Dynamic Vulnerability Criticality Calculator for Industrial Control Systems

TL;DR

This paper presents a dynamic vulnerability criticality calculator for industrial control systems that assesses vulnerabilities by analyzing topology, security measures, and attack paths using fuzzy cognitive maps, enhancing threat identification.

Contribution

It introduces a novel method combining environmental analysis, vulnerability scoring, and fuzzy cognitive maps to improve security assessment in industrial control systems.

Findings

Effective in identifying critical vulnerabilities

Adapts to environmental changes and security measures

Provides holistic vulnerability scoring

Abstract

The convergence of information and communication technologies has introduced new and advanced capabilities to Industrial Control Systems. However, concurrently, it has heightened their vulnerability to cyber attacks. Consequently, the imperative for new security methods has emerged as a critical need for these organizations to effectively identify and mitigate potential threats. This paper introduces an innovative approach by proposing a dynamic vulnerability criticality calculator. Our methodology encompasses the analysis of environmental topology and the effectiveness of deployed security mechanisms, coupled with the utilization of the Common Vulnerability Scoring System framework to adjust detected vulnerabilities based on the specific environment. Moreover, it evaluates the quantity of vulnerabilities and their interdependencies within each asset. Additionally, our approach integrates these factors into a comprehensive Fuzzy Cognitive Map model, incorporating attack paths to holistically assess the overall vulnerability score. To validate the efficacy of our proposed method, we present a relative case study alongside several modified scenarios, demonstrating its effectiveness in practical applications.