Case Study: Conducting a Risk Assessment for Edison International Industrial Control Systems

Photo by paul from Pexels

Electrical generation is the lifeblood of the US and the global economy, according to Webb (2016). One firm that dominates the creation of electricity in southern California is Edison International. According to their filings with the Securities and Exchange Commission (SEC), “Edison International is the parent holding company of [Southern California Edison] and Edison Energy Group” (Edison International, 2020, p. 3). Southern California Edison (SCE) is a public utility that generates electricity for a population that covers almost 50,000 square miles in southern California (Edison International, 2020). Edison Energy Group is the second. It provides “data-driven energy solutions to commercial, institutional and industrial customers” (Edison International, 2020, p. 3).

Edison Energy Group’s website states that it “provides a suite of specialized enterprise energy services across sustainability, analytics, renewables, supply, demand, and efficiency, we work with our clients to help them resolve the key challenges of cost, carbon, and the increasingly complex choices in energy today” (Edison Energy, 2021, para. 6). Essentially, Edison Energy Group is a services firm that provides information to its clients about industrial, commercial, and governmental grid design and efficiency.

This paper will review Edison International’s management structure and industry focus and its financial standing. The paper will then discuss various aspects of cybersecurity risk management relevant to Edison management, including how to document specific risks Edison International might face. Finally, this paper will address high-risk concerns through the application of proven mitigation techniques.

Edison International

Management Structure

Edison International has a diverse team of leaders. Overseeing them is Pedro Pizarro as President and Chief Executive Officer (CEO) while David Heller is the Vice President for Enterprise Risk Management and Insurance and the General Auditor (Edison International, 2021). Mr. Heller reports to Senior Vice President and Chief Financial Officer, Ms. Maria Rigatti (Edison International, 2021; Official Board, n.d.). Adam Tuzzolino is the Manager of Cybersecurity Engineering. (LinkedIn, 2021). Edison International has a multitude of cybersecurity concerns according to its filings with the SEC (Edison International, 2020).

Industry and Purpose

Edison International is a holding company for SCE and Edison Energy Group. According to Fontinelle (2021), holding companies essentially hold stock of other companies. The companies that Edison International holds, however, do a lot related to the economy. Of particular interest is SCE. SCE provides electricity to southern California, including the County of Los Angeles. Los Angeles County is the largest county in California in terms of population (Census Bureau, n.d.). California, as a state, has the fifth largest economy in the world, sitting between Germany and India (Hughes, 2020). Providing electricity to that part of the world is vital to California’s long-term economic outlook.

Relevant Aspects of Edison International’s Computing Network and Infrastructure

As a business, Edison International has standard cybersecurity concerns with corporate networks, such as access control, data loss prevention and business continuity. However, what makes Edison International unique is that it manages a large electrical grid. According to its filings with the SEC, it recognizes that its SCE subsidiary requires:

[T]he continuous availability of critical information technology systems, sensitive customer and employee data and network infrastructure and information, all of which are targets for malicious actors. New cyber and physical threats arise as SCE moves from an analog to a digital electric grid. (Edison International, 2020, p. 48)

Edison International’s Organizational Risks

Electrical generation uses Industrial Control Systems (ICS) to create and distribute power where it needs to go. Within the utility sector, risks to ICS remain high (Khodabakhsh et al., 2020; ). ICS systems are those that are “used to control industrial processes such as manufacturing, product handling, production, and distribution” (National Institutes of Standards and Technology, 2019, para. 1). According to Khodabakhsh et al. (2020), they comprise “assets such as supervisory control systems and data acquisition (SCADA), distributed control systems (DCS), and human machine interfaces (HMI) that are commonly used for monitoring and control of their critical infrastructure” (p. 1). Vendors increasingly developed them to use internet-based communication protocols (Akpinar & Ozcelik, 2018).

