Benchmarking vulnerability assessment tools for enhanced cyber-physical system (CPS) Resiliency

Emma McMahon; Mark Patton; Sagar Samtani; Hsinchun Chen

doi:10.1109/ISI.2018.8587353

Benchmarking vulnerability assessment tools for enhanced cyber-physical system (CPS) Resiliency

Emma McMahon, Mark Patton, Sagar Samtani, Hsinchun Chen

Management Information Systems

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Cyber-Physical Systems (CPSs) are engineered systems seamlessly integrating computational algorithms and physical components. CPS advances offer numerous benefits to domains such as health, transportation, smart homes and manufacturing. Despite these advances, the overall cybersecurity posture of CPS devices remains unclear. In this paper, we provide knowledge on how to improve CPS resiliency by evaluating and comparing the accuracy, and scalability of two popular vulnerability assessment tools, Nessus and OpenVAS. Accuracy and suitability are evaluated with a diverse sample of pre-defined vulnerabilities in Industrial Control Systems (ICS), smart cars, smart home devices, and a smart water system. Scalability is evaluated using a large-scale vulnerability assessment of 1,000 Internet accessible CPS devices found on Shodan, the search engine for the Internet of Things (IoT). Assessment results indicate several CPS devices from major vendors suffer from critical vulnerabilities such as unsupported operating systems, OpenSSH vulnerabilities allowing unauthorized information disclosure, and PHP vulnerabilities susceptible to denial of service attacks.

Original language	English (US)
Title of host publication	2018 IEEE International Conference on Intelligence and Security Informatics, ISI 2018
Editors	Dongwon Lee, Ghita Mezzour, Ponnurangam Kumaraguru, Nitesh Saxena
Publisher	Institute of Electrical and Electronics Engineers Inc.
Pages	100-105
Number of pages	6
ISBN (Electronic)	9781538678480
DOIs	https://doi.org/10.1109/ISI.2018.8587353
State	Published - Dec 24 2018
Event	16th IEEE International Conference on Intelligence and Security Informatics, ISI 2018 - Miami, United States Duration: Nov 9 2018 → Nov 11 2018

Other

Other	16th IEEE International Conference on Intelligence and Security Informatics, ISI 2018
Country	United States
City	Miami
Period	11/9/18 → 11/11/18

Fingerprint

benchmarking

Benchmarking

vulnerability

Scalability

Search engines

Internet

Cyber Physical System

Vulnerability

Assessment tools

Resiliency

Computer systems

Railroad cars

Health

Control systems

control system

search engine

manufacturing

Water

water

health

Keywords

Cybersecurity

ASJC Scopus subject areas

Computer Networks and Communications
Information Systems and Management
Safety, Risk, Reliability and Quality
Communication

Cite this

McMahon, E., Patton, M., Samtani, S., & Chen, H. (2018). Benchmarking vulnerability assessment tools for enhanced cyber-physical system (CPS) Resiliency. In D. Lee, G. Mezzour, P. Kumaraguru, & N. Saxena (Eds.), 2018 IEEE International Conference on Intelligence and Security Informatics, ISI 2018 (pp. 100-105). [8587353] Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/ISI.2018.8587353

Benchmarking vulnerability assessment tools for enhanced cyber-physical system (CPS) Resiliency. / McMahon, Emma; Patton, Mark; Samtani, Sagar; Chen, Hsinchun.

2018 IEEE International Conference on Intelligence and Security Informatics, ISI 2018. ed. / Dongwon Lee; Ghita Mezzour; Ponnurangam Kumaraguru; Nitesh Saxena. Institute of Electrical and Electronics Engineers Inc., 2018. p. 100-105 8587353.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

McMahon, E, Patton, M, Samtani, S & Chen, H 2018, Benchmarking vulnerability assessment tools for enhanced cyber-physical system (CPS) Resiliency. in D Lee, G Mezzour, P Kumaraguru & N Saxena (eds), 2018 IEEE International Conference on Intelligence and Security Informatics, ISI 2018., 8587353, Institute of Electrical and Electronics Engineers Inc., pp. 100-105, 16th IEEE International Conference on Intelligence and Security Informatics, ISI 2018, Miami, United States, 11/9/18. https://doi.org/10.1109/ISI.2018.8587353

McMahon E, Patton M, Samtani S, Chen H. Benchmarking vulnerability assessment tools for enhanced cyber-physical system (CPS) Resiliency. In Lee D, Mezzour G, Kumaraguru P, Saxena N, editors, 2018 IEEE International Conference on Intelligence and Security Informatics, ISI 2018. Institute of Electrical and Electronics Engineers Inc. 2018. p. 100-105. 8587353 https://doi.org/10.1109/ISI.2018.8587353

McMahon, Emma ; Patton, Mark ; Samtani, Sagar ; Chen, Hsinchun. / Benchmarking vulnerability assessment tools for enhanced cyber-physical system (CPS) Resiliency. 2018 IEEE International Conference on Intelligence and Security Informatics, ISI 2018. editor / Dongwon Lee ; Ghita Mezzour ; Ponnurangam Kumaraguru ; Nitesh Saxena. Institute of Electrical and Electronics Engineers Inc., 2018. pp. 100-105

