Skip to main content

Quantitative Information Security Vulnerability Assessment for Norwegian Critical Infrastructure

Part of the Lecture Notes in Computer Science book series (LNSC,volume 12332)

Abstract

A single information security vulnerability exploitation within Norwegian critical infrastructure can have a significant impact on Norwegian society, even causing cascading effects on other countries. Therefore, it is essential to conduct a quantitative vulnerability assessment to secure the weakest link. However, quantifying vulnerabilities to the entire Norwegian critical infrastructure has not been properly conducted in the literature. Defining the sectors responsible for or involved in providing vital functions in Norwegian society as the scope, we propose a methodology of six processes to conduct a quantitative vulnerability assessment by integrating the information from three sources: (1) the regional Internet registry, (2) the banner crawlers, and (3) the vulnerability database. We present and visualize the results of the vulnerability assessment from four different aspects: (1) vulnerability, (2) window of exposure, (3) impact, and (4) exploitability. Based on the results, we can easily identify power supply and transport as the weakest link. Compared to the entire country, the vital societal functions are better secured. Such assessment should be conducted continuously and automatically by specified public authorities to identify, classify, quantify, and prioritize the time-varying vulnerabilities.

Keywords

  • Critical infrastructure
  • Quantitative information security vulnerability assessment
  • Norway

This is a preview of subscription content, access via your institution.

Buying options

Chapter
USD   29.95
Price excludes VAT (USA)
  • DOI: 10.1007/978-3-030-58295-1_3
  • Chapter length: 13 pages
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
eBook
USD   59.99
Price excludes VAT (USA)
  • ISBN: 978-3-030-58295-1
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
Softcover Book
USD   74.99
Price excludes VAT (USA)
Fig. 1.
Fig. 2.
Fig. 3.
Fig. 4.

References

  1. Council of the European Union: Council Directive 2008/114/EC, December 2008. http://data.europa.eu/eli/dir/2008/114/oj/eng

  2. Departementenes Servicesenter, Informasjonsforvaltning: NOU 2006: 6, April 2006. https://www.regjeringen.no/no/dokumenter/nou-2006-6/id157408/

  3. Ezell, B.C.: Infrastructure vulnerability assessment model (I-VAM). Risk Anal. Int. J. 27(3), 571–583 (2007)

    CrossRef  Google Scholar 

  4. Genge, B., Enăchescu, C.: ShoVAT: Shodan-based vulnerability assessment tool for internet-facing services. Secur. Commun. Netw. 9(15), 2696–2714 (2016). https://doi.org/10.1002/sec.1262

    CrossRef  Google Scholar 

  5. Holmgren, J.: A framework for vulnerability assessment of electric power systems. In: Murray, A.T., Grubesic, T.H. (eds.) Critical Infrastructure, pp. 31–55. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-68056-7_3

    CrossRef  Google Scholar 

  6. Matherly, J.: Complete guide to Shodan (2015)

    Google Scholar 

  7. Mell, P., Scarfone, K., Romanosky, S.: A Complete Guide to the Common Vulnerability Scoring System Version 2.0 (2007). https://www.first.org/cvss/v2/cvss-v2-guide.pdf

  8. Ministry of Health and Care Services, Search Results: De regionale helseforetakene, November 2014. https://www.regjeringen.no/no/tema/helse-og-omsorg/sykehus/innsikt/nokkeltall-og-fakta---ny/de-regionale-helseforetakene/id528110/

  9. MITRE Corporation: CVE List, March 2020. https://cve.mitre.org/data/downloads/index.html

  10. National Institute of Standards and Technology (NIST): Glossary - vulnerability (2020). https://csrc.nist.gov/glossary/term/vulnerability

  11. National Institute of Standards and Technology (NIST): National Vulnerability Database (NVD) - Statistics Results (2020). https://nvd.nist.gov/vuln/search/statistics?adv_search=false&form_type=basic&results_type=statistics&search_type=all

  12. Nettbureau AS: Alle norske strømleverandører (2020). https://xn--strm-ira.no

  13. Norid AS: The registry for Norwegian domain names (2020). https://www.norid.no/en/domeneoppslag/hvem-har-domenenavnet/

  14. Norwegian directorate for civil protection (DSB): vital functions in society. Technical report (2017). https://www.dsb.no/globalassets/dokumenter/rapporter/kiks-2_januar.pdf

  15. OECD: Good Governance for Critical Infrastructure Resilience (2019). https://doi.org/10.1787/02f0e5a0-en

  16. RIPE NCC: RIPE Database Text Search (2020). https://apps.db.ripe.net/db-web-ui/fulltextsearch

  17. Shodan: Facet Analysis (2020). https://beta.shodan.io/search/facet?query=net%3A0%2F0&facet=vuln.verified

  18. Shodan: Honeypot Or Not? (2020). https://honeyscore.shodan.io/

Download references

Acknowledgments

This research is conducted as a part of the CybWin project funded by the Research Council of Norway.

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Yi-Ching Liao .

Editor information

Editors and Affiliations

Rights and permissions

Reprints and Permissions

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Verify currency and authenticity via CrossMark

Cite this paper

Liao, YC. (2020). Quantitative Information Security Vulnerability Assessment for Norwegian Critical Infrastructure. In: Rashid, A., Popov, P. (eds) Critical Information Infrastructures Security. CRITIS 2020. Lecture Notes in Computer Science(), vol 12332. Springer, Cham. https://doi.org/10.1007/978-3-030-58295-1_3

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-58295-1_3

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-58294-4

  • Online ISBN: 978-3-030-58295-1

  • eBook Packages: Computer ScienceComputer Science (R0)