To read this content please select one of the options below:

A review of security assessment methodologies in industrial control systems

Qais Saif Qassim (College of Computer Science and Information Technology, Universiti Tenaga Nasional, Selangor, Malaysia)
Norziana Jamil (Institute of Informatics and Computing in Energy, Universiti Tenaga Nasional, Selangor, Malaysia and College of Computer Science and Information Technology, Universiti Tenaga Nasional, Selangor, Malaysia)
Maslina Daud (CyberSecurity Malaysia, Seri Kembangan, Selangor, Malaysia)
Ahmed Patel (Department of Computer Science, Universidade Estadual do Ceara, Fortaleza, Brazil)
Norhamadi Ja’affar (CyberSecurity Malaysia, Seri Kembangan, Selangor, Malaysia)

Information and Computer Security

ISSN: 2056-4961

Article publication date: 7 February 2019

Issue publication date: 27 February 2019

1484

Abstract

Purpose

The common implementation practices of modern industrial control systems (ICS) has left a window wide open to various security vulnerabilities. As the cyber-threat landscape continues to evolve, the ICS and their underlying architecture must be protected to withstand cyber-attacks. This study aims to review several ICS security assessment methodologies to identify an appropriate vulnerability assessment method for the ICS systems that examine both critical physical and cyber systems so as to protect the national critical infrastructure.

Design/methodology/approach

This paper reviews several ICS security assessment methodologies and explores whether the existing methodologies are indeed sufficient to meet the cyber security assessment exercise required to validate the security of electrical power control systems.

Findings

The study showed that most of the examined methodologies seem to concentrate on vulnerability identification and prioritisation techniques, whilst other security techniques received noticeably less attention. The study also showed that the least attention is devoted to patch management process due to the critical nature of the SCADA system. Additionally, this review portrayed that only two security assessment methodologies exhibited absolute fulfilment of all NERC-CIP security requirements, whilst the others only partially fulfilled the essential requirements.

Originality/value

This paper presents a review and a comparative analysis of several standard SCADA security assessment methodologies and guidelines published by internationally recognised bodies. In addition, it explores the adequacy of the existing methodologies in meeting cyber security assessment practices required for electrical power networks.

Keywords

Acknowledgements

This research study is supported by the Ministry of Science, Technology and Innovation Malaysia (MOSTI) through DSTIN project and Tenaga Nasional Berhad through TNB Seed Fund 2016.

Citation

Qassim, Q.S., Jamil, N., Daud, M., Patel, A. and Ja’affar, N. (2019), "A review of security assessment methodologies in industrial control systems", Information and Computer Security, Vol. 27 No. 1, pp. 47-61. https://doi.org/10.1108/ICS-04-2018-0048

Publisher

:

Emerald Publishing Limited

Copyright © 2019, Emerald Publishing Limited

Related articles