Building an Effective Security Program for Distributed Energy Resources and Systems - Mariana Hentea - Page 77
2.2.2 Understanding Cybersecurity Terms
Cybersecurity is the ability to protect or defend the use of cyberspace from cyber attacks [CNSSI 4009]. Further, a cybersecurity attack is defined as an attack via cyberspace for the purpose of disrupting, disabling, or destroying a computing environment/infrastructure [CNSSI 4009]. However, this definition excludes physical attacks, unintentional human errors, and natural disasters, all of which can also disrupt a computing environment/infrastructure. Physical attacks may be carried out without using cyberspace and still cause harm to cyberspace. Often two definitions are combined into one. For example, the cybersecurity definition [CNSSI 4009] is concatenated with another definition (measures taken to protect a computer or computerized system [IT and OT] against unauthorized access or attack) to form the cybersecurity definition provided by the US Department of Energy (DOE) [DOE 2014a].
However, no single definition of cybersecurity is available across the Internet [Franscella 2013]. As pointed out in [Vacca 2012], no formally accepted definition of cybersecurity currently exists. On the spelling of cybersecurity versus cyber security, the communities agreed on using the single word cybersecurity [Franscella 2013].
Often cybersecurity is taken to cover all security dimensions, from technology to economic and social aspects, legal matters, law enforcement, human rights, national security, warfare, international stability, intelligence, and others. The widespread use of this term often masks the broad and complex nature of the subject matter [OECD 2015].
When comparing cybersecurity with information security, some people regard these concepts as overlapping or even as the same thing [ENISA 2015a]. Others view information security as focused on protecting specific individual systems and the information within organizations, while cybersecurity is seen as focused on protecting the infrastructure and networks of critical information infrastructures.
Information security is defined as measures adopted to prevent the unauthorized use, misuse, modification, or denial of use of knowledge, facts, data, or capabilities [Maiwald 2004]. This term is defined in [NISTIR 7298r2] as the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability. Although this definition may seem more focused (implying security goals such as confidentiality, integrity, and availability), it is still not complete, because protection measures should also provide for non-repudiation and other attributes of the information.
Although there is no universally accepted nor straightforward definition of cybersecurity or information security [ENISA 2015a], we need to understand the differences among these various definitions and views.
The recommendations of the [OECD 2015] document introduce the concept of digital security risk (see the definition in Appendix A), which requires a response fundamentally different in nature from that given to other categories of risk. To that effect, the term cybersecurity, and more generally the prefix cyber, which helped convey this misleading sense of specificity, do not appear in the recommendation. Digital security risk is dynamic in nature. It includes aspects related to the digital and physical environments, the people involved in the activity, and the organizational processes supporting it.
The abundance of definitions for security terms is the result of the various aspects and attributes that an interested party may want to emphasize in the definition of a concept. Also, many security- and privacy-related concepts and terms evolved as the security paradigms changed over time, particularly in the way IT security was addressed. Appendix A includes a table showing different definitions for common security terms as provided by known standards and glossaries.
This is an indication of a field whose foundation for defining the basic concepts is still evolving. However, it is necessary to have more consistent definitions among related and dependent terms. An appropriate balance between comprehensive and extended definitions is also needed to promote terms that are useful to users and the general public, not only to security experts and researchers. These terms are needed in communicating, writing, and understanding news and documents dealing with security policies, directives, instructions, and guidance.
Often, the lack of knowledge of the definitions, or the lack of unique definitions, prompts each industry to define these terms for itself. For example, DOE published a glossary of concepts including a set of cybersecurity terms in [DOE 2014a]. Several terms are taken from other documents, or they are adapted for energy sector use. There is a problem when these glossaries are not continuously updated: new terms may appear, and some terms may become obsolete or be changed in the referenced glossary. Therefore, one solution is to check the definitions of these terms and their maintenance status. The security team needs to agree on the basic terms to avoid language confusion and avoid rolling out ambiguous activities.
Since some security terms do not have common definitions, or new updates emerge, we recommend reviewing the definitions in the most current dictionaries of security terms and concepts as defined by known standards organizations such as the International Organization for Standardization (ISO)/IEC, the Internet Engineering Task Force (IETF), and the International Society of Automation (ISA). Often the glossary adopted by an organization may need to be revised. Definitions of related security terms (cybersecurity, threat, vulnerability, asset, countermeasure, exposure, security service, etc.) are also available in published guides maintained by security professionals such as [Harris 2013] and [Krutz 2004]. Figure 2.11 shows a visual representation of the relationships among different security concepts (terms). Definitions of the terms are provided in [CC 2.3] (see also Appendix A).
Figure 2.11 Security concepts and relationships.
Source: [CC 2.3]. Public Domain.
In addition, security and privacy concepts have to be understood by users, security designers, and managers; otherwise, misunderstanding creates confusion or ambiguity in communication that undermines the successful implementation of security and privacy programs.
Assets may have vulnerabilities that can be exploited by a threat agent, leading to risk that can damage the asset. The owner of the assets wants to minimize the risk and uses countermeasures (controls or safeguards). Applying the right countermeasure can eliminate the vulnerability and the exposure, and thus reduce the risk. One issue is that eliminating the threat agent may not be possible, but it is possible to protect the asset and prevent the threat agent from exploiting vulnerabilities within the asset's environment.
These security terms and their definitions continue to change and evolve with technology developments, emerging new technologies, and research trends. The work in [Von Solms 2013] discusses the similarities and differences between three terms: cybersecurity, information security, and communications security. The authors argue that cybersecurity goes beyond the boundaries of traditional information security to include not only the protection of information resources but also that of other assets, including the human factor. Figure 2.12 illustrates graphically the relationships among these concepts.
Figure 2.12 Information security and cybersecurity relationship.
Source: [Von Solms 2013]. © 2013, Elsevier.
The work in [Craigen 2014] is another attempt to provide a new definition for the term cybersecurity from a multidisciplinary perspective, as follows:
Cybersecurity is the organization and collection of resources, processes, and structures used to protect cyberspace and cyberspace-enabled systems from occurrences that misalign de jure from de facto property rights.
However, this definition misses the point that cybersecurity is also a field of research, an industry, and a societal issue. There are many different theoretical and interpretational aspects that could, or even should, be considered when discussing cybersecurity as a concept and a term.
Appendix A includes several definitions promoted by organizations and glossaries including DOE. Although there is no universally accepted nor straightforward definition of cybersecurity and other related terms, we need to understand these definitions and views.