융합정보논문지 (Journal of Convergence for Information Technology)

중소기업융합학회 (Convergence Society for SMB)
권호 표지
DOI QR코드

DOI QR Code

상용 OS기반 제어시스템 확률론적 취약점 평가 방안 연구

A Study on the Probabilistic Vulnerability Assessment of COTS O/S based I&C System

  • 엄익채 (한전KDN(주) 보안컨설팅팀)
  • 투고 : 2019.07.18
  • 심사 : 2019.08.20
  • 발행 : 2019.08.28
PDF 다운로드
⟨ 이전 논문 다음 논문 ⟩

초록

본 연구는 즉시 패치가 어려운 상용 운영체제 기반의 계측제어시스템의 취약점 평가 방안 및 시간의 경과에 따른 위험의 크기를 정량적으로 파악하는 것이다. 연구 대상은 상용 OS가 탑재된 계측제어시스템의 취약점 발견과 영향의 크기이다. 연구에서는 즉각 취약점 조치가 힘든 디지털 계측제어시스템의 취약점 분석 및 조치방법을 연구함으로써, 계측제어시스템이 존재하는 핵심기반시설의 전체적인 사이버보안 위험과 취약점을 정량적으로 파악하는 것이다. 본 연구에서 제안한 확률론적 취약점 평가 방안은 즉각적인 취약점 패치가 어려운 상용 운영체제 기반의 계측제어시스템에서 취약점 패치 우선 순위 및 패치가 불 가능시 수용 가능한 취약점의 임계값 설정, 공격 경로에 대한 파악을 가능하게 하는 모델링 방안을 제시한다.

The purpose of this study is to find out quantitative vulnerability assessment about COTS(Commercial Off The Shelf) O/S based I&C System. This paper analyzed vulnerability's lifecycle and it's impact. this paper is to develop a quantitative assessment of overall cyber security risks and vulnerabilities I&C System by studying the vulnerability analysis and prediction method. The probabilistic vulnerability assessment method proposed in this study suggests a modeling method that enables setting priority of patches, threshold setting of vulnerable size, and attack path in a commercial OS-based measurement control system that is difficult to patch an immediate vulnerability.

키워드

JKOHBZ_2019_v9n8_35_f0001.png 이미지

Fig. 1. Vulnerability Patch Process by DHS

JKOHBZ_2019_v9n8_35_f0002.png 이미지

Fig. 2. Structure of Digital I&C System

JKOHBZ_2019_v9n8_35_f0003.png 이미지

Fig. 3. Classification of Quantitative Security Metric

JKOHBZ_2019_v9n8_35_f0004.png 이미지

Fig. 4. Transition Matrix

JKOHBZ_2019_v9n8_35_f0005.png 이미지

Fig. 5. Proposed Probabilistic Vulnerability Assessment Framework

JKOHBZ_2019_v9n8_35_f0006.png 이미지

Fig. 6. Proposed Probabilistic Vulnerability Assessment Process

JKOHBZ_2019_v9n8_35_f0007.png 이미지

Fig. 7. Proposed Predictive modeling Process

JKOHBZ_2019_v9n8_35_f0008.png 이미지

Fig. 8. Proposed modeling's pseudo algorithm

JKOHBZ_2019_v9n8_35_f0009.png 이미지

Fig. 9. Predictive modeling process

JKOHBZ_2019_v9n8_35_f0010.png 이미지

Fig. 10. Case-Initial Attack Graph

JKOHBZ_2019_v9n8_35_f0011.png 이미지

Fig. 11. Case1-Attack Graph combined with VDM

JKOHBZ_2019_v9n8_35_f0012.png 이미지

Fig. 12. Case2-Attack Graph combined with VDM

참고문헌

  1. S. Y. Oh. & J. K. Hong. (2018). Vulnerability Case Analysis of Wireless Moving Vehicle. Journal of the Korea convergence society, 9(8), 41-46. DOI : 10.15207/JKCS.2018.9.8.041
  2. J. K. Cho. (2019). Study on Improvement of Vulnerability Diagnosis Items for PC Security Enhancement. Journal of Convergence for information Technology, 9(3), 1-7. DOI : 10.22156/CS4SMB.2019.9.3.001
  3. Recommended Practice for Patch Management of Control Systems. (2008). Department of Homeland Security. (pp. 23-24).
  4. L. S. IS. (2018). Digital I&C System Diagram. LS IS Product. http://www.lsis.com/ko/product/view/P01211
  5. Pubudu et al. (2018). Non-Homogeneous Stochastic Model for Cyber Security Predictions. The Journal of Information Security. (pp. 12-24). DOI : 10.15207/JKCS.2018.9.8.041
  6. Karen Scarfone. (2009). An analysis of CVSS version 2 vulnerability scoring. ESEM '09 Proceedings of the 2009 3rd International Symposium on Empirical Software Engineering and Measurement. (pp. 516-525). DOI : 10.1109/ESEM.2009.5314220
  7. S. M. Rajasooriya & C. P. Tsokos. (2017). Cybersecurity: Nonlinear Stochastic models for Predicting the Exploitability. The Journal of information Security. (pp. 125-140). DOI : 10.4236/jis.2017.82009
  8. P. Ammann. (2002). Scalable, graph-based network vulnerability analysis. Proceedings of the 9th ACM conference on Computer and communications security. (pp. 217-224). DOI : 10.1145/586110.586140
  9. S. Jah. (2002). Two formal analyses of attack graphs. The Proceedings 15th IEEE Computer Security Foundations Workshop. DOI : 10.1109/CSFW.2002.1021806
  10. S. Abraham. & S. Nair. (2014). Cyber Security Analytics: A Stochastic Model for Security Quantification Using Absorbing Markov Chains. Journal of Communications, 9(12), 899-907. DOI : 10.12720/jcm.9.12.899-907
  11. A. Reibman & K. Trivedi. (1998). Numerical transient analysis of markov models. Computer & Operations Research, 15(1), 19-36. DOI : 10.1016/0305-0548(88)90026-3
  12. B. A. Craig. (2002). Estimation of the transition matrix of a discrete time Markov chain. Health Economics, 11(1), 33-42. DOI : 10.1002/hec.654
  13. S. Swapna. (2004). Analysis of Software Fault Removal Policies Using a Non-Homogeneous Continuous Time Markov Chain. Software Quality Journal, 12(3). (pp. 211-230). DOI : 10.1023/B:SQJO.0000034709.63615.8b
  14. A. Andan & S. Munmad. (2005). Verifying continuous time Markov chains. International Conference on Computer Aided Verification. (pp. 269-276). DOI : 10.1007/3-540-61474-5_75
  15. G. Laurent. (2011). Vulnerability Discrimination Using CVSS Framework. 2011 4th IFIP International Conference on New Technologies, Mobility and Security. DOI : 10.1109/NTMS.2011.5720656
  16. S. Roger. (1989). Markov and Markov reward model transient analysis: An overview of numerical approaches. European journal of Operation Research, 40(2). 257-267. DOI : 10.1016/0377-2217(89)90335-4
  17. N. Skku. (2015). Exploitability analysis using predictive cyber security framework. 2015 IEEE 2nd International Conference on Cybernetics. DOI : 10.1109/CYBConf.2015.7175953
  18. J. Y. Kim. (2007). Vulnerability Discovery in Multi version software systems. 10th IEEE High Assurance Systems Engineering Symposium.. DOI : 10.1109/HASE.2007.55