Learning from Vulnerabilities - Categorising, Understanding and Detecting Weaknesses in Industrial Control Systems

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Standard

Learning from Vulnerabilities - Categorising, Understanding and Detecting Weaknesses in Industrial Control Systems. / Thomas, Richard J.; Chothia, Tom.

Computer Security - ESORICS 2020 International Workshops, CyberICPS, SECPRE, and ADIoT, 2020, Revised Selected Papers. ed. / Sokratis Katsikas; Frédéric Cuppens; Nora Cuppens; Costas Lambrinoudakis; Christos Kalloniatis; John Mylopoulos; Annie Antón; Stefanos Gritzalis; Weizhi Meng; Steven Furnell. Springer, 2020. p. 100-116 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 12501 LNCS).

Harvard

Thomas, RJ & Chothia, T 2020, Learning from Vulnerabilities - Categorising, Understanding and Detecting Weaknesses in Industrial Control Systems. in S Katsikas, F Cuppens, N Cuppens, C Lambrinoudakis, C Kalloniatis, J Mylopoulos, A Antón, S Gritzalis, W Meng & S Furnell (eds), Computer Security - ESORICS 2020 International Workshops, CyberICPS, SECPRE, and ADIoT, 2020, Revised Selected Papers. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 12501 LNCS, Springer, pp. 100-116, 6th International Workshop on Security of Industrial Control Systems and Cyber-Physical Systems, CyberICPS 2020, 2nd International Workshop on Security and Privacy Requirements Engineering, SECPRE 2020, and 3rd International Workshop on Attacks and Defenses for Internet-of-Things, ADIoT 2020, held in conjunction with 25th European Symposium on Research in Computer Security, ESORICS 2020, Guildford, United Kingdom, 14/09/20. https://doi.org/10.1007/978-3-030-64330-0_7

APA

Thomas, R. J., & Chothia, T. (2020). Learning from Vulnerabilities - Categorising, Understanding and Detecting Weaknesses in Industrial Control Systems. In S. Katsikas, F. Cuppens, N. Cuppens, C. Lambrinoudakis, C. Kalloniatis, J. Mylopoulos, A. Antón, S. Gritzalis, W. Meng, & S. Furnell (Eds.), Computer Security - ESORICS 2020 International Workshops, CyberICPS, SECPRE, and ADIoT, 2020, Revised Selected Papers (pp. 100-116). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 12501 LNCS). Springer. https://doi.org/10.1007/978-3-030-64330-0_7

Vancouver

Thomas RJ, Chothia T. Learning from Vulnerabilities - Categorising, Understanding and Detecting Weaknesses in Industrial Control Systems. In Katsikas S, Cuppens F, Cuppens N, Lambrinoudakis C, Kalloniatis C, Mylopoulos J, Antón A, Gritzalis S, Meng W, Furnell S, editors, Computer Security - ESORICS 2020 International Workshops, CyberICPS, SECPRE, and ADIoT, 2020, Revised Selected Papers. Springer. 2020. p. 100-116. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). https://doi.org/10.1007/978-3-030-64330-0_7

Author

Thomas, Richard J. ; Chothia, Tom. / Learning from Vulnerabilities - Categorising, Understanding and Detecting Weaknesses in Industrial Control Systems. Computer Security - ESORICS 2020 International Workshops, CyberICPS, SECPRE, and ADIoT, 2020, Revised Selected Papers. editor / Sokratis Katsikas ; Frédéric Cuppens ; Nora Cuppens ; Costas Lambrinoudakis ; Christos Kalloniatis ; John Mylopoulos ; Annie Antón ; Stefanos Gritzalis ; Weizhi Meng ; Steven Furnell. Springer, 2020. pp. 100-116 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

Bibtex

@inproceedings{d8fdfeb324b4425cb20404cba092c52e,
title = "Learning from Vulnerabilities - Categorising, Understanding and Detecting Weaknesses in Industrial Control Systems",
abstract = "Compared to many other areas of cyber security, vulnerabilities in industrial control systems (ICS) can be poorly understood. These systems form part of critical national infrastructure, where asset owners may not understand the security landscape and have potentially incorrect security assumptions for these closed source, operational technology (OT) systems. ICS vulnerability reports give useful information about single vulnerabilities, but there is a lack of guidance telling ICS owners what to look for next, or how to find these. In this paper, we analyse 9 years of ICS Advisory vulnerability announcements and we recategorise the vulnerabilities based on the detection methods and tools that could be used to find these weaknesses. We find that 8 categories are enough to cover 95% of the vulnerabilities in the dataset. This provides a guide for ICS owners to the most likely new vulnerabilities they may find in their systems and the best ways to detect them. We validate our proposed vulnerability categories by analysing a further 6 months of ICS Advisory reports, which shows that our categories continue to dominate the reported weaknesses. We further validate our proposed detection methods by applying them to a range of ICS equipment and finding four new critical security vulnerabilities.",
author = "Thomas, {Richard J.} and Tom Chothia",
note = "Funding Information: Acknowledgements. Funding for this paper was provided by the National Cyber Security Centre UK (NCSC UK), Research Institute in Trustworthy Inter-Connected Cyber-Physical Systems (RITICS) and the UK Rail Research and Innovation Network (UKRRIN). We thank the Bristol Cyber Security Group for providing access to an additional device for testing. Publisher Copyright: {\textcopyright} 2020, Springer Nature Switzerland AG. Copyright: Copyright 2020 Elsevier B.V., All rights reserved.; 6th International Workshop on Security of Industrial Control Systems and Cyber-Physical Systems, CyberICPS 2020, 2nd International Workshop on Security and Privacy Requirements Engineering, SECPRE 2020, and 3rd International Workshop on Attacks and Defenses for Internet-of-Things, ADIoT 2020, held in conjunction with 25th European Symposium on Research in Computer Security, ESORICS 2020 ; Conference date: 14-09-2020 Through 18-09-2020",
year = "2020",
month = dec,
day = "17",
doi = "10.1007/978-3-030-64330-0_7",
language = "English",
isbn = "9783030643294",
series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",
publisher = "Springer",
pages = "100--116",
editor = "Sokratis Katsikas and Fr{\'e}d{\'e}ric Cuppens and Nora Cuppens and Costas Lambrinoudakis and Christos Kalloniatis and John Mylopoulos and Annie Ant{\'o}n and Stefanos Gritzalis and Weizhi Meng and Steven Furnell",
booktitle = "Computer Security - ESORICS 2020 International Workshops, CyberICPS, SECPRE, and ADIoT, 2020, Revised Selected Papers",

