Syed,M. Rahman,Shannon E. Donahue

DOI: https://doi.org/10.48550/arXiv.1002.1950

2010-02-10

Abstract:As physical and information security boundaries have become increasingly blurry many organizations are experiencing challenges with how to effectively and efficiently manage security within the corporate. There is no current standard or best practice offered by the security community regarding convergence; however many organizations such as the Alliance for Enterprise Security Risk Management (AESRM) offer some excellent suggestions for integrating a converged security program. This paper reports on how organizations have traditionally managed asset protection, why that is changing and how to establish convergence to optimize security value to the business within an enterprise.

Cryptography and Security

Jiming Chen,Vijay Gupta,Daniel E. Quevedo,Pietro Tesi

DOI: https://doi.org/10.1002/rnc.5051

IF: 3.8973

2020-01-01

International Journal of Robust and Nonlinear Control

Abstract:Due to advances in computing and communication technologies, there has been a growing interest in cyberphysical systems (CPS). These are systems where physical devices are monitored/controlled via embedded computers and networks. By exploiting sensing, computation, and networking capabilities, CPS are paving the way for a new generation of engineering systems, which enable automatic decision‐making processes in fields ranging from customized manufacturing and transportation to health care and energy. Integration of information technology methods with a physical system such as a power grid, transportation system, and supply chain to form a “smart” infrastructure holds the promise of greater efficiency, reliability, and sustainability. However, any such coupling introduces privacy and security issues. The “systems and control” community has contributed to the CPS agenda, addressing issues like estimation, control, and coordination under information constraints. However, a deep understanding of the privacy and security requirements in CPS and their influence on classical control‐theoretic paradigms is still missing...

Bassam Zahran,Adamu Hussaini,Aisha Ali-Gombe

DOI: https://doi.org/10.48550/arXiv.2302.09426

2023-02-19

Abstract:IoT is undoubtedly considered the future of the Internet. Many sectors are moving towards the use of these devices to aid better monitoring, controlling of the surrounding environment, and manufacturing processes. The Industrial Internet of things is a sub-domain of IoT and serves as enablers of the industry. IIoT is providing valuable services to Industrial Control Systems such as logistics, manufacturing, healthcare, industrial surveillance, and others. Although IIoT service-offering to ICS is tempting, it comes with greater risk. ICS systems are protected by isolation and creating an air-gap to separate their network from the outside world. While IIoT by definition is a device that has connection ability. This creates multiple points of entry to a closed system. In this study, we examine the first automated risk assessment system designed specifically to deal with the automated risk assessment and defining potential threats associated with IT/OT convergence based on OCTAVE Allegro- ISO/IEC 27030 Frameworks.

Cryptography and Security

Yen-Neng Chiang,Yi-Wei Ma,Jiann-Liang Chen,Yi-Hao Tu,Chia-Wei Tsou

DOI: https://doi.org/10.70003/160792642024072504005

2024-07-31

Abstract:The utilization of network technology in Industrial Control Systems (ICS) is becoming increasingly prevalent due to advancements in the Fifth Generation Networks (5G), the Internet of Things (IoT), cloud computing, and big data. These technologies have significantly enhanced intelligent mobile device data transmission speed and interaction levels. The connection of ICS devices to a network gives rise to supplementary security considerations. Hence, this paper must analyze and synthesize pertinent scholarly works on cyber security and safety within the ICS sector. This paper further categorizes the security risks that ICS may encounter into six distinct areas: attack, detect, risk estimation, incident response, protect, and incident prevention. Extensive literature evaluations and rigorous research were conducted to examine the subject matter thoroughly. Based on the findings, comprehensive suggestions and strategic approaches were produced for each specific area. This paper proposed the ICS-based Purdue Enterprise Reference Architecture (PERA) to evaluate the threat and solution for enhancing ICS security and safety.

Engineering,Computer Science

Kyle Dees,Shawon Rahman

DOI: https://doi.org/10.48550/arXiv.1512.00064

2015-11-30

Computers and Society

Abstract:As a result of the increased dependency on obtaining information and connecting each computer together for ease of access or communication, organizations risk being attacked and losing private information through breaches or insecure business activities. To help protect organizations and their assets, companies need to develop a strong understanding of the risks imposed on their company and the security solutions designed to prevent or minimize vulnerabilities. To reduce the impact threats have on a network, organizations need to: design a defense layer system that provides multiple instances of protection to prevent unauthorized access to core information, implement a strong network hardware/intrusion prevention system, and create all-inclusive network or security policies that detail user rules and company rights. In order to enhance the overall security of a basic infrastructure, this paper will provide a detailed look into gathering the organizational requirements, designing and implementing a secure physical network layout, and selecting the standards needed to prevent unauthorized access

