Evaluation and Selection of a Cybersecurity Platform ─ Case of the Power Sector in India
DOI:
https://doi.org/10.31181/dmame712024891Keywords:
Critical infrastructure (CI), Cybersecurity platform, Best-worst method, BWM, COBRA, Best-worst method-improved, BWM-I, Power-grid in IndiaAbstract
Maintaining interconnected infrastructures such as transportation, communication, power grids, and pipeline networks is paramount in emerging economies. One of the critical interruptions is the targeted attacks on the operating cyber-physical systems to disconnect operations, inspection, or monitoring of the system. Therefore, adopting a cybersecurity system (or platform) that provides holistic protection is vital for protecting the integrity of critical infrastructure networks. As such, this research aspires to provide a decision support system for cybersecurity managers or practitioners (in the Indian power sector) to select the best and appropriate platform for protection against cyber-attacks. A three-phase method is adopted. First, a literature search followed by an expert panel discussion identified alternatives (cybersecurity platforms) and selection criteria. Next, a questionnaire was developed. Thirdly, a hybrid Best-Worst Improved and COmprehensive distance-Based RAnking (BWM-I and COBRA) method was proposed and applied to evaluate the cybersecurity platform alternatives. Four alternatives (Cloud-Based Platforms, Web-Based Platforms, Application-Based Platforms, and AI-Based Platforms), six primary criteria, and fifteen unique sub-criteria were identified. Responses were collected from 80 power utility managers on a pan-India basis, ranking "End-to-End Coverage" criteria and the AI-Based platform as best. This approach identified the best cybersecurity platform that, if adopted, can be extended to other critical infrastructures, with an appropriate adjustment in the selection criteria. The study can be helpful to practitioners in evaluating cybersecurity platforms. Furthermore, it addresses a research gap in its application in a developing country like India.
Downloads
References
Kethineni, S. (2020). Cybercrime in India: Laws, Regulations, and Enforcement Mechanisms. The Palgrave Handbook of International Cybercrime and Cyberdeviance, 305-326. https://doi.org/10.1007/978-3-319-78440-3_7
Govt of India's Information Technology Act 2000 (IT Act 2000) (2000) https://en.wikipedia.org/wiki/ Information_Technology_Act,_2000 Accessed 10 October 2023.
Govt of India's The National Crime Records Bureau (NCRB) (2013) https://ncrb.gov.in/en. Accessed 10 October 2023.
Das, S. (2021, December). Adequacy and Limitations of the Information Technology Act in Addressing Cyber-Security Issues of Indian Power Systems. In 2021 9th IEEE International Conference on Power Systems (ICPS) (pp. 1-6). IEEE. https://doi.org/10.1109/ICPS52420.2021.9670395
Kumar, V. A., Pandey, K. K., & Punia, D. K. (2014). Cyber security threats in the power sector: Need for a domain-specific regulatory framework in India. Energy policy, 65, 126-133. https://doi.org/10.1016/j.enpol.2013.10.025
Govt of India's National Cyber Security Policy (2013). https://en.wikipedia.org/wiki/National_Cyber_Security Policy_2013. Accessed 10 October 2023.
Kumar, G., (2019). Cyber Security System and Policy of India: Challenges and Prospects. Soc. Sci, 6(7), 1937-1943.
Casanovas, M., & Aloys Nghiem, A., (2023 Aug). Cybersecurity – is the power system lagging behind? https://www.iea.org/commentaries/cybersecurity-is-the-power-system-lagging-behind. Accessed 10 October 2023.
CEA (Cyber Security In Power Sector) Guidelines, 2021 (2022). https://npti.gov.in/cea-cyber-security-power-sector-guidelines-2021. Accessed 10 October 2023.
Pingol, E. (2021). India Releases Cybersecurity Guidelines for Power Sector. https://www.trendmicro.com/en_us/research/21/j/india-releases-cybersecurity-guidelines-for-power-sector.html Accessed 11 October 2023.
