• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.34 no.2
• /
• pp.347-363
• /
• 2024

As the number of cyberattacks against the National Critical Information Infrastructure (NCII) is steadily increasing, many countries are strengthening the protection of National Critical Information Infrastructure (NCII) through the enactment and revision of related policies and legal systems. Therefore, this paper selects countries such as the United States, the United Kingdom, Japan, Germany, and Australia, which have established National Critical Information Infrastructure (NCII) protection systems, and compares and analyzes the promotion system of each country's National Critical Information Infrastructure (NCII) protection policy. This paper compares the National Critical Information Infrastructure (NCII) protection system of each country with the cybersecurity system and analyzes the promotion structure. Based on the policy model theory, which is a modification of Allison's theory and Nakamura & Smallwood's theory, this paper analyzes the model of each country's promotion system from the perspective of policy-making and policy-execution. The United States, Japan, Germany, and Australia's policy-promotion model is a system-strengthening model in which both policy-making and policy-execution are organized around the protection of the National Critical Information Infrastructure (NCII), while the United Kingdom and South Korea's policy-promotion model is an execution-oriented model that focuses more on policy-execution.

• Journal of information and communication convergence engineering
• /
• v.22 no.2
• /
• pp.121-126
• /
• 2024

In enterprise environments, file owners are often required to share critical files with other users, with encryption-based file delivery systems used to maintain confidentiality. However, important information might be leaked if the cryptokey used for encryption is exposed. To recover confidentiality, the file owner must then re-encrypt and redistribute the file along with its new encryption key, which requires considerable resources. To address this, we propose a key management server that minimizes the distribution of encryption keys when critical files are compromised, with unique encryption keys assigned for each registered user to access critical files. While providing the targeted functions, the server employs a level of system resources comparable to that of legacy digital rights management. Thus, when implemented in an enterprise environment, the proposed server minimizes cryptokey redistribution while maintaining accessibility to critical files in the event of an information breach.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.21 no.5
• /
• pp.197-203
• /
• 2011

Personal information protection need to be addressed in terms of enterprise-wide and business issues, not just an information processing issue. Therefore, governance of personal information protection, which stress the importance of top management's roles aud responsibilities for personal information protection, has been noticed as an important agenda to resolve. The paper defines the concept of personal information protection governance and proposes the severn critical success factors (CSFs) for implementing the governance scheme. The proposed CSFs are tested in terms of feasibility and materiality by using the focus group interviews.

• Proceedings of the Korean Information Science Society Conference
• /
• 2000.10a
• /
• pp.486-488
• /
• 2000

본 연구는 정형기법을 사용하여 Safety-Critical System의 개발 방법론을 제시한다. Safety-Critical System의 전체적인 개발 과정을 제시하고 Safety-Critical System 중의 하나인 원자력 발전소 시스템 중 Reactor Protection System(RPS)을 정형 명세(Formal Specification)하고 정형 검증(Formal Verification)하는 과정과 그에 따른 각 과정의 Compliance를 확인하는 예를 든다. 여기서 정형 명세에는 Software Cost Reduction(SCR)이하는 도구가 사용되었고, 정형 검증에는 SPIN이, Compliance를 확인하는 데에는 Prototype Verification System(PVS)를 사용하였다.

• The Journal of the Institute of Internet, Broadcasting and Communication
• /
• v.23 no.3
• /
• pp.19-26
• /
• 2023

Critical information infrastructure designations for cloud service providers continue to spread around the world as energy, financial services, health, telecommunications, and transportation sectors move to the cloud. In addition, in the case of Ukraine, the removal of restrictions on the use of cloud for national critical facilities and the rapid transition of critical data to the cloud enabled the country to effectively respond to cyberattacks targeting Russian infrastructure. In Korea, the ISMS-P is operated to implement a systematic and comprehensive information protection management system and to improve the level of information protection and personal information protection management in organizations. Control items considering the cloud environment have been modified and added to the audit of companies. However, due to the different technical levels of clouds between domestic and global, it is not easy to obtain information on the findings of cloud providers such as Microsoft for the training of domestic certification auditors on hyperscale scale. Therefore, this paper analyzes findings in hyperscale clouds and suggests ways to improve cloud-specific control items by considering the compatibility of hyperscale environments with ISO/IEC 27001 and SOC(System and Organization Control) security international standards.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.10 no.2
• /
• pp.857-880
• /
• 2016

