This particular article is discussed about the issues which are related to the ineffective process control system management which also increased the vulnerabilities related to security. In this study, a risk management framework is used for enhancing the correspondences as well as focused on relationships among various organizational domains. The paper summarized the cyber security baseline needs as well as expectations which are related to the framework of risk management (Leith & Piper, 2013). The monetary success of the petrochemical business is based on safety of the process control systems. The paper also provides a current threats which are posed by the insiders and the system persuaded threats can able to corrode enactment of system based on shut downs, disruption of production as well as contamination. The main aim of this particular article is to focus on the application of the business prudent controls as well as discuss how disparities into implementation of the controls that can worsen the vulnerabilities of the system (Sadeghi, Wachsmann & Waidner, 2015). The main focus of the system vulnerabilities are related to lack of encryption, misalignment of the perception of the staffs of information asset values and exposure focused to use of the USB ports. The paper is also examined the communicational data commencing the process control systems towards the commercial IT systems. The paper also included of discussing about the risk management outline models that are taken to improve the communications as well as relations among the structural domains (Collier & Lakoff, 2015).
With use of the risk management framework, the procedure for establishment of security for the control systems and addressed the cyber security standard necessities that provides with the threat dynamics. The security controls which are taken into considerations such as NIST SP 800-53 which provided of guidance as well as recommended of practices towards the security systems (Chang, Kuo, & Ramachandran, 2016). The managers are adopted of IT solutions for promotion of the business systems connectivity as well as remote access competences. The security solutions of possible issues are considered to contract the security issues into IT systems, protections that are taken into presenting the solutions towards the Industrial control systems (ICS) environments. Security word is used in this study to deal with the unwanted access, intentional interference and unwanted operations into the industrial environments (Leith & Piper, 2013). In this case, security controls are used to protect confidentiality as well as availability of information (Mann, 2017). The ICS networks are allowed the decision makers to access of real time data related to the operational systems. “Transmission control protocol/internet protocol networking such as file transfer protocol” are used for facilitation of the exchange of data to understand the security threats. The security issues are explained into this study such as improper network connectivity, improper maintenance and unauthorized use of other’s information. In order to cope up with those security issues, passwords, user IDs are used to be implemented for use of personnel (McIlwraith, 2016). Due to lack of understanding of the security measures and nonexistence of security awareness, the governments can access the links like dial up modems and IP links for the purpose of distant diagnostics, monitoring as well as maintenance. It is compromised integrity of data into the transit along with system availability. There is some sort of interconnections among the corporate networks, those are required of integration with various communicational standards for transferring of data among the systems (Penzenstadler et al., 2014). The security arrangements of conceivable issues are intended to bargain the security issues into IT frameworks, precautionary measures that are taken into presenting the arrangements towards the ICS situations. Security word is utilized as a part of this examination to manage the undesirable access, purposeful impedance and undesirable tasks into the mechanical conditions. For this situation, security controls are utilized to ensure secrecy and additionally accessibility of data (Jacobsson, Boldt, & Carlsson, 2016). The ICS systems are enabled the leaders to access of constant information identified with the operational frameworks.
Threats towards the ICS are included from various sources such as antagonistic governments, engineering spies, workers, hateful introducers and the natural sources from the difficulties of the system, mistakes from the human sides and failures of equipment’s. In order to protect from the adversarial threats along with the natural threats, it is required to be implemented of the security strategies towards the ICT threats (Krombholz et al., 2015). There are risk scenarios, security mitigation strategies which are designed for addressing the characteristics of the security threats. The possible threat agents which are recognized in this study are “attackers, bot-network operators, criminal groups, foreign intelligence services, insiders, spammers, spyware authors in addition to terrorists”. The possible security vulnerabilities from the cyber security perspective are relative vulnerability which are related to asset towards malicious and malevolent acts (Kogan, Sudit, & Vasarhelyi, 2018). There is higher level of protection which are required to determine relative consequences and values, management, comparative degree of the security threats in contradiction of the facility. It is resolute by means of the risk assessment in addition to risk management. There are some of the security vulnerabilities which are appropriate concerning the process industry are control systems knowledge as well as control data which are unauthorized. There are some inadequate policies and procedures which can govern the control system securities (Cherdantseva et al., 2016). There are inadequate intended control system networks that has nonexistence of adequate defence into complexity mechanisms. There are also some insufficient application tools that can detect as well as report on anomalous activities (Duffield, 2014). The study also discussed the remote access towards the control system with proper access control.
