DOCSLIB.ORG

Cyber Security Practices and Challenges at Selected Critical Infrastructures in Ethiopia: Towards Tailoring Cyber Security Framework

Cyber Security Practices and Challenges at Selected Critical Infrastructures in Ethiopia: Towards Tailoring Cyber Security Framework

<p><strong>ADDIS ABABA UNIVERSITY </strong><br><strong>COLLEGE OF NATURAL AND COMPUTATIONAL SCIENCES </strong><br><strong>SCHOOL OF INFORMATION SCIENCE </strong></p><p>CYBER SECURITY PRACTICES AND CHALLENGES AT SELECTED CRITICAL INFRASTRUCTURES IN ETHIOPIA: TOWARDS TAILORING CYBER SECURITY FRAMEWORK </p><p>By <br>TEWODROS GETANEH </p><p>JUNE, 2018 <br>ADDIS ABABA, ETHIOPIA </p><p><strong>ADDIS ABABA UNIVERSITY </strong><br><strong>COLLEGE OF NATURAL AND COMPUTATIONAL SCIENCES </strong><br><strong>SCHOOL OF INFORMATION SCIENCE </strong></p><p>CYBER SECURITY PRACTICES AND CHALLENGES AT SELECTED CRITICAL INFRASTRUCTURES IN ETHIOPIA: TOWARDS TAILORING CYBER SECURITY FRAMEWORK </p><p>A Thesis Submitted to School of Graduate Studies of Addis Ababa University in <br>Partial Fulfillment of the Requirements for the Degree of <br>Master of Science in Information Science </p><p>By: TEWODROS GETANEH </p><p>Advisor: Tebebe Beshah (PhD) <br>JUNE, 2018 <br>Addis Ababa, Ethiopia </p><p><strong>ADDIS ABABA UNIVERSITY </strong><br><strong>COLLEGE OF NATURAL AND COMPUTATIONAL SCIENCE </strong><br><strong>SCHOOL OF INFORMATION SCIENCE </strong></p><p>CYBER SECURITY PRACTICES AND CHALLENGES AT SELECTED CRITICAL INFRASTRUCTURES IN ETHIOPIA: TOWARDS TAILORING CYBER SECURITY FRAMEWORK </p><p>By: Tewodros Getaneh </p><p>Name and signature of Members of the Examining Board </p><p>Tebebe Beshah&nbsp;(PhD) Advisor <br>__________ Signature <br>_________ Date </p><p>Lemma Lenssa&nbsp;(PhD) Examiner <br>___________ Signature <br>__________ Date </p><p>Dereje Teferi Examiner </p><ul style="display: flex;"><li style="flex:1">(PhD) </li><li style="flex:1">__________ </li></ul><p>Signature <br>_________ Date </p><p><strong>Declaration </strong></p><p>This thesis has not previously been accepted for any degree and is not being concurrently submitted in candidature for any degree in any university. </p><p>I declare that the thesis is a result of my own investigation, except where otherwise stated. I have undertaken the study independently with the guidance and support of my research advisor. Other sources are acknowledged by citations giving explicit references. A list of references is appended. </p><p>Signature: ________________________ <br>Tewodros Getaneh </p><p>This thesis has been submitted for examination with my approval as university advisor. </p><p>Advisor’s Signature: ________________________ </p><p>Tebebe Beshah (PhD) </p><p><strong>i | </strong>P a g e </p><p><strong>Dedication </strong></p><p>This work is dedicated to my beloved sister Eleni Getaneh. </p><p><strong>ii | </strong>P a g e </p><p><strong>Acknowledgements </strong></p><p>I would like to thank my research advisor Dr. Tebebe Beshah for his extrovert guidance and support. He has shown me the right path of research and encouraged me to move forward throughout the study. </p><p>I would also like to extend my sincere gratitude to Dr. Andualem Admassie , CEO of Ethio Telecom, for his assistance in time of Data collection. </p><p>I am thankful to Ato Mekonnen Tesfaye, ICT Security Head of Ethiopian Electric Utility for his valuable comments and assistance in time of data collection and review of the tailored framework. Your positive attitude towards the research, heartily assistance and encouragement was my energy to move forward throughout this research. </p><p>I would like to thank Ato FikreSilase Wosen, an ICT Technician at Ethiopian Electric Utility, for his un - reserved cooperation and assistance throughout this research. My heartfelt thanks goes Ato Yeman&nbsp;Gebre Hiwot of Ethio Telecom and to the whole IT security and Network Security&nbsp;staff at Ethio Telecom.&nbsp;This work was not possible without your support and cooperation. </p><p>This study would not have been possible without the help of INSA’s Staff for their cooperation and valuable comments. Last but not least I would like to thank my friend Ato Muluken Belete who encourages me to pursue cyber security and for his valuable assistance in evaluating the tailored framework. My&nbsp;heartfelt thanks goes to Mr. Lee Sung Hoon, Director of World Together Ethiopia, for his assistance and positive cooperation. </p><p><strong>iii | </strong>P a g e </p><p><strong>Table of Contents </strong></p><p><a href="#4_0">Declaration</a><a href="#4_0">..................................................................................................................................................... i </a><a href="#5_0">Dedicatio</a><a href="#5_0">n</a><a href="#5_0">..................................................................................................................................................... ii </a><a href="#6_0">Acknowledgements</a><a href="#6_0">...................................................................................................................................... iii </a><a href="#10_0">List of Tables </a><a href="#10_0">.............................................................................................................................................. vii </a><a href="#11_0">List of Graphs </a><a href="#11_0">............................................................................................................................................ viii </a><a href="#12_0">List of Figure</a><a href="#12_0">s</a><a href="#12_0">.............................................................................................................................................. ix </a><a href="#13_0">List of Acronyms </a><a href="#13_0">.......................................................................................................................................... x </a><a href="#14_0">Abstrac</a><a href="#14_0">t</a><a href="#14_0">........................................................................................................................................................ xi </a><a href="#16_0">CHAPTER ON</a><a href="#16_0">E</a><a href="#16_0">..........................................................................................................................................</a><a href="#16_0">.</a><a href="#16_0">1 </a><a href="#16_1">1. Introduction</a><a href="#16_1">..............................................................................................................................................</a><a href="#16_1">.</a><a href="#16_1">1 </a></p><p><a href="#16_2">1.1 Background .........................................................................................................................................................1 </a><a href="#22_0">1.2 Statement of the Problem ....................................................................................................................................7 </a><a href="#24_0">1.3 Research Questions .............................................................................................................................................9 </a><a href="#25_0">1.4 General objective of the Researc</a><a href="#25_0">h</a><a href="#25_0">.</a><a href="#25_0">....................................................................................................................10 </a><a href="#25_1">1.5 Specific objectives of the Researc</a><a href="#25_1">h</a><a href="#25_1">.</a><a href="#25_1">..................................................................................................................10 </a><a href="#25_2">1.6 Scope and Limitations of the Research .............................................................................................................10 </a><a href="#26_0">1.7 Significance of the Research .............................................................................................................................11 </a><a href="#26_1">1.8 organization of the Thesis .................................................................................................................................11 </a></p><p><a href="#28_0">CHAPTER TWO </a><a href="#28_0">.......................................................................................................................................</a><a href="#28_0">.</a><a href="#28_0">1</a><a href="#28_0">3 </a><a href="#28_1">2. Literature Review and Related Work</a><a href="#28_1">s</a><a href="#28_1">...................................................................................................</a><a href="#28_1">.</a><a href="#28_1">1</a><a href="#28_1">3 </a></p><p><a href="#28_2">2.1 Overvie</a><a href="#28_2">w</a><a href="#28_2">.</a><a href="#28_2">..........................................................................................................................................................13 </a><a href="#28_3">2.2 Computer Security, Information Security and Cyber security ..........................................................................13 </a><a href="#30_0">2.3 Cyber Security Threat Actors............................................................................................................................15 </a><a href="#0_0">2.4 Methods of Cyber Attack ..................................................................................................................................19 </a></p><p><a href="#0_1">2.4.1 Social Engineerin</a><a href="#0_1">g</a><a href="#0_1">....................................................................................................................</a><a href="#0_1">.