Vol. 9, No. 4, 2019, pp. 458-466


Article name, authors, abstract and keywords


Organizing the monitoring of vulnerabilities in the CPCS software and hardware

Tatyana V. Khozyainova a, Ivan A. Shechev a, Dmitry A. Kobzev b, Zakhar S. Bengart a, Elvina G. Kutlubaeva a

a Industrial Automation Centre, Branch of Transneft Upper Volga, JSC, 4a Komsomolskoe Shosse, Nizhny Novgorod, 603950, Russian Federation
b Transneft, 4, bldg 2, Presnenskaya Embankment, Moscow, 123112, Russian Federation

DOI: 10.28999/2541-9595-2019-9-4-458-466

Abstract: An approach to organizing the monitoring of vulnerabilities in the software and hardware of Computerized Process Control Systems (CPCS) at the facilities of Transneft subsidiaries is considered. The developed process makes it possible to: 1) determine the data needed for a qualified description of a vulnerability and for deciding how to respond to it; 2) identify ways to obtain reliable data about the software in operation; 3) build a balanced set of vulnerability data sources that provides the most comprehensive vulnerability data in a timely manner and tracks changes in vulnerability characteristics; 4) formulate rules for determining whether a vulnerability is current, based on the values of its characteristics correlated with the threat model.
In implementing the monitoring process, an information system was developed that records vulnerabilities and tracks changes in their characteristics, produces consolidated reporting, and supports the process of creating technical information security service bulletins.

Keywords: computerized process control systems, software, cyberattack, vulnerability, information system.

For citation:
Khozyainova T. V., Shechev I. A., Kobzev D. A., Bengart Z. S., Kutlubaeva E. G. Organizing the monitoring of vulnerabilities in the CPCS software and hardware. Nauka i tehnologii truboprovodnogo transporta nefti i nefteproduktov - Science & Technologies: Oil and Oil Products Pipeline Transportation. 2019;9(4):458-466.
