A proposed technical security metrics model for SCADA systems

Information security metrics are important for guiding how the effectiveness of security controls is measured in compliance with information security standards. However, the lack of a method to guide organizations in choosing technical security metrics may cause technical security control objectives and capabilities to fail. This research proposes a model of technical security metrics to measure the effectiveness of network security management, that is, network security controls and services such as firewalls and Intrusion Detection and Prevention Systems (IDPS), in the protection of Supervisory Control and Data Acquisition (SCADA) systems. The methodology used is the Plan-Do-Check-Act process model. The proposed technical security metrics provide guidance for SCADA owners in complying with the requirements of the ISO/IEC 27001 Information Security Management System (ISMS) standard. The proposed model should be able to provide comprehensive measurement and prove the effectiveness of the ISO/IEC 27004 ISMS Measurement standard.
