Abstract
The paper presents current cybersecurity issues in industrial automation and control systems (IACS). It also reviews the state of the art in literature, standards and frameworks used to evaluate and certify industrial control devices. Nowadays the Common Criteria (CC) security assurance methodology is commonly used for the vast majority of information technology (IT) products but not for IACS components. The paper proposes that a security evaluation method for IACS be based on the CC approach. The CC standard has not been used in industry so far, and this gap is the main motivation for the author’s doctoral research in that field. The implementation of CC security requirements can enhance the “safety” of functional features in control devices by adding “security” measures typical of IT products. The paper provides input to the first stage of the author’s research, whose goal is to identify the design needs and requirements for building the security evaluation method. As a result, in the next stage, the evaluation method can be built according to the model of a control system and to the criteria taken from the CC standard adjusted to IACS needs. Coupling both “security” and “safety” for industrial control systems is a promising way of using the CC assurance methodology for a new kind of device.
Acknowledgment
I would like to thank Prof. Andrzej Bialas for his support in my research work regarding the security evaluation method for ICS and Ms Barbara Flisiuk for her insightful proofreading.
Research activities are financed within the “Implementation Doctorates” program of the Polish Ministry of Science and Higher Education.
© 2019 Springer International Publishing AG, part of Springer Nature
About this paper
Cite this paper
Rogowski, D. (2019). Identification of Information Technology Security Issues Specific to Industrial Control Systems. In: Zamojski, W., Mazurkiewicz, J., Sugier, J., Walkowiak, T., Kacprzyk, J. (eds) Contemporary Complex Systems and Their Dependability. DepCoS-RELCOMEX 2018. Advances in Intelligent Systems and Computing, vol 761. Springer, Cham. https://doi.org/10.1007/978-3-319-91446-6_37
DOI: https://doi.org/10.1007/978-3-319-91446-6_37
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-91445-9
Online ISBN: 978-3-319-91446-6
eBook Packages: Intelligent Technologies and Robotics (R0)