Several standards and best practices have been proposed for critical infrastructure protection. However, the scale and complexity of critical infrastructure assets renders manual compliance checking difficult, if not impossible. This paper focuses on the automated assessment of security compliance of electrical power grid assets. A security model based on predicate calculus is used to express infrastructure elements (e.g., devices, services, protocols, access control implementations) as “facts” and security standards and best practices as “rules” that specify constraints on the facts. A tool chain is applied to automatically generate the security model from specifications and to check compliance with standards and best practices. The tool chain also supports the visualization of network topology and security assessment results to reveal possible points of attack.
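To make the fact/rule approach described above concrete, here is an added example (not the paper's tool chain or code): infrastructure elements are ground predicates, each best practice is a rule that yields violations, and a small DOT exporter flags the offending devices in the topology. The fact base and both rules (a control-zone encryption requirement and a no-direct-corporate-to-control-link requirement) are constructed for illustration, not taken from the paper.

```python
# Constructed fact base, assumed for this example: (predicate, args...)
FACTS = {
    ("device", "rtu1", "control"), ("device", "hmi1", "control"),
    ("device", "ws1", "corporate"), ("device", "fw1", "dmz"),
    ("service", "rtu1", "modbus"), ("service", "hmi1", "vnc"),
    ("encrypted", "hmi1", "vnc"),             # vnc on hmi1 is tunnelled
    ("link", "ws1", "fw1"), ("link", "fw1", "hmi1"),
    ("link", "ws1", "rtu1"),                  # corporate host wired to an RTU
}

def match(facts, pred, *pattern):
    """Yield facts of predicate `pred` that unify with `pattern` (None = wildcard)."""
    for f in facts:
        if f[0] == pred and len(f) == len(pattern) + 1 and all(
                p is None or p == a for p, a in zip(pattern, f[1:])):
            yield f

def rule_encrypted_control_services(facts):
    """Assumed rule: every service on a control-zone device must be encrypted."""
    for _, dev, _ in match(facts, "device", None, "control"):
        for _, _, svc in match(facts, "service", dev, None):
            if not any(match(facts, "encrypted", dev, svc)):
                yield ("unencrypted-control-service", dev, svc)

def rule_no_direct_corporate_link(facts):
    """Assumed rule: no link joins a corporate device directly to a control device."""
    for _, a, b in match(facts, "link", None, None):
        for x, y in ((a, b), (b, a)):
            if any(match(facts, "device", x, "corporate")) and \
               any(match(facts, "device", y, "control")):
                yield ("direct-corporate-control-link", x, y)

RULES = (rule_encrypted_control_services, rule_no_direct_corporate_link)

def check(facts=FACTS, rules=RULES):
    """Apply every rule to the fact base; return sorted violation tuples."""
    return sorted(v for r in rules for v in r(facts))

def to_dot(facts=FACTS, violations=()):
    """Graphviz DOT of the topology; devices named in a violation are drawn red."""
    flagged = {arg for v in violations for arg in v[1:]}
    lines = ["graph grid {"]
    for _, dev, zone in sorted(match(facts, "device", None, None)):
        color = "red" if dev in flagged else "black"
        lines.append(f'  "{dev}" [label="{dev}\\n{zone}", color={color}];')
    for _, a, b in sorted(match(facts, "link", None, None)):
        lines.append(f'  "{a}" -- "{b}";')
    return "\n".join(lines + ["}"])
```

Running `check()` on the constructed facts reports the unencrypted Modbus service on rtu1 and the direct ws1-to-rtu1 link; `to_dot(FACTS, check())` colours those two devices red so the weak points stand out in the rendered graph.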
© 2008 IFIP International Federation for Information Processing
About this paper
Cite this paper
Anwar, Z., Campbell, R. (2008). Automated Assessment Of Compliance With Security Best Practices. In: Papa, M., Shenoi, S. (eds) Critical Infrastructure Protection II. ICCIP 2008. The International Federation for Information Processing, vol 290. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-88523-0_13
DOI: https://doi.org/10.1007/978-0-387-88523-0_13
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-387-88522-3
Online ISBN: 978-0-387-88523-0
eBook Packages: Computer Science (R0)