Abstract
Industrial Control Systems (ICS) are central to the operation of critical national infrastructure (CNI) such as oil and gas, water treatment, power generation and transport systems. Effective risk management to mitigate large-scale disruption to societies and economies depends on both timely information about vulnerabilities and the consistency of this information. The longer vulnerabilities remain 'in the wild', and the less consistent vulnerability reporting is, the greater the impact on CNI operators' ability to systematically understand and mitigate the risks. In this paper, we focus on vulnerabilities identified and reported in Siemens ICS devices, which hold the largest share of the market. We undertake an in-depth analysis of 207 CVEs, identifying the time over which vulnerabilities were 'in the wild' before being discovered and advisories issued, and examine issues with the correctness of CVE information. We find that, on average, a vulnerability is 'in the wild' for 5.3 years, and that many CVEs do not correctly reflect and state the affected devices as Common Platform Enumerations (CPEs). Based on our findings, we propose a set of guidelines to improve the reporting and consistency of ICS CVE information.
Original language | English |
---|---|
Title of host publication | CPSIOTSEC'20 |
Subtitle of host publication | Proceedings of the 2020 Joint Workshop on CPS&IoT Security and Privacy |
Publisher | Association for Computing Machinery (ACM) |
Pages | 49-60 |
Number of pages | 12 |
ISBN (Print) | 9781450380874 |
Publication status | Published - 9 Nov 2020 |
Event | CPSIOTSec: The Joint Workshop on CPS & IoT Security and Privacy - Duration: 9 Nov 2020 → 9 Nov 2020 |
Conference
Conference | CPSIOTSec: The Joint Workshop on CPS & IoT Security and Privacy |
---|---|
Period | 9/11/20 → 9/11/20 |
Keywords
- cps
- cyber security
- ics security
- industrial control systems
- operational technology, ot
- scada
- vulnerabilities
ASJC Scopus subject areas
- Computer Networks and Communications
Fingerprint
Dive into the research topics of 'Catch me if you can: an in-depth study of CVE discovery time and inconsistencies for managing risks in critical infrastructures'. Together they form a unique fingerprint.
Projects
- 1 Finished
- Effective Solutions for the NIS Directive - Supply Chain Requirements for Third Party Devices
  Chothia, T. (Principal Investigator), Thomas, R. (Co-Investigator) & Easton, J. (Co-Investigator)
  1/01/19 → 30/09/21
  Project: Other Government Departments
Datasets
- RITICS Catch Me If You Can Dataset
  Thomas, R. (Creator), Gardiner, J. (Creator), Chothia, T. (Creator), Rashid, A. (Creator), Samanis, E. (Creator) & Perrett, J. (Creator), University of Birmingham, 8 Oct 2020
  DOI: 10.25500/edata.bham.00000548
  Dataset