Due to an increasing number of cyberattacks globally, cybersecurity has become a crucial part of national security in many countries. In particular, the Digital Pearl Harbor has become a real and aggressive security threat, and is considered to be a global issue that can introduce instability to the dynamics of international security. Against this context, the cyberattacks that targeted nuclear power plants (NPPs) in the Republic of Korea triggered concerns regarding the potential effects of cyber terror on critical infrastructure protection (CIP), making it a new security threat to society. Thus, in an attempt to establish measures that strengthen CIP from a cybersecurity perspective, we perform a case study on the cyber-terror attacks that targeted the Korea Hydro & Nuclear Power Co., Ltd. In order to fully appreciate the actual effects of cyber threats on critical infrastructure (CI), and to determine the challenges faced when responding to these threats, we examine factual relationships between the cyberattacks and their responses, and we perform analyses of the characteristics of the cyberattack under consideration. Moreover, we examine the significance of the event considering international norms, while applying the Tallinn Manual. Based on our analyses, we discuss implications for the cybersecurity of CI in South Korea, after which we propose a framework for strengthening cybersecurity in order to protect CI. Then, we discuss the direction of national policies.

• ETRI Journal
• /
• v.37 no.2
• /
• pp.369-379
• /
• 2015

Fault management of virtualized network environments using user-driven network provisioning systems (NPSs) is crucial for guaranteeing seamless virtual network services irrespective of physical infrastructure impairment. The network service interface (NSI) of the Open Grid Forum reflects the need for a common standard management API for the reservation and provisioning of user-driven virtual circuits (VCs) across global networks. NSI-based NPSs (that is, network service agents) can be used to compose user-driven VCs for mission-critical applications in a dynamic multi-domain. In this article, we first attempt to outline the design issues and challenges faced when attempting to provide mission-critical applications using dynamic VCs with a protection that is both user-driven and trustworthy in a dynamic multi-domain environment, to motivate work in this area of research. We also survey representative works that address inter-domain VC protection and qualitatively evaluate them and current NSI against the issues and challenges.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.12 no.10
• /
• pp.4995-5014
• /
• 2018

As the area covered by the CPS grows wider, agencies such as public institutions and critical infrastructure are collectively measuring and evaluating information security capabilities. Currently, these methods of measuring information security are a concrete method of recommendation in related standards. However, the security controls used in these methods are lacking in connectivity, causing silo effect. In order to solve this problem, there has been an attempt to study the information security management system in terms of maturity. However, to the best of our knowledge, no research has considered the specific definitions of each level that measures organizational security maturity or specific methods and criteria for constructing such levels. This study developed an information security maturity model that can measure and manage the information security capability of critical infrastructure based on information provided by an expert critical infrastructure information protection group. The proposed model is simulated using the thermal power sector in critical infrastructure of the Republic of Korea to confirm the possibility of its application to the field and derive core security processes and goals that constitute infrastructure security maturity. The findings will be useful for future research or practical application of infrastructure ISMSs.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.27 no.1
• /
• pp.163-176
• /
• 2017

Recently, the critical infrastructure is changing from the existing closed environment to an open environment, and it is becoming a new target of cyber-threats by expanding into cyberspace. In addition, due to the development of information and communications technology(ICT), the interdependence among critical infrastructure is increasing. Previous studies ranged from trend investigation and policy discussions to protection, but separate studies on the diagnosis of the current status and appropriateness judgment for efficient policy implementation were not performed. Therefore, this study compares and analyzes three international indicators that measure the level of cyber security in each country in order to build a new index to measure the level of cyber security of critical infrastructure in the USA, Japan, UK, Germany, Norway, and Korea. It is hoped that this study will serve as a basis for expanding Korean influence and building trust among countries in future cyberspace.

• The Journal of Korea Institute of Information, Electronics, and Communication Technology
• /
• v.4 no.3
• /
• pp.217-224
• /
• 2011

This paper proposes DDPT(Dynamic Data Protection Technique) which solves the problem of private information exposure occurring in a dynamic database environment. The DDPT in this paper generates the MAG(Multi-Attribute Generalization) rules using multi-attributes generalization algorithm, and the EC(equivalence class) satisfying the k-anonymity according to the MAG rules. Whenever data is changed, it reconstructs the EC according to the MAC rules, and protects the identification exposure which is caused by the EC change. Also, it measures the information loss rates of the EC which satisfies the ${\ell}$-diversity. It keeps data accuracy by selecting the EC which is less than critical value and enhances private information protection.