Building an Effective Security Program for Distributed Energy Resources and Systems. Mariana Hentea
is the activity or process, ability or capability, or state whereby information and communication systems and the information contained therein are protected from and/or defended against damage, unauthorized use or modification, or exploitation [NICCS 2016].
Cyberspace is a global domain within the information environment consisting of interdependent IT infrastructures, telecommunication networks and computer processing systems, and embedded processors and controllers [CNSSI 4009].
Cyberspace is a global domain within the information environment consisting of interdependent IT infrastructures, telecommunication networks and computer processing systems, and embedded processors and controllers [NISTIR 7298r2].
Cyberspace is the interdependent network of IT infrastructure that includes the Internet, telecommunication networks, computer systems, and embedded processors and controllers [NICCS 2016].
As shown above, we found identical definitions in the glossaries [CNSSI 4009] and [NISTIR 7298r2] and a similar definition of cyberspace in the glossary [NICCS 2016]. While these terms are not defined in [ISO/IEC 27000] or [RFC 4949], the International Telecommunication Union approved the overview of cybersecurity described in [ITU‐T 2008], which is not really a concise definition.
In common usage, the term cyberspace also refers to the virtual environment of information and interactions between people [WH 2009]. However, a newer term, cyber ecosystem, encompasses more entities. It is defined as the interconnected information infrastructure of interactions among persons, processes, data, and information and communication technologies, along with the environment and conditions that influence those interactions [NICCS 2016].
2.2.2 Understanding Cybersecurity Terms
Cybersecurity is the ability to protect or defend the use of cyberspace from cyber attacks [CNSSI 4009]. Further, a cybersecurity attack is defined as an attack via cyberspace for the purpose of disrupting, disabling, or destroying a computing environment/infrastructure [CNSSI 4009]. However, this definition excludes physical attacks, unintentional human errors, and natural disasters, which can also disrupt a computing environment/infrastructure. A physical attack may be carried out without using cyberspace and still cause harm to cyberspace. Often two definitions are combined into one. For example, the cybersecurity definition of [CNSSI 4009] is concatenated with another definition (measures taken to protect a computer or computerized system [IT and OT] against unauthorized access or attack) to form the cybersecurity definition provided by the US Department of Energy (DOE) [DOE 2014a].
However, no single definition of cybersecurity is available across the Internet [Franscella 2013]. As pointed out in [Vacca 2012], no formally accepted definition of cybersecurity currently exists. On the choice between cybersecurity and cyber security, the communities agreed on using the single word cybersecurity [Franscella 2013].
Often the term cybersecurity covers all security dimensions, from technology to economic and social, legal, law enforcement, human rights, national security, warfare, international stability, intelligence, and other aspects. The widespread use of this term often masks the broad and complex nature of the subject matter [OECD 2015].
When comparing cybersecurity with information security, some people regard these concepts as overlapping or even as the same thing [ENISA 2015a]. Others view information security as focused on protecting specific individual systems and the information within organizations, while cybersecurity is seen as focused on protecting the infrastructure and networks of critical information infrastructures.
Information security is defined as measures adopted to prevent the unauthorized use, misuse, modification, or denial of use of knowledge, facts, data, or capabilities [Maiwald 2004]. This term is defined in [NISTIR 7298r2] as the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability. Although this definition may seem more focused (it names the security goals of confidentiality, integrity, and availability), it is still incomplete, because protection measures should also provide for non‐repudiation and other attributes of the information.
Although there is neither a universally accepted nor a straightforward definition of cybersecurity or information security [ENISA 2015a], we need to understand the differences among these various definitions and views.
The [OECD 2015] Recommendation introduces the concept of digital security risk (see definition in Appendix A) and rejects the view that it is a category of risk requiring a response fundamentally different in nature from other categories of risk. To that effect, the term cybersecurity and, more generally, the prefix cyber, which helped convey this misleading sense of specificity, do not appear in the Recommendation. Digital security risk is dynamic in nature. It includes aspects related to the digital and physical environments, the people involved in the activity, and the organizational processes supporting it.
The abundance of definitions for security terms results from the various aspects and attributes that an interested party may want to emphasize when defining a concept. Also, many security‐ and privacy‐related concepts and terms evolved as the security paradigms changed over time, particularly in the way IT security was addressed. Appendix A includes a table showing different definitions of common security terms as provided by known standards and glossaries.
This indicates a developing field in which the foundation for defining the basic concepts is still evolving. However, more consistent definitions among related and dependent terms are necessary. An appropriate balance between concise and comprehensive definitions is also needed to promote terms that are useful to users and the general public, not only to security experts and researchers. These terms are needed for communicating, writing, and understanding news and documents dealing with security policies, directives, instructions, and guidance.
Often, the lack of knowledge of the definitions or the lack of unique definitions prompts each industry to define these terms for itself. For example, DOE published a glossary of concepts including a set of cybersecurity terms in [DOE 2014a]. Several terms are taken from other documents, or they are adapted for energy sector use. A problem arises when these dictionaries are not continuously updated: new terms may appear, and some terms may become obsolete or be changed in the referenced glossary. Therefore, one solution is to check both the definitions of these terms and the maintenance status of the glossary they come from. The security team needs to agree on the basic terms to avoid language confusion and to avoid rolling out ambiguous activities.
Since some security terms have no common definition and new updates emerge, we recommend consulting the most current dictionaries of security terms and concepts as defined by known standards organizations such as the International Organization for Standardization (ISO)/IEC, the Internet Engineering Task Force (IETF), and the International Society of Automation (ISA). Often the glossary adopted by an organization may need to be revised. Definitions of related security terms (cybersecurity, threat, vulnerability, asset, countermeasure, exposure, security service, etc.) are also available in published guides maintained by security professionals, such as [Harris 2013] and [Krutz 2004]. Figure 2.11 shows a visual representation of the relationships among different security concepts (terms). Definitions of the terms are provided in [CC 2.3] (see also Appendix A).
Figure 2.11 Security concepts and relationships.
Source: [CC 2.3]. Public Domain.
In addition, security and privacy concepts have to be understood by users, security designers, and managers; otherwise misunderstanding creates