Palleti, V. R., Adepu, S., Mishra, V. K., & Mathur, A. (2021). Cascading effects of cyber-attacks on interconnected critical infrastructure. Cybersecurity, 4(1), 1-19. https://doi.org/10.1186/s42400-021-00071-z
Eduard Kovacs (2022, Nov). Cyberattack Causes Trains to Stop in Denmark. https://www.securityweek.com /cyberattack-causes-trains-stop-denmark. Accessed: 6 October 2023.
Rinaldi, S. M., Peerenboom, J. P., & Kelly, T. K. (2001). Identifying, understanding, and analysing critical infrastructure interdependencies. IEEE control systems magazine, 21(6),11-25. https://doi.org/10.1109/37.969131
Perwej, Y., Abbas, S. Q., Dixit, J. P., Akhtar, N., & Jaiswal, A. K. (2021). A systematic literature review on the cyber security. International Journal of scientific research and management, 9(12), 669-710. https://doi.org/10.18535/ijsrm/v9i12.ec04
Corallo, A., Lazoi, M., & Lezzi, M. (2020). Cybersecurity in the context of industry 4.0: A structured classification of critical assets and business impacts. Computers in Industry, 114, 103165. https://doi.org/10.1016/j.compind.2019.103165
Alp, Ö. (2018). Cybersecurity in Smart City. M. Sc. Thesis. İstanbul Bilgi University, Social Sciences Institute, İstanbul.
Enayaty-Ahangar, F., Albert, L. A., & DuBois, E. (2020). A survey of optimisation models and methods for cyberinfrastructure security. IISE Transactions, 53(2), 182-198. https://doi.org/10.1080/24725854.2020.1781306
Lopez, M. A., Lombardo, J. M., López, M., Alba, C. M., Velasco, S., Braojos, M. A., & Fuentes-García, M. (2020). Intelligent detection and recovery from cyberattacks for small and medium-sized enterprises. https://doi.org/10.9781/ijimai.2020.08.003
Nayyar, S. (2022). What to look for in Machine Learning for Cybersecurity Solutions? https://www.forbes.com/sites/forbestechcouncil/2022/07/14/what-to-look-for-in-machine-learning-for-cyber security-solutions/?sh=d6129f1b21e5. Accessed 28 October 2023.
Arce, D. G. (2020). Cybersecurity and platform competition in the Cloud. Computers & Security, 93, 101774. https://doi.org/10.1016/j.cose.2020.101774
Sterlini, P., Massacci, F., Kadenko, N., Fiebig, T., & van Eeten, M. (2019). Governance challenges for European cybersecurity policies: Stakeholder views. IEEE Security & Privacy, 18(1), 46-54. https://doi.org/10.1109/MSEC.2019.2945309
Dawson, M. (2018). Applying a holistic cybersecurity framework for global IT organisations. Business Information Review, 35(2), 60-67. https://doi.org/10.1177/0266382118773624
Van Kranenburg, R., and Le Gars, G. (2021). The cybersecurity aspects of new entities need a cybernetic, holistic perspective. International Journal of Cyber Forensics and Advanced Threat Investigations, 2(1), 63-68. https://doi.org/10.46386/ijcfati.v2i1.36
Yohanandhan, R. V., Elavarasan, R. M., Pugazhendhi, R., Premkumar, M., Mihet-Popa, L., & Terzija, V. (2021). A holistic review on Cyber-Physical Power System (CPPS) testbeds for secure and sustainable electric power grid–Part–II: Classification, overview and assessment of CPPS testbeds. International Journal of Electrical Power & Energy Systems, 107721. https://doi.org/10.1016/j.ijepes.2021.107721
Ullah, F., Naeem, H., Jabbar, S., Khalid, S., Latif, M. A., Al-Turjman, F., & Mostarda, L. (2019). Cyber security threats detection in the Internet of Things using deep learning approach. IEEE Access, 7, 124379-124389. https://doi.org/10.1109/ACCESS.2019.2937326
Atat, R., Liu, L., Wu, J., Li, G., Ye, C., Yang, Y. (2018). Big data meet cyber-physical systems: A panoramic survey. IEEE Access, 6, 73603-73636. https://doi.org/10.1109/ACCESS.2018.2878681
Alamleh, A., Albahri, O. S., Zaidan, A. A., Alamoodi, A. H., Albahri, A. S., Zaidan, B. B., ... & Al-Samarraay, M. S. (2022). Multi-attribute Decision-Making for Intrusion Detection Systems: A Systematic Review. International Journal of Information Technology & Decision Making, 1-48. https://doi.org/10.1142/S021962202230004X
