An educational framework to support industrial control system security engineering

Benjuma, Nuria Mahmud

January 2017

Industrial Control Systems (ICSs) are used to monitor and control critical infrastructure such as electricity and water. ICS were originally stand-alone systems, but are now widely being connected to corporate national IT networks, making remote monitoring and more timely control possible. While this connectivity has brought multiple benefits to ICS, such as cost reductions and an increase in redundancy and flexibility, ICS were not designed for open connectivity and therefore are more prone to security threats, creating a greater requirement for adequate security engineering approaches. The culture gap between developers and security experts is one of the main challenges of ICS security engineering. Control system developers play an important role in building secure systems; however, they lack security training and support throughout the development process. Security training, which is an essential activity in the defence-indepth strategy for ICS security, has been addressed, but has not been given sufficient attention in academia. Security support is a key means by which to tackle this challenge via assisting developers in ICS security by design. This thesis proposes a novel framework, the Industrial Control System Security Engineering Support (ICS-SES), which aims to help developers in designing secure control systems by enabling them to reuse secure design patterns and improve their security knowledge. ICS-SES adapts pattern-based approach to guide developers in security engineering, and an automated planning technique to provide adaptive on-the-job security training tailored to personal needs. The usability of ICS-SES has been evaluated using an empirical study in terms of its effectiveness in assisting the design of secure control systems and improving developers’ security knowledge. The results show that ICS-SES can efficiently help control system designers to mitigate security vulnerabilities and improve their security knowledge, reducing the difficulties associated with the security engineering process, and the results have been found to be statically significant. In summary, ICS-SES provides a unified method of supporting an ICS security by design approach. It fosters a development environment where engineers can improve their security knowledge while working in a control system production line.

Internet of Things inom integrerad vård för äldre : En kvalitativ studie ur ett säkerhetsperspektiv / Internet of Things in integrated care for the elderly : A qualitative study from a security perspective

Filip, Tomas, Kirill, Kobets

January 2020

I samma takt som den äldre populationen i de flesta länder fortsatt växer så ökar efterfrågan för äldrevård. Samtidigt har Internet of Things (IoT) snabbt blivit ett av det mest välkända och omtalade begreppet kring företag och teknologi. Ett tillämpningsområde som IoT idag riktar sig mot är hälso- och sjukvården. IoT förväntas inom detta område kunna förse äldre med integrerad vård som i framtiden kan minska sjukvård och kostnader. Teknologins alla fördelar har dock även medfört nackdelar i form av nya säkerhetsattacker och sårbarheter i hälso- och sjukvårdssystemen. Problemet med IoT teknologin är att den i dagsläget inte stöds av adekvata åtgärder för sekretess och säkerhet. Syftet med studien var att undersöka hur frågor kring säkerhet påverkar utvecklingen av IoT lösningar riktade mot integrerad vård för äldre. Via semi-strukturerade intervjuer med fem informanter med erfarenhet och kompetens inom området för integrerad vård för äldre, IoT och säkerhet kunde empirin för studien samlas in. Vidare analyserades det empiriska resultatet tillsammans med litteraturen vilket resulterade i att ett antal faktorer som påverkar utvecklingen av IoT lösningar riktade mot integrerad vård för äldre identifierades. Resultatet för studien visar att faktorerna tid, ekonomi och användarvänlighet påverkar aktörers val av att prioritera funktionalitet före säkerhet under utveckling. Aktörer tvingas istället göra ett antal avvägningar och arbeta på olika sätt för att implementera tillräcklig säkerhet i sina IoT lösningar. Vidare visar resultatet att bristen på tydliga riktlinjer och standarder är en faktor som påverkar aktörers förenlighet med lagar och regler som ställer hårda krav på säkerheten. Utöver detta visar resultatet att det är viktigt att definiera ägandefrågan under utvecklingsstadiet eftersom frågan i dagsläget är otydlig och diffus. / As the elderly population in most countries continues to grow, the demand for elderly care is increasing. At the same time, the Internet of Things (IoT) has quickly become one of the most well-known and widely spoken concept of business and technology. One area of use that IoT is currently addressing is healthcare. In this area, IoT is expected to be able to provide the elderly with integrated care that in the future can reduce healthcare and costs. All the advantages of IoT have also brought disadvantages in the form of new security attacks and vulnerabilities in the health care systems. The problem with the IoT technology is that it is not currently supported by adequate privacy and security measures. The purpose of the study was to investigate how security issues affect the development of IoT solutions aimed at integrated care for the elderly. Through semi-structured interviews with five informants with experience and competence in the field of integrated care for elderly, IoT and security, the empirical data for the study could be collected. Furthermore, the empirical result was analyzed together with the literature, and a number of factors were identified that have influence on the development of IoT solutions aimed at integrated care for the elderly. The results of the study show that the factors of time, economy and user friendliness affect the actors' choice of prioritizing functionality before security during development. Instead, actors are forced to make a number of tradeoffs and work in different ways to implement adequate security in their IoT solutions. Furthermore, the results show that the lack of clear guidelines and standards is a factor that influences actors' compliance with laws and regulations that impose strict safety requirements. In addition, the results show that it is important to define the ownership issue during the development stage, as the issue is currently unclear and diffuse.

Internet of Things

IoT

CIA Triad

Security by design

säkerhet

informationssäkerhet

integrerad vård för äldre

Information Systems, Social aspects