Evaluation and Selection of a Cybersecurity Platform ─ Case of the Power Sector in India

Rakesh Verma; Saroj Koul; Ajaygopal KV

doi:10.31181/dmame712024891

Authors

Rakesh Verma Indian Institute of Management Mumbai, Mumbai, India https://orcid.org/0000-0002-3637-7788
Saroj Koul Jindal Global Business School, OP Jindal Global University, NCR, India https://orcid.org/0000-0002-3051-5625
Ajaygopal KV Indian Institute of Management Mumbai, Mumbai, India https://orcid.org/0000-0002-4119-7458

DOI:

https://doi.org/10.31181/dmame712024891

Keywords:

Critical infrastructure (CI), Cybersecurity platform, Best-worst method, BWM, COBRA, Best-worst method-improved, BWM-I, Power-grid in India

Abstract

Maintaining interconnected infrastructures such as transportation, communication, power grids, and pipeline networks is paramount in emerging economies. One of the critical interruptions is the targeted attacks on the operating cyber-physical systems to disconnect operations, inspection, or monitoring of the system. Therefore, adopting a cybersecurity system (or platform) that provides holistic protection is vital for protecting the integrity of critical infrastructure networks. As such, this research aspires to provide a decision support system for cybersecurity managers or practitioners (in the Indian power sector) to select the best and appropriate platform for protection against cyber-attacks. A three-phase method is adopted. First, a literature search followed by an expert panel discussion identified alternatives (cybersecurity platforms) and selection criteria. Next, a questionnaire was developed. Thirdly, a hybrid Best-Worst Improved and COmprehensive distance-Based RAnking (BWM-I and COBRA) method was proposed and applied to evaluate the cybersecurity platform alternatives. Four alternatives (Cloud-Based Platforms, Web-Based Platforms, Application-Based Platforms, and AI-Based Platforms), six primary criteria, and fifteen unique sub-criteria were identified. Responses were collected from 80 power utility managers on a pan-India basis, ranking "End-to-End Coverage" criteria and the AI-Based platform as best. This approach identified the best cybersecurity platform that, if adopted, can be extended to other critical infrastructures, with an appropriate adjustment in the selection criteria. The study can be helpful to practitioners in evaluating cybersecurity platforms. Furthermore, it addresses a research gap in its application in a developing country like India.

Downloads

Download data is not yet available.

References

Kethineni, S. (2020). Cybercrime in India: Laws, Regulations, and Enforcement Mechanisms. The Palgrave Handbook of International Cybercrime and Cyberdeviance, 305-326. https://doi.org/10.1007/978-3-319-78440-3_7

Govt of India's Information Technology Act 2000 (IT Act 2000) (2000) https://en.wikipedia.org/wiki/ Information_Technology_Act,_2000 Accessed 10 October 2023.

Govt of India's The National Crime Records Bureau (NCRB) (2013) https://ncrb.gov.in/en. Accessed 10 October 2023.

Das, S. (2021, December). Adequacy and Limitations of the Information Technology Act in Addressing Cyber-Security Issues of Indian Power Systems. In 2021 9th IEEE International Conference on Power Systems (ICPS) (pp. 1-6). IEEE. https://doi.org/10.1109/ICPS52420.2021.9670395

Kumar, V. A., Pandey, K. K., & Punia, D. K. (2014). Cyber security threats in the power sector: Need for a domain-specific regulatory framework in India. Energy policy, 65, 126-133. https://doi.org/10.1016/j.enpol.2013.10.025

Govt of India's National Cyber Security Policy (2013). https://en.wikipedia.org/wiki/National_Cyber_Security Policy_2013. Accessed 10 October 2023.

Kumar, G., (2019). Cyber Security System and Policy of India: Challenges and Prospects. Soc. Sci, 6(7), 1937-1943.

Casanovas, M., & Aloys Nghiem, A., (2023 Aug). Cybersecurity – is the power system lagging behind? https://www.iea.org/commentaries/cybersecurity-is-the-power-system-lagging-behind. Accessed 10 October 2023.