Joseph H. Schuessler

DOI: https://doi.org/10.1080/15536548.2013.10845676

2013-04-01

Journal of Information Privacy and Security

Abstract:Information Systems Security (ISS) is of major concern to not only network administrators, but also for managers of organizations for a variety of reasons including: the need for organizations to comply with various regulatory agencies, the reliance on information systems to provide the organizational backbone to the organization, and rising operational dependence on ecommerce to conduct daily business activities. These aspects create challenges for network managers who are tasked with balancing the needs of stakeholders with protection of sensitive information and valuable hardware. Despite ISS being largely a managerial issue, managerial concern for ISS is inadequate, evidenced by its consistently low ranking as a key issue in information systems management surveys. This research seeks to examine the current state of threats faced by organizations and the countermeasures they employ by examining prior research on the subject and comparing the results of that research to interview responses from “experts” in positions that required both a technical and managerial understanding of the threats and countermeasures faced and used respectively. Results suggest that, based on interview responses from experts, both threats and countermeasure responses have changed over time. Interpretation of the results will help systems administrators and network managers better understand modern threats and point towards potential remedies to mitigate the risk generated by such threats.

Florence Sèdes

2024-06-17

Abstract:Major transformations related to information technologies affect InformationSystems (IS) that support the business processes of organizations and their actors. Deployment in a complex environment involving sensitive, massive and heterogeneous data generates risks with legal, social and financial impacts. This context of transition and openness makes the security of these IS central to the concerns of organizations. The digitization of all processes and the opening to IoT devices (Internet of Things) has fostered the emergence of a new formof crime, i.e. cybercrime.This generic term covers a number of malicious acts, the majority of which are now perpetrated using social engineering strategies, a phenomenon enabling a combined exploitation of ``human'' vulnerabilities and digital tools. The maliciousness of such attacks lies in the fact that they turn users into facilitators of cyber-attacks, to the point of being perceived as the ``weak link'' of <a class="link-external link-http" href="http://cybersecurity.As" rel="external noopener nofollow">this http URL</a> deployment policies prove insufficient, it is necessary to think about upstream steps: knowing how to anticipate, identifying weak signals and outliers, detect early and react quickly to computer crime are therefore priority issues requiring a prevention and cooperation <a class="link-external link-http" href="http://approach.In" rel="external noopener nofollow">this http URL</a> this overview, we propose a synthesis of literature and professional practices on this subject.

Cryptography and Security,Databases

Riham Altawy,Amr M. Youssef

DOI: https://doi.org/10.1109/access.2016.2521727

IF: 3.9

2016-01-01

IEEE Access

Abstract:The new culture of networked systems that offer everywhere accessible services has given rise to various types of security tradeoffs. In fact, with the evolution of physical systems that keep getting integrated with cyber frameworks, cyber threats have far more critical effects as they get reflected on the physical environment. As a result, the issue of security of cyber physical systems requires a special holistic treatment. In this paper, we study the tradeoff between security, safety, and availability in such systems and demonstrate these concepts on implantable medical devices as a case study. We discuss the challenges and constraints associated with securing such systems and focus on the tradeoff between security measures required for blocking unauthorized access to the device and the safety of the patient in emergency situations where such measures must be dropped to allow access. We analyze the up to date proposed solutions and discuss their strengths and limitations.

computer science, information systems,telecommunications,engineering, electrical & electronic

Iosif Progoulakis,Paul Rohmeyer,Nikitas Nikitakos

DOI: https://doi.org/10.3390/jmse9121384

IF: 2.744

2021-12-05

Journal of Marine Science and Engineering

Abstract:The integration of IT, OT, and human factor elements in maritime assets is critical for their efficient and safe operation and performance. This integration defines cyber physical systems and involves a number of IT and OT components, systems, and functions that involve multiple and diverse communication paths that are technologically and operationally evolving along with credible cyber security threats. These cyber security threats and risks as well as a number of known security breach scenarios are described in this paper to highlight the evolution of cyber physical systems in the maritime domain and their emerging cyber vulnerabilities. Current industry and governmental standards and directives related to cyber security in the maritime domain attempt to enforce the regulatory compliance and reinforce asset cyber security integrity for optimum and safe performance with limited focus, however, in the existing OT infrastructure and systems. The use of outside-of-the-maritime industry security risk assessment tools and processes, such the API STD 780 Security Risk Assessment (SRA) and the Bow Tie Analysis methodologies, can assist the asset owner to assess its IT and OT infrastructure for cyber and physical security vulnerabilities and allocate proper mitigation measures assuming their similarities to ICS infrastructure. The application of cyber security controls deriving from the adaptation of the NIST CSF and the MITRE ATT&CK Threat Model can further increase the cyber security integrity of maritime assets, assuming they are periodically evaluated for their effectiveness and applicability. Finally, the improvement in communication among stakeholders, the increase in operational and technical cyber and physical security resiliency, and the increase in operational cyber security awareness would be further increased for maritime assets by the convergence of the distinct physical and cyber security functions as well as onshore- and offshore-based cyber infrastructure of maritime companies and asset owners.

