Investment Priority Analysis of ICS Information Security Resources in Smart Mobile IoT Network Environment Using the Analytic Hierarchy Process

+e industrial control system (ICS) inherits the attributes of the traditional information system, but because it has its own characteristics that availability of triad (CIA) of information security should be a top priority, it needs to be set differently from the traditional information security requirements. In response to the issue, TTAK.KO-12.0307 (Standard for Industrial Control System Information Security Requirements) proposed by the National Security Research Institute (NSRI) and established by the Telecommunications Technology Association (TTA) is being used. However, it is difficult to apply security requirements of TTAK.KO-12.0307 uniformly because of the reason that the characteristics of the ICS in each layer are different. +ere is also a limit to invest the security resources with equivalent priority for all requirements and ICS layers. It is still unresolved in the previous research studies which are related to information security resources, for example, Choi (2013), Ko et al. (2013), and Nah et al.’s (2016) studies.+erefore, this study tried to focus on what a top priority of information security requirements by the ICS in each layer is, using the analytic hierarchy process. As a result, we derived that the top priority requirement in the operation layer is “Identification Authentication Access Control,” in the control layer is “Event Response,” and in the field device layer is “Physical Interface Protection” with the highest importance. +e results of this study can be utilized as a guideline for the security strategy and policy design by determining security requirements that should be prioritized in each layer of the ICS.


Introduction
Our society has achieved rapid industrial development based on the use of the industrial control system (ICS) in the core infrastructure such as automated processes, power generation, energy supply, transportation, and smart cities and factories [1]. ICS with closed characteristics (air-gap) from the external network that is completely different from the traditional information systems were considered relatively safe from cyberattacks and did not consider security in system design and deployment. However, in recent years, the ICS has been actively adopting IT technologies [2]. Although the digital transformation of ICSs represents the foundation for resource-efficient and flexible industrial plants, this change increases the attack surface, leading to the emergence of new threats [3]. e convergence of the ICS and the latest IT technology creates more complex problems in the security environment, and the emergence of Internet of things (IoT) technology, in particular, makes the need related security functions (e.g., key management, intrusion detection, access control, privacy protection, and wireless sensor networks security) [4,5] more urgent [6]. IoT technologies such as beacons, for example, may have security vulnerabilities such as spoofing, DoS, and hijacking [7]. Substantial recent investment for the ICS has been directed towards the development of the ICS, that is, relies on the creation of a bridge between digital and physical environments through IoT technologies, as well the ICS itself [8]. In other words, many IoT devices are installed in the field device layer area of the ICS system and are operated based on communication with the control layer. In response, the ICS includes a smart IoT mobile environment that supports IoT-based mobility, so secure computing should be guaranteed. If the ICS is exposed to cyber threats, serious disasters can occur throughout society. In 2010, 1,000 centrifuges were destroyed in an attack on Iran's nuclear facilities using Stuxnet, known as the first malicious code for the ICS, in which the programmable logic controller (PLC), a controller that controls field devices at nuclear facilities, was infected [9]. A lot of research studies on information security of the ICS have been invested, and a lot of efforts have been made to apply relevant security measures since the Stuxnet incident case.
It is necessary to develop and apply exclusive security requirements because the security requirements for the traditional information system are not applicable to the ICS. e biggest differences between the ICS and the information system are the purpose of cyberattacks and the priority of information security triad (CIA). In IT systems, the security is generally defined in terms of three key principles: confidentiality, integrity, and availability (also known as the CIA triad). Confidentiality focuses on ensuring assets are not disclosed to those entities who are not authorized to view it; integrity relates to protecting assets from unauthorized modifications; and availability is defined in terms of making the assets accessible to authorized entities at all permitted times [8]. Availability is known as a top priority and is also the main target of cyberattacks, as the collapse of the ICS could cause great damage. Availability is known as a top priority and is also the main target of cyberattacks, as the collapse of the ICS could cause great damage. In response to the issue, the National Security Research Institute (NSR) proposed Security Requirements for Industrial Control System by defining the features of the ICS, and it was established as a standard (TTAK.KO-12.0307) [10] by the Telecommunications Technology Association (TTA).
However, it is difficult to apply uniformly security requirements of TTAK.KO-12.0307 because the features of the ICS in each layer are different, and security resources are always not enough. In addition, it is still unresolved in the previous research studies which are related to information security resources, for example, Choi [11], Ko et al. [12], and Nah et al. [13]. Choi proposed an appropriate security assessment methodology and a checklist for the ICS, but the checklist does not provide a priority based on the characteristics of the devices; so, it is difficult to determine which areas focus more in terms of security resources. Ko et al. proposed an assessment method for measuring the security threat on smart grid based on the priority, but a limit of their study was the mean time-tocompromise (MTTC) model; they used to determine simply the number of security vulnerabilities that exist on the attack path when calculating an important weight. HoonNah and JungChan suggested the need to establish an ICS security standard same as TTAK.KO-12.0307, but there is no specific discussion of what level of security each component or layer should respond to. So, it is necessary to prioritize and apply security requirements with the standard TTAK. . In particular, the ICS is a huge system divided into layers which are operated by exchanging data with each other. erefore, security requirements priorities should be derived and applied for each layer suitably. For this, the security requirements of TTAK. 0307 are used to analyze the priority of security requirements for each layer in this paper. Based on this, it is intended to help determine where the portion of information security resources investment should be prioritized. e results of this study provide a guideline to avoid uniform security requirements for all layers. Prioritization can be derived through the assessment of security requirements for each layer using the analytic hierarchy process method, thereby contributing to effective investment in information security resources. e results of this study are also expected to be an important contribution to IoT security and privacy protection as well as to the ICS. To discuss this, ICS security and prior research are discussed in Section 2, and the design of the research model to be used for priority analysis using AHP is discussed in Section 3, and empirical analysis conducted based on this is discussed in Section 4. e implications of the analysis results are discussed in Section 5 and finally concluded in Section 6.

