Abstract
Protecting critical infrastructure assets such as telecommunications networks and energy generation and distribution facilities from cyber attacks is a major challenge. However, because security is a complex and multi-layered topic, a foundation for manufacturers to assess the security of products used in critical infrastructures is often missing. This paper describes a structured security assessment methodology that is specifically designed for use by manufacturers during product development. The methodology, which incorporates risk analysis, theoretical assessment and practical assessment, anticipates operational security challenges before products are deployed in critical infrastructures.
© 2010 IFIP International Federation for Information Processing
About this paper
Cite this paper
Brandstetter, T., Knorr, K., Rosenbaum, U. (2010). A Manufacturer-Specific Security Assessment Methodology for Critical Infrastructure Components. In: Moore, T., Shenoi, S. (eds) Critical Infrastructure Protection IV. ICCIP 2010. IFIP Advances in Information and Communication Technology, vol 342. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-16806-2_16
DOI: https://doi.org/10.1007/978-3-642-16806-2_16
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-16805-5
Online ISBN: 978-3-642-16806-2
eBook Packages: Computer Science (R0)