}

RIS

TY - GEN

T1 - Learning from Vulnerabilities - Categorising, Understanding and Detecting Weaknesses in Industrial Control Systems

AU - Thomas, Richard J.

AU - Chothia, Tom

N1 - Funding Information: Acknowledgements. Funding for this paper was provided by the National Cyber Security Centre UK (NCSC UK), Research Institute in Trustworthy Inter-Connected Cyber-Physical Systems (RITICS) and the UK Rail Research and Innovation Network (UKRRIN). We thank the Bristol Cyber Security Group for providing access to an additional device for testing. Publisher Copyright: © 2020, Springer Nature Switzerland AG. Copyright: Copyright 2020 Elsevier B.V., All rights reserved.

PY - 2020/12/17

Y1 - 2020/12/17

N2 - Compared to many other areas of cyber security, vulnerabilities in industrial control systems (ICS) can be poorly understood. These systems form part of critical national infrastructure, where asset owners may not understand the security landscape and have potentially incorrect security assumptions for these closed source, operational technology (OT) systems. ICS vulnerability reports give useful information about single vulnerabilities, but there is a lack of guidance telling ICS owners what to look for next, or how to find these. In this paper, we analyse 9 years of ICS Advisory vulnerability announcements and we recategorise the vulnerabilities based on the detection methods and tools that could be used to find these weaknesses. We find that 8 categories are enough to cover 95% of the vulnerabilities in the dataset. This provides a guide for ICS owners to the most likely new vulnerabilities they may find in their systems and the best ways to detect them. We validate our proposed vulnerability categories by analysing a further 6 months of ICS Advisory reports, which shows that our categories continue to dominate the reported weaknesses. We further validate our proposed detection methods by applying them to a range of ICS equipment and finding four new critical security vulnerabilities.

AB - Compared to many other areas of cyber security, vulnerabilities in industrial control systems (ICS) can be poorly understood. These systems form part of critical national infrastructure, where asset owners may not understand the security landscape and have potentially incorrect security assumptions for these closed source, operational technology (OT) systems. ICS vulnerability reports give useful information about single vulnerabilities, but there is a lack of guidance telling ICS owners what to look for next, or how to find these. In this paper, we analyse 9 years of ICS Advisory vulnerability announcements and we recategorise the vulnerabilities based on the detection methods and tools that could be used to find these weaknesses. We find that 8 categories are enough to cover 95% of the vulnerabilities in the dataset. This provides a guide for ICS owners to the most likely new vulnerabilities they may find in their systems and the best ways to detect them. We validate our proposed vulnerability categories by analysing a further 6 months of ICS Advisory reports, which shows that our categories continue to dominate the reported weaknesses. We further validate our proposed detection methods by applying them to a range of ICS equipment and finding four new critical security vulnerabilities.

UR - http://www.scopus.com/inward/record.url?scp=85098274969&partnerID=8YFLogxK

U2 - 10.1007/978-3-030-64330-0_7

DO - 10.1007/978-3-030-64330-0_7

M3 - Conference contribution

AN - SCOPUS:85098274969

SN - 9783030643294

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 100

EP - 116

BT - Computer Security - ESORICS 2020 International Workshops, CyberICPS, SECPRE, and ADIoT, 2020, Revised Selected Papers

A2 - Katsikas, Sokratis

A2 - Cuppens, Frédéric

A2 - Cuppens, Nora

A2 - Lambrinoudakis, Costas

A2 - Kalloniatis, Christos

A2 - Mylopoulos, John

A2 - Antón, Annie

A2 - Gritzalis, Stefanos

A2 - Meng, Weizhi

A2 - Furnell, Steven

PB - Springer

T2 - 6th International Workshop on Security of Industrial Control Systems and Cyber-Physical Systems, CyberICPS 2020, 2nd International Workshop on Security and Privacy Requirements Engineering, SECPRE 2020, and 3rd International Workshop on Attacks and Defenses for Internet-of-Things, ADIoT 2020, held in conjunction with 25th European Symposium on Research in Computer Security, ESORICS 2020

Y2 - 14 September 2020 through 18 September 2020

ER -