Abstract
With the emergence of internet-based devices, the traditional industrial control system (ICS) networks have evolved to co-exist with the conventional IT and internet enabled IoT networks, hence facing various security challenges. The IT industry around the world has widely adopted the common vulnerability scoring system (CVSS) as an industry standard to numerically evaluate the vulnerabilities in software systems. This mathematical score of vulnerabilities is combined with environmental knowledge to determine the vulnerable nodes and attack paths. IoT and ICS systems have unique dynamics and specific functionality as compared to traditional computer networks, and therefore, the legacy cyber security models would not fit these advanced networks. In this paper, we studied the CVSS v3.1 framework’s application to ICS embedded networks and an improved vulnerability framework, named CVSSIoT-ICS, is proposed. CVSSIoT-ICS and CVSS v3.1 are applied to a realistic supply chain hybrid network which consists of IT, IoT, and ICS nodes. This hybrid network is assigned with actual vulnerabilities listed in the national vulnerability database (NVD). The comparison results confirm the effectiveness of CVSSIoT-ICS framework as it is equally applicable to all nodes of a hybrid network and evaluates the vulnerabilities based on the distinct features of each node type.
Article PDF
Similar content being viewed by others
Explore related subjects
Discover the latest articles, news and stories from top researchers in related subjects.Avoid common mistakes on your manuscript.
References
H. Wilsdorf and J. Landels, "Engineering in the Ancient World.", Man, vol. 13, no. 4, p. 681, 1978. Available: https://doi.org/10.2307/2801269
D. Bhamare, M. Zolanvari, A. Erbad, R. Jain, K. Khan and N. Meskin, "Cybersecurity for industrial control systems: a survey", computers & security, vol. 89, pp. 101677, 2020. Available: https://doi.org/10.1016/j.cose.2019.101677, 2020
M. Davis, "Comprehensive Modeling of Industrial Control Systems for Cyber-Security Applications." Order No. 10642514, State University of New York at Binghamton, Ann Arbor, 2017
U. Ani, H. He and A. Tiwari, "Review of cybersecurity issues in industrial critical infrastructure: manufacturing in perspective", J. Cyber Security Technol., vol. 1, no. 1, pp. 32–74, 2016. Available: https://doi.org/10.1080/23742917.2016.1252211
O. A Sergey, G. Gleb, G.O Kochetova," Iindustrial Controll System Vulranabilities Statictics", 2016
V. Murthy, "Analysis: Assessing Correlation between CVSS Scores in Vulnerability Disclosures and Patching", Biomed. Instrument. Technol., vol. 54, no. 1, pp. 44–46, 2020. Available: https://doi.org/10.2345/0899-8205-54.1.44
"NVD - CVSS v3.1 Official Support", Nvd.nist.gov, 2020. [Online]. Available: https://nvd.nist.gov/General/News/CVSS-v3-1-Official-Support. [Accessed: 03- Jan- 2020]
Symantec Internet Security Threat Report “ISTR Healthcare, vol. 22, April 2017
Stouffer, K., Falco, J., Scarfone, K.: Guide to industrial control systems (ICS) security. NIST Special Public. 800(82), 16–16 (2011)
Y. Hu, A. Yang, H. Li, Y. Sun and L. Sun, "A survey of intrusion detection on industrial control systems", Int. J. Distrib. Sens. N., vol. 14, no. 8, p. 155014771879461, 2018. Available: https://doi.org/10.1177/1550147718794615 [Accessed 8 April 2020]
K. Knorr, “Patching our critical infrastructure,” Securing Critical Infrastructures and Critical Control Systems, pp. 190–216, 2013
M. StJohn-Green, R. Piggin, J.A. McDermid, R. Oates, “Combined Security and Safety Risk Assessment - What Needs to be Done For ICS and The IOT”. 10th IET System Safety and Cyber-Security Conference 2015
A. Ur-Rehman, I. Gondal, J. Kamruzzuman, and A. Jolfaei, “Vulnerability Modelling for Hybrid IT Systems,” IEEE International Conference on Industrial Technology (ICIT), 2019
Qin, Y.: Computer network attack modeling and network attack graph study. Adv. Mater. Res. 1079-1080, 816–819 (2014)
“Search and statistics,” NVD. [Online]. Available: https://nvd.nist.gov/vuln/search. [Accessed: 02-Jan-2020]
D. Wei, Y. Lu, M. Jafari, P. Skare, and K. Rohde, “An integrated security system of protecting Smart Grid against cyber attacks,” Innovative Smart Grid Technologies (ISGT), 2010
Knowles, W., Prince, D., Hutchison, D., Ferdinand, J., Disso, P., Jonesb, K.: A survey of cyber security management in industrial control systems. Int. J. Crit. Infrastruct. Prot. 9, 52–80 (2015)
S. Kim, W. Jo, and T. Shon, “A Novel Vulnerability Analysis Approach to Generate Fuzzing Test Case in Industrial Control Systems,” IEEE Information Technology, Networking, Electronic and Automation Control Conference, 2016
K. Kobara, “Cyber Physical Security for Industrial Control Systems and IoT,” IEICE Transactions on Information and Systems, vol. E99.D, no. 4, pp. 787–795, 2016