Norem, S., Rice, A.E., Erwin, S., Bridges, R.A., Oesch, S., Weber, B. (2022). A Mathematical Framework for Evaluation of SOAR Tools with Limited Survey Data. In: Computer Security. ESORICS 2021 International Workshops. ESORICS 2021. Lecture Notes in Computer Science, 13106. Springer, Cham. https://doi.org/10.1007/978-3-030-95484-0_32
Agrawal, A., Deep, V., Sharma, P., Mishra, S. (2021). Review of Cybersecurity Post-COVID-19. In: Kumar, N., Tibor, S., Sindhwani, R., Lee, J., Srivastava, P. (eds) Advances in Interdisciplinary Engineering. Lecture Notes in Mechanical Engineering. Springer, Singapore. https://doi.org/10.1007/978-981-15-9956-9_75
Cascavilla, G., Tamburri, D. A., & Van Den Heuvel, W. J. (2021). Cybercrime threat intelligence: A systematic multi-vocal literature review. Computers & Security, 105, 102258. https://doi.org/10.1016/j.cose.2021.102258
Nugraha, I. P. E. D. (2021). A review of the role of modern SOC in cybersecurity operations. Int. J. Current Sci. Res. Rev., 4(5), 408-414. https://doi.org/10.47191/ijcsrr/V4-i5-13
Skoumperdis, M., Vakakis, N., Diamantaki, M., Medentzidis, C. R., Karanassos, D., Ioannidis, D., & Tzovaras, D. (2023). A Novel Self-learning Cybersecurity System for Smart Grids. In Power Systems Cybersecurity: Methods, Concepts, and Best Practices (pp. 337-362). Cham: Springer International Publishing. https://doi.org/10.1007/978-3-031-20360-2_14
Gilchrist, A. (2016). Industry 4.0: the industrial Internet of things. Apress. Bangken, Nonthaburi, Thailand.
Atoum, I., & Otoom, A. (2017). A classification scheme for cybersecurity models. International Journal of Security and Its Application, 11(1), 109-120. https://doi.org/10.14257/ijsia.2017.11.1.10
Jansen, C., & Jeschke, S. (2018). Mitigating risks of digitalisation through managed industrial security services. AI & Society, 33(2), 163-173. https://doi.org/10.1007/s00146-018-0812-1
Lezzi, M., Lazoi, M., & Corallo, A. (2018). Cybersecurity for Industry 4.0 in the current literature: A reference framework. Computers in Industry, 103, 97-110. https://doi.org/10.1016/j.compind.2018.09.004
Flatt, H., Schriegel, S., Jasperneite, J., Trsek, H., & Adamczyk, H. (2016, September). Analysis of the Cyber-Security of industry 4.0 technologies based on RAMI 4.0 and identification of requirements. In 2016 IEEE 21st International Conference on Emerging Technologies and Factory Automation (ETFA) (pp. 1-4). IEEE. https://doi.org/10.1109/ETFA.2016.7733634
Januário, F., Carvalho, C., Cardoso, A., & Gil, P. (2016, October). Security challenges in SCADA systems over Wireless Sensor and Actuator Networks. In 2016 8th International Congress on Ultra Modern Telecommunications and Control Systems and Workshops (ICUMT) (pp. 363-368). IEEE. https://doi.org/10.1109/ICUMT.2016.7765386
He, H., Maple, C., Watson, T., Tiwari, A., Mehnen, J., Jin, Y., & Gabrys, B. (2016, July). The security challenges in the IoT enabled cyber-physical systems and opacities for evolutionary computing & other computational intelligence. In 2016 IEEE congress on evolutionary computation (CEC) (pp. 1015-1021). IEEE. https://doi.org/10.1109/CEC.2016.7743900
Corbò, G., Foglietta, C., Palazzo, C., & Panzieri, S. (2018). Smart behavioural filter for industrial Internet of things. Mobile Networks and Applications, 23(4), 809-816. https://doi.org/10.1007/s11036-017-0882-1
Jansen, C. (2017). Stabilising the industrial system: Managed security services' contribution to cyber-peace. IFAC-PapersOnLine, 50(1), 5155-5160. https://doi.org/10.1016/j.ifacol.2017.08.786
Ren, A., Wu, D., Zhang, W., Terpenny, J., & Liu, P. (2017). Cyber security in smart manufacturing: Survey and challenges. In IIE Annual Conference. Proceedings (pp. 716-721). Institute of Industrial and Systems Engineers (IISE).