Information Security of ICS.
e ICS basically inherits many attributes of the traditional IT system. However, in order to derive an information security investment priority, we need to look at a variety of different aspects from the traditional IT system [6]. First, in hardware and software aspects, the IT system operates on a short-term replacement cycle, but the ICS has at least 15 years of long-term replacement cycles generally. e IT system also uses universal operating systems (general-purpose) such as Windows and Linux, but the ICS uses exclusive operating systems. In addition, maintenance and repair, such as system patches, on the ICS are more difficult than traditional IT systems. At last, in network performance aspect, the IT system focuses on overall performance, such as the reliability of responses is important and tolerability exists for some communication delays, but the ICS focuses on real-time responsiveness and is inflexible for communication delays. For risk management objectives, the ICS does not allow the control device to be shut down, and system availability is very important, but the integrity of the data is more important, and some failures can be allowed in the IT system. As a result, the ITsystem can end up with relatively minor economic damage, such as inconvenience or delay, due to cyberattacks or incidents caused by its own defects. However, the ICS could immediately halt operations at industrial sites, leading to human casualties and massive disasters, which could result in huge social and economic damages. is means that among the CIA triad of information security, the traditional IT system should prioritize "Confidentiality" and "Integrity," while the ICS should prioritize "Availability." ese characteristics set the cyberattacker's goals differently. While cyberattacks on the traditional IT system were primarily aimed at leaking classified information, attacks targeting on the ICS are mainly focused on operational paralysis. is is because stopping the ICS will cause great damage. In the 2010 Stuxnet case, the attack was carried out by infecting Siemens PLC to paralyze operations by manipulating the number of rotations of connected centrifuges, and the main objective in subsequent series of major cyberattacks against the ICS was to disrupt normal operations.

