Overview of Prioritization Model for National Critical Sectors Protection

ABSTRACT

The national critical sectors are an important sector that should be paramount in maintaining the state security when a cybersecurity incident occurs. The national critical sectors aim to secure facilities, networks, information and physical assets. Protection against national criticality involves protection of both physical and cyber components, where a cyber protection plan must be included in the national defense strategy. This article aims to propose a design of prioritizing models for early detection of cyber incidents as part of managing the incident and protecting the national critical sector.

1. INTRODUCTION

Cyber-attacks or other undesirable cybersecurity incidents can cause disruption to our daily life. The impact of cybersecurity is one of the challenges in public life and even a challenge for the national defense of a state or country, thus it is required to have a cybersecurity strategy to be part of a protection plan program [1] to protect the national assets.

Since World War II, safeguarding national resources and assets have become part of national defense planning. Along with cyberspace development, the national defense's perception has begun to pay attention to securing information and physical-based facilities, networks, and assets [2]. Regner et al. stated that a country must define priorities, objectives, goals, and scope which cover cyberspace, cyber governance, cyber defense, cybersecurity, and cybercrime when designing a national strategy [3].

Important components related to this domain are cyber policy and cyber governance- thatuseful as national instruments to regulate and protect cyberspace. One of the regulations, which is noteworthy as national defense, defines critical sectors that become the most priority.

The definition of critical sectors are a sector group that must be protected as a top priority when an incident occurs because its impact can lead to the collapse of a country. Critical sectors are sectors that have not only strategic infrastructure but also strategic information.

Therefore, it is important to focus on proactive steps to build the resilience ofindividuals, organizations, and countries against security threats such as cybersecurity capacity. One focus area is incident management and response, scoping on responding to the security incident and protecting infrastructure [4]. Enisa [5] stated that the national cybersecurity agencies, who have led the role of protection cybersecurity needed to the critical sectors (they have called it critical infrastructure), aim to provide the support for automated-prioritized handling of incidents affecting. So, the incidents that involve critical network assets are notified automatically, and the handling is prioritized.

Related to the protection infrastructure, NIST develops a framework to identify prioritized, flexible, repeatable, performance- based, and cost-effective approaches, including information security measures and controls. It can be adopted by other organizations [6]. One of the core frameworks is "detect", which makes it possible to indicate events that threaten cybersecurity. Examples of implementation within this function include Anomalies and Events; Security Monitoring; and Detection Processes.

Among the incredible number of events detected by detection tools like security monitoring, the handle response is considered the Service Level Agreement (SLA) management and security management. From a business perspective, the SLA aims to offer agreement between the users and the Service Provider, and it is to establish what is effectively granted in terms of quality [6]. From a defense perspective, SLA means the severity level of response prioritizing incidents that occurred.

The relationship between the national defense strategy in protecting critical sectors with response prioritizing incidents is how to design plans and programs specially made to protect the national critical sector security. A comprehensive design is needed to secure the critical sectors from a cyber perspective.

2. RELATED WORK

In [7], the authors have proposed SLA Mapping to be one part of the design SLA based on workflow management on intrusion tolerance with case cloud computing service. Jusas et al. [8] have proposed a logical filter to attack detection. They have said that the general classification of cyber-attacks includes the stage of the cyber kill chain, type attack, and target attack (object groups, state institutions, economic branches, social, etc.). So, prioritizing an incident must pay attention to them, and the variable related to national cyber defense is the targeted attack. Spring et al. [9] have proposed prioritizing vulnerability response specific to vulnerability categorization that occurs to stakeholders. The national sector's diversity must accommodate the primary function of handling rather than being included in optional features that are difficult to use.

In [10] [11], they have proposed a method to define an alert intrusion detection system's response as severity level selected, which focuses on target anomaly. It gives specific results for each event category when describing suspicious activities one type of suspicious event.

Bernieri et al. [12] have researched decision making methods on intrusion detection as protection tools of critical infrastructure. The method used is based on Analytic Hierarchy Process (AHP). Their experiment identified the highlight of the methodology that they have designed for the decision support.

Wang et al. [13] have proposed risk decision-making theory to prioritize incidents by minimizing the sum of business losses and risks. Imamverdiyev [14], Al-Subhi [15], and Berinjan [16] used Fuzzy decision making to prioritize the incident, but without specific indicators. Another research was conducted by Dileep Kumar Singh [17]. He has implemented multicultural decision making using the ELECTRE method. Research on the priority of incidents was also carried out by Renners et al. since 2017 [18].