Busby, J.S., Green, B., Hutchison, D.: Analysis of affordance, time, and adaptation in the assessment of industrial control system Cybersecurity risk. Risk Anal. 37(7), 1298–1314 (2017)
Yılmaz, E.N., Gönen, S.: Attack detection/prevention system against cyber attack in industrial control systems. Comput. Secur. 77, 94–105 (2018)
A. Laszka, A. Dubey,M. Walker, D. Schmidt, "Providing Privacy, Safety, and Security in IoT-Based Transactive Energy Systems Using Distributed Ledgers" 2017. https://doi.org/10.1145/3131542.3131562
Zimba, A., Wang, Z., Chen, H.: Multi-stage crypto ransomware attacks: a new emerging cyber threat to critical infrastructure and industrial control systems. ICT Express. 4(1), 14–18 (2018)
Ge, Y., Zhang, X., Han, B.: Complex IoT control system modeling from perspectives of environment perception and information security. Mobile N. Appl. 22(4), 683–691 (2017)
Farris, I., Taleb, T., Khettab, Y., Song, J.: A survey on emerging SDN and NFV security mechanisms for IoT systems. IEEE Commun. Surv. Tutor. 21(1), 812–837 (2019)
Johnson, P., Lagerstrom, R., Ekstedt, M., Franke, U.: Can the common vulnerability scoring system be trusted? A Bayesian analysis. IEEE Trans. Depend. Sec. Comput. 15(6), 1002–1015 (2018)
Houmb, S.H., Franqueira, V., Engum, E.A.: Quantifying security risk level from CVSS estimates of frequency and impact. J. Syst. Softw. 83(9), 1622–1634 (September 2010)
Singh, U.K., Joshi, C.: Quantitative security risk evaluation using CVSS metrics by estimation of frequency and maturity of exploit. World Congr. Eng. Comput. Sci. 1, 170–175 (2016)
J.M. Spring, E. Hatleback, A. Householder, A. Manion, D. Shi, "Towards Improving CVSS" Software Engineering Indtitute CARNEGIE MELLON UNIVERSITY, 2018
Yigit, B., Gurb, G., Alagoz, F., Tellenbach, B.: Cost-aware securing of IoT systems using attack graphs. Ad Hoc Networks. 86, 23–35 (2019)
S. McLaughlin, C. Konstantinou, X. Wang, L. Davi, A.R. Sadeghi, M. Maniatakos, R. Karri, "The Cybersecurity landscape in industrial control systems," in Proceedings of the IEEE, vol. 104, no. 5, pp. 1039–1057, May 2016
M. R. Asghar, Q. Hu, S. Zeadally,"Cybersecurity in industrial control systems: Issues, technologies, and challenges" Computer Networks vol. 165, 24 December 2019, 106946
J. Slowik "Evolution of ICS Attacks and the Prospects for Future Disruptive Events" Threat Intelligence Centre Dragos Inc., 2019
J. Falco, A. Wavering,F. Proctor, "IT security for industrial control systems. US Department of Commerce", National Institute of Standards and Technology; 2002 Feb 28
G. Sabaliauskaite and A. P. Mathur, “Aligning cyber-physical system safety and security,” Complex Systems Design & Management Asia, pp. 41–53, 2015
X. Zhou, Z. Xu, L. Wang, K. Chen, C. Chen, and W. Zhang, “Kill Chain for Industrial Control System,” MATEC Web of Conferences, vol. 173, p. 01013, 2018.3
M. Frigault, L. Wang, S. Jajodia, and A. Singhal, “Measuring the overall network security by combining CVSS scores based on attack graphs and Bayesian networks,” Network Security Metrics, pp. 1–23, 2017
“Vulnerability Details : CVE-2019-14402,” CVE. [Online]. Available: https://www.cvedetails.com/cve/CVE-2019-14402/. [Accessed: 10-Jan-2020]
H. Esquivel-Vargas,M. Caselli, E. Tews, D. Bucur and A. Peter, Ranking building automation and control system components by business continuity impact. In international conference on computer safety, reliability, and security, 2019 (pp. 183-199). Springer
G. Bianconi and A.-L. Barabasi, “Competition and multiscaling m evolving networks,” The Structure and Dynamics of Networks, pp. 54–436, 2011
Bernabe, J.B., Perez, G.M., Skarmeta Gomez, A.F.: Intercloud trust and security decision support system: an ontology-based approach. J. Grid Computing. 13, 425–456 (2015)
Song, S., Hwang, K., Kwok, Y.: Trusted grid computing with security binding and trust integration. J Grid Computing. 3, 53–73 (2005)
Aziz, B.: Modelling fine-grained access control policies in grids. J Grid Computing. 14, 477–493 (2016)
da Rosa Righi, R., Lehmann, M., Gomes, M.M., Nobre, J.C., da Costa, C.A., Rigo, S.J., Lena, M., Mohr, R.F., de Oliveira, L.R.B.: A survey on global management view: toward combining system monitoring, resource management, and load prediction. J Grid Computing. 17, 473–502 (2019)
Acknowledgements
This was done in Internet Commerce Security Lab (ICSL), Federation University. Westpac bank, IBM and ACSC are partner in ICSL.
Author information
Authors and Affiliations
Corresponding author
Additional information
Publisher’s Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
About this article
Cite this article
Ur-Rehman, A., Gondal, I., Kamruzzaman, J. et al. Vulnerability Modelling for Hybrid Industrial Control System Networks. J Grid Computing 18, 863–878 (2020). https://doi.org/10.1007/s10723-020-09528-w
Received:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s10723-020-09528-w