A Harmonized Information Security Taxonomy for Cyber Physical Systems
Round 1
Reviewer 1 Report
The authors analyse well-established taxonomies and propose a harmonized taxonomy applicable to all lifecycle phases of Cyber-Physical Systems. Two real-world scenarios are also used to explain the applicability of the proposed taxonomy. The paper is well written, with a good analysis of the chosen taxonomies, and the methodology followed to reach the proposal is well explained. Most figures present the information clearly, although Figure 12 is a bit confusing. Table 2 has a problem with references to the bibliography. For me, in Table 3 it is difficult to understand the relation between the Harmonized taxonomy and the methodology elements; if you could better explain it, that would be good. On line 517, when explaining the simplified methodology, step 14 (Threat Identification and Classification) is considered; it would be interesting to describe which taxonomy is used for the threat classification. I think that the paper could be greatly improved if the authors also incorporate MITRE ATT&CK® for Industrial Control Systems and the MITRE D3FEND related taxonomy for attack and defence approaches.
Author Response
Good day,
Thank you for spending the time to review the paper. In response to the comments please see the following:
- I understand the possible confusion in Figure 12 and have updated it with an alternative layout that I hope will be clearer (I am also attaching that layout to this response).
- The references in Table 2 have been corrected.
- The wording explaining Table 3 has been changed and I trust it is clearer now.
- The threat taxonomy used is the one based on the information by Bodungen. I agree that the ATT&CK framework can be used successfully, especially in threat modeling, and D3FEND in risk mitigation. The focus is however specific to intentional and mostly external threats, while the taxonomy aims for a broader, less specific approach. That being said I believe that it can definitely be used in a complementary fashion when applying the taxonomy.
Author Response File: Author Response.docx
Reviewer 2 Report
The paper describes well-established taxonomies that are combined into a single comprehensive and harmonized taxonomy that allows application throughout the different lifecycle phases. The paper is well structured. The introduction describes the main idea of the research. However, the conclusion needs more discussion on the research done. There are many incorrect citations from http://docslide.net/documents/lightning-protection-5654bada58908.html and http://doi.org/10.1177/0886260512454742
Author Response
Good day,
Thank you for making the time available to review the paper. With regards to the comments, the following changes/comments are applicable:
- The paper presents the initial research results, specifically as it applies to the two case studies. Further research on the applicability is ongoing. The conclusion has been updated to reflect this.
- We have found a problem with the references in Table 2 and this has been corrected. We however cannot find the docslide and doi ones referred to. Can additional information be provided?
The updated document is attached.
Kind regards,
JHJ Pool
Author Response File: Author Response.docx
Reviewer 3 Report
The authors present well-established information security taxonomies that are combined into a single comprehensive and harmonized one and that allows application throughout the different lifecycle phases. The IS taxonomy is used to identify information security gaps through its implementation in an industrial facility. There are some issues that need to be updated such as the size of some figures and tables. Moreover, the authors should reconsider the Abstract section which seems to be too summarized.
Author Response
Good day,
Thank you for making the time available to review the paper. With regards to the comments, the following updates/responses are applicable:
- We have tried to improve the readability of especially the more complex figures (the updated paper is attached).
- The abstract has been expanded slightly, but we are constrained by the space limitation.
Kind regards,
JHJ Pool
Author Response File: Author Response.docx