Abstract
The rapid evolution of industrial components, the paradigm of Industry 4.0, and the new connectivity features introduced by 5G technology all increase the likelihood of cybersecurity incidents. These incidents have to be managed to limit or mitigate their impact, and in most cases they are a consequence of existing vulnerabilities. This scenario raises the need for a tool that enables a faster (tracking the vulnerability state over time) and more precise (detecting the root cause) response. The Extended Dependency Graph (EDG) model meets this need: it can analyze the known vulnerabilities of a given device over time. The EDG model can be applied throughout the entire lifespan of a device to track vulnerabilities and to identify new requirements, root causes, and test cases. It also helps prioritize patching activities. This chapter defines the key terms used in vulnerability analysis and reviews the current state of the art of vulnerability analysis in both the scientific literature and standards. The EDG model is then described in more depth together with its fundamental elements: (1) the directed graph representation of the internal structure of the device, (2) the set of quantitative metrics based on the Common Vulnerability Scoring System (CVSS), and (3) the algorithm to build the EDG for a given device.
Supported by Ikerlan Technology Research Center, Basque Research and Technology Alliance (BRTA).
Notes
- 1. Version 8.0.6001 of Internet Explorer for its beta update can be represented using version 2.3 of the CPE as cpe:2.3:a:microsoft:internet_explorer:8.0.6001:beta:*:*:*:*:*:*
- 2.
Copyright information
© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this chapter
Cite this chapter
Longueira-Romero, Á., Iglesias, R., Flores, J.L., Garitano, I. (2024). Vulnerability Detection and Response: Current Status and New Approaches. In: Sadovykh, A., Truscan, D., Mallouli, W., Cavalli, A.R., Seceleanu, C., Bagnato, A. (eds) CyberSecurity in a DevOps Environment. Springer, Cham. https://doi.org/10.1007/978-3-031-42212-6_4
DOI: https://doi.org/10.1007/978-3-031-42212-6_4
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-42211-9
Online ISBN: 978-3-031-42212-6
eBook Packages: Computer Science, Computer Science (R0)