Collaboration in security assessments for critical infrastructures

Security assessments of IT systems in critical infrastructures involve many different stakeholders, and only the combination of their knowledge yields a comprehensive view of the system's structure and of its vulnerabilities and threats. To let all stakeholders keep the assessment information up to date on a regular basis, the collaboration process needs methodological and technical support. We formalize this process with regard to the ESSAM assessment method and introduce a central knowledge base that supports intra-organizational collaboration between the development teams of different systems.

[1] Peter Jarratt et al. RAMeX: a prototype expert system for computer security risk analysis and management. Computers & Security, 1995.

[2] Matt Bishop. Education in information security. IEEE Concurrency, 2000.

[3] Gary McGraw et al. ITS4: a static vulnerability scanner for C and C++ code. Proceedings of the 16th Annual Computer Security Applications Conference (ACSAC'00), 2000.

[4] P. Meunier et al. Sharing Vulnerability Information using a Taxonomically-correct, Web-based Cooperative Database. 2001.

[5] Thomas Peltier et al. Information Technology: Code of Practice for Information Security Management. 2001.

[6] Markus Schumacher et al. Collaborative attack modeling. Proceedings of the ACM Symposium on Applied Computing (SAC '02), 2002.

[7] Thomas P. von Hoff et al. Security for Industrial Communication Systems. Proceedings of the IEEE, 2005.

[8] Mario Piattini et al. Secure information systems development: a survey and comparison. Computers & Security, 2005.

[9] Mikko T. Siponen et al. Analysis of modern IS security development approaches: towards the next generation of social and adaptable ISS methods. Information and Organization, 2005.

[10] Matt Bishop et al. Uncovering Assumptions in Information Security. 2005.

[11] Mikko T. Siponen et al. An analysis of the traditional IS security approaches: implications for research and practice. European Journal of Information Systems, 2005.

[12] Karen A. Scarfone et al. Common Vulnerability Scoring System. IEEE Security & Privacy, 2006.

[13] Jeffrey L. Hieb et al. Cyber security risk assessment for SCADA and DCS networks. ISA Transactions, 2007.

[14] Martin Naedele et al. Addressing IT Security for Critical Control Systems. Proceedings of the 40th Annual Hawaii International Conference on System Sciences (HICSS'07), 2007.

[15] Karen A. Scarfone et al. The Common Vulnerability Scoring System (CVSS) and its Applicability to Federal Agency Systems. 2007.

[16] Walter Brenner et al. ESSAM: A Method for Security Assessments by Embedded Systems Manufacturers. 2008.

[17] Joint Task Force Transformation Initiative. NIST SP 800-53 Rev. 3: Recommended Security Controls for Federal Information Systems and Organizations. 2009.