Article
Peer-Review Record

Cyber Threat Actors for the Factory of the Future

Appl. Sci. 2020, 10(12), 4334; https://doi.org/10.3390/app10124334
by Mirko Sailio 1,*, Outi-Marja Latvala 1 and Alexander Szanto 2
Reviewer 1: Anonymous
Reviewer 2: Anonymous
Reviewer 3:
Submission received: 30 April 2020 / Revised: 4 June 2020 / Accepted: 17 June 2020 / Published: 24 June 2020
(This article belongs to the Special Issue Cyber Factories – Intelligent and Secure Factories of the Future)

Round 1

Reviewer 1 Report

The authors present a survey on threats for industry/factory environments. The study is based on the analysis of several papers and documentation from expert organizations, industry, and national/international organizations.

In general, the paper is well written and well organized. It is easy to follow. The authors have made an effort to compile much information from dispersed (but important) reports dealing with cybersecurity threats other than merely software ones.

Sections 2 and 3 are well described. In section 4, the authors propose a definition for the Factory of the Future. However, there are many contributions in the related literature addressing the challenges for Industry 4.0, which is an equivalent term. Particularly, there are many scientific works addressing cybersecurity in Industry 4.0. I suggest the authors include this term and specify the differences between FoF and Industry 4.0 (if any). We do not need to create new terms if these are not necessary; by not doing so, we help readers understand the paper.

In addition, the properties collaboration, network connectivity, intelligence, and automation are so closely related to each other that it does not seem realistic to limit the relationship among them and the threat actors. For instance, why will a partner not use network connectivity in cyber attacks? In my opinion, section 4.2 is not objective. Maybe authors could include some data of past attacks so that their proposal is not based strongly on assumptions. In Table 2, what do the values mean? In the text it says "The table shows an estimate of the most likely feature of the FoF to be affected by this kind of threat and is ordered so that the most often detected threat is on the top." How is this estimation calculated?

In section 5, it will depend on the organization/industry/expert mission whether or not to include different cyber threats in their reports. In addition, information about industrial espionage will likely remain private (for their own economic reasons). So, conclusions about mismatching should be drawn carefully. Sections 5.1 and 5.2 are interesting.

There are some minor spelling and grammar mistakes.


Author Response

We included an Industry 4.0 description, and described how FoF differs (slightly) from I4.0. The term FoF was selected to be used in the paper due to grant considerations.

FoF characteristics (collaboration, network connectivity, intelligence and flexible automation) were defined better, as was their use as tools for considering CTAs. Additionally, they are not meant to cover all aspects of FoF; this was also made clearer. Section 4.2, especially Table 2, was made clearer, and the origin of the data for the table was made more explicit.

More care was added when discussing conclusions.

Thank you for your excellent feedback.


Reviewer 2 Report

The identification of Cyber Threat Actors in section 2 is based on relevant sources and the obtained results are credible. 

The methodology adopted in Section 3 to classify the CTAs is straightforward and the description of their profiles is an interesting read. 

Section 4 directly supports the paper title. We may admit that 3 out of 4 FoF components identified as providing most possibilities for threat actors are common to many other IT emancipated/intensive organizations. The flexible automation is really specific and it should have been analyzed in more detail, in my opinion. Flexible automation is an umbrella concept, but if we address more concrete technical fields such as Supervisory Control and Data Acquisition Systems (SCADA) or Cyber-Physical Systems there are many references about specific cyber threat analysis. As a recent example, the paper https://doi.org/10.1007/s11227-019-03028-9 presents a CSA analysis in the case of CPS based on the VERIS Community Database of cybersecurity incidents. An interesting output of this is that overall the number of internal actors and the number of external actors are roughly equal.

I suggest the authors assess the possibility of elaborating a bit on the flexible automation component.

In particular, in Table 2 it is not clear why the threat assessment operates only with 1 and 0.5 values.

Other comments:

- in the text, reference numbers placed in square brackets should be inserted before the punctuation (dot or comma), not after;

- the reference style should be checked: the publication year shouldn't be placed after the authors' names, the title shouldn't be enclosed in quotation marks, but the DOI should be included where available;

- if I am not wrong, references [61] and [62] are not cited in the text. 

Author Response

Flexible automation was described with some more depth.

Table 2 and its explanations were edited to better show the origins of the data, and how the numerical values were decided.

More care was taken with referencing and reference form.

Thank you for your excellent feedback.

