This thesis establishes the “assurance technique” as the central mechanism through which we gather evidence to make claims of assurance about security. The use of such assurance techniques in the process of assessing Industrial Control System (ICS) environments is explored. In doing so it provides six key contributions to knowledge: (i) a state-of-the-art survey of ICS security research, which culminates in a framework for future research, of which the assessment of security control efficacy is one element; (ii) claims about the effectiveness and cost-effectiveness of 20 assurance techniques used to assess the efficacy of security control implementation (e.g., a penetration test); (iii) claims about the effectiveness and cost-effectiveness of 5 assurance techniques used to assess the competency of individuals to use the assurance techniques that assess security controls (e.g., a multiple-choice examination); (iv) demonstration of the need for standardisation in a subset of these assurance techniques, based on an analysis of the real-world readiness and competence of the industry to deliver them; (v) the establishment of five novel principles (“PASIV”) to guide the safe use of assurance techniques within operationally sensitive areas of ICS environments, and the determination of potential assurance technique use across three phases of the system development life cycle; and (vi) the mapping of assurance techniques to security control families within ISO/IEC 27001:2013 (and its ICS-specific counterpart, ISO/IEC TR 27019:2013) to identify potential sources of audit evidence generation about security control efficacy.
| Identifer | oai:union.ndltd.org:bl.uk/oai:ethos.bl.uk:689208 |
| Date | January 2016 |
| Creators | Knowles, Carl William |
| Publisher | Lancaster University |
| Source Sets | Ethos UK |
| Detected Language | English |
| Type | Electronic Thesis or Dissertation |
| Source | http://eprints.lancs.ac.uk/79962/ |
Page generated in 0.0934 seconds