Abstract
Industrial Control Systems (ICS) are widely deployed in mission-critical infrastructures such as manufacturing, energy, and transportation. The mission-critical nature of ICS devices poses important security challenges for ICS vendors and asset owners. In particular, the patching of ICS devices is usually deferred to scheduled production outages so as to prevent potential operational disruption of critical systems. Unfortunately, anecdotal evidence suggests that ICS devices are riddled with security vulnerabilities that are not patched in a timely manner, which leaves them vulnerable to exploitation by hackers, nation states, and hacktivist organizations.
In this paper, we present the results from our longitudinal measurement and characterization study of ICS patching behavior. Our study is based on IP scan data collected from Shodan over the duration of three years for more than 500 known industrial ICS protocols and products. Our longitudinal measurements reveal the impact of vulnerability disclosures on ICS patching. Our analysis of more than 100 thousand Internet-exposed ICS devices reveals that about 50% upgrade to newer patched versions within 60 days of a vulnerability disclosure. Based on our measurement and analysis, we further propose a variation of the Bass model to forecast the patching behavior of ICS devices. The evaluation shows that our proposed models have comparable prediction accuracy when contrasted against traditional ARIMA time-series forecasting models, while requiring fewer parameters and being amenable to direct physical interpretation.
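To make the forecasting idea in the abstract concrete, the following is an added example (not the paper's own Bass variation, data or code, none of which appear on this page): the standard Bass diffusion curve F(t) is read as the cumulative fraction of exposed devices seen on a patched version t days after a disclosure, fitted to a constructed scan series, and then inverted to get the day on which half the population is patched. The parameters p and q, the grid, and the sample series are all assumptions constructed for the example.

```python
"""Standard Bass diffusion model (Bass, 1969) applied to patch adoption.

Added example, not the paper's own variation or data (neither is on this
page). F(t) is read as the cumulative fraction of Internet-exposed devices
observed on a patched version t days after a vulnerability disclosure:
hazard f(t)/(1 - F(t)) = p + q*F(t), with p the "innovation" rate (owners
patching on their own) and q the "imitation" rate (patching driven by the
share of the population that has already patched).
"""
import math


def bass_cdf(t, p, q):
    """Closed-form cumulative adoption F(t) of the standard Bass model."""
    e = math.exp(-(p + q) * t)
    return (1.0 - e) / (1.0 + (q / p) * e)


def days_to_fraction(p, q, target=0.5):
    """Invert F(t) = target analytically: days until `target` of devices are patched."""
    return math.log((1.0 + target * q / p) / (1.0 - target)) / (p + q)


def fit_bass(samples, p_grid=(0.002, 0.004, 0.008, 0.016),
             q_grid=(0.02, 0.04, 0.08, 0.16)):
    """Least-squares grid search over (p, q) on (day, fraction) samples.

    Returns (p, q, sse). A coarse grid keeps this dependency-free; a real
    fit would refine the result with a bounded nonlinear least-squares solver.
    """
    best = None
    for p in p_grid:
        for q in q_grid:
            sse = sum((bass_cdf(t, p, q) - f) ** 2 for t, f in samples)
            if best is None or sse < best[2]:
                best = (p, q, sse)
    return best


# Constructed synthetic "scan" series (not Shodan data): patched fraction every
# 15 days for half a year, generated from p=0.004, q=0.04 and rounded to three
# decimals to mimic the coarse resolution of periodic scans.
SAMPLES = [(t, round(bass_cdf(t, 0.004, 0.04), 3)) for t in range(0, 181, 15)]

if __name__ == "__main__":
    p, q, sse = fit_bass(SAMPLES)
    print(f"fitted p={p}, q={q}, sse={sse:.2e}")
    print(f"forecast patched at day 60: {bass_cdf(60, p, q):.1%}")
    print(f"days until 50% patched: {days_to_fraction(p, q):.1f}")
```

With these constructed parameters the curve crosses 50% at about day 56, which is the kind of figure the abstract's "about 50% within 60 days" summarizes; with real scan data the fitted p and q would be the quantities to compare before and after a disclosure.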
Characterizing and Modeling Patching Practices of Industrial Control Systems. SIGMETRICS '17 Abstracts: Proceedings of the 2017 ACM SIGMETRICS / International Conference on Measurement and Modeling of Computer Systems; also in Performance Evaluation Review.