Computer Security Vulnerabilities in Industry 4.0

Proposed Criteria for Using Multi-Criteria Analysis

Authors

DOI:

https://doi.org/10.5585/exactaep.2022.21683

Keywords:

security vulnerability, Industry 4.0, multi-criteria analysis, AHP, information security

Abstract

The progress of Industry 4.0 is increasingly relevant, considering the rise in computer security vulnerabilities and the complexity of prioritizing them in decision-making. There was a research gap on this topic. The article’s objective is to identify criteria in the scientific literature that can be used in a multi-criteria analysis method to prioritize the treatment of security vulnerabilities in Industry 4.0. A method like AHP (Analytic Hierarchy Process) is a proposed solution. The methodology was an exploratory review in the SCOPUS and Web of Science databases. The result identified eight criteria and 34 sub-criteria related to the treatment of security vulnerabilities in Industry 4.0. The theoretical contribution goes towards filling the gap in relation to this topic. The practical contribution allows Industry 4.0 organizations to apply the criteria identified in the multi-criteria analysis to address their security vulnerabilities and thus reach better decisions for the delivery of products and services contributing to society. Future research can be conducted through interviews or surveys for professional validation of the criteria found, as well as the practical application of the AHP method.


Author Biographies

Rodrigo Silva Sotolani, Centro Estadual de Educação Tecnológica Paula Souza / São Paulo, SP - Brasil

Systems Analyst with a degree from the Universidade Federal de Mato Grosso do Sul (UFMS), and specializations in Website Engineering from UFMS and in Information Technology Management and Governance from SENAC São Paulo. Master's student in Management and Technology in Productive Systems at the Centro Estadual de Educação Tecnológica Paula Souza. Areas of work: information technology, information security, information technology management, project management.

Isabella de Araújo Cionini Menezes, Centro Estadual de Educação Tecnológica Paula Souza / São Paulo, SP - Brasil

Holds a degree in Systems Analysis and Development from the Universidade Tecnológica Federal do Paraná (UTFPR) and an MBA in Project Management and Organizational Processes from Centro Paula Souza. Master's student in Management and Technology in Productive Systems at the Centro Estadual de Educação Tecnológica Paula Souza. Areas of work: software engineering, development processes and software quality.

Napoleão Verardi Galegale, Pontifícia Universidade Católica de São Paulo – PUC/SP - São Paulo, SP - Brasil

PhD in Controllership and Accounting.

Marcelo Duduchi Feitosa, Centro Estadual de Educação Tecnológica Paula Souza / São Paulo, SP - Brasil

PhD in Psychology (Experimental Psychology).


Published

2022-10-13 — Updated on 2024-06-11

How to Cite

Silva Sotolani, R., de Araújo Cionini Menezes, I., Verardi Galegale, N., & Duduchi Feitosa, M. (2024). Computer Security Vulnerabilities in Industry 4.0: proposed Criteria for Using Multi-Criteria Analysis. Exacta, 22(2), 491–522. https://doi.org/10.5585/exactaep.2022.21683