Design Considerations for Building Credible Security Testbeds: Perspectives from Industrial Control System Use Cases

This paper presents a mapping framework for design factors and an implementation process for building credible Industrial Control Systems (ICS) security testbeds. The security and resilience of ICSs have become a critical concern to operators and governments following widely publicised cyber security events. The inability to apply conventional Information Technology security practice to ICSs further compounds the challenges of adequately securing critical systems. To overcome these challenges, and to do so without impacting live environments, testbeds are widely used for the exploration, development, and evaluation of security controls. However, how a testbed is designed, and its attributes, can directly impact not only its viability but also its credibility. Combining systematic and thematic analysis with the mapping of identified ICS security testbed design attributes, we propose a novel relationship map of credibility-supporting design factors (and their associated attributes) and a process implementation flow structure for ICS security testbeds. The framework and implementation process highlight the significance of demonstrating some design factors, such as user/experimenter expertise, clearly defined testbed design objectives, simulation implementation approach, covered architectural components, core structural and functional characteristics covered, and evaluations, to enhance confidence in, and the trustworthiness and acceptance of, ICS security testbeds as credible. These can streamline testbed requirement definition and improve design consistency and quality while reducing implementation costs.
