research-article

Dynamic vulnerability severity calculator for industrial control systems

Published: 08 May 2024

Abstract

The convergence of information and communication technologies has introduced new and advanced capabilities to Industrial Control Systems. However, concurrently, it has heightened their vulnerability to cyber attacks. Consequently, the imperative for new security methods has emerged as a critical need for these organizations to effectively identify and mitigate potential threats. This paper introduces an innovative approach by proposing a dynamic vulnerability severity calculator. Our methodology encompasses the analysis of environmental topology and the effectiveness of deployed security mechanisms, coupled with the utilization of the Common Vulnerability Scoring System framework to adjust detected vulnerabilities based on the specific environment. Moreover, it evaluates the quantity of vulnerabilities and their interdependencies within each asset. Additionally, our approach integrates these factors into a comprehensive Fuzzy Cognitive Map model, incorporating attack paths to holistically assess the overall vulnerability score. To validate the efficacy of our proposed method, we present a relative case study alongside several modified scenarios, demonstrating its effectiveness in practical applications.

Published In

International Journal of Information Security, Volume 23, Issue 4
Aug 2024
607 pages

Publisher

Springer-Verlag

Berlin, Heidelberg

Author Tags

  1. Cybersecurity
  2. Dynamic vulnerability assessment
  3. Fuzzy cognitive maps
  4. Dynamic risk assessment
  5. Industrial control systems

Qualifiers

  • Research-article

Funding Sources

  • This work was partially funded by the Horizon Europe program through the projects “Reliability, Resilience and Defense Technology for the Grid” (R2D2)