Literature Review.
e past ICS was recognized as safe by configuring an independent network, but the vulnerability was revealed in a bypass attack by the malicious code. In order to respond, HoonNah and JungChan insisted that comprehensive and systematic security measures are needed to defend themselves in depth from cyberattacks and specifically suggested the need to establish standards for security of the ICS. Particularly important is that they took the same argument as this paper, judging that it is unrealistic to take measures at an equal security level for all vulnerabilities [13]. However, there is a limit to driving their arguments because there is no specific discussion of what level of security each component or layer should respond to.
Since the ICS operates in various environments, including major national infrastructure and social overhead capital facilities, the security assessment and security resource investment are of great importance. erefore, the security assessment of the ICS should be carried out using an objective and feasible inspection process. Choi [11] proposed an appropriate security assessment methodology and checklist for the ICS, taking into account the characteristics of the ICS environment, devices, and operation methods. However, its usefulness could not be verified because there were no examples to verify the proposed methodology, and moreover, the proposed methodology does not provide a checklist that should be prioritized based on the characteristics of the devices; so, it is difficult to determine which areas to focus more on security resources. Ko et al. proposed an assessment method for measuring the security threat on smart grid [12]. In particular, the ICS network has a hierarchical structure, and security sensitivity of the produced data by each layer is different; so, they suggested that it is necessary to make a level as layers with similar data sensitivity into one area. And they used these levels (consumer level, advanced metering infrastructure head end level, and control center level) to prioritize what needs to be protected in that network. ey explained that if protection is relatively unnecessary or if it is difficult for an attacker to access for attack, they can increase efficiency by excluding it from the vulnerability target. eir research can be seen as a previous study of the need investment priorities of information security resource for the ICS to be discussed in this paper. ey used a quantified network model to assess security threats applied to advanced metering infrastructure and validated the security threat assessment for the proposed model using mean-time-to-compromise (MTTC) proposed by Leversage and Byres [14] for the resulting attack scenario. However, there is a limitation that the evaluation method using MTTC does not evaluate the overall security threat to the ICS. is is because MTTC simply determines that the number of security vulnerabilities that exist on the attack path is an important weight.
As such, many methodologies for security assessment are important to effectively respond to security threats for the ICS. Although many studies have been conducted, it is difficult to find a discussion that the security assessment uses the information security standard for the ICS. is is because there has been no definition of specific information security requirements to the ICS. It is also understood that although there are already established ICS information security requirements, there is a lack of discussion on the methodology for applying them to each ICS. erefore, in this paper, we want to provide guidelines for efficient investment of security resources by analyzing the priorities of each layer when using TTAK.KO-12.0307.

Analytic Hierarchy Process Methodology.
In this study, the analytical hierarchy process (AHP) method was used to analyze the investment priority of information security resources in the ICS. e AHP was developed by Tomas in the 1970s as part of the decision-making method through the multiple assessment criteria for multiple alternatives [15]. In general, decision-making problems should be solved by choosing the optimal alternative under multiple criteria, and many existing decision-making problems have been solved using statistical models under controlled assumptions [16]. In addition, decision-making problems often include qualitative criteria, which led to the need to quantify criteria with subjective values [16]. In other words, many other real-world problems involve the need to combine quantitative measures with qualitative concerns [17]. is has the problem of prioritizing ICS information security requirements, depending on the responder with different levels of awareness and expertise of information security. In particular, since a big part of information security relates to qualitative and nonfinancial concerns, traditional economic approaches are severely constrained [17]. Saaty developed the AHP to analyze multicriteria decision problems involving both quantitative and qualitative criteria [17][18][19]. AHP methodology uses the concept of hierarchy to lay out the different elements (purpose, alternatives, and factors) needed to make decisions, thereby providing a more detailed and logical view of the relationship between the different elements [20]. e AHP methodology for performing pairwise comparisons between elements of each layer has been widely used in multidecision-making problems, with two typical advantages: first, weighting between assessment elements can be determined through systematic quantitative procedures. In addition, the choice of optimal alternatives has the advantage of being easier to understand than conventional statistical decisions and being able to use the subjective and objective information of experts comprehensively. Second, it provides indicators to determine the consistency of decision makers (experts). And the analysis procedures are consistent with reasonable decision-making procedures [21].