The Cybersecurity and Infrastructure Security Agency (CISA) (2021) has released detailed advisories surrounding ICS prompted by several examples of ICS attacks that made headlines. One of the first occurred in 2000 when Vitek Boden used stolen radio equipment and drove to 46 radio-controlled sewage control systems in Queensland, Australia (Abrams & Weiss, 2008). In each case, he used the stolen radio equipment to shut off industrial controls remotely that the maintenance company installed for remote access. This led to 800,000 gallons of untreated sewage released into the water supply. Citing the Australian Environmental Protection Agency, Abrams and Weiss (2008) note, “Marine life died, the creek water turned black, and the stench was unbearable for residents” (p. 1).

A second example involves Programmable Logic Controllers (PLC) and a type of malware called a worm. PLCs are another type of ICS. According to Kaspersky (2021), threat actors design worms with an eye towards self-replication: “[w]orms do not require activation — or any human intervention — to execute or spread their code” (para. 1). A worm is a self-replicating program designed to disrupt operations. Spenneberg et al. (2016) documented as a proof-of-concept a worm in a popular PLC that would consume PLC resources and significantly affect operations. Researchers presented this scenario at a renowned cybersecurity conference.

A final example of an in-the-wild risk to ICS is WIN32/Industroyer. This malware targets ICS used in electrical substations (of which Edison International has many). According to Cherepanov (2017), WIN32/Industroyer targets four distinct ICS protocols, showing the threat actors had advanced knowledge of ICS design. The malware installs a separate backdoor to additional attacks, wipes data, and contains additional payloads designed to control ICS (Cherepanov, 2017).

Threats to ICS are increasing (Radanliev et al., 2018). Therefore, organizations must determine their ICS risk; for this, there is a standard formulation: risk equals the likelihood of a threat exploiting a vulnerability and causing an impact on operations (National Institute of Standards and Technology, 2012). Figure 1 shows this graphically. This paper will explore each of these as they apply to Edison International.

Figure 1

Determining risks

Adapted from “Guide for Conducting Risk Assessments (SP 800–30, rev. 1)” by National Institute of Standards and Technology, 2012.

Threats

The National Institute of Standards and Technology (NIST) (2012) defines a threat as “any circumstance or event with the potential to harm organizational operations and assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, or modification of information, and/or denial of service” (p. 8). Applied to Edison International, threats come from a variety of sources. The US Intelligence Community (IC) states cybersecurity attacks from “nation states and their surrogates will remain acute” (Office of the Director of National Intelligence, 2021, p. 20). The IC notes that cybersecurity operations are increasingly a tool that countries apply to increase their national power; these operations will affect civilians and non-military targets. The Annual Threat Assessment from the IC also calls out threat actors who have attacked “software and [information technology] service supply chains” (p. 21).

While nation state threat actors are important to counter, threats come in a variety of flavors, both intentional and accidental. Additional intentional threats include criminals and activists who might target Edison International; the techniques might be the same but the motivations are different. Nation states seek to cause disruptions to rivals; criminals seek financial gain; activists look to increase the visibility of their cause. Edison International must account for accidental threats, including natural disasters and errors caused by users as well.

An important way to understand what threats Edison International faces is via a threat model. A threat model creates a picture of the overall attack surface Edison International presents. The attack surface is what a threat actor sees at the perimeter of a system where they will try to enter (National Institutes of Standards and Technology, 2019). Understanding the attack surface is knowing what parts of the Edison International’s information systems are vulnerable and need to be tested, according to OWASP (2021).

Developing a threat model involves decomposing the information system into its individual components, identifying the risks presented (because of design or software elements used) and developing countermeasures to each of the risks identified (Shostack, 2014). Analysts use the threat modeling process to “analyze potential attacks or threats, and can also be supported by threat libraries or attack taxonomies” (Xiong & Lagerström, 2019, p. 56). Analysts then collate each of these attacks into a sense of situational awareness, i.e. the attack surface of the systems in question.

