Bedir TEKİNERDOĞAN, Gülsüm Ece EKŞİ, Cağatay CATAL

3718

Software security management in critical infrastructures: a systematic literature review

Software security management in critical infrastructures: a systematic literature review

Critical infrastructure (CI) is an integrated set of systems and assets that are essential to ensure the functioning of a nation, including its economy, the public’s health and/or safety. Hence, protecting critical infrastructures (CI) is vital because of the potential severe consequences that may emerge at the national level. Many CIs are now controlled by software, and likewise, software is often the major source of many security problems in critical infrastructures. Software security management in CIs has been addressed in the literature and several useful approaches have been provided. Yet, these approaches are fragmented over multiple different studies, often do not explicitly relate to CIs, and a synthesized overview of the state-of-the-art on software security in CIs is lacking. To this end, this article presents the results of a systematic literature review (SLR) that identifies and synthesizes how software security has been addressed in CIs. This study identifies and synthesizes the current approaches applied for security management in critical systems in terms of identified security threats, adopted solutions, CI domains, and evaluation approaches. Hereby 32 primary studies were retrieved from electronic databases to respond to the research questions defined in this study. Based on the outcome of the SLR the reported approaches are discussed, and a roadmap is described for security management in CIs. The results of the SLR identify the current open challenges and pave the way for further research. In addition, practitioners can benefit from the best practices in the security management of CIs.
PDF

