Abstract
Industrial Control Systems (ICS) are characterized by large numbers of tightly integrated, interdependent, and heterogeneous components in a network. They act as a base system for safety- and mission-critical Industrial Internet of Things (IIoT) applications such as smart grids, nuclear power plants, process control systems and robotics systems. A complex ICS, e.g., a Supervisory Control and Data Acquisition (SCADA) system, consists of many interdependent subsystems. Modern SCADA systems are an amalgam of IIoT and legacy systems. IIoT is essentially a realization of advances in the connectivity of hardware and data networks that SCADA provides. Therefore, modern SCADA has evolved as a use case of IIoT, wherein IIoT improves industrial productivity by analyzing the data generated by SCADA systems. The modernization of SCADA systems, the standardization of communication protocols and the almost ubiquitous interconnectivity brought by IIoT have drastically increased the attack surface of SCADA systems. Systematic Vulnerability Management (VM) of these attack surfaces minimizes the risks and impacts associated with vulnerability exploitation. In this chapter, we first examine the relationship between IIoT and SCADA systems, followed by the security challenges faced by IIoT-based systems. We then highlight the role of VM in securing critical systems, followed by a study of state-of-the-art approaches to VM. After that, we discuss future research directions for developing techniques for efficient VM. The chapter underscores the design challenges and research opportunities in efficiently managing the increasing number of vulnerabilities.
Notes
1. A security patch is applied to the system to fix the vulnerability and prevent successful exploitation.
2. Event logs record events from operating systems, applications or devices; the operating system stores them in a single cluster. Events logged by the operating system itself are also called system logs.
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this chapter
Cite this chapter
Yadav, G., Paul, K., Gauravaram, P. (2022). Vulnerability Management in IIoT-Based Systems: What, Why and How. In: Pal, S., Jadidi, Z., Foo, E. (eds) Secure and Trusted Cyber Physical Systems. Smart Sensors, Measurement and Instrumentation, vol 43. Springer, Cham. https://doi.org/10.1007/978-3-031-08270-2_3
DOI: https://doi.org/10.1007/978-3-031-08270-2_3
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-08269-6
Online ISBN: 978-3-031-08270-2
eBook Packages: Computer Science (R0)