Guo, S., & Zhao, H. (2017). Fuzzy best-worst multi-criteria decision-making method and its applications. Knowledge-Based Systems, 121, 23-31. https://doi.org/10.1016/j.knosys.2017.01.010
Rezaei, J. (2016). Best-worst multi-criteria decision-making method: Some properties and a linear model. Omega, 64, 126-130. https://doi.org/10.1016/j.omega.2015.12.001
Liu, S., Chan, F. T., & Ran, W. (2016). Decision-making for the selection of cloud vendor: An improved approach under group decision-making with integrated weights and objective/subjective attributes. Expert Systems with Applications, 55, 37-47. https://doi.org/10.1016/j.eswa.2016.01.059
Mohammadi, M., & Rezaei, J. (2023). Ratio product model: A rank‐preserving normalisation-agnostic multi‐criteria decision‐making method. Journal of Multi‐Criteria Decision Analysis. https://doi.org/10.1002/mcda.1806
Saaty, T.L. (1980), The Analytical Hierarchy Process, McGraw-Hill, New York, NY. https://doi.org/10.21236/ADA214804
Saaty, T. L. (2004). Fundamentals of the analytic network process—Dependence and feedback in decision-making with a single network. Journal of Systems science and Systems engineering, 13, 129-157. https://doi.org/10.1007/s11518-006-0158-y
Emrouznejad, A., & Marra, M. (2017). The state of the art development of AHP (1979-2017): A literature review with a social network analysis. International journal of production research, 55(22), 6653-6675. https://doi.org/10. 1080/00207543.2017.1334976
Ameli, M., Esfandabadi, Z.S., Sadeghi, S., Ranjbari, M., Zanetti, M. C. (2023). COVID-19 and Sustainable Development Goals (SDGs): Scenario analysis through fuzzy cognitive map modeling. Gondwana Research, 114, 138-155. https://doi.org/10.1016/j.gr.2021.12.014
Yazdani, M., Pamucar, D., Erdmann, A., & Toro-Dupouy, L. (2023). Resilient, sustainable investment in digital education technology: A stakeholder-centric decision support model under uncertainty. Technological Forecasting and Social Change, 188, 122282. https://doi.org/10.1016/j.techfore.2022.122282
Deveci, M., Pamucar, D., Gokasar, I., Delen, D., Wu, Q., & Simic, V. (2022). An analytics approach to decision alternative prioritisation for zero-emission zone logistics. Journal of Business Research, 146, 554-570. https://doi.org/10.1016/j.jbusres.2022.03.059
Mou, Q., Xu, Z., & Liao, H. (2016). An intuitionistic fuzzy multiplicative best-worst method for multi-criteria group decision-making. Information Sciences, 374, 224-239. https://doi.org/10.1016/j.ins.2016.08.074
Gupta, P., Anand, S., & Gupta, H. (2017). Developing a roadmap to overcome barriers to energy efficiency in buildings using best worst method. Sustainable Cities and Society, 31, 244-259. https://doi.org/10.1016/j.scs.2017.02.005
Pamučar, D., Stević, Ž., & Sremac, S. (2018). A new model for determining weight coefficients of criteria in MCDM models: Full consistency method (FUCOM). Symmetry, 10(9), 393. https://doi.org/10.3390/sym10090393
