Abstract

Organizations make use of important information in day-to-day business. Protecting sensitive information is imperative and must be managed. Companies in many parts of the world protect sensitive information using the international standard known as the information security management system (ISMS). The ISO 27000 series is the international ISMS standard used to protect the confidentiality, integrity, and availability of sensitive information. While an ISMS based on the ISO 27000 series has no particular flaws for general information systems, it is unfit to manage sensitive information for industrial control systems (ICSs), because the first priority of industrial control is the safety of the system. Therefore, a new information security management system based on confidentiality, integrity, and availability as well as safety is required for ICSs. This new ISMS must be mutually exclusive of an ICS. This paper provides a new paradigm of ISMS for ICSs, which will be shown to be more suitable than the existing ISMS.

1. Introduction

In general information systems, almost all security groups use the international information security management system (ISMS) standard, which is the ISO 27000 series. The ISO 27000 series focuses on the protection of confidentiality, integrity, and availability of information [13]. This ISMS is appropriate for general information systems, where the main threats are dynamic and variable, like malicious hacking.

However, industrial control systems (ICSs) are different from general information systems. While protection from dynamic, variable threats is important on an ICS, safety is the most crucial concern in industrial control [4–6].

When national infrastructures, like nuclear power plants, deploy an ICS, the ICS is evaluated on the basis of safety [7]. In the field, safety is evaluated by IEC 61508 and IEC 61511. IEC 61508 is the international standard for Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems, and IEC 61511 is the technical standard that defines practices in the engineering of systems that ensure the safety of an industrial process (see Figure 1).

An ISMS is based on confidentiality, integrity, and availability, and the security needs of an ICS are not mutually exclusive with these because the nature of such businesses differs from that of general information systems. An ICS is of significance in the control of national infrastructures. These systems have unquestionable value, and they must be safe [7, 8]. For this reason, ICSs require safety first, rather than the other ISMS-based attributes. In the field, process owners of ICSs in fact follow the safety standards IEC 61508 and IEC 61511.

In short, a new ISMS should be configured on the views of confidentiality, integrity, and availability, as well as safety (see Figure 2).

The ISMS is a framework that presents three views, confidentiality, integrity, and availability, to protect information [1]. However, this paper casts doubt on whether the three views of the existing ISMS are sufficient to protect assets from internal and external threats and vulnerabilities in an ICS.

In the case of an ICS, the social impact of threats and vulnerabilities such as hacking, natural disasters, and internal system problems is not comparable with that of general information systems; the damage is great and brings severe economic and social dislocation [4, 5, 8]. Thus, safety becomes the main keyword in an ICS.

The requirements of IEC 61511 are based on safety, whereas the requirements and controls of ISO 27001 and NIST SP 800-53 are based on confidentiality, integrity, and availability [7]. In ISO 27001 and NIST SP 800-53, safety is treated as just a part of availability, so the safety of IEC 61511 is different from the safety of NIST SP 800-53 and ISO 27001.

As a result, this paper suggests that the safety presented in IEC 61511 should be considered a part of the new ISMS, together with confidentiality, integrity, and availability. The reason is twofold: information in an ICS could be exposed, leaked, or tampered with if the internal safety of the system is not guaranteed against unexpected environmental changes, such as fluctuations of temperature and humidity; and the absence of safety against external threats and vulnerabilities, such as hacking and natural disasters, has a great socioeconomic ripple effect [8, 9].

Therefore, safety should be acknowledged as an essential value in the ISMS of an ICS, at an equal level with confidentiality, integrity, and availability.

In order to prove this point, we will compare and analyze the security controls or requirements of three international standards, namely, ISO 27001, NIST SP 800-53, and IEC 61511. If the safety requirements of IEC 61511, which are followed by people in the ICS field, barely match the security controls of ISO 27001 (which include its 21 requirements) or the security controls of NIST SP 800-53, then the ISMS for ICSs, in its present form, is faulty and ineffective [1, 10, 11].

This paper will also compare and analyze the common security controls of NIST SP 800-53 that were successfully carried out by the South Korea energy group (thermal, gas, nuclear, combined cycle, electricity, and power exchange) against the safety requirements of IEC 61511. The reason for comparing common security controls with the requirements of IEC 61511 is that common security controls are those sufficient for every ICS, regardless of the specific application. For this reason, comparing the common security controls with the safety requirements of IEC 61511 is essential in order to generalize the result to every ICS. If the result of this matching is the same as the above result of the comparison between the safety requirements of IEC 61511, the security controls of ISO 27001, and the security controls of NIST Special Publication 800-53, this analysis can also prove that the ISMS is presently faulty and ineffective in a general ICS environment. In other words, an ISMS that focuses on the confidentiality, integrity, and availability of information, based on the ISO 27000 series, is unfit to manage sensitive information on an ICS.

2. Introduction of Control Sets for ISO 27001, NIST SP 800-53, and IEC 61511

2.1. Domains for Security Controls and Requirements of ISO 27001

ISO 27001 is a document published by ISO and IEC, titled "Information technology – Security techniques – Information security management systems – Requirements". This document specifies the requirements and security controls for establishing, implementing, maintaining, and continually improving an ISMS within the context of the organization. The security controls presented by ISO 27001 are composed of 34 subdomains in 14 domains. The total number of security controls, including the 21 requirements, is 140. The domains for the security controls and requirements of ISO 27001 are presented in Figure 3 [1].

2.2. Domains for Security Controls of NIST SP 800-53

NIST Special Publication 800-53 is a document published by NIST on Recommended Security Controls for Federal Information Systems and Organizations. This document in particular recommends security controls for ICSs. The recommended security controls are composed of 90 subdomains in 17 domains. The total number of controls is 186. The domains for the recommended security controls are shown in Figure 4 [10].

2.3. Domains for Safety Requirements of IEC 61511

IEC 61511 is a technical standard used in the engineering of systems, and it ensures the safety of an industrial process. IEC 61511 consists of 3 chapters. The first chapter is called "framework, definitions, system, hardware and software requirements"; the second chapter is called "guidelines for the application of IEC 61511-1"; and the third chapter is called "guidance for the determination of the required safety integrity levels." The safety requirements of IEC 61511 are divided into five safety parts, and these safety parts cover development, allocation, design, installation, commissioning, validation, operation, modification, and decommissioning of an ICS. The safety requirements of IEC 61511 are composed of 15 domains, and the total number of controls is 215. The domains for the requirements and the overall framework of IEC 61511 are shown in Figures 5 and 6 [7].

3. Matching Analysis for Security Controls and Requirements of International Standards

Each part of IEC 61511 has several requirements that include the security controls of NIST SP 800-53 or the security controls of ISO 27001.

In order to prove this point, we compare and analyze the security controls/requirements of three international standards, namely ISO 27001, NIST SP 800-53, and IEC 61511, below.

3.1. Preparation of Matching Analysis for Security Controls and Requirements of International Standards

We present a comparative security controls list for IEC 61511, ISO 27001, and NIST SP 800-53. An example of this list is presented in Table 1 [1, 7].

3.2. Result of Matching Analysis for Security Controls and Requirements of International Standards

In order to find out whether the security controls of the international standards match, we compare the requirements of IEC 61511 with the security controls of NIST SP 800-53 and the security controls of ISO 27001.

There are two results from this comparison. Firstly, the percentage of security controls of ISO 27001 that match safety requirements of IEC 61511 is 15%. Specifically, the total number of security controls of ISO 27001 is 140, and 21 of these matched safety requirements of IEC 61511.

Secondly, the percentage of security controls of NIST SP 800-53 that match safety requirements of IEC 61511 is 16.49%. Specifically, the total number of security controls of NIST SP 800-53 is 194, and 34 of these matched safety requirements of IEC 61511.

In short, the percentage of requirements of IEC 61511 that match either the security controls of NIST SP 800-53 or the security controls of ISO 27001 is quite low. These results mean that an ISMS based on ISO 27001 or NIST SP 800-53 is insufficient for a real industrial control system environment, because the ISMS does not reflect the specific nature of an ICS. That specificity is safety, which is a core value of IEC 61511 (see Table 2 and Figure 7).

3.3. Extracting Items from IEC 61511 to Append to the New ISMS

The items extracted from IEC 61511 to append to the new ISMS are selected under the following conditions. The first step is to choose all requirements of IEC 61511 that do not match the requirements and controls of NIST SP 800-53 and ISO 27001. The next step is to choose, from these nonmatching requirements, the general requirements in each ICS life-cycle type; these general requirements are the extracted items. The reason for selecting the general requirements among the nonmatching requirements is to keep the level of requirements and controls consistent with ISO 27001 and NIST SP 800-53 while assuring safety in the new ISMS [12, 13].
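The matching analysis of Section 3.2 and the two-step extraction of Section 3.3 can be expressed as a small program. The following is an added example, not code from the paper: the requirement identifiers (R1..R6), the control identifiers (A.x, CM-x, ...), the life-cycle phases and the match table are all constructed sample data for illustration, so the percentages it computes are not the paper's figures. It computes the share of each ISMS catalogue that matches an IEC 61511 requirement, selects the requirements matched by neither catalogue (step 1), and keeps only the general ones grouped by life-cycle type (step 2).

```python
"""Matching analysis between IEC 61511 safety requirements and ISMS controls.

Added example, not from the paper. Every identifier and the match table below
are constructed sample data; they do not reproduce the paper's Tables 1-3.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Requirement:
    """One IEC 61511 safety requirement (constructed sample)."""
    rid: str
    phase: str      # ICS life-cycle type, e.g. "design", "operation"
    general: bool   # True if the requirement is general rather than application-specific
    text: str


# Constructed IEC 61511 requirement list (hypothetical identifiers and wording).
IEC_REQUIREMENTS = [
    Requirement("R1", "design", True, "Safety requirements specification is documented"),
    Requirement("R2", "design", True, "Safety integrity level is assigned per function"),
    Requirement("R3", "installation", False, "Field wiring checks for one specific loop"),
    Requirement("R4", "operation", True, "Proof-test intervals are defined and followed"),
    Requirement("R5", "modification", True, "Impact analysis precedes any change"),
    Requirement("R6", "decommissioning", True, "Remaining protection is preserved"),
]

# Constructed ISMS control catalogues (hypothetical identifiers).
ISO_CONTROLS = {"A.1", "A.2", "A.3", "A.4", "A.5"}
NIST_CONTROLS = {"CM-1", "CM-3", "SA-1", "SA-2", "PE-1", "PE-2"}

# Constructed match table: IEC requirement id -> set of matching controls.
# A missing key or an empty set means no control in that catalogue matches.
MATCHES = {
    "iso": {"R1": {"A.2"}, "R5": {"A.4"}},
    "nist": {"R1": {"SA-1"}, "R2": set(), "R5": {"CM-3"}, "R6": set()},
}


def matched_controls(catalogue: set, matches: dict) -> set:
    """Controls of one catalogue that match at least one IEC requirement."""
    return set().union(*matches.values()) & catalogue


def match_percentage(catalogue: set, matches: dict) -> float:
    """Share of the catalogue that matched, defined as in Section 3.2."""
    return 100.0 * len(matched_controls(catalogue, matches)) / len(catalogue)


def nonmatching_requirements(requirements, match_tables) -> list:
    """Step 1 of Section 3.3: requirements matched by none of the catalogues."""
    return [r for r in requirements if not any(t.get(r.rid) for t in match_tables)]


def extract_items(requirements, match_tables) -> dict:
    """Step 2: keep only the general nonmatching requirements, grouped by phase."""
    items = {}
    for r in nonmatching_requirements(requirements, match_tables):
        if r.general:
            items.setdefault(r.phase, []).append(r.rid)
    return items


if __name__ == "__main__":
    tables = [MATCHES["iso"], MATCHES["nist"]]
    print(f"ISO 27001 match: {match_percentage(ISO_CONTROLS, MATCHES['iso']):.2f}%")
    print(f"NIST SP 800-53 match: {match_percentage(NIST_CONTROLS, MATCHES['nist']):.2f}%")
    print("Items to append, by life-cycle type:", extract_items(IEC_REQUIREMENTS, tables))
```

Note that the percentage is computed over the ISMS catalogue (how much of ISO 27001 or NIST SP 800-53 corresponds to a safety requirement), which is how the paper defines it; an application-specific requirement such as R3 is excluded from the appended items even though nothing matches it.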

The recommended safety items extracted from IEC 61511 to develop the new ISMS are shown in Table 3.

This paper holds that safety broadly has two meanings. The first is safety against external factors, such as hacking and natural disasters; the second is safety against internal factors, such as internal system failure.

Neither the requirements of IEC 61511 nor those of ISO 27001 and NIST SP 800-53 present direct requirements against the internal and external threats and vulnerabilities that hinder safety in an ICS. Instead, IEC 61511 presents safety requirements for each ICS life-cycle type that guarantee safety from these internal and external threats and vulnerabilities; these safety requirements aim to improve the safety of the ICS, which is the core of managing risk from internal and external threats and vulnerabilities well.

4. Matching Analysis for Common Security Controls of NIST SP 800-53 in South Korea Energy Industry and Safety Requirements of IEC 61511

Each part of IEC 61511 has several requirements that include the security controls of NIST SP 800-53. In this section, we do not compare and analyze the whole set of security controls of the international standards; instead, we compare and analyze the common security controls of NIST SP 800-53 that were successfully carried out by the South Korea energy group (thermal, gas, nuclear, combined cycle, electricity, and power exchange) against the safety requirements of IEC 61511. This is because the entire set of security controls of NIST SP 800-53 does not apply to the South Korea energy group.

In order to find the common security controls among the entire set of security controls of NIST SP 800-53, we constructed an evaluation frame containing the security controls of NIST SP 800-53. We asked the South Korea energy group, that is, the power exchange, electricity, gas, combined cycle, nuclear, and thermal groups, to fill out a questionnaire [10, 11, 14] (see Table 4).

4.1. The Data Gathering to Find Out Common Security Controls of NIST SP 800-53 in South Korea Energy Industry

In order to gather data, we drew up an evaluation sheet for the security controls based on NIST Special Publication 800-53, which includes security guidance and recommends security controls for ICSs [15–18].

The evaluation sheet is shown in Figure 8.

Answers for each item are classified as yes, no, partial, or N/A. Developers, operators of the energy management systems, and process owners filled in the questionnaire.

4.2. The Result for Common Security Controls of NIST SP 800-53 in South Korea Energy Industry

We compared and analyzed the current security controls status of the South Korea energy group (thermal, gas, nuclear, combined cycle, electricity, and power exchange) and then collected the common security controls, that is, the controls that every South Korea group carries out successfully. The common security controls are shown in Table 5.
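The data-gathering step of Section 4.1 and the derivation of common controls in Section 4.2 can be checked mechanically. The following is an added example, not the paper's survey or code: the six group names follow the paper, but the control identifiers and every answer are constructed sample data, not the results in Tables 4 and 5. One assumption is made that the paper does not state: only a "yes" answer counts as a control carried out successfully, so a "partial" or "N/A" answer from even one group removes the control from the common set. The validation step guards against sheets with a missing group or an answer outside the four classes, which would otherwise silently shrink or inflate the common set.

```python
"""Deriving common NIST SP 800-53 controls from per-group questionnaire answers.

Added example, not from the paper. Control identifiers and answers below are
constructed sample data. Assumption (not stated by the paper): only "yes"
counts as carried out successfully; "partial", "no" and "N/A" do not.
"""
from collections import Counter

# The six groups of the South Korea energy group named in the paper.
GROUPS = ["thermal", "gas", "nuclear", "combined_cycle", "electricity", "power_exchange"]
# The four answer classes of the evaluation sheet (Section 4.1).
ANSWER_CLASSES = {"yes", "no", "partial", "N/A"}

# Constructed questionnaire results: control id -> {group: answer}.
SURVEY = {
    "AC-2": {g: "yes" for g in GROUPS},
    "AC-3": {**{g: "yes" for g in GROUPS}, "gas": "partial"},
    "AU-2": {g: "yes" for g in GROUPS},
    "IR-4": {**{g: "yes" for g in GROUPS}, "power_exchange": "N/A"},
    "PE-3": {**{g: "yes" for g in GROUPS}, "thermal": "no"},
    "CM-3": {g: "yes" for g in GROUPS},
}


def validate(survey: dict, groups: list) -> bool:
    """Reject sheets with a group missing or an answer outside the four classes."""
    for cid, row in survey.items():
        missing = set(groups) - set(row)
        if missing:
            raise ValueError(f"{cid}: no answer from {sorted(missing)}")
        bad = {a for a in row.values() if a not in ANSWER_CLASSES}
        if bad:
            raise ValueError(f"{cid}: unknown answer class {sorted(bad)}")
    return True


def common_controls(survey: dict, groups: list) -> list:
    """Controls every group answered 'yes' to, i.e. carried out successfully everywhere."""
    validate(survey, groups)
    return sorted(cid for cid, row in survey.items() if all(row[g] == "yes" for g in groups))


def answer_summary(survey: dict, groups: list) -> dict:
    """Per-control count of each answer class; shows why a control is not common."""
    return {cid: dict(Counter(row[g] for g in groups)) for cid, row in survey.items()}


if __name__ == "__main__":
    print("Common controls:", common_controls(SURVEY, GROUPS))
    for cid, counts in answer_summary(SURVEY, GROUPS).items():
        print(f"{cid}: {counts}")
```

With the constructed sheet, AC-3, IR-4 and PE-3 drop out of the common set because one group answered something other than "yes"; the summary makes that visible per control. If a survey instead treated N/A as "not applicable, hence not disqualifying", the predicate in `common_controls` is the single place to change.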

4.3. Results of Matching Analysis for Common Security Controls of NIST SP 800-53 in South Korea Energy Groups and Requirements of IEC 61511

The safety requirements of IEC 61511 match the common security controls of NIST SP 800-53. In fact, it may be more difficult to match the safety requirements of IEC 61511 with the common security controls of NIST SP 800-53 because of the nature of the standard, which generalizes its requirements; nevertheless, the common security controls of NIST SP 800-53 compare well enough with the safety requirements of IEC 61511 (see Table 6).

It is difficult to match the common security controls of NIST SP 800-53 with the safety requirements of IEC 61511 perfectly; however, the safety requirements of IEC 61511 do match the common security controls. In other words, it is not hard to include safety as an ICS attribute.

The point of this paper is that the safety emphasized in IEC 61511 can be reflected in an information security management system for ICSs.

5. Conclusions

This paper presented two methodologies to prove that a new information security management system based on confidentiality, integrity, availability, and safety is required on the industrial control system.

The first methodology was an analysis of the matching of security controls across international standards. From the first methodology, it was seen that the percentage of matching between the requirements of IEC 61511, the security controls of NIST SP 800-53, and the security controls of ISO 27001 is very low. These results mean that an ISMS based on ISO 27001 or NIST SP 800-53 is insufficient for real ICSs, because the ISMS does not reflect the specific nature of ICSs (see Figure 9).

The second methodology involved an analysis of the matching of the common security controls of NIST SP 800-53 that were successfully carried out by the South Korea energy group (thermal, gas, nuclear, combined cycle, electricity, and power exchange) with the safety requirements of IEC 61511. These results showed that it is difficult to match the common security controls of NIST SP 800-53 in South Korea with the safety requirements of IEC 61511 perfectly. However, the safety requirements of IEC 61511 match reasonably well with the common security controls. In other words, it is not hard for safety to be included in an industrial control system.

An ICS is different from a general information system, and an ISMS based on confidentiality, integrity, and availability never achieves a mutually exclusive security policy for an ICS.

Just as integrity is significant for finance and confidentiality is significant for manufacturing, safety is significant for ICSs [3, 5, 6]. This paper proves that safety is very significant for ICSs, and safety should be included in an ISMS based on confidentiality, integrity, and availability of information.

In brief, a new ISMS based on confidentiality, integrity, and availability as well as safety is required in ICSs. This new information security management system is mutually exclusive to the nature of an industrial control system.

We expect that the information security performance of ICSs will be improved through our work.

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgment

This work was supported by a grant from Korea University.