Using the STRIDE model allows Edison International to consider the range of threats it faces. Each letter in the mnemonic stands for a distinct threat tactic: S for spoofing, T for tampering, R for repudiation, I for information disclosure, D for denial of service, and E for elevation of privileges. Table 2 defines each of these terms. Each intentional threat actor in this section can and will use one or more of these threat tactics to reach their aim. MITRE (2020) has created a detailed list of attack techniques threat actors have employed that Edison International can use to inform its threat model.

Table 2

Definitions for each letter in the STRIDE threat model method

Adapted from “Threat Modeling: Designing for Security” by A. Shostack, 2014. Copyright 2014 by Wiley.

Vulnerabilities

Cybersecurity professionals define a vulnerability as a “weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source” (National Institute of Standards and Technology, 2012, p. 9). There are a multitude of vulnerabilities in ICS that Edison International must know. NIST published its Guide to Industrial Control Systems (ICS) Security in 2015. Appendix C of this NIST document breaks down vulnerabilities into five categories: architecture and design, configuration and maintenance, physical access, software development, and communications and network (Stouffer et al., 2015).

Architecture and Design

Architecture and design vulnerabilities are flaws built into how Edison International might create an ICS. For example, Stouffer et al. (2015) describe a particular vulnerability where the ICS does not have a defined security perimeter. This lack of perimeter means Edison International cannot ensure they have properly deployed the controls they rely on for protecting the confidentiality, availability, and integrity of the ICS. This can lead to potentially unauthorized access to the ICS and its data (information disclosure in the STRIDE process).

Configuration And Maintenance

Configuration and maintenance vulnerabilities occur when organizations like Edison International do not properly care for their ICS. Here, improperly configured ICS creates openings to Edison International from unnecessary services, functions, ports, and protocols (Stouffer et al., 2015). Leaving default configurations from an installation will expose weaknesses and services to attack, leading to tampering or elevation of privileges under a STRIDE model.

Physical Access

Stouffer et al. (2015) cite allowing unauthorized personnel to have physical access to an ICS as a physical vulnerability that Edison International must remediate. Failure to do so can lead to theft or destruction of data or hardware and unauthorized changes to the ICS through a variety of means. This is potentially a denial of service within STRIDE’s framework.

Software Development

Software development vulnerabilities occur when developers use bad coding practices, such as improper data validation techniques on user inputs and received data to the ICS. Such a vulnerability will create many “vulnerabilities including buffer overflows, command injections, cross-site scripting, and path traversals” (Stouffer et al., 2015, p. C-9). Such attacks will lead to tampering or elevation of privileges under a STRIDE model.

Communications And Network

Communications and network vulnerabilities are those that happen when part of the ICS is communicating with each other. For example, if two ICS components communicate over a wireless network, Stouffer et al. (2015) note there needs to be sufficient data protection between the two points. These ICS elements transmit sensitive information on behalf of Edison International and should have strong encryption in place to secure the communications link. A lack of encryption on these communications can lead to tampering noted in the STRIDE rubric.

Likelihood

Returning to NIST’s (2012) Guide for Conducting Risk Assessments, the document defines likelihood as a “weighted risk factor based on an analysis of the probability that a threat can exploit a vulnerability (or set of vulnerabilities)” (p. 10). Unfortunately, determining the likelihood of a cyber attack is challenging. While the Cyber Risk Task Force of the American Academy of Actuaries (2021) notes such attacks are very real in the modern world, using past data to determine future probability is hard because data sharing about past attacks is notoriously difficult to come by.

CISA (n.d.) within the US government requests the business community to share cyber threat data with them to better inform the larger cybersecurity community, but is not a requirement. Recently, the US Senate removed a requirement that would have mandated such reporting to CISA from the National Defense Authorization Act, dooming it to possibly passing at a later date (Starks, 2021). However, each critical infrastructure sector maintains an Information Sharing and Analysis Center (ISAC) and the utilities sector is no different.

The Electricity Information Sharing and Analysis Center (E-ISAC) (2020) serves to lessen the risk of cyber and physical security risks for its members; principally, the E-ISAC does this through its Cybersecurity Risk Information Sharing Program (CRISP) program. Edison International is presumably a member of E-ISAC based on its geographical coverage and importance to the southern California region; E-ISAC does not publish its membership roster.

