Research output: Thesis › Doctoral Thesis
Research output: Thesis › Doctoral Thesis
}
TY - BOOK
T1 - Augmenting ICS cyber security risk assessments
T2 - assimilation of socio-technical characteristics and constructs
AU - Green, Benjamin
PY - 2018
Y1 - 2018
N2 - Industrial Control Systems (ICSs) are applied to the monitoring, control, and automation of operational processes. Example industries include water, electricity, gas, and discrete manufacturing, some of which can be considered critical national infrastructure. Over recent years, an increase in disclosed ICS specific vulnerabilities, and cyber attacks, have been witnessed. The potential direct and cascading impact of these presents a significant risk, with dramatically detrimental consequences from a societal perspective. Complex relationships between essential services, and loss or compromise there of, provide motivation for this thesis.Modern ICSs rely on enterprise to plant floor connectivity. Where the size, diversity, and therefore complexity of an ICS increases, operational requirements, goals, and challenges, defined by users across various sub-systems will ultimately follow. Recent trends in technology convergence may cause system operators to lose a comprehensive understanding of end-to-end requirements. This presents a risk to system security and resilience, where the most minor of changes to sensor signals, can result in operational process degradation and failure. Furthermore, sensors once solely applied for operational process use, now act as inputs supporting a diverse set of organisational requirements. If these are not fully understood, incomplete cyber security risk assessment, and inappropriate implementation of security controls, could occur. This acts as a guiding principle across all thesis chapters, with core objectives set out to better understand and improve current approaches to the assessment of cyber-induced risk.In setting thesis objectives, three prerequisite questions were laid out, leading towards three core research questions, across four phases (Discover, Define, Develop, and Deliver). Initial phases related to ascertaining how ICSs can be understood from a social and technical perspective, who is likely to target ICSs with malicious intent, and how could attacks be conducted from a practical perspective. Applying this as a foundation, based on existing literature and practical experimentation, latter phases were better able to elicit pertinent challenges in current cyber security risk assessment practices, prior to the identification of appropriate mechanisms by which challenges may be addressed. In answering each research question, a mixed approach including literature reviews, practical experimentation, and industry engagement, was applied. Taking this approach has resulted in an output with practical contributions and impact, across both academia and industry alike.This thesis provides contributions across a number of discrete areas, including; a method by which ICSs can be defined from a social and technical perspective; an understanding of relevant threat actors, including tools and techniques which could be applied in the targeting of ICSs; how ICS cyber security risk assessments are currently approached by academia and industry, including a mechanism for their review, and identification of key gaps; approaches to the inclusion of socially derived cyber security risk within an assessment, including the identification of key challenges; and an approach to aid initial phases of ICS cyber security risk assessments. More specifically, how one can obtain a joint socio-technical understanding of system characteristics and constructs, as a prerequisite to cyber security risk assessments.Additional contribution in the form of a comprehensive ICS testbed environment, was developed to support thesis objectives. This facility continues to be of high value in initial stages of future work, more specifically, in the development of tools for use during a cyber security risk assessment, and ongoing risk management/mitigation.
AB - Industrial Control Systems (ICSs) are applied to the monitoring, control, and automation of operational processes. Example industries include water, electricity, gas, and discrete manufacturing, some of which can be considered critical national infrastructure. Over recent years, an increase in disclosed ICS specific vulnerabilities, and cyber attacks, have been witnessed. The potential direct and cascading impact of these presents a significant risk, with dramatically detrimental consequences from a societal perspective. Complex relationships between essential services, and loss or compromise there of, provide motivation for this thesis.Modern ICSs rely on enterprise to plant floor connectivity. Where the size, diversity, and therefore complexity of an ICS increases, operational requirements, goals, and challenges, defined by users across various sub-systems will ultimately follow. Recent trends in technology convergence may cause system operators to lose a comprehensive understanding of end-to-end requirements. This presents a risk to system security and resilience, where the most minor of changes to sensor signals, can result in operational process degradation and failure. Furthermore, sensors once solely applied for operational process use, now act as inputs supporting a diverse set of organisational requirements. If these are not fully understood, incomplete cyber security risk assessment, and inappropriate implementation of security controls, could occur. This acts as a guiding principle across all thesis chapters, with core objectives set out to better understand and improve current approaches to the assessment of cyber-induced risk.In setting thesis objectives, three prerequisite questions were laid out, leading towards three core research questions, across four phases (Discover, Define, Develop, and Deliver). Initial phases related to ascertaining how ICSs can be understood from a social and technical perspective, who is likely to target ICSs with malicious intent, and how could attacks be conducted from a practical perspective. Applying this as a foundation, based on existing literature and practical experimentation, latter phases were better able to elicit pertinent challenges in current cyber security risk assessment practices, prior to the identification of appropriate mechanisms by which challenges may be addressed. In answering each research question, a mixed approach including literature reviews, practical experimentation, and industry engagement, was applied. Taking this approach has resulted in an output with practical contributions and impact, across both academia and industry alike.This thesis provides contributions across a number of discrete areas, including; a method by which ICSs can be defined from a social and technical perspective; an understanding of relevant threat actors, including tools and techniques which could be applied in the targeting of ICSs; how ICS cyber security risk assessments are currently approached by academia and industry, including a mechanism for their review, and identification of key gaps; approaches to the inclusion of socially derived cyber security risk within an assessment, including the identification of key challenges; and an approach to aid initial phases of ICS cyber security risk assessments. More specifically, how one can obtain a joint socio-technical understanding of system characteristics and constructs, as a prerequisite to cyber security risk assessments.Additional contribution in the form of a comprehensive ICS testbed environment, was developed to support thesis objectives. This facility continues to be of high value in initial stages of future work, more specifically, in the development of tools for use during a cyber security risk assessment, and ongoing risk management/mitigation.
U2 - 10.17635/lancaster/thesis/362
DO - 10.17635/lancaster/thesis/362
M3 - Doctoral Thesis
PB - Lancaster University
ER -