| 1. |
- Jiang, Yuning, 1993-, et al.
(author)
-
A Semantic Framework With Humans in the Loop for Vulnerability-Assessment in Cyber-Physical Production Systems
- 2020
-
In: Risks and Security of Internet and Systems. - Cham : Springer. - 9783030415679 - 9783030415686 ; , s. 128-143
-
Conference paper (peer-reviewed)abstract
- Criticalmanufacturingprocessesinsmartnetworkedsystems such as Cyber-Physical Production Systems (CPPSs) typically require guaranteed quality-of-service performances, which is supported by cyber- security management. Currently, most existing vulnerability-assessment techniques mostly rely on only the security department due to limited communication between di↵erent working groups. This poses a limitation to the security management of CPPSs, as malicious operations may use new exploits that occur between successive analysis milestones or across departmental managerial boundaries. Thus, it is important to study and analyse CPPS networks’ security, in terms of vulnerability analysis that accounts for humans in the production process loop, to prevent potential threats to infiltrate through cross-layer gaps and to reduce the magnitude of their impact. We propose a semantic framework that supports the col- laboration between di↵erent actors in the production process, to improve situation awareness for cyberthreats prevention. Stakeholders with dif- ferent expertise are contributing to vulnerability assessment, which can be further combined with attack-scenario analysis to provide more prac- tical analysis. In doing so, we show through a case study evaluation how our proposed framework leverages crucial relationships between vulner- abilities, threats and attacks, in order to narrow further the risk-window induced by discoverable vulnerabilities.
|
|
| 2. |
- Jiang, Yuning, 1993-, et al.
(author)
-
An Approach to Discover and Assess Vulnerability Severity Automatically in Cyber-Physical Systems
- 2020
-
In: Proceedings of the 13th International Conference on Security of Information and Networks. - New York, NY, USA : Association for Computing Machinery (ACM). - 9781450387514
-
Conference paper (peer-reviewed)abstract
- Current vulnerability scoring mechanisms in complex cyber-physical systems (CPSs) face challenges induced by the proliferation of both component versions and recurring scoring-mechanism versions. Different data-repository sources like National Vulnerability Database (NVD), vendor websites as well as third party security tool analysers (e.g. ICS CERT and VulDB) may provide conflicting severity scores. We propose a machine-learning pipeline mechanism to compute vulnerability severity scores automatically. This method also discovers score correlations from established sources to infer and enhance the severity consistency of reported vulnerabilities. To evaluate our approach, we show through a CPS-based case study how our proposed scoring system automatically synthesises accurate scores for some vulnerability instances, to support remediation decision-making processes. In this case study, we also analyse the characteristics of CPS vulnerability instances.
|
|
