosrev.2022.100496

2022-07-29

Abstract:System security assurance provides the confidence that security features, practices, procedures, and architecture of software systems mediate and enforce the security policy and are resilient against security failure and attacks. Alongside the significant benefits of security assurance, the evolution of new information and communication technology (ICT) introduces new challenges regarding information protection. Security assurance methods based on the traditional tools, techniques, and procedures may fail to account new challenges due to poor requirement specifications, static nature, and poor development processes. The common criteria (CC) commonly used for security evaluation and certification process also comes with many limitations and challenges. In this paper, extensive efforts have been made to study the state-of-the-art, limitations and future research directions for security assurance of the ICT and cyber-physical systems (CPS) in a wide range of domains. We conducted a systematic review of requirements, processes, and activities involved in system security assurance including security requirements, security metrics, system and environments and assurance methods. We highlighted the challenges and gaps that have been identified by the existing literature related to system security assurance and corresponding solutions. Finally, we discussed the limitations of the present methods and future research directions.

Cryptography and Security,Software Engineering

Craig Rieger,Milos Manic

DOI: https://doi.org/10.48550/arXiv.1812.02710

2018-12-07

Abstract:This short paper is presented in observance and promotion of November, the National Month of Critical Infrastructure Security and Resilience (CISR), established by the United States Department of Homeland Security in 2013. The CISR term focuses on essential assets (critical infrastructures) and two ultimate goals of making them secure and resilient. These assets and goals were put together in 2013 in the now well-known Presidential Policy Directive on CISR (PPD-21). This paper presents easy-to-ready material laying down the building blocks of CISR - what it means to you as a regular citizen, professional, or government worker. This paper presents concepts behind security and resilience pertinent to various types of activities - from every day to field-specific activities. This paper also presents basic elements to the field: 1. high-level introduction to the organizational units dealing with CISR in the United States; 2. explanation of basic terms and a list of further reading material; and 3. several discussion topics on the vision and future of CISR in critical infrastructure cyber-physical systems.

Cryptography and Security

Giovanna Dondossola,Geert Deconinck,Felicita Di Giandomenico,Susanna Donatelli,Mohamed Kaaniche,Paulo Verissimo

DOI: https://doi.org/10.48550/arXiv.1211.5736

2012-11-25

Performance

Abstract:The paper refers to CRUTIAL, CRitical UTility InfrastructurAL Resilience, a European project within the research area of Critical Information Infrastructure Protection, with a specific focus on the infrastructures operated by power utilities, widely recognized as fundamental to national and international economy, security and quality of life. Such infrastructures faced with the recent market deregulations and the multiple interdependencies with other infrastructures are becoming more and more vulnerable to various threats, including accidental failures and deliberate sabotage and malicious attacks. The subject of CRUTIAL research are small scale networked ICT systems used to control and manage the electric power grid, in which artifacts controlling the physical process of electricity transportation need to be connected with corporate and societal applications performing management and maintenance functionality. The peculiarity of such ICT-supported systems is that they are related to the power system dynamics and its emergency conditions. Specific effort need to be devoted by the Electric Power community and by the Information Technology community to influence the technological progress in order to allow commercial intelligent electronic devices to be effectively deployed for the protection of citizens against cyber threats to electric power management and control systems. A well-founded know-how needs to be built inside the industrial power sector to allow all the involved stakeholders to achieve their service objectives without compromising the resilience properties of the logical and physical assets that support the electric power provision.

Krutarth Chauhan

2024-07-24

Abstract:Conventional security solutions are insufficient to address the urgent cybersecurity challenge posed by insider attacks. While a great deal of research has been done in this area, our systematic literature analysis attempts to give readers a thorough grasp of penetration testing's role in reducing insider risks. We aim to arrange and integrate the body of knowledge on insider threat prevention by using a grounded theory approach for a thorough literature review. This analysis classifies and evaluates the approaches used in penetration testing today, including how well they uncover and mitigate insider threats and how well they work in tandem with other security procedures. Additionally, we look at how penetration testing is used in different industries, present case studies with real-world implementations, and discuss the obstacles and constraints that businesses must overcome. This study aims to improve the knowledge of penetration testing as a critical part of insider threat defense, helping to create more comprehensive and successful security policies.

Cryptography and Security