1.26 MB, PDF document
Available under license: None
Research output: Contribution in Book/Report/Proceedings - With ISBN/ISSN › Conference contribution/Paper › peer-review
Assurance Techniques for Industrial Control Systems (ICS). / Knowles, William; Such Aparicio, Jose Miguel; Gouglidis, Antonios et al.
CPS-SPC '15 Proceedings of the First ACM Workshop on Cyber-Physical Systems-Security and/or PrivaCy. New York : ACM, 2015. p. 101-112.Research output: Contribution in Book/Report/Proceedings - With ISBN/ISSN › Conference contribution/Paper › peer-review
}
TY - GEN
T1 - Assurance Techniques for Industrial Control Systems (ICS)
AU - Knowles, William
AU - Such Aparicio, Jose Miguel
AU - Gouglidis, Antonios
AU - Misra, Gaurav
AU - Rashid, Awais
PY - 2015/10
Y1 - 2015/10
N2 - Assurance techniques generate evidence that allow us to make claims of assurance about security. For the purpose of certification to an assurance scheme, this evidence enables us to answer the question: are the implemented security controls consistent with organisational risk posture? This paper uses interviews with security practitioners to assess how ICS security assessments are conducted in practice, before introducing the five "PASIV" principles to ensure the safe use of assurance techniques. PASIV is then applied to three phases of the system development life cycle (development; procurement; operational), to determine when and when not, these assurance techniques can be used to generate evidence. Focusing then on the operational phase, this study assesses how assurances techniques generate evidence for the 35 security control families of ISO/IEC 27001:2013.
AB - Assurance techniques generate evidence that allow us to make claims of assurance about security. For the purpose of certification to an assurance scheme, this evidence enables us to answer the question: are the implemented security controls consistent with organisational risk posture? This paper uses interviews with security practitioners to assess how ICS security assessments are conducted in practice, before introducing the five "PASIV" principles to ensure the safe use of assurance techniques. PASIV is then applied to three phases of the system development life cycle (development; procurement; operational), to determine when and when not, these assurance techniques can be used to generate evidence. Focusing then on the operational phase, this study assesses how assurances techniques generate evidence for the 35 security control families of ISO/IEC 27001:2013.
KW - ICS
KW - SCADA
KW - Risk Management
KW - Assurance Techniques
M3 - Conference contribution/Paper
SN - 9781450338271
SP - 101
EP - 112
BT - CPS-SPC '15 Proceedings of the First ACM Workshop on Cyber-Physical Systems-Security and/or PrivaCy
PB - ACM
CY - New York
ER -