Irrespective of the determining actual probabilities that a threat actor could exploit a vulnerability, Edison International needs only look at recent zero-day attacks announced to see there is always a high likelihood of attempted penetration. For example, researchers discovered a new vulnerability for Log4j (a key part of many Unix logging systems) and issued an alert on December 10, 2021 (National Institute of Standards and Technology, 2021). Four days later, attackers launched over 840,000 attacks on Log4j components (Jeffrey, 2021).

Impact

Impact is the amount of damage expected from a particular threat exploiting vulnerability for Edison International (National Institute of Standards and Technology, 2012). In more practical terms, impacts are usually costs associated with an ICS component failure and the need to replace it, paying to address reputational damage from angry customers, or for addressing new regulatory requirements on the heels of an attack Edison International might have failed to address.

Calculating Edison International’s Risk Exposure

NIST (2012) describes a method for document specific risks. The first step in the process is to determine the threat sources or events. Next, Edison International would determine the vulnerabilities it faces within its attack surface from each threat source. Third, the utility should determine the likelihood a threat would exploit each identified vulnerability and then determine what impact that exploitation would have on its operations. Figure 2 below outlines the overall risk assessment process.

Figure 2

Risk Assessment Process

Adapted from “Guide for Conducting Risk Assessments (SP 800–30, rev. 1)” by National Institute of Standards and Technology, 2012.

Threat-Vulnerability Pairs

A complete cybersecurity risk assessment for Edison International is beyond this paper. However, using the threats and vulnerabilities already presented, examples become obvious using the process described in Figure 2. For brevity’s sake, this paper will only use the intentionally malicious threats described earlier: nation-state attackers, financially motivated criminals, and activists seeking to promote their cause. This paper randomly pairs each of these three threat sources with one of the five vulnerabilities discussed: lack of security perimeter, improper system configurations, unauthorized physical access to Edison International facilities, improper data validation, and a lack of data protection between nodes. As noted previously, in a full risk assessment, Edison International should map each threat source to each vulnerability.

This creates five threat-vulnerability pairs (P). Table 3 below provides them along with a brief narrative description of each. Each description also notes the associated MITRE (2020) attack technique in parentheses relevant to each P value.

Table 3

Edison International Threat-Vulnerability Pairs with Associated MITRE Attack Techniques

Adapted from “Guide for Conducting Risk Assessments (SP 800–30, rev. 1)” by National Institute of Standards and Technology, 2012 and “ICS Attack Techniques” by MITRE, 2020. Copyright 2020 by MITRE.

Risk Matrix

With qualitative values for likelihood and impact, Edison International can build a table that shows their intersection. The company should define these qualitative values (high, moderate, and low) in terms of their business needs. High likelihood might mean there is an openly available proof-of-concept piece of software for a known vulnerability on the internet, while a low impact could be that the affected system would not disrupt electrical generation and distribution. Table 4 below presents such a matrix combining likelihood and impact. This is only an example matrix; the company would need to tailor its values to Edison International’s risk tolerance levels.

Table 4

Likelihood-impact matrix to show risk levels

Adapted from “Guide for Conducting Risk Assessments (SP 800–30, rev. 1)” by National Institute of Standards and Technology, 2012.

Table 4 implements a high-water mark process. Whatever the highest value is for either likelihood or impact becomes the risk level associated with that combination. The exception to this is the two combinations of low and high likelihood and impact. For those two items (low likelihood, high impact and high likelihood, low impact) this matrix splits the difference and marks both as moderate. For each threat-vulnerability pair in table 3, Edison International can enter the business appropriate likelihood and impact and then calculate the risks each pair presents to its business. Table 5 presents examples of what these results might look like using the matrix in Table 4.

