IIoT Cybersecurity Risk Modeling for SCADA Systems

Gregory Falco,Howard Shrobe,Carlos Caldera

doi:10.1109/jiot.2018.2822842

Gregory Falco, Howard Shrobe + Show 1 more

Open Access

https://doi.org/10.1109/jiot.2018.2822842

Copy DOI

Abstract

Urban critical infrastructure such as electric grids, water networks, and transportation systems are prime targets for cyberattacks. These systems are composed of connected devices which we call the Industrial Internet of Things (IIoT). An attack on urban critical infrastructure IIoT would cause considerable disruption to society. Supervisory control and data acquisition (SCADA) systems are typically used to control IIoT for urban critical infrastructure. Despite the clear need to understand the cyber risk to urban critical infrastructure, there is no data-driven model for evaluating SCADA software risk for IIoT devices. In this paper, we compare non-SCADA and SCADA systems and establish, using cosine similarity tests, that SCADA as a software subclass holds unique risk attributes for IIoT. We then disprove the commonly accepted notion that the common vulnerability scoring system risk metrics of exploitability and impact are not correlated with attack for the SCADA subclass of software. A series of statistical models are developed to identify SCADA risk metrics that can be used to evaluate the risk that a SCADA-related vulnerability is exploited. Based on our findings, we build a customizable SCADA risk prioritization schema that can be used by the security community to better understand SCADA-specific risk. Considering the distinct properties of SCADA systems, a data-driven prioritization schema will help researchers identify security gaps specific to this software subclass that is essential to our society’s operations.

Highlights

We reaffirm other scholarly findings that the common vulnerability scoring system (CVSS) risk metrics are not correlated with exploits for all software vulnerabilities; unlike our research colleagues we discover that CVSS risk metrics associated with the software subclass of supervisory control and data acquisition (SCADA) systems are strongly correlated with exploit
security operations center (SOC) analysts can cross-check Industrial Internet of Things (IIoT) devices with common vulnerability and exposures (CVEs) and common weakness enumeration (CWEs) that we identified to be most exploited to arrive at their prioritized device list
Unique contributions of this paper are significant for security researchers investigating SCADA systems, SCADA IIoT designers and critical infrastructure operators working with IIoT

Summary

Introduction

C YBERATTACKS can disable Industrial Internet of Things (IIoT) devices responsible for urban critical infrastructure. Urban critical infrastructure includes smart grids, water networks, and transportation systems. In 2015, multiple power substations in Ukraine were compromised resulting in rolling power outages affecting 225 000 people [1]. Ukraine’s supervisory control and data acquisition (SCADA) system that is responsible for controlling the smart grid’s IIoT devices is vast and complicated such that it will be impossible to patch all vulnerabilities throughout the networks.

Objectives

Methods

Findings

Conclusion