Journal of Convergence for Information Technology (융합정보논문지)

Convergence Society for SMB (중소기업융합학회)
권호 표지
DOI QR코드

DOI QR Code

A Study on the Probabilistic Vulnerability Assessment of COTS O/S based I&C System

상용 OS기반 제어시스템 확률론적 취약점 평가 방안 연구

  • 엄익채 (한전KDN(주) 보안컨설팅팀)
  • Received : 2019.07.18
  • Accepted : 2019.08.20
  • Published : 2019.08.28
Download PDF
⟨ Previous Next ⟩

Abstract

The purpose of this study is to find out quantitative vulnerability assessment about COTS(Commercial Off The Shelf) O/S based I&C System. This paper analyzed vulnerability's lifecycle and it's impact. this paper is to develop a quantitative assessment of overall cyber security risks and vulnerabilities I&C System by studying the vulnerability analysis and prediction method. The probabilistic vulnerability assessment method proposed in this study suggests a modeling method that enables setting priority of patches, threshold setting of vulnerable size, and attack path in a commercial OS-based measurement control system that is difficult to patch an immediate vulnerability.

본 연구는 즉시 패치가 어려운 상용 운영체제 기반의 계측제어시스템의 취약점 평가 방안 및 시간의 경과에 따른 위험의 크기를 정량적으로 파악하는 것이다. 연구 대상은 상용 OS가 탑재된 계측제어시스템의 취약점 발견과 영향의 크기이다. 연구에서는 즉각 취약점 조치가 힘든 디지털 계측제어시스템의 취약점 분석 및 조치방법을 연구함으로써, 계측제어시스템이 존재하는 핵심기반시설의 전체적인 사이버보안 위험과 취약점을 정량적으로 파악하는 것이다. 본 연구에서 제안한 확률론적 취약점 평가 방안은 즉각적인 취약점 패치가 어려운 상용 운영체제 기반의 계측제어시스템에서 취약점 패치 우선 순위 및 패치가 불 가능시 수용 가능한 취약점의 임계값 설정, 공격 경로에 대한 파악을 가능하게 하는 모델링 방안을 제시한다.

Keywords

JKOHBZ_2019_v9n8_35_f0001.png 이미지

Fig. 1. Vulnerability Patch Process by DHS

JKOHBZ_2019_v9n8_35_f0002.png 이미지

Fig. 2. Structure of Digital I&C System

JKOHBZ_2019_v9n8_35_f0003.png 이미지

Fig. 3. Classification of Quantitative Security Metric

JKOHBZ_2019_v9n8_35_f0004.png 이미지

Fig. 4. Transition Matrix

JKOHBZ_2019_v9n8_35_f0005.png 이미지

Fig. 5. Proposed Probabilistic Vulnerability Assessment Framework

JKOHBZ_2019_v9n8_35_f0006.png 이미지

Fig. 6. Proposed Probabilistic Vulnerability Assessment Process

JKOHBZ_2019_v9n8_35_f0007.png 이미지

Fig. 7. Proposed Predictive modeling Process

JKOHBZ_2019_v9n8_35_f0008.png 이미지

Fig. 8. Proposed modeling's pseudo algorithm

JKOHBZ_2019_v9n8_35_f0009.png 이미지

Fig. 9. Predictive modeling process

JKOHBZ_2019_v9n8_35_f0010.png 이미지

Fig. 10. Case-Initial Attack Graph

JKOHBZ_2019_v9n8_35_f0011.png 이미지

Fig. 11. Case1-Attack Graph combined with VDM

JKOHBZ_2019_v9n8_35_f0012.png 이미지

Fig. 12. Case2-Attack Graph combined with VDM

References

  1. S. Y. Oh. & J. K. Hong. (2018). Vulnerability Case Analysis of Wireless Moving Vehicle. Journal of the Korea convergence society, 9(8), 41-46. DOI : 10.15207/JKCS.2018.9.8.041
  2. J. K. Cho. (2019). Study on Improvement of Vulnerability Diagnosis Items for PC Security Enhancement. Journal of Convergence for information Technology, 9(3), 1-7. DOI : 10.22156/CS4SMB.2019.9.3.001
  3. Recommended Practice for Patch Management of Control Systems. (2008). Department of Homeland Security. (pp. 23-24).
  4. L. S. IS. (2018). Digital I&C System Diagram. LS IS Product. http://www.lsis.com/ko/product/view/P01211
  5. Pubudu et al. (2018). Non-Homogeneous Stochastic Model for Cyber Security Predictions. The Journal of Information Security. (pp. 12-24). DOI : 10.15207/JKCS.2018.9.8.041
  6. Karen Scarfone. (2009). An analysis of CVSS version 2 vulnerability scoring. ESEM '09 Proceedings of the 2009 3rd International Symposium on Empirical Software Engineering and Measurement. (pp. 516-525). DOI : 10.1109/ESEM.2009.5314220
  7. S. M. Rajasooriya & C. P. Tsokos. (2017). Cybersecurity: Nonlinear Stochastic models for Predicting the Exploitability. The Journal of information Security. (pp. 125-140). DOI : 10.4236/jis.2017.82009
  8. P. Ammann. (2002). Scalable, graph-based network vulnerability analysis. Proceedings of the 9th ACM conference on Computer and communications security. (pp. 217-224). DOI : 10.1145/586110.586140
  9. S. Jah. (2002). Two formal analyses of attack graphs. The Proceedings 15th IEEE Computer Security Foundations Workshop. DOI : 10.1109/CSFW.2002.1021806
  10. S. Abraham. & S. Nair. (2014). Cyber Security Analytics: A Stochastic Model for Security Quantification Using Absorbing Markov Chains. Journal of Communications, 9(12), 899-907. DOI : 10.12720/jcm.9.12.899-907
  11. A. Reibman & K. Trivedi. (1998). Numerical transient analysis of markov models. Computer & Operations Research, 15(1), 19-36. DOI : 10.1016/0305-0548(88)90026-3
  12. B. A. Craig. (2002). Estimation of the transition matrix of a discrete time Markov chain. Health Economics, 11(1), 33-42. DOI : 10.1002/hec.654
  13. S. Swapna. (2004). Analysis of Software Fault Removal Policies Using a Non-Homogeneous Continuous Time Markov Chain. Software Quality Journal, 12(3). (pp. 211-230). DOI : 10.1023/B:SQJO.0000034709.63615.8b
  14. A. Andan & S. Munmad. (2005). Verifying continuous time Markov chains. International Conference on Computer Aided Verification. (pp. 269-276). DOI : 10.1007/3-540-61474-5_75
  15. G. Laurent. (2011). Vulnerability Discrimination Using CVSS Framework. 2011 4th IFIP International Conference on New Technologies, Mobility and Security. DOI : 10.1109/NTMS.2011.5720656
  16. S. Roger. (1989). Markov and Markov reward model transient analysis: An overview of numerical approaches. European journal of Operation Research, 40(2). 257-267. DOI : 10.1016/0377-2217(89)90335-4
  17. N. Skku. (2015). Exploitability analysis using predictive cyber security framework. 2015 IEEE 2nd International Conference on Cybernetics. DOI : 10.1109/CYBConf.2015.7175953
  18. J. Y. Kim. (2007). Vulnerability Discovery in Multi version software systems. 10th IEEE High Assurance Systems Engineering Symposium.. DOI : 10.1109/HASE.2007.55