The Impact of Social Engineering on Industrial Control System Security
- 16 October 2015
- conference paper
- conference paper
- Published by Association for Computing Machinery (ACM)
Abstract
In assessing the security posture of Industrial Control Systems (ICS), several approaches have been proposed, including attack graphs, attack trees, Bayesian networks and security ideals. Predominantly focusing on technical vulnerabilities, challenges stemming from social and organisational factors are often reviewed in isolation, if at all. Taking a mean time-to-compromise (MTTC) metric as a base for expansion, we explore the impact social engineering attack vectors (malicious e-mails) could have on such assessments. The applied method takes a holistic view, to better understand the potential impact of social engineering across a small European utility company. The results of this review are analysed and discussed, highlighting the level of access an attacker could gain through social engineering, and the need for assessment metrics to include vulnerabilities stemming not only from technical factors, but social and organisational ones as well.Keywords
This publication has 15 references indexed in Scilit:
- Power System Reliability Evaluation With SCADA Cybersecurity ConsiderationsIEEE Transactions on Smart Grid, 2015
- Modeling the Ripple Effects of IT‐Based Incidents on Interdependent Economic SystemsSystems Engineering, 2014
- Socio-Technical Security Analysis of Industrial Control Systems (ICS)Published by BCS Learning and Development Limited ,2014
- A Unified Framework for Measuring a Network's Mean Time-to-CompromisePublished by Institute of Electrical and Electronics Engineers (IEEE) ,2013
- A survey SCADA of and critical infrastructure incidentsPublished by Association for Computing Machinery (ACM) ,2012
- Success Likelihood of Ongoing Attacks for Intrusion Detection and Response SystemsPublished by Institute of Electrical and Electronics Engineers (IEEE) ,2009
- Ideal Based Cyber Security Technical Metrics for Control SystemsLecture Notes in Computer Science, 2008
- Cyber security risk assessment for SCADA and DCS networksISA Transactions, 2007
- Comparing Electronic Battlefields: Using Mean Time-To-Compromise as a Comparative Security MetricPublished by Springer Science and Business Media LLC ,2007
- A quantitative model of the security intrusion process based on attacker behaviorIEEE Transactions on Software Engineering, 1997