Skip to main content

Vulnerability Modelling for Hybrid Industrial Control System Networks


With the emergence of internet-based devices, the traditional industrial control system (ICS) networks have evolved to co-exist with the conventional IT and internet enabled IoT networks, hence facing various security challenges. The IT industry around the world has widely adopted the common vulnerability scoring system (CVSS) as an industry standard to numerically evaluate the vulnerabilities in software systems. This mathematical score of vulnerabilities is combined with environmental knowledge to determine the vulnerable nodes and attack paths. IoT and ICS systems have unique dynamics and specific functionality as compared to traditional computer networks, and therefore, the legacy cyber security models would not fit these advanced networks. In this paper, we studied the CVSS v3.1 framework’s application to ICS embedded networks and an improved vulnerability framework, named CVSSIoT-ICS, is proposed. CVSSIoT-ICS and CVSS v3.1 are applied to a realistic supply chain hybrid network which consists of IT, IoT, and ICS nodes. This hybrid network is assigned with actual vulnerabilities listed in the national vulnerability database (NVD). The comparison results confirm the effectiveness of CVSSIoT-ICS framework as it is equally applicable to all nodes of a hybrid network and evaluates the vulnerabilities based on the distinct features of each node type.

This is a preview of subscription content, access via your institution.


  1. 1.

    H. Wilsdorf and J. Landels, "Engineering in the Ancient World.", Man, vol. 13, no. 4, p. 681, 1978. Available:

  2. 2.

    D. Bhamare, M. Zolanvari, A. Erbad, R. Jain, K. Khan and N. Meskin, "Cybersecurity for industrial control systems: a survey", computers & security, vol. 89, pp. 101677, 2020. Available:, 2020

  3. 3.

    M. Davis, "Comprehensive Modeling of Industrial Control Systems for Cyber-Security Applications." Order No. 10642514, State University of New York at Binghamton, Ann Arbor, 2017

  4. 4.

    U. Ani, H. He and A. Tiwari, "Review of cybersecurity issues in industrial critical infrastructure: manufacturing in perspective", J. Cyber Security Technol., vol. 1, no. 1, pp. 32–74, 2016. Available:

  5. 5.

    O. A Sergey, G. Gleb, G.O Kochetova," Iindustrial Controll System Vulranabilities Statictics", 2016

  6. 6.

    V. Murthy, "Analysis: Assessing Correlation between CVSS Scores in Vulnerability Disclosures and Patching", Biomed. Instrument. Technol., vol. 54, no. 1, pp. 44–46, 2020. Available:

  7. 7.

    "NVD - CVSS v3.1 Official Support",, 2020. [Online]. Available: [Accessed: 03- Jan- 2020]

  8. 8.

    Symantec Internet Security Threat Report “ISTR Healthcare, vol. 22, April 2017

  9. 9.

    Stouffer, K., Falco, J., Scarfone, K.: Guide to industrial control systems (ICS) security. NIST Special Public. 800(82), 16–16 (2011)

    Google Scholar 

  10. 10.

    Y. Hu, A. Yang, H. Li, Y. Sun and L. Sun, "A survey of intrusion detection on industrial control systems", Int. J. Distrib. Sens. N., vol. 14, no. 8, p. 155014771879461, 2018. Available: [Accessed 8 April 2020]

  11. 11.

    K. Knorr, “Patching our critical infrastructure,” Securing Critical Infrastructures and Critical Control Systems, pp. 190–216, 2013

  12. 12.

    M. StJohn-Green, R. Piggin, J.A. McDermid, R. Oates, “Combined Security and Safety Risk Assessment - What Needs to be Done For ICS and The IOT”. 10th IET System Safety and Cyber-Security Conference 2015

  13. 13.

    A. Ur-Rehman, I. Gondal, J. Kamruzzuman, and A. Jolfaei, “Vulnerability Modelling for Hybrid IT Systems,” IEEE International Conference on Industrial Technology (ICIT), 2019

  14. 14.

