Research Papers

Planning the Selection and Assignment of Security Forensics Countermeasures

Edita Bajramovic

AREVA GmbH,
Henri-Dunant-Strasse 50,
Erlangen 91058, Germany
e-mail: edita.bajramovic@areva.com

Jürgen Bochtler

Siemens AG,
Freyeslebenstrasse 1,
Erlangen 91058, Germany
e-mail: juergen.bochtler@siemens.com

Ines Ben Zid

AREVA GmbH,
Henri-Dunant-Strasse 50,
Erlangen 91058, Germany
e-mail: ines.ben-zid@areva.com

Andreas Lainer

Friedrich-Alexander-University
Erlangen-Nuremberg,
Department of Computer Science,
Martensstrasse 5,
Erlangen 91058, Germany
e-mail: andreas.lainer@fau.de

1Present address: Friedrich-Alexander-University Erlangen-Nuremberg, Department of Computer Science, Martensstrasse 5, Erlangen 91058, Germany.

Manuscript received October 29, 2017; final manuscript received June 13, 2018; published online September 10, 2018. Assoc. Editor: John F. P. de Grosbois.

ASME J of Nuclear Rad Sci 4(4), 041008 (Sep 10, 2018) (9 pages) Paper No: NERS-17-1216; doi: 10.1115/1.4040650 History: Received October 29, 2017; Revised June 13, 2018

Cybersecurity incidents are stressful, complex in nature, and are frequently not systematically considered in daily tasks. When correctly managed, operational readiness procedures ensure the availability of data required to successfully and quickly recover from a security incident, while lessening the adverse effect. Therefore, protective measures, such as implementation of data diodes, are playing an essential role in defending instrumentation and control (I&C) systems. In addition, applicability of the newest forensic and digital evidence-related standards to the nuclear domain is being evaluated. Results of such evaluation are being considered in the three-dimensional and two-dimensional modeling of cybersecurity relevant assets. The development of the new IEC 63096, downstream standard of IEC 62645, will also support the proposed evaluation and modeling. However, IEC 63096 covers not only forensic and incident management-related security controls but also a broad range of cybersecurity controls. This paper will further explore the security degree-specific selection and overall assignment of forensic-related security controls for the nuclear domain. Results from ongoing prototype developments will be used to demonstrate possible alternative selections and assignments, along with their contribution to different security metrics.

