Wednesday, May 6, 2020

Cyberphysical Security in Networked Control - MyAssignmenthelp.com

Question: Discuss Cyberphysical Security in Networked Control.

Answer:

Introduction

Information is considered to be the most valued asset of any sector. Information is exposed to many types of risks and threats, and with the spread of information technology cyber threats are increasing at a fast pace. Information security focuses on protecting the valuable and sensitive data of an organization; it is concerned with protecting the confidentiality, integrity and availability of that information. Banks deal with financial data that needs to be protected. Nabil Bank is known as the first commercial private bank of Nepal (Nabilbank.com 2017) and provides a wide range of banking services through its 52 representation points.

This report discusses and plans a security program for providing information security to Nabil Bank, with the aim of improving the bank's present security structure. It gives a brief overview of information security and suggests the kinds of security models that Nabil Bank can adopt for better and more secure operations. Threat identification and risk assessment are also carried out. The report discusses the ISO standards and models that will be suitable for Nabil Bank, with reasoning, and states the training requirements for adopting the security program effectively. Finally, it recommends steps that Nabil Bank can take to improve its security infrastructure and strengthen its information security system.

Information security can be considered to be the practice of defending and protecting information from any kind of unauthorized access, misuse, disclosure, modification and disruption (Vacca 2012). The modern generation is completely dependent on information and communication technology for confidential as well as commercial purposes.
There are several risks and threats associated with information technology, such as safety risk, environmental risk, physical risk and financial risk. Security concerns related to ICT are gaining importance with time, and organizations in every sector face some kind of security issue (Webb et al. 2014). A strong information security structure can be adopted in an organization to protect it from risks and threats, and risks can be mitigated and prevented by several methods and techniques. Information security has three aspects: confidentiality, integrity and availability. Confidentiality is achieved when the information cannot be accessed by any unauthorized user (Von Solms and Van Niekerk 2013). Integrity is maintained when the information cannot be misused, destroyed or modified by an attacker or user. Availability is achieved when the right information is available to the authorized person at the correct time without interference or obstruction. The banking sector has been a major target for hackers, crackers and cyber criminals. Information security aims at identifying risks and mitigating them in order to protect sensitive information.

Current Security Situation and Titles of the Security Personnel

Nabil Bank was founded in July 1984. Its main objective is to extend the services of modern banking to different sectors of society. Nabil Bank provides several banking and financial services through its 52 representation points and has introduced several innovative marketing concepts and products to the banking sector. Customer satisfaction is its main objective. Highly qualified personnel are responsible for managing the daily operations, and the bank handles sensitive financial information. Risk management is carried out by a highly experienced and qualified management team.
Nabil Bank is fully equipped with advanced technology, including banking software of international standard for supporting e-transactions and e-channels. Its aim is to provide a complete and secure financial solution to its customers. The risk management team is highly efficient in assessing risk and providing information security to the organization (Sandberg, Amin and Johansson 2015). The security personnel present in the risk management team are as follows:

Chief Risk Officer: The main duty of the Chief Risk Officer is to implement risk functions, tools and systems for identifying, assessing, measuring, monitoring and reporting risks. They identify the main risk areas, enhance the function of the security architect, and are also responsible for implementing the security program.

Head of Credit Risk Management: They are responsible for implementing procedures and policies for reducing credit risk. They are also involved in building financial models that can predict any type of credit risk that may affect the organization. The credit risk management team reports to its head on daily operations and activities.

Senior Credit Analyst: They are responsible for reviewing and assessing the financial history of a company or an individual in order to determine whether the candidate is eligible for a loan. They evaluate financial statements such as balance sheets and income statements to understand the default risk level.

Compliance and Operational Risk Manager: They are responsible for handling the risk of legal sanctions, financial loss or loss of the bank's reputation. They ensure that the bank complies with government laws, standards and its own code of ethics and conduct. They also manage any risk arising from the failure of internal processes, systems or people, or from external events.
Risk Assessment and Threat Identification

Risk assessment consists of a number of steps and procedures for understanding asset values, possible threats, system vulnerabilities, the predictable impacts of threats and the likelihood of threats (Kit et al. 2014). Risk can be defined as a function of vulnerability and the expected impact of threats, and it depends on the probability that a threat occurs. System characterization is the first step in risk assessment: information about the software and hardware involved is gathered first (Aloini, Dulmin and Mininno 2012). The NIST risk management framework assesses risk after all the risks have been framed. This framework integrates business processes, company goals, mission, SDLC processes and the information security infrastructure for effective risk assessment. The risk assessment methodology includes a process, a risk model, an assessment approach and an analysis approach (Lo and Chen 2012). After risk identification is carried out, the risks are monitored. The ENISA framework will be effective for assessing risks in the e-transaction processes of Nabil Bank (Theoharidou, Mylonas and Gritzalis 2012); this model identifies risks and analyses them for evaluation.

Information security can be enhanced in an organization only by identifying the possible threats and risks. A threat can be considered to be a potential for trouble or damage to the IT infrastructure. After proper identification of threats, a well planned security program can be carried out in order to protect the bank from any data and security breach. Nabil Bank provides several financial and banking services, including online banking facilities for its customers. Two broad categories of threats are identified initially: internal and external threats.

Internal threats: The business practices and processes of a financial institution have a large influence on internal threats. If more employees are able to access sensitive customer information, the probability of threats is higher. The intensity of internal threats is lower because they are under the control of the bank.

External threats: These threats have a greater intensity because they are not under the control of the bank. External threats can be reviewed by listing the reasons and ways in which personal data can be accessed, identifying the ways in which the bank's system is connected to the outside world via email and networks, and identifying the service providers that have access to the data. The exposure to each threat is then identified. Some of the threats identified in the internet banking system of Nabil Bank are phishing, spyware, viruses, Trojan horses and key loggers. In a phishing attack, hoax emails are used to commit fraud (Hong 2012), and online thieves can steal sensitive customer data to misuse it. Spyware is a type of malicious software that secretly collects valuable information about users for misuse and modification (Giannetsos and Dimitriou 2013). Viruses attach themselves to another program, such as a spreadsheet, in order to replicate. Trojan horses are another type of threat, where an application poses as a secure application and harms the system into which it is downloaded or injected. Key logger software is considered to be the most harmful threat to Nabil Bank (Dadkhah and Jazi 2014): if a key logger is installed on the electronic device from which a customer accesses online banking services, it records all the information the customer enters, and attackers can use this information to steal money from the bank. The bank's financial database can also be hacked to access sensitive financial data (Martins, Oliveira and Popovič 2014).
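As an added worked example (it is not part of the original report), the following Python script carries out the threat-identification steps described above on constructed data: it records which roles can reach which data set, treats roles with no job need for a data set as excess access that raises the likelihood of an internal threat (the report's rule that more staff with access means a higher probability), and scores each identified threat as likelihood multiplied by impact so that the threats can be ranked by exposure. The asset names, role names, access lists and the 1-to-5 likelihood and impact scores are all assumptions made for the illustration.

```python
"""Risk register for the threat-identification step of the report.

Added example, not part of the original report. Asset names, role names,
access lists and the likelihood/impact scores are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed access records: which role can currently reach which data set.
ACCESS = {
    "customer_pii":      {"teller", "branch_manager", "credit_analyst", "it_admin", "marketing"},
    "loan_files":        {"credit_analyst", "branch_manager", "it_admin"},
    "core_banking_db":   {"it_admin", "dba"},
    "ebanking_sessions": {"it_admin", "ebanking_ops"},
}

# Roles whose job actually requires the data set (constructed). Any other role
# with access is "excess access" and raises internal exposure.
REQUIRED = {
    "customer_pii":      {"teller", "branch_manager", "credit_analyst"},
    "loan_files":        {"credit_analyst", "branch_manager"},
    "core_banking_db":   {"dba"},
    "ebanking_sessions": {"ebanking_ops"},
}


@dataclass(frozen=True)
class Threat:
    name: str
    asset: str
    source: str      # "internal" or "external"
    likelihood: int  # 1 (rare) .. 5 (expected), constructed
    impact: int      # 1 (negligible) .. 5 (severe), constructed


# The threats the report names, with constructed scores. Internal threats get a
# lower impact, reflecting the report's view that they are under the bank's control.
THREATS = [
    Threat("phishing of e-banking credentials", "ebanking_sessions", "external", 4, 4),
    Threat("keylogger on customer device", "ebanking_sessions", "external", 3, 5),
    Threat("spyware/trojan on branch workstation", "customer_pii", "external", 3, 4),
    Threat("attack on financial database", "core_banking_db", "external", 2, 5),
    Threat("staff misuse of customer data", "customer_pii", "internal", 2, 3),
    Threat("staff misuse of loan files", "loan_files", "internal", 2, 3),
]


def excess_access(asset):
    """Roles that can reach `asset` without a job need for it, sorted."""
    return sorted(ACCESS[asset] - REQUIRED[asset])


def internal_likelihood(threat):
    """Report's rule: more people with access -> higher internal likelihood.
    Base score plus one per role with excess access, capped at 5."""
    return min(5, threat.likelihood + len(excess_access(threat.asset)))


def score(threat):
    """Risk score = likelihood x impact; internal likelihood is access-adjusted."""
    lik = internal_likelihood(threat) if threat.source == "internal" else threat.likelihood
    return lik * threat.impact


def ranked_register():
    """Threats ordered by risk score, highest first, as (name, source, score)."""
    return sorted(((t.name, t.source, score(t)) for t in THREATS),
                  key=lambda row: (-row[2], row[0]))


def overlapping_access():
    """Roles that can reach more than one data set (the overlap the report says to find)."""
    by_role = {}
    for asset, roles in ACCESS.items():
        for role in roles:
            by_role.setdefault(role, set()).add(asset)
    return {role: sorted(assets) for role, assets in by_role.items() if len(assets) > 1}


if __name__ == "__main__":
    for name, source, s in ranked_register():
        print(f"{s:2d}  {source:8s}  {name}")
    for asset in ACCESS:
        print(f"{asset}: excess access by {excess_access(asset)}")
    print("overlapping access:", overlapping_access())
```

The ranking is only as good as the access inventory feeding it, so the first step of the report (who has access to what) is the input the scoring depends on; removing a role from an excess-access list lowers the internal score directly, which is the effect the report expects from tightening access.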
Deliberate and external threats are extremely harmful to the banking sector because they cause large financial losses. After the threats have been identified, their exposure must be determined in order to rank them by intensity. This will help the bank to mitigate risk efficiently.

Security Models

Security models provide standards for comparison and reference. Nabil Bank uses the NIST access control model to identify the access mechanisms used at the different levels that exist in the bank. The management level deals with information that supports the strategic planning process. The administration level is responsible for controlling operational data. The technical layer of the bank deals with the daily operational data needed to run the business. The NIST framework describes the present cyber security posture and its target state, finds ways to improve risk management, and fosters communication between the external and internal stakeholders of the bank. The present risk management procedure is not replaced when the bank uses the NIST framework; rather, the NIST framework complements the present security structure (Chang, Kuo and Ramachandran 2016). The bank can keep its current structure and leverage the NIST framework to identify opportunities for improving its current risk and security management. The security models of the NIST framework will be highly beneficial for Nabil Bank because the documents are available free of cost and are updated by the government. Risk assessment guidelines, security plans and privacy control plans are provided by the NIST framework (Malik and Nazir 2012). Strong information security policies can be implemented for protecting the bank's valuable information.
Development of Security Program

Nabil Bank is a large company with 52 points of representation across Nepal. Its organizational structure is hierarchical, and a code of ethics and conduct is incorporated in its culture. The main objective of the bank is to provide a single, secure financial solution to its customers, and it gives first priority to the customer. The employees follow a code of ethics (Peltier 2016) and act honestly to protect the interests of their clients (Hu et al. 2012). The bank takes major action against any employee who commits misconduct. Strong information security policies can be implemented for protecting the bank's valuable information. A well planned security program can protect the bank from security risks and threats; a financial data breach will cause loss to the clients and also affect the reputation of the bank. The following steps can be taken to develop an efficient security program:

Risk assessment: The first step is to identify which department deals with which information, and who has access to which sensitive information. The second step is to identify external and internal threats and determine their probability of occurrence. The last step is to determine whether the existing policies are adequate for protecting the information.

Current policy adjustments: A security policy must be designed to protect customer information. This policy must be approved by the board of directors in order to enhance the information security of the bank.

Security control design: The management should focus on developing security control plans for all business units, and security guidelines must be in place. Access controls need to be designed using authentication procedures such as passwords, PINs and electronic tokens. Biometric identification and firewalls can be implemented to protect the databases that store sensitive financial data, the networks can be protected with firewalls, and customer details can be encrypted to protect them from unauthorized access.

Response plan: The management team must design a response plan for handling a security breach. The person in charge of maintaining customer information must design this plan, and it must be well written. The plan needs to include the contact details of law enforcement agencies so that appropriate steps can be taken.

Service provider: The contract between the bank and each service provider must contain effective response plans. The bank must ensure that the contract contains appropriate standards for information security.

Testing: The security controls and plans must be tested to make sure that the bank is well protected from any type of security threat and risk (Shackelford et al. 2015). The parties involved in the contract must conduct control testing, including ethical hacking, to find out how effective the security policies and plans are.

Roles and Responsibilities

Chief Risk Officer: The main duty of the Chief Risk Officer is to implement risk functions, tools and systems for identifying, assessing, measuring, monitoring and reporting risks. They identify the main risk areas, enhance the function of the security architect, and are also responsible for implementing the security program.

Security Manager: The role of the security manager is to collect and use information effectively to achieve the goals of the organization. They are responsible for proper communication of information among the various layers.

Senior Credit Analyst: They are responsible for reviewing and assessing the financial history of a company or an individual in order to determine whether the candidate is eligible for a loan. They evaluate financial statements such as balance sheets and income statements to understand the default risk level.

Information security at Nabil Bank can be improved by adding designations and roles so that the responsibilities of employees do not overlap (Ahmad, Maynard and Park 2014). Some new titles that can play an effective role in improving information security are:

Technical security manager: The technical aspects of security, such as firewall implementation and encryption processes, will be looked after by these managers.

Program security manager: Third party or vendor risks can be evaluated by these managers.

CISO: The CISO looks after the security policies as a whole and can take responsibility for designing strong security policies for the organization.

Source code manager: The source code can be reviewed by these managers to detect any type of vulnerability.

There can also be specialized roles such as virus technicians, whose responsibility will be to detect new viruses and develop a defense plan to fight them.

Training Requirements

The employees of Nabil Bank must be aware of the need for a strong information security program. Employee training can be considered a critical component of the bank's information security. Management must document which employee has access to which valuable customer information (Hu et al. 2012). The employees must be made aware of the security policies of the bank and trained to identify valuable customer information. Employees must be trained in how to implement the written policies that govern the disclosure of customer information (Lebek et al. 2013). Regular meetings are needed to discuss new policies and modify existing ones in order to improve the present information security policy.

ISO Standards and Models

The ISO model is used in most industries.
ISO standards provide a common base for all organizations to develop security standards and policies (Disterer 2013), and organizations are able to develop inter-organizational deals by using them.

ISO/IEC 27001: This standard helps in implementing ISO/IEC 27002 in order to set up an ISMS (Susanto, Almunawar and Tuan 2012).

ISO/IEC 27002: This standard addresses the security needs of an organization and helps in developing security policies (Ramanauskaitė et al. 2013).

The ISO model is well suited to Nabil Bank because it will assist the bank in developing a management system for managing information security. The ENISA model can also be suitable for Nabil Bank for securing its e-transactions and e-channels.

Conclusion

This report concluded that Nabil Bank can improve its information security by adopting a well defined security program. It discussed the critical factors of information security, namely confidentiality, availability and integrity, and noted that a breach of data and information security can lead to serious losses. The main purpose of assessing risk is to identify organizational threats and vulnerabilities. Internal threats can be identified by finding out which staff have access to which information and where that access overlaps; external threats arise when the security system of the bank is accessed by an unauthorized outsider. The report described the security program that Nabil Bank can adopt, discussed the current roles and suggested an improvement plan for strengthening the organization's information security. It suggested that employees must be made aware of the bank's security policies, and concluded that the ISO model is suitable for the bank and the ENISA model is suitable for its electronic transaction system. The advanced technologies as well as the communication channels need to be protected from attackers.
Recommendations

Nabil Bank can secure its information and data from unauthorized access by following certain steps:

Encryption: Financial data must be encrypted so that hackers cannot get access to it.

Employee training: Proper training must be given to the employees to enhance information security.

Updated software: The latest version of the software must be installed in the system and updated regularly.

Firewall: Firewall implementation will protect financial information from any external intrusion.

References

Ahmad, A., Maynard, S.B. and Park, S., 2014. Information security strategies: towards an organizational multi-strategy perspective. Journal of Intelligent Manufacturing, 25(2), pp.357-370.

Aloini, D., Dulmin, R. and Mininno, V., 2012. Risk assessment in ERP projects. Information Systems, 37(3), pp.183-199.

Chang, V., Kuo, Y.H. and Ramachandran, M., 2016. Cloud computing adoption framework: A security framework for business clouds. Future Generation Computer Systems, 57, pp.24-41.

Dadkhah, M. and Jazi, M.D., 2014. Secure payment in E-commerce: Deal with Keyloggers and Phishings. International Journal of Electronics Communication and Computer Engineering, 5(3), pp.656-660.

Disterer, G., 2013. ISO/IEC 27000, 27001 and 27002 for information security management. Journal of Information Security, 4(02), p.92.

Giannetsos, T. and Dimitriou, T., 2013, April. Spy-Sense: spyware tool for executing stealthy exploits against sensor networks. In Proceedings of the 2nd ACM workshop on Hot topics on wireless network security and privacy (pp. 7-12). ACM.

Hong, J., 2012. The state of phishing attacks. Communications of the ACM, 55(1), pp.74-81.

Hu, Q., Dinev, T., Hart, P. and Cooke, D., 2012. Managing employee compliance with information security policies: The critical role of top management and organizational culture. Decision Sciences, 43(4), pp.615-660.

Kit, R.I.S., Allen, K., Mazzotti, F.J. and Briggs-Gonzalez, V., 2014. Risk Assessment Methodology.

Lebek, B., Uffen, J., Breitner, M.H., Neumann, M. and Hohler, B., 2013, January. Employees' information security awareness and behavior: A literature review. In System Sciences (HICSS), 2013 46th Hawaii International Conference on (pp. 2978-2987). IEEE.

Lo, C.C. and Chen, W.J., 2012. A hybrid information security risk assessment procedure considering interdependences between controls. Expert Systems with Applications, 39(1), pp.247-257.

Malik, A. and Nazir, M.M., 2012. Security framework for cloud computing environment: A review. Journal of Emerging Trends in Computing and Information Sciences, 3(3), pp.390-394.

Martins, C., Oliveira, T. and Popovič, A., 2014. Understanding the Internet banking adoption: A unified theory of acceptance and use of technology and perceived risk application. International Journal of Information Management, 34(1), pp.1-13.

Nabilbank.com. 2017. About Nabil Bank - Nabil Bank Limited First Private Commercial Bank. [online] Available at: https://www.nabilbank.com/intro/about-nabil-bank/11-product-services/deposit-products [Accessed 5 Oct. 2017].

Peltier, T.R., 2016. Information Security Policies, Procedures, and Standards: guidelines for effective information security management. CRC Press.

Ramanauskaitė, S., Olifer, D., Goranin, N. and Čenys, A., 2013. Security ontology for adaptive mapping of security standards. International Journal of Computers, Communications & Control (IJCCC), 8(6), pp.813-825.

Sandberg, H., Amin, S. and Johansson, K.H., 2015. Cyberphysical security in networked control systems: An introduction to the issue. IEEE Control Systems, 35(1), pp.20-23.

Shackelford, S.J., Proia, A.A., Martell, B. and Craig, A.N., 2015. Toward a Global Cybersecurity Standard of Care: Exploring the Implications of the 2014 NIST Cybersecurity Framework on Shaping Reasonable National and International Cybersecurity Practices. Tex. Int'l LJ, 50, p.305.

Susanto, H., Almunawar, M.N. and Tuan, Y.C., 2012. Information security challenge and breaches: novelty approach on measuring ISO 27001 readiness level. International Journal of Engineering and Technology. IJET Publications UK, 2(1).

Theoharidou, M., Mylonas, A. and Gritzalis, D., 2012. A risk assessment method for smartphones. Information security and privacy research, pp.443-456.

Vacca, J.R., 2012. Computer and information security handbook. Newnes.

Von Solms, R. and Van Niekerk, J., 2013. From information security to cyber security. Computers & Security, 38, pp.97-102.

Webb, J., Ahmad, A., Maynard, S.B. and Shanks, G., 2014. A situation awareness model for information security risk management. Computers & Security, 44, pp.1-15.