Khaitan and McCalley (2015) analyzed that the industrial control systems are monitored as well as operated of industrial infrastructure in order to increase occurrence of the cyber-attacks. There is development of the ICS environment to comprise of operating system platforms and there is also connectivity to trade of the LAN and www occurred into ICS environments. Kizza (2017) discussed that cyber security plan is such a paper that can provide of safety needs for ICS besides describe the security controls in strategic to meet with the security requirements. The security controls are fallen into NIST SP 800-53 planning which is provided of development of integrated ICS cyber security plan. Into baseline security necessities, the security plan is described of the user responsibilities and there is expected behaviour regarded to the information system (Leith & Piper, 2013). There are also some cyber security plan policies which are taken into inadequate policies as well as culture which can govern the control system securities. Rittinghouse and Ransome (2016) analyzed that there is an inadequate designed control system with proper access control. There are also system administration along with software tools which are used into the control systems are not sufficiently maintained. There is purpose of the security controls of the petrochemical ICS that are established on the process organization’s acceptance of the risks. There are evaluation as well as apply of the security controls which are provided of functional measures as well as policies in addition to procedures required to manage of the process related to the security risks and issues (Sicari et al., 2015). The risk management framework are included of management of ICS risk processes. The access controls are addressing the access enforcements, flow of information and management of the login information, remote access controls as well as wireless access controls.
In this study, there is audit processing, analysis as well as generation of reports. The employees are trained of the security awareness as well as management of training content in addition to records. There is configuration management of the components of system, along with management of the system changes. Chang, Kuo and Ramachandran (2016) stated that there is also maintenance as well as maintenance of the control tools and maintenance personnel. Environmental protection, management of the access authorization and control towards the access to facilities are taken into considerations as the security control measures. Into the petrochemical industry, there is managing of access logs, managing of the equipment’s, cabling, besides defense of fires as well as lightning (Leith & Piper, 2013). There is integrity of information, protection of the informational flaws, malicious protection of code, detection of intrusion, control of the security alerts as well as handling of software errors. When there is implementation as well as assessing of effectiveness, the security controls are identified into this paper is contributed towards the organizational confidences which is required of system security. Sadeghi, Wachsmann and Waidner (2015) analyzed that there are security controls that are taken as on-going risk assessment in addition to establishment of the established of security practices towards inclusive ICS security planning. It is provided of integrated program which is harmonized with related corrections of the physical security, workers security in addition steadiness of business. There is also cross functional risk management for improved ensure of sustained financial success. There is assurance of the security controls of the petrochemical ICS that depend on the procedure association's resilience of the dangers. There are assessment and apply of the security controls which are given of practical measures and in addition arrangements notwithstanding techniques required to oversee of the procedure identified with the security dangers and issues (Jacobsson, Boldt, & Carlsson 2016). The hazard administration structure are incorporated of administration of ICS chance procedures. The result is the legacy systems as well as constituent devices which are unprotected to the modern external threats with weak security tools.
