Advanced Approach to Information Security Management System Model for Industrial Control System

Organizations make use of important information in day-to-day business. Protecting sensitive information is imperative and must be managed. Companies in many parts of the world protect sensitive information using the international standard known as the information security management system (ISMS). ISO 27000 series is the international standard ISMS used to protect confidentiality, integrity, and availability of sensitive information. While an ISMS based on ISO 27000 series has no particular flaws for general information systems, it is unfit to manage sensitive information for industrial control systems (ICSs) because the first priority of industrial control is safety of the system. Therefore, a new information security management system based on confidentiality, integrity, and availability as well as safety is required for ICSs. This new ISMS must be mutually exclusive of an ICS. This paper provides a new paradigm of ISMS for ICSs, which will be shown to be more suitable than the existing ISMS.


Introduction
In general information systems, almost all security groups use the international information security management system (ISMS) standard which is ISO 27000 series. ISO 27000 series focuses on protection of confidentiality, integrity, and availability of information [1][2][3]. This ISMS is appropriate for general information systems, where the main threats are dynamic and variable, like malicious hacking.
However, industrial control systems (ICSs) are different from general information systems. While protection from dynamic, variable threats is important on an ICS, safety is most crucial in industrial control [4][5][6].
When national infrastructures, like nuclear power plants, deploy an ICS, the ICS is evaluated on the basis of safety [7]. In the field, safety is evaluated by IEC 61508 and IEC 61511. IEC 61508 is the international standard for Functional Safety of Electrical-Electronic-Programmable Electronic Safety-Related Systems and IEC 61511 is the technical standard that defines practices in the engineering of systems that ensures safety of an industrial process (see Figure 1).
An ISMS is based on confidentiality, integrity, and availability, and the security needs of an ICS are not mutually exclusive with these because the nature of such businesses differs from general information systems. ICSs are significant in the control of national infrastructures. These systems have unquestionable value, and they must be safe [7,8]. For this reason, ICSs require safety first, ahead of the other ISMS attributes. In the field, process owners of ICSs in fact follow the safety standards IEC 61508 and IEC 61511.
In short, a new ISMS should be configured on the views of confidentiality, integrity, and availability, as well as safety (see Figure 2).
The ISMS is a framework that presents three views, confidentiality, integrity, and availability, to protect information [1]. However, this paper casts doubt on whether the three views of the existing ISMS are sufficient to protect assets from internal and external threats and vulnerabilities in an ICS.
In the case of an ICS, the social impact of threats and vulnerabilities such as hacking, natural disaster, and internal system problems cannot be compared with that in general information systems: the damage is great and brings about severe economic and social dislocation [4,5,8]. Thus, safety becomes the main keyword in ICS.
The requirements of IEC 61511 are based on safety, whereas the requirements and controls of ISO 27001 and NIST SP 800-53 are based on confidentiality, integrity, and availability [7]. In ISO 27001 and NIST SP 800-53, safety is treated only as a part of availability, so the safety of IEC 61511 differs from the safety of NIST SP 800-53 and ISO 27001. As a result, this paper suggests that the safety presented in IEC 61511 should be considered as a part of a new ISMS together with confidentiality, integrity, and availability. The reason is twofold: information in ICSs could be exposed, leaked, or tampered with if the internal safety of the system is not guaranteed against unexpected environmental changes such as fluctuations of temperature and humidity, and a lack of safety against external threats and vulnerabilities such as hacking and natural disaster has a great socioeconomic ripple effect [8,9]. Therefore, safety should be acknowledged as an essential value in the ISMS of an ICS, at the same level as confidentiality, integrity, and availability.
In order to prove this point, we will compare and analyze the security controls or requirements of three international standards, namely, ISO 27001, NIST SP 800-53, and IEC 61511. If the safety requirements of IEC 61511, which are followed by people in the ICS field, barely match the security controls (including the 21 requirements) of ISO 27001 or the security controls of NIST SP 800-53, then the ISMS for ICSs, in its present form, is faulty and ineffective [1,10,11]. This paper will also compare and analyze the common security controls of NIST SP 800-53 that were successfully carried out by the South Korea energy group (thermal, gas, nuclear, combined cycle, electricity, and power exchange) against the safety requirements of IEC 61511. The reason for comparing common security controls with the requirements of IEC 61511 is that common security controls are sufficient for every ICS, regardless of the specific application. For these reasons, comparing common security controls and safety
Figure 4 [10].
IEC 61511 consists of 3 chapters. The first chapter is called "framework, definitions, system, hardware and software requirements"; the second chapter is called "guidelines for the application of IEC 61511-1"; and the third chapter is called "guidance for the determination of the required safety integrity levels." The safety requirements of IEC 61511 are divided into five safety parts, and the safety parts consist of development, allocation, design, installation, commissioning, validation, operation, modification, and decommissioning for an ICS.

Matching Analysis for Security Controls and Requirements of International Standards
Each part of IEC 61511 has several requirements that include the security controls of NIST SP 800-53 or the security controls of ISO 27001. In order to prove this point, we compare and analyze the security controls/requirements of three international standards, namely ISO 27001, NIST SP 800-53, and IEC 61511, below.
and NIST SP 800-53. An example of the listing is presented in Table 1 [1,7].

Result of Matching Analysis for Security Controls and Requirements of International Standards.
In order to find out whether the security controls of the international standards match, we compare the requirements of IEC 61511 with the security controls of NIST SP 800-53 and the security controls of ISO 27001.
There are two results from this comparison. Firstly, the percentage of security controls of ISO 27001 that match safety requirements of IEC 61511 is 15%. Specifically, ISO 27001 has 140 security controls in total, and 21 of these matched safety requirements of IEC 61511.
Secondly, the percentage of security controls of NIST SP 800-53 that match safety requirements of IEC 61511 is 16.49%. Specifically, NIST SP 800-53 has 194 security controls in total, and 34 of these matched safety requirements of IEC 61511.
In short, the percentage of requirements of IEC 61511 that match either the security controls of NIST SP 800-53 or the security controls of ISO 27001 is quite low. These results mean that an ISMS based on ISO 27001 or NIST SP 800-53 is insufficient for a real industrial control system environment, because the ISMS does not reflect the specific nature of an ICS. That specificity is safety, which is a core value of IEC 61511 (see Table 2 and Figure 7).
Table 3.

Extracting Items
This paper holds that safety broadly has two meanings. The first is safety against external factors such as hacking and natural disaster; the other is safety against internal factors such as internal system failure. The requirements of IEC 61511 and the requirements of ISO 27001 and NIST SP 800-53 do not present direct requirements against the internal and external threats and vulnerabilities that hinder safety in an ICS. Instead, the requirements of IEC 61511 present safety requirements for each ICS life-cycle phase that guarantee safety from internal and external threats and vulnerabilities, and these safety requirements aim to improve ICS safety, which is the core of managing risk from internal and external threats and vulnerabilities well.

Matching Analysis for Common Security Controls of NIST SP 800-53 in South Korea Energy Industry and Safety Requirements of IEC 61511
Each part of IEC 61511 has several requirements that include the security controls of NIST SP 800-53. In this section, we will not compare and analyze the whole set of security controls of the international standards; instead we will compare and analyze the common security controls of NIST SP 800-53 that were successfully carried out by the South Korea energy group (thermal, gas, nuclear, combined cycle, electricity, and power exchange) with the safety requirements of IEC 61511. This is because the entire set of security controls of NIST SP 800-53 does not apply to the South Korea energy group.
In order to find the common security controls among the entire set of security controls of NIST SP 800-53, we constructed an evaluation frame containing the security controls of NIST SP 800-53. We asked the South Korea energy group, that is, the power exchange, electricity, gas, combined cycle, nuclear, and thermal groups, to fill out a questionnaire [10,11,14] (see Table 4).

The Scientific World Journal 7

Matching results, ISO 27001 versus NIST SP 800-53 (table content):
The total number of matching security controls for comparison target with safety requirements of IEC 61511: 21 / 32
The percentage of matching security controls for comparison target with safety requirements of IEC 61511: 15% / 16.49%

Excerpts of IEC 61511 safety requirements (table content):
(a) The safety requirements shall be derived from the allocation of safety instrumented functions and from those requirements identified during safety planning.
(b) The need for a factory acceptance testing should be specified during the design phase of a project.
(c) Installation and commissioning planning shall define all activities required for installation and commissioning. The planning shall provide the following: (i) the installation and commissioning activities; (ii) the procedures, measures, and techniques to be used for installation and commissioning; (iii) when these activities shall take place; (iv) the persons, departments, and organizations responsible for these activities. Installation and commissioning planning may be integrated in the overall project planning where appropriate.
(d) The validation of the safety instrumented system and its associated safety instrumented functions shall be carried out in accordance with the safety instrumented system validation planning. . . .
(e) Discrepancies between expected behaviour and actual behaviour of the SIS shall be analysed and, where necessary, modifications made such that the required safety is maintained. This shall include monitoring the following: (i) the actions taken following a demand on the system; (ii) the failures of equipment forming part of the SIS established during routine testing or actual demand; (iii) the cause of the demands; (iv) the cause of false trips.
(f) The procedures shall include a clear method of identifying and requesting the work to be done and the hazards which may be affected (modification and decommissioning). Modification shall be performed with qualified personnel who have been properly trained. All affected and appropriate personnel should be notified of the change and trained with regard to the change.

The Data Gathering to Find Out Common Security Controls of NIST SP 800-53 in South Korea Energy Industry.
In order to gather data, we drew up an evaluation sheet for the security controls based on the NIST Special Publication 800-53 that includes security guidance and recommends security controls for ICSs [15][16][17][18].
The evaluation sheet is shown in Figure 8. Answers for each item are classified as yes, no, partial, and N/A. Developers, operators of the energy management system, and process owners filled out the questionnaire.

The Result for Common Security Controls of NIST SP 800-53 in South Korea Energy Industry.
We compared and analyzed the current security control status of the South Korea energy group (thermal, gas, nuclear, combined cycle, electricity, and power exchange) and then collected the common security controls, that is, the controls that every South Korea group carried out successfully. The common security controls are as shown in Table 5.
requirements of IEC 61511 with common security controls of NIST SP 800-53 due to the nature of the standard. The standard generalizes its requirements, while the values of the common security controls of NIST SP 800-53 compare well enough with the safety requirements of IEC 61511 (see Table 6). It is difficult to match the common security controls of NIST SP 800-53 with the safety requirements of IEC 61511 perfectly; however, the safety requirements of IEC 61511 do match the common security controls. In other words, it is not hard to include safety as an ICS attribute.
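The evaluation-frame step described above, written out as an added example (not code from the paper): it derives the common security controls as the controls every group answered "yes" for, then reports how many of them match at least one IEC 61511 life-cycle phase and which phases remain uncovered. The questionnaire answers and the phase-to-control mapping are constructed samples, and treating "partial" and "N/A" as not carried out is an assumption.

```python
# Added example: common-control derivation and IEC 61511 matching ratio.
# SURVEY and IEC61511_MATCHES are CONSTRUCTED sample data, not the paper's results.
from typing import Dict, List, Set

GROUPS = ["thermal", "gas", "nuclear", "combined_cycle", "electricity", "power_exchange"]

# Constructed evaluation frame: NIST SP 800-53 control id -> {group: answer}.
# Answers are "yes", "no", "partial" or "N/A", as on the paper's evaluation sheet.
SURVEY: Dict[str, Dict[str, str]] = {
    "AC-2":   dict.fromkeys(GROUPS, "yes"),
    "MP-5.c": dict.fromkeys(GROUPS, "yes"),
    "PE-6.a": dict.fromkeys(GROUPS, "yes"),
    "PE-14":  dict.fromkeys(GROUPS, "yes"),
    "SC-7.a": dict.fromkeys(GROUPS, "yes"),
    "SC-5":   {**dict.fromkeys(GROUPS, "yes"), "gas": "partial"},      # not common
    "PE-10":  {**dict.fromkeys(GROUPS, "yes"), "power_exchange": "N/A"},  # not common
    "AU-2":   {**dict.fromkeys(GROUPS, "yes"), "thermal": "no"},       # not common
}

# Constructed mapping: IEC 61511 life-cycle phase -> controls judged to match it.
IEC61511_MATCHES: Dict[str, Set[str]] = {
    "design":          {"PE-14", "PE-18"},
    "installation":    {"PE-6.a", "PE-10"},
    "validation":      {"CM-3"},
    "operation":       {"AC-2", "SC-5", "SC-7.a"},
    "decommissioning": {"MP-6"},
}


def common_controls(survey: Dict[str, Dict[str, str]], groups: List[str]) -> List[str]:
    """Controls that every group carried out successfully.
    Assumption: only a "yes" counts; "partial" and "N/A" do not."""
    return sorted(cid for cid, answers in survey.items()
                  if all(answers.get(g) == "yes" for g in groups))


def match_percentage(controls: List[str], matches: Dict[str, Set[str]]) -> float:
    """Percentage of the given controls matching at least one IEC 61511 requirement
    (the paper's 15% / 16.49% figures are this ratio over whole standards)."""
    matched_any: Set[str] = set().union(*matches.values())
    hits = [c for c in controls if c in matched_any]
    return round(100 * len(hits) / len(controls), 2) if controls else 0.0


def unmatched_phases(controls: List[str], matches: Dict[str, Set[str]]) -> List[str]:
    """Life-cycle phases that none of the given controls cover: the safety gap
    the paper attributes to CIA-based ISMS frameworks."""
    return sorted(p for p, ids in matches.items() if not ids & set(controls))


if __name__ == "__main__":
    common = common_controls(SURVEY, GROUPS)
    print("common controls:", common)
    print("match %:", match_percentage(common, IEC61511_MATCHES))
    print("uncovered phases:", unmatched_phases(common, IEC61511_MATCHES))
```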

Results of Matching Analysis for Common Security Controls of NIST SP 800-53 in South Korea Energy Groups and

Common security controls of NIST SP 800-53 (table content; number, family, control, identifier, and description as given):
Access control, Account management, AC-2: The organization manages information system accounts, including identifying account types.
10. MP-5.c: The organization restricts the activities associated with transport of such media to authorized personnel.
Physical and environmental protection, Physical access authorizations, PE-2: The organization develops and keeps a current list of personnel with authorized access to the facility where the information system resides (except for those areas within the facility officially designated as publicly accessible).
12. Monitoring physical access, PE-6.a: The organization monitors physical access to the information system to identify and respond to physical security incidents.
14. Visitor control, PE-7: The organization controls physical access to the information system by authenticating visitors before authorizing access to the facility where the information system resides, other than areas designated as publicly accessible.
15. Emergency shutoff, PE-10: The organization provides the capability of shutting off power to the information system, or individual system components, in emergency situations.
16. Emergency lighting, PE-12: The organization employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility.
17. Fire protection, PE-13: The organization employs and maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source.
18. Temperature and humidity controls, PE-14: The organization maintains temperature and humidity levels within the facility where the information system resides at [Assignment: organization-defined acceptable levels].
19. Water damage protection, PE-15: The organization protects the information system from damage resulting from water leakage by providing master shutoff valves that are accessible, working properly, and known to key personnel.
20. Location of information system components, PE-18: The organization positions information system components within the facility to minimize potential damage from physical and environmental hazards and to minimize the opportunity for unauthorized access.
21. System and communications protection, Denial of service protection, SC-5: The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined list of types of denial of service attacks or reference to source for current list].
22. Boundary protection, SC-7.a: The information system monitors and controls communications at the external boundary of the system and at key internal boundaries within the system.
23. SC-7.b: The information system connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.

The point of this paper is that the safety emphasized in IEC 61511 can be reflected in the information security management system for an ICS.

Conclusions
This paper presented two methodologies to prove that a new information security management system based on confidentiality, integrity, availability, and safety is required on the industrial control system.
The first methodology was an analysis of matching security controls across international standards. From the first methodology, it was seen that the percentage of matching between the requirements of IEC 61511, the security controls of NIST SP 800-53, and the security controls of ISO 27001 is very low. These results mean that an ISMS based on ISO 27001 or NIST SP 800-53 is insufficient for real ICSs because the ISMS does not reflect the specific nature of ICSs (see Figure 9).
The second methodology involved analysis of matching of the common security controls of NIST SP 800-53 that were successfully carried out by the South Korea energy group (thermal, gas, nuclear, combined cycle, electricity, and power exchange) with the safety requirements of IEC 61511. These results showed that it is difficult to match common security controls of NIST SP 800-53 in South Korea with safety requirements of IEC 61511 perfectly. However, the safety requirements of IEC 61511 match reasonably well with common security controls. In other words, it is not hard for safety to be included in an industrial control system.
The ICS is different from a general information system and an ISMS based on confidentiality, integrity, and availability never achieves mutually exclusive security policy for an ICS.
Just as integrity is significant for finance and confidentiality is significant for manufacturing, safety is significant for ICSs [3,5,6]. This paper proves that safety is very significant for ICSs, and safety should be included in an ISMS based on confidentiality, integrity, and availability of information.
In brief, a new ISMS based on confidentiality, integrity, and availability as well as safety is required in ICSs. This new information security management system is mutually exclusive to the nature of industrial control system.
We expect that the performance of information security for ICSs will be improved through our work.