___

  • [1] Adepu S, Kang E, Mathur AP. Challenges in Secure Engineering of Critical Infrastructure Systems. In: IEEE/ACM International Conference on Automated Software Engineering Workshop (ASEW); San Diego, USA 2019; 61–64.
  • [2] Gad M, Abualhaol I. Securing Smart Cities Systems and Services: A Risk-Based Analytics-Driven Approach. Transportation and Power Grid in Smart Cities: Communication Networks and Services. USA: John Wiley & Sons, 2018.
  • [3] Zhu Q, Basar T. A Dynamic Game-Theoretic Approach to Resilient Control System Design for Cascading Failures. In: International Conference on High Confidence Networked Systems (HiCoNS); Beijing China 2012; 41–46.
  • [4] Hunter D, Parry J, Radke K, Fidge C. Authenticated Encryption for Time-Sensitive Critical Infrastructure. In: Proceedings of the Australasian Computer Science Week Multiconference (ACSW); Geelong, Australia 2017; 19: pp. 1–10.
  • [5] Mylrea M, Gourisetti SNG. Blockchain for Supply Chain Cybersecurity, Optimization and Compliance. In: Resilience Week (RWS); Denver, USA 2018. pp. 70–76.
  • [6] Kitchenham B, Charters S. Guidelines for performing systematic literature reviews in software engineering, EBSE Technical Report; 2007.
  • [7] Lee RM, Assante MJ, Conway T. Analysis of the Cyber Attack on the Ukrainian Power Grid. In: Electricity Information Sharing and Analysis Center, Tech. Rep.; 2016.
  • [8] Albright D, Brannan P, Walrond C. Did Stuxnet Take Out 1,000 Centrifuges at the Natanz Enrichment Plant? Preliminary Assessment. In: Institute of Science and International Security; 2010.
  • [9] T. F. U.S.-Canada, Power System Outage, Final report on the august 14, 2003 blackout in the united states and canada: Causes and recommendations, 2004.
  • [10] Gonen S, Sayan H, Yılmaz EN, Ustunsoy F, Karacayılmaz G. False Data Injection Attacks and the Insider Threat in Smart Systems. Computers & Security; 2020. 97.
  • [11] Chekole EG, Ochoa M, Chattopadhyay S. SCOPE: Secure Compiling of PLCs in Cyber-Physical Systems. International Journal of Critical Infrastructure Protection; 2021. 33.
  • [12] Baker T, Asim M, MacDermott A, Iqbal F, Kamoun F et al. A secure fog-based platform for SCADA-based IoT critical infrastructure. Software: Practice and Experience; 2019; 33 (5): pp. 503-518.
  • [13] Rindell K, Holvitie J. Security Risk Assessment and Management as Technical Debt. In: International Conference on Cyber Security and Protection of Digital Services (Cyber Security); Oxford, UK; 2019. pp. 1-8.
  • [14] Nunes FJB, Belchior AD, Albuquerque AB. Security Engineering Approach to Support Software Security. In: World Congress on Services; Miami, USA; 2010. pp. 48-55.
  • [15] Tung YH, Lo SC, Shih JF, Lin HF. An integrated security testing framework for Secure Software Development Life Cycle. Asia-Pacific Network Operations and Management Symposium (APNOMS); Kanazawa, Japan; 2016. pp. 1-4.
  • [16] Gourisetti SNG, Mylrea M, Patangia H. Cybersecurity vulnerability mitigation framework through empirical paradigm: Enhanced prioritized gap analysis. Future Generation Computer Systems; 2020. 105: pp. 410-431.
  • [17] Kang K, Khallaf R, Hastak M. Systematic Literature Review on Critical Infrastructure Interdependencies impacted by Natural Disasters. In: Conference: International Conference on Maintenance and Rehabilitation of Constructed Infrastructure Facilities (MAIREINFRA); South Korea; 2017. pp. 1–6.
  • [18] Luiijf E, Klaver M. Analysis and lessons identified on critical infrastructures and dependencies from an empirical data set. International Journal of Critical Infrastructure Protection; 2021. 35.
  • [19] Kyei RO, Tam V, Ma M, Mashiri F. Critical review of the threats affecting the building of critical infrastructure resilience. International Journal of Disaster Risk Reduction 2021; 60: 1-11.
  • [20] Ani UPD, Watson JDM, Nurse JRC, Cook A. A Review of Critical Infrastructure Protection Approaches: Improving Security through Responsiveness to the Dynamic Modelling Landscape. In: PETRAS/IET Conference Living in the Internet of Things: Cybersecurity of the IoT; London, England; 2019.
  • [21] Pirbhulala S, Gkioulosa V, Katsikasa S. A Systematic Literature Review on RAMS analysis for critical infrastructures protection. International Journal of Critical Infrastructure Protection; 2021. 33.
  • [22] Wohlin C. Guidelines for snowballing in systematic literature studies and a replication in software engineering. In: International Conference on Evaluation and Assessment in Software Engineering (EASE); New York, United States; 2014. 38: pp. 1-10.
  • [23] Kitchenham B, Budgen D, Brereton OP, Turner M, Bailey J et al. Systematic literature reviews in software engineering - a systematic literature review. Information and Software Technology 2009; 51 (1): pp. 7-15.
  • [24] Koch T, Möller DPF, Deutschmann A. A Python-Based Simulation Software for Monitoring the Operability State of Critical Infrastructures Under Emergency Conditions. In: IEEE International Conference on Electro/Information Technology (EIT); Rochester, USA; 2018. pp. 290-295.
  • [25] Yasakethu SLP, Jiang J, Graziano A. Intelligent risk detection and analysis tools for critical infrastructure protection. In: Eurocon; Zagreb, Croatia; 2013. pp. 52-59.
  • [26] Cantelli-Forti A, Capria A, Saverino AL, Berizzi F, Adami D et al. Critical infrastructure protection system design based on SCOUT multitech seCurity system for intercOnnected space control groUnd staTions. International Journal of Critical Infrastructure Protection; 2020. 32.
  • [27] Horowitz BM, Pierce KM. The integration of diversely redundant designs, dynamic system models, and state estimation technology to the cyber security of physical systems. Systems Engineering 2013; 16 (4): pp. 401-412.
  • [28] Farzan F, Jafari MA, Wei D, Lu Y. Cyber-related risk assessment and critical asset identification in power grids. In: Innovative Smart Grid Technologies (ISGT); Washington, DC, USA; 2014. pp. 1-5.
  • [29] Maziku H, Shetty S, Nicol DM. Security risk assessment for SDN-enabled smart grids. Computer Communications 2019; 133: pp.1-11.
  • [30] Robertson P, Gordon C, Loo S. Implementing Security for Critical Infrastructure Wide-Area Networks. In: Power and Energy Automation Conference; Spokane, WA, USA; 2013. pp.1-10.
  • [31] Lin CT, Wu SL, Lee ML. Cyber Attack and Defense on Industry Control Systems. In: IEEE Conference on Dependable and Secure Computing; Taipei, Taiwan; 2017. pp. 524-526.
  • [32] Lee S, Chen L, Duan S, Chinthavali S, Shankar M et al. URBAN-NET: A network-based infrastructure monitoring and analysis system for emergency management and public safety. In: IEEE International Conference on Big Data (Big Data); Washington, USA; 2016. pp. 2600-2609.
  • [33] Caire R, Sanchez J, Hadjsaid N. Vulnerability analysis of coupled heterogeneous critical infrastructures: A Cosimulation approach with a testbed validation. In: IEEE PES Innovative Smart Grid Technologies Conference Europe (ISGT Europe); Lyngby, Denmark; 2013. pp. 1-5.
  • [34] Lee S, Chinthavali S, Duan S, Shankar M. Utilizing Semantic Big Data for realizing a National-scale Infrastructure Vulnerability Analysis System. International Workshop on Semantic Big Data (SBD); 2016. 3: pp. 1-6.
  • [35] Schmidt RF. Software Engineering Architecture-driven Software Development. USA: Morgan Kaufmann, 2013.
  • [36] Dantas H, Erkin Z, Doerr C. eFuzz: A Fuzzer for DLMS/COSEM Electricity Meters. Proceedings of the 2nd Workshop on Smart Energy Grid Security (SEGS) 2014; 31-38.
  • [37] Tseng KY, Chen D, Kalbarczyk Z, Iyer RK. Characterization of the error resiliency of power grid substation devices. In: IEEE/IFIP International Conference on Dependable Systems and Networks (DSN); Boston, USA; 2012. pp.1-8.
  • [38] Faza A, Sedigh S, McMillin B. Integrated Cyber-Physical Fault Injection for Reliability Analysis of the Smart Grid. In: Schoitsch E. (eds) Computer Safety, Reliability, and Security (SAFECOMP), Lecture Notes in Computer Science; Springer, Berlin, Heidelberg; 2010. 6351: pp. 277-290.
  • [39] Zhu Q, Rieger C, Basar T. A hierarchical security architecture for cyber-physical systems. International Symposium on Resilient Control Systems (ISRCS); Boise, ID, USA; 2011. pp.15-20.
  • [40] Windelberg M. Objectives for managing cyber supply chain risk. International Journal of Critical Infrastructure Protection; 2016. 12: pp. 4-11.
  • [41] Kampovaa K, Loveceka T, Rehakb D. Quantitative approach to physical protection systems assessment of critical infrastructure elements: Use case in the Slovak Republic. International Journal of Critical Infrastructure Protection; 2020. 30.
  • [42] Leszczyna R, Wrobel MR. Threat intelligence platform for the energy sector. Software: Practice and Experience; 2019. 49 (8): pp. 1225-1254.
Turkish Journal of Electrical Engineering and Computer Sciences-Cover
  • ISSN: 1300-0632
  • Yayın Aralığı: Yılda 6 Sayı
  • Yayıncı: TÜBİTAK
Arşiv
Sayıdaki Diğer Makaleler