Reviewer 3 Report

Recommendations/Notes:

  • I would advise to avoid strong statements like "FoF are designed without full understanding of their technical (security) nature.".
  • I do not agree that risk assessment (RA) is a tool for reaching maturity level of security. RA just helps to identify risk and support the decision making process.
  • CTA is defined by many standards. NIST for example has the methodological approach to identify actors based on CTI, TIT and TTPs.
  • Correct small typos such as "Threat...security.[1] This"
  • The methodological approach is not correct, i.e., the review for NIST is based on one paper, NIST SP 800-82r2 from 5/2015. NIST already has many different strategic and technical papers which focus on OT/ICS security as well as threat identification, including the TA (i.e., 800-30r1, 800-150, 1800-23 and many other publications). Therefore, a lot of strategic documents are missing which should be considered in such a review/survey.
  • I also do not totally understand the separation of hacktivist, hacker, terrorist, cyber criminal ... the terminology is mixed over the paper. There is "hacker" - white, grey, or black. Hacktivism falls into the "grey" category. If we are speaking about the cyber-space then I would use the same terms for "cyber-criminal" (falls in the blackhat category) and "cyber-terrorist" (also falls in blackhat in most cases). Thus I would use "cyber terrorist" and "cyber criminal" ... not just "terrorist" as it refers to the wider group of people (not only in the cyber space). Fig. 1 should probably be "actor" vs "motivation". However, I do not fully understand the combination "nation-state - nation-state", shouldn't it be "political"? Last but not least, "malicious actors" contains (based on the general definition) all the actors which conduct malicious actions (thus all the previous categories).
  • Fig. 3 does not include all the actors such as thrill seekers, etc. I do not agree that "thrill seekers" are a small threat to FoF; I do not get where this statement comes from, but many of the biggest malicious actions in history were made just by thrill seekers, including Kevin Mitnick, c0mrade (Jonathan James), Solo (Gary McKinnon), etc.
  • The Tab. 2 methodology is not clear. There is no evidence given, no mathematical model, thus this is just a qualitative (opinion) based assessment, without added higher scientific value. Moreover, the category "malware" includes ransomware and other "MALicious softWARE" (it is the same as comparing whether operational technology is more often used than the Modbus protocol).

Author Response

Strong statements, especially those outside discussion were tuned down.


We changed the part with -risk assessment required for mature cyber security- to -mature cyber security management-. The "authors" had forgotten to include the "management" word. :)


On the reviewer's comment: "CTA is defined by many standards. NIST for example has the methodological approach to identify actors based on CTI, TIT and TTPs."
The authors partly disagreed, on the basis of:

  1. being unable to find the mentioned NIST methodological approaches to CTA identification.
  2. Definitions of CTA were vague e.g. (NIST-800-150-2dr): "An individual or a group posing a threat." and (ISO27001): "Threats are the actors (insiders and outsiders) and natural events that might cause incidents if they acted on vulnerabilities causing impacts;"

In our view the statement on the lack of consensus on CTAs stands true, especially when considering the reports the paper analysed. The statement was however softened, as for example NIST is very consistent in their use of terms.


Analysis of NIST publications was widened. Especially helpful was the addition of 800-30 to the analysis. The publications selected for the paper were the most meaningful from the FoF point of view. Many other reports and guidelines were analysed, but as they did not offer novel CTAs they were not mentioned.
The text was changed to better reflect this.

On the understandability of different actors:
Section 2 of the paper reported the CTAs as the reports found them, or interpreted them to be similar (e.g. cyber criminal and organised crime were just "cyber criminals" in the table).
Section 3 then clarified the CTAs into defined classes.
The paper does not go deeply into the hat colour of the CTAs, as in the authors' opinion, from a risk analysis point of view, grey and white hatters are not threat actors. Only when they do "black hat" stuff are they CTAs.
Figure 1 is only a graphical presentation of which "report actors" (actors found in the reports) are combined into which "defined actor classes" (our CTAs).
Malicious actors do not give any new classification power, as from a risk analysis point of view all intentional threat actors are "malicious actors".
The text was edited to be clearer on this.

Figure 3 was modified to be easier to read.
Additional data on thrill seekers was added, and justification that other threat actors have eclipsed the formerly significant actors. While "unicorn" hackers will probably someday shake the cyber world again, the constant barrage of cyber criminals and nation state actors dwarfs their significance, especially when thinking of risk analysis. The text was changed to reflect this better.

Table 2 was edited and the origins of its content were explained more explicitly. Table 2 categories were taken as such from the ENISA report depicting "top threats". The selected values were also explained for better transparency.

Thank you for your support in making the paper better.

Round 2

Reviewer 1 Report

The authors have improved the paper in this new version. For future work, I strongly recommend including quantitative data for cyber threat analysis.

Reviewer 3 Report

The paper was significantly improved. Even so, the paper does not contain highly novel scientific value; this paper works fine as a survey and puts together a lot of information in a very interesting way. Thus, I believe that the paper is suitable for publication and will bring added value for the journal. I recommend publishing it in the current form.
