A Novel Model for Vulnerability Analysis through Enhanced Directed Graphs and Quantitative Metrics

Garitano, Iñaki

dc.rights.license	Attribution 4.0 International	*
dc.contributor.author	Garitano, Iñaki
dc.contributor.other	Longueira-Romero, Angel
dc.contributor.other	Iglesias, Rosa
dc.contributor.other	Flores, José Luis
dc.date.accessioned	2022-07-12T14:59:15Z
dc.date.available	2022-07-12T14:59:15Z
dc.date.issued	2022
dc.identifier.issn	1424-8220	en
dc.identifier.other	https://katalogoa.mondragon.edu/janium-bin/janium_login_opac.pl?find&ficha_no=167549	en
dc.identifier.uri	https://hdl.handle.net/20.500.11984/5635
dc.description.abstract	The rapid evolution of industrial components, the paradigm of Industry 4.0, and the new connectivity features introduced by 5G technology all increase the likelihood of cybersecurity incidents. Such incidents are caused by the vulnerabilities present in these components. Designing a secure system is critical, but it is also complex, costly, and an extra factor to manage during the lifespan of the component. This paper presents a model to analyze the known vulnerabilities of industrial components over time. The proposed Extended Dependency Graph (EDG) model is based on two main elements: a directed graph representation of the internal structure of the component, and a set of quantitative metrics based on the Common Vulnerability Scoring System (CVSS). The EDG model can be applied throughout the entire lifespan of a device to track vulnerabilities, identify new requirements, root causes, and test cases. It also helps prioritize patching activities. The model was validated by application to the OpenPLC project. The results reveal that most of the vulnerabilities associated with OpenPLC were related to memory buffer operations and were concentrated in the libssl library. The model was able to determine new requirements and generate test cases from the analysis.	en
dc.description.sponsorship	Comisión Europea	es
dc.description.sponsorship	Gobierno de España	es
dc.description.sponsorship	Gobierno Vasco	es
dc.language.iso	eng	en
dc.publisher	MDPI	en
dc.rights	© 2022 by the authors. Licensee MDPI	en
dc.rights.uri	http://creativecommons.org/licenses/by/4.0/	*
dc.subject	CPE	es
dc.subject	CVE	es
dc.subject	CVSS	es
dc.subject	CWE	es
dc.subject	CAPEC	es
dc.subject	directed graph	en
dc.subject	IACS	es
dc.subject	cybersecurity	en
dc.subject	vulnerability	en
dc.subject	assessment	en
dc.subject	security metrics	en
dc.subject	IEC 62443	en
dc.subject	OpenPLC	en
dc.title	A Novel Model for Vulnerability Analysis through Enhanced Directed Graphs and Quantitative Metrics	en
dcterms.accessRights	http://purl.org/coar/access_right/c_abf2	en
dcterms.source	Sensors	en
local.contributor.group	Análisis de datos y ciberseguridad	es
local.description.peerreviewed	true	en
local.identifier.doi	https://doi.org/10.3390/s22062126	en
local.relation.projectID	info:eu-repo/grantAgreement/EC/H2020/957212/EU/Automated protection and prevention to meet security requirements in DevOps Enviroments/VERIDEVOPS	en
local.relation.projectID	info:eu-repo/grantAgreement/GE/Ayudas Cervera para Centros Tecnológicos CDTI/CER-20191012/ES/Red de Excelencia en Tecnologías de Seguridad y Privacidad/EGIDA	en
local.relation.projectID	info:eu-repo/grantAgreement/GV/Elkartek 2021/KK-2021-00091/CAPV/REal tiME control and embeddeD securitY/REMEDY	en
local.rights.publicationfee	APC	en
local.contributor.otherinstitution	https://ror.org/03hp1m080	es
local.source.details	.Vol. 22. N. 6. N. artículo 2126, 2022	en
oaire.format.mimetype	application/pdf
oaire.file	$DSPACE\assetstore
oaire.resourceType	http://purl.org/coar/resource_type/c_6501	en
oaire.version	http://purl.org/coar/version/c_970fb48d4fbd8a85	en