CEA (Cyber Security In Power Sector) Guidelines, 2021 (2022). https://npti.gov.in/cea-cyber-security-power-sector-guidelines-2021. Accessed 10 October 2023.

Pingol, E. (2021). India Releases Cybersecurity Guidelines for Power Sector. https://www.trendmicro.com/en_us/research/21/j/india-releases-cybersecurity-guidelines-for-power-sector.html Accessed 11 October 2023.

Palleti, V. R., Adepu, S., Mishra, V. K., & Mathur, A. (2021). Cascading effects of cyber-attacks on interconnected critical infrastructure. Cybersecurity, 4(1), 1-19. https://doi.org/10.1186/s42400-021-00071-z

Eduard Kovacs (2022, Nov). Cyberattack Causes Trains to Stop in Denmark. https://www.securityweek.com /cyberattack-causes-trains-stop-denmark. Accessed: 6 October 2023.

Rinaldi, S. M., Peerenboom, J. P., & Kelly, T. K. (2001). Identifying, understanding, and analysing critical infrastructure interdependencies. IEEE control systems magazine, 21(6),11-25. https://doi.org/10.1109/37.969131

Perwej, Y., Abbas, S. Q., Dixit, J. P., Akhtar, N., & Jaiswal, A. K. (2021). A systematic literature review on the cyber security. International Journal of scientific research and management, 9(12), 669-710. https://doi.org/10.18535/ijsrm/v9i12.ec04

Corallo, A., Lazoi, M., & Lezzi, M. (2020). Cybersecurity in the context of industry 4.0: A structured classification of critical assets and business impacts. Computers in Industry, 114, 103165. https://doi.org/10.1016/j.compind.2019.103165

Alp, Ö. (2018). Cybersecurity in Smart City. M. Sc. Thesis. İstanbul Bilgi University, Social Sciences Institute, İstanbul.

Enayaty-Ahangar, F., Albert, L. A., & DuBois, E. (2020). A survey of optimisation models and methods for cyberinfrastructure security. IISE Transactions, 53(2), 182-198. https://doi.org/10.1080/24725854.2020.1781306

Lopez, M. A., Lombardo, J. M., López, M., Alba, C. M., Velasco, S., Braojos, M. A., & Fuentes-García, M. (2020). Intelligent detection and recovery from cyberattacks for small and medium-sized enterprises. https://doi.org/10.9781/ijimai.2020.08.003

Nayyar, S. (2022). What to look for in Machine Learning for Cybersecurity Solutions? https://www.forbes.com/sites/forbestechcouncil/2022/07/14/what-to-look-for-in-machine-learning-for-cyber security-solutions/?sh=d6129f1b21e5. Accessed 28 October 2023.

Arce, D. G. (2020). Cybersecurity and platform competition in the Cloud. Computers & Security, 93, 101774. https://doi.org/10.1016/j.cose.2020.101774

Sterlini, P., Massacci, F., Kadenko, N., Fiebig, T., & van Eeten, M. (2019). Governance challenges for European cybersecurity policies: Stakeholder views. IEEE Security & Privacy, 18(1), 46-54. https://doi.org/10.1109/MSEC.2019.2945309

Dawson, M. (2018). Applying a holistic cybersecurity framework for global IT organisations. Business Information Review, 35(2), 60-67. https://doi.org/10.1177/0266382118773624

Van Kranenburg, R., and Le Gars, G. (2021). The cybersecurity aspects of new entities need a cybernetic, holistic perspective. International Journal of Cyber Forensics and Advanced Threat Investigations, 2(1), 63-68. https://doi.org/10.46386/ijcfati.v2i1.36

Yohanandhan, R. V., Elavarasan, R. M., Pugazhendhi, R., Premkumar, M., Mihet-Popa, L., & Terzija, V. (2021). A holistic review on Cyber-Physical Power System (CPPS) testbeds for secure and sustainable electric power grid–Part–II: Classification, overview and assessment of CPPS testbeds. International Journal of Electrical Power & Energy Systems, 107721. https://doi.org/10.1016/j.ijepes.2021.107721