oceanography,engineering, marine, ocean

Qi-Xian Huang,Ming-Chang Lu,Min-Yi Chiu,Yuan-Chia Tsai,Hung-Min Sun

DOI: https://doi.org/10.3390/s22051882

IF: 3.9

2022-01-01

Sensors

Abstract:Cyberattacks are increasing in both number and severity for private, corporate, and governmental bodies. To prevent these attacks, many intrusion detection systems and intrusion prevention systems provide computer security by monitoring network packets and auditing system records. However, most of these systems only monitor network packets rather than the computer itself, so physical intrusion is also an important security issue. Furthermore, with the rapid progress of the Internet of Things (IoT) technology, security problems of IoT devices are also increasing. Many IoT devices can be disassembled for decompilation, resulting in the theft of sensitive data. To prevent this, physical intrusion detection systems of the IoT should be considered. We here propose a physical security system that can protect data from unauthorized access when the computer chassis is opened or tampered with. Sensor switches monitor the chassis status at all times and upload event logs to a cloud server for remote monitoring. If the system finds that the computer has an abnormal condition, it takes protective measures and notifies the administrator. This system can be extended to IoT devices to protect their data from theft.

Giuseppe Cascavilla,Damian A. Tamburri,Francesco Leotta,Massimo Mecella,WillemJan Van Den Heuvel

DOI: https://doi.org/10.1016/j.infsof.2023.107260

2023-11-29

Abstract:Context: The demand for protection and security of physical spaces and urban areas increased with the escalation of terroristic attacks in recent years. We envision with the proposed cyber-physical systems and spaces, a city that would indeed become a smarter urbanistic object, proactively providing alerts and being protective against any threat. Objectives: This survey intend to provide a systematic multivocal literature survey comprised of an updated, comprehensive and timely overview of state of the art in counter-terrorism cyber-physical systems, hence aimed at the protection of cyber-physical spaces. Hence, provide guidelines to law enforcement agencies and practitioners providing a description of technologies and best practices for the protection of public spaces. Methods: We analyzed 112 papers collected from different online sources, both from the academic field and from websites and blogs ranging from 2004 till mid-2022. Results: a) There is no one single bullet-proof solution available for the protection of public spaces. b) From our analysis we found three major active fields for the protection of public spaces: Information Technologies, Architectural approaches, Organizational field. c) While the academic suggest best practices and methodologies for the protection of urban areas, the market did not provide any type of implementation of such suggested approaches, which shows a lack of fertilization between academia and industry. Conclusion: The overall analysis has led us to state that there is no one single solution available, conversely, multiple methods and techniques can be put in place to guarantee safety and security in public spaces. The techniques range from architectural design to rethink the design of public spaces keeping security into account in continuity, to emerging technologies such as AI and predictive surveillance.

Computers and Society,Cryptography and Security,Information Theory,Software Engineering

J Ceasar Aguma,Bruce McMillin,Amelia Regan

DOI: https://doi.org/10.48550/arXiv.1805.01975

2018-05-05

Cryptography and Security

Abstract:Computing and technology have vastly changed since the introduction of firewall technology in 1988. The internet has grown from a simple network of networks to a cyber and physical entity that encompasses the entire planet. Cyber-physical systems(CPS) now control most of the day to day operations of human civilization from autonomous cars to nuclear energy plants. While phenomenal, this growth spurt has created new security threats. These are threats that cannot be blocked by a firewall for they are not only cyber but cyber-physical. In light of these new cyber-physical threats, this text proposes a security measure that promises to enhance the security of cyber-physical systems. Using theoretical cyber, physical, and cyber-physical attack scenarios, this text will highlight the need for some sort of monitor in cyber-physical systems as an extra security measure. Additionally, this text will illustrate the efficiency of said monitor using a Shannon entropy proof, and a multiple security domain nondeducibility(MSDND) proof.

