Catch Me If You Can: An In-Depth Study of CVE Discovery Time and Inconsistencies for Managing Risks in Critical Infrastructures

Richard Thomas; Joe Gardiner; Tom Chothia; Manolis Samanis; Awais Rashid; Joshua Perrett

doi:10.1145/3411498.3419970

Catch Me If You Can: An In-Depth Study of CVE Discovery Time and Inconsistencies for Managing Risks in Critical Infrastructures

Richard Thomas, Joe Gardiner, Tom Chothia, Manolis Samanis, Awais Rashid, Joshua Perrett

Research output: Chapter in Book/Report/Conference proceeding › Conference Contribution (Conference Proceeding)

9 Citations (Scopus)

999 Downloads (Pure)

Abstract

Industrial Control Systems (ICS) are central to the operation of critical national infrastructure (CNI) such as oil and gas, water treatment, power generation and transport systems. Effective risk management to mitigate large-scale disruption to societies and economies depends on both timely information about vulnerabilities and the consistency of this information. The longer the vulnerabilities remain "in the wild" or a lack of consistency in vulnerability reporting, the greater the impact on CNI operators' ability to systematically understand and mitigate the risks. In this paper, we focus on vulnerabilities identified and reported in Siemens ICS devices, which hold the largest share of the market. We undertake an in-depth analysis of 207 CVEs, identifying the time over which vulnerabilities were 'in the wild' before being discovered and advisories issued, and examine issues with the correctness of CVE information. We find that, on average, a vulnerability is 'in the wild' for 5.3 years, and that many CVEs do not correctly reflect and state the affected devices as Common Platform Enumerations (CPEs). Based on our findings, we propose a set of guidelines to improve the reporting and consistency of ICS CVE information.

Original language	English
Title of host publication	CPSIOTSEC'20
Subtitle of host publication	Proceedings of the 2020 Joint Workshop on CPS&IoT Security and Privacy
Publisher	Association for Computing Machinery (ACM)
Pages	49-60
ISBN (Electronic)	978-1-4503-8087-4
DOIs	https://doi.org/10.1145/3411498.3419970
Publication status	Published - 9 Nov 2020
Event	2020 ACM SIGSAC Conference on Computer and Communications Security - Duration: 9 Nov 2020 → …

Conference

Conference	2020 ACM SIGSAC Conference on Computer and Communications Security
Period	9/11/20 → …

Keywords

Industrial Control Systems
ICS Security
SCADA
Operational Technology, OT
CPS
Cyber Security
Vulnerabilities

Access to Document

10.1145/3411498.3419970

Full-text PDF (accepted author manuscript)
This is the accepted author manuscript (AAM). The final published version (version of record) is available online via ACM at https://doi.org/10.1145/3411498.3419970. Please refer to any applicable terms of use of the publisher.
Accepted author manuscript, 1.15 MB

Handle.net

Persistent link

PETRAS: National Centre of Excellence for IoT Systems Cybersecurity
Rashid, A. (Principal Investigator)
1/01/19 → 31/03/23
Project: Research
DYPOSIT: Dynamic Policies for Shared Cyber-Physical Infrastructures under Attack
Rashid, A. (Principal Investigator)
1/01/18 → 31/10/20
Project: Research

Cite this

Thomas, R., Gardiner, J., Chothia, T., Samanis, M., Rashid, A., & Perrett, J. (2020). Catch Me If You Can: An In-Depth Study of CVE Discovery Time and Inconsistencies for Managing Risks in Critical Infrastructures. In CPSIOTSEC'20: Proceedings of the 2020 Joint Workshop on CPS&IoT Security and Privacy (pp. 49-60). Association for Computing Machinery (ACM). https://doi.org/10.1145/3411498.3419970

@inproceedings{a2d09e2b612142148ee252b7bc4abd7f,

title = "Catch Me If You Can: An In-Depth Study of CVE Discovery Time and Inconsistencies for Managing Risks in Critical Infrastructures",

abstract = "Industrial Control Systems (ICS) are central to the operation of critical national infrastructure (CNI) such as oil and gas, water treatment, power generation and transport systems. Effective risk management to mitigate large-scale disruption to societies and economies depends on both timely information about vulnerabilities and the consistency of this information. The longer the vulnerabilities remain {"}in the wild{"} or a lack of consistency in vulnerability reporting, the greater the impact on CNI operators' ability to systematically understand and mitigate the risks. In this paper, we focus on vulnerabilities identified and reported in Siemens ICS devices, which hold the largest share of the market. We undertake an in-depth analysis of 207 CVEs, identifying the time over which vulnerabilities were 'in the wild' before being discovered and advisories issued, and examine issues with the correctness of CVE information. We find that, on average, a vulnerability is 'in the wild' for 5.3 years, and that many CVEs do not correctly reflect and state the affected devices as Common Platform Enumerations (CPEs). Based on our findings, we propose a set of guidelines to improve the reporting and consistency of ICS CVE information.",

keywords = "Industrial Control Systems, ICS Security, SCADA, Operational Technology, OT, CPS, Cyber Security, Vulnerabilities",

author = "Richard Thomas and Joe Gardiner and Tom Chothia and Manolis Samanis and Awais Rashid and Joshua Perrett",

year = "2020",

month = nov,

day = "9",

doi = "10.1145/3411498.3419970",

language = "English",

pages = "49--60",

booktitle = "CPSIOTSEC'20",

publisher = "Association for Computing Machinery (ACM)",

address = "United States",

note = "2020 ACM SIGSAC Conference on Computer and Communications Security ; Conference date: 09-11-2020",