Wang, P., Wang, J., Wei, G., Wei, C., & Wei, Y. (2019). The multi-attributive border approximation area comparison (MABAC) for multiple attribute group decision making under 2-tuple linguistic neutrosophic environment. Informatica, 30(4), 799-818. https://doi.org/10.15388/Informatica.2019.230
Hansen, P., & Ombler, F. (2008). A new method for scoring additive multi‐attribute value models using pairwise rankings of alternatives. Journal of Multi‐Criteria Decision Analysis, 15(3‐4), 87-107. https://doi.org/10.1002 /mcda.428
Badi, I., & Ballem, M. (2018). Supplier selection using the rough BWM-MAIRCA model: A case study in pharmaceutical supplying in Libya. Decision Making: Applications in Management and Engineering, 1(2), 16-33. https://doi.org/10.31181/dmame1802016b
Zhou, Y., Zheng, C., Zhou, L., & Chen, H. (2023). Selection of a solar water heater for large-scale group decision-making with hesitant fuzzy linguistic preference relations based on the best-worst method. Applied Intelligence, 53(4), 4462-4482. https://doi.org/10.1007/s10489-022-03688-w
Krstić, M., Agnusdei, G. P., Miglietta, P. P., Tadić, S., & Roso, V. (2022). Applicability of Industry 4.0 Technologies in the Reverse Logistics: A Circular Economy Approach Based on COmprehensive Distance Based RAnking (COBRA) Method. Sustainability, 14(9), 5632. https://doi.org/10.3390/su14095632
Department of Defense Chief Information Officer (2021). Cybersecurity Resource and Reference Guide. https://dodcio.defense.gov/Portals/0/Documents/Library/CSResourceReferenceGuide.pdf. Accessed 27 May 2023.
Department of Defense Chief Information Officer (2022). Department of Defense Zero Trust Reference Architecture. https://dodcio.defense.gov/Portals/0/Documents/Library/(U)ZT_RA_v2.0(U)_Sep22.pdf. Accessed 28 April 2023.
Cybersecurity and Infrastructure Security Agency. (2021). Commercial Facilities Sector: Cybersecurity Framework Implementation Guidance. https://www.cisa.gov/sites/default/files/publications/ Commercial_Facilities_Sector_ Cybersecurity_Framework_Implementation_Guidance_FINAL_508.pdf. Accessed 27 April 2023.
Center for Internet Security (CIS) (2023). Vendor Selection Criteria. https://www.cisecurity.org/services /cis-cybermarket/vendor-information/selection-criteria. Accessed 26 April 2023.
Cybersecurity and Infrastructure Security Agency. (2023). Guide to Getting Started with a Cybersecurity Risk Assessment. https://www.cisa.gov/sites/default/files/2023-02/22_1201_safecom_guide_to_cyber security _risk_assessment_508-r1.pdf Accessed 27 April 2023.
U.S. Office of Personnel Management. (2018). Interpretive Guidance for Cybersecurity Positions. https://www.opm.gov/policy-data-oversight/classification-qualifications/reference-materials/interpretive-guidance-for-cybersecurity-positions.pdf. Accessed 5 January 2023.
Taherdoost, H. (2019). What is the best response scale for survey and questionnaire design; review of different lengths of rating scale/attitude scale/Likert scale. Hamed Taherdoost, 1-10.
Likert, R. (1932). A technique for the measurement of attitudes. Archives of psychology, 140, 5-53.