Review of the industrial control systems on which the industrial infrastructure are relied is revealed on security vulnerabilities which are demoralized on steady basis. There is high concern on the legacy ICS with no such security mechanisms which are related to World Wide Web. There is higher old as well as new control system configurations that are exploited to computer savvy hackers (Jacobsson, Boldt, & Carlsson, 2016). There is reliable operations of the critical infrastructure that are relied on sustainability of the ICS configurations in the environments. The supervisory systems are operated of dispersed control systems and it is acquired of system data to monitor as well as control at the central servers. The control network configurations are provided of communicational links, that the control system devices as well as software are lied. The security vulnerabilities of the industrial control systems are resulted since the legacy devices as well as software into ICS environments (Cherdantseva et al., 2016). There are difficulty and expense to address of the ICS security that are delayed the security environments and there is also upgrade of the system into the critical infrastructure. There is modern ICS utilization of the internal protocol, connectivity towards corporate LAN which are mandatory to permit of the business systems admission to the ICS data. There are access paths in ICS created of the opportunities towards the breach security (Collier & Lakoff, 2015). There are some security vulnerabilities which are exploited to increase into frequency. ICS are vulnerable towards TCP/IP DoS attacks which exploited of retransmission of the time out mechanisms. There are some unsecured protocols like FTP, Telnet that are used into ICS operations. Sicari et al., (2015) argued that ICS is implemented into the industry standard hardware as well as operating systems that are susceptible to the security exposures which outbreak the business IT systems and employed with minimum security technologies as well as security practices. The security services are provided of unrequired attack vectors that are being exploited (Leith & Piper, 2013). ICS operations are occurred into isolated environment as well as there are trust over the communicational network. Online security administration and procedures audit processes and the computer forensic data are not compulsory. Real time monitoring tools are not available and are not configured towards the security breaches. Logs are not available to be deserted due to absence of the normal monitoring processes.
Chang, V., Kuo, Y. H., & Ramachandran, M. (2016). Cloud computing adoption framework: A security framework for business clouds. Future Generation Computer Systems, 57, 24-41.
Cherdantseva, Y., Burnap, P., Blyth, A., Eden, P., Jones, K., Soulsby, H., & Stoddart, K. (2016). A review of cyber security risk assessment methods for SCADA systems. Computers & security, 56, 1-27.
Collier, S. J., & Lakoff, A. (2015). Vital systems security: Reflexive biopolitics and the government of emergency. Theory, Culture & Society, 32(2), 19-51.
Duffield, M. (2014). Global governance and the new wars: the merging of development and security. Zed Books Ltd..
Jacobsson, A., Boldt, M., & Carlsson, B. (2016). A risk analysis of a smart home automation system. Future Generation Computer Systems, 56, 719-733.
Khaitan, S. K., & McCalley, J. D. (2015). Design techniques and applications of cyberphysical systems: A survey. IEEE Systems Journal, 9(2), 350-365.
Kizza, J. M. (2017). Guide to computer network security. Springer.
Kogan, A., Sudit, E. F., & Vasarhelyi, M. A. (2018). Continuous online auditing: A program of research. In Continuous Auditing: Theory and Application (pp. 125-148). Emerald Publishing Limited.
Krombholz, K., Hobel, H., Huber, M., & Weippl, E. (2015). Advanced social engineering attacks. Journal of Information Security and applications, 22, 113-122.
Leith H.M., & Piper, John W. (2013). Current information security systems designed to address social engineering security threats. Science Direct, 26(6), 982-993. https://doi.org/10.1016/j.jlp.2013.10.009.
Mann, I. (2017). Hacking the human: social engineering techniques and security countermeasures. Routledge.
McIlwraith, A. (2016). Information security and employee behaviour: how to reduce risk through employee education, training and awareness. Routledge.
Penzenstadler, B., Raturi, A., Richardson, D., & Tomlinson, B. (2014). Safety, security, now sustainability: The nonfunctional requirement for the 21st century. IEEE software, 31(3), 40-47.
Rittinghouse, J. W., & Ransome, J. F. (2016). Cloud computing: implementation, management, and security. CRC press.
Sadeghi, A. R., Wachsmann, C., & Waidner, M. (2015, June). Security and privacy challenges in industrial internet of things. In Proceedings of the 52nd annual design automation conference (p. 54). ACM.
Sicari, S., Rizzardi, A., Grieco, L. A., & Coen-Porisini, A. (2015). Security, privacy and trust in Internet of Things: The road ahead. Computer networks, 76, 146-164.