The Cyber Security of Online Automated Environmental Measurements

Kai Rasmus

Master’s thesis November 2020 Technology Master’s Degree Programme in Cyber Security

Description

Author(s): Rasmus, Kai
Type of publication: Master’s thesis
Date: November 2020
Language of publication: English
Number of pages: 80
Permission for web publication: Yes
Title of publication: The Cyber Security of Online Automated Environmental Measurements

Degree programme: Master’s Degree Programme in Information Technology, Cyber Security
Supervisor(s): Tero Kokkonen, Jari Hautamäki

Assigned by

Abstract Online automatic measurements are a way of doing cost-effective environmental monitoring. The systems consist of a network of remote measurement stations connected to a central dissemination service via some form of backbone connection over which the user has no control. It is important to secure such systems because the measurement results may be connected to large business interests. The 12 most important primary and secondary assets related to these systems were identified from the viewpoint of the user. The most important asset was the measurement data itself, and data integrity was identified as a separate asset. A list of 32 security controls was compiled to secure these assets after the interconnections between the assets were identified. Protocols were introduced to increase situational awareness and to help against social engineering. The risks related to connecting measurement stations to a central service were quantitatively analyzed using a Monte Carlo model. It was found that the probability of breaching the central service was independent of the number of nodes connected to the service, but depended on the network layout and on how many stations were directly connected to the central service. Cyber security awareness was increased by developing the superhero model for cyber security. In this method cyber security events were taken from popular culture and analyzed in a descriptive way using thematic content analysis. Even though this is subjective and speculative, it could help in raising cyber security awareness, which is not at a high enough level even amongst professionals.

Keywords/tags (subjects) Environmental monitoring, online service, quantitative risk assessment, awareness

Miscellaneous (Confidential information)


Description

Author(s): Rasmus, Kai
Type of publication: Master’s thesis
Date: November 2020
Language of publication: English
Number of pages: 80
Permission for web publication granted: Yes
Title of publication: Automaattisten ympäristönmittausasemien kyberturvallisuus (The Cyber Security of Automatic Environmental Measurement Stations)

Degree programme: Master’s Degree Programme in Information Technology, Cyber Security
Supervisor(s): Tero Kokkonen, Jari Hautamäki
Assigned by:

Abstract Automatic environmental measurement stations make it possible to carry out environmental monitoring cost-effectively. The systems consist of remote measurement stations that are connected to a central service through some kind of communication link. End users have no influence over that link. Protecting environmental measurement systems is important because the measurement results can be significant, for example, in business as well as in scientific research. The thesis listed the twelve assets or properties related to these stations that are most important from the user’s point of view. The most important of these is the measurement results, and especially their integrity. The connections between the important assets and properties related to the stations were defined and then protected with a total of 32 security controls. The thesis developed good operating models for building a good situational picture and for protecting against social engineering. Connecting measurement stations to a central service introduces a risk, and its magnitude was calculated using quantitative Monte Carlo modelling. The risk, i.e. the probability of breaching the central service, was found to depend on the shape of the measurement station network and on how many measurement stations were directly connected to the central service. As in many other fields, there are shortcomings in the information security awareness of personnel in the environmental measurement field. The thesis used the analysis of information security events in popular culture to increase awareness. Events were taken from a television series. Based on the analysis, a superhero model was created to increase information security awareness. The model can be used to make information security interesting and to increase awareness of it more easily than before. Keywords (subjects)

Environmental measurement station, quantitative modelling, information security awareness


Contents

List of Abbreviations ...... 9

1 Introduction ...... 11

1.1 Online Automatic Environmental Measurements ...... 11

1.2 Comparison to Traditional Measurements ...... 12

1.3 Importance of Online Automatic Measurement Security ...... 13

1.4 The CIA triad ...... 14

1.5 Cyber Security Awareness ...... 14

1.6 Formal Methodology ...... 15

1.7 Layout of this thesis ...... 15

2 Research ...... 15

2.1 The Main Research Question ...... 15

2.2 Methodology ...... 16

2.2.1 Multimethod Research ...... 16

2.2.2 Constructive Methodology ...... 16

2.2.3 Quantitative Methodology ...... 17

2.2.4 Thematic Content Analysis ...... 18

2.3 Research Objectives ...... 18

2.4 Research Design ...... 18

2.5 Ethical Principles and Data Protection ...... 19

3 Theory ...... 20

3.1 Definition of information security ...... 20

3.2 Definitions of Information Security Terms ...... 21

3.2.1 Asset ...... 21

3.2.2 Confidentiality ...... 21

3.2.3 Integrity ...... 22


3.2.4 Availability ...... 22

3.2.5 Authentication ...... 23

3.2.6 Non-repudiation ...... 23

3.2.7 Security Event and Security Incident ...... 24

3.2.8 Physical controls ...... 24

3.2.9 Information Security Management system (ISMS) ...... 24

3.2.10 Cyber Security Awareness ...... 25

3.2.11 Situational Awareness ...... 26

3.3 From Information Security to Cyber security ...... 27

3.4 Cyber Security Frameworks ...... 27

3.5 Intrusion Detection System ...... 29

3.5.1 Anomaly-Based IDS ...... 29

3.5.2 Misuse-Based IDS ...... 29

3.6 Relevant Standards ...... 30

3.6.1 The ISO/IEC 27000 Set of Standards ...... 30

3.6.2 Other Relevant Standards ...... 30

3.7 Risk as an Abstract Entity ...... 31

3.8 Network Attacks ...... 33

3.8.1 Detection ...... 33

3.8.2 Taxonomy ...... 33

3.8.3 Mitigation Controls for Attacks ...... 34

3.8.4 Targeting ...... 35

3.8.5 AI Based Attacks in the Future ...... 35

3.9 Monte Carlo modelling ...... 36

4 Description of Research Domain ...... 36

4.1 Introduction to Online Automatic Measurement Stations ...... 36


4.2 Overview of measurement setups ...... 39

4.3 Monte-Carlo Modelling the Risks ...... 42

4.4 Situational Awareness ...... 43

5 Results ...... 44

5.1 Main Results ...... 44

5.2 Identified Main Assets ...... 45

5.3 Threats Related to Online Measurements ...... 47

5.4 Model Results ...... 49

5.5 Backbone Connection Security ...... 52

5.6 Security Controls ...... 53

5.7 IDS Sensor Placement ...... 55

5.8 Authenticating the data connection ...... 56

5.9 Remote Access ...... 57

5.10 Statistical controls ...... 58

5.11 Situational Awareness ...... 61

5.12 Social Engineering ...... 62

5.13 Simple Threat Model of an Online Measurement System ...... 62

6 Discussion ...... 64

6.1 Risk Modelling ...... 64

6.2 Reliability ...... 65

6.3 Need for an Industry Standard for Automatic Measurements ...... 66

6.4 Question of Open Ports on Consumer Machines ...... 66

6.5 Increasing Cyber Security Awareness Using the Superhero Method ...... 67


7 Conclusions ...... 69

Acknowledgements ...... 70

References ...... 71

Appendix 1 Generic server script ...... 78

Appendix 2 The Superhero Method to Increase Cyber Security Awareness ...... 81

A2.1 Introduction ...... 81

A2.2 Important assets ...... 81

A2.2.1 Batman ...... 82

A2.2.2 Robin ...... 83

A2.2.3 The ...... 83

A2.2.4 The Batphone ...... 84

A2.2.5 The ...... 84

A2.2.6 The Atomic Energy Generator...... 85

A2.2.7 The Anti-Crime computer ...... 86

A2.2.8 The mobile version of the Anti-Crime computer ...... 86

A2.3 Identified security events ...... 87

A2.3.1 Spoofing attacks ...... 87

A2.3.2 Mistaken identity ...... 88

A2.3.3 Denial of Service Attack ...... 89

A2.4 Vulnerabilities ...... 89

A2.5 Threats ...... 90

A2.6 Risks ...... 91

A2.7 The Information Security Management System for the Batcave ...... 92

A2.7.1 The ISMS ...... 92

A2.7.2 Strategic level ...... 93

A2.7.3 Tactical level ...... 94


A2.7.4 Operational level ...... 95

A2.7.5 Business continuation plan ...... 95

A2.8 Implementation of the CSMS ...... 96

A2.8.1 Real-World Batcave ...... 96

A2.8.2 Controls ...... 98


Figures

Figure 1 Constructive methodology creates new knowledge on top of existing knowledge using a combination of theory and practical applications. The new knowledge contributes to the pool of theory and realm of practical applications so the flow of information along the arrows goes in both directions. ...... 16

Figure 2 Information security according to the core of the NIST framework. The A loop is the normal route and the B route is needed if an anomaly is detected. ...... 28

Figure 3 Measurement web with many measurement nodes connected to a central service. A breached measurement node is shown in red. ...... 37

Figure 4 Measurement network in which the nodes are interconnected. The nodes are numbered. The risk related to node i also depends on the risks related to the nodes i+1. ...... 38

Figure 5 A more complicated measurement network with 20 nodes. ...... 38

Figure 6 Measurement station using a GPRS call uplink to a receiving server with an in-house data dissemination service. In this example the data dissemination service utilizes a LAMP (Linux, Apache, MySQL, and PHP) setup, which is not an unreasonable assumption to make of a real world setup. ...... 39

Figure 7 Measurement station using a direct GSM data call to a receiving modem with an in-house data dissemination service. ...... 40

Figure 8 Measurement service connected directly to an internet-based cloud service using the mobile network. ...... 41

Figure 9 Route from a starting node (node 5) to the central service via a node (node 6). P1 is the probability that a node is breached and P0 is the probability that the central service is breached. ...... 43

Figure 10 Interconnection of primary and secondary assets according to the notation of Pasquale et al. (2012) when the primary asset is the measurement data. ...... 46

Figure 11 Ptot as a function of P1 with directly connected nodes (scenario S1)...... 49

Figure 12 Ptot in the network of independent nodes scenario (scenario S2)...... 50

Figure 13 Ptot in the network of dependent nodes scenario but an independent central service (scenario S3) in two different cases with a total number of nodes equal to 10 and 20...... 51


Figure 14 Ptot in the network of dependent nodes scenario and dependent central service (scenario S4) in three different cases with a total number of nodes equal to 10 and 20, and two values of P0 for the n=20 case. ...... 52

Figure 15 Sensor placement with regard to the breached node 5 and unbreached node 6, and assuming an attack direction going towards the central service. ...... 55

Figure 16 Calculated hashes from a measurement station with two sensors, a GPS position and intrusion detection. In scenario 1 the intrusion detection has been tripped, in scenario 2 the latitude has changed and in scenario 3 one of the sensors has changed. ...... 57

Figure 17 Temperature (upper figure) and its standard deviation (lower figure) in the normal situation. ...... 59

Figure 18 Temperature and its standard deviation in a situation when constant values have been inserted. The inserted values are inside the red rectangle. ...... 59

Figure 19 Temperature and its standard deviation in a situation in which previous values have been inserted as timeseries. The inserted values are shown within the red rectangle. ...... 60

Figure 20 Slope of consecutive timeseries. ...... 60

Figure 21 Measurement locations used in the monitoring of a discharge plume showing how the discharge is not picked up if the sensors are moved from measurement site 1 to measurement site 2. The current is flowing from left to right so measurement site 2 is still within the same water mass as measurement site 1. ...... 63

Tables

Table 1 Description of model scenarios. ...... 43

Table 2 Differences between the OODA-loop and the PDCA-loop ...... 44

Table 3 List of the 12 most important identified assets, together with classifications, for the online automatic environment measurement system from the point of view of the data owner, user or regulator. This is called the customer domain. ...... 45

Table 4 List of assets with classifications for the online automatic environment measurement system from the point of view of an attacker. ...... 47

Table 5 The controls related to the asset diagram showing asset interconnections. ...... 54

Table 6 Controls used to secure against the threats in this simple threat scenario. ...... 63


List of Abbreviations

ACL Access Control List
AI Artificial Intelligence
AME Authentic Message Exchange
ANSI American National Standards Institute
CIA Confidentiality, Integrity and Availability
CSMS Cyber Security Management System
CTD Conductivity Temperature Depth
DoS Denial of Service attack
DDoS Distributed Denial of Service attack
f-AME Fast Authentic Message Exchange
FMI Finnish Meteorological Institute
FTP File Transfer Protocol
GDPR General Data Protection Regulation
GPS Global Positioning System
GPRS General Packet Radio Service
GSM Groupe Spécial Mobile or Global System for Mobile Communications
HTTP Hypertext Transfer Protocol
HTTPS Hypertext Transfer Protocol Secure
ICT Information and Communications Technology
IDS Intrusion Detection System
IEC International Electrotechnical Commission
IOT Internet of Things
IP Internet Protocol
IPR Immaterial Property Rights
ISA International Society of Automation
ISMS Information Security Management System
ISO International Organization for Standardization
IT Information Technology
JAMK Jyväskylä University of Applied Sciences


KHO Finnish Supreme Administrative Court
LAMP Linux, Apache, MySQL, PHP setup
NIST National Institute of Standards and Technology
OODA Observation Orientation Decision Action
PHP PHP: Hypertext Preprocessor
PII Personally Identifiable Information
Rman Managed risk
Rtot Total risk
SMS Short Message Service
SOC Security Operations Center
SSH Secure Shell
SSL Secure Sockets Layer
SYKE Finnish Environment Institute
TCA Thematic Content Analysis
UPS Uninterruptible Power Source
URL Uniform Resource Locator
VPN Virtual Private Network
WFS Web Feature Service
WMS Web Map Service


1 Introduction

1.1 Online Automatic Environmental Measurements

Environmental monitoring produces long time series of measurements and is used to ensure that regulations are followed and permit limits are not exceeded. The information can be used in environmental impact assessment to gain knowledge of the natural state of a system before changes are made. In addition to these, knowledge of the environment is necessary for basic research needs. Long term time series have an intrinsic value, and time series gathered now can be invaluable in future research. For example, research into climate change effects requires long time series of observations to distinguish long term trends from annual variations.

In Finland, long term environmental monitoring is performed by several governmental and private entities. The Finnish Environment Institute (SYKE) and the Finnish Meteorological Institute (FMI) both have programs in place that have already spanned many decades (Niemi, 2009).

Monitoring can be made by observers making observations or by using moored or autonomously moving automatic measurement devices. Research has shown that using automatic measurement devices is cost effective (Lovett et al., 2007). However, Lepistö et al. (2018) point out that automatic measurement networks in Finland are not intended to replace traditional environment sampling.

By connecting the automatic measurement system to the internet it is possible to have an online service that provides information for the real-time monitoring of the environment. This kind of online system is made possible by modern information technology (IT) that provides the connections between measurement devices and central servers, the storage locations for the data and the services that are able to disseminate the data to end users over the internet.

The dissemination of observations is made in real time or near real time over a web page or a machine-readable interface, which can be a web feature service (WFS), web map service (WMS) or similar. The FMI open data service is an example of such a service. It takes the observations from a network of weather stations and then delivers the data through a web portal or a WFS interface (Honkola et al., 2013). The WFS interface can be used to download the data for other products and services, meaning that in this context the end user is not necessarily a human but can be another computer. SYKE is responsible for hydrological observations in inland waters. SYKE also has open data interfaces and a portal for the public to download data (Tarvainen & Suomela, 2018).

As with everything connected to the internet, these systems are susceptible to internet-based threats that target vulnerabilities in them. These threats come with risks that can cause loss of data, loss of data availability or loss of data integrity. It is therefore imperative to have some kind of cyber security for these systems to mitigate those risks. The cyber security of online automatic environmental measurements is something that has not been extensively researched; for example, Lepistö et al. (2018) do not mention it at all in their project relating to expanding the network of automatic measurement devices.

Automatic measurements do not necessarily have to be online but offline monitoring is also subject to the threats between the measurement device and the receiving service. Only the threats related to the data dissemination service are left out in offline cases.

For the purposes of this study the environment is assumed to be the natural environment encompassing lakes, rivers, seas, the atmosphere, built-up areas and the area surrounding industrial locations. Measurements made inside industrial processes are left outside the scope of this study because they are subject to different standards and are usually located in closed environments.

1.2 Comparison to Traditional Measurements

In traditional sampling an observer needs to go out into the environment and take a sample or make a measurement. They then need to have the sample analyzed and all the results need to be input into a database manually.

If a phenomenon changes faster than the manual sampling rate, then manual sampling may miss those changes. However, automatic measurement devices produce results with a much finer time resolution and are therefore able to catch faster changes.

Automatic measurements still need to be checked and calibrated, so a need for manual sampling will always remain. Even though automatic measurements are increasing, Lepistö et al. (2018) point out that online automatic measurement networks are not intended to replace traditional environment sampling in Finland.

1.3 Importance of Online Automatic Measurement Security

In addition to being of scientific interest, online automatic environment measurements can be related to large business interests. They can therefore be of potential interest to nefarious actors. It is important that the owner of the online automatic environment measurements knows that their information is still confidential and that its integrity is intact.

One example of how important environmental measurements are can be seen in the recent Finnish Supreme Administrative Court (KHO) decision to reject the environmental permit of the proposed paper mill in Kuopio. The court proposed that the environmental effects of the paper mill should be assessed for its whole lifespan of 30 to 40 years (Finnpulp staff, 2019). This case puts a large emphasis on environmental impact assessment now and going into the future. Numerical modelling is vital when looking into the future, but during normal operations, monitoring is the way in which the environmental effects are seen. Modern environment monitoring is effectively done with automatic environmental measurement devices.

Depending on the objectives of an attacker, the online measurement system might not be the ultimate goal, but just a tool that can be used to reach their ultimate goal. It is therefore in the interest of general cyber security and the responsibility of the system owner that the online automatic measurement system be secure. If it is used in an attack on another system it could lead to downtime for the online measurement system as well.


1.4 The CIA triad

The implementation of the terms of the confidentiality, integrity and availability (CIA) triad and the concept of non-repudiation (International Organization for Standardization / International Electrotechnical Commission, 2017) can help in understanding how to secure the measurement systems from online cyber-attacks. Confidentiality is the limiting of information to only authorized entities, integrity is the keeping of information whole and reliable, and availability is the keeping of information available as required. Non-repudiation is the inability of a party to deny that something has happened. For example, it can mean that two parties exchange information and neither party can deny that the information exchange has taken place (Coffey & Saidha, 1996). In information security non-repudiation is taken to mean that no party can deny that a security event has happened. It is formally defined in the ISO 27000 standard as the ability to prove the occurrence of a claimed event or action and its originating entities.

1.5 Cyber Security Awareness

In addition to addressing the concepts in the CIA triad, one of the purposes of the material in this study is to provide a thought-provoking way to look at cyber security within a safe context, with an aim to raise awareness within the public on cyber security issues. There is a need for this because, as an example, cyber security skills were found to be lacking in a study of healthcare professionals (Haukilehto & Hautamäki, 2019). Sometimes putting information at risk is a choice but sometimes the answer “don’t do it” is not viable and then it would be wise to at least have some kind of intrusion detection system in place.

Information is prevalent in almost all aspects of life, from the private lives of people to the big business of corporations. Some of this information is sensitive and needs to be kept secure because of that, but it can be argued that securing all information is important. The concepts related to information security can sometimes be hard to understand, and therefore attitudes towards securing information can be lax. This can become a problem when users do not realize that their information is in danger and then take oversized risks with it. This is true for online automatic measurement systems as well.

1.6 Formal Methodology

This work will use a multimethod methodology as its formal research methodology. Constructive methodology will be used to find solutions to the cyber security implementation research question together with a quantitative methodology to quantify the risks and probabilities that something happens. Thematic content analysis (TCA) will then be used to see how cyber security awareness can be increased.

1.7 Layout of this thesis

This work starts by defining the research methodologies used and presenting the research design. After this the ethical principles and data protection policy are presented after which the most important concepts related to this field of information security are presented in the theory portion of this study.

After this part, the study of the security of automatic environment measurements will be presented together with some risk and threat modelling. Controls used to secure the automatic measurement systems will then be presented. A discussion of the results will be presented together with some further insight in the discussion part. Finally the main conclusions will be presented.

2 Research

2.1 The Main Research Question

The main research question in this study therefore becomes: how should the security of online automatic environmental measurements be arranged to make them secure against cyber-attacks?


2.2 Methodology

2.2.1 Multimethod Research

This subject does not lend itself to just one research methodology and so a multimethod approach is required. In the multimethod approach, many methodologies can be used to look at different parts of the research problem.

2.2.2 Constructive Methodology

The first methodology used in this work is constructive methodology. This has been found to be well suited for works in computer sciences (Crnkovic, 2010) and especially when something is being developed. According to Crnkovic (2010) the main idea of constructive methodology is the construction of new knowledge based on existing knowledge that is used in novel ways.

The construction process is described as proceeding through stages that start with defining the problem and advancing to designing a way to obtain a solution to the problem. The final stage is to fill gaps in knowledge by using building blocks made from theory and practical applications to support the whole construct of new knowledge.

Figure 1 Constructive methodology creates new knowledge on top of existing knowledge using a combination of theory and practical applications. The new knowledge contributes to the pool of theory and realm of practical applications so the flow of information along the arrows goes in both directions.


Kasanen et al. (1993) envisage a model in which new knowledge comes about through a process going through four blocks: theoretical connection, practical relevance, practical functioning and theoretical contribution. The flow of information from the old to the new knowledge is therefore bidirectional both in the theoretical and practical application domains (Figure 1).

This work is connected to well-established theory indicated by references to previously published works in the relevant fields. The main field of study is the field of information security but with connections to environmental studies as well.

The practical relevance for this study comes from a lack of security in online automatic environmental measurements. The outcome of this study could help the scientific community as a whole even though the objective is not to produce new environmental measurement results.

Some parts of the produced solutions are tested through conceptual tests and this fulfills the practical functioning part of the methodology.

The whole of this work will be made freely available and so hopefully it will be embraced as a part of the pool of knowledge. Therefore it will make a contribution to future work. The hope is that cyber security awareness is increased within communities that are not well versed in it.

2.2.3 Quantitative Methodology

Punch (1998) has defined the quantitative methodology as an empirical method in which the data is presented numerically. This is in contrast to the qualitative method, in which the data is not in the form of numbers. Since risk can be expressed as a number, it can be studied using some kind of quantitative methodology.

The quantitative methodology selected for this study was a Monte Carlo model which was used to calculate risks related to a network of measurement stations. It produces a huge amount of quantitative results that can then be studied analytically and statistically.


2.2.4 Thematic Content Analysis

Data related to cyber security awareness is not necessarily quantitative in nature even though it can be that as well. If it is not numerical and only qualitative, and if it can be divided into themes and treated to a descriptive analysis, then it can be studied using thematic content analysis (TCA) (Anderson, 2007).

As TCA is merely descriptive, it is not enough by itself to fulfill a complete analysis of research findings (Anderson, 2007). However, it is perfect for looking at a quantitative dataset and finding themes which it can then describe.

In this study, the methodology will be used on a dataset of popular culture. Cyber security issues found in it will be described and analyzed. The results will then help in finding new ways to increase cyber security awareness.

2.3 Research Objectives

The main objectives of this research are

- To find robust ways of securing online automatic environmental measurements.
- To quantify the risk related to measurement networks.
- To show how the results can be used to increase cyber security awareness.

2.4 Research Design

This work will start by looking at the principles behind online automatic measurement stations in a descriptive sense. After this, the main assets, and risks will be looked at and some potential cyber security threats will be identified. As this study will focus on an idealized system, specific vulnerabilities will not be identified or addressed.

Then the risks of interconnected measurement stations will be quantified using Monte Carlo modelling, which is probabilistic in nature and well suited to this kind of work.
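As an added illustration of the Monte Carlo approach (this is example code written for this edit, not the thesis’s own model or script), the following Python program estimates Ptot, the probability that the central service is breached, from per-node probabilities. The network description, the propagation rule and the probability values are assumptions made here: every station is breached independently with probability P1, a breached station gets exactly one attempt against the node it connects upstream to (another station, again with P1, or the central service, with P0), and Ptot is the fraction of trials in which the central service ends up breached. For the case where all stations are wired directly to the central service the estimate can be checked against the closed form 1 - (1 - P1·P0)^n, and a chain-shaped route with a single direct link shows how the layout, not just the node count, drives the result.

```python
import random

# Assumed model, not the thesis's: upstream[i] is the index of the station that
# station i forwards its data through, or None when station i is directly
# connected to the central service.


def simulate_once(upstream, p1, p0, rng):
    """One Monte Carlo trial; returns True if the central service is breached."""
    n = len(upstream)
    # Initial compromise: every station falls independently with probability P1.
    breached = [rng.random() < p1 for _ in range(n)]
    tried = [False] * n          # each breached station attacks upstream only once
    central = False
    progress = True
    while progress:              # keep propagating until no new attempts are possible
        progress = False
        for i in range(n):
            if not breached[i] or tried[i]:
                continue
            tried[i] = True
            progress = True
            up = upstream[i]
            if up is None:
                # Direct link to the central service: one attempt with probability P0.
                if not central and rng.random() < p0:
                    central = True
            elif not breached[up] and rng.random() < p1:
                # Lateral move to the next station on the route, probability P1.
                breached[up] = True
    return central


def estimate_ptot(upstream, p1, p0, trials=20000, seed=1):
    """Monte Carlo estimate of Ptot: fraction of trials in which the central service is breached."""
    rng = random.Random(seed)    # fixed seed so the estimate is reproducible
    hits = sum(simulate_once(upstream, p1, p0, rng) for _ in range(trials))
    return hits / trials


def analytic_direct(n, p1, p0):
    """Closed form for n independent stations all wired directly to the central service."""
    return 1.0 - (1.0 - p1 * p0) ** n


def chain(n):
    """Linear route: station 0 -> 1 -> ... -> n-1 -> central service (only one direct link)."""
    return [i + 1 for i in range(n - 1)] + [None]


if __name__ == "__main__":
    p1, p0 = 0.1, 0.5            # constructed sample values
    for n in (10, 20):
        direct = [None] * n
        print(f"all direct, n={n}: Monte Carlo {estimate_ptot(direct, p1, p0):.3f}, "
              f"closed form {analytic_direct(n, p1, p0):.3f}")
        print(f"chain,      n={n}: Monte Carlo {estimate_ptot(chain(n), p1, p0):.3f}")
```

The closed-form check is the important habit: a Monte Carlo model should always be run first on a configuration whose answer is known analytically, so that a bug in the propagation loop is caught before the model is trusted on layouts that have no closed form.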


After this, using the principle of constructive methodology, a cyber security implementation plan for the automatic measurement systems will be constructed using these building blocks together with prior knowledge.

Finally the principle of TCA will be used to find new ways to improve cyber security awareness.

2.5 Ethical Principles and Data Protection

This thesis work follows the ethical principles of the Jyväskylä University of Applied Sciences (JAMK) set out in JAMK staff (2018). The purpose of these guidelines is to ensure that the research produced is of a high scientific quality and a high ethical standard.

This research subject is original. No research permits were required to complete this work and no external funding was solicited or obtained. The author is the owner of the learning process used for this work.

All copyrighted material has been referenced accordingly and used only in a context similar to a review. All references to previous works by other researchers have proper citations attached.

All material used in this thesis related to online automatic environment measurement systems has been obtained from sources in the public domain and no confidences have been breached whilst obtaining it. Only open data sources have been used for the data analysis examples.

The General Data Protection Regulation (GDPR) controls the collection, use and storage of personally identifiable information (PII). Since no interviews were conducted and no personal information was collected, the data driving this thesis does not constitute a register and does not require special data protection protocols. No PII was needed or used to complete this work.

The conclusions of this work are intended to contribute to the common pool of knowledge. They are not intended to benefit any specific interested party but to address the security needs of every party working with automatic online measurements. No immaterial property rights (IPR) have been gained.


3 Theory

3.1 Definition of information security

Information security is defined in the ISO/IEC 27000:2017 standard as the preservation of confidentiality, integrity and availability of information (International Organization for Standardization / International Electrotechnical Commission, 2017). Confidentiality, integrity and availability, together with non-repudiation, form the CIA triad of information security, which is at the core of all cyber security management systems.

The implementation of information security controls aims to ensure business continuity and minimize damage by limiting the impacts of security events (Von Solms, 1998). Business cannot continue with broken systems or broken data. Data becomes broken when it loses its confidentiality or integrity, or if it is stolen.

Because information security includes the securing of the underlying technology, the concept of information and communications technology (ICT) security can be thought of as being a part of information security (von Solms & van Niekerk, 2013). Information residing on an IT system cannot be thought of as secure unless the physical system itself is secure (von Solms & van Niekerk, 2013). This form of security starts from physical access control devices on the doors of machine rooms to the security of network devices and servers.

In ICT security the ICT equipment is the asset to be secured, whereas in information security the ICT equipment is a vulnerability and the information is the asset to be secured (von Solms & van Niekerk, 2013).

Industrial standards have been developed to help with the implementation of information security. For example, by implementing the ISO/IEC 27000:2017 set of standards, an organization automatically has governance, risk and compliance within the core of its information security management system (Sanskriti & Astitwa, 2018).


3.2 Definitions of Information Security Terms

3.2.1 Asset

An asset is anything with intrinsic or implied value that is owned. In the context of information security it can be the hardware needed to run the services or store the information, the information itself, the services, a reputation, a process, some kind of intellectual property, the staff needed to run the services, or all of these in addition to other possibilities.

Assets can be categorized into primary and secondary classes according to their role and importance in the system. If the core business absolutely requires an asset to be available and functioning then it is a primary asset. If the business is able to function without the asset, even in a slightly degraded state, then the asset can be classified as secondary.

However, in their study of the adaptive security of smart grids, Pasquale et al. (2012) define primary assets as those that are valued most by an entity, and secondary assets are then of secondary value. They also state that it is not only important to define the assets, but also their interconnections and relationships, because secondary assets can be used to attack primary assets. Therefore secondary assets are not secondary in a cyber security sense and need to be secured as well.

Depending on the goal of an attacker, an asset can be either primary or secondary. The secondary asset can be used to attack a primary asset.

3.2.2 Confidentiality

Confidentiality is defined in the ISO/IEC 27000:2017 standard as a property that information is not made available or disclosed to unauthorized individuals, entities, or processes.

To maintain confidentiality, systems that provide access to information have some form of access control so that the individual, entity or process accessing the information is authenticated and their authorization to access the information is checked. The access control can be some form of username and password combination together with a second step, or an SSL certificate, especially if the accessing entity is a process.

Financial institutions use a two-step authentication method to authenticate entities. The open data interface of the Finnish Meteorological Institute (FMI) used to check a user-specific token in the uniform resource locator (URL) before access to information was granted.

Information can also be completely open for everyone to use without authentication. This kind of information can be said to be in the public domain and everybody is authorized to access and use it.

3.2.3 Integrity

Integrity is defined in the ISO/IEC 27000:2017 standard as a property of accuracy and completeness.

The information needs to remain uncorrupted and have a high level of integrity for it to be useful and this is true also for information in the public domain. Technical solutions exist that keep information uncorrupted. Usually they are based on the information residing in several locations simultaneously. If the data does become corrupted for any reason, then a working backup needs to exist and be made available.

Information also needs to remain uncorrupted when it is being transmitted over some kind of network or being transported in some other way. This means that transport protocols need to have some form of error checking. This is something that is inherent to the TCP protocol but not to the UDP protocol.
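The integrity requirement for data in transit can also be enforced above the transport layer with a keyed message authentication code, which detects deliberate modification as well as accidental corruption (a transport-layer checksum only addresses the latter). The following Python script is an added example written for this edit, not code from the thesis or from any measurement system it describes; the station key, the record fields and the tampering step are constructed for illustration:

```python
import copy
import hashlib
import hmac
import json

# Hypothetical shared secret provisioned to one measurement station and to the
# central service (constructed for this example; a real deployment would keep a
# per-station key in protected storage, never as a literal in code).
STATION_KEY = b"example-station-7-key"

# Constructed measurement record, as a datalogger might send it.
SAMPLE_RECORD = {
    "station": 7,
    "timestamp": "2020-11-01T10:00:00Z",
    "temperature_c": 12.3,
    "conductivity_mS_cm": 0.42,
}


def _canonical(record: dict) -> bytes:
    """Serialise the record with sorted keys and no whitespace so that the
    field order on the wire does not change the tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def sign_record(record: dict, key: bytes = STATION_KEY) -> dict:
    """Attach an HMAC-SHA256 tag computed over the canonical record."""
    tag = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify_record(message: dict, key: bytes = STATION_KEY) -> bool:
    """Recompute the tag and compare it in constant time. False means the
    record was altered in transit or was signed with a different key."""
    expected = hmac.new(key, _canonical(message["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, message.get("tag", ""))


def tampered_copy(message: dict) -> dict:
    """Constructed in-transit modification: one reading is changed."""
    bad = copy.deepcopy(message)
    bad["record"]["temperature_c"] = message["record"]["temperature_c"] + 10.0
    return bad


if __name__ == "__main__":
    signed = sign_record(SAMPLE_RECORD)
    print("intact record verifies:", verify_record(signed))
    print("tampered record verifies:", verify_record(tampered_copy(signed)))
```

The canonical serialisation matters: if the central service re-serialised the record with a different key order before checking the tag, valid records would fail verification and operators would learn to ignore the check.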

3.2.4 Availability

Availability is defined in the ISO/IEC 27000:2017 standard as a property of being accessible and usable upon demand by an authorized entity.

The information needs to be available for it to be useful. Data that is kept unavailable is as useful as data that does not exist. Even though the answers to availability questions can be more technical in nature, it is the role of administrators to decide who to make the information available to. High-availability systems, such as the MySQL cluster, are used to keep critical information available in most cases of equipment failure.

3.2.5 Authentication

Authentication is defined in the ISO/IEC 27000:2017 standard as a provision of assurance that a claimed characteristic of an entity is correct.

When entering a username and password combination into a system containing information, a user presents evidence to show that they are entitled to access that information. Authentication is more of an administrative control because some entity somewhere decides who is given access and who is not.

The definition of authorized entities, i.e. the question of who is given access to the information, is more important than deciding which of the other information security characteristics, such as availability or integrity, are applicable (von Solms & van Niekerk, 2013).

3.2.6 Non-repudiation

Non-repudiation is defined in the ISO/IEC 27000:2017 standard as the ability to prove the occurrence of a claimed event or action and its originating entities.

If an information security event occurs, for example an unauthorized entity is able to access information, it is important firstly to notice that the event has occurred, secondly to know the nature of the event and thirdly to find the identity of the entity responsible for the event. The first two are most important from a business continuity point of view and the third is important from a law enforcement point of view.

Non-repudiation also has the notion that neither party can deny that something has happened. Therefore it needs to be possible to reliably show the evidence indicating an event. System logs are important in proving the occurrence of an event.


3.2.7 Security Event and Security Incident

The ISO/IEC 27000:2017 standard defines event as the occurrence or change of a particular set of circumstances. According to the definition, an event can also be something not happening.

An information security event is an identified system, service or network state indicating a possible breach of information security. The security event becomes an information security incident when there is a significant probability of information or business loss (International Organization for Standardization / International Electrotechnical Commission, 2017). Incidents can warrant some kind of intervention or other response.

3.2.8 Physical controls

In addition to more technical cyber security controls, information can be kept confidential, uncorrupted and available using administrative policies and physical access controls.

Administrative policies are related to things like password management. They need to be taken into account in making sure that unauthorized entities are unable to access information.

All storage machines and network machines need to be behind some kind of physical access control system such as a mechanical or electronic lock on the door.

Backup power sources and uninterruptible power sources (UPS) provide electricity for servers and network infrastructure in the case of a power failure.

3.2.9 Information Security Management system (ISMS)

The ISO/IEC 27000:2017 vocabulary standard defines the Information Security Management System (ISMS) as consisting of the policies, procedures, guidelines, and associated resources and activities, collectively managed by an organization, in the pursuit of protecting its information assets. An ISMS is a systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving information security in an organization to achieve business objectives. It is based on a risk assessment and the risk acceptance levels of an organization designed to effectively treat and manage risks. Analyzing requirements for the protection of information assets and applying appropriate controls to ensure the protection of these information assets contributes to the successful implementation of an ISMS. (International Organization for Standardization / International Electrotechnical Commission, 2017)

The ISMS is a document outlining the main assets, the threats against them, and the risks related to those threats together with the controls and management protocols setup to manage those risks. It does not necessarily describe operational control implementations in detail which are in the more technical cyber security implementation plan.

3.2.10 Cyber Security Awareness

Increasing cyber security awareness within the general public should be in the mind of all cyber security professionals. Educating the public on cyber security issues is necessary for the adoption of good cyber security practices. In a recent review of the impacts of cyber security awareness campaigns Bada et al. (2020 preprint) outlined five factors that affect the effectiveness of awareness campaigns. The first is the professional deployment of the campaigns and the second is the importance of not invoking fear. The last factors are related to providing concrete, attainable steps in improving cyber security and providing training. All of this needs to be done within a suitable cultural context.

Education on cyber security issues is still important even in today’s digital age, because gaps in European cyber education and professional training have been identified (European Cyber Security Organisation, 2018). A study of over 1200 healthcare professionals in Finland showed that cyber security awareness is not sufficient and needs to be increased (Haukilehto & Hautamäki, 2019). People faced with many warnings and complicated advice may abandon all efforts for protection, and not worry about any cyber security dangers (Bada et al., 2020 preprint).

High-information lectures on cyber security have been found to have an impact on behavior (McCrohan et al., 2010) but even a high level of cyber security awareness does not necessarily lead to meaningful implementation of cyber security protective measures (Zwilling et al., 2020). Simple games have been found to have the potential to help educate people in cyber security, as found in a study on educating people on password security using an Android application (Scholefield & Shepherd, 2019).

The content of cyber security awareness programs, for example in the programs deployed to children in the United Arab Emirates and studied by Al Shamsi (2019), should include the identification of different online risks. Even though the sample size of that study was very small the results were relatively uniform showing that lectures, videos, games and posters all help to raise the cyber security awareness in children.

Cyber security education needs to start in schools to get young people interested in technology, IT and cyber security topics. For now, we have to address the large skills gap. The cyber security domain can be considered unpopular due to it having a bad culture, high burnout rate, and somewhat limited career perspectives (European Cyber Security Organisation, 2018).

3.2.11 Situational Awareness

Situational Awareness (SA) is knowing what is happening in the systems and networks, and what the status of the most valuable assets is. Cyber Security has SA at its core since non-repudiation is a part of the CIA triad. SA gives operators the possibility of knowing about and countering threats as they occur. A formal definition for SA that is useful in this context has been made by Endsley (1987) and states that it is the perception of the elements and environment within a volume of time and space, the comprehension of their meaning, and the projection of their status in the near future. This definition separates SA from the processes used to achieve it. These processes are referred to as situation assessment.

Endsley (1995) states that individuals with good SA are more likely to make good decisions when confronted with a dynamic situation. Good SA will also lead to better interfaces and training programs in future developments. The research concludes that more, not less, human involvement in the decision making process is better and automation can be used on more mundane tasks such as data analysis and integration. (Endsley, 1995)

In his research on SA within the context of a cybersecurity exercise, Lötjönen (2017) identified 56 requirements that need to be met to achieve good SA. These are related to the collection, dissemination and presentation of data to give the participants a good and relevant picture of the situation.

3.3 From Information Security to Cyber security

Information security and cyber security have been used in information security texts almost as synonyms. However, Von Solms and van Niekerk (2013) argue that they are distinct terms. In their view cyber security adds an extra dimension to information security in that humans can be directly adversely affected by a cyber-attack, whereas the effects of a security event regarding information security are indirect. If a human loses all of his information on a cloud platform due to a breach it can be a problem but the human is not directly harmed by the breach.

On the other hand, there are threats that do not fall under the normal definition of information security. Examples of these include cyber bullying (Martin & Rice, 2011), home automation (Jiménez et al., 2011) and cyber terrorism against defined critical infrastructure (Department of Homeland Security, 2019). All of these have consequences which can physically affect humans. In extreme cases the humans can even be killed if they are, for example, locked into their home when the home automation system is compromised, or if the brakes of their vehicle are disabled by hackers.

3.4 Cyber Security Frameworks

A cyber security framework provides the policy guidelines that can be used to secure information systems and develop information security management systems.

A lot of work has been done on developing and maintaining cyber security frameworks by organizations like the National Institute of Standards and Technology (NIST), International Organization for Standardization (ISO), International Society of Automation (ISA) and many others. Therefore many cyber security frameworks exist that can be used in the development of the security of an information system. However, these can be overly broad and complicated, like the NIST framework, or too specific and tailored to a certain type of system like the frameworks defined by national governments for their departments and subcontractors. The five core functions of the NIST framework are very useful in developing the information security of an organization. They form a work flow that goes from identification to protection to detection to response to recovery. (National Institute of Standards and Technology, 2018) This is summarized in Figure 2.

The small loop in Figure 2 (loop A), going from Identify to Protect to Detect and then back to Identify, is the loop used in normal operations. When a security incident is detected, the loop needs to branch into loop B, going to a Response and then a Recovery.

As an example of the problems related to existing frameworks, the table listing the changes made from NIST 1.0 to NIST 1.1 has the entry: “Clarified that terms like “compliance” can be confusing and mean something very different to various Framework stakeholders” (National Institute of Standards and Technology, 2018). If a nontechnical word like compliance can cause confusion then there is still work to be done in making frameworks more accessible and usable.

Figure 2 Information security according to the core of the NIST framework. The A loop is the normal route and the B route is needed if an anomaly is detected.


3.5 Intrusion Detection System

3.5.1 Anomaly-Based IDS

An Intrusion Detection System (IDS) is directly related to the concept of non-repudiation because it gives the possibility of noticing that a security event or incident has occurred. IDSs have been reviewed by Chen et al. (2014). Assuming that all organizations will come under attack at some point, an IDS is an essential part of cyber security management. Chen et al. (2014) compare it to a burglar alarm on a house.

An IDS can be anomaly-based or misuse-based. An anomaly-based IDS compares security events to some known situation which can be considered normal. The IDS therefore requires a certain security baseline on which to base its anomalies. According to García-Teodoro et al. (2009), the architecture of an anomaly-based IDS needs to have blocks for gathering information and monitoring events, a database of the events, analysis of events to recognize potentially harmful ones, and response functions. The last item is required if the system needs to automatically respond to a harmful event. An anomaly-based IDS can be thwarted either by making the normal baseline look like malicious behavior or by making malicious behavior look normal (Tan et al., 2002). The Wazuh security platform is an example of this kind of IDS (Särkisaari, 2020).

3.5.2 Misuse-Based IDS

A misuse-based IDS has knowledge of unacceptable behavior in the system and knowledge of attack patterns, and uses that knowledge to try to detect them. (Kumar and Spafford, 1994)

A misuse-based IDS is effective against known attacks but it depends on regular updates of attack patterns. It will be unable to detect unknown threats or new threats before the attack patterns have been updated. (Ashoor & Gore, 2011)
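As an added illustration of the two approaches in 3.5.1 and 3.5.2 (example code written for this edit, not part of the thesis or of any IDS product it cites), the following Python script runs a misuse-based detector with two constructed signatures and an anomaly-based detector whose baseline is learned from a period the operator has verified as clean, both over constructed log lines from a measurement node. All log lines, signature patterns, field names and the z-score threshold are assumptions made for the example:

```python
import re
import statistics

# Constructed log lines from a measurement node feed (not from the thesis).
# The baseline window is one the operator has checked by hand; learning the
# baseline only from verified-clean data is the defence against an attacker
# teaching the detector that malicious traffic is normal (Tan et al., 2002).
BASELINE_LINES = [
    "2020-11-01T09:00:00Z node=3 event=upload bytes=500",
    "2020-11-01T09:05:00Z node=3 event=upload bytes=512",
    "2020-11-01T09:10:00Z node=3 event=upload bytes=498",
    "2020-11-01T09:15:00Z node=3 event=upload bytes=505",
    "2020-11-01T09:20:00Z node=3 event=upload bytes=520",
    "2020-11-01T09:25:00Z node=3 event=upload bytes=490",
    "2020-11-01T09:30:00Z node=3 event=upload bytes=510",
    "2020-11-01T09:35:00Z node=3 event=upload bytes=515",
]
LIVE_LINES = [
    "2020-11-01T10:00:00Z node=3 event=upload bytes=530",
    "2020-11-01T10:05:00Z node=3 event=login result=fail user=root",
    "2020-11-01T10:05:30Z node=3 event=login result=fail user=root",
    "2020-11-01T10:06:00Z node=3 event=login result=fail user=root",
    "2020-11-01T10:10:00Z node=3 event=upload bytes=51200",
    "2020-11-01T10:15:00Z node=3 event=cmd name=reflash",
]

# Misuse-based part: known-bad patterns. Constructed signatures; a real
# deployment would update these regularly (Ashoor & Gore, 2011).
SIGNATURES = {
    "root-login-failure": re.compile(r"event=login result=fail user=root\b"),
    # any datalogger command other than the two the station is expected to use
    "unexpected-command": re.compile(r"event=cmd name=(?!read\b|upload\b)\w+"),
}

BYTES_RE = re.compile(r"event=upload bytes=(\d+)")


def misuse_detect(lines):
    """Return (signature name, line) for every line matching a known pattern."""
    hits = []
    for line in lines:
        for name, pattern in SIGNATURES.items():
            if pattern.search(line):
                hits.append((name, line))
    return hits


def build_baseline(lines):
    """Anomaly-based part: learn mean and standard deviation of upload sizes
    from the verified-clean window."""
    sizes = []
    for line in lines:
        match = BYTES_RE.search(line)
        if match:
            sizes.append(int(match.group(1)))
    return statistics.mean(sizes), statistics.stdev(sizes)


def anomaly_detect(lines, baseline, z_threshold=3.0):
    """Flag uploads whose size deviates from the baseline by more than
    z_threshold standard deviations; returns (z-score, line) pairs."""
    mean, stdev = baseline
    hits = []
    for line in lines:
        match = BYTES_RE.search(line)
        if not match:
            continue
        z = (int(match.group(1)) - mean) / stdev
        if abs(z) > z_threshold:
            hits.append((round(z, 1), line))
    return hits


if __name__ == "__main__":
    for name, line in misuse_detect(LIVE_LINES):
        print("MISUSE ", name, "|", line)
    baseline = build_baseline(BASELINE_LINES)
    for z, line in anomaly_detect(LIVE_LINES, baseline):
        print("ANOMALY z=%s |" % z, line)
```

Run against the live lines, the signature detector catches the repeated root login failures and the unexpected command but says nothing about the oversized upload, which is exactly what the anomaly detector catches; the slightly larger 530-byte upload stays below the threshold. Neither detector would flag a new attack that matches no signature and stays within the baseline, which is the limitation of both approaches described above.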


3.6 Relevant Standards

3.6.1 The ISO/IEC 27000 Set of Standards

The ISO/IEC 27000:2017-series of information security standards is published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It lists the requirements that an ISMS must fulfill in order to be certified by a certification authority (Disterer, 2013).

The cyber security terms are all defined in the ISO/IEC 27000:2017 standard (International Organization for Standardization / International Electrotechnical Commission, 2017), which is the vocabulary standard for the ISO/IEC 27000:2017 family of standards. The standard is set up in a broad way so that all of the concepts can be implemented at three levels: a physical, a personal and an organizational level.

Confidentiality, integrity and availability form the CIA triad but modern interconnected business use requires more characteristics to be added to this for information to be truly secure. These are non-repudiation, accountability, authenticity and reliability together with accuracy, utility and possession of information (von Solms & van Niekerk, 2013).

The Information Security Management System (ISMS) is defined in the ISO/IEC 27001:2017 standard.

The ISO/IEC 27002 standard incorporates the first part of the BS 7799 good security management practice standard written in 1995 by the Department of Trade and Industry of the United Kingdom government.

The ISO 27000:2017 set of standards defines the Plan Do Check Act (PDCA) loop (Disterer, 2013). This loop can be used in setting up the cyber security of any system.

3.6.2 Other Relevant Standards

The ANSI/ISA-62443 (American National Standards Institute / International Society of Automation, 2020) set of standards describes how to set out the information security of industrial automation and control devices. Whilst this set of standards deals with automated devices and control systems, it relates to them in a controlled industrial environment. Automatic environmental measurements are usually made far from any controlled environment and so this set of standards is not entirely relevant to them.

A growing field in the area of computer science is the internet of things (IOT). The ISO/IEC 30141:2018 (International Organization for Standardization / International Electrotechnical Commission, 2018) standard describes the most important characteristics of IOT and produces a useful conceptual model of it. In automatic measurement stations, the flow of information is mostly one-way and the data sizes are usually not overly large. Therefore this standard falls outside the scope of this work but is something that should perhaps be kept in mind and used in future work.

3.7 Risk as an Abstract Entity

The notion of risk involves both uncertainty and the cost of some kind of loss or damage that might be received. In this analysis of risk, the following equation is assumed (Kaplan and Garrick, 1981):

$$R = P \cdot C \qquad (1)$$

where R is the risk, P is the probability of the risk (uncertainty) and C is the cost. This means that a smaller probability with a higher cost carries the same risk as a higher probability with a lower cost. This equation cannot be used quantitatively because the values of P and C are usually unknown, but it can be kept in mind when thinking about and managing risks. Eling and Schnell (2016), in their work on insuring against cyber risks, found that there is a lack of quantitative information on risks and little modelling of them. A more robust mathematical treatment of information security risk, and the costs related to it, has been made by, for example, Maochao and Lei (2019) for large-scale interconnected networks of computers.

A result of Eq. (1) is that the change in risk over time, assuming that both the probability and cost are functions of time (i.e. P=P(t) and C=C(t), where t is time) becomes:

$$\frac{dR(t)}{dt} = P(t) \cdot \frac{dC(t)}{dt} + C(t) \cdot \frac{dP(t)}{dt} \qquad (2)$$

Eq. (2) is a linear differential equation, one of the solutions of which is


$$R(t) = R(t_0) + \int_{t_0}^{t} P(t) \cdot \frac{dC(t)}{dt}\,dt + \int_{t_0}^{t} C(t) \cdot \frac{dP(t)}{dt}\,dt \qquad (3)$$

The time $t_0$ in this case is an arbitrary start time. The second term on the right hand side of the equation is related to the change in cost over time and can be due to inflation, where the cost increases as the value of money decreases. The third term is the change in probability over time. In the real world this can be attributed to updates to computer systems not being installed and to the emergence of new threats related to new vulnerabilities.

In this example the cost C has some unit (it can be units of currency) and P, being a probability, is dimensionless. This means that the unit of risk R is the same as that of cost. Because all risks calculated with these equations have the same unit, they can be summed to produce a total risk $R_{tot}$:

$$R_{tot} = \sum_i R_i \qquad (4)$$

This is the quantity that needs to be minimized by developing, utilizing and maintaining some form of information security system. As a formal equation this would be

$$R_{man} = \min R_{tot} = \min \sum_i R_i = \sum_i \min_i R_i \qquad (5)$$

$R_{man}$ is the managed risk. Eq. (5) clearly shows that to minimize the managed risk it is vitally important to minimize all the component risks, and this is the main role of the information security management system.

Risk can also be defined with regard to a hazard, which is a source of danger or a threat, T, and controls, S, against that danger (Kaplan and Garrick, 1981):

$$R = \frac{T}{S} \qquad (6)$$

By combining Eqs. 1 and 6 it is possible to obtain a kind of “dispersion relation”

$$\frac{T}{S} = P \cdot C \qquad (7)$$

This combines the components making up the risk: threats, controls, probability and cost.
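Eqs. (1) to (7) carried through numerically, as an added Python example that is not from the thesis; the cost function (a loss growing with inflation), the probability function (a probability growing while patches go unapplied) and the component risks are constructed for illustration:

```python
def risk(p, c):
    """Eq. (1): R = P * C. R carries the unit of C because P is dimensionless."""
    return p * c


def total_risk(components):
    """Eq. (4): R_tot = sum_i R_i, for a list of (P_i, C_i) pairs."""
    return sum(risk(p, c) for p, c in components)


def integrate_risk(P, C, t0, t1, steps=100):
    """Eq. (3): R(t1) = R(t0) + int P dC/dt dt + int C dP/dt dt.

    Each interval contributes P_mid * dC + C_mid * dP with the midpoint taken
    as the average of the interval endpoints. For the product rule this
    trapezoid form telescopes exactly, so the result equals P(t1)*C(t1) for
    any number of steps; the two partial sums are returned as well so the
    inflation term and the probability term can be compared separately.
    """
    r0 = risk(P(t0), C(t0))
    h = (t1 - t0) / steps
    cost_term = 0.0   # int P dC/dt dt : risk added because the loss got dearer
    prob_term = 0.0   # int C dP/dt dt : risk added because a breach got likelier
    for k in range(steps):
        a, b = t0 + k * h, t0 + (k + 1) * h
        p_mid = 0.5 * (P(a) + P(b))
        c_mid = 0.5 * (C(a) + C(b))
        cost_term += p_mid * (C(b) - C(a))
        prob_term += c_mid * (P(b) - P(a))
    return r0 + cost_term + prob_term, cost_term, prob_term


def required_control_strength(threat, p, c):
    """Eq. (7): T/S = P*C, solved for the controls S needed against threat T."""
    return threat / risk(p, c)


# Constructed illustration (assumptions, not values from the thesis):
def cost(t):
    return 1000.0 * 1.02 ** t      # 1000-unit loss growing 2 % per year


def prob(t):
    return 0.05 + 0.01 * t         # breach probability rising 1 % per year


if __name__ == "__main__":
    r5, inflation_part, probability_part = integrate_risk(prob, cost, 0.0, 5.0)
    print("R(5) by Eq. (3):", round(r5, 3), "direct P*C:", round(risk(prob(5.0), cost(5.0)), 3))
    print("from cost growth:", round(inflation_part, 3), "from probability growth:", round(probability_part, 3))
    print("R_tot of two components:", total_risk([(0.1, 100.0), (0.01, 1000.0)]))
```

In the constructed numbers most of the five-year growth in risk comes from the probability term rather than from inflation, which is the thesis's point that unapplied updates, not currency effects, dominate Eq. (3) in practice.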


3.8 Network Attacks

3.8.1 Detection

Network attacks can be seen as an anomaly in the normal operation of a network and therefore they can be confused with problems related to hardware or software. The purpose of the IDS is to detect network attacks.

The four steps followed by any attacker are information gathering, vulnerability assessment, launching the attack and cleaning up (Hoque et al., 2014). If mitigation controls are effective against the first two then the attacker may not continue to the last steps. The last step is important in the forensic investigation of the attack. If the attacker is successful in their cleanup then the investigation is made much more difficult.

3.8.2 Taxonomy

Different types of network attacks have been reviewed by Hoque et al. (2014). The review provides a comprehensive set of tools for both attackers and defenders for all steps of the attack process (information gathering, vulnerability assessment, launching the attack and cleanup).

The most important classes of attacks and attack launching tools are trojans, denial-of-service (DoS) and distributed denial-of-service (DDoS), application layer attack tools, packet forging attack tools, fingerprint attack tools and user attack tools. (Hoque et al., 2014)

A Trojan is a malicious program that resides in a system disguised as a friendly and harmless program file. When it is opened or executed, the Trojan is executed with unwanted consequences.

DoS is a commonly found class of attack in which an attacker tries to prevent legitimate and authorized users from using a system and its resources. Some common examples of this class of attack are SYN flooding, smurf, fraggle, jolt, land and ping-of-death. (Hoque et al., 2014)


A DDoS differs from a simpler DoS attack in the amount of resources the attacker is able to unleash on the victim system. A large number of compromised machines on the Internet is used to launch the attack (Chen et al., 2006). The DDoS is a coordinated attempt to deny the availability of the services of the system. The attack can use legitimate service calls, but the volume of them arriving simultaneously will overload the system. The IP addresses used are legitimate but can also be spoofed (Chen et al., 2006).

Packet forging tools are useful in forging or manipulating packet information with a goal of tricking the system into performing some unauthorized behavior. In an application layer attack, the attacker uses legitimate communication protocol (such as HTTP) requests from authorized network machines to overwhelm an interface on a server.

Fingerprinting tools are used to identify specific features of a network protocol implementation by analyzing its input and output behavior. An example of this is the targeting of Windows computers which have a vulnerability in their network implementation. Fingerprinting, like many attacks, can be automated and so vulnerable machines and exploits for those vulnerabilities can be found automatically.

In a user attack the user tries to elevate his privileges to those of a system administrator. The user can start as a normal legitimately authorized user on a local machine and try to gain the privileges of an administrator, or the user can start from outside the machine and attempt to access it by exploiting its vulnerabilities without having an account on that machine. (Hoque et al., 2014)

3.8.3 Mitigation Controls for Attacks

Many controls to mitigate the different types of attack have been developed. Some of the most relevant ones have been reviewed by Hoque et al. (2014). As an example, in a general sense the mitigation of DDoS attacks hinges on the ability to stop the flow of packets from illegitimate sources whilst not preventing packets from legitimate sources. The cost of the implementation scheme should be low to make it feasible. (Chen et al., 2008)


A model-based mitigation control has been developed by Sridhar and Govindarasu (2014) that is able to detect highly skilled attacks which bypass host-based and network-based intrusion detection.

3.8.4 Targeting

If the target of an attack is of special interest to the attacker, it can be targeted by specific, tailored attacks. The attack pattern starts with information gathering to see what kinds of attacks could work. This means that as little system information as possible should be visible from the outside.

For example, the PHP function phpinfo() on some LAMP web servers may be used and then forgotten about. This is dangerous because it reveals a large amount of system information. This is an example of information being exposed by accident or without thinking about the consequences. Another example is a photograph of a server or operations room, which could be of use to targeters.

3.8.5 AI Based Attacks in the Future

Artificial intelligence (AI), and especially deep learning, has many intersections with cyber security. On the one hand, AI can be used to develop systems capable of adapting to new threats as the amount of information increases in size and scope at an accelerating rate (Tyugu, 2011). It can also be speculated that AI could be used to breach systems in ways humans cannot. This is something that needs to be kept in mind when developing systems in the future, and when developing security countermeasures.

One interesting aspect of AI is that it itself requires protection. AI systems are tools superior to most tools that have been in use and thus have to be kept from nefarious hands. More interestingly, AI needs to be kept secure so that it is not taught with bad or malicious data (Li, 2018). An example of what happens if this is not the case is when Twitter users turned a Microsoft AI chatbot into a racist asshole (Hunt, 2016).

The flow of data needs to be secure so that its integrity and confidentiality is kept intact. In this respect the question of securing AI is similar to securing automatic environmental measurement systems.


3.9 Monte Carlo modelling

Quantifying risk is hard due to the nature of the variables involved. Determining cost can be subjective, and probabilities require many assumptions to be made.

In the Monte Carlo modelling approach the set of observations is based on a set of random numbers (Hammersley, 1960). The calculations are repeated enough times to make the errors related to a single observation as small as possible.

Particle tracking and ray-tracing are good candidates for this modelling approach because the interactions follow a known distribution. In this study it will be used to calculate the risks related to connecting a network of measurement devices to a central service.

Monte-Carlo modelling has been used in many fields of natural science and has been used to, for example, calculate radiative transfer in snow (Rasmus & Huttunen, 2009).

4 Description of Research Domain

4.1 Introduction to Online Automatic Measurement Stations

Environmental measurements can be made directly by an observer utilizing a measurement device, or by an automatic measurement station that has the measurement device connected to a datalogger, which can have a connection to a server for data retrieval and remote access. The difference between these two methods is in the temporal resolution. Observer based measurements can be made on a scale of 1·10⁻⁶ Hz whilst automatic measurements can be made at 1 Hz or higher. Measurements made solely by human observers can sometimes miss phenomena that work on time scales shorter than the observation interval.

An example of the former is a scientist on board a research vessel deploying a Conductivity Temperature Depth (CTD) device and storing the results on his computer. The same CTD device can be moored to a buoy with a datalogger and power source, and it then becomes an automatic measurement station. If it also has a connection to a data service, then the data can be displayed on that service in real time.

The automatic measurement station can be local, such as the Aino float on lake Jyväsjärvi (Kuha et al., 2016), regional, such as the wave buoys in the Baltic Sea (Petterson et al., 2012), or very remote, such as the automatic measurement station on the Western Antarctic Ice Shelf (Van den Broeke et al., 2005). The station can also be moving and autonomous. In addition to a single measurement device, the system can be comprised of a network of sensors (e.g. Pham et al., 2020).

The backbone connection to a collecting service then depends on the location of the station and can be a radio link, a Groupe Spécial Mobile link (GSM), AIS or a satellite link. An IoT approach can then be used on top of the backbone connection (e.g. Pham et al., 2020).

Usually there are many measurement stations, which can be called measurement nodes, connected to the central service. This kind of measurement web is shown in Figure 3.

Figure 3 Measurement web with many measurement nodes connected to a central service. A breached measurement node is shown in red.


Figure 4 Measurement network in which the nodes are interconnected. The nodes are numbered. The risk related to node i also depends on the risks related to the nodes i+1.

When more nodes are connected to other nodes and only relatively few of them are directly connected to the central service (Figure 4 and Figure 5), then the importance of securing the node-to-node connections becomes apparent.

Figure 5 A more complicated measurement network with 20 nodes.


4.2 Overview of measurement setups

In quickly changing scenarios automatic environmental measurements are most useful when they are disseminated to clients as close to real time as possible. This requires that the measuring sensor either has a datalogging capability and some kind of connection, or is connected to a datalogger which is connected to a receiving service. Clients can log in and then look at or download the information. The dissemination can be via an interface (e.g. WFS), via the HTTP protocol, via the FTP protocol or even by e-mail, depending on the requirements of the end user.

The datalogger can be connected to the internet directly and can communicate with a receiving service (Figure 6). In this case the receiving end needs to have a receiving server, a dissemination server and in most cases, a database for data storage. Data management without a database becomes difficult very quickly. The servers need to be secured with a firewall that needs to be able to pass traffic through on at least two ports: one for receiving data and one for data dissemination.

Figure 6 Measurement station using a GPRS call uplink to a receiving server with an in-house data dissemination service. In this example the data dissemination service utilizes a LAMP (Linux, Apache, MySQL, and PHP) setup which is not an unreasonable assumption to make of a real world setup.


This situation changes slightly if the datalogger communicates with the receiving service via a GSM link (modem to modem) (Figure 7). In this case only the data dissemination server needs to be connected to the internet, and the firewall needs to have only the data dissemination port open. The GSM link can be replaced with any modem-to-modem connection such as a satellite link or a radio link. An example of this kind of setup is the work done by Koskiaho et al. (2010) in the Yläneenjoki river basin in Southwest Finland.

It is also possible to connect the datalogger directly to a cloud based service (Figure 8) that takes care of receiving and disseminating the data. In this situation no in house servers are required and the users connect directly to the cloud based service to access their data. This setup is similar to that found in Pham et al. (2020) which is used for automatic measurement of Secchi depth. Secchi depth is the depth at which a white or black and white disk disappears from view in the water and is a measure of the extinction of light within the water. In the system of Pham et al. (2020), a wireless internet connection is available for a direct connection to the measurement device. The communications for their system are based on the TP-link TL-MR6400 modem which controls the access to the backbone of the wireless connection.

Figure 7 Measurement station using a direct GSM data call to a receiving modem with an in-house data dissemination service.


Figure 8 Measurement service connected directly to an internet-based cloud service using the mobile network.

An extension of the setup of Figure 6 is when the instruments are directly connected to the dissemination service. This arrangement could come about if the datalogger is connected to the internet with a public IP and possibly a fully qualified domain name. The S::can Concube (https://www.hydrospan.cn/en/83.html, accessed 20.10.2020) is an example of a logging device that can also disseminate the data using its internal HTTP server if it is directly connected to the internet.

Figure 8 shows the way in which most modern measurement device vendors arrange their data dissemination. The SYKE EnviCal Manager used in the automatic measurement uncertainty estimation work by Kahiluoto et al. (2019) is an example of this kind of system.

The environmental noise measuring system developed by Cirrus Research Plc is another example of this kind of system, but in a hybrid way: in addition to a cloud service, it has inbound connections to the computer of the end user (Cirrus Research Plc staff, 2013).

In essence Figures 7 and 8 show the same kind of system. Even if the data collection and dissemination is cloud-based (Figure 8), it is still subject to the same threats and controls as the one that is in-house (Figure 7). The only difference is that the responsibility for the system has changed from the end user to the administrator of the cloud-based system.


4.3 Monte-Carlo Modelling the Risks

The risks related to connecting measurement nodes to a central service are related to the probabilities of the nodes being breached, and the probability that the central service can be breached (Equation 1).

The probability can be calculated using a Monte-Carlo model in which a route from a randomly determined starting node to the central service is mapped out and traversed. At each node, including the starting node, and at the central service, a random number is generated and compared to a predetermined probability value. If the random number is less than the probability, then the node is marked as breached and the route is traversed to the next node (Figure 9). In the case of the central service, the breach is noted and added to the total number of breaches. If the random number is more than the probability, then the traverse stops.

This process can be repeated many times to gain stable values for the total breach probability, Ptot. This probability is just the ratio of the number of central service breaches compared to the total number of traverses.

$P_{tot} = \frac{n_{breaches}}{n_{tot}}$ (8)

For this study the traverse was made 1000000 times for each scenario and combination of values. The variables that can change between the calculations in the scenarios are the probabilities P0 and P1, the number of nodes directly connected to the central service, ndir, and the total number of nodes, n. The probabilities can have values between 0.1 and 1.0. The scenarios are listed in Table 1.


Figure 9 Route from a starting node (node 5) to the central service via a node (node 6). P1 is the probability that a node is breached and P0 is the probability that the central service is breached.

In scenario S3 the probability of a node being breached becomes 1 if any node is breached during a traverse. The value is reset at the beginning of each traverse. In scenario S4 the probability of the central service being breached is set to 1.0 if any node is breached. In scenario S2 the values do not change during the traverse.

Table 1 Description of model scenarios.

Scenario   n          ndir   Description
S1         10 or 20   N      All nodes are directly connected to the central service.
S2         10 or 20   1-12   Nodes in a network. The nodes are independent.
S3         10 or 20   1-12   Nodes in a network. The nodes are dependent but the central service is independent.
S4         10 or 20   1-12   Nodes in a network. The nodes and the central service are dependent.
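The traverse model described above, written out as an added example (not the thesis author's model code): the scenario rules S1-S4 and Equation 8 follow the text, while the node wiring (chains hanging off the directly connected nodes), the sample probabilities and the trial counts are assumptions. An exact_probability function for that assumed layout is included to check the Monte Carlo estimate against Equations 9 and 10.

```python
"""Monte Carlo traverse model for the probability of breaching the central
service from the measurement network, scenarios S1-S4 of Table 1.
Added example, not the thesis author's model code. The node wiring in
build_network is an assumption: the thesis does not give its layout."""
import random

CENTRAL = -1  # marker for the central service at the end of every route


def build_network(n, ndir):
    """Constructed layout: nodes 0..ndir-1 connect directly to the central
    service; every other node i forwards to node i-ndir, so chains of
    roughly equal length hang off the direct nodes. next_hop[i] is where a
    traverse moves after breaching node i."""
    if not 1 <= ndir <= n:
        raise ValueError("need 1 <= ndir <= n")
    return {i: CENTRAL if i < ndir else i - ndir for i in range(n)}


def route_depth(next_hop, start):
    """Number of nodes on the route from start (included) to the service."""
    depth, node = 0, start
    while node != CENTRAL:
        depth += 1
        node = next_hop[node]
    return depth


def simulate(n, ndir, p0, p1, scenario, trials=100_000, seed=1):
    """One traverse per trial: pick a random start node; a random number
    below the node probability breaches the node and moves on, otherwise the
    traverse stops; at the central service a random number below its
    probability counts as a breach. Returns Ptot of Equation 8."""
    rng = random.Random(seed)
    next_hop = build_network(n, ndir)
    breaches = 0
    for _ in range(trials):
        node = rng.randrange(n)
        node_p, central_p = p1, p0        # reset at the start of each traverse
        while node != CENTRAL:
            if rng.random() >= node_p:    # node held: traverse stops here
                break
            if scenario in ("S3", "S4"):  # one breach makes the other nodes certain
                node_p = 1.0
            if scenario == "S4":          # ... and the central service as well
                central_p = 1.0
            node = next_hop[node]
        else:                             # reached the central service
            if rng.random() < central_p:
                breaches += 1
    return breaches / trials


def exact_probability(n, ndir, p0, p1, scenario):
    """Closed-form Ptot for the same layout, averaged over the uniformly
    chosen start node; used to check the Monte Carlo estimate. For S1
    (all nodes direct) this is P1*P0, Equation 9."""
    next_hop = build_network(n, ndir)
    total = 0.0
    for start in range(n):
        depth = route_depth(next_hop, start)
        if scenario == "S2":     # every node and the service independent
            total += p1 ** depth * p0
        elif scenario == "S3":   # first node breached, rest certain, service P0
            total += p1 * p0
        elif scenario == "S4":   # first node breached, everything else certain
            total += p1
        else:                    # S1: all nodes direct, depth == 1
            total += p1 * p0
    return total / n


if __name__ == "__main__":
    n, p0, p1 = 20, 0.1, 0.1
    print("scenario ndir  Ptot(MC)  Ptot(exact)  ndir/n*P1*P0 (Eq. 10)")
    for scenario in ("S2", "S3", "S4"):
        for ndir in (1, 4, 10, 20):
            mc = simulate(n, ndir, p0, p1, scenario)
            ex = exact_probability(n, ndir, p0, p1, scenario)
            print(f"{scenario:>8} {ndir:4d}  {mc:8.4f}  {ex:11.4f}  {ndir / n * p1 * p0:12.4f}")
```

For S2 the exact value exceeds Equation 10 by the contribution of routes of depth two or more, which is negligible when P1 is small; for S3 the assumed layout gives P0·P1 at every ndir and for S4 it gives P1.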

4.4 Situational Awareness

Situational awareness can be obtained using the Observe Orient Decide Act (OODA) loop in a fast enough way to achieve success (Zager & Zager, 2017). Intervention from a human operator is required.

As the loop starts with observations, the key to success is to have good situational awareness. Sensors must be installed at the node locations, at their connections to the backbone, and inside the nodes to detect events that happen there.


These sensors must then transmit their findings to the IDS at the operator location. If a breach occurs, then the operator is able to follow the OODA loop to achieve victory over the attack.

An anomaly-based IDS would be most useful here because a baseline would be easy to make and it would rarely change.

The OODA loop is conceptually similar to the PDCA loop defined in the ISO 27000:2017 set of standards. The two loops are compared in Table 2. The main difference between the two is that the OODA-loop is for good SA and the PDCA-loop is for good information security in general. It could be said that the rate at which the loop is cycled through is faster for the OODA-loop than the PDCA-loop.

Table 2 Differences between the OODA-loop and the PDCA-loop

OODA-loop   PDCA-loop
Observe     Plan
Orient      Do
Decide      Check
Act         Act

5 Results

5.1 Main Results

The diagrams, figures, descriptions and other constructs developed within the constructive methodology are presented in this chapter together with the results from the quantitative analysis of risks. The TCA analysis to help with cyber security awareness is in the discussion section.

The main research question in this study regarded how the cyber security of online automatic environmental measurements should be arranged. It was found that controls were needed for all components of the measurement system, and that statistical controls were needed for the measurement data results. For a situation in which the measurement nodes are connected directly to the central service, the risk related to connecting the nodes depends on the layout of the network, the probability that the nodes and the central service are breached, and the number of nodes directly connected to the central service.

5.2 Identified Main Assets

The entities that any kind of cyber security system tries to secure are called assets. In the case of online automatic environment measurements the main primary asset from the view of the owners, the public and regulators is the measurement data itself. The acquisition, transport, storage, analysis and dissemination of the data is the reason that the whole system is in existence. Without the data, the measurement setup has nothing but intrinsic value except to an attacker whose ultimate goals are somewhere else. They want to utilize the other assets to launch an attack at something else.

The identified assets and their classifications into the primary and secondary categories according to Pasquale et al. (2012) are shown in Table 3.

Table 3 List of the 12 most important identified assets, together with classifications, for the online automatic environment measurement system from the point of view of the data owner, user or regulator. This is called the customer domain.

Asset                        Classification
Measurement data             Primary
Measurement data integrity   Primary
Measurement device           Primary
Datalogger                   Primary
Backbone connection          Primary
Data service                 Primary
Database                     Secondary
Analysis service             Secondary
Quality control              Secondary
Maintenance service          Secondary
Server location              Secondary
Measurement location         Secondary


Figure 10 Interconnection of primary and secondary assets according to the notation of Pasquale et al. (2012) when the primary asset is the measurement data.

Primary assets are required to make the system function properly, and secondary assets support it and make it function better or give added value. The data service and database assets include all the hardware needed to run them. The location assets refer to the location of servers and measurement devices. These can be an attack source and need to be secured when possible. The maintenance service refers to operators accessing and maintaining the measurement devices and dataloggers. They could be a risk by, for example, being careless and leaving an instrument enclosure open. They are more of a secondary asset than server operators, who can be thought of as being part of the data service itself.

The interconnections between assets in Figure 10 show the primary-to-secondary relationship and why it is important to also secure the secondary assets. For example, it is possible to reach the measurement data starting from any of the secondary assets.

For the purposes of this study, the data integrity has been considered to be a primary asset that is separate from the data because by attacking the integrity of the measurement data, it is possible to cast doubt on the measurement data itself.

An interesting thought experiment is to change the point of view to that of an attacker. In this case the primary and secondary asset classifications change (Table 4). This thought experiment highlights even more clearly why assets considered secondary also need to be secured. If the measurement data is classified as secondary, it is possibly not considered important, and could easily be destroyed on the way to more important goals.

Table 4 List of assets with classifications for the online automatic environment measurement system from the point of view of an attacker.

Asset                        Classification
Measurement data             Secondary
Measurement data integrity   Secondary
Measurement device           Secondary
Datalogger                   Secondary
Backbone connection          Primary
Data service                 Primary
Database                     Primary
Analysis service             Secondary
Quality control              Secondary
Maintenance service          Secondary
Server location              Secondary
Measurement location         Secondary

If the interconnections between the assets remain the same (Figure 10), then it is easy to see how the secondary assets lead directly to the backbone connection, which could be the main target of an attacker not interested in the data itself.

5.3 Threats Related to Online Measurements

At first glance it would seem that automatic environment measurements are not nearly interesting enough for people to try to interfere with them. However, in addition to the threats associated with attaching a server to the internet, automatic environment measurements are subject to their own special kinds of threats. If the measurements are related to a business asset, for example a factory, then scenarios can be envisioned in which interference with the measurements could happen. It could be either in the interest of the proponents to interfere with the measurements, for example in the case of a leak, or in the interest of opponents to interfere, for example when an environmental permit is up for review.

The interference can occur in several ways: the data could be stolen, the data could be erased, the data could be changed or erroneous data could be fed into the system. In addition to these risks related to the data, DoS is always a real risk. The DoS can affect both the data receiving service and the data dissemination service.

The data can be stolen directly from the sensor, from the datalogger, from the receiving software and finally from the disseminating software. What happens after the client receives the data is not within the scope of this study. Data purging or erasing of data can happen at all of these points if the attacker has access to them.

Modifying the data is possible at the datalogger before the data is transmitted, at the receiving service and whilst it is being stored in the database. The dissemination service should not have the ability to modify the data as it only needs to read the database.

Erroneous data can be fed into the system by hijacking a datalogger and using it to send maliciously altered values to the receiving service. The receiving system can be compromised and used to write false information into the database. The database itself can be compromised and values altered there, and the dissemination service can be compromised to feed incorrect results to clients. In some cases it might be possible to hijack the information as it is on its way from the datalogger to the receiving software and then either steal, erase or modify it. All of this means that it is difficult for the receiving software to know whether the data arriving from the measurement station is valid or not.

The network attacks listed in section 3.8 can be directed at either the central service or any one of the nodes. As this study focuses on an ideal network of measurement nodes, specific vulnerabilities, and the threats related to them, cannot be addressed. DoS and DDoS attacks can render either the central service or the measurement network itself unavailable, and this needs to be taken into account when doing the technical implementation plan.


The central service is subject to threats coming from the internet, and it needs to be properly audited by cyber security professionals. A central service is easy to set up, and a simple server script written in Perl is shown in Appendix 1. However, even though it is easy to write programs that can be used as the central service, it is much harder to make them secure against all known threats. The PDCA loop described above (Table 2) shows that the central service also needs continuous auditing to keep it safe against new and emerging threats.

5.4 Model Results

The results of the Monte-Carlo modelling show that the probability of breaching the central service coming from the direction of the measurement network, Ptot, depends to some extent on the network configuration, the number of nodes, the number of nodes directly connected to the central service, and the probabilities P1, which is the probability that a node is breached, and P0, which is the probability that the central service is breached from a connected measurement node. The probabilities used are in all cases quite large so that the model reaches a steady state fast enough.

When the nodes are all directly connected to the central service (Figure 3) Ptot is found to be independent of the number of nodes, n, (Figure 11) and depends on the two probabilities in the following way:

$P_{tot} = P_1 \cdot P_0$ (9)

[Figure 11 plot: Ptot (0.00 to 0.80) on the y-axis against P1 (0.00 to 1.20) on the x-axis; series n=20, P0=0.1; n=10, P0=0.1; n=10, P0=0.2; n=10, P0=0.4; n=10, P0=0.6; n=10, P0=0.8]

Figure 11 Ptot as a function of P1 with directly connected nodes (scenario S1).


[Figure 12 plot for P0=0.1, P1=0.1: Ptot (0.000 to 0.012) on the y-axis against ndir (0 to 14) on the x-axis; series n=10 and n=20]

Figure 12 Ptot in the network of independent nodes scenario (scenario S2).

Only one chain of events is needed to breach the central service and all the chains are the same because all the nodes are directly connected to it.

In the network of independent nodes scenario (Figure 3 and Figure 4) Ptot depends on the number of nodes directly connected to the central service, ndir, and the total number of nodes, n (Figure 12). In this scenario the nodes are independent so that if one is breached then the others are unaffected. The formal dependency is

$P_{tot} = \frac{n_{dir}}{n} \, P_1 \cdot P_0$ (10)

The total probability is directly proportional to the ratio of the nodes directly connected to the central service and the total number of nodes.


[Figure 13 plot for P0=0.1, P1=0.1: Ptot (0.000 to 0.012) on the y-axis against ndir (0 to 14) on the x-axis; series n=10 and n=20]

Figure 13 Ptot in the network of dependent nodes scenario but an independent central service (scenario S3) in two different cases with a total number of nodes equal to 10 and 20.

Ptot in the network of dependent nodes scenario (S3) becomes a function of the number of nodes directly connected to the central service (Figure 13). In this scenario the nodes are dependent so if one is breached then the probability that the others are breached becomes 1.0. This is realistic in cases where the nodes are similar so that a vulnerability in one node exists in all the nodes and can easily be exploited. The central service is however unaffected. In this case the values of Ptot asymptotically approach P0P1 regardless of the value of n.


[Figure 14 plot for P1=0.1: Ptot (0.000 to 0.120) on the y-axis against ndir (0 to 14) on the x-axis; series P0=0.1, n=20; P0=0.4, n=20; P0=0.1, n=10]

Figure 14 Ptot in the network of dependent nodes scenario and dependent central service (scenario S4) in three different cases with a total number of nodes equal to 10 and 20, and two values of P0 for the n=20 case.

If the central service has the same vulnerability as the nodes, and it can be exploited, then the situation becomes different and the total probability that the central service is breached increases by a factor of 10. This is because the values of Ptot in this case asymptotically reach the value of P1, and not P0P1, as the number of nodes directly connected to the central service increases (Figure 14).

5.5 Backbone Connection Security

In these setups there is no control over the security of the backbone connection. Even if the backbone is over a direct radio link it cannot be assumed to be secure. Anyone can listen to the frequency and collect the information. The only way to secure the communication between the measurement station and the receiving software is to encrypt the connection using end-to-end encryption. This does not assume anything about the backbone communications channel. Even though modern channels may be secure today, they may not be secure in the future.

Dolev et al. (2008) have researched encrypted radio communications over an open network with a potential enemy listening in. They developed an authentic message exchange (AME) called f-AME, where the f stands for fast, in which nodes can communicate with each other without knowledge of a pre-shared key. Over short distances Bluetooth can be used. It is a form of radio communication that relies on a pre-known and pre-shared key that needs to be input into all devices participating in the communication.

Toorani and Beheshti (2008), in their review of GSM network security, find that it is susceptible to many kinds of attacks, and these are also relevant for 2G (for example GPRS) communications.

5.6 Security Controls

The primary and secondary assets together with their interconnections are shown in Figure 10. Each of the connections is a possible route for an attacker to take and so all of them require some kind of security control to mitigate the risk related to them. This is regardless of whether the primary target of the attack is the data itself, or part of the infrastructure.

For example a control between the measurement data and the backbone connection would be some kind of encryption. The controls for the attack vectors are shown in Table 5. There is no reason to distinguish between primary and secondary assets in this case.

The controls in Table 5 can be divided into used protocols, physical controls, intrusion detection, encryption and access control.

Most of these controls do not protect the data integrity at all. Even if all of the controls 1-31 function properly, it is still possible to weaken the data integrity. So a set of controls is needed to secure it. Data integrity has been considered to be a separate asset from the data itself for the purposes of this study.


Table 5 The controls related to the asset diagram showing asset interconnections.

Source                 Destination            Control
Maintenance service    Datalogger             1. Good maintenance protocol and checklists
Maintenance service    Measurement device     2. Good protocols and checklists
Measurement location   Measurement device     3. Physical security: locks; 4. Intrusion detection
Measurement location   Datalogger             5. Physical security; 6. Intrusion detection
Datalogger             Backbone connection    7. Access control; 8. Physical security
Datalogger             Measurement data       9. Physical security; 10. Access control; 11. Encryption
Measurement device     Backbone connection    12. Access control; 13. Physical security
Measurement device     Measurement data       14. Physical security; 15. Access control; 16. Encryption
Backbone connection    Measurement data       17. Encryption
Backbone connection    Data service           18. Access control
Server location        Backbone connection    19. Physical control; 20. Access control; 21. Intrusion detection
Server location        Data service           22. Access control; 23. Physical control; 24. Intrusion detection
Data service           Measurement data       25. Access control
Data service           Database               26. Access control
Database               Measurement data       27. Access control
Quality control        Data service           28. Access control
Quality control        Database               29. Access control
Data analysis          Data service           30. Access control
Data analysis          Database               31. Access control
Data integrity         Measurement data       32. Data integrity controls


5.7 IDS Sensor Placement

The asset schematic (Figure 10) is not an attack graph in the sense that it does not show the locations that exploits can be used to gain unauthorized access to the system. Therefore a formal algorithm for the placement of IDS sensors, such as the one developed by Noel and Jajodia (2008) cannot be used directly. Concepts such as network attack paths and the distance from the sensor to the most critical asset are still useful. A signal from a sensor further away from the most critical asset would have a slightly smaller priority than a signal closer to it.

If an anomaly-based IDS is installed in this sensor network system, it would require many sensors to give enough information (Figure 15). For the best picture, it would be good to have sensors both inside and outside a firewall, and in locations where there is a possibility for traffic to go in many directions.

In a real-world setup the lines going to node 6 (Figure 15) would probably only be one line. The node would be connected to the network via one interface. Therefore it would be sufficient to have a sensor inside the node and one just outside the interface.

Figure 15 Sensor placement with regard to the breached node 5 and unbreached node 6, and assuming an attack direction going towards the central service.


5.8 Authenticating the data connection

Scientists using automatic environment measurements may inadvertently bring something malicious into their system because they do not authenticate the data connection sufficiently. Authentication in this case means that the service knows that the data is legitimate and correct.

To make sure that the measurement station has not been tampered with, the casing can have intrusion detection which can send out an alarm if it senses unauthorized opening. This does not work if the datalogger is not measuring continuously and has been put to sleep between measurements to save electricity. Of course it would be possible to wake the station up in the case that an intrusion is sensed and this would be a prudent course of action. If the datalogger is hibernating the intrusion detection should be designed in such a way that it gives a signal that it has been triggered even after the event has occurred so that the datalogger knows that an event has occurred when it wakes up to make a reading.

Most automatic measuring stations have some kind of knowledge of their position and this is usually based on a Global Positioning System (GPS) based system. The sensor could send out a warning if it finds that its position has changed unexpectedly. This is also useful to operators in the case of a floating buoy which has become unattached from its mooring. The easiest way to change the measurement results is to move the station to a different location that has different water quality parameter values and the datalogger needs to notice this change.

Changing or removing the sensors can change the measurement values. Some of the newest sensors have a digital signature which is known to the datalogger. The datalogger could send out a warning if it senses that the digital signature has changed.

The final safeguard against erroneous data is a good quality control at the receiving end so that unrealistic results are not accepted or are flagged as suspect. This can be done by a human operator or with some kind of artificial intelligence, or a combination of the two.


Figure 16 Calculated hashes from a measurement station with two sensors, a GPS position and intrusion detection. In scenario 1 the intrusion detection has been tripped, in scenario 2 the latitude has changed and in scenario 3 one of the sensors has changed.

One way of authenticating the station is to make a hash with some algorithm, known to the receiving service, of the digital signatures of the sensor, the GPS position within a realistic tolerance, and the signal of the intrusion detection system. The receiving station would accept the data only if it is accompanied by the correct hash.

The hash can be calculated using a modern hashing algorithm which is not easy to crack. An example of hashes calculated using SHA-256 is shown in Figure 16 with a normal case and 3 erroneous scenarios. The hashes produced by the erroneous scenarios are not accepted by the receiving software.

For this to work, the hash needs to be pre-known by the receiving service. The hashes have to be updated if changes are made to the setup.
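The station hash described above, as an added example that is not the thesis author's code: SHA-256 over the sensor signatures, the GPS position reduced to a grid cell of an assumed 0.01 degree tolerance, and the intrusion detection state, with the receiving service accepting readings only when the accompanying hash equals the pre-registered one. The field names, sensor signatures, coordinates and readings are constructed values.

```python
"""Station authentication hash: SHA-256 over the sensor digital signatures,
the GPS position quantised to a tolerance, and the intrusion detection
state. Added example, not the thesis author's code; the field names, sample
signatures, coordinates and the 0.01 degree tolerance are assumptions."""
import hashlib
import hmac
import json

POSITION_TOLERANCE_DEG = 0.01   # assumed: roughly 1 km, so mooring swing is ignored


def station_fingerprint(sensor_signatures, latitude, longitude, intrusion_tripped):
    """Hash of the station state. The position is reduced to a grid cell so a
    buoy swinging on its mooring keeps its hash while a relocation changes
    it; the sensor list is sorted so wiring order does not matter."""
    state = {
        "sensors": sorted(sensor_signatures),
        "lat_cell": round(latitude / POSITION_TOLERANCE_DEG),
        "lon_cell": round(longitude / POSITION_TOLERANCE_DEG),
        "intrusion": bool(intrusion_tripped),
    }
    canonical = json.dumps(state, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def station_message(readings, sensor_signatures, latitude, longitude, intrusion_tripped):
    """What the datalogger sends: the readings plus the hash of its state."""
    return {"readings": readings,
            "station_hash": station_fingerprint(sensor_signatures, latitude,
                                                longitude, intrusion_tripped)}


def accept_readings(message, known_hash):
    """Receiving-service check: the readings are accepted only when the
    accompanying hash equals the pre-known one (constant-time compare);
    a message without a hash is rejected."""
    return hmac.compare_digest(message.get("station_hash", ""), known_hash)


def demo_scenarios():
    """The normal case and the three tampering scenarios of Figure 16 on
    constructed values; returns which messages the service accepts."""
    sensors = ["SN-TEMP-0001", "SN-COND-0042"]        # constructed signatures
    lat, lon = 62.2415, 25.7410                      # constructed position
    known = station_fingerprint(sensors, lat, lon, False)   # registered at setup
    cases = {
        "normal":          (sensors, lat + 0.002, lon, False),  # swing within tolerance
        "intrusion":       (sensors, lat, lon, True),           # scenario 1
        "moved":           (sensors, lat + 0.05, lon, False),   # scenario 2
        "sensor_replaced": (["SN-TEMP-9999", "SN-COND-0042"], lat, lon, False),  # 3
    }
    return {name: accept_readings(station_message([12.3, 0.41], *args), known)
            for name, args in cases.items()}


if __name__ == "__main__":
    for name, accepted in demo_scenarios().items():
        print(f"{name:16s} -> {'accepted' if accepted else 'rejected'}")
```

A plain hash of station state only proves that the state matches; anyone who has observed the hash on the wire can resend it, so in a deployment it should be keyed with a per-station secret (HMAC) and carried inside the encrypted backbone connection that section 5.5 calls for.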

5.9 Remote Access

If remote access to the measurement station is required then that needs to be well secured. As an example, maintenance of measurement stations would need remote access if it is not feasible for operators to go to the location.

Automatic measuring stations can come with services for connecting with telnet, SSH or HTTP. If the measurement station has a connection with a public IP address for remote access, it is vulnerable to attacks from the internet side and needs to be secured with a firewall and access control. All non-essential inbound traffic needs to be blocked by the firewall, and access should only be granted to connections originating from a location which has been granted permission to connect to the station. Authentication then needs to be done before access is granted.

Another way to have remote access is to let the measurement station initiate the connection. This can be done by either having the station initiate connections on a certain schedule, or by sending the station a message (by e.g. SMS) to command it to initiate a connection. This method then requires the server end to have a service available for the connection. The measurement station needs to be able to differentiate between authorized and unauthorized commands and should always initiate the connection to the same, predetermined place.

5.10 Statistical controls

If all other controls fail and an attacker is able to insert erroneous values into the data stream, then the only way to spot them is to look at the data itself and apply some controls to it directly. To demonstrate this, two controls, a rolling standard deviation and self-correlation, are applied to a data stream of real-world values.

A time series of surface water temperature for one location was obtained from the Finnish Meteorological Institute (from merihavainnot.fi). The temperature and its standard deviation show that the standard deviation is always above a value of 0.1 °C (Figure 17). In this example the standard deviation is calculated for a window of 24 h which is rolled across the whole dataset. This control could be applied to the latest data as it arrives at the service.

Figure 17 Temperature (upper figure) and its standard deviation (lower figure) in the normal situation.

Figure 18 Temperature and its standard deviation in a situation when constant values have been inserted. The inserted values are inside the red rectangle.

If a set of constant values is inserted into the data stream, then the standard deviation goes to zero during that time (Figure 17). This can be used as a control to distinguish between real and false values within the stream.

When the inserted data is based on previously existing data, the standard deviation no longer goes to zero and does not reveal the false values (Figure 19). In this case it is necessary to use some form of self-correlation (or autocorrelation).

Self-correlation occurs when a time series is linearly related to a lagged version of itself. Consecutive parts of a time series can be assumed to be linearly correlated, in which case they follow a function of the form:

$X_1 = K \cdot X_2 + A$ (11)

where $X_1$ and $X_2$ are the two consecutive parts of the time series, K is the correlation coefficient between them and A is a constant. $X_1$ and $X_2$ are consecutive segments of the time series, each of length Δt. The length Δt should be related to the properties of the time series; in this example it is approximately 24 h.

By looking at the value of K as it is calculated for all segments in the whole timeseries, the false values can be identified (Figure 20).

Figure 19 Temperature and its standard deviation in a situation in which previous values have been inserted as timeseries. The inserted values are shown within the red rectangle.

Figure 20 Slope of consecutive timeseries.

All controls need to be applied simultaneously because the form of the attack cannot be known in advance.
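The two controls described above, as an added example that is not the thesis's own code or data: a rolling 24 h standard deviation that catches inserted constant values, and a least-squares fit of each 24 h segment against the preceding one (equation 11) whose residual is exactly zero only when a segment is a copy of earlier data. The temperature series, the tampered stretches and the thresholds are constructed for the example, and the fit is slid one sample at a time rather than over fixed 24 h blocks so that an insertion that is not aligned to the blocks is still found.

```python
"""Statistical controls on a measurement data stream: a rolling standard
deviation and a lagged linear fit of consecutive segments (equation 11).
Added example with a constructed synthetic temperature series; not the
thesis's own code or data."""
import math
import random
from statistics import pstdev

WINDOW = 24                # 24 h of hourly samples
STD_FLOOR = 0.1            # deg C; real data stayed above this (Figure 17)
FIT_RESIDUAL_FLOOR = 1e-6  # deg C; a perfect linear fit means copied data


def make_series(hours=240, seed=1):
    """Constructed hourly surface-water temperature: slow warming trend,
    diurnal cycle and sensor noise."""
    rng = random.Random(seed)
    return [12.0 + 0.01 * t + 0.8 * math.sin(2 * math.pi * t / 24.0)
            + rng.gauss(0.0, 0.15) for t in range(hours)]


def insert_constant(series, start, length):
    """Tampering case 1 (Figure 18): a stretch is replaced by one constant."""
    out = list(series)
    out[start:start + length] = [series[start]] * length
    return out


def replay_previous(series, start, length):
    """Tampering case 2 (Figure 19): a stretch is replaced by a copy of the
    stretch that immediately precedes it."""
    out = list(series)
    out[start:start + length] = series[start - length:start]
    return out


def rolling_std(series, window=WINDOW):
    """Trailing-window standard deviation; None until the window is full."""
    return [None if i + 1 < window else pstdev(series[i + 1 - window:i + 1])
            for i in range(len(series))]


def flag_constant(series, window=WINDOW, floor=STD_FLOOR):
    """Sample indices whose trailing window has collapsed to (near) zero
    spread: the constant-value case."""
    return [i for i, s in enumerate(rolling_std(series, window))
            if s is not None and s < floor]


def linear_fit(x, y):
    """Least-squares fit y = K*x + A. Returns (K, A, rms_residual)."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxx = sum((xi - mx) * (xi - mx) for xi in x)
    sxy = sum((xi - mx) * (yi - my) for xi, yi in zip(x, y))
    k = sxy / sxx if sxx else 0.0
    a = my - k * mx
    rms = math.sqrt(sum((yi - (k * xi + a)) ** 2 for xi, yi in zip(x, y)) / n)
    return k, a, rms


def segment_fits(series, window=WINDOW):
    """Fit each segment X1 = series[s:s+window] against the preceding segment
    X2 = series[s-window:s] (X1 = K*X2 + A). The segment start is slid one
    sample at a time so an insertion need not line up with fixed 24 h blocks.
    Returns (start, K, A, rms_residual) per position."""
    out = []
    for s in range(window, len(series) - window + 1):
        k, a, rms = linear_fit(series[s - window:s], series[s:s + window])
        out.append((s, k, a, rms))
    return out


def flag_replayed(series, window=WINDOW, floor=FIT_RESIDUAL_FLOOR):
    """Segment starts where the fit against the previous segment is exact
    (residual ~ 0). Measured data with sensor noise never fits exactly, so an
    exact fit means the segment was copied (K = 1, A = 0) rather than
    measured. A constant segment also fits exactly (K = 0), one more reason
    the controls are applied together."""
    return [s for s, _k, _a, rms in segment_fits(series, window) if rms < floor]


if __name__ == "__main__":
    clean = make_series()
    print("clean :", flag_constant(clean), flag_replayed(clean))
    print("const :", flag_constant(insert_constant(clean, 100, 36))[:3], "...")
    print("replay:", flag_replayed(replay_previous(clean, 96, 24)))
```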

In practice, the inserted data may not be as well defined. In these cases it will be necessary to apply some kind of artificial intelligence to look at the data, but this is beyond the scope of this study. It must also be noted that experienced human operators who know the environment can be well positioned to spot erroneous values.

A study of automatic uncertainty estimation for online measurements has been done by Kahiluoto et al. (2020).

5.11 Situational Awareness

In addition to looking at the data, operators should have a good SA of the technical aspects of the measurement system.

Using the OODA loop, a set of practices can be set up to achieve good SA. These could be:

1. A set of criteria that sensor values need to reach for any kind of action to be necessary needs to be defined in advance.
2. The security events warranting a warning need to be decided in advance.
3. Sensors need to send out warnings if an event has occurred.
4. The operator should inspect the sensors periodically even though they send out warnings.
5. If action is needed then action must be taken.
6. The operator must have the authority to take action.
7. All events and actions must be documented for future review.
8. Documentation of the system and protocols must be kept up to date.
9. A periodic review of the system needs to be made.
10. Changes to the system must be made if they are found to be necessary.

Using guidelines similar to these, the operator is able to observe an attack, orient themselves to making decisions and acting, make the decision and then act upon it, in accordance with the OODA loop.

5.12 Social Engineering

Good protocols need to be put in place to lessen the possibility of human operators compromising the integrity of the system by leaking passwords or giving physical keys to entities not authorized to handle them.

A simple good protocol could be summed up in 3 points:

1. Never give a password to anybody.
2. Never ask anybody for their password.
3. Only named system administrators have the authority to change passwords.

The same kind of protocol can be used for physical keys.

5.13 Simple Threat Model of an Online Measurement System

Attacking the backbone connection and dissemination is relatively hard and requires expertise. The easiest way to change the results of the measurement station is to take it to another place where the water quality is different.

Let us assume that a monitoring program has been setup to monitor the wastewater discharge into a water body from a factory (Figure 21). The normal flow of water is always from left to right so the monitoring site is located at measurement site 1. If the factory needs to discharge a larger amount of wastewater, or wastewater with a larger concentration of pollutants, than their permit allows, then they could just move the monitoring station to measurement site 2 for the duration of the discharge. The station would still be in the same natural water but it would not be affected by the wastewater plume and therefore it would be difficult for anybody inspecting the incoming measurement results to detect the change. After the discharge event is over, the station could be moved back to the original site. Depending on the motives, the sensors could also be moved from measurement site 2 to measurement site 1 so that the sensors pick up the plume. This could be done if measurement site 2 is close to a sensitive nature reserve and the monitoring is done to protect it. By moving the sensors, opponents of the factory could try to make it look like the factory is affecting the nature reserve, even though it is not, and force it to stop discharging or possibly even to shut down completely.

Figure 21 Measurement locations used in the monitoring of a discharge plume showing how the discharge is not picked up if the sensors are moved from measurement site 1 to measurement site 2. The current is flowing from left to right so measurement site 2 is still within the same water mass as measurement site 1.

The controls described in the previous sections can be used to secure this setup. An overview of how these controls are used is shown in Table 6.

Table 6 Controls used to secure against the threats in this simple threat scenario.

Event: Station moves from site 1 to site 2
Control: GPS control
Description: If the station is moved to another location without authorization, then the GPS location will change and the calculated hash will change. This will cause the receiving service to discard the data.

Event: Air values observed
Control: Statistical control
Description: When the station is moved, air values may be observed. Air values will show up in the data stream as constant values and a statistical control can be used to mitigate against it.

Since this situation does not include a breach of the system at any level, neither at the measurement node level, nor at the datalogger level, nor at the central service level, the statistical and GPS controls are the only controls that can keep the integrity of the data intact. Even though this attack is simple, it is hard to mitigate the risks related to it.
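The GPS control of Table 6, as an added example that is not the thesis's own code. The record format, the HMAC construction with a per-station shared key, the site register and the rounding of the GPS fix to a coarse grid (to absorb normal fix jitter) are all assumptions made for this example; the point shown is that the receiving service recomputes the tag with the registered site position, so a station that has been moved produces records that fail verification and are discarded.

```python
"""GPS control from Table 6: the station binds each record to its position
by including the (rounded) GPS fix in an HMAC; the receiving service
recomputes the HMAC with the registered site position, so a station that
has been moved produces records whose tag no longer verifies.
Added example with an assumed record format; not the thesis's own code."""
import hashlib
import hmac
import json

# Constructed placeholders: a per-station shared key and the site register
# (registered latitude/longitude of measurement site 1 for this station).
STATION_KEY = b"example-station-key-not-a-real-secret"
SITE_REGISTER = {"station-01": (62.241, 25.747)}
GRID_DECIMALS = 3   # ~100 m cells absorb ordinary GPS jitter (assumption)


def grid(lat, lon, decimals=GRID_DECIMALS):
    """Snap a GPS fix to a coarse grid so small jitter does not break the tag."""
    return (round(lat, decimals), round(lon, decimals))


def canonical(station_id, timestamp, position, values):
    """Deterministic byte encoding of the fields that get authenticated."""
    body = {"station": station_id, "ts": timestamp,
            "lat": position[0], "lon": position[1], "values": values}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def station_record(key, station_id, timestamp, lat, lon, values):
    """Station side: build a record whose tag covers the position it measured."""
    pos = grid(lat, lon)
    tag = hmac.new(key, canonical(station_id, timestamp, pos, values),
                   hashlib.sha256).hexdigest()
    return {"station": station_id, "ts": timestamp, "lat": pos[0],
            "lon": pos[1], "values": values, "tag": tag}


def service_accepts(key, record, register=SITE_REGISTER):
    """Service side: recompute the tag with the REGISTERED position, ignoring
    the position carried in the record. A moved station (or a forged position
    or tampered values) fails to verify and the record is discarded."""
    site = register.get(record["station"])
    if site is None:
        return False
    expected = hmac.new(key, canonical(record["station"], record["ts"],
                                       grid(*site), record["values"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record["tag"])


if __name__ == "__main__":
    at_site1 = station_record(STATION_KEY, "station-01", "2020-06-01T12:00:00Z",
                              62.2412, 25.7469, {"temp": 14.2})
    moved = station_record(STATION_KEY, "station-01", "2020-06-01T13:00:00Z",
                           62.255, 25.790, {"temp": 13.1})
    print("at site 1 accepted:", service_accepts(STATION_KEY, at_site1))
    print("moved station accepted:", service_accepts(STATION_KEY, moved))
```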

6 Discussion

6.1 Risk Modelling

The Monte Carlo model results show that when all of the nodes are directly connected to the central service, the probability that the central service is breached is $P_{tot} = P_1 P_0$ (Figure 11). This means that only one node needs to be breached to get to the central service, but then that needs to be breached as well. There is no dependence on the total number of nodes.

In the case of a network of independent nodes, the total probability becomes the same as in the directly connected case when the number of directly connected nodes ($n_{dir}$) reaches the total number of nodes (n). For smaller values of $n_{dir}/n$ the probability of breach is smaller (Figure 12). This means that the risk incurred by the central service increases as the number of direct connections increases. An interconnected network of nodes is more secure than direct connections.

If the nodes are all similar then they may have exactly the same vulnerabilities. Therefore, if an attacker breaches one, they are in a position to breach all of them. In this case the total probability reaches the limiting value of $P_1 P_0$ with a much smaller number of directly connected nodes. In this example this asymptotic value is reached after 5 nodes are directly connected (Figure 13).

It is not unfeasible to assume that the central service may have the same vulnerability as the measurement nodes. Again, in this case an asymptotic value is reached when 5 nodes are directly connected to the central service (Figure 14), but the value reached is not $P_1 P_0$ but just $P_1$. As the probability of breach for the central service goes to 1 when any of the nodes is breached, it will always be 1 if an attacker comes from the direction of a node, because they will have had to breach a node first. When more nodes are connected there are more possibilities for an attack.

This analysis does not take into account the nature of the connections between the nodes and the central service. If the network is local then the connections can be isolated, but if the measurement nodes are far apart then they will probably be connected via the GSM network or the internet. It is also possible to breach the central service without first breaching a node, and this possibility increases its probability of breach. The purpose of this analysis is to quantify the risk of connecting measurement nodes to the central service.

If an attacker has some kind of prior knowledge of the system, then they would probably initiate the attack on a node directly connected to the central service, or directly on the central service itself. In this case the situation would be returned to that shown in scenario 1.

6.2 Reliability

In addition to the reliability of the measurement results themselves, the reliability of this kind of work is also related to the cyber security implementations themselves. Their reliability depends on the assumptions made regarding the system being studied and also regarding the cyber threat environment it is subject to. If the system has been studied in an improper way, the recommendations may not be totally valid. The same is true if the cyber threats have been under- or overestimated, or the threats have been assumed to come from somewhere when in reality they originate from somewhere completely different.

In this study the automatic measurement systems are simplified, but they are based on real-world examples. Therefore the cyber security controls used to secure them can be assumed to also be realistic. The role of human operators has been factored in where necessary, increasing the reliability of the analysis.

No assumptions have been made on the source and nature of the cyber-attacks except that they originate from outside the network of sensors and the central service. It is hard to imagine a case where an attack would originate from inside the system without the system having been breached first. One possibility is that the system fails in such a way that the IDS sensors believe it is an attack. This should however lead to human intervention, and it is hoped that the human operator would notice that the perceived attack is in fact a false positive.

The IDS sensors positioned around the network play a crucial role in making the cyber security system reliable. Good reliability of the sensors leads to good SA. If the sensors generate a large number of false positives, or if they fail to recognize real events (false negatives), then they erode the reliability and do not help in achieving good SA.

6.3 Need for an Industry Standard for Automatic Measurements

Automatic environmental measurements are important, and the results are used in monitoring work, in research and in regulatory work. The confidentiality, integrity and availability of the data are therefore vital for all of these tasks to be accomplished. In addition, the systems themselves need to be secure so that the infrastructure within them cannot be used to attack the rest of the community.

Industry standards for cyber security in different fields exist. One such standard is the standard for the cyber security of industrial automation and control systems (ISA 62443).

An industry standard for the cyber security of automatic environmental measurements would help in the development of robust methods to secure them and would also help vendors realize that cyber security is important and it is incumbent on them to incorporate security into their products.

6.4 Question of Open Ports on Consumer Machines

If a vendor produces a device which is able to connect to a computer via an open port, this computer should be within the sphere of influence of an administrator with some knowledge of cyber security concepts.

All open internet ports on a computer are potential cyber security risks, especially as cyber-attacks are becoming more complex. If a system used for online automatic measurement is breached on a consumer computer, then all of the user information is potentially compromised, and the computer could be used for other attacks. One such use is being part of a DDoS attack.

The most secure systems are ones with air gaps between the system and the internet. In the case of measurement systems that would mean that the device is connected to a computer which is not connected to anything else. If the risk of losing data due to a cyber-attack is too great, because the data is too sensitive for example, then this is the only way to mitigate that risk.

How much risk open ports on consumer systems pose is something that could be taken up in future studies.

6.5 Increasing Cyber Security Awareness Using the Superhero Method

For any industry standard or any ISMS to be implemented in an effective way, operators need to be made aware that cyber security is important. Previous studies (e.g. Haukilehto & Hautamäki 2019) have shown that non-professionals in the field of cyber security can be lacking in cyber security skills.

A more exciting way of increasing cyber security awareness is to look at and highlight cyber security in popular culture. By taking cyber security out of its technical framework, it is possible to look at it directly. Illustrative examples can help the learning of difficult concepts (Rawson et al., 2015).

Cyber security needs and failures can be seen in almost all of popular culture. By identifying these problems, thinking about solutions to them, and then trying to relate those solutions to real-world problems, anyone with no cyber security skills can increase these skills.

This approach is called the superhero approach to cyber security awareness. One example of this approach is to look at the 1960’s television series Batman and identify cyber security events in that. A few examples of that are shown here but a broader description of this is given in Appendix 2.

In season 1 episode 3 (“Fine Feathered Finks”) of the series, Batman inadvertently takes a bugging device, designed by a master criminal called The Penguin and concealed within an umbrella (the Batbrella), into the Batcave, the secret underground lair of Batman. The Penguin is then able to listen in to Batman and Robin speculating on the subject, location and method of what would be The Penguin’s next crime. To counter this vulnerability, Batman would need to monitor outgoing radio signals to catch this kind of eavesdropping and also to implement a form of intrusion detection system that detects bugging devices.

This kind of intrusion detection technology exists in the city in which Batman operates, because The Penguin utilizes it in his umbrella factory (K. G. Bird Umbrellas). Bruce Wayne, Batman’s mild-mannered millionaire playboy alter ego, is caught by it when he tries to plant a listening device in The Penguin’s office. The bug he tried to install was disguised to look like a small insect, but the IDS detected it remotely before it was able to activate.

There is a direct telephone hotline between the home of Bruce Wayne and the Gotham City Police Department which Commissioner Gordon, the police commissioner, can use to call Batman directly. Apparently the commissioner does not know where the hotline goes, because the identity of Batman is not known to the police. There is a weakness in the hotline security which is evident in season 1 episode 1 (“Hi Diddle Riddle”) when The is able to call the mobile Batphone in the Batmobile directly to taunt Batman. This means that the hotline is insecure, and Batman should have some form of authentication protocol in place to ensure the identity of the caller and make sure that it is in fact Commissioner Gordon of the Gotham City Police Department. The Joker has a version of this kind of security protocol in place when his henchmen call him. In season 1 episode 15 (“The Joker Goes to School”) he requires that his accomplice Suzy give the correct sign before giving her the correct counter-sign. This gives them some more confidence in the identity of the person that they are talking with.

This superhero-based cyber security topic is largely subjective and to some extent speculative, but it can be useful from a cyber security awareness point of view. Metaphors from popular culture can be used as learning aids. Scholefield and Shepherd (2019) found that games were useful in increasing CA, and the approach in this study follows a similar philosophy. This topic should be researched in more detail and more rigorously in future studies.

7 Conclusions

Automatic measurements are the main way in which environmental impacts are monitored on a constant basis. The systems consist of a remote measurement station which has measurement sensors attached, some form of backbone connection and a service that collects and disseminates the data.

The purpose of this study was to look at securing online automatic environment measurement systems against cyber security attacks. According to the main results, controls were needed for all components of the measurement system and statistical controls were needed for the measurement data results themselves. If the measurement nodes are connected directly to the central service, the risk related to connecting the nodes depends on the layout of the network, the probability that the nodes and the central service are breached, and the number of nodes directly connected to the central service.

The 12 most important assets were identified for the system, and these were classified into primary and secondary assets from the point of view of the user or owner. The most important asset was the measurement data itself, and data integrity was taken to be a separate asset from the data. A list of 32 controls was compiled to secure these assets after the interconnections between the assets were identified. Protocols were introduced to increase the situational awareness and to help against social engineering.

It was found that the classification of primary and secondary assets changed when the point of view was changed to that of an attacker not interested in the data but in some other part of the system like the backbone connection. This means that it is important to also properly secure the secondary assets.

Risks were quantified for a network of interconnected nodes using a Monte Carlo model and the most important variables were found to be the probability that a single node is compromised and the number of nodes directly connected to the system.

A simple threat model was made to highlight how these controls work together to mitigate cyber security based risks in automatic environment measurement systems.

Even though the threat modelled was simple, it was found that not all of the cyber security controls could mitigate against it. The location change of the station was observed with the GPS control and the data integrity was found to rely more on statistical controls.

Acknowledgements

I thank JAMK for letting me work on this interesting subject in an exciting way. I also thank my supervisor Tero Kokkonen for his comments. I also want to thank my peers and family who have read all or parts of this work and given valuable input. Good times.

References

Anderson, R. (2007). Thematic content analysis (TCA). Descriptive presentation of qualitative data, 1-4.

American National Standards Institute / International Society of Automation (2020). Security for industrial automation and control systems Part 3-3: System security requirements and security levels. ANSI/ISA-62443

Al Shamsi, A. A. (2019). Effectiveness of Cyber Security Awareness Program for young children: A Case Study in UAE. International Journal of Information Technology and Language Studies, 3(2).

Ashoor, A. S., & Gore, S. (2011). Importance of intrusion detection system (IDS). International Journal of Scientific and Engineering Research, 2(1), 1-4.

Bada, M., Sasse, A. M., & Nurse, J. R. (2019). Cyber security awareness campaigns: Why do they fail to change behaviour? arXiv preprint arXiv:1901.02672.

Chen, Y., Das, S., Dhar, P., El-Saddik, A., & Nayak, A. (2008). Detecting and Preventing IP-spoofed Distributed DoS Attacks. IJ Network Security, 7(1), 69-80.

Chen, T. M., Blasco, J., Alzubi, J., & Alzubi, O. (2014). Intrusion detection. Engineering & Technology Reference, 1.

Cirrus Research Plc staff, (2013). Noise-hub2 software user manual, Cirrus Research Plc, edition 2, 2013.

Coffey, T., & Saidha, P. (1996). Non-repudiation with mandatory proof of receipt. ACM SIGCOMM Computer Communication Review, 26(1), 6-17.

Crnkovic, G. D. (2010). Constructive research and info-computational knowledge generation. In Model-Based Reasoning in Science and Technology (pp. 359-380). Springer, Berlin, Heidelberg.

Department of Homeland Security (2019). Critical infrastructure. Washington, DC: Department of Homeland Security. https://www.dhs.gov/cisa/critical-infrastructure-sectors (11.10.2020)

Disterer, G. (2013). ISO/IEC 27000, 27001 and 27002 for information security management. Journal of Information Security, 4, 92-100. doi:10.4236/jis.2013.42011

Dolev, S., Gilbert, S., Guerraoui, R., & Newport, C. (2008). Secure communication over radio channels. In Proceedings of the twenty-seventh ACM symposium on Principles of distributed computing (pp. 105-114).

Endsley, M.R. (1987). SAGAT: A methodology for the measurement of situation awareness (NOR DOC 87-83). Hawthorne, CA: Northrop Corp.

Endsley, M. (1995). Toward a Theory of Situation Awareness in Dynamic Systems. Human Factors: The Journal of the Human Factors and Ergonomics Society, 37(1), 32-64. doi:10.1518/001872095779049543

Eling, M., & Schnell, W. (2016). What do we know about cyber risk and cyber risk insurance? The Journal of Risk Finance, 17(6), 474-491.

European Cyber Security Organisation (2018, March). Gaps in European Cyber Education and Professional Training. https://www.ecs-org.eu/documents/publications/5bf7e01bf3ed0.pdf (29.9.2020)

Finnpulp staff (2019, December 20). Finnpulp: “We are dismayed by the decision of the Supreme Administrative Court to reject the environmental permit”. https://www.finnpulp.fi/en/2019/12/20/finnpulp-we-are-dismayed-by-the-decision-of-the-supreme-administrative-court-to-reject-the-environmental-permit/

Garcia-Teodoro, P., Diaz-Verdejo, J., Maciá-Fernández, G., & Vázquez, E. (2009). Anomaly-based network intrusion detection: Techniques, systems and challenges. Computers & Security, 28(1-2), 18-28.

Hammersley, J. M. (1960). Monte Carlo methods for solving multivariable problems. Annals of the New York Academy of Sciences, 86(3), 844-874.

Haukilehto, T., & Hautamäki, J. (2019). Survey of Cyber Security Awareness in Health, Social Services and Regional Government in South Ostrobothnia, Finland. In Internet of Things, Smart Spaces, and Next Generation Networks and Systems (pp. 455-466). Springer, Cham.

Honkola, M. L., Kukkurainen, N., Saukkonen, L., Petäjä, A., Karasjärvi, J., Riihisaari, T., Tervo, R., Visa, M., Hyrkkänen, J., & Ruuhela, R. (2013). The Finnish Meteorological Institute: final report for the open data project. Finnish Meteorological Institute Reports, 2013(6).

Hoque, N., Bhuyan, M. H., Baishya, R. C., Bhattacharyya, D. K., & Kalita, J. K. (2014). Network attacks: Taxonomy, tools and systems. Journal of Network and Computer Applications, 40, 307-324.

Hunt, E. (2016, March 23). Tay, Microsoft's AI chatbot, gets a crash course in racism from Twitter. The Guardian. https://www.theguardian.com/technology/2016/mar/24/tay-microsofts-ai-chatbot-gets-a-crash-course-in-racism-from-twitter?CMP=twt_a-technology_b-gdntech (17.11.2020)

International Standards Organization / International Electrotechnical Commission (2017). Information technology. Security techniques. Information security management systems. Overview and vocabulary. ISO/IEC 27000:2017

International Standards Organization / International Electrotechnical Commission (2018). Internet of Things (IoT) – Reference Architecture. ISO/IEC 30141:2018

International Society of Automation (2020). Security for Industrial Automation and Control Systems Part 1-1: Terminology, Concepts, and Models. Copyright 2007. ISA-62443-1-1-2007

JAMK staff (2018), Ethical Principles for JAMK University of Applied Sciences Approved by the Student Affairs Board on 11 December 2018

Jiménez, M., Sánchez, P., Rosique, F., Álvarez, B., and Iborra, A. (2011). A tool for facilitating the teaching of smart home applications. Computing Applications in Engineering Education 2011. doi:10.1002/cae.20521

Kahiluoto, J., Hirvonen, J., & Näykki, T. (2019). Automatic real-time uncertainty estimation for online measurements: a case study on water turbidity. Environmental monitoring and assessment, 191(5), 259.

Kaplan, S., & Garrick, B. J. (1981). On the quantitative definition of risk. Risk analysis, 1(1), 11-27.

Kasanen, E., Lukka, K., Siitonen, A. (1993). The constructive approach in management accounting research. Journal of Management Accounting Research, 241–264.

Koskiaho, J., Lepistö, A., Tattari, S., & Kirkkala, T. (2010). On-line measurements provide more accurate estimates of nutrient loading: a case of the Yläneenjoki river basin, southwest Finland. Water Science and Technology, 62(1), 115-122.

Kuha J., Palomäki A., Keskinen T. & Karjalainen J. (2016). Negligible effect of hypolimnetic oxygenation on the trophic state of Lake Jyväsjärvi, Finland. Limnologica 58: 1–6.

Kumar, S., & Spafford, E. H. (1994). A pattern matching model for misuse intrusion detection. In Proceedings of the 17th National Computer Security Conference, 11-21.

Lepistö, A., Kallio, K., Pitkänen, H., Raateoja, M., Röman, E., Seppälä, J., Suomela, J., Tarvainen, M. & Tattari, S. (2018). Jatkuvatoimisten vedenlaatuasemian valtakunnallinen verkosto – toteuttamissuunnitelma. Suomen ympäristökeskuksen raporteja 32.

Li, J. H. (2018). Cyber security meets artificial intelligence: A survey. Frontiers of Information Technology & Electronic Engineering, 19(12), 1462-1474.

Lovett, G. M., Burns, D. A., Driscoll, C. T., Jenkins, J. C., Mitchell, M. J., Rustad, L., Shanley, J. B., Likens, G. E. & Haeuber, R. (2007). Who needs environmental monitoring?. Frontiers in Ecology and the Environment, 5(5), 253-260.

Lötjönen, J. (2017). Requirement Specification for Cyber Security Situational Awareness. Master’s thesis, JAMK University of Applied Sciences http://urn.fi/URN:NBN:fi:amk-2017121320954

Maochao X. & Lei H. (2019). Cybersecurity Insurance: Modeling and Pricing, North American Actuarial Journal, 23:2, 220-249, DOI: 10.1080/10920277.2019.1566076

Martin, N., and Rice, J. (2011). Cybercrime: understanding and addressing the concerns of stakeholders. Computers & Security 30:803-814.

McCrohan, K. F., Engel, K., & Harvey, J. W. (2010). Influence of awareness and training on cyber security. Journal of internet Commerce, 9(1), 23-41.

Toorani, M., & Shirazi, A. A. B. (2008). Solutions to the GSM Security Weaknesses. In Proceedings of the 2008 Second International Conference on Next Generation Mobile Applications, Services, and Technologies (NGMAST ’08). IEEE Computer Society, USA, 576–581. doi:10.1109/NGMAST.2008.88

National Institute of Standards and Technology (2018). Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1, April 2018.

Niemi, J. (2009). Environmental monitoring in Finland 2009-2012. The Finnish Environment, 12:2019.

Noel, S., & Jajodia, S. (2008). Optimal ids sensor placement and alert prioritization using attack graphs. Journal of Network and Systems Management, 16(3), 259-275.

Pasquale, L., Salehie, M., Ali, R., Omoronyia, I., & Nuseibeh, B. (2012). On the role of primary and secondary assets in adaptive security: An application in smart grids. In 2012 7th International Symposium on Software Engineering for Adaptive and Self-Managing Systems (SEAMS) (pp. 165-170). IEEE.

Pettersson, H., Lindow, H., & Brüning, T. (2012). Wave climate in the Baltic Sea 2012. HELCOM Baltic Sea Environment Fact Sheets.

Pham, T. N., Ho, A. P. H., Nguyen, T. V., Nguyen, H. M., Truong, N. H., Huynh, N. D., & Nguyen, T. H. (2020). Development of a Solar-Powered IoT-Based Instrument for Automatic Measurement of Water Clarity. Sensors, 20(7), 2051. doi:10.3390/s20072051

Punch, K. F. (1998). Introduction to Social Research: Quantitative & Qualitative Approaches. London: Sage.

Rasmus, K., & Huttunen, O. (2009) Evaluating the diffuse attenuation coefficient of dry snow by using an artificial light source. Boreal Environment Research 14: 971–980

Rawson, K. A., Thomas, R. C., and Jacoby, L. L., (2015). The power of examples: illustrative examples enhance conceptual learning of declarative concepts. Educational Psychology Review, 27(3), 483-504.

Sanskriti, C., & Astitwa, B. (2018). Significance of ISO/IEC 27001 in the Implementation of Governance, Risk and Compliance. International Journal of Scientific Research in Network Security and Communication. 6(2).

Särkisaari, T. (2020) Wazuh SOC-ympäristössä Linux-näkyvyyden lisäämiseen. (In Finnish)

Scholefield, S., Shepherd L.A. (2019). Gamification Techniques for Raising Cyber Security Awareness. HCI International 2019. Florida, USA (arXiv preprint available https://arxiv.org/abs/1903.08454).

Simmons, C., Ellis, C., Shiva, S., Dasgupta, D., & Wu, Q. (2014). AVOIDIT: A cyber attack taxonomy. In 9th Annual Symposium on Information Assurance (ASIA’14) (pp. 2-12).

Tan, K. M., Killourhy, K. S., & Maxion, R. A. (2002). Undermining an anomaly-based intrusion detection system using common exploits. In International Workshop on Recent Advances in Intrusion Detection (pp. 54-73). Springer, Berlin, Heidelberg.

Tarvainen, M. & Suomela, J. (2018). VESIMITTARI - reaaliaikaista tietoa jokien vedenlaadusta ja kuormituksesta. Vesitalous 4, 25-27. (In Finnish)

Tyugu, E. (2011). Artificial intelligence in cyber defense. In 2011 3rd International Conference on Cyber Conflict (pp. 1-11). IEEE.

Van den Broeke, M., Reijmer, C., Van As, D., Van de Wal, R., & Oerlemans, J. (2005). Seasonal cycles of Antarctic surface energy balance from automatic weather stations. Annals of Glaciology, 41, 131-139.

Von Solms, R. (1998). Information security management (3): the code of practice for information security management (BS 7799). Information Management & Computer Security 6(5):224-225.

Von Solms, R. & van Niekerk, J. (2013). From information security to cyber security. Computers & Security 38:97-102.

Zager, R., & Zager, J. (2017). OODA loops in cyberspace: A new cyber-defense model. Journal Article| October, 20(11), 33pm.

Zwilling, M., Klien, G., Lesjak, D., Wiechetek, Ł., Cetin, F., & Basim, H. N. (2020). Cyber Security Awareness, Knowledge and Behavior: A Comparative Study. Journal of Computer Information Systems, 1-16.

Appendix 1 Generic server script

Here a simple server script written in Perl is presented that listens to a port and writes information it receives to a file. This simple script potentially has many security issues and should not be used in a production environment.

    #!/usr/bin/perl -w
    use IO::Socket;
    use strict;
    use warnings;

    $SIG{INT}  = \&signal_handler_one;
    $SIG{TERM} = \&signal_handler_one;

    # Filename for writing
    my $filename = '/var/data/data.txt';

    # use port 23456 as default
    my $port   = shift || 23456;
    my $proto  = getprotobyname('tcp');
    my $server = "192.168.0.222";    # IP of the host running the server
    open(FH, '>>', $filename) or die $!;
    print FH "Environment data\n";
    close(FH);

    # Create a socket and make it reusable
    socket(SOCKET, PF_INET, SOCK_STREAM, $proto)
        or die "Cannot open socket $!\n";
    setsockopt(SOCKET, SOL_SOCKET, SO_REUSEADDR, 1)
        or die "Can't set socket option to SO_REUSEADDR $!\n";

    # Bind to a port and then listen
    bind(SOCKET, pack_sockaddr_in($port, inet_aton($server)))
        or die "Cannot bind to port $port! \n";
    listen(SOCKET, 5) or die "listen: $!";
    open(FH, '>>', $filename) or die $!;
    print FH "SERVER started on port $port\n";
    close(FH);

    # Accept incoming connections; every line received is appended
    # to the file exactly as it arrived, without any validation
    while (1) {
        accept(NEW_SOCKET, SOCKET);
        while (<NEW_SOCKET>) {
            open(FH, '>>', $filename) or die $!;
            print FH $_;
            close(FH);
        }
        close NEW_SOCKET;
    }

    sub signal_handler_one {
        open(FH, '>>', $filename) or die $!;
        print FH "SERVER stopped!\n";
        close(FH);
        exit();
    }

One example of a security issue with this script is that it does not reset the environment variables. Even though this script does not call external programs, it is good Perl programming practice to reset the environment (for example to set PATH to a known value and to delete IFS, CDPATH, ENV and BASH_ENV, as recommended in the perlsec documentation). If an attacker has changed the environment it can cause problems, such as a program or configuration file being picked up from an attacker-controlled location. Other issues visible in the script are that it accepts a connection from anyone who can reach the port, that it appends whatever it receives to the data file without any validation or size limit, that the return value of accept is never checked, and that the signal handler performs file I/O.
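As an added example (not code from the thesis), the same listener rewritten with the controls a practitioner would expect: taint mode and a reset environment, a refusal to run as root, a hard limit on record length and on records per connection, an idle timeout, and a check that each record is well formed and carries a valid HMAC-SHA256 tag under a key shared with the station. The record format STATION,TIMESTAMP,VALUE,TAG, the STATION_KEY environment variable and the per-connection limits are assumptions made for the example; the address, port and file path are taken from the original script.

```perl
#!/usr/bin/perl -T
# Hardened variant of the appendix listener (added example, not from the thesis).
# Assumed record format, one per line:  STATION,TIMESTAMP,VALUE,TAG
# where TAG = HMAC-SHA256("STATION,TIMESTAMP,VALUE") in hex under a key shared
# with the station and supplied to this script in $ENV{STATION_KEY}.
use strict;
use warnings;
use IO::Socket::INET;
use Digest::SHA qw(hmac_sha256_hex);
use Fcntl qw(:flock);

# 1. Reset the environment (as perlsec recommends) and refuse to run as root:
#    port 23456 is unprivileged, so the listener never needs root.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
die "refusing to run as root\n" if $< == 0 || $> == 0;

my $FILENAME  = '/var/data/data.txt';   # from the original script
my $BIND_ADDR = '192.168.0.222';        # from the original script
my $PORT      = 23456;                  # from the original script
my $MAX_LINE  = 256;                    # longest record accepted (bytes)
my $MAX_RECS  = 1000;                   # records handled per connection
my $IDLE_SECS = 10;                     # read timeout per connection
my $KEY       = $ENV{STATION_KEY};
die "STATION_KEY missing or too short\n" unless defined $KEY && length($KEY) >= 16;

# 2. Accept a record only if it is well formed and its tag verifies.
#    Returns (station, timestamp, value); the regex captures also untaint the data.
sub parse_record {
    my ($line) = @_;
    return if length($line) > $MAX_LINE;
    my ($station, $ts, $value, $tag) = $line =~
        /\A([A-Z0-9_]{1,16}),(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ),(-?\d+(?:\.\d+)?),([0-9a-f]{64})\z/
        or return;
    my $expected = hmac_sha256_hex("$station,$ts,$value", $KEY);
    my $diff = 0;    # constant-time comparison of the two 64-character hex strings
    $diff |= ord(substr($tag, $_, 1)) ^ ord(substr($expected, $_, 1)) for 0 .. 63;
    return if $diff;
    return ($station, $ts, $value);
}

# 3. Read one line of at most $MAX_LINE bytes; undef on EOF, error or overlength.
sub read_line_bounded {
    my ($sock) = @_;
    my $buf = '';
    while (length($buf) <= $MAX_LINE) {
        sysread($sock, my $ch, 1) or return;
        return $buf if $ch eq "\n";
        $buf .= $ch unless $ch eq "\r";
    }
    return;
}

# 4. Append under an exclusive lock so concurrent writers cannot interleave.
sub append_record {
    my ($station, $ts, $value) = @_;
    open(my $fh, '>>', $FILENAME) or die "open $FILENAME: $!\n";
    flock($fh, LOCK_EX) or die "flock: $!\n";
    print {$fh} "$station,$ts,$value\n";
    close($fh) or die "close: $!\n";
}

my $server = IO::Socket::INET->new(
    LocalAddr => $BIND_ADDR, LocalPort => $PORT, Proto => 'tcp',
    Listen    => 5,          ReuseAddr => 1,
) or die "cannot listen on $BIND_ADDR:$PORT: $!\n";

my $running = 1;
$SIG{INT} = $SIG{TERM} = sub { $running = 0 };   # no file I/O inside the handler

while ($running) {
    my $client = $server->accept or next;          # undef when a signal interrupts accept
    my $peer = $client->peerhost // 'unknown';
    my ($accepted, $rejected) = (0, 0);
    eval {
        local $SIG{ALRM} = sub { die "idle timeout\n" };
        alarm $IDLE_SECS;
        while (defined(my $line = read_line_bounded($client))) {
            alarm $IDLE_SECS;                      # restart the clock for each line
            last if $accepted + $rejected >= $MAX_RECS;
            my @rec = parse_record($line);
            if (@rec) { append_record(@rec); $accepted++ } else { $rejected++ }
        }
        alarm 0;
    };
    alarm 0;
    warn "$peer: $@" if $@;                        # bad records are counted, never echoed
    warn "$peer: accepted $accepted, rejected $rejected\n";
    close($client);
}
```

Run it as an unprivileged user with STATION_KEY set in the environment and with `perl -T`, since the -T switch on the shebang line only takes effect when the script is started directly. A station builds TAG as the hex HMAC-SHA256 of the same three comma-separated fields under the same key, which gives the central service both origin authentication and an integrity check on every measurement record. Rejected lines are only counted, never written anywhere, so a hostile client cannot use the receiver to inject text into the data file or a log. The listener is still single-threaded, so one client can occupy it for at most $IDLE_SECS seconds at a time; a production receiver would fork per connection or use an event loop.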

Appendix 2 The Superhero Method to Increase Cyber Security Awareness

A2.1 Introduction

The Batman of the 1960s television series uses 1960s technology, or a fictional extrapolation of it. So why would Batman even consider modern cyber security concepts? Although this study can be seen as a technology-independent thought experiment, it can be taken as a premise that, as time has gone on, the 1960s Batman has upgraded to modern 4G communications. It can also be assumed that the Gotham City Police Department has started a program in which its vendors and collaborators need to comply with a cyber security standard such as ISO/IEC 27001, which defines an information security management system (ISMS). In that case Batman would be wise to develop and implement an ISMS for his operation.

Using the analysis on cyber security provided by von Solms and van Niekerk (2013), the Batcave does in fact require some form of information security management system because the effects of a security breach go beyond the loss or corruption of information to the possibility of real harm, or even death, of Batman and his sidekick Robin.

A2.2 Important assets

All management systems start with the definition of the most important assets that need to be secured. In the case of the Batcave, these are listed in Table A1 and they have been divided into primary and secondary assets. Primary assets are people and assets related to the core business without which the work would become more difficult or even impossible. On the other hand the secondary assets can be lost without causing undue suffering to the core business. The core business of Batman is fighting crime and especially the super villains that constantly pop up in Gotham City. Therefore the most important primary assets are Batman and Robin, the Batcave and the Batmobile.

Table A1 List of the main assets within the Batcave

Asset                                                   Primary or secondary
Batman’s secret identity                                Primary
Batman                                                  Primary
Robin’s secret identity                                 Primary
Robin                                                   Primary
The Batcave                                             Primary
The Batmobile                                           Primary
Alfred the faithful butler                              Primary
The Batphone (“the hotline”)                            Secondary
The Anti-Crime Computer (with Interdigital Batsorter)   Secondary
The Mobile Crime Computer                               Secondary
Hyper-spectrographic analyzer                           Secondary
Giant lighted lucite map of Gotham City                 Secondary

Batman has a plethora of gadgets that he deploys in his crime fighting endeavors and all of these can be thought of as secondary assets. Some of them have been included in Table A1.

A2.2.1 Batman

Batman, The Caped Crusader and half of The Dynamic Duo, is the crime fighting alter ego of millionaire playboy Bruce Wayne. Batman has no super powers except for his high intelligence and keen attention to detail. In fact Robin remarks that “Behind our masks we are perfectly ordinary people” in season 1 episode 9 (“Zelda the Great”). The secret identity of Batman is an asset that needs to be kept secret at all costs and the possible unmasking of Batman is a plot point in many episodes. One example of this is in season 1 episode 5 (“The Joker Is Wild”) when Batman and Robin are defeated by the Joker’s sneezing powder and are in danger of being unmasked.

A2.2.2 Robin

Richard “Dick” Grayson, also known as Robin, The Boy Wonder, is the other half of The Dynamic Duo. He is the adopted son of Bruce Wayne and lives with him in Wayne Manor. He is a high school student and is seen attending Woodrow Roosevelt High School (season 1 episode 15 “The Joker Goes to School”). He is also of high intelligence and is instrumental in solving puzzles and riddles. The paternal love Batman shows towards Robin causes him to sacrifice himself when the two are in mortal danger. An example of this is in season 1 episode 8 (“Rats Like Cheese”) when both Batman and Robin are caught by Mr. Freeze, who tries to freeze them. Batman forces Robin to stay in an area of warmth with room for only one person, whilst subjecting himself to the freezing environment of Mr. Freeze’s habitation. Batman is only saved because he thought to wear his “special super thermal b-long underwear”.

A2.2.3 The Batcave

The Batcave is the secret underground lair of Batman and Robin. It is situated below Wayne Manor which is the home of Bruce Wayne. When Bruce and Dick need to enter the Batcave, they throw a switch inside a bust of Shakespeare located on Bruce Wayne’s desk. This opens a bookcase behind which are two sliding poles: one for Bruce and one for Dick. Whilst sliding down to the Batcave, the Dynamic Duo change into their crime fighting outfits that disguise their identity. The mechanism by which this is accomplished is not shown.

The Batcave also has an external vehicle entrance that is used by Batman’s vehicles. This is located behind some bushes next to the road to Gotham City at the 14 mile marker. There is a retractable barricade in front of the entrance to make unauthorized entry more difficult. However it seems that Batman does not take any other precautions to make sure that his use of the entrance is not observed by nefarious persons.

The Batcave holds some of Batman’s other important assets like the Batmobile, its energy source the Atomic Energy Generator, the Anti-Crime Computer and other resources Batman uses in his crime fighting endeavours. The Batcave is also fitted with an Anti-Crime Auxiliary Generator (seen in season 1 episode 16 “He Meets His Match, the Grisly Ghoul”) to make the Batcave impervious to Gotham City’s many power outages.

A2.2.4 The Batphone

The Batphone is a direct hotline between the Batcave and the Gotham City Police Department and it is first seen in the first episode of season 1 (“Hi Diddle Riddle”). It terminates in the office of Commissioner Gordon at the Gotham City Police Headquarters with the other end on Bruce Wayne’s desk in Wayne Manor. Commissioner Gordon of the Gotham City Police Department uses it to inform Batman that a super villain is on the loose and that the police are not able to deal with him. The end result of the phone call is that Batman goes to see the Commissioner at the Gotham City Police Headquarters.

There is also a mobile version of the Batphone in the Batmobile which can also be used to summon Batman. This has the ability to patch other calls onto the same line.

If the Gotham City Police Department is unable to get into contact with Batman on the Batphone, they need to signal their need of him with the Batsignal. This is a spotlight with a silhouette of a Bat which can be projected onto clouds. Unfortunately this method of communications is only usable during the hours of darkness.

A2.2.5 The Batmobile

Batman’s main mode of transport is his car, which is nuclear-powered and connected to the Atomic Energy Generator when it is in the Batcave. To facilitate speedy entrance and exit, the Batmobile sits on a rotating turntable so that Batman can drive it straight into the Batcave and then straight out again.

The Batmobile has a remote surveillance device called the Bat-Scope for optical remote surveillance. It has a mobile hotline that the Gotham City Police Department can use to try to contact Batman when he is away from the Batcave. This has some kind of security vulnerability which The Riddler is able to use to call Batman (season 1 episode 1 “Hi Diddle Riddle”).

The Bat-Ray projector can be used to shut down the ignition of criminal vehicles, thus making them possible to catch. However, when this is known, criminals can use it to lure Batman into a trap. This happened in season 1 episode 2 (“Smack in the Middle”) when The Riddler knew that Batman would deploy the Bat-Ray projector and so was able to get Batman to take his female accomplice Molly, disguised as Robin, into the Batcave.

The Detect-a-Scope on the Batmobile can be used to lead Batman to the location of a homing signal coming from, for example, Robin. In season 1 episode 9 (“Zelda the Great”) Batman and Robin make a fake emerald, “The Star of Samarkand”, to trap the thief Zelda. The emerald is hollow and contains a tiny super-powered homing beacon which Batman and Robin can follow from the Batmobile.

There are many performance enhancing features on the Batmobile, such as a parachute that can be deployed using the Emergency Bat-Turn lever. This causes the Batmobile to quickly slow down so that a fast 180° turn can be made.

The Batmobile is fitted with some security features. It has an Anti-Theft activator masked as a start button that, when pressed, causes fireworks to shoot from its exhausts. This of course assumes that the evil villain trying to steal the Batmobile tries to start it up using this bogus start button. In season 1 episode 1 (“Hi Diddle Riddle”) The Riddler does exactly that.

Also the Batmobile is impervious to attempts at lighting it on fire because it has an Anti-fire activator which engages when the reading on the Batostat (a kind of thermostat) reaches a critical level. This is an example of a physical control.

A2.2.6 The Atomic Energy Generator

The atomic energy generator is located in the Batcave and is the energy source for Batman’s vehicle, the Batmobile. Even though it is inherently dangerous and has a sign saying “Atomic pile, keep off, super high, high voltage” it can be safely operated within the confines of the Batcave, and it even has a safety lock that can be deployed when maintenance needs to be done on it.

In season 1 episode 2 (“Smack in the Middle”) Molly, the female accomplice of The Riddler, climbs the atomic energy generator whilst trying to escape from Batman. She then falls into it and is killed, thus showing the dangers inherent in the energy generator.

A2.2.7 The Anti-Crime computer

The Anti-Crime Computer, which is sometimes also referred to as the Batcomputer (e.g. in season 1 episode 14 “Batman Stands Pat”), is introduced in the very first episode (season 1 episode 1 “Hi Diddle Riddle”). It is located in the Batcave and is used by Batman to analyze data and make forecasts about future crimes. It is also called the U.S. and Canada Crime Computer.

The computer has, for example, a database called “Gotham City plans and views” which Batman uses to view plans of a hotel where a famous movie star is staying (season 1 episode 4 “The Penguin’s a Jinx”).

An example of the use of the Anti-Crime Computer as a forecasting device is seen in season 1 episode 7 (“Instant Freeze”) when its Interdigital Batsorter is used to show the most valuable diamonds and their locations. This information is then used to forecast where Mr. Freeze will strike next.

It is also able to do voice analysis using its Anti-Crime Voice Analyzer to compare voice samples to those in a voice file. This method was used to find out that the chief cheerleader of Woodrow Roosevelt High School was in fact part of The Joker’s gang (season 1 episode 16 “He Meets His Match, the Grisly Ghoul”).

As the series is from the 1960s it has attitudes towards technology that reflect that period. In season 1 episode 11 (“A Riddle a Day Keeps the Riddler Away”) Robin tries to look up the Royal Mushroom Club in the Gotham City Plans and Views database of the Anti-Crime Computer, but Batman says that some things can be done the old fashioned way by looking them up in the good old telephone book. Robin says that he must be getting lazy. This attitude towards computers may lie behind the weak security protocols in the Batcave.

A2.2.8 The mobile version of the Anti-Crime computer

The mobile version of the Anti-Crime Computer is situated in the boot of the Batmobile and is connected to the Anti-Crime Computer in the Batcave via an automatic radiolink (presented in season 1 episode 2 “Smack in the Middle”). Batman is able to use the mobile version to do all the same kinds of data analysis as he would do with the main computer in the Batcave. It therefore works as a kind of terminal for the Anti-Crime Computer in the Batcave. For example in season 1 episode 2 (“Smack in the Middle”) Batman uses it to find a captured Robin by juxtaposing a recording of a phone call, made by Robin from captivity containing background subway noise, with the subway schedule of Gotham City. Based on this information, the computer was then able to tell Batman where Robin was located.

The existence of the automatic radiolink between the mobile and Batcave Anti-Crime Computers means that the Anti-Crime Computer in the Batcave is not isolated from the outside world and there is a route into it from outside. Therefore it should be subject to all the necessary controls that all servers need. These include, but are not limited to, firewalls, updated software, only having necessary ports and services open, access control and an IDS.

A2.3 Identified security events

A2.3.1 Spoofing attacks

In a spoofing attack an entity successfully identifies as another by falsifying data, for example authentication data, and thus gains something that it is not entitled to. In the Batman series, Batman is subjected to numerous spoofing attacks and is usually only saved by his intellect, his almost superhuman perception and his keen eye for detail. This is the control that is used to mitigate the risks associated with this kind of threat.

In season 1 episode 2 (“Smack in the Middle”), Batman takes Molly, the henchwoman of The Riddler, into the Batcave because she has been disguised to look like Robin and she is also wearing Robin’s homing beacon. The Riddler has therefore perpetrated a successful spoofing attack against Batman. Batman however notices small imperfections left over from the masking procedure used on Molly and deduces that she is not in fact Robin.

Another example is found in season 1 episode 3 (“Fine Feathered Finks”) in which Batman inadvertently takes a bugging device, designed by The Penguin, concealed within an umbrella (The Batbrella) into the Batcave. The Penguin is then able to listen in to Batman and Robin speculating on the subject, location and method of what would be The Penguin’s next crime. Batman would need to monitor outgoing radio signals to catch this kind of eavesdropping and to also implement a form of Intrusion Detection System that detects bugging devices. This kind of technology exists in Gotham City because The Penguin utilizes it in his umbrella factory (K. G. Bird Umbrellas) and Bruce Wayne is caught by it when he tries to plant a listening device. The bug he tried to install was disguised to look like a small insect.

A2.3.2 Mistaken identity

There seems to be an inherent security problem with the Batphone protocol used by Batman and the Gotham City Police Department. In season 1 episode 7 (“Instant Freeze”), Alfred the butler answers the hotline directly by saying “I’ll call him sir” without confirming the identity of the caller. He simply assumes that, as the hotline has been set up to connect the Batcave directly to the Gotham City Police Department, the caller must be Commissioner Gordon. This happens again in season 1 episode 11 (“A Riddle a Day Keeps the Riddler Away”), and Commissioner Gordon also becomes guilty of this in season 1 episode 12 (“When the Rat’s Away the Mice Will Play”) when he answers the Batphone at the Gotham City Police Department with “Batman, you’re alive!”. There are more examples of this weak protocol throughout the series. For example in season 1 episode 13 (“The Thirteenth Hat”) Batman answers the mobile Batphone by saying “Yes commissioner”.

An attacker could utilize this weak protocol to summon Bruce Wayne to the hotline. Even though the hotline is assumed secure, its security cannot be guaranteed. Batman does not control both ends of the hotline and some form of backbone connection (a telephone line in this case) also exists which he does not have control over.

The weakness of the hotline security is evident in season 1 episode 1 (“Hi Diddle Riddle”) when The Riddler is able to call the mobile Batphone in the Batmobile directly to taunt Batman. This means that the hotline is insecure and Batman should have some form of authentication protocol in place to ensure the identity of the caller and make sure that it is in fact Commissioner Gordon of the Gotham City Police Department. The Joker has a version of this kind of security protocol in place when his henchmen call him. In season 1 episode 15 (“The Joker Goes to School”) he requires that his accomplice Suzy give the correct sign before giving her the correct counter-sign. This gives them some more confidence in the identity of the person that they are talking with.

Even though both Batman and Robin wear homing devices, there is no way of knowing that the correct homing device is connected to the correct person. In season 1 episode 2 (“Smack in the Middle”) Molly, the henchwoman of The Riddler, uses the homing device of Robin to lure Batman into a trap. The Bat Homing Transmitters can also be placed on objects to be tracked, for example a hat in season 1 episode 14 (“Batman Stands Pat”). However they are susceptible to being found, which also happens to the one in the hat, and they can then be used to lure Batman and Robin into a trap. The Dynamic Duo have no way of knowing whether the homing transmitters have been compromised.

A2.3.3 Denial of Service Attack

In season 1 episode 7 (“Instant Freeze”) Mr. Freeze unleashes many of his henchmen on Gotham City disguised as Batman. This makes it impossible for the Gotham City Police Department to know for sure which is the real Batman, and therefore his help is harder to get.

This comes about because Batman has no secure way of proving his identity and so he is vulnerable to identity theft. Some kind of secure certificate would help him in this regard. In episode

A2.4 Vulnerabilities

Several vulnerabilities have been identified in Batman’s operation. Batman is vulnerable to a sort of social engineering in which his paternal instincts towards Robin, and his high ethical code of conduct, can be used to compromise him.

In their operation, Batman and Robin are constantly vulnerable to physical attack from super villains. The physical attacks can come at any time and in any form and can involve gas, poisons, explosives, mesmerizing rays, plaster, freezing temperatures and many other weapons. The Dynamic Duo survive due to their physical fitness, their intellect and their partnership. Securing Batman’s operation against physical attacks is beyond the scope of this study.

Batman and Robin are constantly vulnerable to being unmasked. Losing their secret identity has been close in many cases and they have only just managed to evade unmasking. Batman is also vulnerable to identity theft because he has no way of securely proving his identity. It is easy for villains to impersonate him.

The Batcave is vulnerable to penetration by Trojans and spoofing attacks because there does not seem to be any kind of IDS in place to detect an attack. There are however some physical controls in place to restrict and prevent unauthorized entry.

The hotline between the Batcave and the Gotham City Police Department is vulnerable. It is evident that an exploit for this vulnerability is available and has been used by The Riddler.

The automatic radio link between the Batmobile and the Batcave is vulnerable to eavesdropping. It is unclear if it is encrypted and what controls are in place at the server end in the Batcave to prevent unauthorized access.

Wayne Manor as a normal residential building is vulnerable to penetration and this actually happened in season 1 episode 4 (“The Penguin’s a Jinx”) when The Penguin and his henchmen were waiting in Wayne Manor to make a hostage swap and direct an attack on Batman.

Batman’s paraphernalia and especially his special utility belt, containing tools like the Bat-a-Rang which is a kind of grappling hook, are vulnerable to being physically stolen. The gadgets can then be used against him or in the perpetration of a crime.

A2.5 Threats

The threat environment in which Batman operates is not overly complicated. Batman’s business is fighting crime and this is something that super villains and their henchmen do not appreciate. They direct attacks at Batman and Robin, and their total operation. In most cases the threats are not coming from unknown attackers and usually the attacker is known before any kind of attack is started. Also there are rarely cases in which multiple perpetrators are attacking at the same time.

Batman is threatened by super villains like The Riddler, who taunts Batman with riddles, Mr. Freeze, who is forced to live at a temperature of 50 below, The Penguin, Zelda the Great, The Joker and The Mad Hatter.

It is worth noting that the situation Batman faces is different from that which organizations face in the real world. In the real world the attackers rarely trumpet their intentions beforehand, although this has happened, and there may be more than one attack going on at any given time. Good intelligence is of course important, and knowledge of the prevailing threat environment helps the organization counter the threats.

Batman, despite his secret identity, does not run a covert operation. He always works in a predictable way, has a high sense of duty, has paternal instincts towards Robin and has a high ethical code. He believes that all people, even super villains, have some good in them and they can turn away from their life of crime. An example of this is seen in season 1 episode 7 (“Instant Freeze”) in which Batman tells Mr. Freeze that he can be saved by the use of modern medicine. Batman also has a weak spot for good looking ladies.

All of these facts can compromise Batman’s operation and this has nearly happened in several cases when Robin is in danger. This means that super villains can observe Batman and target his weaknesses.

A2.6 Risks

The threats directed towards Batman carry real risks with them. Some of the risks are real and tangible, such as losing their life if they lose a fight with a super villain. This risk has a low probability (due to Batman’s skill and fighting prowess) but an extremely high cost.

If the Anti-Crime Computer is compromised, the attacker will be able to access all of Batman’s databases related to Gotham City and possibly alter or delete them. The attacker will also be able to use all of the analytic tools available to Batman. This risk can be thought to have a medium-to-high probability and a high cost.

If the Batmobile is compromised then Batman will lose his main mode of transport. This risk has a low probability and a low cost. The attacker could even cause the Batmobile to crash causing Batman or Robin injury or even death. This risk has a low probability but a high cost.

If Wayne Manor is compromised it could lead to the unmasking of Batman and cause him to lose his secret identity. Batman could be unmasked in other ways as well and all of them carry the same risk. If this risk materializes it could have severe legal and financial repercussions for Bruce Wayne. The cost of this risk is high but it has a low probability.

If Batman’s paraphernalia are stolen then his operation will be made harder but not impossible. This risk therefore carries such a low cost that its probability must be quite high before it becomes meaningful.

If the Batphone is compromised then the Gotham City Police Department will not be able to contact Batman directly. They fortunately have a backup way of signalling their need for his help in the form of the Batsignal. This risk carries a high probability but a low cost.

A2.7 The Information Security Management System for the Batcave

A2.7.1 The ISMS

An ISMS can be used to improve the management of information security in an organization. With good management and with knowledge of the threats and risks, comes better information security. Even though some threats are unknown, they can be mitigated by having generic robust security protocols in place.

An ISMS can help with business continuation in the case that something does happen. If the risks related to the operation are large, as is the case with Batman and his crime-fighting operation, then it is inevitable that at some point a security event of some kind will occur, and it can possibly be severe. Even though the goal of any operation is to have zero security incidents, this is a fantasy in most cases. A good ISMS will have protocols in place to deal with incidents small and large and ensure that the business will continue in all cases.

The ISMS will also help with non-repudiation because it details how the operation is monitored for security events and how the events are logged, and how the logs are secured to retain their integrity.

In his operation Batman has identified the threats against it and the risks inherent to those threats. After the risks have been identified, the ones that need controls to mitigate them are listed together with their controls. Monitoring is put in place to ensure that the controls are working. Risk management is a continuous process because the threat environment is constantly evolving.

A2.7.2 Strategic level

On a strategic level, the ISMS gives the philosophies behind the information security management of an organization. For the operation of the Batcave the strategic thinking would ensure the continuous capability of Batman’s crime fighting in quickly changing scenarios. The information security protocols need to be strict enough to secure the most important assets in the Batcave from the largest risks, but not so strict as to hamper Batman in his operations.

The strategic level of the document identifies that the Batcave and its contents, the Batmobile and its connection to the Batcave, the Batphone hotline and other connections to the Gotham City Police Department and the secret identities of Batman and Robin are the most important assets to be secured.

The strategic level can be written so that it ensures compliance with all necessary rules and regulations in effect, and addresses the question of compliance with required standards. The 1960s Batman has a private operation which works in good cooperation with the Gotham City Police Department. If the Gotham City Police Department were to start requiring an audit of Batman’s operation to ensure standards compliance, then the audit would be based on the ISMS.

A2.7.3 Tactical level

On a tactical level the document goes into more detail on the specific controls needed to secure the important primary assets and the secondary assets. This part of the document can also identify the people whose responsibility it is to implement these controls. In the Batcave scenario, Batman functions as the Chief Information Security Officer (CISO) and it is therefore his responsibility to ensure that all of the people follow the rules and protocols set out in the ISMS.

The tactical level would address the need to improve the physical security of the Batcave. Both the entrance from Wayne Manor and the vehicle entrance on the road to Gotham City have weak security which can be easily breached. The Wayne Manor entrance switch located inside a bust of Shakespeare needs to have authentication: voice recognition, a retina scan, a password of some sort, or a combination of these. Authentication needs to be set up for Alfred the butler, Bruce and Dick. User management needs to be delegated to ensure that new users can be added and that users can have their access revoked. A person needs to be assigned this task and in this case it could be given to Alfred the butler, since he is seen to take care of other equipment within the Batcave.

Securing the vehicle entrance is harder because it needs to be used at high speeds. Sensors need to be setup so that only the Batmobile, and Batman’s possible other vehicles, are able to have the entrance open automatically. This also needs a person assigned to maintain the access control lists (ACL) and Alfred the butler is again the logical person to do this.

The information security controls set out in this level are a firewall between the Batcave and the outside world which only allows traffic coming from known and authenticated sources to have access to the Batcave and its resources. As there are no publicly available services running on servers in the Batcave, this kind of strict rule is sufficient. In fact, the only outside connections are coming from the homing transmitters, the Batmobile and the Gotham City Police Department. The firewall should look at outgoing traffic as well, because a malicious device, or piece of software, could try to contact the outside world and it can be then either blocked at the firewall, or logged and the destination could be used to find the villain behind it.

The Batcave needs an intrusion detection system (IDS) to identify cases in which the Batcave is breached. Documented cases include a bug that was brought in by Batman and a case in which he brought a villainous person disguised as a friendly person into the Batcave. Sensors for the IDS should be placed on both sides of the firewall and in strategic locations within the Batcave. One of them should be close to the Anti-Crime Computer since this would be the obvious first asset to be contacted after a breach of the Batcave has occurred.

In addition to a firewall, some kind of malware detection is needed on all computers in the Batcave. Also computers should be connected to the Anti-Crime computer only when necessary and only when they have been deemed free of malware.

The controls set out in the tactical portion of the ISMS are not all technical in nature. The Batphone security problems do not necessarily need a technical solution. Of course encryption would be useful, but the same result can be obtained by using a code and limiting the scope of the conversations. The conversations on the Batphone are usually short with little information conveyed and most often result in a summoning of Batman to the Gotham City Police Department. A security protocol that requires the person calling and the person answering to know a predetermined passphrase or the answer to a security question needs to be put in place to ensure that Commissioner Gordon is authenticated at the Gotham City Police Department, and Alfred the butler, Batman and Robin at Wayne Manor or when they use the mobile Batphone.
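The weak point shared by the fixed Batphone passphrase proposed above and The Joker’s sign and countersign (section A2.3.2) is that a secret spoken on the line is learned by whoever is listening, as The Riddler evidently was, and can then simply be repeated on the next call. The following added example (not from the thesis) shows the predetermined-passphrase control generalized to a mutual challenge-response: each side proves knowledge of a pre-shared key over a nonce the other side has just chosen, so a recorded answer is worthless on a later call. The key, the role labels, the three-message layout and the counter-based nonce are assumptions made for the example.

```perl
#!/usr/bin/perl
# Mutual challenge-response for the Batphone (added example, not from the thesis).
# The key, the role labels and the message layout are assumptions.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

my $HOTLINE_KEY = 'agreed-in-person-at-police-headquarters';   # assumed pre-shared secret

# The Joker's fixed sign/countersign: correct, but anyone who overheard it once
# can repeat it on every later call.
my %STATIC = (sign => 'the owl hoots at midnight', countersign => 'only under a full moon');
sub static_check {
    my ($sign, $countersign) = @_;
    return ($sign eq $STATIC{sign} && $countersign eq $STATIC{countersign}) ? 1 : 0;
}

sub ct_eq {                                    # constant-time string comparison
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}

# A proof binds the speaker's role and BOTH nonces, so it is valid for this call only.
sub proof {
    my ($role, $their_nonce, $my_nonce, $key) = @_;
    return hmac_sha256_hex("$role|$their_nonce|$my_nonce", $key);
}

my $counter = 0;
sub fresh_nonce { return sprintf('%016x', ++$counter) }   # demo only; use a CSPRNG in practice

# One call on the hotline. Each side verifies with whatever key it actually holds;
# an impostor may pass 'replay' to reuse a proof recorded from an earlier call.
sub hotline_call {
    my (%p) = @_;
    my @transcript;
    my $nc = fresh_nonce();                                            # 1. GCPD -> Manor
    push @transcript, "GCPD  -> MANOR: CALL nonce=$nc";
    my $nm = fresh_nonce();                                            # 2. Manor -> GCPD
    my $pm = proof('manor', $nc, $nm, $p{answerer_key});
    push @transcript, "MANOR -> GCPD : nonce=$nm proof=" . substr($pm, 0, 16) . '...';
    my $manor_ok = ct_eq($pm, proof('manor', $nc, $nm, $p{caller_key}));
    my $pc = $p{replay} // proof('gcpd', $nm, $nc, $p{caller_key});   # 3. GCPD -> Manor
    push @transcript, "GCPD  -> MANOR: proof=" . substr($pc, 0, 16) . '...';
    my $caller_ok = ct_eq($pc, proof('gcpd', $nm, $nc, $p{answerer_key}));
    return { manor_authenticated  => $manor_ok,
             caller_authenticated => $caller_ok,
             caller_proof         => $pc,
             transcript           => \@transcript };
}

# Demonstration: a genuine call, then The Riddler replaying what he recorded from it.
my $good   = hotline_call(caller_key => $HOTLINE_KEY, answerer_key => $HOTLINE_KEY);
my $replay = hotline_call(caller_key => 'riddler-has-no-key', answerer_key => $HOTLINE_KEY,
                          replay => $good->{caller_proof});
print "$_\n" for @{ $good->{transcript} };
printf "genuine call:  manor %d, caller %d\n", $good->{manor_authenticated}, $good->{caller_authenticated};
printf "replayed call: manor %d, caller %d\n", $replay->{manor_authenticated}, $replay->{caller_authenticated};
printf "static countersign overheard once: %d\n", static_check($STATIC{sign}, $STATIC{countersign});
```

In the genuine call both ends authenticate each other before anything sensitive is said. In the replayed call Wayne Manor rejects Gordon’s recorded proof because its own nonce is fresh, and the impostor cannot verify the Manor either, whereas the static countersign is accepted as soon as it has been overheard once. Spoken over a voice line the proofs would be shortened to a few digits each, which keeps the calls as brief as the passage above requires; the same exchange, carried in the signalling, also suits the automatic radiolink between the Batmobile and the Batcave.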

A2.7.4 Operational level

The ISMS usually does not give details on an operational level. At this level the document would, as an example, describe what kind of firewall is being used and what the specific firewall rules are. The operational level is addressed in a separate ISMS implementation plan.

A2.7.5 Business continuation plan

If Batman is killed or otherwise incapacitated, his operation can be continued by his sidekick Robin, which ensures business continuity. Batman's operation will sustain a large blow if Robin is killed or incapacitated, but the business can still continue if Batman is able to overcome his grief and carry on.

If the Batcave is overrun or destroyed, Batman needs a secondary backup location from which to continue his operation. It must have an energy source for the Batmobile and some version of the Anti-Crime Computer. Working, regularly tested backups are also essential in this scenario.

If the Anti-Crime Computer is compromised, leaving all its databases exposed, Batman needs to find out about it and to have evidence that this is in fact the case. Detecting the compromise is a matter of monitoring (the IDS above); the evidence must be of a kind that cannot later be disputed, which is where non-repudiation comes in and which in practice means tamper-evident logs kept outside the compromised machine. To continue his operation he also needs a working backup of all the databases that is as up to date as possible, and a machine that can take over as the Anti-Crime Computer if the primary one is destroyed or is being analyzed by the cyber-crime department of the Gotham City Police Department.

Because the Batcave lies below Wayne Manor, it may well survive and remain functional if the manor is destroyed. Batman nevertheless needs a secondary location available in case the Batcave itself is made unusable.

Batman's paraphernalia are secondary assets to his operation, so he should be able to continue with business as usual if he loses them. He does, however, need a plan for replacing them quickly if they are stolen or destroyed. To some extent the same is true of the Batmobile, but its replacement is more urgent because it is Batman's main mode of transportation.

If the Batphone is compromised, the Gotham City Police Department needs to fall back on the Batsignal. In daytime, when the signal cannot be seen, they need some other way of communicating, such as a radio link or a mobile telephone.

A2.8 Implementation of the CSMS

A2.8.1 Real-World Batcave

As it is impossible to build an exact version of the working environment of the 1960s Batman, because the technology used is based on science fiction, this implementation plan is based on a fictional, modernized version of Batman's operation. The assets and implemented controls are based on modern technology that is available in the real world.

The topology of the real-world Batcave using modern technology is relatively simple (Figure A1): a local area network (LAN) in the Batcave with remote connections coming in from the Batmobile, Batman and Robin. The only other external connection into the Batcave comes from the Gotham City Police Department via the Batphone hotline.

No assumptions can be made about the security of the backbone connection. Connections passing over it must be encrypted end to end, from the originating device to the receiving one.

Linux-based servers are the most versatile choice for Batman's Anti-Crime Computers and for all the other computers he uses for analysis. The database can be based on MySQL and can reside on the Anti-Crime Computers or on a separate database server; again, Linux is the obvious choice. A cluster of servers would ensure high availability.

Figure A1 Network topology of a fictional real-world Batcave using modern technology.


A2.8.2 Controls

Batman, and to some extent Robin, have good perception, an almost superhuman intelligence and a keen attention to detail. These traits alone are not enough to fully secure the Batcave.

A firewall is required to protect the local network inside the Batcave from attacks originating outside it. It can be based on a third-generation (application-aware) firewall such as a Palo Alto Networks appliance; Parkki (2019) has studied the use of the Palo Alto PA5060 firewall in an educational environment.

For non-repudiation and monitoring purposes, the Batcave requires an IDS consisting of sensors and a local logging and analysis service. Särkisaari (2020) studied the benefits of using Wazuh in a Linux environment and found that Wazuh needs time to establish its baseline: it reacts to many different kinds of events and has to learn what is normal before its alerts become useful. Wazuh is not a network IDS per se but a host-based security monitoring platform, with agents on the hosts reporting to a central manager that performs log analysis, file integrity monitoring and alerting, i.e. the kind of tooling a Security Operations Center (SOC) would run. Network sensors should therefore be placed inside and outside the firewall, and Wazuh agents installed on all of the servers in the LAN. Wazuh would then also take care of event management by storing the details of events triggered at the sensors.

A virtual private network (VPN) is required to enable external connections for Batman, Robin and the Batmobile when they are outside the Batcave. It can be based on OpenVPN running on a Linux server behind the firewall. OpenVPN authenticates peers with X.509 certificates over TLS and encrypts the tunnel; each of Batman, Robin and the Batmobile should have its own client certificate, so that a lost or stolen device can be revoked individually without affecting the others.

The authentication protocol for the Batphone and the mobile Batphone has been non-existent, and an exploit has been available to hijack it. Authentication could be based on predetermined codes and digital certificates. Even though the GSM network has known security problems, ordinary telephones could be useful here provided the scope of the conversation is kept limited. A video call would give a better idea of the caller's identity, although this is not foolproof either.
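The passphrase protocol proposed for the Batphone in the tactical controls above, and the code-based authentication suggested here, can be made concrete as a mutual challenge-response exchange. The following Python model is an added example and not part of the original thesis; the party names, the shared code and the message format are assumptions chosen for illustration. The essential property is that the predetermined code is never spoken or sent: each end proves knowledge of it by answering a fresh random challenge from the other end, so a hijacker who cuts into the line hears nothing that can be replayed later.

```python
"""Mutual challenge-response for the Batphone hotline (added example).

Both ends hold the same shared code (assumed). Neither ever transmits it; each
sends only an HMAC over a fresh nonce from the other side, bound to the
direction of the exchange, so a recorded response is useless for replay or
for reflecting back at the party that produced it.
"""
import hashlib
import hmac
import secrets


class Party:
    """One end of the hotline, e.g. 'gcpd' or 'batcave'."""

    def __init__(self, name: str, shared_code: bytes):
        self.name = name
        self._code = shared_code
        self._seen = set()  # nonces already answered: replay defence

    def challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def respond(self, nonce: bytes, verifier: str) -> bytes:
        """Prove knowledge of the code to `verifier`.

        The HMAC covers prover->verifier, so a response captured in one
        direction does not verify in the other (no reflection attack).
        """
        if nonce in self._seen:
            raise ValueError("nonce reused: possible replay")
        self._seen.add(nonce)
        msg = nonce + b"|" + self.name.encode() + b"->" + verifier.encode()
        return hmac.new(self._code, msg, hashlib.sha256).digest()

    def verify(self, nonce: bytes, prover: str, response: bytes) -> bool:
        msg = nonce + b"|" + prover.encode() + b"->" + self.name.encode()
        expected = hmac.new(self._code, msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def hotline_call(caller: Party, answerer: Party) -> list:
    """Run the exchange and return the transcript of messages on the line.

    Raises PermissionError if either side fails to authenticate, which is the
    cue to hang up and fall back on the Batsignal.
    """
    transcript = []
    # 1. The answerer challenges the caller: is this really the GCPD?
    n1 = answerer.challenge()
    transcript.append((answerer.name, "challenge", n1.hex()))
    r1 = caller.respond(n1, verifier=answerer.name)
    transcript.append((caller.name, "response", r1.hex()))
    if not answerer.verify(n1, caller.name, r1):
        raise PermissionError(f"{caller.name} failed to authenticate")
    # 2. The caller challenges the answerer: is this really the Batcave?
    n2 = caller.challenge()
    transcript.append((caller.name, "challenge", n2.hex()))
    r2 = answerer.respond(n2, verifier=caller.name)
    transcript.append((answerer.name, "response", r2.hex()))
    if not caller.verify(n2, answerer.name, r2):
        raise PermissionError(f"{answerer.name} failed to authenticate")
    transcript.append(("both", "authenticated", "proceed with the short, scoped call"))
    return transcript


def demo():
    """Genuine call succeeds; a villain guessing the code is refused."""
    code = b"the-penguin-flies-at-midnight"  # assumed shared code
    gordon = Party("gcpd", code)
    batcave = Party("batcave", code)
    ok = hotline_call(gordon, batcave)
    impostor = Party("gcpd", b"wrong-guess")  # hijacker claiming to be the GCPD
    try:
        hotline_call(impostor, Party("batcave", code))
        hijacked = True
    except PermissionError:
        hijacked = False
    return ok, hijacked


if __name__ == "__main__":
    transcript, hijacked = demo()
    for line in transcript:
        print(*line)
    print("impostor got through:", hijacked)
```

On a purely spoken hotline the full digest cannot be read aloud; it would be truncated to a few digits, which shrinks the margin against guessing, so the phone itself or an app on it should carry out the exchange and merely show the result. Note also that this authenticates who is on the line but does not encrypt what is said, which is why it belongs together with keeping the conversation short and in code.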

Batman and Robin could use GPS-based homing devices that transmit their locations over the VPN connection to the Batcave. To ensure that the correct person is holding the homing device, some kind of digital fingerprint is needed; it can be based on biometric factors.

The Batmobile already has some physical security in the form of its anti-theft device, but this is easy to overcome; to be truly secure it needs an immobilizer. The automatic link from the mobile Anti-Crime Computer in the boot of the car should also run over the VPN connection to the Batcave, and the boot itself needs to be as physically secure as possible to prevent unauthorized use of the computer.