Skip to main content

Quantitative Information Security Vulnerability Assessment for Norwegian Critical Infrastructure

  • Conference paper
  • First Online:
Critical Information Infrastructures Security (CRITIS 2020)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 12332))


A single information security vulnerability exploitation within Norwegian critical infrastructure can have a significant impact on Norwegian society, even causing cascading effects on other countries. Therefore, it is essential to conduct a quantitative vulnerability assessment to secure the weakest link. However, quantifying vulnerabilities to the entire Norwegian critical infrastructure has not been properly conducted in the literature. Defining the sectors responsible for or involved in providing vital functions in Norwegian society as the scope, we propose a methodology of six processes to conduct a quantitative vulnerability assessment by integrating the information from three sources: (1) the regional Internet registry, (2) the banner crawlers, and (3) the vulnerability database. We present and visualize the results of the vulnerability assessment from four different aspects: (1) vulnerability, (2) window of exposure, (3) impact, and (4) exploitability. Based on the results, we can easily identify power supply and transport as the weakest link. Compared to the entire country, the vital societal functions are better secured. Such assessment should be conducted continuously and automatically by specified public authorities to identify, classify, quantify, and prioritize the time-varying vulnerabilities.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
USD 49.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 64.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others


  1. Council of the European Union: Council Directive 2008/114/EC, December 2008.

  2. Departementenes Servicesenter, Informasjonsforvaltning: NOU 2006: 6, April 2006.

  3. Ezell, B.C.: Infrastructure vulnerability assessment model (I-VAM). Risk Anal. Int. J. 27(3), 571–583 (2007)

    Article  Google Scholar 

  4. Genge, B., Enăchescu, C.: ShoVAT: Shodan-based vulnerability assessment tool for internet-facing services. Secur. Commun. Netw. 9(15), 2696–2714 (2016).

    Article  Google Scholar 

  5. Holmgren, J.: A framework for vulnerability assessment of electric power systems. In: Murray, A.T., Grubesic, T.H. (eds.) Critical Infrastructure, pp. 31–55. Springer, Heidelberg (2007).

    Chapter  Google Scholar 

  6. Matherly, J.: Complete guide to Shodan (2015)

    Google Scholar 

  7. Mell, P., Scarfone, K., Romanosky, S.: A Complete Guide to the Common Vulnerability Scoring System Version 2.0 (2007).

  8. Ministry of Health and Care Services, Search Results: De regionale helseforetakene, November 2014.

  9. MITRE Corporation: CVE List, March 2020.

  10. National Institute of Standards and Technology (NIST): Glossary - vulnerability (2020).

  11. National Institute of Standards and Technology (NIST): National Vulnerability Database (NVD) - Statistics Results (2020).

  12. Nettbureau AS: Alle norske strømleverandører (2020).

  13. Norid AS: The registry for Norwegian domain names (2020).

  14. Norwegian directorate for civil protection (DSB): vital functions in society. Technical report (2017).

  15. OECD: Good Governance for Critical Infrastructure Resilience (2019).

  16. RIPE NCC: RIPE Database Text Search (2020).

  17. Shodan: Facet Analysis (2020).

  18. Shodan: Honeypot Or Not? (2020).

Download references


This research is conducted as a part of the CybWin project funded by the Research Council of Norway.

Author information

Authors and Affiliations


Corresponding author

Correspondence to Yi-Ching Liao .

Editor information

Editors and Affiliations

Rights and permissions

Reprints and permissions

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Liao, YC. (2020). Quantitative Information Security Vulnerability Assessment for Norwegian Critical Infrastructure. In: Rashid, A., Popov, P. (eds) Critical Information Infrastructures Security. CRITIS 2020. Lecture Notes in Computer Science(), vol 12332. Springer, Cham.

Download citation

  • DOI:

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-58294-4

  • Online ISBN: 978-3-030-58295-1

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics