Development, Distribution, and Maintenance of Application Security Controls for Nuclear

2018 ◽  
Vol 4 (4) ◽  
Author(s):  
Karl Waedt ◽  
Yongjian Ding ◽  
Antonio Ciriello ◽  
Xinxin Lou

The generic concept of security controls, as initially deployed in the information security domain, is gradually being used in other business domains, including industrial security for critical infrastructure and cybersecurity of nuclear safety instrumentation & control (I&C). A security control, or less formally a security countermeasure, can be any organizational, technical, or administrative measure that helps to reduce the risk posed by a cybersecurity threat. The new IAEA NST036 lists more than 200 such countermeasures. NIST SP800-53 Revision 4 contains about 450 pages of security countermeasure descriptions, which are graded according to three levels of stringency. In order to facilitate and formalize the process of developing, precisely describing, distributing, and maintaining more complex security controls, the application security controls (ASC) concept is introduced by the new ISO/IEC 27034 multipart standard. An ASC is an extensible semiformal representation of a security control (for example XML- or JSON-based), which contains a set of mandatory and optional parts as well as possible links to other ASCs. A set of ASCs may be developed by one company and shipped together with a product of another company. ISO/IEC 27034-6 assumes that ASCs are developed by an organization or team specialized in security and that the ASCs are forwarded to customers for direct use or for integration into their own products or services. The distribution of ASCs is supported and formalized by the organization normative frameworks (ONFs) and application normative frameworks (ANFs) deployed in the respective organizational units. The maintenance and continuous improvement of ASCs is facilitated by the ONF process and ANF process. This paper will explore the applicability of these industry-standard-based ASC lifecycle concepts to the nuclear domain in line with IEC 62645, IEC 62859, and the upcoming IEC 63096. It will include results from an ongoing bachelor thesis and master thesis, mentored by two of the authors, as well as nuclear-specific deployment scenarios currently being evaluated by a team of cybersecurity Ph.D. candidates.


Author(s):  
Joshua Lubell

Small Arcane Nontrivial Datasets (SANDs) are frequently complex enough to warrant custom software for access and editing, yet too small or specialized to justify a full-blown server-based database application. Such data is typically presented in tabular form within documents or as editable spreadsheets. To test the alternative of using XForms as a user interface for SANDs, an application was built for browsing a conformance test suite for Product and Manufacturing Information, a formal specification of a product's functional and behavioral requirements as they apply to production. XForms proved a much better match than tabulations for the underlying data model. To further test the concept, XForms was evaluated for use with the National Institute of Standards and Technology (NIST) Special Publication 800-53 security control catalog, which is a comprehensive catalog of security controls for managing cyber-risk, many parts of which are already available in extensible markup language (XML) form. The model-view-controller (MVC) software pattern of XForms seems well-suited for creating specialized applications for tailoring and navigating this catalog.


2020 ◽  
Vol 5 (7) ◽  
pp. 785-789
Author(s):  
Job Asheri Chaula ◽  
Godfrey Weston Luwemba

The primary purpose of this research was to assess the adequacy and effectiveness of the security controls of the Supervisory Control and Data Acquisition (SCADA) communication networks used by infrastructure companies. Initially, SCADA networks were physically separated from other networks connected to the internet and hence assumed secure. However, modern SCADA systems are now integrated with other networks, resulting in new security vulnerabilities and attacks similar to those found in traditional IT. Thus, it is important to reassess the security controls of SCADA because it is operated in an open network environment. In this research, a case of SCADA security controls in the power sector in Tanzania was assessed, whereby a specific SCADA implementation was studied. The data were gathered using observation, testing, interviews, questionnaires and documentation reviews. The results were analyzed using the Cyber Security Evaluation Tool (CSET) and checked for compliance based on the National Institute of Standards and Technology (NIST) and North American Electric Reliability Corporation (NERC) standards. The findings have shown that security vulnerabilities exist both in compliance with the standards and as component-based vulnerabilities. Additionally, audit and accountability, personnel security, and system and information integrity are inadequate. Also, for the component-based security compliance, the finding shows that identification and authentication, security management and audit and accountability. On the basis of the results, the research has indicated the areas that require immediate action in order to protect the critical infrastructure.


Author(s):  
Shakeel Ali

The rapidly changing face of the internet threat landscape has posed remarkable challenges for security professionals trying to protect their IT infrastructure by applying advanced defensive techniques, policies, and procedures. Today, nearly 80% of all applications are web-based and externally accessible, depending on organizational policies. In many cases, the number of security issues discovered depends not only on the system configuration but also on the application space. Rationalizing security functions into the application is a common practice, but assessing their level of resiliency requires a structured and systematic approach to test the application against all possible threats before and after deployment. The application security assessment process and tools presented here are mainly focused on and mapped to industry standards and compliance regimes including PCI-DSS, ISO27001, GLBA, FISMA, SOX, and HIPAA, in order to assist with regulatory requirements. Additionally, to retain a defensive architecture, web application firewalls are discussed, and a map between well-established application security standards (WASC, SANS, OWASP) is prepared to represent a broad view of threat classification.


