http://homepage.cs.latrobe.edu.au/sloke/papers/1-s2.0-S0167739X12001318-main.pdf

Mobile cloud computing

This document provides guidance on how to secure Industrial Control Systems (ICS), including Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and other control system configurations such as Programmable Logic Controllers (PLC), while addressing their unique performance, reliability, and safety requirements The document provides an overview of ICS and typical system topologies, identifies typical threats and vulnerabilities to these systems, and provides recommended security countermeasures to mitigate the associated risks

/pdf/guide-to-industrial-control-systems-ics-security-48jy3kri07.pdf

Guide to Industrial Control Systems (ICS) Security

The development of a trustworthy smart grid requires a deeper understanding of potential impacts resulting from successful cyber attacks. Estimating feasible attack impact requires an evaluation of the grid's dependency on its cyber infrastructure and its ability to tolerate potential failures. A further exploration of the cyber-physical relationships within the smart grid and a specific review of possible attack vectors is necessary to determine the adequacy of cybersecurity efforts. This paper highlights the significance of cyber infrastructure security in conjunction with power application security to prevent, mitigate, and tolerate cyber attacks. A layered approach is introduced to evaluating risk based on the security of both the physical power applications and the supporting cyber infrastructure. A classification is presented to highlight dependencies between the cyber-physical controls required to support the smart grid and the communication and computations that must be protected from cyber attack. The paper then presents current research efforts aimed at enhancing the smart grid's application and infrastructure security. Finally, current challenges are identified to facilitate future research efforts.

Cyber–Physical System Security for the Electric Power Grid

With the exponential growth of cyber-physical systems (CPSs), new security challenges have emerged. Various vulnerabilities, threats, attacks, and controls have been introduced for the new generation of CPS. However, there lacks a systematic review of the CPS security literature. In particular, the heterogeneity of CPS components and the diversity of CPS systems have made it difficult to study the problem with one generalized model. In this paper, we study and systematize existing research on CPS security under a unified framework. The framework consists of three orthogonal coordinates: 1) from the security perspective, we follow the well-known taxonomy of threats, vulnerabilities, attacks and controls; 2) from the CPS components perspective, we focus on cyber, physical, and cyber-physical components; and 3) from the CPS systems perspective, we explore general CPS features as well as representative systems (e.g., smart grids, medical CPS, and smart cars). The model can be both abstract to show general interactions of components in a CPS application, and specific to capture any details when needed. By doing so, we aim to build a model that is abstract enough to be applicable to various heterogeneous CPS applications; and to gain a modular view of the tightly coupled CPS components. Such abstract decoupling makes it possible to gain a systematic understanding of CPS security, and to highlight the potential sources of attacks and ways of protection. With this intensive literature review, we attempt to summarize the state-of-the-art on CPS security, provide researchers with a comprehensive list of references, and also encourage the audience to further explore this emerging field.

https://ieeexplore.ieee.org/ielaam/6488907/8172502/7924372-aam.pdf

Cyber-Physical Systems Security—A Survey

NIST Special Publication 800-144 - Cloud computing can and does mean different things to different people. The common characteristics most interpretations share are on-demand scalability of highly available and reliable pooled computing resources, secure access to metered services from nearly anywhere, and displacement of data and services from inside to outside the organization. While aspects of these characteristics have been realized to a certain extent, cloud computing remains a work in progress. This publication provides an overview of the security and privacy challenges pertinent to public cloud computing and points out considerations organizations should take when outsourcing data, applications, and infrastructure to a public cloud environment.~

/pdf/guidelines-on-security-and-privacy-in-public-cloud-computing-2x2n11uw6u.pdf

Guidelines on Security and Privacy in Public Cloud Computing

/pdf/risk-management-guide-for-information-technology-systems-4xdf9eymj7.pdf

Risk Management Guide for Information Technology Systems: Recommendations of the National Institute of Standards and Technology

Risk management is the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level. Organizations use risk assessment, the first step in the risk management methodology, to determine the extent of the potential threat, vulnerabilities, and the risk associated with an information technology (IT) system. The output of this process helps to identify appropriate controls for reducing or eliminating risk during the risk mitigation process, the second step of risk management, which involves prioritizing, evaluating, and implementing the appropriate risk-reducing controls recommended from the risk assessment process. This guide provides a foundation for the development of an effective risk management program, containing both the definitions and the practical guidance necessary for assessing and mitigating risks identified within IT systems throughout their system development life cycle (SDLC). The ultimate goal is to help organizations to better manage IT-related mission risks.Organizations may choose to expand or abbreviate the comprehensive processes and steps suggested in this guide and tailor them to their site environment in managing IT-related mission risks. In addition, this guide provides information on the selection of cost-effective security controls. These controls can be used to mitigate risk for the better protection of mission-critical information and the IT systems that process, store, and carry this information.The third step in the process is continual evaluation and assessment. In most organizations, IT systems will continually be expanded and updated, their components changed, and their software applications replaced or updated with newer versions. In addition, personnel changes will occur and security policies are likely to change over time. These changes mean that new risks will surface and risks previously mitigated may again become a concern. Thus, the risk management process is ongoing and evolving.

SP 800-30. Risk Management Guide for Information Technology Systems

: The purpose of the Engineering Principles for Information Technology (IT) Security (HP-ITS) is to present a list of system-level security principles to he considered in the design, development, and operation of an information system. Ideally, the principles presented here would he used from the onset of a program-at the beginning of, or during the design phase- and then employed throughout the system's life-cycle. However, these principles are also helpful in affirming and confirming the security posture of already deployed information systems. The principles are short and concise and can he used by organizations to develop their system life-cycle policies.

/pdf/engineering-principles-for-information-technology-security-a-47plfu5rbe.pdf

Engineering Principles for Information Technology Security (A Baseline for Achieving Security), Revision A

/pdf/engineering-principles-for-information-technology-security-a-2909l59b4v.pdf

Engineering principles for information technology security (a baseline for achieving security) :: recommendations of the National Institute of Standards and Technology

The Engineering Principles for Information Technology (IT) Security (EP-ITS) presents a list of system-level security principles to be considered in the design, development, and operation of an information system. This document is to be used by IT security stakeholders and the principles introduced can be applied to general support systems and major applications. EP-ITS presents principles that apply to all systems, not ones tied to specific technology areas. These principles provide a foundation upon which a more consistent and structured approach to the design, development, and implementation of IT security capabilities can be constructed. While the primary focus of these principles remains on the implementation of technical countermeasures, these principles highlight the fact that, to be effective, a system security design should also consider non-technical issues, such as policy, operational procedures, and user education.

Alexis Feringa

Papers

Risk Management Guide for Information Technology Systems: Recommendations of the National Institute of Standards and Technology

SP 800-30. Risk Management Guide for Information Technology Systems

Engineering Principles for Information Technology Security (A Baseline for Achieving Security), Revision A

Engineering principles for information technology security (a baseline for achieving security) :: recommendations of the National Institute of Standards and Technology

SP 800-27 Rev. A. Engineering Principles for Information Technology Security (A Baseline for Achieving Security), Revision A