Table 5

Likelihood, impact, and associated risk for each identified threat-vulnerability pair

Adapted from “Guide for Conducting Risk Assessments (SP 800–30, rev. 1)” by National Institute of Standards and Technology, 2012.

Like most organizations, Edison International does not possess unlimited resources and must prioritize where to get the greatest return on its investment in controls. Reviewing the information in Table 5, Edison International should focus its resources on resolving those concerns with the highest risks: TV2 (a cyber criminal could attack an ICS with default system configurations) and TV4 (a nation state could attack a database that stores ICS information using SQL injection techniques).

Mitigation Techniques for Edison International’s High-Risk Pairs

How might Edison International address the two high-risk items? MITRE (2020) recommends specific countermeasures for each attack technique associated with the threat-vulnerability pairs.

P2 — Crime — System Configuration

To mitigate against ICS attack technique T0885 — Commonly Used Port, MITRE (2021b) recommends several changes. First, each controller deployed by Edison International in the field should “require users to authenticate for all remote or local management sessions” (para. 3). MITRE’s (2021b) second recommended mitigation is to disable all unnecessary ports and protocols; only allow what is absolutely necessary to function on the ICS component. Edison International can confirm this standard by using a commercially available Security Content Automation Protocol (SCAP) enabled vulnerability scanners to look for open ports and protocols. SCAP is “a suite of specifications for exchanging security automation content used to assess configuration compliance and to detect vulnerable versions of software” (National Institute of Standards and Technology, 2016, para. 1).

Third, Edison International should install a network-based intrusion prevention system. Such a system analyzes specific information from the network attached ICS components to seek the characteristics that show an attack is occurring and prevent the attacking traffic from reaching its target (Wang & Xu, 2020). The last recommendation MITRE (2021b) makes is to segment the ICS components into their own distinct network space. Experts call this network segmentation. Specifically, Edison International should “[c]onfigure internal and external firewalls to block traffic using common ports that associate to network protocols that may be unnecessary for that particular network segment” (para. 3).

P4 — Nation state — Data Validation

To address the concerns in T0811 — Data from Information Repositories, MITRE (2021a) similarly makes a series of recommendations. First, Edison International must encrypt the information in its databases. There are many options for such an encryption scheme; Edison International should find the one that provides the correct balance between key management and flexibility (Ocenas et al., 2020). Second, Edison International should make use of a Privileged Account Management (PAM) solution that will “minimize permissions and access for service accounts to limit the information that may be exposed or collected by malicious users or software” (MITRE, 2021a, para.1). There are several available for purchase and implementation.

Third, MITRE (2021a) recommends Edison International restrict permissions to files and directories on the database server. This will prevent threat actors from interacting with and collecting data from the database server. This coincides with the fourth recommendation for Edison International: ensuring users and groups have only the permissions via a properly configured Identity and Access Management (IdAM) program (MITRE, 2021a). Finally, Edison International should “develop an auditing mechanism to conduct periodic reviews of accounts and privileges for critical and sensitive repositories” (para. 3)

Beyond the High-Risk Findings

Once Edison International addresses these two high-risk threat-vulnerabilities pairs, they can then focus on the moderate-risk items (P1 and P3) before moving on to the low-risk item (P5) presented in this example risk assessment. For each of the techniques listed in Table 3 and the calculated risks in Table 5, MITRE (2020) provides specific mitigation tactics Edison International should implement.

Conclusion

Edison International provides energy for an important part of the world. Understanding the threats and vulnerabilities companies like Edison International face will improve cybersecurity across the country’s critical infrastructure. Within the utility sector, risks to Industrial Control Systems (ICS) remain high. Cybersecurity and Infrastructure Security Agency (CISA) (2021) has released detailed advisories surrounding ICS.

Tried-and-true processes exist for assessing risks. While there are many processes for conducting a risk assessment, the US government’s process is straight-forward. Edison International should find the process that best meets their business needs. In the process described previously, Edison International must identify its threats and understand its vulnerabilities. From there, they should estimate, with key management officials, the likelihood of those threat-vulnerability pairs affecting operations. The company can rank each threat-vulnerability pair, and its associated likelihood and impact, using a standard risk matrix. This will allow Edison International to focus their resources on those pairs most likely to cause significant damage to its operations and business.