Ullah, F., Naeem, H., Jabbar, S., Khalid, S., Latif, M. A., Al-Turjman, F., & Mostarda, L. (2019). Cyber security threats detection in the Internet of Things using deep learning approach. IEEE Access, 7, 124379-124389. https://doi.org/10.1109/ACCESS.2019.2937326

Atat, R., Liu, L., Wu, J., Li, G., Ye, C., Yang, Y. (2018). Big data meet cyber-physical systems: A panoramic survey. IEEE Access, 6, 73603-73636. https://doi.org/10.1109/ACCESS.2018.2878681

Alamleh, A., Albahri, O. S., Zaidan, A. A., Alamoodi, A. H., Albahri, A. S., Zaidan, B. B., ... & Al-Samarraay, M. S. (2022). Multi-attribute Decision-Making for Intrusion Detection Systems: A Systematic Review. International Journal of Information Technology & Decision Making, 1-48. https://doi.org/10.1142/S021962202230004X

Norem, S., Rice, A.E., Erwin, S., Bridges, R.A., Oesch, S., Weber, B. (2022). A Mathematical Framework for Evaluation of SOAR Tools with Limited Survey Data. In: Computer Security. ESORICS 2021 International Workshops. ESORICS 2021. Lecture Notes in Computer Science, 13106. Springer, Cham. https://doi.org/10.1007/978-3-030-95484-0_32

Agrawal, A., Deep, V., Sharma, P., Mishra, S. (2021). Review of Cybersecurity Post-COVID-19. In: Kumar, N., Tibor, S., Sindhwani, R., Lee, J., Srivastava, P. (eds) Advances in Interdisciplinary Engineering. Lecture Notes in Mechanical Engineering. Springer, Singapore. https://doi.org/10.1007/978-981-15-9956-9_75

Cascavilla, G., Tamburri, D. A., & Van Den Heuvel, W. J. (2021). Cybercrime threat intelligence: A systematic multi-vocal literature review. Computers & Security, 105, 102258. https://doi.org/10.1016/j.cose.2021.102258

Nugraha, I. P. E. D. (2021). A review of the role of modern SOC in cybersecurity operations. Int. J. Current Sci. Res. Rev., 4(5), 408-414. https://doi.org/10.47191/ijcsrr/V4-i5-13

Skoumperdis, M., Vakakis, N., Diamantaki, M., Medentzidis, C. R., Karanassos, D., Ioannidis, D., & Tzovaras, D. (2023). A Novel Self-learning Cybersecurity System for Smart Grids. In Power Systems Cybersecurity: Methods, Concepts, and Best Practices (pp. 337-362). Cham: Springer International Publishing. https://doi.org/10.1007/978-3-031-20360-2_14

Gilchrist, A. (2016). Industry 4.0: the industrial Internet of things. Apress. Bangken, Nonthaburi, Thailand.

Atoum, I., & Otoom, A. (2017). A classification scheme for cybersecurity models. International Journal of Security and Its Application, 11(1), 109-120. https://doi.org/10.14257/ijsia.2017.11.1.10

Jansen, C., & Jeschke, S. (2018). Mitigating risks of digitalisation through managed industrial security services. AI & Society, 33(2), 163-173. https://doi.org/10.1007/s00146-018-0812-1

Lezzi, M., Lazoi, M., & Corallo, A. (2018). Cybersecurity for Industry 4.0 in the current literature: A reference framework. Computers in Industry, 103, 97-110. https://doi.org/10.1016/j.compind.2018.09.004

Flatt, H., Schriegel, S., Jasperneite, J., Trsek, H., & Adamczyk, H. (2016, September). Analysis of the Cyber-Security of industry 4.0 technologies based on RAMI 4.0 and identification of requirements. In 2016 IEEE 21st International Conference on Emerging Technologies and Factory Automation (ETFA) (pp. 1-4). IEEE. https://doi.org/10.1109/ETFA.2016.7733634

