Next Article in Journal
Relational Action Bank with Semantic–Visual Attention for Few-Shot Action Recognition
Previous Article in Journal
Securing Critical User Information over the Internet of Medical Things Platforms Using a Hybrid Cryptography Scheme
Previous Article in Special Issue
Anomalous Vehicle Recognition in Smart Urban Traffic Monitoring as an Edge Service
 
 
Search for Articles:
Title / Keyword
Author / Affiliation / Email
Journal
Article Type
 
 
Advanced Search
 
Section
Special Issue
Volume
Issue
Number
Page
 
Journals
Future Internet
Volume 15
Issue 3
10.3390/fi15030100
Review Report
futureinternet-logo
Submit to this Journal Review for this Journal Propose a Special Issue
Article Menu

Article Menu

share Share announcement Help format_quote Cite question_answer Discuss in SciProfiles
Article
Peer-Review Record

A Vulnerability Assessment Approach for Transportation Networks Subjected to Cyber–Physical Attacks

Future Internet 2023, 15(3), 100; https://doi.org/10.3390/fi15030100
by Konstantinos Ntafloukas 1,*, Liliana Pasquale 2, Beatriz Martinez-Pastor 1 and Daniel P. McCrum 1
Reviewer 1: Anonymous
Reviewer 2:
Jaouhar Fattahi
Future Internet 2023, 15(3), 100; https://doi.org/10.3390/fi15030100
Submission received: 30 January 2023 / Revised: 23 February 2023 / Accepted: 27 February 2023 / Published: 28 February 2023
(This article belongs to the Special Issue Security of IoT-Enabled Infrastructures in Smart Cities and Critical Systems)

Round 1

Reviewer 1 Report

 

In this manuscript, the authors propose a vulnerability assessment approach for smart transportation networks subjected to physical and cyber attacks at the sensing layer. They illustrated their approach with a transportation network case study. While this is an interesting and critical topic, the authors should consider the following:

 

  1. The manuscript contains many long, hard to comprehend sentences. Please re-write very long sentences in a more district and straightforward way.

 

  1. The manuscript has several grammar and typos. For instance, on Page 3, in Section 1: (of an IoT enabled transportation infrastructure, necessitates the exploitation of vulnerabilities both in physical space (e.g., lack of CCTV systems), in order the attacker to gain physical proximity to the victimized IoT based WSN, and cyber space (e.g., lack of energy resources of IoT devices) in order the attacker to breach confidentiality, integrity or availability of data.). It should be (…. In order for the attacker….). Moreover, again this is also an example of a very long sentence. Please proofread the manuscript.

 

  1. Some technical background knowledge needs to be briefly illustrated as part of Section 2 or as a separate section after section 2. For instance, the authors need to briefly describe the Bayesian network attack graph (BN) as background knowledge before Section 3.
  2. The manuscript lacks to reference some of the key works in transportation networks security including but not limited to a) Authorization framework for secure cloud assisted connected cars and vehicular internet of things b) Dynamic groups and attribute-based access control for next-generation smart cars, c) Secure V2V and V2I Communication in Intelligent Transportation using Cloudlets, d) An Attribute-Based Access Control for Cloud-Enabled Industrial Smart Vehicles, e) Towards Activity-Centric Access Control for Smart Collaborative Ecosystems

4.     In Section 3.3:

a.     Table 1 needs to be explained more. What are these value represents? For example, the first entry in the first row is Low/1, and the second entry in the first row is Very Low / 0.01–0.20. However, in the text, it is mentioned differently (The rating scale of characteristics level (e.g., Low (1), etc.) and importance index (i.e., Very Low (00.01-0.20), etc.) is shown in Table 1). What is meant by Low/1 in the table and Low(1) in the text?? Why choose this rating scale values in a specific?

 

b.     It is also mentioned that (Therefore, based on the calculation of PI for very vulnerability states, the probability scores should range within the values shown in Table 2) why? What is the justification for mapping these specific ranges of PI to these specific probability score ranges? The authors mentioned that (It is evident that a greater attacker level with a lower control barrier level will result in higher values of PI (i.e., values ranging from two to three) and, subsequently higher range of probability score for a vulnerability state i (i.e., P(i)).) While that sounds true, but still why map these numbers? Is there an equation from which these numbers are derived?

