GAP-ANALYSIS OF ASSURANCE CASE-BASED CYBERSECURITY ASSESSMENT: TECHNIQUE AND CASE STUDY


Oleg Illiashenko
https://orcid.org/0000-0002-4672-6400
Vyacheslav Kharchenko
https://orcid.org/0000-0001-5352-077X
Ah-Lian Kor

Abstract

The subject matter of the article is the process of cybersecurity assessment. The goal is to develop a technique for gap analysis of the cybersecurity assessment process. The task to be solved is to develop a method for analyzing gaps in the assessment of non-functional safety and cybersecurity requirements for industrial control systems (ICS). The method is based on a classification of requirements that takes into account the possibility of their decomposition; it includes the construction of an advanced security assurance case and the determination of countermeasures to address the detected gaps. Conclusions. The scientific novelty of the results obtained is as follows: the method for ensuring the information security of the digital components of instrumentation and control systems (I&C) was further developed by analyzing requirement discrepancies using vulnerability description procedures and assessing the severity of intrusion consequences, and by determining the set of countermeasures by the "security-cost" criterion, which makes it possible to reduce risks to an acceptable level.
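The abstract describes the technique only in outline: decompose requirements into an assurance-case tree, find the claims that lack evidence (the gaps), weight each gap by the severity of the consequence, and pick countermeasures by a "security-cost" criterion until residual risk is acceptable. The following is an added illustration of that workflow, not code from the paper or its authors: the requirement tree, the 1..5 severity scale, the countermeasure costs, and the greedy "severity reduced per unit cost" selection rule are all constructed assumptions standing in for the paper's own vulnerability-description and consequence-severity procedures.

```python
"""
Illustrative gap analysis over an assurance-case-style requirement tree.

Added example, not code from the paper. The requirement tree, severity
scale, countermeasure costs and the greedy "severity reduced per unit cost"
selection rule are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Iterator, List, Optional, Set, Tuple


@dataclass
class Requirement:
    rid: str
    text: str
    severity: int                     # assumed 1..5 scale: consequence if this claim fails
    evidence: List[str] = field(default_factory=list)         # evidence items backing the claim
    children: List["Requirement"] = field(default_factory=list)  # decomposition into sub-claims

    def leaves(self) -> Iterator["Requirement"]:
        """Walk the decomposition down to the undivided claims."""
        if not self.children:
            yield self
        for child in self.children:
            yield from child.leaves()


@dataclass
class Countermeasure:
    name: str
    cost: float          # assumed relative cost units
    closes: Set[str]     # ids of leaf requirements whose gap this measure closes


def find_gaps(root: Requirement, closed: Set[str] = frozenset()) -> List[Requirement]:
    """A gap is a leaf claim with no evidence that no chosen measure has closed yet."""
    return [r for r in root.leaves() if not r.evidence and r.rid not in closed]


def residual_risk(root: Requirement, closed: Set[str] = frozenset()) -> int:
    """Risk figure used here (assumption): sum of the severities of the open gaps."""
    return sum(r.severity for r in find_gaps(root, closed))


def select_countermeasures(root: Requirement, measures: List[Countermeasure],
                           acceptable_risk: int, budget: Optional[float] = None
                           ) -> Tuple[List[str], int, float]:
    """Greedy 'security-cost' selection: best severity-reduction per unit cost first,
    until residual risk is acceptable, candidates run out, or the budget blocks the rest."""
    closed: Set[str] = set()
    chosen: List[str] = []
    spent = 0.0
    remaining = list(measures)
    while residual_risk(root, closed) > acceptable_risk and remaining:
        open_sev = {r.rid: r.severity for r in find_gaps(root, closed)}

        def benefit(m: Countermeasure) -> int:
            return sum(open_sev.get(rid, 0) for rid in m.closes)

        best = max(remaining, key=lambda m: benefit(m) / m.cost)
        remaining.remove(best)
        if benefit(best) == 0:
            break                        # nothing left that closes an open gap
        if budget is not None and spent + best.cost > budget:
            continue                     # unaffordable: skip it and try the next candidate
        chosen.append(best.name)
        spent += best.cost
        closed |= best.closes
    return chosen, residual_risk(root, closed), spent


def build_case() -> Requirement:
    """Constructed assurance-case fragment for an I&C controller (assumption, not from the paper)."""
    return Requirement("R", "Controller firmware and configuration cannot be modified without authorisation", 5, children=[
        Requirement("R.1", "Engineering access requires individual authentication", 4,
                    evidence=["AC-test-report-07"]),
        Requirement("R.2", "Integrity of code and configuration is verified", 5, children=[
            Requirement("R.2.1", "Firmware image is signature-checked before execution", 5),
            Requirement("R.2.2", "Configuration changes are logged and reviewed", 3),
        ]),
        Requirement("R.3", "Controller network is segregated from the plant office network", 4),
    ])


def build_measures() -> List[Countermeasure]:
    """Constructed candidate countermeasures with assumed costs."""
    return [
        Countermeasure("Signed firmware with secure boot", 8.0, {"R.2.1"}),
        Countermeasure("Configuration change audit log", 2.0, {"R.2.2"}),
        Countermeasure("Network segregation with a data diode", 6.0, {"R.3"}),
        Countermeasure("Integrity suite (firmware + config)", 9.0, {"R.2.1", "R.2.2"}),
    ]


if __name__ == "__main__":
    case = build_case()
    print("open gaps:", [g.rid for g in find_gaps(case)], "risk:", residual_risk(case))
    for budget in (None, 10.0):
        chosen, risk, spent = select_countermeasures(case, build_measures(), acceptable_risk=3, budget=budget)
        print(f"budget={budget}: chosen={chosen} residual_risk={risk} spent={spent}")
```

With no budget the greedy rule closes all three gaps (audit log first, since it has the best severity-per-cost ratio, then segregation, then signed firmware) and residual risk falls to zero. With a budget of 10 the firmware measures are unaffordable after the first two picks, so the procedure stops with residual risk 5, above the acceptable level of 3: the check a practitioner wants is exactly this, that the countermeasure set actually reaches the target rather than merely being the cheapest one.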

Article Details

How to Cite
Illiashenko, O., Kharchenko, V., & Kor, A.-L. (2018). GAP-ANALYSIS OF ASSURANCE CASE-BASED CYBERSECURITY ASSESSMENT: TECHNIQUE AND CASE STUDY. Advanced Information Systems, 2(1), 64–68. https://doi.org/10.20998/2522-9052.2018.1.12
Section
Methods of information systems protection
Author Biographies

Oleg Illiashenko, Kharkiv National Aerospace University named after M. E. Zhukovsky "KhAI"

Senior Lecturer of the Department of Computer Systems, Networks and Cybersecurity

Vyacheslav Kharchenko, Kharkiv National Aerospace University named after M. E. Zhukovsky "KhAI"

Doctor of Technical Sciences, Professor, Head of the Department of Computer Systems, Networks and Cybersecurity

Ah-Lian Kor, Leeds Beckett University, Leeds

Ph.D., Senior Lecturer in the School of Computing, Creative Technology and Engineering