    Qin, Y.: Computer network attack modeling and network attack graph study. Adv. Mater. Res. 1079-1080, 816–819 (2014)

    Article  Google Scholar 

  15. 15.

    “Search and statistics,” NVD. [Online]. Available: [Accessed: 02-Jan-2020]

  16. 16.

    D. Wei, Y. Lu, M. Jafari, P. Skare, and K. Rohde, “An integrated security system of protecting Smart Grid against cyber attacks,” Innovative Smart Grid Technologies (ISGT), 2010

  17. 17.

    Knowles, W., Prince, D., Hutchison, D., Ferdinand, J., Disso, P., Jonesb, K.: A survey of cyber security management in industrial control systems. Int. J. Crit. Infrastruct. Prot. 9, 52–80 (2015)

    Article  Google Scholar 

  18. 18.

    S. Kim, W. Jo, and T. Shon, “A Novel Vulnerability Analysis Approach to Generate Fuzzing Test Case in Industrial Control Systems,” IEEE Information Technology, Networking, Electronic and Automation Control Conference, 2016

  19. 19.

    K. Kobara, “Cyber Physical Security for Industrial Control Systems and IoT,” IEICE Transactions on Information and Systems, vol. E99.D, no. 4, pp. 787–795, 2016

  20. 20.

    Busby, J.S., Green, B., Hutchison, D.: Analysis of affordance, time, and adaptation in the assessment of industrial control system Cybersecurity risk. Risk Anal. 37(7), 1298–1314 (2017)

    Article  Google Scholar 

  21. 21.

    Yılmaz, E.N., Gönen, S.: Attack detection/prevention system against cyber attack in industrial control systems. Comput. Secur. 77, 94–105 (2018)

    Article  Google Scholar 

  22. 22.

    A. Laszka, A. Dubey,M. Walker, D. Schmidt, "Providing Privacy, Safety, and Security in IoT-Based Transactive Energy Systems Using Distributed Ledgers" 2017.

  23. 23.

    Zimba, A., Wang, Z., Chen, H.: Multi-stage crypto ransomware attacks: a new emerging cyber threat to critical infrastructure and industrial control systems. ICT Express. 4(1), 14–18 (2018)

    Article  Google Scholar 

  24. 24.

    Ge, Y., Zhang, X., Han, B.: Complex IoT control system modeling from perspectives of environment perception and information security. Mobile N. Appl. 22(4), 683–691 (2017)

    Article  Google Scholar 

  25. 25.

    Farris, I., Taleb, T., Khettab, Y., Song, J.: A survey on emerging SDN and NFV security mechanisms for IoT systems. IEEE Commun. Surv. Tutor. 21(1), 812–837 (2019)

    Article  Google Scholar 

  26. 26.

    Johnson, P., Lagerstrom, R., Ekstedt, M., Franke, U.: Can the common vulnerability scoring system be trusted? A Bayesian analysis. IEEE Trans. Depend. Sec. Comput. 15(6), 1002–1015 (2018)

    Article  Google Scholar 

  27. 27.

    Houmb, S.H., Franqueira, V., Engum, E.A.: Quantifying security risk level from CVSS estimates of frequency and impact. J. Syst. Softw. 83(9), 1622–1634 (September 2010)

    Article  Google Scholar 

  28. 28.

    Singh, U.K., Joshi, C.: Quantitative security risk evaluation using CVSS metrics by estimation of frequency and maturity of exploit. World Congr. Eng. Comput. Sci. 1, 170–175 (2016)

    Google Scholar 

  29. 29.

    J.M. Spring, E. Hatleback, A. Householder, A. Manion, D. Shi, "Towards Improving CVSS" Software Engineering Indtitute CARNEGIE MELLON UNIVERSITY, 2018

  30. 30.

