Abstract
Industrial Control Systems (ICSs) are of the most important components of National Critical Infrastructure. They can provide control capabilities in complex systems of critical importance such as energy production and distribution, transportation, telecoms etc. Protection of such systems is the cornerstone of essential service provision with resilience and in timely manner. Effective risk management methods form the basis for the protection of an Industrial Control System. However, the nature of ICSs render traditional risk management methods insufficient. The proprietary character and the complex interrelationships of the various systems that form an ICS, the potential impacts outside its boundaries, along with emerging trends such as the exposure to the Internet, necessitate revisiting traditional risk management methods, in a way that treat an ICS as a system-of-systems rather than a single, one-off entity. Towards this direction, in this paper we present enhancements to the traditional risk management methods at the phase of risk assessment, by utilising the cybernetic construct of the Viable System Model (VSM) as a means towards a holistic view of the risks against Critical Infrastructure. For the purposes of our research, utilising VSM’s recursive nature, we model the Supervisory Control and Data Acquisition (SCADA) system, a most commonly used ICS, as a VSM and identify the various assets, interactions with the internal and external environment, threats and vulnerabilities.
This work was supported by the Systems Centre and the EPSRC funded Industrial Doctorate Centre in Systems (Grant EP/G037353/1).
Chapter PDF
Similar content being viewed by others
Keywords
- Critical Infrastructure
- Risk Assessment Process
- Risk Assessment Method
- Viable System Model
- Industrial Control System
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.
References
Stouffer, K., Falco, J., Scarfone, K.: Guide to industrial control systems (ics) security. NIST Special Publication 800(82) 16–16
European Commission: Council directive 2008/114/ec of 8 december 2008 on the identification and designation of european critical infrastructures and the assessment of the need to improve their protection. Official Journal of the European Union (2008)
Peltier, T.R.: Information security risk analysis. CRC Press (2005)
Stoneburner, G., Goguen, A.Y., Feringa, A.: SP 800-30. risk management guide for information technology systems. Technical report, National Institute of Standards & Technology, Gaithersburg, MD, United States (2002)
Alberts, C.J., Dorofee, A.: Managing information security risks: the OCTAVE approach. Addison-Wesley Longman Publishing Co., Inc. (2002)
Karabacak, B., Sogukpinar, I.: Isram: information security risk analysis method. Computers & Security 24(2), 147–159 (2005)
Stouffer, K., Falco, J., Kent, K.: Guide to supervisory control and data aquisition (scada) and industrial control systems security. Recommendations of the National Institute of Standards and Technology (NIST). Special Publication, 800–82 (2006)
Georgios, G., Roberto, F., Muriel, S.: Risk assessment methodologies for critical infrastructure protection. part i: A state of the art. EUR - scientific and technical research reports, JRC.G.6-Security technology assessment (2012)
Espejo, R., Harnden, R.: The viable system model: interpretations and applications of Stafford Beer’s VSM. Wiley, Chichester (1989)
Rinaldi, S.M., Peerenboom, J.P., Kelly, T.K.: Identifying, understanding, and analyzing critical infrastructure interdependencies. IEEE Control Systems 21(6), 11–25 (2001)
Chunlei, W., Lan, F., Yiqi, D.: A simulation environment for scada security analysis and assessment. In: 2010 International Conference on Measuring Technology and Mechatronics Automation (ICMTMA), vol. 1, pp. 342–347. IEEE (2010)
Taylor, C., Krings, A., Alves-Foss, J.: Risk analysis and probabilistic survivability assessment (rapsa): An assessment approach for power substation hardening. In: Proc. ACM Workshop on Scientific Aspects of Cyber Terrorism(SACT), Washington, DC, vol. 64 (2002)
Beer, S.: Brain of the firm: the managerial cybernetics of organization. J. Wiley, New York (1981)
Beer, S.: The heart of enterprise. John Wiley & Sons, Chichester (1994)
Hutchinson, B., Warren, M.: Information warfare: using the viable system model as a framework to attack organisations. Australasian Journal of Information Systems 9(2) (2007)
Alqurashi, E., Wills, G., Gilbert, L.: A viable system model for information security governance: Establishing a baseline of the current information security operations system. In: Janczewski, L.J., Wolfe, H.B., Shenoi, S. (eds.) SEC 2013. IFIP AICT, vol. 405, pp. 245–256. Springer, Heidelberg (2013)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2014 IFIP International Federation for Information Processing
About this paper
Cite this paper
Spyridopoulos, T., Topa, IA., Tryfonas, T., Karyda, M. (2014). A Holistic Approach for Cyber Assurance of Critical Infrastructure with the Viable System Model. In: Cuppens-Boulahia, N., Cuppens, F., Jajodia, S., Abou El Kalam, A., Sans, T. (eds) ICT Systems Security and Privacy Protection. SEC 2014. IFIP Advances in Information and Communication Technology, vol 428. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-55415-5_37
Download citation
DOI: https://doi.org/10.1007/978-3-642-55415-5_37
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-55414-8
Online ISBN: 978-3-642-55415-5
eBook Packages: Computer ScienceComputer Science (R0)