Assurance Techniques for Industrial Control Systems (ICS)

Research output: Contribution in Book/Report/Proceedings › Paper

Status: Published
Publication date: 10/2015
Host publication: CPS-SPC '15 Proceedings of the First ACM Workshop on Cyber-Physical Systems-Security and/or PrivaCy
Place of publication: New York
Publisher: ACM
Pages: 101-112
Number of pages: 12
ISBN (Print): 9781450338271
Original language: English

Abstract

Assurance techniques generate evidence that allows us to make claims of assurance about security. For the purpose of certification to an assurance scheme, this evidence enables us to answer the question: are the implemented security controls consistent with organisational risk posture? This paper uses interviews with security practitioners to assess how ICS security assessments are conducted in practice, before introducing the five "PASIV" principles to ensure the safe use of assurance techniques. PASIV is then applied to three phases of the system development life cycle (development; procurement; operational), to determine when, and when not, these assurance techniques can be used to generate evidence. Focusing then on the operational phase, this study assesses how assurance techniques generate evidence for the 35 security control families of ISO/IEC 27001:2013.