Vulnerability Exploitation Risk Assessment Based on Offensive Security Approach

Abstract

Security incidents targeting control systems and the industrial internet of things (IIoT) are on the rise as attackers gain a better understanding of the nature of these systems and their increasing connectivity to information technology (IT). Every year, the number of vulnerabilities associated with these incidents increases, making it impractical to apply timely patches for all of them. The current vulnerability assessments, which are the basis for vulnerability patching, have limitations in that they do not adequately reflect the risk of exploitation in the real world after discovery and do not consider operational technology (OT) and industrial control system (ICS) environments other than IT environments. This study proposes to evaluate exploit risk in real-world environments by considering OT/ICS environments and calculating three metrics, including exploit chain risk, exploit code availability, and exploit use probability based on cyber threat information, including IIoT vulnerability data, used in OT/ICS environments. In addition, we construct exploitation scenarios in a control system environment to prioritize vulnerabilities with a high risk of exploitation based on the three metrics. We show that by assessing the risk of attackers’ intentions and exploited technologies for attacks against IIoT devices in a control system environment, we can provide defenders with comprehensive attack risk information for proactive defense.