Final published version
Research output: Contribution in Book/Report/Proceedings - With ISBN/ISSN › Conference contribution/Paper › peer-review
TY - GEN
T1 - The impact of social engineering on Industrial Control System security
AU - Green, Benjamin
AU - Prince, Daniel
AU - Busby, Jeremy
AU - Hutchison, David
PY - 2015
Y1 - 2015
N2 - In assessing the security posture of Industrial Control Systems (ICS), several approaches have been proposed, including attack graphs, attack trees, Bayesian networks and security ideals. Predominantly focusing on technical vulnerabilities, challenges stemming from social and organisational factors are often reviewed in isolation, if at all. Taking a mean time-to-compromise (MTTC) metric as a base for expansion, we explore the impact social engineering attack vectors (malicious e-mails) could have on such assessments. The applied method takes a holistic view, to better understand the potential impact of social engineering across a small European utility company. The results of this review are analysed and discussed, highlighting the level of access an attacker could gain through social engineering, and the need for assessment metrics to include vulnerabilities stemming not only from technical factors, but social and organisational ones as well.
AB - In assessing the security posture of Industrial Control Systems (ICS), several approaches have been proposed, including attack graphs, attack trees, Bayesian networks and security ideals. Predominantly focusing on technical vulnerabilities, challenges stemming from social and organisational factors are often reviewed in isolation, if at all. Taking a mean time-to-compromise (MTTC) metric as a base for expansion, we explore the impact social engineering attack vectors (malicious e-mails) could have on such assessments. The applied method takes a holistic view, to better understand the potential impact of social engineering across a small European utility company. The results of this review are analysed and discussed, highlighting the level of access an attacker could gain through social engineering, and the need for assessment metrics to include vulnerabilities stemming not only from technical factors, but social and organisational ones as well.
U2 - 10.1145/2808705.2808717
DO - 10.1145/2808705.2808717
M3 - Conference contribution/Paper
SN - 9781450338271
SP - 23
EP - 29
BT - CPS-SPC '15 Proceedings of the First ACM Workshop on Cyber-Physical Systems-Security and/or PrivaCy
PB - ACM
CY - New York
T2 - ACM Workshop on Cyber-Physical Systems Security & Privacy (CPS-SPC)
Y2 - 16 October 2015
ER -