
Cyber Security

The economic impact of ICS vulnerabilities By Denny Wan and Daniel Marsh

28 | Australian Security Magazine

The Common Vulnerability Scoring System (CVSS) is used across many industries to score vulnerabilities against several metrics. The base metrics focus on confidentiality, integrity and availability, the well-known CIA triad ingrained in the mentality of cybersecurity professionals, and extend to the temporal (exploit maturity) and environmental metric groups when and where the additional information is available. This allows CVSS scores to be "weighted" for organisational nuances and discrepancies. For example, a vulnerability with a CVSS score of 10 could be lowered on temporal and environmental grounds, such as the affected system being protected by an air-gapped network. In industrial environments the context of a vulnerability can be vastly different, and CVSS does not include any estimate of the potential economic impact of the successful exploitation of a vulnerability. Blindly applying CVSS to any environment without addressing context can result in inappropriate prioritisation, with resources and effort misdirected, leading to potentially disastrous consequences. A remote code execution (RCE) vulnerability is critical for any exposed system; in a segmented and isolated environment, however, the same RCE does not have the exposure factors required for exploitation. The temporal CVSS scores should help to reduce it slightly, but not necessarily enough to bring it down from the highest score for vulnerabilities in the environment. A high CVSS score does not necessarily mean the vulnerability is critical to an ICS, and treating CVSS as if it did can result in massive economic loss, including the loss of life.

This paper explores some recent research into the scoring of Industrial Control Systems (ICS) vulnerabilities to improve its usability. It extends the approach in our previous paper, "A New Approach to ICS Risk Assessment", which applies a business-based prioritisation approach to scoping an ICS risk assessment using cyber risk quantification techniques. The Open Group Factor Analysis of Information Risk (FAIR) cyber risk quantification framework is a useful approach for ICS risk professionals to dimension ICS risk in business language and financial metrics, to better explain business impacts and remediation prioritisation decisions to business stakeholders.

ICS Security Basics

ICS exist to ensure the effective operation of facilities and, generally, to help provide manageable services such as water, power, transportation and building management. Any service in which loss of life is considered acceptable should not be operated at all, and these ICS sectors are aligned with this principle, ensuring a safety-first approach is taken to any activities carried out. The first question of ICS security basics should simply be: will this "thing" have the potential to cause loss or harm to life? If yes,


Australian Security Magazine, Issue 1, 2019  

The Australian Security Magazine is the country’s leading government and corporate security magazine. It is distributed free of charge to ma...