Copyright © 2018 by ASME

References

[1] ISO/IEC, 2011, “Information Technology—Security Techniques—Information Security Risk Management,” International Organization for Standardization/International Electrotechnical Commission, Geneva, Switzerland, Standard No. ISO/IEC 27005. https://www.iso.org/standard/75281.html
[2] IEC, 2016, “Nuclear Power Plants—Instrumentation and Control Systems—Security Controls,” International Electrotechnical Commission, Geneva, Switzerland, Standard No. IEC 63096. http://npic-hmit2017.org/wp-content/data/pdfs/158-20165.pdf
[3] IEC, 2014, “Nuclear Power Plants—I&C Systems—Requirements for Security Programmes for Computer-Based Systems,” International Electrotechnical Commission, Geneva, Switzerland, Standard No. IEC 62645. https://webstore.iec.ch/publication/7311
[4] Bajramovic, E., 2016, “Survey of Digital Forensic Readiness in Critical Infrastructure,” Department of Computer Science, Friedrich-Alexander University Erlangen-Nuremberg, Erlangen, Germany.
[5] Scott, A., 2015, Tactical Data Diodes in Industrial Control Automation Systems. SysAdmin, Audit, Network and Security, (SANS) Institute InfoSec Reading Room, Global Region, US.
[6] Li, J., Bajramovic, E., Gao, Y., and Parekh, M., 2016, “Graded Security Forensics Readiness for SCADA Systems,” Informatik 2016, H. C. Mayr, and M. Pinzger, eds., Lecture Notes in Informatics, Bonn, Germany, pp. 581–592.
[7] IEC, 2013, “Industrial Communication Networks—Network and System Security—Part 3-3: System Security Requirements and Security Levels,” International Electrotechnical Commission, Geneva, Switzerland, Standard No. IEC 62443-3-3. https://webstore.iec.ch/publication/7033
[8] Waedt, K., Lillo, E., and Zavarsky, P., 2015, “Identification of the Critical Components of an ICS and Options to Protect Them,” World Institute for Nuclear Security (WINS) Workshop on Effective Integration of Physical Protection and Cyber Security, Vienna, Austria.
[9] Knapp, E., and Langill, J., 2014, “Security Monitoring of Industrial Control Systems,” Industrial Network Security, 2nd ed., Syngress Publishing, Waltham, MA.
[10] Bajramovic, E., Waedt, K., Gao, Y., and Parekh, M., 2016, “Cybersecurity Aspects in the I&C Design of Nuclear Power Plants,” Third International Nuclear Power Plants Summit, Istanbul, Turkey, Mar. 8.
[11] Waedt, K., and Ding, Y., 2013, “Safety and Cybersecurity Aspects in the Safety I&C Design for NPPs,” Third China (International) Conference on Nuclear Power I&C Technology, Shanghai, China.
[12] ISO/IEC, 2015, “Information Technology—Security Techniques—Guidelines for the Analysis and Interpretation of Digital Evidence,” International Organization for Standardization/International Electrotechnical Commission, Geneva, Switzerland, Standard No. ISO/IEC 27042. https://www.iso.org/standard/44406.html
[13] ISO/IEC, 2015, “Information Technology—Security Techniques—Incident Investigation Principles and Processes,” International Organization for Standardization/International Electrotechnical Commission, Geneva, Switzerland, Standard No. ISO/IEC 27043. https://www.iso.org/standard/44407.html
[14] Bochtler, J., Quinn, E. L., and Bajramovic, E., 2017, “Development of a New International Electrotechnical Commission Standard on Cybersecurity Controls for Nuclear Power Plants,” Nuclear Plant Instrumentation, Control & Human Machine Interface Technologies, San Francisco, CA, June 11–15.
[15] Homeland Security, 2008, Recommended Practice: Creating Cyber Forensics Plans for I&C Systems, Homeland Security, Washington, DC.
[16] Kent, K., Chevalier, S., Grance, T., and Dang, H., 2006, “Guide to Integrating Forensic Techniques Into Incident Response,” National Institute of Standards and Technology, Gaithersburg, MD, Report No. NIST SP 800-86. https://www.nist.gov/publications/guide-integrating-forensic-techniques-incident-response
[17] UcedaVelez, T., and Morana, M., 2015, “Threat Modelling and Risk Management,” Risk Centric Threat Modeling: Process for Attack Simulation and Threat Analysis, Wiley, Hoboken, NJ.
[18] Tu, M., Xu, D., Butler, E., and Schwartz, A., 2012, “Forensic Evidence Identification and Modeling for Attacks Against a Simulated Online Business,” J. Digital Forensics, Security Law, 7(4), p. 4. http://ojs.jdfsl.org/index.php/jdfsl/article/view/48
[19] Lee, R., 2015, “Active Cyber Defense Cycle: Asset Identification and Network Security Monitoring, Control Engineering,” Control Engineering, Downers Grove, IL, accessed Oct. 15, 2016, https://www.controleng.com/single-article/active-cyber-defense-cycle-asset-identification-and-network-security-monitoring/dcd2a7ac2b4f7cfd98e292dfd1e5c88a.html
[20] ISO/IEC, 2011, “Information Technology—Security Techniques—Application Security—Part 1: Overview and Concepts,” International Organization for Standardization/International Electrotechnical Commission, Geneva, Switzerland, Standard No. ISO/IEC 27034-1. https://www.iso.org/standard/44378.html

Figures

Fig. 1: Data diode (high sec. to low sec. zone) [6].

Fig. 2: Data diode (low sec. to higher sec. zone) [5,6].

Fig. 3: Secure centralized logging via data diode [6,9]

Fig. 4: Example overall security zones model [11]

Fig. 5: Applicability of standards to investigation process classes and activities [12,13]

Fig. 6: ISO/IEC 27042 digital forensics investigation process [12]

Fig. 7: An example attack tree of an insider threat “copying confidential data to USB” [18]

Fig. 8: An example of an Organization-Wide ASC Library [20]

Fig. 9: An example attack tree for modifying a water pump control system with applied ASCs