They determine priority incidents by prioritizing rules with a tree model. In 2019, Renners et al. [19] modelled priority incidents by determining policies that have set rules and derived attributes; this policy is based on adaptive learning. Adaptive learning is used to enable an analyst to formulate feedback on incident responses. In [20] [21], Anuar et al have proposed incident prioritization using the Analytic Hierarchy Process (AHP) method and Risk Index Model. Furthermore, they have made detailed indicators that must be considered in determining priority incidents.

3. PROPOSED APPROACH

Our approach's baseline is first to find a prioritization mechanism for the security monitoring setup that has been researched by the researcher. It will give insights into the expected efficiency of proposed strategies to set up security monitoring. We could propose a design for automatically computing the prioritized result out of SLA mapping from these insights. The proposed prioritization model is illustrated in Fig. 1.

The first focus study defines severity by calculating features for indicator needed, which it could be customized on the feature of security monitoring. The next stage, mapping the sectors, which is defined as the national critical sectors. Then, the decision-making method needs research in-depth applicable to the real environment.

Fig. 1. Prioritization Model

1. Security Monitoring

The security monitoring system is a system used to secure infrastructure, usually using an intrusion detection system. The security monitoring system provides information in the form of logs and activities that occur on the network. Several security monitoring systems offer the anomaly category that an anomaly occurs, and the SLA system is automatically generated.

2. Defining Features Score

The next phase is defining the severity score by calculating features. This method was adopted from a previous research [10], which used this stage to get the score of each variable generated by the monitoring system's features by calculating the features into a formula to determine the response based on the average feature score. Every feature has a type of indicator which is defined by review of some research. In addition, these indicators are classified into 2 types- urgent and critical- which are displayed in TABLE 1 and it is illustrated in

Fig. 2. Each indicator will be calculated by the appropriate formula.

TABLE 1. Indicator Classification

The critical type refers to a comparative state in which one incident is very important because of impacts are the three main attributes that are common in security, such as confidentiality, integrity, and availability (CIA). The Urgent type refers to circumstances where one incident requires a quick response compared to other incidents based on the possibility of threats and vulnerabilities.

Research and experiment have been done for this phase. It shows that the priority setting phase produces more detailed information in defining if the same event is a priority or not due to different feature scores. Priority responses given can differ depending on the most impact on the network so that it is quite sufficient to be applied with the response model.

3. SLA Mapping

The SLA Mapping is a service level agreement that is defining as important and prioritizing the critical sectors. The intension of protecting among the national defense by secure the government's critical sectors is defined. Those sectors list could be

4. Decision-Making Method

The next process is the decision- making method as an algorithm or science method to give a decisive response. The method uses a decision-making algorithm because it does not need a learning process by training data. And lastly, after all the processes above, the result is a response selected as a service level handling incident. So, the incident handler can choose which the incident must be responded.

5. Discussion and Limitation

Each phase of prioritizing design to determine the service level agreement's response is important to determine effectiveness in analyzing a suspicious anomaly found in the monitoring system. Effective incident management provides benefits that allow an incident to be handled quickly under the appropriate time frame and handling process before the incident has a more significant impact. In this way, we can minimize the target's impact, especially national critical sectors, with good management visibility.

The proposed approach's focus is the design to determine the priority response of service level agreement, where the priority response is one of the incident management processes, triage incident. Although during our study, it did not evaluate all stages of the proposed design. However, theoretically and technically, it can be applied to the real environment.

Based on our experiment with sample IDS data attack, it shows that the SLA Mapping is able to prioritize incidents with regard to the impact of the most dangerous intrusion by considering the critical sectors even though the same intrusion occurred in some targets.

4. CONCLUSION AND FUTURE WORK

Prioritizing response service level agreement on the national critical sectors is very important as a national defense firm. The proposed system design is a design based on an analysis of several related works' protection needs and national security. Even though the design experiment has not been entirely carried out, it is hoped that the proposed design could be an alternative in determining security monitoring priorities effectively and on target.

Further research is still required as an in-depth analysis of the specific method used, in terms of the appropriate decision-making method to be implemented in the real security monitoring system.

----------------------------------------------------

Ariani1 and Muhammad Salman2

1,2Electrical Engineering, Universitas Indonesia, Depok, Indonesia

1arianitkj2@gmail.com, 2muhammad.salman@ui.ac.id

5. REFERENCES

1. D. Snyder, J. D. Powers, E. Bodine- Baron, B. Fox, L. Kendrick and M. H. Powell, "Findings and Recommendations," in Improving the Cybersecurity of U.S. Air Force Military Systems Throughout Their Life Cycles, RAND Corporation, p. 42, 2015.
   
   
2. E. NICKOLOV, "Critical Information Infrastructure Protection: Analysis, Evaluation And Expectations," Information & Security, An International Journal, vol. 17, pp. 105-119, 2005.