Januário, F., Carvalho, C., Cardoso, A., & Gil, P. (2016, October). Security challenges in SCADA systems over Wireless Sensor and Actuator Networks. In 2016 8th International Congress on Ultra Modern Telecommunications and Control Systems and Workshops (ICUMT) (pp. 363-368). IEEE. https://doi.org/10.1109/ICUMT.2016.7765386

He, H., Maple, C., Watson, T., Tiwari, A., Mehnen, J., Jin, Y., & Gabrys, B. (2016, July). The security challenges in the IoT enabled cyber-physical systems and opacities for evolutionary computing & other computational intelligence. In 2016 IEEE congress on evolutionary computation (CEC) (pp. 1015-1021). IEEE. https://doi.org/10.1109/CEC.2016.7743900

Corbò, G., Foglietta, C., Palazzo, C., & Panzieri, S. (2018). Smart behavioural filter for industrial Internet of things. Mobile Networks and Applications, 23(4), 809-816. https://doi.org/10.1007/s11036-017-0882-1

Jansen, C. (2017). Stabilising the industrial system: Managed security services' contribution to cyber-peace. IFAC-PapersOnLine, 50(1), 5155-5160. https://doi.org/10.1016/j.ifacol.2017.08.786

Ren, A., Wu, D., Zhang, W., Terpenny, J., & Liu, P. (2017). Cyber security in smart manufacturing: Survey and challenges. In IIE Annual Conference. Proceedings (pp. 716-721). Institute of Industrial and Systems Engineers (IISE).

Guo, S., & Zhao, H. (2017). Fuzzy best-worst multi-criteria decision-making method and its applications. Knowledge-Based Systems, 121, 23-31. https://doi.org/10.1016/j.knosys.2017.01.010

Rezaei, J. (2016). Best-worst multi-criteria decision-making method: Some properties and a linear model. Omega, 64, 126-130. https://doi.org/10.1016/j.omega.2015.12.001

Liu, S., Chan, F. T., & Ran, W. (2016). Decision-making for the selection of cloud vendor: An improved approach under group decision-making with integrated weights and objective/subjective attributes. Expert Systems with Applications, 55, 37-47. https://doi.org/10.1016/j.eswa.2016.01.059

Mohammadi, M., & Rezaei, J. (2023). Ratio product model: A rank‐preserving normalisation-agnostic multi‐criteria decision‐making method. Journal of Multi‐Criteria Decision Analysis. https://doi.org/10.1002/mcda.1806

Saaty, T.L. (1980), The Analytical Hierarchy Process, McGraw-Hill, New York, NY. https://doi.org/10.21236/ADA214804

Saaty, T. L. (2004). Fundamentals of the analytic network process—Dependence and feedback in decision-making with a single network. Journal of Systems science and Systems engineering, 13, 129-157. https://doi.org/10.1007/s11518-006-0158-y

Emrouznejad, A., & Marra, M. (2017). The state of the art development of AHP (1979-2017): A literature review with a social network analysis. International journal of production research, 55(22), 6653-6675. https://doi.org/10. 1080/00207543.2017.1334976

Ameli, M., Esfandabadi, Z.S., Sadeghi, S., Ranjbari, M., Zanetti, M. C. (2023). COVID-19 and Sustainable Development Goals (SDGs): Scenario analysis through fuzzy cognitive map modeling. Gondwana Research, 114, 138-155. https://doi.org/10.1016/j.gr.2021.12.014

Yazdani, M., Pamucar, D., Erdmann, A., & Toro-Dupouy, L. (2023). Resilient, sustainable investment in digital education technology: A stakeholder-centric decision support model under uncertainty. Technological Forecasting and Social Change, 188, 122282. https://doi.org/10.1016/j.techfore.2022.122282

Deveci, M., Pamucar, D., Gokasar, I., Delen, D., Wu, Q., & Simic, V. (2022). An analytics approach to decision alternative prioritisation for zero-emission zone logistics. Journal of Business Research, 146, 554-570. https://doi.org/10.1016/j.jbusres.2022.03.059