}

Thomas, R, Gardiner, J, Chothia, T, Samanis, M , Rashid, A & Perrett, J 2020, Catch Me If You Can: An In-Depth Study of CVE Discovery Time and Inconsistencies for Managing Risks in Critical Infrastructures. in CPSIOTSEC'20: Proceedings of the 2020 Joint Workshop on CPS&IoT Security and Privacy. Association for Computing Machinery (ACM), pp. 49-60, 2020 ACM SIGSAC Conference on Computer and Communications Security, 9/11/20. https://doi.org/10.1145/3411498.3419970

Catch Me If You Can: An In-Depth Study of CVE Discovery Time and Inconsistencies for Managing Risks in Critical Infrastructures. / Thomas, Richard; Gardiner, Joe; Chothia, Tom et al.
CPSIOTSEC'20: Proceedings of the 2020 Joint Workshop on CPS&IoT Security and Privacy. Association for Computing Machinery (ACM), 2020. p. 49-60.

Research output: Chapter in Book/Report/Conference proceeding › Conference Contribution (Conference Proceeding)

TY - GEN

T1 - Catch Me If You Can

T2 - 2020 ACM SIGSAC Conference on Computer and Communications Security

AU - Thomas, Richard

AU - Gardiner, Joe

AU - Chothia, Tom

AU - Samanis, Manolis

AU - Rashid, Awais

AU - Perrett, Joshua

PY - 2020/11/9

Y1 - 2020/11/9

N2 - Industrial Control Systems (ICS) are central to the operation of critical national infrastructure (CNI) such as oil and gas, water treatment, power generation and transport systems. Effective risk management to mitigate large-scale disruption to societies and economies depends on both timely information about vulnerabilities and the consistency of this information. The longer the vulnerabilities remain "in the wild" or a lack of consistency in vulnerability reporting, the greater the impact on CNI operators' ability to systematically understand and mitigate the risks. In this paper, we focus on vulnerabilities identified and reported in Siemens ICS devices, which hold the largest share of the market. We undertake an in-depth analysis of 207 CVEs, identifying the time over which vulnerabilities were 'in the wild' before being discovered and advisories issued, and examine issues with the correctness of CVE information. We find that, on average, a vulnerability is 'in the wild' for 5.3 years, and that many CVEs do not correctly reflect and state the affected devices as Common Platform Enumerations (CPEs). Based on our findings, we propose a set of guidelines to improve the reporting and consistency of ICS CVE information.

AB - Industrial Control Systems (ICS) are central to the operation of critical national infrastructure (CNI) such as oil and gas, water treatment, power generation and transport systems. Effective risk management to mitigate large-scale disruption to societies and economies depends on both timely information about vulnerabilities and the consistency of this information. The longer the vulnerabilities remain "in the wild" or a lack of consistency in vulnerability reporting, the greater the impact on CNI operators' ability to systematically understand and mitigate the risks. In this paper, we focus on vulnerabilities identified and reported in Siemens ICS devices, which hold the largest share of the market. We undertake an in-depth analysis of 207 CVEs, identifying the time over which vulnerabilities were 'in the wild' before being discovered and advisories issued, and examine issues with the correctness of CVE information. We find that, on average, a vulnerability is 'in the wild' for 5.3 years, and that many CVEs do not correctly reflect and state the affected devices as Common Platform Enumerations (CPEs). Based on our findings, we propose a set of guidelines to improve the reporting and consistency of ICS CVE information.

KW - Industrial Control Systems

KW - ICS Security

KW - SCADA

KW - Operational Technology, OT

KW - CPS

KW - Cyber Security

KW - Vulnerabilities

U2 - 10.1145/3411498.3419970

DO - 10.1145/3411498.3419970

M3 - Conference Contribution (Conference Proceeding)

SP - 49

EP - 60

BT - CPSIOTSEC'20

PB - Association for Computing Machinery (ACM)

Y2 - 9 November 2020

ER -

Catch Me If You Can: An In-Depth Study of CVE Discovery Time and Inconsistencies for Managing Risks in Critical Infrastructures

Abstract

Conference

Keywords

Access to Document

Handle.net

Fingerprint

Projects

PETRAS: National Centre of Excellence for IoT Systems Cybersecurity

DYPOSIT: Dynamic Policies for Shared Cyber-Physical Infrastructures under Attack

Cite this