Abstract
With so many types of systems, elements, threats, attacks, vulnerabilities, threat actors and so on, it is natural to wonder whether some conceptual order could be imposed on the complex and seemingly chaotic space of ICS security. Taxonomies and ontologies are among the means by which humans bring order, meaning and knowledge management to broad domains of things, concepts and principles. For this reason, in this chapter we offer an overview of selected ICS security taxonomies and of elements of emerging ontologies. The migration of data processing to open web infrastructures poses a great challenge for ICS in terms of information fusion and knowledge management. In this regard, ICS architectures can benefit from the use of ontologies, that is, models of the underlying semantics of data. Ontologies are already used in a variety of applications, ranging from search engine optimization and knowledge discovery (e.g. elicitation of patterns of interaction within genomic data) to traditional AI and common-sense reasoning. The use of ontologies to complement ICS security taxonomies is a logical extension. The first section (Sect. 7.2) of this chapter presents key concepts, and their relationships, in a discussion of established taxonomies. Section 7.3 discusses ongoing research related to ICS security taxonomies and extended approaches based on ontologies. Section 7.4 summarizes the current status and discusses future trends with regard to ICS security taxonomies. Unless otherwise indicated, ICS refers to all control systems, including SCADA and DCS, as well as other control system configurations and their constituent parts. Where a specific type of control system is the subject, it is indicated by name.
Notes
- 1. This was based on Landwehr's taxonomy of operating system flaws.
- 2. It was initially developed as a component in a model intended to contribute to the development of a larger taxonomy (see Fleury et al. 2008).
- 3. Previously titled Recommended Security Controls for Federal Information Systems. Revision 4 represents the most comprehensive rewrite of SP 800-53 since 2005. It was developed by an interagency partnership consisting of the Department of Defense, the Intelligence Community, and the Committee on National Security Systems that began working in 2009, culminating with the release of Revision 4 in 2013 (Joint Task Force Transformation Initiative 2013).
- 4. Revision 4 of NIST SP 800-53 removed the class designations from the security control families, because many of the security controls within a family may be linked to several classes. This is not meant to preclude the use of the classes where they would be helpful (Joint Task Force Transformation Initiative 2013, p. F-3).
- 5. General ones, such as "part-of" and "associated-with", or domain-specific ones, such as "exploited-by", "connected-to", "runs-on" and "installed-on" (see Choraś 2009 for a list of relevant semantic relationships).
- 6. Such as RDF and OWL: see http://www.w3.org/standards/techs/owl#w3c_all.
- 7. As attested by the FOIS conference series (Formal Ontology in Information Systems): http://www.iaoa.org/fois/.
- 8.
- 9. Interestingly enough, one of the contributors to this book chapter has recently presented a similar hybrid approach, in which the Bayesian statistical computation was performed by the ACT-R cognitive architecture (Oltramari 2014).
- 10.
- 11. Regarding ontology modularity and its implications for semantic interoperability, see Parent 2009.
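The notes above list the semantic relations an ICS security ontology would carry (part-of, associated-with, exploited-by, connected-to, runs-on, installed-on) and point to Choraś 2009 for ontology-based reasoning over vulnerabilities and threats. The following is an added illustration, not code from the chapter or from any of the cited works: a minimal in-memory triple store that uses exactly those relation names and infers, for a given vulnerability, which hosts are directly affected, which further hosts are reachable over connected-to links, and which network zones are therefore touched. Every asset, software, vulnerability and actor name in it is constructed sample data.

```python
"""Added illustration: ontology-style reasoning over ICS security relations.

Not from the chapter. The relation names are the ones listed in note 5;
every asset, software, vulnerability and actor name below is constructed.
"""
from collections import defaultdict

# Constructed sample triples (subject, relation, object).
TRIPLES = [
    ("hmi-01", "part-of", "control-network"),
    ("plc-01", "part-of", "control-network"),
    ("historian-01", "part-of", "dmz"),
    ("historian-01", "connected-to", "hmi-01"),
    ("hmi-01", "connected-to", "plc-01"),
    ("windows-host-os", "installed-on", "hmi-01"),
    ("scada-server-sw", "runs-on", "windows-host-os"),
    ("historian-db-sw", "installed-on", "historian-01"),
    ("vuln-A", "associated-with", "scada-server-sw"),
    ("vuln-A", "exploited-by", "remote-attacker"),
    ("vuln-B", "associated-with", "historian-db-sw"),
    ("vuln-B", "exploited-by", "insider"),
]


class Ontology:
    """Minimal triple store with the few inference rules this example needs."""

    def __init__(self, triples):
        self.forward = defaultdict(set)  # (subject, relation) -> {objects}
        for s, p, o in triples:
            self.forward[(s, p)].add(o)

    def objects(self, subject, relation):
        return self.forward.get((subject, relation), set())

    def closure(self, start, relation):
        """Transitive closure of one relation, e.g. everything `start` is connected-to."""
        seen, stack = set(), [start]
        while stack:
            node = stack.pop()
            for nxt in self.objects(node, relation):
                if nxt not in seen:
                    seen.add(nxt)
                    stack.append(nxt)
        return seen

    def hosts_of(self, software, _seen=None):
        """Hosts a piece of software ultimately runs on.

        Follows runs-on and installed-on edges through intermediate software
        (an OS, a runtime); a node with no outgoing edge of either kind is
        treated as a physical host. `_seen` guards against cyclic data.
        """
        _seen = set() if _seen is None else _seen
        hosts = set()
        for relation in ("runs-on", "installed-on"):
            for target in self.objects(software, relation):
                if target in _seen:
                    continue
                _seen.add(target)
                deeper = self.hosts_of(target, _seen)
                hosts |= deeper if deeper else {target}
        return hosts

    def exposure(self, vulnerability):
        """Directly affected hosts, and hosts reachable from them over connected-to."""
        direct = set()
        for sw in self.objects(vulnerability, "associated-with"):
            direct |= self.hosts_of(sw)
        reachable = set()
        for host in direct:
            reachable |= self.closure(host, "connected-to")
        return direct, reachable - direct


def threat_report(onto, vulnerability):
    """Who can exploit the vulnerability, and which assets and zones it touches."""
    direct, reachable = onto.exposure(vulnerability)
    zones = {z for host in direct | reachable for z in onto.closure(host, "part-of")}
    return {
        "actors": sorted(onto.objects(vulnerability, "exploited-by")),
        "directly_affected": sorted(direct),
        "reachable": sorted(reachable),
        "zones": sorted(zones),
    }


ONTO = Ontology(TRIPLES)

if __name__ == "__main__":
    for vuln in ("vuln-A", "vuln-B"):
        print(vuln, threat_report(ONTO, vuln))
```

The point of the example is the inference step rather than the data: a flat taxonomy would tell you only that vuln-B affects historian software, whereas chaining installed-on, connected-to and part-of shows that an insider exploiting it reaches the HMI and PLC in the control network, not just the DMZ. A production ontology would express the same relations in RDF/OWL (note 6) and let a reasoner or SPARQL engine do this traversal.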
References
Allemang, D., & Hendler, J. (2011). Semantic web for the working ontologist: Effective modeling in RDFS and OWL. Amsterdam: Elsevier.
Bishop, M. (1995). CSE-95-10 A taxonomy of unix system and network vulnerabilities. Davis: Department of Computer Science, University of California at Davis.
Brewster, T. (2014, July 13). US energy firms report cyber attacks. Retrieved from Tech Week Europe: http://www.techweekeurope.co.uk/workspace/energy-firms-cyber-incidents-dragonfly-energetic-bear-148457.
Choraś, M.F. (2009). Decision aid tool and ontology-based reasoning for critical infrastructure vulnerabilities and threat analysis. In E.R. Bloomfield (Ed.), CRITIS (Vol. 6027, pp. 98–110). Berlin: Springer-Verlag.
Clayton, M. (2011, November 18). Cyberattack on Illinois water utility may confirm Stuxnet warnings. Christian Science Monitor. Retrieved from http://www.csmonitor.com/USA/2011/1118/Cyberattack-on-Illinois-water-utility-may-confirm-Stuxnet-warnings.
Dell. (2015). Dell security annual threat report. Round Rock, TX: Dell Inc.
Department of Homeland Security, Office of Cybersecurity and Communications. (2014). Industrial control systems assessment FY 2014 overview and analysis. Washington, DC: Department of Homeland Security.
Dreyer, T. L. (2003). ScadaOnWeb—Web based supervisory control and data acquisition. The Semantic Web—ISWC 2003 (pp. 788–801). Berlin: Springer.
Fleury, T., Khurana, H., & Welch, V. (2008). Towards a taxonomy of attacks against energy control systems. In M. Pappa, S. Shenoi, & IFIP International Federation for Information Processing (Eds.), Critical infrastructure protection II (Vol. 290, pp. 71–85). Boston: Springer.
Flowers, A. (2015, March 31). An organizational typology of cyberattacks: Implications for the energy and utility critical infrastructure sector. In 4th Annual Cyber Security for Energy & Utilities Conference, Abu Dhabi, United Arab Emirates.
Igure, V., & Williams, R. (2008). Taxonomies of attacks and vulnerabilities in computer systems. IEEE Communications Surveys & Tutorials, 10, 6–19.
Joint Task Force Transformation Initiative. (2013). NIST Special Publication 800-53r4: Security and privacy controls for federal information systems and organizations. Gaithersburg: U.S. Department of Commerce, National Institute of Standards and Technology.
Kozik, R.C. (2010). Fusion of Bayesian and ontology approach applied to decision support system for critical infrastructures protection. In P. Chatzimisios (Ed.), MobiLight (Vol. 45, pp. 451–463). Institute for Computer Sciences, Social Informatics and Telecommunications Engineering.
Kushner, D. (2013, February 26). The real story of Stuxnet. IEEE Spectrum. Retrieved from http://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet/.
Line, M., Zand, A., Stringhini, G., & Kemmerer, R. (2014). Targeted attacks against industrial control systems: Is the power industry prepared? In SEGS'14: Proceedings of the 2nd workshop on smart energy grid security (CCS'14, ACM SIGSAC conference on computer & communications security). Scottsdale, AZ: Association for Computing Machinery (ACM).
Lyne, J. (2014). Security threat trends in 2015: Predicting what cybersecurity will look like in 2015 and beyond. Chicago: Sophos.
McAfee Foundstone Professional Services and McAfee Labs (2011, February 10). White paper: Global energy cyberattacks: “Night Dragon”. McAfee. Retrieved from http://www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf.
Nabil, S.B. (2012). Security ontology for semantic SCADA (pp. 179–192). ICWIT.
Oltramari, A.B. (2014). General requirements of a hybrid-modeling framework for cyber security. Proceedings of the military communications conference (MILCOM), Baltimore.
Parent, C. (2009). Modular ontologies: Concepts, theories and techniques for knowledge modularization. Berlin: Springer.
Peter, T. (2014, May 21). US utility’s control systems hit by advanced cyber attack—DHS. Reuters. Retrieved from http://rt.com/usa/160328-utility-cyber-attack-hack/.
Rockall, W. (2014, July 24). Cyber attacks on energy companies: Do we need specific laws to protect us? Media Network Blog. Retrieved from http://www.theguardian.com/media-network/media-network-blog/2014/jul/24/cyber-attacks-energy-energetic-bear.
Smith, S. (2014). A proposal for a taxonomy for vulnerabilities in supervisory control and data acquisition (SCADA) systems. Aberdeen, MD: Army Research Lab Aberdeen Proving Ground.
Stouffer, K., Pillitteri, V., Lightman, S., Abrams, M., & Hahn, A. (2015). NIST Special Publication 800-82: Guide to industrial control systems (ICS) security, R2. Gaithersburg: National Institute of Standards and Technology.
Symantec (2014, July 7). Dragonfly: Cyberespionage attacks against energy supplies: Symantec security response. Retrieved from http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf.
Tsipenyuk, K., Chess, B., & McGraw, G. (2005, December). Seven pernicious kingdoms: A taxonomy of software security errors. IEEE Security & Privacy, 3(6), 81–84.
U.S. District Court, Western District of Pennsylvania (2014, May 12). U.S. v. Wang Dong, Sun Kailiang, Wen Xinyu, Huang Zhenyu, and Gu Chunhui. Criminal No. 14-118.
Yadron, D., & Mann, T. (2014, October 29). Computer spies target control systems made by GE, Siemens. The Wall Street Journal. Retrieved from http://www.wsj.com/articles/computer-spies-target-control-systems-made-by-ge-siemens-1414630558.
Zhu, B., Joseph, A., & Sastry, S. (2011). A taxonomy of cyber attacks on SCADA systems. Proceedings of the 2011 international conference on internet of things and 4th international conference on cyber, physical, and social computing (pp. 380–388). Washington, DC: IEEE Computer Society.
Copyright information
© 2016 Springer International Publishing Switzerland
Cite this chapter
Flowers, A.S., Smith, S.C., Oltramari, A. (2016). Security Taxonomies of Industrial Control Systems. In: Colbert, E., Kott, A. (eds) Cyber-security of SCADA and Other Industrial Control Systems. Advances in Information Security, vol 66. Springer, Cham. https://doi.org/10.1007/978-3-319-32125-7_7
DOI: https://doi.org/10.1007/978-3-319-32125-7_7
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-32123-3
Online ISBN: 978-3-319-32125-7
eBook Packages: Computer Science (R0)