</a><a href="#0_1">1</a><a href="#0_1">9 </a><a href="#0_2">2.4.2 Denial-of-Service /DoS/</a><a href="#0_2">............................................................................................................</a><a href="#0_2">.</a><a href="#0_2">2</a><a href="#0_2">0 </a><a href="#0_3">2.4.3 Website Defacement </a><a href="#0_3">.................................................................................................................</a><a href="#0_3">.</a><a href="#0_3">2</a><a href="#0_3">1 </a></p><p><strong>iv | </strong>P a g e </p><p><a href="#0_4">2.4.4 Malicious Code </a><a href="#0_4">.........................................................................................................................</a><a href="#0_4">.</a><a href="#0_4">2</a><a href="#0_4">1 </a></p><p><a href="#0_5">2.5 Cyber security in Ethiopi</a><a href="#0_5">a</a><a href="#0_5">.</a><a href="#0_5">................................................................................................................................22 </a></p><p><a href="#0_6">2.5.1 Critical Mass Cyber Security Requirement Standard /CMCSRS/ Version 1.0</a><a href="#0_6">.........................</a><a href="#0_6">.</a><a href="#0_6">2</a><a href="#0_6">4 </a></p><p><a href="#0_5">2.6 Global Cyber Security Initiative........................................................................................................................30 </a></p><p><a href="#0_7">2.6.1 Global Cyber Security Index /GCI/ 2017</a><a href="#0_7">..................................................................................</a><a href="#0_7">.</a><a href="#0_7">3</a><a href="#0_7">0 </a></p><p><a href="#0_5">2.7 NIST Framework...............................................................................................................................................33 </a><a href="#0_2">2.8 Related Work</a><a href="#0_2">s</a><a href="#0_2">.</a><a href="#0_2">..................................................................................................................................................35 </a><a href="#0_8">2.9 Chapter Summary..............................................................................................................................................41 </a></p><p><a href="#0_5">CHAPTER THREE </a><a href="#0_5">...................................................................................................................................</a><a href="#0_5">.</a><a href="#0_5">4</a><a href="#0_5">3 </a><a href="#0_9">Research Methodology </a><a href="#0_9">..............................................................................................................................</a><a href="#0_9">.</a><a href="#0_9">4</a><a href="#0_9">3 </a></p><p><a href="#0_10">3.1 </a><a href="#0_11">3.2 </a><a href="#0_5">3.3 </a><a href="#0_5">3.4 </a><a href="#0_12">3.5 </a><br><a href="#0_10">Overview....................................................................................................................................................43 </a><a href="#0_11">General Approach ......................................................................................................................................43 </a><a href="#0_5">Research Pillars and Sub Pillars.................................................................................................................47 </a><a href="#0_5">Study Populatio</a><a href="#0_5">n</a><a href="#0_5">.</a><a href="#0_5">.......................................................................................................................................49 </a><a href="#0_12">Data Collection Techniques and Procedures..............................................................................................49 </a></p><p><a href="#0_13">Ethiopian Electric Power and Utility </a><a href="#0_13">.................................................................................</a><a href="#0_13">.</a><a href="#0_13">4</a><a href="#0_13">9 </a></p><p><a href="#0_13">3.5.1 </a><a href="#0_14">3.5.2 </a></p><p><a href="#0_14">Ethio Teleco</a><a href="#0_14">m</a><a href="#0_14">....................................................................................................................</a><a href="#0_14">.</a><a href="#0_14">5</a><a href="#0_14">0 </a></p><p></p><ul style="display: flex;"><li style="flex:1"><a href="#0_15">3.6 </a></li><li style="flex:1"><a href="#0_15">Data Analysis and Evaluation Technique ..................................................................................................51 </a></li></ul><p><a href="#0_16">Reliability and Validity Testing .................................................................................................................53 </a><a href="#0_17">Chapter Summary ......................................................................................................................................53 </a><br><a href="#0_16">3.7 </a><a href="#0_17">3.8 </a></p><p><a href="#0_5">CHAPTER FIVE </a><a href="#0_5">.......................................................................................................................................