Investment Priority Analysis of ICS Information Security Resources in Smart Mobile IoT Network Environment Using the Analytic Hierarchy Process

Abstract

The industrial control system (ICS) inherits the attributes of the traditional information system, but because it has its own characteristics that availability of triad (CIA) of information security should be a top priority, it needs to be set differently from the traditional information security requirements. In response to the issue, TTAK.KO-12.0307 (Standard for Industrial Control System Information Security Requirements) proposed by the National Security Research Institute (NSRI) and established by the Telecommunications Technology Association (TTA) is being used. However, it is difficult to apply security requirements of TTAK.KO-12.0307 uniformly because of the reason that the characteristics of the ICS in each layer are different. There is also a limit to invest the security resources with equivalent priority for all requirements and ICS layers. It is still unresolved in the previous research studies which are related to information security resources, for example, Choi (2013), Ko et al. (2013), and Nah et al.'s (2016) studies. Therefore, this study tried to focus on what a top priority of information security requirements by the ICS in each layer is, using the analytic hierarchy process. As a result, we derived that the top priority requirement in the operation layer is "Identification Authentication Access Control," in the control layer is "Event Response," and in the field device layer is "Physical Interface Protection" with the highest importance. The results of this study can be utilized as a guideline for the security strategy and policy design by determining security requirements that should be prioritized in each layer of the ICS.