@inproceedings{eb81735af2104a4591aa7f813498e6a2,

title = "Benchmarking vulnerability assessment tools for enhanced cyber-physical system (CPS) Resiliency",

abstract = "Cyber-Physical Systems (CPSs) are engineered systems seamlessly integrating computational algorithms and physical components. CPS advances offer numerous benefits to domains such as health, transportation, smart homes and manufacturing. Despite these advances, the overall cybersecurity posture of CPS devices remains unclear. In this paper, we provide knowledge on how to improve CPS resiliency by evaluating and comparing the accuracy, and scalability of two popular vulnerability assessment tools, Nessus and OpenVAS. Accuracy and suitability are evaluated with a diverse sample of pre-defined vulnerabilities in Industrial Control Systems (ICS), smart cars, smart home devices, and a smart water system. Scalability is evaluated using a large-scale vulnerability assessment of 1,000 Internet accessible CPS devices found on Shodan, the search engine for the Internet of Things (IoT). Assessment results indicate several CPS devices from major vendors suffer from critical vulnerabilities such as unsupported operating systems, OpenSSH vulnerabilities allowing unauthorized information disclosure, and PHP vulnerabilities susceptible to denial of service attacks.",

keywords = "Cybersecurity",

author = "Emma McMahon and Mark Patton and Sagar Samtani and Hsinchun Chen",

year = "2018",

month = "12",

day = "24",

doi = "10.1109/ISI.2018.8587353",

language = "English (US)",

pages = "100--105",

editor = "Dongwon Lee and Ghita Mezzour and Ponnurangam Kumaraguru and Nitesh Saxena",

booktitle = "2018 IEEE International Conference on Intelligence and Security Informatics, ISI 2018",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

}

TY - GEN

T1 - Benchmarking vulnerability assessment tools for enhanced cyber-physical system (CPS) Resiliency

AU - McMahon, Emma

AU - Patton, Mark

AU - Samtani, Sagar

AU - Chen, Hsinchun

PY - 2018/12/24

Y1 - 2018/12/24

N2 - Cyber-Physical Systems (CPSs) are engineered systems seamlessly integrating computational algorithms and physical components. CPS advances offer numerous benefits to domains such as health, transportation, smart homes and manufacturing. Despite these advances, the overall cybersecurity posture of CPS devices remains unclear. In this paper, we provide knowledge on how to improve CPS resiliency by evaluating and comparing the accuracy, and scalability of two popular vulnerability assessment tools, Nessus and OpenVAS. Accuracy and suitability are evaluated with a diverse sample of pre-defined vulnerabilities in Industrial Control Systems (ICS), smart cars, smart home devices, and a smart water system. Scalability is evaluated using a large-scale vulnerability assessment of 1,000 Internet accessible CPS devices found on Shodan, the search engine for the Internet of Things (IoT). Assessment results indicate several CPS devices from major vendors suffer from critical vulnerabilities such as unsupported operating systems, OpenSSH vulnerabilities allowing unauthorized information disclosure, and PHP vulnerabilities susceptible to denial of service attacks.

AB - Cyber-Physical Systems (CPSs) are engineered systems seamlessly integrating computational algorithms and physical components. CPS advances offer numerous benefits to domains such as health, transportation, smart homes and manufacturing. Despite these advances, the overall cybersecurity posture of CPS devices remains unclear. In this paper, we provide knowledge on how to improve CPS resiliency by evaluating and comparing the accuracy, and scalability of two popular vulnerability assessment tools, Nessus and OpenVAS. Accuracy and suitability are evaluated with a diverse sample of pre-defined vulnerabilities in Industrial Control Systems (ICS), smart cars, smart home devices, and a smart water system. Scalability is evaluated using a large-scale vulnerability assessment of 1,000 Internet accessible CPS devices found on Shodan, the search engine for the Internet of Things (IoT). Assessment results indicate several CPS devices from major vendors suffer from critical vulnerabilities such as unsupported operating systems, OpenSSH vulnerabilities allowing unauthorized information disclosure, and PHP vulnerabilities susceptible to denial of service attacks.

KW - Cybersecurity

UR - http://www.scopus.com/inward/record.url?scp=85061051171&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85061051171&partnerID=8YFLogxK

U2 - 10.1109/ISI.2018.8587353

DO - 10.1109/ISI.2018.8587353

M3 - Conference contribution

AN - SCOPUS:85061051171

SP - 100

EP - 105

BT - 2018 IEEE International Conference on Intelligence and Security Informatics, ISI 2018

A2 - Lee, Dongwon

A2 - Mezzour, Ghita

A2 - Kumaraguru, Ponnurangam

A2 - Saxena, Nitesh

PB - Institute of Electrical and Electronics Engineers Inc.

ER -

Access to Document

10.1109/ISI.2018.8587353