Supporting Cybersecurity Compliance Assessment of Industrial Automation and Control System Components
The chapter presents a case study demonstrating how the security requirements of an Industrial Automation and Control System (IACS) component can be represented in the form of a Protection Profile based on the IEC 62443 standards, and how compliance assessment of such a component can be supported by explicitly representing a conformity argument in a form based on the OMG SACM metamodel. It also demonstrates how an advanced argument assessment mechanism based on Dempster-Shafer belief function theory can support assessors in analyzing and assessing the conformity argument related to an IACS component. These demonstrations use the NOR-STA tool for representing, managing and assessing evidence-based arguments, which has been developed in our research group.
Keywords: Cybersecurity, IACS component, Protection profile, Security standards, Evidence-based argument, Conformance case, Certification, Tools
This work was partially supported by a Statutory Grant of the Polish Ministry of Science and Higher Education. The RTU Protection Profile presented in this chapter is based on the RTU Protection Profile originally introduced by Mr. Tomasz Szala from the Mikronika company to the NET-PL group working on validation of the IACS Components Cybersecurity Certification Framework (ICCF).