On the Cost of Security Compliance in Information Systems

The continuing development of information and communication technology has led to a new industrial revolution called Industry 4.0. This revolution involves Cyber-Physical Production Systems (CPPS), which consist of intelligent Cyber-Physical Systems that may be able to adapt themselves autonomously in a production environment. At the moment, machines in industrial environments are often not connected to the internet, so a point-to-point connection is needed whenever the device has to be accessed. With Industry 4.0, these devices should allow remote access for smart maintenance through a connection to the outside world. However, this connection opens the gate for possible cyber-attacks and thus raises the question of how to provide security for these environments. Therefore, this paper used an adapted approach based on Six Sigma to address this security problem by investigating security standards. Security requirements were gathered, mapped to controls from well-known security standards, and formed into a catalog. This catalog includes assessment information to check how secure a solution for a use case is, and it also includes a link to an estimation method for implementation cost. This paper's outcome thus shows how to make Industry 4.0 use cases secure by fulfilling security standard controls and how to estimate the resulting implementation costs.