An Overview of Information and Cyber Security Standards
DOI: https://doi.org/10.13052/jicts2245-800X.1215
Keywords: information security, cyber security, standards, security goals, security domain
Abstract
Advances in digitalization, particularly those regarding cyber-physical systems (CPS), have stimulated the adoption of digital capabilities such as Industrial IoT, machine learning, cloud services, and the use of digital twins. The increased digital sophistication of CPS is not without risk, particularly regarding the potential for information/cyber security incidents. Whilst the need for enterprise information security is not new, a significant challenge is understanding which security standards are available and applicable when developing security controls and technical measures to protect CPS. This paper explores what research is available regarding the choice and comparison of information/cyber security standards. It provides a snapshot of the security standards landscape at the start of 2024. Issues relating to the development and adoption of security standards are examined, illustrated using inconsistencies in language regarding three key terms: availability, integrity, and confidentiality.