 

5.       In Section 3.3.2:

a.     The authors mentioned that (Table 4 presents the described control barriers (i.e., ???) at physical and cyber space.) I think it is Table 3 instead of Table 4.

b.     The authors mentioned a list of seven cyberspace control barriers. Is this an inclusive list? If yes, the authors need to justify this. If not, the authors need to illustrate why they chose these cyberspace control barriers, among others.

 

 

 

6.     In Section 4:

a.     The authors mentioned:

 (following the second activity (i.e., see Figure 2, Division of cyber-physical attack scenario into vulnerability states in physical and cyber space) the attacker i should infiltrate into the physical sensing area of critical transportation infrastructure, where the ZigBee enabled network locates, by overcoming the physical control barriers (i.e., physical space) that relies on the exploitation of vulnerabilities, either operating both or one of them, of nontechnological or human operation (i.e., State A, VA) (i.e., see Table 4) and technological operation (i.e., State B, VB) ).

This is a very long statement. Accordingly, it is difficult to comprehend. Please re-write it more straightforwardly.

 

Moreover, in the same long statement the authors mentioned that:

 (…..either operating both or one of them, of non technological or human operator (State A)…, and technological operation (State B) ).

Since you mentioned that either operating both or one of them (which are state A and state B), why then, in Figure 5, is there a logical AND between them to reach state C? Why not logical OR, since again you mention (either operating both or one of them).

 

7.     In Section 4.1:

a.     In the case study, did you assume that the attacker characteristics level per vulnerability state that was illustrated in Table 4 is the same for all the transportation nodes? If yes, why? Does not that also depend on the node itself and the type of technology it uses other than the Zigbee technology? In other words, although all the devices in this use case are “Zigbee” devices, cannot key management in Zigbee devices be affected by other security factors that may vary from device to device? If you assumed that the attacker characteristics level is the same for all of the eight devices for some reason (simplicity, for example). It would be best if you made this assumption clear.

 

Author Response

Please see the attachment

Author Response File: Author Response.docx

Reviewer 2 Report

This paper proposes a probabilistic approach for assessing the vulnerabilities of transport networks exposed to cyber-physical attacks.

The probabilistic approach is straightforward and classical. The authors need to demonstrate their contribution compared to similar probalistic methods that exist in the state of the art to tackle the same problem and those used by MITRE ATT&CK™ framework, for example.

The discussion does not consider several recent works in the same transport domain, and in similar areas. It should be enriched by comparing the results of their method with the results of these works.

Figures 1, 2, 3, 4 and 5 are to be enlarged.

Some sentences are written carelessly, such as the conclusion (well-wellbeing?).

Make sure that the references are written in the standards of scientific papers.

Author Response

Please see the attachment

Author Response File: Author Response.docx

Reviewer 3 Report

The paper is well-written but it seems it is very similar to this work from the same authors because the abstract and content have significant overlapping.

Applied Sciences | Free Full-Text | A Cyber-Physical Risk Assessment Approach for Internet of Things Enabled Transportation Infrastructure (mdpi.com)

Can you elaborate more on the difference? Maybe you need to put some table to differentiate between both of your works.

Some of the PI ratio's parameters are very subjective and it is not easy to quantify. Are you following some industrial standard to do it or not?

The approach is good but it may not be practical to be implemented or can be used to deploy security measures in the transportation network.

 

Author Response

Please see the attachment

Author Response File: Author Response.docx

Round 2

Reviewer 1 Report

This revision addressed all of my concerns raised in the original manuscript. Overall, there are substantial changes to the original version, and author have careful answered the reviews. It is suggested that the camera -ready manuscript must be thoroughly proof-read.

Author Response

Dear reviewer,

Thank you for your comments.  The manuscript has been edited by the main supervisor who is a native English speaker. 

Reviewer 2 Report

The paper has evolved well compared to the original version. I think it should be considered for acceptance.

Author Response

Dear reviewer,

Thank you for your comments. 

Reviewer 3 Report

Thank you for your effort to address my review, but I still want to give minor comments.

- After the update, it seems the paper become very lengthy, but I am not sure which one can be optimized.

- Is there any data, source code, or video demo of your experiment that can be shared, so that the reader can easily follow or reproduce your work?

 

Author Response

Please see the attachment

Author Response File: Author Response.docx

Back to TopTop