Architectural Security Weaknesses in Industrial Control Systems (ICS) an Empirical Study Based on Disclosed Software Vulnerabilities

Title: Architectural Security Weaknesses in Industrial Control Systems (ICS) an Empirical Study Based on Disclosed Software Vulnerabilities
Publication Type: Conference Paper
Year of Publication: 2019
Authors: Gonzalez, D., Alhenaki, F., Mirakhorli, M.
Conference Name: 2019 IEEE International Conference on Software Architecture (ICSA)
Keywords: architectural root cause, authorisation, common architectural security weaknesses, common security architectural weaknesses, component-based architectures, Computer architecture, control systems, data acquisition, data mining, disclosed software vulnerabilities, Human Behavior, human factors, human-machine interfaces, ICS systems, improper input validation, industrial automation, industrial control, industrial control systems, integrated circuits, Internet, Metrics, PLC, policy-based governance, pubcrawl, resilience, SCADA configuration, SCADA systems, security, security of data, security weaknesses, Software, supervisory control

Industrial control systems (ICS) are systems used in critical infrastructures for supervisory control, data acquisition, and industrial automation. ICS systems have complex, component-based architectures with many different hardware, software, and human factors interacting in real time. Despite the importance of security concerns in industrial control systems, there has not been a comprehensive study that examined common security architectural weaknesses in this domain. Therefore, this paper presents the first in-depth analysis of 988 vulnerability advisory reports for Industrial Control Systems developed by 277 vendors. We performed a detailed analysis of the vulnerability reports to measure which components of ICS have been affected the most by known vulnerabilities, which security tactics were affected most often in ICS and what are the common architectural security weaknesses in these systems. Our key findings were: (1) Human-Machine Interfaces, SCADA configurations, and PLCs were the most affected components, (2) 62.86% of vulnerability disclosures in ICS had an architectural root cause, (3) the most common architectural weaknesses were "Improper Input Validation", followed by "Improper Neutralization of Input During Web Page Generation" and "Improper Authentication", and (4) most tactic-related vulnerabilities were related to the tactics "Validate Inputs", "Authenticate Actors" and "Authorize Actors".

Citation Key: gonzalez_architectural_2019