Assurance techniques for assessing security control efficacy:an industrial control systems case study

Knowles, Carl William (2016) Assurance techniques for assessing security control efficacy:an industrial control systems case study. PhD thesis, UNSPECIFIED.

[img]
PDF (2016knowlesphd)
2016knowlesphd.pdf - Published Version
Restricted to Repository staff only until 7 June 2021.
Available under License Creative Commons Attribution-NonCommercial-NoDerivs.

Download (6MB)

Abstract

This thesis establishes the “assurance technique” as the central mechanism through which we gather evidence to make claims of assurance about security. The use of such assurance techniques in the process of assessing Industrial Control System (ICS) environments is explored. In doing so it provides six key contributions to knowledge: (i) a state-of-the-art survey of ICS security research, which culminates in a framework for future research, of which the assessment of security control efficacy is one element; (ii) claims about the effectiveness and cost-effectiveness of 20 assurance techniques used to assess the efficacy of security control implementation (e.g., a penetration test); (iii) claims about the effectiveness and cost-effectiveness of 5 assurance techniques used to assess the competency of individuals to use the assurance techniques that assess security controls (e.g., a multiple-choice examination); (iv) demonstration of the need for standardisation in a subset of these assurance techniques, based on an analysis of the real-world readiness and competence of the industry to deliver them; (v) the establishment of five novel principles (“PASIV”) to guide the safe use of assurance techniques within operationally sensitive areas of ICS environments, and the determination of potential assurance technique use across three phases of the system development life cycle; and (vi) the mapping of assurance techniques to security control families within ISO/IEC 27001:2013 (and its ICS-specific counterpart, ISO/IEC TR 27019:2013) to identify potential sources of audit evidence generation about security control efficacy.

Item Type:
Thesis (PhD)
ID Code:
79962
Deposited By:
Deposited On:
08 Jun 2016 08:26
Refereed?:
No
Published?:
Unpublished
Last Modified:
11 Jan 2020 05:10