Abstract

Urban critical infrastructure such as electric grids, water networks, and transportation systems are prime targets for cyberattacks. These systems are composed of connected devices which we call the Industrial Internet of Things (IIoT). An attack on urban critical infrastructure IIoT would cause considerable disruption to society. Supervisory control and data acquisition (SCADA) systems are typically used to control IIoT for urban critical infrastructure. Despite the clear need to understand the cyber risk to urban critical infrastructure, there is no data-driven model for evaluating SCADA software risk for IIoT devices. In this paper, we compare non-SCADA and SCADA systems and establish, using cosine similarity tests, that SCADA as a software subclass holds unique risk attributes for IIoT. We then disprove the commonly accepted notion that the common vulnerability scoring system risk metrics of exploitability and impact are not correlated with attack for the SCADA subclass of software. A series of statistical models are developed to identify SCADA risk metrics that can be used to evaluate the risk that a SCADA-related vulnerability is exploited. Based on our findings, we build a customizable SCADA risk prioritization schema that can be used by the security community to better understand SCADA-specific risk. Considering the distinct properties of SCADA systems, a data-driven prioritization schema will help researchers identify security gaps specific to this software subclass that is essential to our society’s operations.

Highlights

  • We reaffirm other scholarly findings that the common vulnerability scoring system (CVSS) risk metrics are not correlated with exploits for all software vulnerabilities; unlike our research colleagues, we discover that CVSS risk metrics associated with the software subclass of supervisory control and data acquisition (SCADA) systems are strongly correlated with exploit.

  • Security operations center (SOC) analysts can cross-check Industrial Internet of Things (IIoT) devices with the common vulnerabilities and exposures (CVEs) and common weakness enumerations (CWEs) that we identified to be most exploited to arrive at their prioritized device list.

  • Unique contributions of this paper are significant for security researchers investigating SCADA systems, SCADA IIoT designers, and critical infrastructure operators working with IIoT.


Summary

Introduction

Cyberattacks can disable Industrial Internet of Things (IIoT) devices responsible for urban critical infrastructure. Urban critical infrastructure includes smart grids, water networks, and transportation systems. In 2015, multiple power substations in Ukraine were compromised, resulting in rolling power outages affecting 225 000 people [1]. Ukraine’s supervisory control and data acquisition (SCADA) system, which is responsible for controlling the smart grid’s IIoT devices, is so vast and complicated that it will be impossible to patch all vulnerabilities throughout the networks.
