Security Reporting

Project title: Security reporting
Reference number: HIG43706; NFR164369
Effort: 1 PhD student
Primary contact: Professor Einar Snekkenes
Staff: Vitaliy Pavlenko
Project web page
Project summary: Supervisory control and data acquisition (SCADA) networks contain computers and applications that perform key functions in providing essential services and commodities (e.g., electricity, natural gas, gasoline, water, waste treatment, transportation). As such, they are part of the nation’s critical infrastructure and require protection from a variety of threats that exist in cyberspace today. SCADA networks were initially designed to maximize functionality, with little attention paid to security. As a result, the performance, reliability, flexibility and safety of distributed control/SCADA systems are robust, while the security of these systems is often weak. This makes some SCADA networks potentially vulnerable to disruption of service, process redirection, or manipulation of operational data that could result in public safety concerns and/or serious disruptions to the nation’s critical infrastructure. Cyber attacks or, even worse, insider attacks on SCADA systems in energy production and distribution could endanger public health and safety as well as cause serious environmental damage. The introduction of enterprise integration strategies, coupled with a lack of IT security knowledge, has left process control systems vulnerable.

The objective is to identify steps companies can take to reduce IT vulnerability in process control systems, to create an effective information security strategy, and to become more reliant and robust. The research question is: Is it possible to set up a security metrics Balanced Scorecard for security reporting to “continuously” validate the security level? With regard to electrical infrastructure, the aim of this thesis is, as a contribution to “Beredskapsforskriften”, to describe a model or prototype of a scorecard for security metrics in a SCADA network. The intention, though, is to create a toolkit of security metrics appropriate for information security risk management in various types of critical infrastructure.
Principal objectives and subgoals: The objective of the project is to investigate how reporting of security indicators to management can contribute toward the reduction of vulnerabilities in critical infrastructure.
Identify laws, regulations, etc. related to information security in the chosen area of critical infrastructure.
Identify a set of valid security metrics mapped to relevant laws and regulations.
Initiate a security metrics library and a tool for setting up a metrics program.
Strategies for automated collection of parameters, indicators and security metrics.
Strategies for representing the found metrics in tables, graphs, figures and scorecards.
Organizing and preparing data, an initial reading through the information, coding the data, and developing from the metrics according to the description and thematic analysis found in Balanced Scorecard theories.
Strategies used for validating the accuracy of the found metrics, as well as remediation strategies utility companies should adopt to mitigate risk.