Modelling language for cyber security incident handling for critical infrastructures

Cyber security incident handling is a consistent methodology with which to ensure overall business continuity. However, specifically handling incidents for critical information infrastructures is challenging owing to the inherent complexity and evolving nature of the threat. Despite the number of co...

Descripción completa

Detalles Bibliográficos
Autores: Mouratidis, Haralambos, Islam, SK Hafizul, Santos-Olmo Parra, Antonio, Sánchez Crespo, Luis Enrique, Ismail, Umar Mukhtar
Tipo de recurso: artículo
Fecha de publicación:2023
País:España
Institución:Universidad de Castilla-La Mancha
Repositorio:RUIdeRA. Repositorio Institucional de la UCLM
OAI Identifier:oai:ruidera.uclm.es:10578/36443
Acceso en línea:https://doi.org/10.1016/j.cose.2023.103139
https://hdl.handle.net/10578/36443
Access Level:acceso abierto
Palabra clave:Critical infrastructure
Meta-modelIncident response
Cyber incident
Cyber course of action
Cyber threat intelligence
Security requirements
Descripción
Sumario:Cyber security incident handling is a consistent methodology with which to ensure overall business continuity. However, specifically handling incidents for critical information infrastructures is challenging owing to the inherent complexity and evolving nature of the threat. Despite the number of contributions made to cyber incident handling, there is little evidence of literature that focuses on modelling activities that will enhance developers’ abilities to model incident handling processes and activities according to different views. Modelling languages of this nature should integrate essential concepts and a descriptive implementation process in order to enable developers to analyse, represent and reason about the crucial incident handling efforts required to support critical information infrastructures. The aim of this paper is, as part of the CyberSANE EU project, to develop a Cyber Incident Handling Modelling Language (CIHML) that focuses explicitly on modelling incident handling in the context of a critical information infrastructure. The work is innovative in its approach because it consolidates concepts from various domains such as security requirements, forensics, threat intelligence, critical infrastructures and cyber incident handling. The approach will allow the phases of the incident handling lifecycle to be modelled from three different views (critical information infrastructures, threat and risk analysis, and incident response). An implementation process is also proposed, which will serve as a comprehensive guide for developers in order to create these modelling views. Finally, CIHML is evaluated using a real-life scenario from the CyberSANE project to demonstrate its applicability. The incident observed had a severe impact on the overall business continuity of the context studied. The results obtained from the study show that CIHML can help critical information infrastructure operators to identify, evaluate, represent and model cyber incidents in critical information systems, in addition to providing the support required to determine the response strategies needed in order to mitigate these cyber-attacks.