Challenges of information security management in the industrial sector: A systematic review
DOI:
https://doi.org/10.29019/enfoqueute.1152
Keywords:
Industrial control systems, supply chain, cybersecurity, critical infrastructures
Abstract
Currently, in the industrial sector, technology can significantly increase productivity and efficiency. However, this advancement also generates multiple challenges related to information security that must be addressed. This systematic review aimed to analyze these challenges in information security management, focusing on three specific aspects: protection models and methodologies, factors that generate vulnerabilities in industrial control systems (ICS), and cyber risks that affect the supply chain. To this end, 45 articles published in journals indexed in databases such as Scopus, EBSCO and ScienceDirect over the last four years were examined. The results indicate that approaches based on Zero Trust, Shapley Additive Explanations (SHAP), Evolutionary Multi-Objective Optimization (EMO) algorithms, and the use of the Industrial Internet of Things (IIoT) offer greater effectiveness in protecting information. In addition, the following were identified as the main vulnerability factors in ICS: excessive connectivity, the use of obsolete operating systems, uncontrolled physical access, incorrect configurations, poor maintenance, cyberattacks, and human error. With regard to the industrial supply chain, the most relevant risks include successful cyberattacks, ransomware, and industrial espionage. In conclusion, security challenges range from interoperability between systems to a shortage of specialized personnel, requiring continuous monitoring and a multidisciplinary strategic approach.
License
Copyright (c) 2025 The Authors

This work is licensed under a Creative Commons Attribution 4.0 International License.
The authors retain the copyright of their work and grant Enfoque UTE the right to be the first publication of the work.
- The authors retain their trademark and patent rights, as well as rights to any process or procedure described in the article.
- The authors retain the right to share, copy, distribute, perform, and publicly communicate the article published in Enfoque UTE (for example, post it in an institutional repository or publish it in a book), provided that acknowledgment of its initial publication in Enfoque UTE is given.
- The authors retain the right to publish their work at a later date and to use the article or any part of it (for example, in a compilation, lecture notes, a thesis, or a book), provided that they indicate the original source of publication (authors, journal title, volume, issue, and publication date).



