Executive Summary
The continuous growth of cyber security threats and attacks including the increasing sophistication of malware is impacting the security of critical infrastructure, industrial control systems, and Supervisory Control and Data Acquisition (SCADA) control systems. The reliable operation of modern infrastructures depends on computerized systems and SCADA systems. Since the emergence of Internet and World Wide Web technologies, these systems were integrated with business systems and became more exposed to cyber threats. There is a growing concern about the security and safety of the SCADA control systems. The Presidential Decision Directive 63 document established the framework to protect the critical infrastructure and the Presidential document of 2003, the National Strategy to Secure Cyberspace stated that securing SCADA systems is a national priority. The critical infrastructure includes telecommunication, transportation, energy, banking, finance, water supply, emergency services, government services, agriculture, and other fundamental systems and services that are critical to the security, economic prosperity, and social well-being of the public. The critical infrastructure is characterized by interdependencies (physical, cyber, geographic, and logical) and complexity (collections of interacting components). Therefore, information security management principles and processes need to be applied to SCADA systems without exception. Critical infrastructure disruptions can directly and indirectly affect other infrastructures, impact large geographic regions, and send ripples throughout the national and global economy.
For example, under normal operating conditions, the electric power infrastructure requires fuels (natural gas and petroleum), transportation, water, banking and finance, telecommunication, and SCADA systems for monitoring and control. In this paper, we provide an analysis of key developments, architecture, potential vulnerabilities, and security concerns including recommendations toward improving security for SCADA control systems. We discuss the most important issues concerning the security of SCADA systems including a perspective on enhancing security of these systems. We briefly describe the SCADA architecture, and identify the attributes that increase the complexity of these systems including the key developments that mark the evolution of the SCADA control systems along with the growth of potential vulnerabilities and security concerns. Then, we provide recommendations toward an enhanced security for SCADA control systems. More efforts should be planned on reducing the vulnerabilities and improving the security operations of these systems. It is necessary to address not only the individual vulnerabilities, but the breadth of risks that can interfere with critical operations. We describe key requirements and features needed to improve the security of the current SCADA control systems. For example, in assessing the risk for SCADA systems, use of general methods for risk analysis inclu...
Power grid information security and protection has aspects of both Industrial Control Systems (ICS) as well as Information Technology (IT) Systems. Although both ICS and IT systems require information security services to combat malicious attacks, the specifics of how these services are used for the power grid depend upon appropriate risk assessment and risk control. Distinct types of attacks targeting ICS and IT systems as well as different performance requirements of these systems determine a specific priority order of the security services implemented for each system. Threat profiles of the power transmission and distribution management functions, where availability is paramount to all other security services, differ significantly from threat profiles of IT functions such as utility customer billing where confidentiality is a greater concern, hence warranting different security posturing. This paper discusses different approaches for security risk management in the context of the smart power grid. Methodologies proposed for risk assessment include threat and vulnerability modeling schemes which help in identifying and categorizing the threats, as well as in analyzing their impacts, and subsequently prioritizing them. Risk management planning techniques as they apply to both ICS and IT systems are also discussed.
Executive Summary
In the ACM guidelines for curricula at educational institutions, the recommendations for Information Security Assurance (ISA) education do not specify the topics, courses, or sequence of courses. As a consequence, there are numerous ISA education models and curricula in existence at educational institutions around the world. Organizations employing ISA professionals generally base their assessment of an individual's skill level based on academic qualifications or certifications. While academic qualifications support broad knowledge and skills in general, professional certifications may be effective in a limited area of operations. Academic programs exposing the students to theoretical concepts and problem solving experience are critical for preparing graduates for jobs in information security. The critical importance of information security curriculum at universities is stressed. Therefore, it is appropriate to evaluate the quality of academic information security programs and suggest changes or improvements in the curricula to ensure that undergraduates and graduates have gained the required skills after completing their studies. Despite a variety of ISA curricula and diverse educational models, universities often fail to provide their graduates with skills demanded by employers. There is a big discrepancy between the levels of skills expected by employers and those the graduates have after completing their studies. In the U.S., many educational institutions defined the educational model and curricula based on standards and guidelines promoted by government or other organizations, resulting in numerous ISA education models and curricula. However, the focus is on practical, low level skills which are identified in various standards. Issues related to Information Security curricula include content, didactic methodology, and degrees in Information Security.
In addition, ABET accreditation criteria of 2005-2006 for US computing programs (computer engineering, computer science, information systems) still do not include criteria for evaluating information security education. Information security education in other countries is briefly compared with the ISA educational programs in the U.S. We identified that there is greater variation and flexibility in the ISA
Material published as part of this journal, either on-line or in print, is copyrighted by the publisher of the Journal of Information Technology Education. Permission to make digital or paper copy of part or all of these works for personal or classroom use is granted without fee provided that the copies are not made or distributed for profit or commercial advantage AND that copies 1) bear this notice in full and 2) give the full citation on the first page. It is permissible to abstract these works so long as credit is given. To copy in all other cases or to republish or to post on a server or to redistribute to lists requires specific permission and payment of a fee. Contact Editor@JITE.org to request redistribution permission.
In the ACM guidelines for curricula at educational institutions, the recommendations for Information Security Assurance (ISA) education do not specify the topics, courses, or sequence of courses. As a consequence, there are numerous ISA education models and curricula in existence at educational institutions around the world. Therefore, it is appropriate to evaluate the quality of academic information security programs and suggest changes or improvements in the curricula to ensure that undergraduates and graduates have gained the required skills after completing their studies. Despite a variety of ISA curricula and diverse educational models, universities often fail to provide their graduates with skills demanded by employers. In this paper, we make suggestions for the actions that should make the ISA curricula in the universities responsive to the needs of the general population and the industry in which graduates with ISA skills and specialization will be employed.