Petrudi, S. H. H., Ghomi, H., & Mazaheriasad, M. (2022). An Integrated Fuzzy Delphi and Best Worst Method (BWM) for performance measurement in higher education. Decision Analytics Journal, 4, 100121. https://doi.org/10.1016/j.dajour.2022.100121
Khan, S. A., Gupta, H., Gunasekaran, A., Mubarik, M. S., & Lawal, J. (2023). A hybrid multi‐criteria decision‐making approach to evaluate interrelationships and impacts of supply chain performance factors on pharmaceutical industry. Journal of Multi‐Criteria Decision Analysis, 30(1-2), 62-90. https://doi.org/10.1002/mcda.1800
Wind, Y., & Saaty, T. L. (1980). Marketing applications of the analytic hierarchy process. Management Science, 26(7), 641-658. https://doi.org/10.1287/mnsc.26.7.641
Pamučar, D., Ecer, F., Cirovic, G., & Arlasheedi, M. A. (2020). Application of improved best worst method (BWM) in real-world problems. Mathematics, 8(8), 1342. https://doi.org/10.3390/math8081342
Lai, L. L., Zhang, H. T., Lai, C. S., Xu, F. Y., & Mishra, S. (2013, July). Investigation on july 2012 indian blackout. In 2013 International Conference on Machine Learning and Cybernetics (Vol. 1, pp. 92-97). IEEE. DOI: 10.1109/ICMLC.2013.6890450 https://doi.org/10.1109/ICMLC.2013.6890450
Boeding, M., Boswell, K., Hempel, M., Sharif, H., Lopez Jr, J., & Perumalla, K. (2022). Survey of Cybersecurity Governance, Threats, and Countermeasures for the Power Grid. Energies, 15(22), 8692. https://doi.org/10.3390/en15228692
ur Rehman, O., Ali, Y., & Sabir, M. (2022). Risk assessment and mitigation for electric power sectors: A developing country's perspective. International Journal of Critical Infrastructure Protection, 36, 100507. https://doi.org/10.1016/j.ijcip.2021.100507
Jarmakiewicz, J., Parobczak, K., & Maślanka, K. (2017). Cybersecurity protection for power grid control infrastructures. International Journal of Critical Infrastructure Protection, 18, 20-33. https://doi.org/10.1016/j.ijcip.2017.07.002
Randall, R. G., & Allen, S. (2021). Cybersecurity professionals information sharing sources and networks in the US electrical power industry. International Journal of Critical Infrastructure Protection, 34, 100454. https://doi.org/10.1016/j.ijcip.2021.100454
Stouffer, K., Falco, J., & Scarfone, K. (2011). Guide to industrial control systems (ICS) security. NIST special publication, 800(82), 1-16.
Butwall, M., Ranka, P., & Shah, S. (2019). Python in the field of data science: a review. International Journal of Computer Applications, 178(49), 20-24. https://doi.org/10.5120/ijca2019919404
Wirkuttis, N., & Klein, H. (2017). Artificial intelligence in cybersecurity. Cyber, Intelligence, and Security, 1(1), 103-119.
Atkinson, J., Miorelli, S., & Ljungmark, C. (2022, April). Benefits of AI-Based Cybersecurity Tools for De-Manning Existing Offshore Platforms. In Offshore Technology Conference. OnePetro. https://doi.org/10.4043/31766-MS
Dash, B., Ansari, M. F., Sharma, P., & Ali, A. (2022). Threats and Opportunities with AI-based Cyber Security Intrusion Detection: A Review. International Journal of Software Engineering & Applications (IJSEA), 13(5). https://doi.org/10.5121/ijsea.2022.13502
Leszczyna, R., & Leszczyna, R. (2019). Cost of cybersecurity management. Cybersecurity in the Electricity Sector: Managing Critical Infrastructure, 127-147. https://doi.org/10.1007/978-3-030-19538-0_5
Downloads
Published
How to Cite
Issue
Section
License
Copyright (c) 2023 Decision Making: Applications in Management and Engineering
This work is licensed under a Creative Commons Attribution 4.0 International License.