Analysis Model
Design. In order to analyze the relative investments priorities of information security resource in the ICS, this study has established assessment criteria based on the Mobile Information Systems classification divided in ICS information security requirements (TTAK.KO-12.0307) of TTA. However, the method of prioritizing information security investment for the entire ICS has a wide range of coverage, and there is ambiguity in the selection of priorities. erefore, it is desirable to perform an analysis of the investment priorities of information security resources by classifying the ICS into each layer.
ere are several definitions for layers in the ICS. Irfan Ahmed et al. suggested that information security of ICS/ supervisory control and data acquisition (SCADA) should be classified into six layers, based on connectivity between components in the system and connectivity between other networks, such as the system network and the Internet [22]. However, it is difficult to use it as an analysis model because it does not include field devices such as sensors and actuators, and wired and wireless devices are not considered.
On the other hand, TTAK.KO-12.0307 presents the "Security Reference Model" to define the information security requirements of the ICS and is divided into 3 layers which consisted of the "Operation Layer," "Control Layer," and "Field Device Layer" (Figure 1). e "Operation Layer" uses the data received from the control layer to monitor the status of the field devices or send control commands, including engineering workstation (EWS) and human-machine interface (HMI) [10].
e "Control Layer" is responsible for transferring the measured and collected data from the field devices to the operation layer. And the layer is also responsible for controlling the field devices with command from the operation layer, including the PLC, distributed control system (DCS), and remote terminal unit (RTU) [10]. e "Field Device Layer" includes a field device used to measure, collect, and control status data, such as sensors and actuators, and the field device is connected to the control layer by wired and wireless networks or by serial cables [10]. e priority assessment criteria of this paper are based on the classification of TTAK.KO-12.0307.
However, some of information security requirements of TTAK.KO-12.0307 were merged because there were many assessment criteria to be used as the AHP method. en "Identification Certification" and "Access Control" were merged among security functions on hierarchy I, and "Transmission Data Protection" and "Stored Data Protection" were merged in the same way. Finally, the analysis model to be used for priority assessment is shown in Figure 2.
TTAK.KO-12.0307 set different assessment criteria for the operation layer and control/field device layer. So, there were also two models for investment priority of information security resource analysis. Figure 2 was used in the operation layer, and Figure 3 was used in the control layer and field device layer. Table 1 shows the assessment criteria and its descriptions in TTAK.KO-12.0307.

Analysis Method and Tool.
e analysis of this study uses the AHP, a hierarchical decision analysis method, but also provides a description of each assessment criteria to help the survey respondents understand. In the AHP analysis method, it is very important to ensure objectivity and expertise in response.
e AHP survey was conducted by selecting researchers, practical experts, and a professor related to the ICS, cyber physics system (CPS), and SCADA system. ey are affiliated in National Security Research Institute, Electronics and Telecommunications Research Institute (these 2 are governmentbased research institutes), Incheon International Airport, Naonwork, OnSecurity, Coontec (these 4 are corporations related on ICS information security), and Ajou University.
e assessment criteria were based on TTAK.KO-12.0307 as described above, but there is only one assessment criterion in the network robustness section of the "Operation Layer;" so, the pairwise comparison was not conducted (Figure 2). In addition, as discussed above, "Identification·Authentication" and "Access Control," which are classified as the security functions section, were set by merging into "Identi-fication·Authentication·Access Control" due to similarity in content. In the same way, "Transmission Data Protection" and "Stored Data Protection" were also set by merging into "Data Protection." Finally, the survey was conducted by setting up 3 assessment criteria in hierarchy I and 10 assessment criteria in hierarchy II (but 8 assessment criteria for the "Operating Layer") ( Table 1).

Verification Consistency of Survey Responses.
e AHP survey of this study was conducted for a month from December 2019 to January 2020 and was conducted on industry, academia, and research experts related to information security of the ICS. ere are a few of discussions regarding the appropriate sample size in order to carry out the AHP analysis. Melillo and Pecchia insisted that smaller sample size is required in case of equally important alternative [23]. e reliability of AHP results is more relevant to the respondents' expertise rather than the number of response samples. In this study, the experts responded to the survey in the field of information security of the ICS with at least more than five years of related experience. A total of 19 experts were surveyed, and 19 responses were collected. AHP analysis of response data used the DRESS tool.
e AHP analysis method determines consistency index (CI) of the response to ensure reliability of the analysis results. Due to the characteristic of the pairwise comparison, the lower the CI, the more consistent it is, which is related to the respondents' expertise. Generally, responses with a CI value of 10% or less are considered consistent. In this study, 4 surveys with a CI value of 0.1 or higher were excluded from the results analysis, so only 15 responses were used for the analysis.

