Exploring Ontologies for Mitigation Selection of Industrial Control System Vulnerabilities

Abstract

Mitigating vulnerabilities in industrial control systems (ICSs) represents a highly complex task. ICSs may contain an abundance of device types, all with unique software and hardware components. Upon discovering vulnerabilities on ICS devices, cyber defenders must determine which mitigations to implement, and which mitigations can apply across multiple vulnerabilities. Cyber defenders need techniques to optimize mitigation selection. This exploratory research paper shows how ontologies, also known as linked-data models, can potentially be used to model ICS devices, vulnerabilities, and mitigations, as well as to identify mitigations that can remediate or mitigate multiple vulnerabilities. Ontologies can be used to reduce the complexity of a cyber defender’s role by allowing for insights to be drawn, especially in the ICS domain. Data are modelled from the Common Platform Enumeration (CPE), the National Vulnerability Database (NVD), standardized list of controls from the National Institute of Standards and Technology (NIST), and ICS Cyber Emergency Response Team (CERT) advisories. Semantic queries provide the techniques for mitigation prioritization. A case study is described for a selected programmable logic controller (PLC), its known vulnerabilities from the NVD, and recommended mitigations from ICS CERT. Overall, this research shows how ontologies can be used to link together existing data sources, to run queries over the linked data, and to allow for new insights to be drawn for mitigation selection.