Quanqi Ye,Heng Chuan Tan,Daisuke Mashima,Binbin Chen,Zbigniew Kalbarczyk

DOI: https://doi.org/10.36227/techrxiv.15147171

2021-08-12

Abstract:Industrial Control Systems (ICS) are traditionally designed to operate in an "air-gapped" environment. With the advent of digital technologies, many ICS are adopting IT solutions to improve interoperability and operational efficiency. Thus, the air-gap assumption no longer holds in practice. Most ICS devices today are modernized with networking capabilities to facilitate system maintenance, upgrades, and troubleshooting. Since these devices are connected to the Internet, ICS networks face the same security threats as regular IT systems. In addition, ICS operators can connect commercial off-the-shelf (COTS) equipment to ICS networks to perform operational tasks. Those COTS devices are usually personal computers or even mobile devices, which can be infected with malware and become weapons against ICS. In this position paper, we examine the design challenges of establishing trust between COTS equipment and ICS. We also present some commonly used security solutions and discuss their deployment challenges due to issues caused by legacy systems. Finally, we introduce the Trusted Execution Environment (TEE), a technology commonly available on modern COTS devices, as a trust anchor for establishing secure communications with the ICS infrastructure. We discuss some research gaps related to the use of TEE and propose some recommendations to guide future research.

Peter Kieseberg,Edgar Weippl

DOI: https://doi.org/10.1007/978-3-319-71440-0_1

2017-11-19

Abstract:Within the last decade, Security became a major focus in the traditional IT-Industry, mainly through the interconnection of systems and especially through the connection to the Internet. This opened up a huge new attack surface, which resulted in major takedowns of legitimate services and new forms of crime and destruction. This led to the development of a multitude of new defense mechanisms and strategies, as well as the establishing of Security procedures on both, organizational and technical level. Production systems have mostly remained in isolation during these past years, with security typically focused on the perimeter. Now, with the introduction of new paradigms like Industry 4.0, this isolation is questioned heavily with Physical Production Systems (PPSs) now connected to an IT-world resulting in cyber-physical systems sharing the attack surface of traditional web based interfaces while featuring completely different goals, parameters like lifetime and safety, as well as construction. In this work, we present an outline on the major security challenges faced by cyber-physical production systems. While many of these challenges harken back to issues also present in traditional web based IT, we will thoroughly analyze the differences. Still, many new attack vectors appeared in the past, either in practical attacks like Stuxnet, or in theoretical work. These attack vectors use specific features or design elements of cyber-physical systems to their advantage and are unparalleled in traditional IT. Furthermore, many mitigation strategies prevalent in traditional IT systems are not applicable in the industrial world, e.g., patching, thus rendering traditional strategies in IT-Security unfeasible. A thorough discussion of the major challenges in CPPS-Security is thus required in order to focus research on the most important targets.

David Hood,Syed Shawon Rahman

DOI: https://doi.org/10.48550/arXiv.1111.1770

2011-11-07

Cryptography and Security

Abstract:Information security is one of the most important aspects of technology, we cannot protect the best interests of our organizations' assets (be that personnel, data, or other resources), without ensuring that these assetsare protected to the best of their ability. Within the Defense Department, this is vital to the security of not just those assets but also the national security of the United States. Compromise insecurity could lead severe consequences. However, technology changes so rapidly that change has to be made to reflect these changes with security in mind. This article outlines a growing technological change (virtualization and cloud computing), and how to properly address IT security concerns within an operating environment. By leveraging a series of encrypted physical and virtual systems, andnetwork isolation measures, this paper delivered a secured high performance computing environment that efficiently utilized computing resources, reduced overall computer processing costs, and ensures confidentiality, integrity, and availability of systems within the operating environment.