Anomaly detection in rotating machinery using autoencoders based on bidirectional LSTM and GRU neural networks

Dhiren Kumar Behera, Rabinarayan Sethi, Krishna Chandra Patra

Offline tuning mechanism of joint angular controller for lower-limb exoskeleton with adaptive biogeographical-based optimization

Mohammad Soleimani Amiri, Rizauddin Ramli

A novel deep reinforcement learning based stock price prediction using knowledge graph and community aware sentiments

Zeynep Hilal KİLİMCİ, Anıl Berk ALTUNER

A Comprehensive Survey for Non-Intrusive Load Monitoring

Eray YILDIZ, Efe İsa TEZDE

An adaptive search equation-based artificial bee colony algorithm for transportation energy demand forecasting

Safa DÖRTERLER, Durmuş ÖZDEMİR

Evaluating the role of carbon quantum dots covered silica nanofillers on the partial discharge performance of transformer insulation

Kasi Viswanathan PALANISAMY, Chandrasekar SUBRAMANIAM, Balaji SAKTHIVEL

Missing samples reconstruction using an efficient and robust instantaneous frequency estimation algorithm

Sadiq Ali, Nabeel Ali Khan

A novel crimping technique approach for high power white good plugs

Ömer BOSTAN, Ömer Cihan KIVANÇ, Okan ÖZGÖNENEL, Şahin GÜZEL, Mert DEMİRSOY

Stochastic day-ahead optimal scheduling of multimicrogrids: an alternating direction method of multipliers (ADMM) approach

Amin Safari, Hossein Nasiraghdam

Development of a control algorithm and conditioning monitoring for peak load balancing in smart grids with battery energy storage system

İbrahim ŞENGÖR, Sezai TAŞKIN, Turhan ATICI, Macit TOZAK, Osman DEMİRCİ