Mou, Q., Xu, Z., & Liao, H. (2016). An intuitionistic fuzzy multiplicative best-worst method for multi-criteria group decision-making. Information Sciences, 374, 224-239. https://doi.org/10.1016/j.ins.2016.08.074

Gupta, P., Anand, S., & Gupta, H. (2017). Developing a roadmap to overcome barriers to energy efficiency in buildings using best worst method. Sustainable Cities and Society, 31, 244-259. https://doi.org/10.1016/j.scs.2017.02.005

Pamučar, D., Stević, Ž., & Sremac, S. (2018). A new model for determining weight coefficients of criteria in MCDM models: Full consistency method (FUCOM). Symmetry, 10(9), 393. https://doi.org/10.3390/sym10090393

Wang, P., Wang, J., Wei, G., Wei, C., & Wei, Y. (2019). The multi-attributive border approximation area comparison (MABAC) for multiple attribute group decision making under 2-tuple linguistic neutrosophic environment. Informatica, 30(4), 799-818. https://doi.org/10.15388/Informatica.2019.230

Hansen, P., & Ombler, F. (2008). A new method for scoring additive multi‐attribute value models using pairwise rankings of alternatives. Journal of Multi‐Criteria Decision Analysis, 15(3‐4), 87-107. https://doi.org/10.1002 /mcda.428

Badi, I., & Ballem, M. (2018). Supplier selection using the rough BWM-MAIRCA model: A case study in pharmaceutical supplying in Libya. Decision Making: Applications in Management and Engineering, 1(2), 16-33. https://doi.org/10.31181/dmame1802016b

Zhou, Y., Zheng, C., Zhou, L., & Chen, H. (2023). Selection of a solar water heater for large-scale group decision-making with hesitant fuzzy linguistic preference relations based on the best-worst method. Applied Intelligence, 53(4), 4462-4482. https://doi.org/10.1007/s10489-022-03688-w

Krstić, M., Agnusdei, G. P., Miglietta, P. P., Tadić, S., & Roso, V. (2022). Applicability of Industry 4.0 Technologies in the Reverse Logistics: A Circular Economy Approach Based on COmprehensive Distance Based RAnking (COBRA) Method. Sustainability, 14(9), 5632. https://doi.org/10.3390/su14095632

Department of Defense Chief Information Officer (2021). Cybersecurity Resource and Reference Guide. https://dodcio.defense.gov/Portals/0/Documents/Library/CSResourceReferenceGuide.pdf. Accessed 27 May 2023.

Department of Defense Chief Information Officer (2022). Department of Defense Zero Trust Reference Architecture. https://dodcio.defense.gov/Portals/0/Documents/Library/(U)ZT_RA_v2.0(U)_Sep22.pdf. Accessed 28 April 2023.

Cybersecurity and Infrastructure Security Agency. (2021). Commercial Facilities Sector: Cybersecurity Framework Implementation Guidance. https://www.cisa.gov/sites/default/files/publications/ Commercial_Facilities_Sector_ Cybersecurity_Framework_Implementation_Guidance_FINAL_508.pdf. Accessed 27 April 2023.

Center for Internet Security (CIS) (2023). Vendor Selection Criteria. https://www.cisecurity.org/services /cis-cybermarket/vendor-information/selection-criteria. Accessed 26 April 2023.

Cybersecurity and Infrastructure Security Agency. (2023). Guide to Getting Started with a Cybersecurity Risk Assessment. https://www.cisa.gov/sites/default/files/2023-02/22_1201_safecom_guide_to_cyber security _risk_assessment_508-r1.pdf Accessed 27 April 2023.

U.S. Office of Personnel Management. (2018). Interpretive Guidance for Cybersecurity Positions. https://www.opm.gov/policy-data-oversight/classification-qualifications/reference-materials/interpretive-guidance-for-cybersecurity-positions.pdf. Accessed 5 January 2023.

Taherdoost, H. (2019). What is the best response scale for survey and questionnaire design; review of different lengths of rating scale/attitude scale/Likert scale. Hamed Taherdoost, 1-10.

