A Novel Model for Vulnerability Analysis through Enhanced Directed Graphs and Quantitative Metrics

The rapid evolution of industrial components, the paradigm of Industry 4.0, and the new connectivity features introduced by 5G technology all increase the likelihood of cybersecurity incidents. Such incidents are caused by the vulnerabilities present in these components. Designing a secure system is...

Full description

Saved in:
Bibliographic Details
Published inSensors (Basel, Switzerland) Vol. 22; no. 6; p. 2126
Main Authors Longueira-Romero, Ángel, Iglesias, Rosa, Flores, Jose Luis, Garitano, Iñaki
Format Journal Article
LanguageEnglish
Published Switzerland MDPI AG 09.03.2022
MDPI
Subjects
Automation
Benchmarking
CAPEC
Computer networks
Computer Security
Connectivity
CPE
CVE
CVSS
CWE
Cybersecurity
Data encryption
directed graph
Graph theory
Graphical representations
Internet of Things
Life span
Network security
Probability
Product development
Software
CWE
OpenPLC
CVE
security metrics
directed graph
CPE
IACS
CVSS
vulnerability assessment
cybersecurity
CAPEC
IEC 62443
Online AccessGet full text

Cover

More Information
Summary:The rapid evolution of industrial components, the paradigm of Industry 4.0, and the new connectivity features introduced by 5G technology all increase the likelihood of cybersecurity incidents. Such incidents are caused by the vulnerabilities present in these components. Designing a secure system is critical, but it is also complex, costly, and an extra factor to manage during the lifespan of the component. This paper presents a model to analyze the known vulnerabilities of industrial components over time. The proposed Extended Dependency Graph (EDG) model is based on two main elements: a directed graph representation of the internal structure of the component, and a set of quantitative metrics based on the Common Vulnerability Scoring System (CVSS). The EDG model can be applied throughout the entire lifespan of a device to track vulnerabilities, identify new requirements, root causes, and test cases. It also helps prioritize patching activities. The model was validated by application to the OpenPLC project. The results reveal that most of the vulnerabilities associated with OpenPLC were related to memory buffer operations and were concentrated in the library. The model was able to determine new requirements and generate test cases from the analysis.
Bibliography:ObjectType-Article-1
SourceType-Scholarly Journals-1
ObjectType-Feature-2
content type line 23
ISSN:1424-8220
1424-8220
DOI:10.3390/s22062126