Omar Shareef

DOI: https://doi.org/10.47760/ijcsmc.2024.v13i02.006

2024-02-28

International Journal of Computer Science and Mobile Computing

Abstract:The security and resilience of organizational IT systems are of paramount importance in today's fast-paced digital environment. With the proliferation of “cyber threats”, organizations must adopt proactive measures to protect their assets and maintain operational continuity. The purpose of this article is to provide insight into the nuances of the implementation of a robust framework for “IT controls”, so that organizations seeking to strengthen their defenses can better understand the importance of each component. The article begins by emphasizing the foundational role of governance and oversight in establishing clear policies, procedures, and accountability structures. Strong governance sets the stage for cultivating a culture of compliance and accountability throughout the organization. Next, the article delves into the critical aspect of “risk management”, highlighting the importance of identifying and mitigating IT-related risks to safeguard organizational security and resilience. Through comprehensive “risk assessments”, organizations can prioritize mitigation efforts and allocate resources effectively. In order to prevent unauthorized access to critical IT systems and resources, access controls are discussed, emphasizing the importance of robust authentication mechanisms and role-based access controls. Change management processes are explored as essential components in managing IT changes effectively, minimizing the risk of disruptions and vulnerabilities associated with system changes. “Data security” emerges as a key focus area, with an emphasis on protecting the confidentiality, integrity, and availability of organizational data assets through robust encryption, access controls, and data loss prevention technologies. Incident management processes are highlighted as crucial for responding swiftly and effectively to security incidents, minimizing their impact and restoring normal operations promptly. Compliance and audit processes are discussed in the context of ensuring adherence to regulatory requirements and industry standards, mitigating the risk of non-compliance penalties and reputational damage. The importance of security awareness training in cultivating a culture of security among employees is emphasized, along with the need for continuous monitoring and improvement to adapt to evolving “threats” effectively. Overall, the article underscores the importance of implementing a comprehensive framework for IT controls to enhance “organizational security”, “compliance” and resilience in today's digital landscape. Through collaborative efforts across all levels of the organization, organizations can effectively “mitigate risks”, safeguard their assets and achieve their business objectives amidst evolving “cyber threats”.

Rajan R.,Venkata Subramanian Dayanandan,Shankar P.,Ranganath Tngk

DOI: https://doi.org/10.4018/978-1-7998-5024-3.ch014

2021-01-01

Abstract:A smart city aims at developing an ecosystem wherein the citizens will have instant access to amenities required for a healthy and safe living. Since the mission of smart city is to develop and integrate many facilities, it is envisaged that there is a need for making the information available instantly for right use of such infrastructure. So, there exists a need to design and implement a world-class physical security measures which acts as a bellwether to protect people life from physical security threats. It is a myth that if placing adequate number of cameras alone would enhance physical security controls in smart cities. There is a need for designing and building comprehensive physical security controls, based on the principles of “layered defense-in-depth,” which integrates all aspects of physical security controls. This chapter will review presence of existing physical security technology controls for smart cities in line with the known security threats and propose the need for an AI-enabled physical security premise.

LI Yufeng,LAN Julong,XUE Xiangyang

DOI: https://doi.org/10.3969/j.issn.1009-6868.2011.04.007

2011-01-01

Abstract:This paper proposes a Common Security and Control Framework(CSCF) for application security,network security,information security,and behavioral security in tri-network convergence.CSCF has an independent architecture and can be operated transparently across the whole network.It treats the network link as the control object and can perform functions such as link traffic identification and link traffic analysis.It can also check and control a security problem at one point and initiate a whole-system response.CSCF is based on a distributed security and control platform with high scalability.This paper discusses the development of techniques used to establish a security system that proactively defends against threats,flexibly reacts to and blocks threats as they occur,and traces threats.

Chuadhry Mujeeb Ahmed,Jianying Zhou

DOI: https://doi.org/10.48550/arXiv.2004.03178

2020-04-07

Abstract:The integration of cyber technologies (computing and communication) with the physical world gives rise to complex systems referred to as Cyber Physical Systems (CPS), for example, manufacturing, transportation, smart grid, and water treatment. Many of those systems are part of the critical infrastructure and need to perform safely, reliably, and securely in real-time. CPS security is challenging as compared to the conventional IT systems. An adversary can compromise the system in both the cyber and the physical domains. However, the unique set of technologies and processes being used in a CPS also bring up opportunities for defense. CPS security has been approached in several ways due to the complex interaction of physical and cyber components. In this work, a comprehensive study is taken to summarize the challenges and the proposed solutions for securing CPS from a Physics-based perspective.

Cryptography and Security,Systems and Control

Wajeb Gharibi,Abdulrahman Mirza

DOI: https://doi.org/10.48550/arXiv.1105.2002

2011-05-10

Cryptography and Security

Abstract:This article aims to highlight current trends on the market of corporate antivirus solutions. Brief overview of modern security threats that can destroy IT environment is provided as well as a typical structure and features of antivirus suits for corporate users presented on the market. The general requirements for corporate products are determined according to the last report from av-comparatives.org [1]. The detailed analysis of new features is provided based on an overview of products available on the market nowadays. At the end, an enumeration of modern trends in antivirus industry for corporate users completes this article. Finally, the main goal of this article is to stress an attention about new trends suggested by AV vendors in their solutions in order to protect customers against newest security threats.