Article: A security architectural pattern for risk management of industry control systems within critical national infrastructure Journal: International Journal of Critical Infrastructures (IJCIS) 2017 Vol.13 No.2/3 pp.113 - 132 Abstract: SCADA and ICS security have been focusing on addressing issues such as vulnerability discovery and intrusion detection within critical national infrastructure. Less attention has been paid to architectural solutions to the cyber security risks from an information assurance perspective. Security controls are not always traced back to the business requirements. This paper presents a holistic end-to-end view of the requirements, medium to high severity risks and proposes a generic security architectural pattern to address them. The architectural pattern is developed based on the Sherwood Applied Business Security Architecture (SABSA) top two layers, contextual and conceptual, which are responsible for understanding the business requirements and development of a concept architecture and strategy. Moreover, this research is motivated by industrial practices and has reflected the recent changes of GCHQ's mission. This research also contributes to the SCADA/ICS risk assessment by deriving holistic sets of risk management and architectural design requirements for SCADA/ICS. Inderscience Publishers - linking academia, business and industry through research

Title: A security architectural pattern for risk management of industry control systems within critical national infrastructure

Authors: Andy Wood; Ying He; Leandros A. Maglaras; Helge Janicke

Addresses: Department of Computer Science and Informatics, De Montfort University, The Gateway, Leicester, LE1 9BH, UK ' Department of Computer Science and Informatics, De Montfort University, The Gateway, Leicester, LE1 9BH, UK ' Department of Computer Science and Informatics, De Montfort University, The Gateway, Leicester, LE1 9BH, UK ' Department of Computer Science and Informatics, De Montfort University, The Gateway, Leicester, LE1 9BH, UK

Abstract: SCADA and ICS security have been focusing on addressing issues such as vulnerability discovery and intrusion detection within critical national infrastructure. Less attention has been paid to architectural solutions to the cyber security risks from an information assurance perspective. Security controls are not always traced back to the business requirements. This paper presents a holistic end-to-end view of the requirements, medium to high severity risks and proposes a generic security architectural pattern to address them. The architectural pattern is developed based on the Sherwood Applied Business Security Architecture (SABSA) top two layers, contextual and conceptual, which are responsible for understanding the business requirements and development of a concept architecture and strategy. Moreover, this research is motivated by industrial practices and has reflected the recent changes of GCHQ's mission. This research also contributes to the SCADA/ICS risk assessment by deriving holistic sets of risk management and architectural design requirements for SCADA/ICS.

Keywords: industry control systems; critical national infrastructure; CNI; security architectural pattern; risk management; business requirements; SABSA.

DOI: 10.1504/IJCIS.2017.088229

International Journal of Critical Infrastructures, 2017 Vol.13 No.2/3, pp.113 - 132

Received: 01 Nov 2016
Accepted: 28 Dec 2016
Published online: 30 Nov 2017 *

Full-text access for editors Full-text access for subscribers Purchase this article Comment on this article

Title: A security architectural pattern for risk management of industry control systems within critical national infrastructure

Keep up-to-date