Abstract
Compared to many other areas of cyber security, vulnerabilities in industrial control systems (ICS) can be poorly understood. These systems form part of critical national infrastructure, where asset owners may not understand the security landscape and have potentially incorrect security assumptions for these closed source, operational technology (OT) systems. ICS vulnerability reports give useful information about single vulnerabilities, but there is a lack of guidance telling ICS owners what to look for next, or how to find these. In this paper, we analyse 9 years of ICS Advisory vulnerability announcements and we recategorise the vulnerabilities based on the detection methods and tools that could be used to find these weaknesses. We find that 8 categories are enough to cover 95% of the vulnerabilities in the dataset. This provides a guide for ICS owners to the most likely new vulnerabilities they may find in their systems and the best ways to detect them. We validate our proposed vulnerability categories by analysing a further 6 months of ICS Advisory reports, which shows that our categories continue to dominate the reported weaknesses. We further validate our proposed detection methods by applying them to a range of ICS equipment and finding four new critical security vulnerabilities.
Notes
1.
2. An example is available at https://us-cert.cisa.gov/ics/advisories/ICSA-17-157-01.
3. Available at https://github.com/uob-ritics/esorics2020-dataset.
4. Exists only in CVSS v3.
5. Of all CVEs categorised, 94% with high availability and integrity impacts were categorised.
6. A full Figure including these individual flows is given in our longer version of this paper.
7.
Acknowledgements
Funding for this paper was provided by the National Cyber Security Centre UK (NCSC UK), Research Institute in Trustworthy Inter-Connected Cyber-Physical Systems (RITICS) and the UK Rail Research and Innovation Network (UKRRIN). We thank the Bristol Cyber Security Group for providing access to an additional device for testing.
© 2020 Springer Nature Switzerland AG
Thomas, R.J., Chothia, T. (2020). Learning from Vulnerabilities - Categorising, Understanding and Detecting Weaknesses in Industrial Control Systems. In: Katsikas, S., et al. (eds.) Computer Security. CyberICPS 2020, SECPRE 2020, ADIoT 2020. Lecture Notes in Computer Science, vol. 12501. Springer, Cham. https://doi.org/10.1007/978-3-030-64330-0_7
DOI: https://doi.org/10.1007/978-3-030-64330-0_7
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-64329-4
Online ISBN: 978-3-030-64330-0
eBook Packages: Computer Science, Computer Science (R0)