
This paper has examined the application of the Common Vulnerability Scoring System to operational technology or industrial control system-based cybersecurity controls and demonstrated that the unique considerations and aspects of these environments are captured more accurately than by a traditional IT-based evaluation. Multiple business drivers are compelling consumer goods manufacturers to augment and connect their manufacturing systems, which increases the potential for experiencing a cybersecurity incident [1]. While other business verticals are able to utilize cybersecurity standards and control documents tailored for their industry, manufacturers do not have a set of materials that directly correlates to the operational technology environments in which their systems reside [2]. Cybersecurity practitioners face additional challenges in understanding the severity of the risks within these environments because quantifiable methods of evaluating those risks are currently lacking. The findings from this research provide cybersecurity practitioners with a repeatable and extensible method to derive the operational risk an organization faces from the technologies and business strategies it employs in the pursuit of business objectives.


References

  1. Norrman A, Wieland A. The development of supply chain risk management over time: revisiting Ericsson. International Journal of Physical Distribution & Logistics Management, 2020; 50(6): 641-666.
  2. Weiss J, Stephens R, Miller N. Changing the Paradigm of Control System Cybersecurity. Computer, 2022; 55(3): 106-116.
  3. NIST. Framework for Improving Critical Infrastructure Cybersecurity; 2018.
  4. Forum of Incident Response and Security Teams. Common Vulnerability Scoring System version 3.1; 2021.
  5. Hepfer M, Powell TC. Make Cybersecurity a Strategic Asset. MIT Sloan Management Review, 2020; 62(1): 40-45.
  6. Falco G, Caldera C, Shrobe H. IIoT Cybersecurity Risk Modeling for SCADA Systems. IEEE Internet of Things Journal, 2018; 5(6): 4486-4495.
  7. Howland H. CVSS: Ubiquitous and Broken. Digital threats (Print); 2021.
  8. Walkowski M, Oko J, Sujecki S. Vulnerability Management Models Using a Common Vulnerability Scoring System. Applied Sciences, 2021; 11(18): 8735.
  9. Figueroa-Lorenzo S, Añorga J, Arrizabalaga S. A Survey of IIoT Protocols: A Measure of Vulnerability Risk Analysis Based on CVSS. ACM computing surveys, 2020; 53(2): 1-53.
  10. Venkataramanan V, Srivastava A, Hahn A, Zonouz S. Measuring and Enhancing Microgrid Resiliency Against Cyber Threats. IEEE transactions on industry applications, 2019; 55(6): 6303-6312.
  11. Sonkor MS, Xu X, Prieto SA, De Soto BG. Vulnerability Assessment of Construction Equipment: An Example for an Autonomous Site Monitoring System. IAARC Publications: Waterloo; 2022: p. 283-290.
  12. Aksu MU, Dilek MH, Tatli EI, Bicakci K, Dirik HI, Demirezen MU, Aykir T. A quantitative CVSS-based cyber security risk assessment methodology for IT systems. In 2017 International Carnahan Conference on Security Technology (ICCST); 2017. https://doi.org/10.1109/ccst.2017.8167819.
  13. Hughes J, Cybenko G. Quantitative Metrics and Risk Assessment: The Three Tenets Model of Cybersecurity. Technology Innovation Management Review, 2013; 3(8): 15-24.
  14. Van Devender MS, McDonald JT. A Quantitative Risk Assessment Framework for the Cybersecurity of Networked Medical Devices. Academic Conferences International Limited: Reading; 2023: 402-411.
  15. Alegria AV, et al. Method of Quantitative Analysis of Cybersecurity Risks Focused on Data Security in Financial Institutions. In 2022 17th Iberian Conference on Information Systems and Technologies (CISTI); 2022.
  16. Algarni AM, Thayananthan V, Malaiya YK. Quantitative Assessment of Cybersecurity Risks for Mitigating Data Breaches in Business Systems. Applied Sciences, 2021; 11(8): 3678.
  17. Wu D, Ren A, Zhang W, Fan F, Liu P, Fu X, Terpenny JP. Cybersecurity for digital manufacturing. Journal of Manufacturing Systems, 2018; 48: 3-12.
  18. Culot G, Fattori F, Podrecca M, Sartor M. Addressing Industry 4.0 Cybersecurity Challenges. IEEE Engineering Management Review, 2019; 47(3): 79-86.
  19. Offermann P, Levina O, Schönherr M, Bub U. Outline of a design science research process. ACM; 2009.
  20. March ST, Storey VC. Design Science In The Information Systems Discipline: An Introduction To The Special Issue On Design Science Research. MIS Quarterly, 2008; 32(4): 725-730.
  21. Tanveer A, Roopak S, Kuo MMY. Secure Links: Secure-by-Design Communications in IEC 61499 Industrial Control Applications. Cornell University Library; 2021. arXiv.org: Ithaca.
  22. Śliwiński M, Piesik E, Mehrizi-Sani A. Designing Control and Protection Systems with Regard to Integrated Functional Safety and Cybersecurity Aspects. Energies (19961073), 2021; 14(8): 2227.
  23. Reithner I, Papa M, Lueger B, Cato M, Hollerer S, Seemann R. Development and Implementation of a Secure Production Network. Annals of DAAAM & proceedings; 2020: 736.
  24. Jagtap S, Bader F, Garcia-Garcia G, Trollman H, Fadiji T, Salonitis K. Food Logistics 4.0: Opportunities and Challenges. Logistics, 2020; 5(1).
  25. Eichensehr KE. The Biden Administration Cracks Down on Ransomware. The American Journal of International Law, 2022; 116(2): 445-451.
  26. Gaber T, Jazouli YE, Eldesouky E, Ali A. Autonomous Haulage Systems in the Mining Industry: Cybersecurity, Communication and Safety Issues and Challenges. Electronics, 2021; 10(11): 1357.
  27. Mugarza I, Flores JL, Montero JL. Security Issues and Software Updates Management in the Industrial Internet of Things (IIoT) Era. Sensors, 2020; 20(24): 7160.