AHP Analysis Result
In this study, the results of AHP analysis were divided into the "Operation Layer," "Control Layer," and "Field Device Layer" for the investment priority of information security resources in the ICS.

Operation Layer.
e AHP results for the analysis of investment priority of information security resource by the "Operation Layer" of the ICS are as follows.
An analysis result of the priority on hierarchy I showed that "Security Functions" was the highest priority with an importance 0.371, "Service Continuity" was the second priority with an importance 0.358, and "Network Robustness" was the third priority with an importance 0.271 (Table 2).
In "Security Functions" section, which was ranked the highest priority in hierarchy I, "Identification·Authentication· Access Control" was the highest priority with an importance 0.291, "Security Function Management" was the second priority

Mobile Information Systems
with an importance 0.195, and "Data Protection" was the third priority with an importance 0.194, followed by "State Management" and "Security Audit" in order (Table 3). In "Service Continuity" section, which was ranked the second priority in hierarchy I, "Event Response" was the highest priority with an importance 0.534 and "Resource Availability" was the second priority with an importance 0.466. In "Network Robustness" section, which was ranked the third priority in hierarchy I, there is only one assessment criterion, which is the "Fuzzing Test" in the sector, so the pairwise comparison survey was not   (1) In case of the order of the field in packets is changed, (2) in case of a part of the field in packets is cut, (3) in case of the field size in packets is different, (4) in case of the fixed value of the field in packets is different, and (5) in case of the value of the field in packets is not within the valid range [10]. As a result of the priority pairwise comparison of all criteria in the "Operation Layer" of the ICS, "Identi-fication·Authentication·Access Control" was the highest priority with an importance 0.171, "Event Response" was the second priority with an importance 0.168, and "Resource Availability" was the third priority with an importance 0.122, followed by "Security Function Management," "State Management," "Data Protection," "Fuzzing Test," and "Security Audit" in order (Table 4).

Control Layer.
e AHP results for the analysis of investment priority of information security resource by the "Control Layer" of the ICS are as follows.
An analysis result of the priority on hierarchy I showed that "Service Continuity" was the highest priority with an importance 0.439, "Network Robustness" was the second priority with an importance 0.281, and "Security Functions" was the third priority with an importance 0.280 (Table 2).
In "Service Continuity" section, which was ranked the highest priority in hierarchy I, "Physical Interface Protection" was the highest priority with an importance 0.362, "Resource Availability" was the second priority with an importance 0.336, and "Event Response" was the third priority with an importance 0.302 (Table 5). In "Network Robustness" section, which was ranked the second priority in hierarchy I, the "Fuzzing Test" was the highest priority with an importance 0.510, and the "Stress Test" was the second priority with an importance 0.490. In "Security Functions" section, which was ranked the third priority in hierarchy I, "Identification·Authentication·Access Control" was the highest priority with an importance 0.256, "State Management" was the second priority with an importance 0.215, and "Security Function Management" was the third priority with an importance 0.203, followed by "Data Protection" and "Security Audit" in order.
As a result of the priority pairwise comparison of all criteria in the "Control Layer" of the ICS, "Event Response" was the highest priority with an importance 0.128, "Resource Availability" was the second priority with an importance 0.122, and "Identification·Authentication·Access Control" was the third priority with an importance 0.119, followed by the "State Management," "Physical Interface Protection," "Security Function Management," "Data Protection," "Stress Test," "Security Audit," and "Fuzzing Test" in order (Table 6).

