A Novel Model for Vulnerability Analysis through Enhanced Directed Graphs and Quantitative Metrics

by   Ángel Longueira-Romero, et al.

Industrial components are of high importance because they control critical infrastructures that form the lifeline of modern societies. However, the rapid evolution of industrial components, together with the new paradigm of Industry 4.0, and the new connectivity features that will be introduced by the 5G technology, all increase the likelihood of security incidents. These incidents are caused by the vulnerabilities present in these devices. In addition, although international standards define tasks to assess vulnerabilities, they do not specify any particular method. Having a secure design is important, but is also complex, costly, and an extra factor to manage during the lifespan of the device. This paper presents a model to analyze the known vulnerabilities of industrial components over time. The proposed model is based on two main elements: a directed graph representation of the internal structure of the component, and a set of quantitative metrics that are based on international security standards; such as, the Common Vulnerability Scoring System (CVSS). This model is applied throughout the entire lifespan of a device to track vulnerabilities, identify new requirements, root causes, and test cases. The proposed model also helps to prioritize patching activities. To test its potential, the proposed model is applied to the OpenPLC project. The results show that most of the root causes of these vulnerabilities are related to memory buffer operations and are concentrated in the libssl library. Consequently, new requirements and test cases were generated from the obtained data.


page 1

page 2

page 3

page 4

page 6

page 8

page 11

page 14


FieldFuzz: Enabling vulnerability discovery in Industrial Control Systems supply chain using stateful system-level fuzzing

With the advent of the fourth industrial revolution, Programmable Logic ...

One Bad Apple Spoils the Barrel: Understanding the Security Risks Introduced by Third-Party Components in IoT Firmware

Currently, the development of IoT firmware heavily depends on third-part...

The Global State of Security in Industrial Control Systems: An Empirical Analysis of Vulnerabilities around the World

Operational Technology (OT)-networks and -devices, i.e. all components u...

InSpectre: Breaking and Fixing Microarchitectural Vulnerabilities by Formal Analysis

The recent Spectre attacks has demonstrated the fundamental insecurity o...

Digital Twin for Secure Semiconductor Lifecycle Management: Prospects and Applications

The expansive globalization of the semiconductor supply chain has introd...

Vulnerability Assessment of Industrial Control System with an Improved CVSS

Cyberattacks on industrial control systems (ICS) have been drawing atten...

Please sign up or login with your details

Forgot password? Click here to reset