Tag: security

1. What is the specific aspect of GDPR that your case study addresses? This case addresses Article 32 (Security of Processing) and Article 5(1)(f) (Integrity and Confidentiality). The case involved a law firm where a staff member fell victim to a social engineering attack (phishing), allowing a malicious actor to install malware and defraud a client. The core GDPR issue was the data controller’s failure to implement “appropriate technical and organisational measures” to ensure a level of security appropriate to the risk. Specifically, the firm relied on a cloud email service without enforcing basic industry-standard security settings, such as strong passwords or Multi-Factor Authentication (MFA).

2. How was it resolved? Upon discovering the breach, the firm immediately commissioned a full forensic investigation to determine the root cause and extent of the compromise. Based on the findings, they implemented enhanced technical security measures (specifically enabling MFA) and conducted mandatory cyber security and data protection training for all staff. The DPC concluded the case by requesting updates on these implementations to ensure the risk of reoccurrence was mitigated.

3. If this was your organisation, what steps would you take as an Information Security Manager to mitigate the issue? As an Information Security Manager, I would align our mitigation strategy with ISO/IEC 27001 standards to ensure compliance with GDPR Article 32:

• Implement Technical Controls (ISO 27001 A.9): I would mandate Multi-Factor Authentication (MFA) for all external access, particularly for cloud-based email services. Reliance on passwords alone is no longer considered “appropriate” for protecting sensitive client data.
• Security Awareness Training (ISO 27001 A.7.2.2): I would implement a continuous “phishing simulation” program rather than one-off training. This tests employee resilience to social engineering in real-time.
• Vendor Risk Management: Since the firm used a third-party cloud provider, I would review the shared responsibility model to ensure we are not assuming default settings are secure. We must configure the “tenant” side of the cloud service to meet our specific risk appetite.

References

• Data Protection Commission (2023) Case Studies: May 2018 – May 2023. Available at: https://dataprotection.ie/sites/default/files/uploads/2024-08/DPC-CS-2023-EN-V2.pdf

Based on Jbair, M., Ahmad, B., Maple, C. and Harrison, R. (2022)

1. What are the key elements and interdependencies in a cyber-physical system that must be captured in a comprehensive threat model?

A comprehensive threat model for Cyber-Physical Systems (CPS) must move beyond simple asset lists to capture the dynamic relationships between physical and digital components. Jbair et al. (2022) propose a data model that links ten critical parameters: Threat Actors (insider/outsider), Assets (classified by the Purdue Model), Vulnerabilities, Threats (using STRIDE), and Cyber-Attacks (using ICS ATT&CK tactics).

Critically, these elements are interdependent: a Threat Actor exploits a Vulnerability via specific Tactics, Techniques, and Procedures (TTPs) to manipulate an Asset. The accuracy of the risk analysis depends on capturing these links because the Attack Impact varies depending on the asset’s physical function (e.g., a PLC at Level 1 has a higher safety impact than a workstation at Level 4). Failing to map these interdependencies results in a “siloed” view that misses cascading physical risks.

2. How can threat modelling help identify attack entry points and system vulnerabilities in cyber-physical energy systems?

Threat modelling identifies entry points by mapping the “attack surface” exposed by the convergence of IT and OT (Operational Technology). By utilizing frameworks like ICS ATT&CK, analysts can model specific attack trees—such as a “Man-in-the-Middle” attack on a PLC or a “Denial of Service” on an HMI. This structured approach moves beyond ad-hoc vulnerability scanning to identify complex attack paths where an adversary might pivot from a corporate network (Level 4) to control systems (Level 1).

However, a major challenge is that traditional threat modelling tools are often “static” and do not integrate with the engineering tools used to build CPS. Jbair et al. (2022) highlight that existing methodologies often lack the ability to determine risk severity or provide a roadmap for mitigation, making it difficult to justify security investments to engineering stakeholders.

3. How can scenario-specific metrics and risk assessment methodologies be used to prioritise vulnerabilities?

To effectively prioritize vulnerabilities, organizations must move from qualitative “guesswork” to quantitative metrics. The paper proposes a formulaic approach where Risk (R) is the product of the Attack Vector (AV) and Attack Likelihood (AL) (R = AV \times AL).

• Attack Vector (AV): Calculated using the geometric mean of threat actor skills, threat exposure, and impact severity.
• Attack Likelihood (AL): Derived from historical data of similar attacks in the sector (e.g., assessing if a specific malware strain is trending in the energy sector).

By applying these metrics to a Risk Heat Map, vulnerabilities can be classified from “Very Low” to “Very High.” This allows security teams to automate the generation of Mitigation Controls (such as firmware monitoring or password enforcement) specifically for the highest-risk assets, ensuring that limited resources are targeted where they prevent the most significant physical and digital damage.

References

• Jbair, M., Ahmad, B., Maple, C. and Harrison, R. (2022) ‘Threat modelling for industrial cyber physical systems in the era of smart manufacturing’, Computers in Industry, 137, p. 103611. Available at: https://doi.org/10.1016/j.compind.2022.103611