Field Device Layer.
e AHP results for the analysis of investment priority of information security resource by the "Field Device Layer" of the ICS are as follows.
An analysis result of the priority on hierarchy I showed that "Service Continuity" was the highest priority with an importance of 0.463, "Security Functions" was the second priority with an importance 0.279, and "Network Robustness" was the third priority with an importance 0.258 (Table 2).
In "Service Continuity" section, which was ranked the highest priority in hierarchy I, "Physical Interface Protection" was the highest priority with an importance 0.375, "Event Response" was the second priority with an importance 0.333, and "Resource Availability" was the third priority with an importance 0.292 (Table 7). In "Security Functions" section, which was ranked the second priority in hierarchy I, "State Management" was the highest priority  Mobile Information Systems 7 with an importance 0.256, and the "Identi-fication·Authentication·Access Control" was the second priority with an importance 0.490, followed by "Security Function Management" and "Security Audit" in order. In "Network Robustness" section, which was ranked the third priority in hierarchy I, "Network Robustness" was the     Mobile Information Systems highest priority with an importance 0.527, and the "Fuzzing Test" was the second priority with an importance 0.473. As a result of the priority pairwise comparison of all criteria in the "Field Device Layer" of the ICS, "Physical Interface Protection" was the highest priority with an importance 0.159, "Identification·Authentication·Access Control" was the second priority with an importance 0.118, and "Resource Availability" was the third priority with an importance 0.110, followed by the "Data Protection," "Data Protection," "State Management," "Security Function Management," "Stress Test," "Fuzzing Test," and "Security Audit" in order (Table 8).

Implications.
It is difficult to deploy effective resources in applying the uniform security requirements because the ICS has a wide range of areas and, above all, different characteristics of each layer. In this study, it was intended to avoid applying the uniform security requirements for ICS and to contribute to the effective investment in information security resources by deriving the priority of security requirements for each layer on the ICS.
As a result of analyzing the priority of assessment criteria for each layer using AHP, "Identification Authentication Access Control" was the most important security requirement that should be prioritized on the "Operation Layer." is emphasizes that these criteria are the most important to prepare for information security from the risks of social engineering attacks or exposure due to user carelessness, mainly because the operation layer has a lot of user access. "Event Response" was the most important security requirement that should be prioritized on the "Control Layer." is emphasizes the need for various events in the control layer to be properly handled in order for the service to continue to operate. Because "Event Response" is an item that requires realtime identification of the status of devices, systems, and networks and is responsive in the event of various failures. "Physical Interface Protection" was the most important security requirement that should be prioritized on the "Field Device Layer." e "Field Device Layer" has a variety of devices, including sensors and actuators, and is an important layer of control over end-point devices using industrial ethernet or wireless IoT networks, requiring a high-level protection from the physical interface accessible to this layer (Table 9).
On the contrary, it is also necessary to point out the commonly lowest assessment criteria for investment priority of information security resources for the ICS. "Security Audit" was analyzed with the lowest importance in the "Operation Layer" and "Field Device Layer." In terms of investment of information security resources, "Security Audit" performs audits by creating audit log for major events and encrypting the log data, mainly as part of longterm security functions rather than real-time response or service continuity, so "Security Audit" can be analyzed as  In summary, we have successfully derived security investment priorities using AHP techniques and TTAK.KO-12.0307 standards for ICS information security priorities that have not been addressed in our previous research. e biggest advantage of this result is that it can be used as a guideline when establishing ICS security policies. In addition, the results of this study contribute significantly to the effective distribution of information security resources that were not addressed in previous studies (Table 10).

Conclusion and Further Research
e ICS inherits the attributes of the traditional information system, but because it has its own characteristics such as availability and continuity, it needs to be set differently from the information security requirements of the traditional information system. For appropriate information security requirements and assessment on the ICS, TTAK.KO-12.0307 proposed by the NSR and established by the TTA is being used.
In this study, the priorities of assessment criteria by hierarchy were analyzed to enhance the efficiency of investment in information security resources on the ICS. ere are many difficulties in operating an industrial control system to establish security policies for all the requirements set forth in the standards. erefore, the results of this study can be used to design security strategies and policies by selecting the security elements that should be relatively prioritized for each layer in the operation of the industrial control system. It can also be used as a guideline for determining the investment priority of security resources to the ICS that are currently in operation or are being redesigned. However, in the course of carrying out this study, experts who responded to the survey commented on whether TTAK.KO-12.0307 standard, which was used as assessment criteria, was suitable for the security requirements, so it will remain a future research.

Data Availability
e data used to support the findings of the study are available at Security Requirements for Industrial Control System (TTAK.KO-12.0307) and Telecommunication Technology Association http://www.tta.or.kr/data/ weeklyNoticeView.jsp?pk_num�5621.

Conflicts of Interest
e authors declare that they have no conflicts of interest.  [12] Ko et al. [13] Hoon Nah and Na [11] TTAK. KO