Skip to main content

Vulnerability Assessment Framework Based on In-The-Wild Exploitability for Prioritizing Patch Application in Control System

  • Conference paper
  • First Online:
Information Security Applications (WISA 2023)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 14402))

Included in the following conference series:

  • 390 Accesses

Abstract

With the increasing understanding of attackers towards the characteristics of control systems and the growing connectivity with information technology, security incidents targeting control systems are on the rise. The number of vulnerabilities related to these incidents are increasing every year, making it impossible to apply timely patches for all vulnerabilities. The current common vulnerability assessment framework, which is considered the basis for vulnerability patching, has limitations in that it does not consider the weaponization after vulnerability discovery and does not adequately reflect the exploitability in real-world “in-the-wild” environments. Therefore, in this study, we propose an approach to evaluate the in-the-wild exploitability and risk of vulnerabilities occurring in control systems based on publicly available data. To achieve this, we define criteria for classifying attacker skill levels and improve the existing CVSS metrics by introducing new factors for evaluating exploitability and risk. By applying this evaluation approach, we can identify vulnerabilities in control systems that are likely to be exploited in real-world scenarios, enabling prioritized patching and proactive defense against advanced persistent threat (APT) attacks.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

References

  1. Bulut, M.F., et al.: Vulnerability prioritization: an offensive security approach. arXiv preprint arXiv:2206.11182 (2022)

  2. Yang, H., et al.: Better not to use vulnerability’s reference for exploitability prediction. Appl. Sci. 10(7), 2555 (2020)

    Article  Google Scholar 

  3. FIRST CVSS Documentation. https://www.first.org/cvss/specification-document. Accessed 18 June 2023

  4. FIRST EPSS Model. https://www.first.org/epss/model.Accessed 18 June 2023

  5. Jung, B., Li, Y., Bechor, T.: CAVP: a context-aware vulnerability prioritization model. Comput. Secur. 116, 102639 (2022)

    Article  Google Scholar 

  6. Singh, U.K., Joshi, C.: Quantitative security risk evaluation using CVSS metrics by estimation of frequency and maturity of exploit. In: Proceedings of the World Congress on Engineering and Computer Science, vol. 1, pp. 19–21 (2016)

    Google Scholar 

  7. NVD CVE. https://nvd.nist.gov/. Accessed 18 June 2023

  8. NVD CPE. https://nvd.nist.gov/products/cpe. Accessed 18 June 2023

  9. MITRE CWE. https://cwe.mitre.org/. Accessed 18 June 2023

  10. NVD CAPEC. https://capec.mitre.org/. Accessed 18 June 2023

  11. CISA ICS-CERT Advisories. https://www.cisa.gov/uscert/ics/advisories?items_per_page=All. Accessed 18 June 2023

  12. Exploit-DB. https://exploit-db.com. Accessed 18 June 2023

  13. Github. https://github.com/nomi-sec/PoC-in-GitHub/. Accessed 18 June 2023

  14. CISA. https://www.cisa.gov/known-exploited-vulnerabilities-catalog/. Accessed 18 June 2023

  15. CISA. https://www.cisa.gov/uscert/ncas/alerts/. Accessed 18 June 2023

  16. Rapid7. https://rapid7.com/. Accessed 18 June 2023

  17. MITRE. https://www.cve.org/Program Organization/CNA s. Accessed 18 June 2023

Download references

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Ieck-Chae Euom .

Editor information

Editors and Affiliations

Rights and permissions

Reprints and permissions

Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Yoon, SS., Kim, DY., Kim, GG., Euom, IC. (2024). Vulnerability Assessment Framework Based on In-The-Wild Exploitability for Prioritizing Patch Application in Control System. In: Kim, H., Youn, J. (eds) Information Security Applications. WISA 2023. Lecture Notes in Computer Science, vol 14402. Springer, Singapore. https://doi.org/10.1007/978-981-99-8024-6_10

Download citation

  • DOI: https://doi.org/10.1007/978-981-99-8024-6_10

  • Published:

  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-99-8023-9

  • Online ISBN: 978-981-99-8024-6

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics