Catch me if you can: an in-depth study of CVE discovery time and inconsistencies for managing risks in critical infrastructures

Richard J. Thomas; Joseph Gardiner; Tom Chothia; Emmanouil Samanis; Joshua Perrett; Awais Rashid

doi:10.1145/3411498.3419970

Catch me if you can: an in-depth study of CVE discovery time and inconsistencies for managing risks in critical infrastructures

Richard J. Thomas, Joseph Gardiner, Tom Chothia, Emmanouil Samanis, Joshua Perrett, Awais Rashid

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

443 Downloads (Pure)

Abstract

Industrial Control Systems (ICS) are central to the operation of critical national infrastructure (CNI) such as oil and gas, water treatment, power generation and transport systems. Effective risk management to mitigate large-scale disruption to societies and economies depends on both timely information about vulnerabilities and the consistency of this information. The longer the vulnerabilities remain "in the wild" or a lack of consistency in vulnerability reporting, the greater the impact on CNI operators' ability to systematically understand and mitigate the risks. In this paper, we focus on vulnerabilities identified and reported in Siemens ICS devices, which hold the largest share of the market. We undertake an in-depth analysis of 207 CVEs, identifying the time over which vulnerabilities were 'in the wild' before being discovered and advisories issued, and examine issues with the correctness of CVE information. We find that, on average, a vulnerability is 'in the wild' for 5.3 years, and that many CVEs do not correctly reflect and state the affected devices as Common Platform Enumerations (CPEs). Based on our findings, we propose a set of guidelines to improve the reporting and consistency of ICS CVE information.

Original language	English
Title of host publication	CPSIOTSEC'20
Subtitle of host publication	Proceedings of the 2020 Joint Workshop on CPS&IoT Security and Privacy
Publisher	Association for Computing Machinery (ACM)
Pages	49-60
Number of pages	12
ISBN (Print)	9781450380874
DOIs	https://doi.org/10.1145/3411498.3419970
Publication status	Published - 9 Nov 2020
Event	CPSIOTSec: The Joint Workshop on CPS & IoT Security and Privacy - Duration: 9 Nov 2020 → 9 Nov 2020

Conference

Conference	CPSIOTSec: The Joint Workshop on CPS & IoT Security and Privacy
Period	9/11/20 → 9/11/20

Keywords

cps
cyber security
ics security
industrial control systems
operational technology, ot
scada
vulnerabilities

ASJC Scopus subject areas

Computer Networks and Communications

Access to Document

10.1145/3411498.3419970Licence: None: All rights reserved

ThomasR2020CatchAccepted author manuscript, 602 KBLicence: None: All rights reserved

https://dl.acm.org/doi/10.1145/3411498.3419970Licence: None: All rights reserved

Effective Solutions for the NIS Directive - Supply Chain Requirements for Third Party Devices
Chothia, T., Thomas, R. & Easton, J.
1/01/19 → 30/09/21
Project: Other Government Departments

RITICS Catch Me If You Can Dataset
Thomas, R. (Creator), Gardiner, J. (Creator), Chothia, T. (Creator), Rashid, A. (Creator), Samanis, E. (Creator) & Perrett, J. (Creator), University of Birmingham, 8 Oct 2020
DOI: https://doi.org/10.25500/edata.bham.00000548
Dataset

Cite this

Thomas, R. J., Gardiner, J., Chothia, T., Samanis, E., Perrett, J., & Rashid, A. (2020). Catch me if you can: an in-depth study of CVE discovery time and inconsistencies for managing risks in critical infrastructures. In CPSIOTSEC'20: Proceedings of the 2020 Joint Workshop on CPS&IoT Security and Privacy (pp. 49-60). Association for Computing Machinery (ACM). https://doi.org/10.1145/3411498.3419970

@inproceedings{d65f05807f4d4a33aad279c3a4599c69,

title = "Catch me if you can: an in-depth study of CVE discovery time and inconsistencies for managing risks in critical infrastructures",

abstract = "Industrial Control Systems (ICS) are central to the operation of critical national infrastructure (CNI) such as oil and gas, water treatment, power generation and transport systems. Effective risk management to mitigate large-scale disruption to societies and economies depends on both timely information about vulnerabilities and the consistency of this information. The longer the vulnerabilities remain {"}in the wild{"} or a lack of consistency in vulnerability reporting, the greater the impact on CNI operators' ability to systematically understand and mitigate the risks. In this paper, we focus on vulnerabilities identified and reported in Siemens ICS devices, which hold the largest share of the market. We undertake an in-depth analysis of 207 CVEs, identifying the time over which vulnerabilities were 'in the wild' before being discovered and advisories issued, and examine issues with the correctness of CVE information. We find that, on average, a vulnerability is 'in the wild' for 5.3 years, and that many CVEs do not correctly reflect and state the affected devices as Common Platform Enumerations (CPEs). Based on our findings, we propose a set of guidelines to improve the reporting and consistency of ICS CVE information.",

keywords = "cps, cyber security, ics security, industrial control systems, operational technology, ot, scada, vulnerabilities",

author = "Thomas, {Richard J.} and Joseph Gardiner and Tom Chothia and Emmanouil Samanis and Joshua Perrett and Awais Rashid",

year = "2020",

month = nov,

day = "9",

doi = "10.1145/3411498.3419970",

language = "English",

isbn = "9781450380874",

pages = "49--60",

booktitle = "CPSIOTSEC'20",

publisher = "Association for Computing Machinery (ACM)",

address = "United States",

note = "CPSIOTSec: The Joint Workshop on CPS & IoT Security and Privacy ; Conference date: 09-11-2020 Through 09-11-2020",

