SCADA Cybersecurity in Factories of the Future

Lead Research Organisation: University of Glasgow
Department Name: School of Computing Science

Abstract

The integrity and security of ICS and SCADA systems are absolutely central to their function and
reliable availability. Despite this, appropriate security-related technologies and methodologies
are limited and still very much in their early development.
This project proposes the development of a baseline metric model for the classification of the
overall vulnerability level of ICS and SCADA components and devices, used across the supply
chain. A supply chain here refers to the variety of devices that could potentially be used to
manufacture a product, or execute a process. A metric model of this type will help industries
identify how vulnerable a specific component is, such as a Programmable Logic Controller (PLC)
or a Remote Terminal Unit (RTU), within a wider risk assessment. The application of baseline
metric systems to the evaluation of the security of computer systems and networks is not in
itself a new approach. One example has been produced by the Communications-Electronics
Security Group (CESG), and provides security guidance for cloud computing environments [1]. It
consists of a set of security principles forming baseline guidance for public sector organizations
who handle sensitive data via cloud services. Another notable example is the ISA 62443 Standard
[2]. This standard draws on conformance metrics to establish a baseline model for quantifying
compliance with Industrial Automation and Control System (IACS) security practices. Another
group have explored the quantitative assessment of vulnerabilities within SCADA systems,
primarily elaborating on the cost/benefit calculations for risk management, thereby allowing
managers to make more informed security decisions [3]. Furthermore, other studies have
developed a quantitative model that could be used to aggregate vulnerability metrics,
specifically for enterprise IT and networks [4]. The research proposed here will further develop
and extend the baseline metric methodology as applied to security, with a particular focus on
the vulnerability analysis of critical infrastructure components. This research will result in the
development of usable models and methods that will aid the process of risk assessment and
management of ICS/SCADA components and systems.
The project is proposed in four key phases, with multiple deliverables throughout the period of
the research; these are defined below. There is one primary overall hypothesis for the project
and four separate secondary hypotheses, one for each phase, as illustrated below under each
phase heading.
- Primary Hypothesis: The formation of a metric system will (i) aid the process of security
management in ICS environments, (ii) help individuals to make decisions regarding risk
management, and (iii) contribute to the development and implementation of more informed
and cost-effective decision making for security safeguards.

Studentship Projects

| Project Reference | Relationship | Related To | Start | End | Student Name |
| --- | --- | --- | --- | --- | --- |
| EP/R511936/1 | | | 01/10/2017 | 30/09/2022 | |
| 2514671 | Studentship | EP/R511936/1 | 01/10/2017 | 09/12/2022 | Marco Cook |