An Approach to Organizational Cybersecurity

Large organizations must plan for Cybersecurity throughout their entire network, taking into account network granularity and outside subcontractors. The United States Department of Defense (DoD) has large networked systems that span the globe, crossing multiple intra-organizational systems. This larger network includes Information Systems typical of enterprise networks, SCADA Systems monitoring critical infrastructure, newer Cyber-physical systems, and mobile networks. With increased connectivity within the DoD and to external organizations, Cybersecurity is seen as a critical organizational need. There is currently no standard evaluation process to gauge whether various Cybersecurity technologies adequately meet the needs of either the DoD at large or lower-tier organizations in their own contexts. We introduce the DoD-Centric and Independent Technology Evaluation Capability (DITEC), an enterprise-ready evaluation tool that offers a repeatable evaluation process, the ability to take prior product evaluations into account during the acquisition process, and tools to assist security non-experts in understanding which technologies meet their specific needs. This work describes DITEC and the Cyber-SCADA Evaluation Capability (C-SEC), an implementation of DITEC in a Cyber-Physical context.