References

Abrams, M., & Weiss, J. (2008, July 23). Malicious control system cyber security attack case study– Maroochy Water Services, Australia. Burlington; MITRE.

Akpinar, K. O., & Ozcelik, I. (2018). Development of the ECAT preprocessor with the Trust Communication Approach. Security and Communication Networks, 1–16. https://doi.org/10.1155/2018/2639750

Census Bureau. (n.d.). U.S. Census Bureau quickfacts: Los Angeles County. QuickFacts. Retrieved December 10, 2021, from https://www.census.gov/quickfacts/fact/table/losangelescountycalifornia,CA/PST045219

Cherepanov, A. (2017, June 12). WIN32/Industroyer: a new threat for industrial control systems. San Diego; ESET.

Cyber Risk Task Force, Casualty Practice Council. (2021, August). Cyber risk toolkit. Washington, DC; American Academy of Actuaries.

Cybersecurity and Infrastructure Security Agency. (n.d.). Systemic cyber risk reduction. Cybersecurity and Infrastructure Security Agency. Retrieved January 9, 2022, from https://www.cisa.gov/systemic-cyber-risk-reduction

Cybersecurity and Infrastructure Security Agency. (2021, June 21). ICS Advisory (ICSA-14–178–01). Cybersecurity and Infrastructure Security Agency. Retrieved January 11, 2022, from https://www.cisa.gov/uscert/ics/advisories/ICSA-14-178-01

Edison Energy. (2021). Global Enterprise Energy Services & Advisory. Edison Energy. Retrieved December 10, 2021, from https://www.edisonenergy.com/

Edison International. (2020, December 31). Edison International, Form 10-K. Form 10-K. Retrieved December 10, 2021, from https://www.sec.gov/ix?doc=%2FArchives%2Fedgar%2Fdata%2F0000827052%2F000082705221000019%2Feix-20201231.htm

Edison International. (2021). Pedro J. Pizarro. Edison International. Retrieved December 10, 2021, from https://www.edison.com/home/about-us/leadership/edison-international-leaders/pedro-j-pizarro.html

Electricity Information Sharing and Analysis Center. (2020, October). E-ISAC long-term strategic plan update. Washington, DC; Electricity Information Sharing and Analysis Center.

Fontinelle, A. (2021, December 7). Getting a grip on holding companies. Investopedia. Retrieved December 10, 2021, from https://www.investopedia.com/terms/h/holdingcompany.asp

Hughes, R. A. (2020, October 26). If California were a country. Bull Oak Capital. Retrieved December 10, 2021, from https://bulloakcapital.com/blog/if-california-were-a-country/

Jeffrey, C. (2021, December 14). LOG4J flaw turns into pandemic with over 840,000 attacks initiated within 72 hours. TechSpot. Retrieved January 9, 2022, from https://www.techspot.com/news/92633-hackers-launch-over-840000-attacks-through-log4j-flaw.html

Kaspersky. (2021, April 26). What’s the difference between a virus and a worm? www.kaspersky.com. Retrieved December 16, 2021, from https://www.kaspersky.com/resource-center/threats/computer-viruses-vs-worms

Khodabakhsh, A., Yayilgan, S. Y., Abomhara, M., Istad, M., & Hurzuk, N. (2020). Cyber-risk identification for a digital substation. Proceedings of the 15th International Conference on Availability, Reliability and Security. https://doi.org/10.1145/3407023.3409227

LinkedIn. (2021). Adam Tuzzolino. LinkedIn.com. Retrieved December 10, 2021, from https://www.linkedin.com/in/adam-tuzzolino-40a7596

MITRE. (2020, January 2). ICS attack techniques. Techniques — Attacks ICS. Retrieved January 8, 2022, from https://collaborate.mitre.org/attackics/index.php/All_Techniques

