Automated Assessment Of Compliance With Security Best Practices

  • Zahid Anwar
  • Roy Campbell
Conference paper
Part of the International Federation for Information Processing book series (IFIPAICT, volume 290)

Several standards and best practices have been proposed for critical infrastructure protection. However, the scale and complexity of critical infrastructure assets render manual compliance checking difficult, if not impossible. This paper focuses on the automated assessment of security compliance of electrical power grid assets. A security model based on predicate calculus is used to express infrastructure elements (e.g., devices, services, protocols, access control implementations) as “facts” and security standards and best practices as “rules” that specify constraints on the facts. A tool chain is applied to automatically generate the security model from specifications and to check compliance with standards and best practices. The tool chain also supports the visualization of network topology and security assessment results to reveal possible points of attack.


Security best practices, compliance assessment, first order logic



Copyright information

© IFIP International Federation for Information Processing 2008

Authors and Affiliations

  • Zahid Anwar (1)
  • Roy Campbell (1)
  1. University of Illinois, Urbana-Champaign, USA
