
Vulnerability Management in IIoT-Based Systems: What, Why and How

Secure and Trusted Cyber Physical Systems

Part of the book series: Smart Sensors, Measurement and Instrumentation ((SSMI,volume 43))


Abstract

Industrial Control Systems (ICS) are characterized by large numbers of tightly integrated, interdependent and heterogeneous networked components. They act as the base system for safety- and mission-critical Industrial Internet of Things (IIoT) applications such as smart grids, nuclear power plants, process control systems and robotic systems. A complex ICS such as a Supervisory Control and Data Acquisition (SCADA) system consists of many interdependent subsystems. Modern SCADA systems are an amalgam of IIoT and legacy components. IIoT is essentially a realization of advances in the connectivity of the hardware and data networks that SCADA provides; modern SCADA has therefore evolved into a use case of IIoT, in which IIoT improves industrial productivity by analyzing the data generated by SCADA systems. The modernization of SCADA, the standardization of communication protocols and the almost ubiquitous interconnectivity brought by IIoT have drastically increased the attack surface of SCADA systems. Systematic Vulnerability Management (VM) of this attack surface minimizes the risk and impact of vulnerability exploitation. In this chapter, we first establish the relationship between IIoT and SCADA systems, then describe the security challenges faced by IIoT-based systems. We then highlight the role of VM in securing critical systems and survey the state-of-the-art approaches to VM. Finally, we discuss future research directions for developing efficient VM techniques. The chapter underscores the design challenges and research opportunities in managing an increasing number of vulnerabilities efficiently.


Notes

  1. A security patch is applied to a system to fix a vulnerability and so prevent its successful exploitation.

  2. Event logs are records of events generated by operating systems, applications or devices, which the operating system collects into a single store. Events logged by the operating system itself are also called system logs.


Author information

Correspondence to Geeta Yadav.


Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this chapter


Cite this chapter

Yadav, G., Paul, K., Gauravaram, P. (2022). Vulnerability Management in IIoT-Based Systems: What, Why and How. In: Pal, S., Jadidi, Z., Foo, E. (eds) Secure and Trusted Cyber Physical Systems. Smart Sensors, Measurement and Instrumentation, vol 43. Springer, Cham. https://doi.org/10.1007/978-3-031-08270-2_3


  • DOI: https://doi.org/10.1007/978-3-031-08270-2_3


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-08269-6

  • Online ISBN: 978-3-031-08270-2