Despite the numerous benefits of cloud computing, concerns around security, trust and privacy are holding back cloud adoption. Lack of visibility and tangible measurement of the security posture of any cloud-hosted application is a disadvantage to cloud service customers. The decision to migrate workloads to the cloud requires thoughtful analysis of the security implications and the ability to measure the security controls after hosting. In this paper, we propose a framework to quantitatively measure different aspects of information security for cloud applications. This framework has a system through which we can define application-specific controls, gather information on control implementation, calculate the security levels for applications and present them to stakeholders through dashboards. The framework also includes a detailed method to quantify the security of a cloud application considering different aspects of security, control criticalities, stakeholder responsibilities and cloud service models. The system and method give cloud customers visibility into the security posture of their cloud-hosted applications.


2018 ◽  
Vol 4 (4) ◽  
Author(s):  
Edita Bajramovic ◽  
Jürgen Bochtler ◽  
Ines Ben Zid ◽  
Andreas Lainer

Cybersecurity incidents are stressful, complex in nature, and are frequently not systematically considered in daily tasks. When correctly managed, operational readiness procedures ensure the availability of data required to successfully and quickly recover from a security incident, while lessening the adverse effect. Therefore, protective measures, such as implementation of data diodes, are playing an essential role in defending instrumentation and control (I&C) systems. In addition, applicability of the newest forensic and digital evidence-related standards to the nuclear domain is being evaluated. Results of such evaluation are being considered in the three-dimensional and two-dimensional modeling of cybersecurity relevant assets. The development of the new IEC 63096, downstream standard of IEC 62645, will also support the proposed evaluation and modeling. However, IEC 63096 covers not only forensic and incident management-related security controls but also a broad range of cybersecurity controls. This paper will further explore the security degree-specific selection and overall assignment of forensic-related security controls for the nuclear domain. Results from ongoing prototype developments will be used to demonstrate possible alternative selections and assignments, along with their contribution to different security metrics.


Energies ◽  
2021 ◽  
Vol 14 (21) ◽  
pp. 6862
Author(s):  
Milan Stojkov ◽  
Nikola Dalčeković ◽  
Branko Markoski ◽  
Branko Milosavljević ◽  
Goran Sladić

The critical infrastructure is constantly under cyber and physical threats. Applying security controls without guidance or traceability can create a false sense of security. Security standards facilitate security knowledge and control best practices in a more systematic way. However, the number of standards is continually increasing. Product providers that operate in multiple geographical regions often face the obligation to comply with multiple standards simultaneously. This introduces the problem of the convenient interpretation of different standards. Thus, a comprehensive analysis of the requirements from different security standards and guidelines applicable to the smart grid has been performed to detect similarities that can be shaped into entities of a conceptual model for requirement representation. The purpose of the model—presented in the form of a Unified Modeling Language (UML) class diagram—is to give product providers a canonical way to map requirements from arbitrary standards, guidelines, and regulations and to accelerate cross-standard compliance readiness by defining the priority for requirement implementation. In addition, the research showed that multiple vectors should impact the priority of the implementation of the security controls defined through the requirements: domain affiliation, the essence of the requirement, associated threats, risks, and social dependencies between actors involved in the implementation. To examine the model's correctness, NISTIR 7628—the de facto smart grid standard—was used to provide insights into how the model would be used for requirements implementation tracking. The structure of individual requirements was analyzed to detect the building blocks and extract relevant parts that can be mapped to the model components. Further, all requirements were classified into one of the defined domains to provide the basis for referencing similar requirements from different standards. Finally, one arbitrary requirement was used to demonstrate model usage and to depict all available information that can be provided to users in a custom-made scenario where the need arises to have simultaneous alignment with three standards—NISTIR 7628, NIST 800-53, and IEC 62443-3-3.


Author(s):  
Joshua Lubell

The digital thread for cybersecurity enables security technologies and data sources to interoperate. It consists of an integrated collection of languages, taxonomies, and metrics represented using the Extensible Markup Language (XML). A current gap in the cybersecurity digital thread is the lack of good software for tailoring the security controls found in National Institute of Standards and Technology's (NIST) Special Publication (SP) 800-53, and exporting the result in a structured XML format. An application built using XForms demonstrated success in providing a specialized user interface for tailoring security controls, enforcing NIST SP 800-53 tailoring guidelines, and in generating XML content suitable for automated processing by other cybersecurity tools.


Author(s):  
Rubén A. Mendoza ◽  
T. Ravichandran

Vertical standards focus on industry-specific product and service descriptions, and are generally implemented using the eXtensible Markup Language (XML). Vertical standards are complex technologies with an organizational adoption locus but subject to inter-organizational dependence and network effects. Understanding the assimilation process for vertical standards requires that both firm and industry-level effects be considered simultaneously. In this paper, the authors develop and evaluate a two-level model of organizational assimilation that includes both firm and industry-level effects. The study was conducted in collaboration with OASIS, a leading cross-industry standards-development organization (SDO), and with ACORD, the principal SDO for the insurance and financial services industries. Results confirm the usefulness of incorporating firm-level and community-level constructs in the study of complex networked technologies. Specifically, the authors’ re-conceptualization of the classical DoI concepts of relative advantage and complexity are shown to be appropriate and significant in predicting vertical standards assimilation. Additionally, community-level constructs such as orphaning risk and standard legitimation are also shown to be important predictors of assimilation.