</a><a href="#0_5">.</a><a href="#0_5">5</a><a href="#0_5">5 </a><a href="#0_9">Data Presentation, Analysis and Discussio</a><a href="#0_9">n</a><a href="#0_9">..............................................................................................</a><a href="#0_9">.</a><a href="#0_9">5</a><a href="#0_9">5 </a></p><p><a href="#0_10">4.1 Overvie</a><a href="#0_10">w</a><a href="#0_10">.</a><a href="#0_10">..........................................................................................................................................................55 </a><a href="#0_18">4.2 Demographic Properties of Respondents ..........................................................................................................56 </a><a href="#0_19">4.3 Cyber Security Challenges at Critical Infrastructures .......................................................................................58 </a><a href="#0_6">4.4 Trends of Growth in Cyber Security Threats ....................................................................................................64 </a><a href="#0_5">4.5 Preparedness to Cyber Security Threats at Critical Infrastructure</a><a href="#0_5">s</a><a href="#0_5">.</a><a href="#0_5">..................................................................68 </a></p><p><a href="#0_20">4.5.1 Preparedness to Detect Cyber Security Threat</a><a href="#0_20">s</a><a href="#0_20">........................................................................</a><a href="#0_20">.</a><a href="#0_20">6</a><a href="#0_20">8 </a><a href="#0_21">4.5.2 Preparedness to Prevent Cyber Security Threats </a><a href="#0_21">......................................................................</a><a href="#0_21">.</a><a href="#0_21">7</a><a href="#0_21">0 </a><a href="#0_22">4.5.3 Preparedness to Respond to Cyber Security Breac</a><a href="#0_22">h</a><a href="#0_22">.................................................................</a><a href="#0_22">.</a><a href="#0_22">7</a><a href="#0_22">1 </a></p><p><a href="#0_23">4.6 Discussion .........................................................................................................................................................74 </a><a href="#0_24">4.7 Cyber Security Practices: Legislations, Policies, Institution and Standard .......................................................77 </a><a href="#0_25">4.8 Chapter Summary..............................................................................................................................................80 </a></p><p><a href="#0_5">CHAPTER SI</a><a href="#0_5">X</a><a href="#0_5">..........................................................................................................................................</a><a href="#0_5">.</a><a href="#0_5">8</a><a href="#0_5">1 </a></p><p><strong>v | </strong>P a g e </p><p><a href="#0_9">The Tailored Cyber Security Framework for Critical Infrastructures</a><a href="#0_9">........................................................</a><a href="#0_9">.</a><a href="#0_9">8</a><a href="#0_9">1 </a></p><p><a href="#0_10">5.1 Overvie</a><a href="#0_10">w</a><a href="#0_10">.</a><a href="#0_10">..........................................................................................................................................................81 </a><a href="#0_26">3.2 </a><a href="#0_27">3.3 </a><a href="#0_5">3.4 </a><br><a href="#0_26">Cyber Security Units and INS</a><a href="#0_26">A</a><a href="#0_26">.</a><a href="#0_26">................................................................................................................85 </a><a href="#0_27">Bags of Existing and Growing Threats ......................................................................................................85 </a><a href="#0_5">Evaluation of the Proposed Framework .....................................................................................................88 </a></p><p><a href="#0_5">Chapter six </a><a href="#0_5">.................................................................................................................................................</a><a href="#0_5">.</a><a href="#0_5">9</a><a href="#0_5">0 </a><a href="#0_9">Conclusion and Recommendations</a><a href="#0_9">............................................................................................................</a><a href="#0_9">.