}

Thomas, RJ, Gardiner, J, Chothia, T, Samanis, E, Perrett, J & Rashid, A 2020, Catch me if you can: an in-depth study of CVE discovery time and inconsistencies for managing risks in critical infrastructures. in CPSIOTSEC'20: Proceedings of the 2020 Joint Workshop on CPS&IoT Security and Privacy. Association for Computing Machinery (ACM), pp. 49-60, CPSIOTSec: The Joint Workshop on CPS & IoT Security and Privacy, 9/11/20. https://doi.org/10.1145/3411498.3419970

Catch me if you can: an in-depth study of CVE discovery time and inconsistencies for managing risks in critical infrastructures. / Thomas, Richard J.; Gardiner, Joseph; Chothia, Tom et al.
CPSIOTSEC'20: Proceedings of the 2020 Joint Workshop on CPS&IoT Security and Privacy. Association for Computing Machinery (ACM), 2020. p. 49-60.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - Catch me if you can

T2 - CPSIOTSec: The Joint Workshop on CPS & IoT Security and Privacy

AU - Thomas, Richard J.

AU - Gardiner, Joseph

AU - Chothia, Tom

AU - Samanis, Emmanouil

AU - Perrett, Joshua

AU - Rashid, Awais

PY - 2020/11/9

Y1 - 2020/11/9

N2 - Industrial Control Systems (ICS) are central to the operation of critical national infrastructure (CNI) such as oil and gas, water treatment, power generation and transport systems. Effective risk management to mitigate large-scale disruption to societies and economies depends on both timely information about vulnerabilities and the consistency of this information. The longer the vulnerabilities remain "in the wild" or a lack of consistency in vulnerability reporting, the greater the impact on CNI operators' ability to systematically understand and mitigate the risks. In this paper, we focus on vulnerabilities identified and reported in Siemens ICS devices, which hold the largest share of the market. We undertake an in-depth analysis of 207 CVEs, identifying the time over which vulnerabilities were 'in the wild' before being discovered and advisories issued, and examine issues with the correctness of CVE information. We find that, on average, a vulnerability is 'in the wild' for 5.3 years, and that many CVEs do not correctly reflect and state the affected devices as Common Platform Enumerations (CPEs). Based on our findings, we propose a set of guidelines to improve the reporting and consistency of ICS CVE information.

AB - Industrial Control Systems (ICS) are central to the operation of critical national infrastructure (CNI) such as oil and gas, water treatment, power generation and transport systems. Effective risk management to mitigate large-scale disruption to societies and economies depends on both timely information about vulnerabilities and the consistency of this information. The longer the vulnerabilities remain "in the wild" or a lack of consistency in vulnerability reporting, the greater the impact on CNI operators' ability to systematically understand and mitigate the risks. In this paper, we focus on vulnerabilities identified and reported in Siemens ICS devices, which hold the largest share of the market. We undertake an in-depth analysis of 207 CVEs, identifying the time over which vulnerabilities were 'in the wild' before being discovered and advisories issued, and examine issues with the correctness of CVE information. We find that, on average, a vulnerability is 'in the wild' for 5.3 years, and that many CVEs do not correctly reflect and state the affected devices as Common Platform Enumerations (CPEs). Based on our findings, we propose a set of guidelines to improve the reporting and consistency of ICS CVE information.

KW - cps

KW - cyber security

KW - ics security

KW - industrial control systems

KW - operational technology, ot

KW - scada

KW - vulnerabilities

UR - http://www.scopus.com/inward/record.url?scp=85096851600&partnerID=8YFLogxK

U2 - 10.1145/3411498.3419970

DO - 10.1145/3411498.3419970

M3 - Conference contribution

SN - 9781450380874

SP - 49

EP - 60

BT - CPSIOTSEC'20

PB - Association for Computing Machinery (ACM)

Y2 - 9 November 2020 through 9 November 2020

ER -

Thomas RJ, Gardiner J, Chothia T, Samanis E, Perrett J, Rashid A. Catch me if you can: an in-depth study of CVE discovery time and inconsistencies for managing risks in critical infrastructures. In CPSIOTSEC'20: Proceedings of the 2020 Joint Workshop on CPS&IoT Security and Privacy. Association for Computing Machinery (ACM). 2020. p. 49-60 doi: 10.1145/3411498.3419970

Catch me if you can: an in-depth study of CVE discovery time and inconsistencies for managing risks in critical infrastructures

Abstract

Conference

Keywords

ASJC Scopus subject areas

Access to Document

Fingerprint

Projects

Effective Solutions for the NIS Directive - Supply Chain Requirements for Third Party Devices

Datasets

RITICS Catch Me If You Can Dataset

Cite this