Likert, R. (1932). A technique for the measurement of attitudes. Archives of psychology, 140, 5-53.

Petrudi, S. H. H., Ghomi, H., & Mazaheriasad, M. (2022). An Integrated Fuzzy Delphi and Best Worst Method (BWM) for performance measurement in higher education. Decision Analytics Journal, 4, 100121. https://doi.org/10.1016/j.dajour.2022.100121

Khan, S. A., Gupta, H., Gunasekaran, A., Mubarik, M. S., & Lawal, J. (2023). A hybrid multi‐criteria decision‐making approach to evaluate interrelationships and impacts of supply chain performance factors on pharmaceutical industry. Journal of Multi‐Criteria Decision Analysis, 30(1-2), 62-90. https://doi.org/10.1002/mcda.1800

Wind, Y., & Saaty, T. L. (1980). Marketing applications of the analytic hierarchy process. Management Science, 26(7), 641-658. https://doi.org/10.1287/mnsc.26.7.641

Pamučar, D., Ecer, F., Cirovic, G., & Arlasheedi, M. A. (2020). Application of improved best worst method (BWM) in real-world problems. Mathematics, 8(8), 1342. https://doi.org/10.3390/math8081342

Lai, L. L., Zhang, H. T., Lai, C. S., Xu, F. Y., & Mishra, S. (2013, July). Investigation on july 2012 indian blackout. In 2013 International Conference on Machine Learning and Cybernetics (Vol. 1, pp. 92-97). IEEE. DOI: 10.1109/ICMLC.2013.6890450 https://doi.org/10.1109/ICMLC.2013.6890450

Boeding, M., Boswell, K., Hempel, M., Sharif, H., Lopez Jr, J., & Perumalla, K. (2022). Survey of Cybersecurity Governance, Threats, and Countermeasures for the Power Grid. Energies, 15(22), 8692. https://doi.org/10.3390/en15228692

ur Rehman, O., Ali, Y., & Sabir, M. (2022). Risk assessment and mitigation for electric power sectors: A developing country's perspective. International Journal of Critical Infrastructure Protection, 36, 100507. https://doi.org/10.1016/j.ijcip.2021.100507

Jarmakiewicz, J., Parobczak, K., & Maślanka, K. (2017). Cybersecurity protection for power grid control infrastructures. International Journal of Critical Infrastructure Protection, 18, 20-33. https://doi.org/10.1016/j.ijcip.2017.07.002

Randall, R. G., & Allen, S. (2021). Cybersecurity professionals information sharing sources and networks in the US electrical power industry. International Journal of Critical Infrastructure Protection, 34, 100454. https://doi.org/10.1016/j.ijcip.2021.100454

Stouffer, K., Falco, J., & Scarfone, K. (2011). Guide to industrial control systems (ICS) security. NIST special publication, 800(82), 1-16.

Butwall, M., Ranka, P., & Shah, S. (2019). Python in the field of data science: a review. International Journal of Computer Applications, 178(49), 20-24. https://doi.org/10.5120/ijca2019919404

Wirkuttis, N., & Klein, H. (2017). Artificial intelligence in cybersecurity. Cyber, Intelligence, and Security, 1(1), 103-119.

Atkinson, J., Miorelli, S., & Ljungmark, C. (2022, April). Benefits of AI-Based Cybersecurity Tools for De-Manning Existing Offshore Platforms. In Offshore Technology Conference. OnePetro. https://doi.org/10.4043/31766-MS

Dash, B., Ansari, M. F., Sharma, P., & Ali, A. (2022). Threats and Opportunities with AI-based Cyber Security Intrusion Detection: A Review. International Journal of Software Engineering & Applications (IJSEA), 13(5). https://doi.org/10.5121/ijsea.2022.13502

Leszczyna, R., & Leszczyna, R. (2019). Cost of cybersecurity management. Cybersecurity in the Electricity Sector: Managing Critical Infrastructure, 127-147. https://doi.org/10.1007/978-3-030-19538-0_5