Ikerlan Technology Research Centre, Basque Research and Technology Alliance (BRTA), 20500 Arrasate, Spain.
Department of Electronics and Computing, Mondragon Unibertsitatea, 20500 Mondragón, Spain.
Sensors (Basel). 2022 Mar 9;22(6):2126. doi: 10.3390/s22062126.
The rapid evolution of industrial components, the paradigm of Industry 4.0, and the new connectivity features introduced by 5G technology all increase the likelihood of cybersecurity incidents. Such incidents are caused by the vulnerabilities present in these components. Designing a secure system is critical, but it is also complex, costly, and an extra factor to manage during the lifespan of the component. This paper presents a model to analyze the known vulnerabilities of industrial components over time. The proposed Extended Dependency Graph (EDG) model is based on two main elements: a directed graph representation of the internal structure of the component, and a set of quantitative metrics based on the Common Vulnerability Scoring System (CVSS). The EDG model can be applied throughout the entire lifespan of a device to track vulnerabilities, identify new requirements, root causes, and test cases. It also helps prioritize patching activities. The model was validated by application to the OpenPLC project. The results reveal that most of the vulnerabilities associated with OpenPLC were related to memory buffer operations and were concentrated in the library. The model was able to determine new requirements and generate test cases from the analysis.
工业组件的快速发展、工业 4.0 范式以及 5G 技术引入的新连接特性都增加了网络安全事件的可能性。这些事件是由这些组件中存在的漏洞引起的。设计一个安全的系统至关重要,但它也很复杂、昂贵,并且在组件的生命周期内是一个额外需要管理的因素。本文提出了一种模型来分析工业组件随时间推移已知的漏洞。所提出的扩展依赖关系图 (EDG) 模型基于两个主要元素:组件内部结构的有向图表示和基于通用漏洞评分系统 (CVSS) 的一组定量指标。EDG 模型可以在设备的整个生命周期内应用,以跟踪漏洞、识别新需求、根本原因和测试用例。它还有助于确定补丁活动的优先级。该模型通过应用于 OpenPLC 项目进行了验证。结果表明,与 OpenPLC 相关的大多数漏洞都与内存缓冲区操作有关,并且集中在库中。该模型能够从分析中确定新的需求并生成测试用例。