</a><a href="#0_9">9</a><a href="#0_9">0 </a></p><p><a href="#0_0">6.1 Conclusion.........................................................................................................................................................90 </a><a href="#0_28">6.2 Recommendations .............................................................................................................................................92 </a><a href="#0_29">6.3 Recommendations for Future Research.............................................................................................................92 </a></p><p><a href="#0_30">References</a><a href="#0_30">..................................................................................................................................................</a><a href="#0_30">.</a><a href="#0_30">9</a><a href="#0_30">4 </a></p><p><strong>vi | </strong>P a g e </p><p><strong>List of Tables </strong></p><p><strong>Pages 41 </strong></p><p>Table 2.1&nbsp;Related Works Table Table 3.1&nbsp;Ethiopian Electric Power utility Study Population Table 3.2&nbsp;Ethio Telecom Study Population </p><p><strong>50 51 </strong></p><p>Table 4.1&nbsp;Response Rate </p><p><strong>55 </strong></p><p>Table 4.2&nbsp;Reliability Statistics of the Questionnaire Table 4.3&nbsp;Educational Status </p><p><strong>56 56 </strong></p><p>Table 4.4&nbsp;Reliability Statistics for Eight Items on challenges of Cyber Security Table 4.5&nbsp;Percentile distribution of Cyber Security challenges Table 4.6&nbsp;Percentile Distribution of Level of Preparedness to Detect Cyber Security <br>Threats </p><p><strong>59 63 70 </strong></p><p>Table 5.1&nbsp;Design Research Guide Line </p><p><strong>83 </strong></p><p><strong>vii | </strong>P a g e </p><p><strong>List of Graphs </strong></p><p><strong>Pages 57 </strong></p><p>Graph 4.1 Graph 4.2 Graph 4.3 Graph 4.4 Graph 4.5 <br>Security certification at critical Infrastructures Years of Experience </p><p><strong>58 </strong></p><p>Trend Level of Preparedness to Prevent Cyber security Threats Level of Preparedness to Respond to Cyber Security Threats Management Team or Executives Understanding towards Cyber security </p><p><strong>71 73 74 </strong></p><p><strong>viii | </strong>P a g e </p><p><strong>List of Figures </strong></p><p><strong>Pages </strong><br><strong>6</strong></p><p>Figure 1.1&nbsp;Global Cyber security Agenda /GCA/ Tree Structure Illustrating all <br>Pillars /Simplified/ <br>Figure 2.1&nbsp;The Relationships between information and Communication security , <br>Information Security and Cyber Security </p><p><strong>15 </strong></p><p>Figure 2.2&nbsp;Cyber Security Strategic Management Model Figure 2.3&nbsp;Capability building Architecture </p><p><strong>26 28 28 29 31 46 48 87 </strong></p><p>Figure 2.4&nbsp;CMCSRS Process&nbsp;Framework Figure 2.5&nbsp;CMCSRS the OPDCA Process Cycle Figure 2.6&nbsp;GCI Pillars and Sub Pillars Figure 3.1&nbsp;Simplified Research Process Figure 3.2&nbsp;The Research Three&nbsp;Pillars and Sub pillars Figure 5.1&nbsp;Graphical Representation of the Tailored Framework for Technical <br>Processes of Cyber Security </p><p><strong>ix | </strong>P a g e </p><p><strong>List of Acronyms </strong></p><p><strong>BYOD BYOA CERT CIs </strong></p><p>Bring Your Own Devices Bring Your Own Applications Computer Emergency and Response Unit Critical Infrastructures </p><p><strong>CMSCRS CSF </strong></p><p>Critical Mass Cyber Security Requirement Standard Cybersecurity Framework </p><p><strong>CSFs CIO </strong></p><p>Cybersecurity Frameworks Chief Information Officer </p><p><strong>CSUs DDoS: DoS: </strong></p><p>Cyber Security&nbsp;Units Distributed Denial of Service Denial of Service </p><p><strong>GCA: GCI: </strong></p><p>Global Cybersecurity Agenda Global Cybersecurity Index </p><p><strong>ICT: </strong></p><p>Information Communication Technology Information Network Security Agency Internet of Things </p><p><strong>INSA: IoTs: IS: </strong></p><p>Information System </p><p><strong>ISS: IT: </strong></p><p>Information Systems Security Information technology </p><p><strong>NIST: UNCTAD: </strong></p><p>National Institute of Standards and Technology United Nations Conference on Trade and Development </p><p><strong>x | </strong>P a g e </p><p><strong>Abstract </strong></p><p>Cyber security is the activity of protecting information and information systems (networks, computers, data centers and applications) with appropriate procedural and technological security measures (Tonge, Kasture and Chaudhari, 2013, p.1). Cyber security threats and breaches are increasing from year to year. A Cyber security breach has the potential to disrupt the proper functioning of nation states. It affects the reputation of organization and erodes customers trust. Cyber security breaches at critical infrastructures can affect the existence of a nation and can disrupt the social, economic and political realm of governments. Critical infrastructures mean any infrastructure vulnerable to information communication network security threats having considerable impact to the social, economic, or political interest of the country. </p>

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    123 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us