Sandip C. Patel

Improving the cyber security of SCADA communication networks

 SCADA: Supervisory control and data acquisition  SCADA networks enable operating many devices remotely such as track switches, traffic signals, electric circuit breakers, valves, relays, sensors, and water and gas pumps.

Securing SCADA systems

Purpose – Supervisory control and data acquisition (SCADA) systems are widely used by utility companies during the production and distribution of oil, gas, chemicals, electric power, and water to control and monitor these operations. A cyber attack on a SCADA system cannot only result in a major financial disaster but also in devastating damage to public safety and health. The purpose of this paper is to survey the literature on the cyber security of SCADA systems and then suggest two categories of security solutions.Design/methodology/approach – The paper proposes the use of secure socket layer/transport layer security (SSL/TLS) and IP security (IPsec) solutions, implemented on the test‐bed at the University of Louisville, as the optimal choices when considering the level of security a solution can provide and the difficulty of implementing such a security measure. The paper analyzes these two solution choices, discuss their advantages and disadvantages, and present details on efficient ways of implement...

Security Enhancements for Distributed Control Systems

Security enhancements for distributed control systems (DCSs) must be sensitive to operational issues, especially availability. This paper presents three security enhancements for DCSs that satisfy this requirement: end-to-end security for DCS protocol communications, role-based authorization to control access to devices and prevent unauthorized changes to operational parameters, and reduced operating system kernels for enhanced device security. The security enhancements have been implemented on a laboratory-scale testbed utilizing the DNP3 protocol, which is widely used in electrical power distribution systems. The test results show that the performance penalty for implementing the security enhancements is modest, and that the implemented mechanisms do not interfere with plant operations.

A Risk-Assessment Model for Cyber Attacks on Information Systems

Industrial process-plants are an integral part of a nations economy and critical infrastructure. The information systems used by automated industrial plants are enticing targets of cyber attacks. However, the financial damages resulting from these cyber attacks are difficult to estimate since the resultant losses are not as tangible as physical losses. In this paper, we propose a mathematical model for determining the financial losses resulting from cyber attacks on a computer-based information system used in industrial plants. Limited work has been published to systematically explore the types of possible cyber attacks and their financial impact on the process. The primary objective of this research is to propose a risk-assessment model to assess the impact of cyber attacks on a plant that runs fully or partially by control systems such as supervisory control and data acquisition (SCADA). Managers could use the model for cost/benefit analysis of security software and hardware acquisition. We also illustrate this models use on a SCADA system using a case. The proposed model could be applied to different industries and organizations with minor modifications to reflect the specifics of that industry or organization. Index Terms-Cyber attacks, computer security, risk assessment, control systems, information systems.

A review of research trends in strategic information-systems planning

Research that addresses the alignment of information systems (IS) and business strategies has been a subject of growing interest to both academicians and business practitioners. Strategic IS planning (SISP) plays a major role in the alignment of IS strategy with the business strategy. Although a number of studies have explored various aspects of SISP and its role in the alignment, there is lack of review papers that examine specific research-trends in SISP. This article examines four aspects of recent SISP research, namely, research context, research subtopic, research method, and the unit of analysis by examining 132 articles from three prime IS journals specifically, ISR, MISQ, and JMIS. The results indicate that the most frequent research context was single-organisational, the most common research topic was alignment of IT and business plans, the most widely used research-method was empirical, and the most frequent unit-of-analysis was the top management.

E-government application development using the Six Sigma approach

For an e-government system to be successful, high quality application-software that supports the e-government services is a critical factor. One key aspect in the software development is quality control implemented during the process of the software development project. However, little research has been published to examine how to improve the quality of e-government applications using better process management. In this paper, we present a framework for integrating the Six Sigma methods and tools into the e-government application development process. The proposed framework associates Six Sigmas define-measure-analyse-design-verify (DMADV) procedure and associated tools to various phases of the software development life cycle.

Securing computerised models and data against integrity attacks

Many computerised systems use electronic models that get triggered when certain business conditions arise. Unauthorised triggering of such computerised models has been overlooked in the security literature. In this paper, we propose two frameworks to analyse the security of systems that have the data-triggering computerised model architecture. The frameworks help understand how to mitigate the cyber attacks that can be launched against the data-model systems, by modifying the computerised models or the data. We then propose a Deterministic Specification distributed intrusion Detection System (DSdIDS) to secure the data-triggering model systems from internal as well as external cyber threats.

Issues in user authentication using security questions

Security questions are a human-authentication method leveraging unique private knowledge that only the valid user has and provide a reliable means for supplementary authentication. Security questions offer a low-cost alternative for password-resets and provide an additional layer of security beyond the traditional username-and-password protection method. In this survey paper, we review current literature on security questions, examine the issues on their use and identify the areas that need further research. The results of our review indicate that the current literature has acknowledged and discussed how security questions are susceptible to predominantly three types of attacks: blind guess, focused guess and observation. We found gaps in the literature in areas of using automated systems to provide real-time evaluation of responses and providing feedback to users to improve security. Finally, we outline potential directions for future research in using security questions more effectively.

Information-technology security in higher-education curricula

This research investigates how the curricula of educational institutions have responded to the need for increased security professionals in the post 9/11 Era. We hypothesise that the world of academia would respond to this increased emphasis on information technology (IT) security since they typically serve as the feeder system for organisations seeking to fill professional vacancies. In particular, we address the response of universities to the need for security professionals by analysing if Master of Public Administration (MPA) and Master of Business Administration (MBA) programme curricula include IT-security. In addition, we analyse higher-education curricula for inclusion of the security of Supervisory Control and Data Acquisition networks, which form the critical infrastructures that are crucial to the national and economic safety of the USA.