Abstract
As attackers' understanding of the characteristics of control systems grows and these systems become increasingly connected to information technology, security incidents targeting control systems are on the rise. The number of vulnerabilities related to these incidents is increasing every year, making it impossible to apply timely patches for all vulnerabilities. The current common vulnerability assessment framework, which is considered the basis for vulnerability patching, is limited in that it does not consider weaponization after vulnerability discovery and does not adequately reflect exploitability in real-world "in-the-wild" environments. Therefore, in this study, we propose an approach to evaluate the in-the-wild exploitability and risk of vulnerabilities occurring in control systems based on publicly available data. To achieve this, we define criteria for classifying attacker skill levels and improve the existing CVSS metrics by introducing new factors for evaluating exploitability and risk. By applying this evaluation approach, we can identify vulnerabilities in control systems that are likely to be exploited in real-world scenarios, enabling prioritized patching and proactive defense against advanced persistent threat (APT) attacks.
Copyright information
© 2024 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.
About this paper
Cite this paper
Yoon, SS., Kim, DY., Kim, GG., Euom, IC. (2024). Vulnerability Assessment Framework Based on In-The-Wild Exploitability for Prioritizing Patch Application in Control System. In: Kim, H., Youn, J. (eds) Information Security Applications. WISA 2023. Lecture Notes in Computer Science, vol 14402. Springer, Singapore. https://doi.org/10.1007/978-981-99-8024-6_10
DOI: https://doi.org/10.1007/978-981-99-8024-6_10
Publisher Name: Springer, Singapore
Print ISBN: 978-981-99-8023-9
Online ISBN: 978-981-99-8024-6
eBook Packages: Computer Science (R0)