
Vulnerability Detection and Response: Current Status and New Approaches

CyberSecurity in a DevOps Environment

Abstract

The rapid evolution of industrial components, the paradigm of Industry 4.0, and the new connectivity features introduced by 5G technology all increase the likelihood of cybersecurity incidents. These incidents have to be managed to limit or mitigate their impact, and in most cases they are a consequence of existing vulnerabilities. This scenario raises the need for a tool that enables a faster (tracking the vulnerability state over time) and more precise (detecting the root cause) response. The defined Extended Dependency Graph (EDG) model can meet this need, since it is able to analyze known vulnerabilities for a given device over time. The EDG model can be applied throughout the entire lifespan of a device to track vulnerabilities and to identify new requirements, root causes, and test cases. It also helps prioritize patching activities. This chapter defines the key terms used in vulnerability analysis and reviews the current state of the art of vulnerability analysis in both the scientific literature and standards. The EDG model is then described in more depth together with its fundamental elements: (1) the directed graph representation of the internal structure of the device, (2) the set of quantitative metrics based on the Common Vulnerability Scoring System (CVSS), and (3) the algorithm to build the EDG for a given device.

Supported by Ikerlan Technology Research Center, Basque Research and Technology Alliance (BRTA).


Notes

  1. Version 8.0.6001 of Internet Explorer for its beta update can be represented using version 2.3 of the CPE as cpe:2.3:a:microsoft:internet_explorer:8.0.6001:beta:*:*:*:*:*:*

  2. https://cve.mitre.org/



Correspondence to Ángel Longueira-Romero.


Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this chapter


Cite this chapter

Longueira-Romero, Á., Iglesias, R., Flores, J.L., Garitano, I. (2024). Vulnerability Detection and Response: Current Status and New Approaches. In: Sadovykh, A., Truscan, D., Mallouli, W., Cavalli, A.R., Seceleanu, C., Bagnato, A. (eds) CyberSecurity in a DevOps Environment. Springer, Cham. https://doi.org/10.1007/978-3-031-42212-6_4


  • DOI: https://doi.org/10.1007/978-3-031-42212-6_4

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-42211-9

  • Online ISBN: 978-3-031-42212-6

  • eBook Packages: Computer Science (R0)
