Risk Assessment tool analysis for Industrial Automation and Control Systems

From its-wiki.no


by n.n.
Supervisor(s) Mohammad Mushfiqur Rahman Chowdhury, Judith Rossebø, Josef Noll
Due date 2014/11/01
Status Planned
Problem description: The thesis focuses on the evaluation of tools and methodologies in the area of risk assessment, with the aim of determining whether these tools, standards and methodologies are suitable for use in the areas of IACS. The thesis will also reach some conclusions on the applicability of a selected suitable methodology, based on evaluation criteria (if suitable ones exist). If no suitable evaluation criteria exist, the thesis will propose such criteria. Additionally, the student is expected to propose modifications to an existing methodology so that it is even more suitable for IACS.

The student will first conduct a state of the art investigation to get an overview over relevant risk assessment methodologies and tools. Based on a set of evaluation criteria, one or more methodologies and tools will be selected for further evaluation and analysis.

The state of the art investigation should include methodologies and best practices developed by the research/academic community, relevant international standards focusing on IACS (e.g. ISA99/IEC 62443), as well as generic information security risk assessment or management standards (e.g. ISO 27000 series). In addition to international standards, the thesis will evaluate relevant information security guidelines and best practices proposed by organizations such as NIST, CERTs, ENISA etc. Regional standards such as the Norwegian Oil and Gas guidelines (old OLF) should also be studied. While evaluating risk assessment methodologies, the student may propose extensions or modifications to a selected suitable methodology in order to improve it so that it is even more suitable for IACS.

The thesis will identify the most relevant risk assessment tools and will thoroughly investigate the available open source tools. Some of these tools may contain software components to assess risks. In performing the detailed evaluation, this work will shed light on how to use these tools and will conduct a strength and weakness analysis.

The outcome of the thesis will be a detailed review of standards and tools from a risk assessment point of view in the areas of Industrial Automation and Control Systems, and the evaluation of 1-2 specific packages.

Methods and Tools: The tools and methods in this thesis are based on
  • A set of scenarios, describing the challenges
  • A list of requirements being extracted from the scenarios
  • A description and evaluation of technologies and tools being candidates for solutions
  • A functional architecture/description of the envisaged system
  • An implementation of the core concepts
  • A demonstration of the solution
  • An evaluation of the solution, including a critical review of the decisions taken earlier
  • Conclusions
  • References
Time schedule - Finalize the report
Pre-Knowledge This thesis includes a reasonable amount of programming. The envisaged thesis is based on radio communications, thus expects the user to have followed at least two radio-related courses
Approved Pending by
Keywords Risk analysis, Sensor Security, Sensornett, Industrial Automation, IoTSec

Background and Motivation

Security risk assessment is the process of identifying risks to operations, assets, or individuals by determining the probability of occurrence, the resulting impact, and additional security controls that would mitigate this impact. Security requirements in Industrial Automation and Control Systems (IACS) differ from those of conventional IT systems. One of the greatest challenges in improving cybersecurity practices for IACS is that many of the practices and techniques used for general purpose IT systems are not applicable for industrial use. In a typical IT system, data confidentiality and integrity are the primary concerns. For an IACS, human safety and fault tolerance to prevent loss of life or endangerment of public health or confidence, regulatory compliance, loss of equipment, loss of intellectual property, or lost or damaged products are the primary concerns. The personnel responsible for operating, securing, and maintaining IACS must understand the important link between safety and security.

The security threat landscape for IACS is continuously evolving as today's IACS moves from stand-alone isolated networks towards connected networks. Instead of proprietary protocols, IACS is increasingly adopting open and common standards and protocols. As security for Industrial Automation and Control Systems demands different requirements and approaches, traditional risk assessment methodologies may need more investigation before they are applied in the areas of IACS. Specific international standards have also been proposed targeting the areas of IACS.

This page provides hints on what to include in your master thesis.


Title page, abstract, ...

1. Introduction, containing: short intro into the area, what is happening
1.1 Motivation, containing: what triggered me to write about what I'm writing about
1.2 Methods, containing: which methods are you using, how do you apply them
2. Scenario, optional chapter for explaining some use cases
2.1 User scenario (bad name, needs something better)
2.2 Requirements/Technological challenges
3. State of the art/Analysis of technology, structure your content after hardware/SW (or other domains). Describe which technologies might be used to answer the challenges, and how they can answer the challenges
3.1 technology A
3.2 technology B
4. Implementation
4.1 Architecture, functionality
5. Evaluation
6. Conclusions


Red line

Your thesis should have a "red line", which is visible throughout the whole thesis. This means you should mention in the beginning of each chapter how the chapter contributes to the "goals of the thesis".

Use of scientific methods

A thesis follows a standard method:

  • Describe the problem (problem statement)
  • Extract the challenges. These challenges should be measurable, e.g. the method is too slow to be useful for voice handover.
  • Analyse technology with respect to the challenges. Don't write and repeat "everything" about a certain technology; concentrate on those parts (e.g. protocols) which are of importance for your problem


  • Wikipedia is good for getting an overview of what is happening. But there is no scientific verification of Wikipedia, thus you should use Wikipedia only in the introduction of a chapter (if you use text from Wikipedia). Use scientific literature for your thesis.
  • The scientific library is "at your hand"; you can get there directly from UiO: [[How to get access to IEEE, Springer and other scientific literature -> Unik/UiOLibrary]]
  • I suggest that references to web pages, e.g. OASIS, W3C standards, are given in a footnote. Only if you find white papers or other .pdf documents on a web page should you refer to them in the reference section.

Evaluation of own work

Perform an evaluation of your own work. Revisit the challenges and discuss how you fulfilled them. Provide alternative solutions and discuss what should be done (or what could have been done).