MITRE. (2021a, October 20). T0811 — data from information repositories. Data from Information Repositories — attack ICS. Retrieved January 9, 2022, from https://collaborate.mitre.org/attackics/index.php/Technique/T0811

MITRE. (2021b, October 20). T0885 — Commonly used port. Commonly Used Port — attack ICS. Retrieved January 9, 2022, from https://collaborate.mitre.org/attackics/index.php/Technique/T0885

National Institute of Standards and Technology. (2012). (publication). Guide for conducting risk assessments (SP 800–30, rev. 1) (Ser. Special Publications 800, pp. 1–95). Gaithersburg, MD: US Department of Commerce.

National Institute of Standards and Technology. (2016, December 7). Security content automation protocol. Computer Security Resource Center. Retrieved October 14, 2021, from https://csrc.nist.gov/Projects/Security-Content-Automation-Protocol/faqs.

National Institute of Standards and Technology. (2019, July). Glossary. Computer Security Resource Center. Retrieved December 30, 2021, from https://csrc.nist.gov/glossary/

National Institute of Standards and Technology. (2021, December 10). CVE-2021–44228. NVD. Retrieved January 9, 2022, from https://nvd.nist.gov/vuln/detail/CVE-2021-44228 Ocenas, M., Homoliak, I., Hanacek, P., & Malinka, K. (2020).

Security and encryption at modern databases. Proceedings of the 2020 4th International Conference on Cryptography, Security and Privacy, 19–23. https://doi.org/10.1145/3377644.3377662

Office of the Director of National Intelligence. (2021). (rep.). Annual threat assessment of the US intelligence community (pp. 1–27). Washington, DC: US Government.Official Board. (n.d.). Org chart Edison International.

The Official Board. Retrieved December 10, 2021, from https://www.theofficialboard.com/org-chart/edison-international

OWASP. (2021). Attack surface analysis cheat sheet. OWASP Cheat Sheet Series. Retrieved October 14, 2021, from https://cheatsheetseries.owasp.org/cheatsheets/Attack_Surface_Analysis_Cheat_Sheet.html

Radanliev, P., De Roure, D. C., Nicolescu, R., Huth, M., Montalvo, R. M., Cannady, S., & Burnap, P. (2018). Future developments in cyber risk assessment for the internet of things. Computers in Industry, 102, 14–22. https://doi.org/10.1016/j.compind.2018.08.002

Shostack, A. (2014). Threat modeling: designing for security. Wiley.

Spenneberg, R., Bruggemann, M., & Schwartke, H. (2016). PLC-Blaster: a worm living solely in the PLC. Blackhat. Retrieved January 3, 2022, from https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf

Starks, T. (2021, December 7). Cyber incident reporting mandates suffer another Congressional setback. CyberScoop. Retrieved January 9, 2022, from https://www.cyberscoop.com/cyber-incident-reporting-ransomware-payments-congress-ndaa/

Stouffer, K., Pillitteri, V., Lightman, S., Abrams, M., & Hahn, A. (2015). Guide to industrial control systems (ICS) security. NIST Special Publication 800–82, 1–247. https://doi.org/10.6028/nist.sp.800-82r2

Wang, D., & Xu, G. (2020). Research on the detection of network intrusion prevention with SVM based optimization algorithm. Informatica, 44(2). https://doi.org/10.31449/inf.v44i2.3195

Webb, E. L. (2016). The internet of things: cybersecurity, insurance, and the national power grid. Natural Resources & Environment, 30(4), 35–39.

Xiong, W., & Lagerström, R. (2019). Threat modeling — a systematic literature review. Computers & Security, 84, 53–69. https://doi.org/10.1016/j.cose.2019.03.010

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Edwin Covert

Edwin Covert

Cybersecurity, guitar, jazz, bourbon, rye, enterprise security architecture, current trophy husband. CISSP-ISSAP, CISM, CRISC, SCF, PMP at www.edwincovert.com