{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,3]],"date-time":"2026-06-03T22:29:30Z","timestamp":1780525770221,"version":"3.54.1"},"reference-count":40,"publisher":"Emerald","issue":"1","license":[{"start":{"date-parts":[[2019,3,11]],"date-time":"2019-03-11T00:00:00Z","timestamp":1552262400000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["ICS"],"published-print":{"date-parts":[[2019,3,11]]},"abstract":"<jats:sec><jats:title content-type=\"abstract-subheading\">Purpose<\/jats:title><jats:p>The common implementation practices of modern industrial control systems (ICS) has left a window wide open to various security vulnerabilities. As the cyber-threat landscape continues to evolve, the ICS and their underlying architecture must be protected to withstand cyber-attacks. This study aims to review several ICS security assessment methodologies to identify an appropriate vulnerability assessment method for the ICS systems that examine both critical physical and cyber systems so as to protect the national critical infrastructure.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-subheading\">Design\/methodology\/approach<\/jats:title><jats:p>This paper reviews several ICS security assessment methodologies and explores whether the existing methodologies are indeed sufficient to meet the cyber security assessment exercise required to validate the security of electrical power control systems.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-subheading\">Findings<\/jats:title><jats:p>The study showed that most of the examined methodologies seem to concentrate on vulnerability identification and prioritisation techniques, whilst other security techniques received noticeably less attention. The study also showed that the least attention is devoted to patch management process due to the critical nature of the SCADA system. Additionally, this review portrayed that only two security assessment methodologies exhibited absolute fulfilment of all NERC-CIP security requirements, whilst the others only partially fulfilled the essential requirements.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-subheading\">Originality\/value<\/jats:title><jats:p>This paper presents a review and a comparative analysis of several standard SCADA security assessment methodologies and guidelines published by internationally recognised bodies. In addition, it explores the adequacy of the existing methodologies in meeting cyber security assessment practices required for electrical power networks.<\/jats:p><\/jats:sec>","DOI":"10.1108\/ics-04-2018-0048","type":"journal-article","created":{"date-parts":[[2019,2,7]],"date-time":"2019-02-07T10:16:15Z","timestamp":1549534575000},"page":"47-61","source":"Crossref","is-referenced-by-count":34,"title":["A review of security assessment methodologies in industrial control systems"],"prefix":"10.1108","volume":"27","author":[{"given":"Qais Saif","family":"Qassim","sequence":"first","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Norziana","family":"Jamil","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Maslina","family":"Daud","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Ahmed","family":"Patel","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Norhamadi","family":"Ja\u2019affar","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"140","reference":[{"key":"key2020092420091439900_ref001","doi-asserted-by":"crossref","first-page":"53","DOI":"10.1016\/j.ijcip.2014.12.002","article-title":"Critical infrastructure protection: requirements and challenges for the 21st century","volume":"8","year":"2015","journal-title":"International Journal of Critical Infrastructure Protection"},{"issue":"3","key":"key2020092420091439900_ref002","doi-asserted-by":"crossref","first-page":"817","DOI":"10.3390\/s18030817","article-title":"Cyber and physical security vulnerability assessment for IoT-based smart homes","volume":"18","year":"2018","journal-title":"Sensors"},{"key":"key2020092420091439900_ref003","first-page":"60","article-title":"A data protection impact assessment methodology for cloud","year":"2016"},{"key":"key2020092420091439900_ref004","unstructured":"American Petroleum Institute (2003), Security Vulnerability Assessment Methodology for the Petroleum and Petrochemical Industries, American Petroleum Institute, Washington, DC, available at: www.nrc.gov\/docs\/ML0502\/ML050260624.pdf"},{"key":"key2020092420091439900_ref005","first-page":"366","article-title":"Automatic security assessment of critical cyber-infrastructures","year":"2008"},{"key":"key2020092420091439900_ref006","volume-title":"Guide for Conducting Risk Assessments","year":"2012"},{"key":"key2020092420091439900_ref007","unstructured":"Centre for the Protection of National Infrastructure (CPNI) (2011), \u201cCyber security assessments of industrial control systems: a good practice guide\u201d, available at: www.ccn-cert.cni.es\/publico\/InfraestructurasCriticaspublico\/CPNI-Guia-SCI.pdf"},{"key":"key2020092420091439900_ref008","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1016\/j.cose.2015.09.009","article-title":"A review of cyber security risk assessment methods for SCADA systems","volume":"56","year":"2016","journal-title":"Computers and Security"},{"key":"key2020092420091439900_ref009","first-page":"1","article-title":"Vulnerability analysis of network scanning on SCADA systems","volume":"2018","year":"2018","journal-title":"Security and Communication Networks"},{"key":"key2020092420091439900_ref010","first-page":"48","article-title":"Security monitoring for industrial control systems","volume-title":"Lecture Notes in Computer Science","year":"2016","edition":"9588th ed."},{"key":"key2020092420091439900_ref011","first-page":"1","article-title":"VSCADA: a reconfigurable virtual SCADA test-bed for simulating power utility control center operations","volume-title":"2015 IEEE Power and Energy Society General Meeting","year":"2015"},{"key":"key2020092420091439900_ref012","first-page":"1","article-title":"Analysis of cyber security for industrial control systems","volume-title":"International Conference on Cyber Security of Smart Cities, Industrial Control System and Communications (SSIC)","year":"2015"},{"issue":"1","key":"key2020092420091439900_ref013","first-page":"806","article-title":"A systematic review of data protection and privacy preservation schemes for smart grid communications","volume":"38","year":"2018","journal-title":"Sustainable Cities and Society"},{"key":"key2020092420091439900_ref014","first-page":"420","article-title":"The design of ICS testbed based on emulation, physical, and simulation (EPS-ICS testbed)","year":"2013"},{"key":"key2020092420091439900_ref015","unstructured":"Giordano, S. and Gary, T. (2016), \u201cThirteen essential steps to meeting the security challenges of the new EU general data protection regulation\u201d, available at: www.wickhill.com\/uploads\/knowledge_library\/GDPR\/Tenable_Thirteen_Essential_Steps_to_Meeting_GDPR_Security_Challenges.pdf"},{"key":"key2020092420091439900_ref016","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1007\/978-1-4471-6663-4_1","article-title":"Security challenges in smart grid implementation","volume-title":"Smart Grid Security","year":"2015"},{"key":"key2020092420091439900_ref017","first-page":"1","article-title":"Vulnerability assessment for substation automation systems","year":"2011"},{"key":"key2020092420091439900_ref018","unstructured":"Hart, S.V. (2002), \u201cA method to assess the vulnerability of US chemical facilities (Report no. NCJ 195171)\u201d, US Department of Justice, Washington, DC, available at: www.ncjrs.gov\/pdffiles1\/nij\/195171.pdf"},{"key":"key2020092420091439900_ref019","unstructured":"Idaho National Laboratory (2011), \u201cVulnerability analysis of energy delivery control systems (Report no. INL\/EXT-10-18381)\u201d, ID Falls, ID, available at: https:\/\/energy.gov\/sites\/prod\/files\/VulnerabilityAnalysisofEnergyDeliveryControlSystems2011.pdf"},{"issue":"1","key":"key2020092420091439900_ref020","doi-asserted-by":"crossref","first-page":"38","DOI":"10.1145\/2591056.2591060","article-title":"Evaluation of security solutions in the SCADA environment","volume":"45","year":"2014","journal-title":"ACM SIGMIS Database"},{"key":"key2020092420091439900_ref021","first-page":"136","article-title":"False logic attacks on SCADA control system","volume-title":"Proceedings \u2013 2014 Asia-Pacific Services Computing Conference, APSCC 2014","year":"2015"},{"issue":"5","key":"key2020092420091439900_ref022","doi-asserted-by":"crossref","first-page":"1039","DOI":"10.1109\/JPROC.2015.2512235","article-title":"The cybersecurity landscape in industrial control systems","volume":"104","year":"2016","journal-title":"Proceedings of the IEEE"},{"issue":"6","key":"key2020092420091439900_ref023","doi-asserted-by":"crossref","first-page":"1685","DOI":"10.1016\/j.jlp.2013.10.012","article-title":"Security risk assessment methodology for the petroleum and petrochemical industries","volume":"26","year":"2013","journal-title":"Journal of Loss Prevention in the Process Industries"},{"key":"key2020092420091439900_ref024","first-page":"10","article-title":"SCADA security: challenges and solutions","year":"2011"},{"key":"key2020092420091439900_ref025","unstructured":"Parks, R.C. (2007), \u201cGuide to critical infrastructure protection cyber vulnerability assessment (Report no. SAND2007-7328)\u201d, Sandia National Laboratories, Albuquerque, NM, available at: https:\/\/energy.gov\/sites\/prod\/files\/oeprod\/DocumentsandMedia\/26-CIP_CyberAssessmentGuide.pdf"},{"key":"key2020092420091439900_ref026","first-page":"12","article-title":"Cyber assessment methods for SCADA security","volume-title":"15th Annual Joint ISA POWID\/EPRI Controls and Instrumentation Conference","year":"2005"},{"key":"key2020092420091439900_ref027","first-page":"1","article-title":"Security and privacy challenges in industrial internet of things","volume-title":"Proceedings of the 52nd Annual Design Automation Conference on \u2013 DAC \u201915","year":"2015"},{"key":"key2020092420091439900_ref028","doi-asserted-by":"crossref","first-page":"70","DOI":"10.1109\/ICICCS.2016.7542306","article-title":"A review: outrageous cyber warfare","volume-title":"2016 International Conference on Innovation and Challenges in Cyber Security (ICICCS-INBUSH)","year":"2016"},{"key":"key2020092420091439900_ref029","doi-asserted-by":"crossref","first-page":"1375","DOI":"10.1109\/ACCESS.2016.2549047","article-title":"Cloud-assisted IoT-based SCADA systems security: a review of the state of the art and future challenges","volume":"4","year":"2016","journal-title":"IEEE Access"},{"key":"key2020092420091439900_ref030","first-page":"3B3","article-title":"Cyber attack impact on power system blackout","volume-title":"IET Conference on Reliability of Transmission and Distribution Networks (RTDN 2011)","year":"2011"},{"key":"key2020092420091439900_ref031","doi-asserted-by":"crossref","first-page":"30","DOI":"10.1109\/VLSID.2016.153","article-title":"Cyber security of cyber physical systems: cyber threats and defense of critical infrastructures","volume-title":"2016 29th International Conference on VLSI Design and 2016 15th International Conference on Embedded Systems (VLSID)","year":"2016"},{"key":"key2020092420091439900_ref032","first-page":"1","article-title":"A testbed for SCADA cyber security and intrusion detection","volume-title":"2015 International Conference on Cyber Security of Smart Cities, Industrial Control System and Communications (SSIC)","year":"2015"},{"key":"key2020092420091439900_ref033","volume-title":"Guide to Enterprise Patch Management Technologies, National Institute of Standards and Technology (NIST) \u2013 Special Publication 800-40","year":"2013"},{"key":"key2020092420091439900_ref034","doi-asserted-by":"crossref","unstructured":"Stoneburner, G. Goguen, A. and Feringa, A. (2002), \u201cRisk management guide for information technology systems\u201d, Gaithersburg, MD, available at: https:\/\/doi.org\/10.6028\/NIST.SP.800-30","DOI":"10.6028\/NIST.SP.800-30"},{"key":"key2020092420091439900_ref035","article-title":"Guide to industrial control systems (ICS) security recommendations of the national institute of standards and technology","year":"2008"},{"key":"key2020092420091439900_ref036","doi-asserted-by":"crossref","unstructured":"Stouffer, K. Falco, J. and Scarfone, K. (2011), \u201cGuide to industrial control systems (ICS) security, recommendations of the national institute of standards and technology\u201d, Gaithersburg, MD, available at: https:\/\/doi.org\/10.6028\/NIST.SP.800-82","DOI":"10.6028\/NIST.SP.800-82"},{"key":"key2020092420091439900_ref037","unstructured":"Tenable Network Security (2019), available at: www.tenable.com"},{"key":"key2020092420091439900_ref038","article-title":"Vulnerability and risk analysis program: overview of assessment methodology","author":"US Department of Energy","year":"2001"},{"issue":"3","key":"key2020092420091439900_ref039","doi-asserted-by":"crossref","first-page":"450","DOI":"10.1016\/j.clsr.2017.12.004","article-title":"Avoiding the internet of insecure industrial things","volume":"34","year":"2018","journal-title":"Computer Law and Security Review"},{"issue":"1","key":"key2020092420091439900_ref040","doi-asserted-by":"crossref","first-page":"2","DOI":"10.1007\/s11768-016-5123-9","article-title":"A survey on the security of cyber-physical systems","volume":"14","year":"2016","journal-title":"Control Theory and Technology"}],"container-title":["Information &amp; Computer Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-04-2018-0048\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-04-2018-0048\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T01:22:51Z","timestamp":1753406571000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/27\/1\/47-61\/112090"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2019,3,11]]},"references-count":40,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2019,3,11]]}},"alternative-id":["10.1108\/ICS-04-2018-0048"],"URL":"https:\/\/doi.org\/10.1108\/ics-04-2018-0048","relation":{},"ISSN":["2056-4961","2056-4961"],"issn-type":[{"value":"2056-4961","type":"print"},{"value":"2056-4961","type":"print"}],"subject":[],"published":{"date-parts":[[2019,3,11]]}}}