    Yigit, B., Gurb, G., Alagoz, F., Tellenbach, B.: Cost-aware securing of IoT systems using attack graphs. Ad Hoc Networks. 86, 23–35 (2019)

    Article  Google Scholar 

  31. 31.

    S. McLaughlin, C. Konstantinou, X. Wang, L. Davi, A.R. Sadeghi, M. Maniatakos, R. Karri, "The Cybersecurity landscape in industrial control systems," in Proceedings of the IEEE, vol. 104, no. 5, pp. 1039–1057, May 2016

  32. 32.

    M. R. Asghar, Q. Hu, S. Zeadally,"Cybersecurity in industrial control systems: Issues, technologies, and challenges" Computer Networks vol. 165, 24 December 2019, 106946

  33. 33.

    J. Slowik "Evolution of ICS Attacks and the Prospects for Future Disruptive Events" Threat Intelligence Centre Dragos Inc., 2019

  34. 34.

    J. Falco, A. Wavering,F. Proctor, "IT security for industrial control systems. US Department of Commerce", National Institute of Standards and Technology; 2002 Feb 28

  35. 35.

    G. Sabaliauskaite and A. P. Mathur, “Aligning cyber-physical system safety and security,” Complex Systems Design & Management Asia, pp. 41–53, 2015

  36. 36.

    X. Zhou, Z. Xu, L. Wang, K. Chen, C. Chen, and W. Zhang, “Kill Chain for Industrial Control System,” MATEC Web of Conferences, vol. 173, p. 01013, 2018.3

  37. 37.

    M. Frigault, L. Wang, S. Jajodia, and A. Singhal, “Measuring the overall network security by combining CVSS scores based on attack graphs and Bayesian networks,” Network Security Metrics, pp. 1–23, 2017

  38. 38.

    “Vulnerability Details : CVE-2019-14402,” CVE. [Online]. Available: [Accessed: 10-Jan-2020]

  39. 39.

    H. Esquivel-Vargas,M. Caselli, E. Tews, D. Bucur and A. Peter, Ranking building automation and control system components by business continuity impact. In international conference on computer safety, reliability, and security, 2019 (pp. 183-199). Springer

  40. 40.

    G. Bianconi and A.-L. Barabasi, “Competition and multiscaling m evolving networks,” The Structure and Dynamics of Networks, pp. 54–436, 2011

  41. 41.

    Bernabe, J.B., Perez, G.M., Skarmeta Gomez, A.F.: Intercloud trust and security decision support system: an ontology-based approach. J. Grid Computing. 13, 425–456 (2015)

    Article  Google Scholar 

  42. 42.

    Song, S., Hwang, K., Kwok, Y.: Trusted grid computing with security binding and trust integration. J Grid Computing. 3, 53–73 (2005)

    Article  Google Scholar 

  43. 43.

    Aziz, B.: Modelling fine-grained access control policies in grids. J Grid Computing. 14, 477–493 (2016)

    Article  Google Scholar 

  44. 44.

    da Rosa Righi, R., Lehmann, M., Gomes, M.M., Nobre, J.C., da Costa, C.A., Rigo, S.J., Lena, M., Mohr, R.F., de Oliveira, L.R.B.: A survey on global management view: toward combining system monitoring, resource management, and load prediction. J Grid Computing. 17, 473–502 (2019)

    Article  Google Scholar 

Download references


This was done in Internet Commerce Security Lab (ICSL), Federation University. Westpac bank, IBM and ACSC are partner in ICSL.

Author information



Corresponding author

Correspondence to Alireza Jolfaei.

Additional information

Publisher’s Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Ur-Rehman, A., Gondal, I., Kamruzzaman, J. et al. Vulnerability Modelling for Hybrid Industrial Control System Networks. J Grid Computing 18, 863–878 (2020).

Download citation


  • Industrial control system
  • Internet of things (IoT)
  • Supply chain
  • Security
  • Vulnerability modelling