Abstract
Critical infrastructures (CIs) are an essential enabler of a nation's well-being and span a multitude of sectors. It is critical to ensure their resilience and protection against security threats, straight from the design phase. Nowadays, CIs take the form of complex socio-technical systems, which rely heavily on digital technology and off-the-shelf components, introducing challenges due to non-composability of security properties. A comprehensive approach for their protection integrates physical security, cybersecurity, risk management, and collaboration with the stakeholders, as they play a key role in identifying and managing vulnerabilities and in the impact evaluation of potential security breaches. Other key requirements in the context of CIs are interoperability, automation and governance, which are often neglected in the process of crafting security policies, as this takes as input the system as-is and disregards architectural design considerations. In this paper, we propose a methodology that takes care of the inter-dependencies between security goals in a given CI and the relevant countermeasures for its subsystems. Our approach considers the relationships between the CI subsystems, focusing on organizational security objectives and the requisite countermeasures to achieve these objectives. The methodology is supported by a context-independent Reference Model for Information Assurance and Security, which can be applied across diverse critical sectors. To complement the methodology, we propose a formal language that enables the verification of the fulfillment of the security goals in a specific solution architecture. The aim is to enable and support CI security, promoting resilience and adaptability in the face of evolving threats. Leveraging the formal language, the proposed methodology can be integrated into an open-source automated tool-chain for the validation of composite systems. Through these contributions, we effectively address the unique security challenges inherent in CI, facilitating automation and interoperability to enhance security and governance in these crucial domains.
Sign-in/Register to access full text options 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a callDisclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.
