The Bridge - Issue 2, 2023 - 17

Bridging the Gap between Cybersecurity and Reliability for Critical National Infrastructures
Feature
* Access control: The use of CNI systems is restricted to
only authorized employees.
* Privacy compliance: The national critical infrastructure
systems are required to be compliant with the appropriate
laws and regulations related to privacy, such as GDPR,
HIPAA, CCPA, etc.
* Network security: There are network security
measures such as blockchain, cryptography methods
(e.g., symmetric key algorithms, asymmetric key
algorithms, digital signatures, and hash functions),
intrusion prevention systems based on deep learning
models, and firewalls. The symmetric key algorithms
include the Advanced Encryption Standard (AES) and
ChaCha20. The asymmetric key algorithms include the
Rivest-Shamir-Adleman (RSA) algorithm and the Elliptic
Curve Cryptography (ECC) algorithm. Solutions like the
one proposed in [8] could offer an advanced level of
protection for data privacy. These security measures
should be in place to ensure security against cyber threats.
* Physical security: Access to national critical infrastructure
systems should be controlled and protected with the help
of video surveillance cameras and alarms to detect and
deter potential threats.
* Recovery and data backup: CNI systems should have
the most robust data backup and recovery processes to
ensure the availability and integrity of data in the event of
system failure. Two techniques, namely, data replication
and cloud backup, could be used as recovery and data
backup for CNIs. Data replication refers to the creation
of duplicate copies of data in various places, that are
accessible during critical situations.
V. SECURABILITY
Most existing works address security or safety as separate
fields of study, although recently a number of scholars
have tried to fill this gap. The existing co-analysis of safety
and security is approached in two ways: 1) an integrated
strategy and 2) a unified strategy [7]. Unfortunately,
methodologies that incorporate security (and privacy) with
reliability (and safety) are still lacking and are expected to
be introduced in the upcoming years. These methodologies
would also introduce a new research area under the
umbrella term, securability.
Faults and failures can and should be taken into account in
the evaluation of securability because they are components
that have an impact on the system's proper operation.
The idea of security can be found in the triplet of analysis,
prediction, and optimization of system's operation. Using
terms like Mean Time to Attack (MTTA), Mean Time
to Compromise (MTCR), and Mean Time to Recovery
(MTTR), which are based on plans for responding to and
mitigating incidents, we could model the operation of the
system under investigation [5]. Some of the initial steps
in this strategy have already been taken, using patterns
that combine dependability and security as well as attack
prediction with Markov models [6]. The idea of including a
probabilistic model of the behavior of a part (or the whole
system) in terms of tentative failures or errors could provide
a better picture of the system in analysis and a prediction of
tentative future states.
Securability can be used as a metric to show how well a
system can function in accordance with the demands of
the services it is providing by embracing the fundamental
ideas of reliability as described in [4]. This definition is
different from the one proposed several years ago (by
Professor Miroslaw Malek), where the term was used as a
property of a system or service that expresses reliance that
can be placed on a system or service even in the presence
of hostile attacks and other attempts to breach security. In
that approach, Malek was trying to integrate dependability
and security, especially for cloud computing. Securability, as
defined in [4] and also as proposed here, is a holistic metric
to measure or predict the correct operation of a system
incorporating both faults and attacks. When cybersecurity
is incorporated into this reliability analysis, the probability
of failure, misuse for each component must include both
failures and potential attacks.
Figure 3. Types of Cybersecurity Techniques
As presented in Figure 3, the cybersecurity techniques for
CNIs can be categorized into five types: network security
techniques, application security techniques, data security
techniques, identity and access management techniques,
and risk management techniques.
VI. FUTURE DIRECTIONS
There are various subject areas in which future work is
required to deal with cybersecurity and reliability challenges
for CNIs:
* Cyber resilience: Since cyber attacks are increasingly a
serious threat to CNIs, there are ongoing challenges to
enhance their level of cybersecurity, and efforts should be
made to strengthen the cybersecurity of these systems.
HKN.ORG
17

https://hkn.ieee.org/

The Bridge - Issue 2, 2023

Table of Contents for the Digital Edition of The Bridge - Issue 2, 2023