In recent years industry has begun to consider the use of public information infrastructures (including the Internet) for remotely monitoring, managing and maintaining its technical systems. Concurrently, technical and business information systems are becoming interconnected through both private and public networks. As a result, industry is exposed to internal and external cyber-threats, and the security assessment of ICT infrastructures becomes of primary relevance. However, underlying every useful security methodology there is a system description which decomposes the system in terms of services, components, relationships and assets. In this paper we focus our attention on a particular type of system asset to which, to our knowledge, the usual security assessment methodologies do not pay sufficient attention: the information asset. Such an asset in fact represents the core of every ICT infrastructure (commands sent to components are information assets, data stored in databases are information assets, data flowing through the network are information assets); therefore we believe that its proper description and analysis are key to assuring reliable results from security assessments. Starting from some classical definitions of information and knowledge, we examine this type of asset with the aim of identifying the most suitable representation with respect to its security attributes. In more detail, we identify as interesting properties the interdependence between information assets, their life cycles, their dynamics (i.e. the flows of the information assets within the system), their topological location (in terms of the subsystems that host the information assets) and the correlation between the information assets and the vulnerabilities affecting the components of the system. We then provide a formal modelling framework for describing the characteristics of the information assets from a security assessment perspective.
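The properties listed above (interdependence, flows, topological location, and the correlation between assets and component vulnerabilities) can be made concrete in a small asset model. The following is an added illustration, not the paper's own formalism; the component names, assets, flows and the vulnerability identifier are constructed placeholders.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class InfoAsset:
    name: str
    hosted_on: frozenset     # components holding a copy (topological location)
    derived_from: frozenset  # assets it is computed from (interdependence)


@dataclass(frozen=True)
class Flow:
    asset: str  # an information asset in transit between two components (dynamics)
    src: str
    dst: str


# Constructed sample: a small remote-control system with hypothetical names.
ASSETS = {
    "setpoint": InfoAsset("setpoint", frozenset({"hmi", "plc"}), frozenset()),
    "measurement": InfoAsset("measurement", frozenset({"plc", "historian"}), frozenset()),
    "daily_report": InfoAsset("daily_report", frozenset({"historian"}), frozenset({"measurement"})),
    "audit_log": InfoAsset("audit_log", frozenset({"historian"}), frozenset()),
}
FLOWS = [Flow("setpoint", "hmi", "plc"), Flow("measurement", "plc", "historian")]
# Component -> vulnerability identifiers affecting it (placeholder id, not a real CVE).
VULNS = {"hmi": set(), "plc": {"VULN-PLACEHOLDER-1"}, "historian": set()}


def directly_exposed(assets, flows, component):
    """Assets hosted on, or flowing through, the given component."""
    hosted = {a.name for a in assets.values() if component in a.hosted_on}
    in_transit = {f.asset for f in flows if component in (f.src, f.dst)}
    return hosted | in_transit


def transitively_exposed(assets, seed):
    """Close an exposed set under interdependence: anything derived from an exposed asset."""
    exposed = set(seed)
    changed = True
    while changed:
        changed = False
        for a in assets.values():
            if a.name not in exposed and a.derived_from & exposed:
                exposed.add(a.name)
                changed = True
    return exposed


def assets_at_risk(assets, flows, vulns):
    """Correlate each component vulnerability with the information assets it can reach."""
    return {v: transitively_exposed(assets, directly_exposed(assets, flows, comp))
            for comp, ids in vulns.items() for v in ids}
```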