Journal of Information Technology Services (한국IT서비스학회지)

Korea Society of IT Services (한국IT서비스학회)
권호 표지
DOI QR코드

DOI QR Code

Developing a Classification of Vulnerabilities for Smart Factory in SMEs: Focused on Industrial Control Systems

중소기업용 스마트팩토리 보안 취약점 분류체계 개발: 산업제어시스템 중심으로

  • 정재훈 (충북대학교 융합보안학과) ;
  • 김태성 (충북대학교 경영정보학과/보안경제연구소/BK21작업장안전CPS연구단)
  • Received : 2022.03.08
  • Accepted : 2022.10.12
  • Published : 2022.10.31
Download PDF
⟨ Previous Next ⟩

Abstract

The smart factory has spread to small and mid-size enterprises (SMEs) under the leadership of the government. Smart factory consists of a work area, an operation management area, and an industrial control system (ICS) area. However, each site is combined with the IT system for reasons such as the convenience of work. As a result, various breaches could occur due to the weakness of the IT system. This study seeks to discover the items and vulnerabilities that SMEs who have difficulties in information security due to technology limitations, human resources, and budget should first diagnose and check. First, to compare the existing domestic and foreign smart factory vulnerability classification systems and improve the current classification system, the latest smart factory vulnerability information is collected from NVD, CISA, and OWASP. Then, significant keywords are extracted from pre-processing, co-occurrence network analysis is performed, and the relationship between each keyword and vulnerability is discovered. Finally, the improvement points of the classification system are derived by mapping it to the existing classification system. Therefore, configuration and maintenance, communication and network, and software development were the items to be diagnosed and checked first, and vulnerabilities were denial of service (DoS), lack of integrity checking for communications, inadequate authentication, privileges, and access control in software in descending order of importance.

Keywords

References

  1. ADT캡스, 2021년도 상반기 보안 트렌드, 2021.
  2. 김경호, "산업제어시스템 보안", 주간기술동향 1981호, 2021.
  3. 김희현, 유진호, "제어시스템의 웹 취약점에 대한 현황과 연구", 한국전자거래학회지, 제24권, 제2호, 2019, 15-27. https://doi.org/10.7838/JSEBS.2019.24.2.015
  4. 나중찬, 조현숙. "보안측면에서의 산업제어시스템 비정상 행위 분류", 정보보호학회논문지, 제23권, 제2호, 2013, 329-337. https://doi.org/10.13089/JKIISC.2013.23.2.329
  5. 박현애, 김성원, 이환수, "중소기업 기술보호 지원제도의 활성화 방안 연구", 중소기업연구, 제42권, 제1호, 2020, 1-17.
  6. 배병환, "주요국 스마트공장 보안 동향 분석 및 시사점", 주간기술동향 1920호, 2019.
  7. 이송하, 전효정, 김태성, "한국형 스마트팩토리 확산을 위한 사이버보안 위험관리 방안", 한국통신학회논문지, 제43권, 제10호, 2018, 1741-1750.
  8. 이희조, "스마트팩토리 취약성 분석", 2021 차세대 인프라 보안 워크숍, 2021.
  9. 정보통신기술진흥센터, ICT 기술수준조사보고서, 2017.
  10. 정제용, 김용호, Victoria Wang, "한국의 중소기업에 대한 사이버 보안 위협, 거버넌스 방안 및 시사점", 한국산업보안연구, 제10권, 제1호, 2020, 81-109.
  11. 중소기업기술정보진흥원, 중소기업 전략기술로드맵 2021-2023, 2020.
  12. 중소기업연구원, 중소기업 기술보호 지원정책의 현황 및 과제, 2014.
  13. 중소벤처기업부, 스마트공장 보급 2만개 달성, 2021.
  14. 한국인터넷진흥원, 스마트공장 사이버보안 가이드, 2019, 80-82.
  15. 한국정보보호산업협회, 2020년 정보보호 실태조사, 2021.
  16. Ahakonye, L.A.C., C.I. Nwakanma, J.-M. Lee, and D.-S. Kim, "Efficient Classification of Enciphered SCADA Network Traffic in Smart Factory Using Decision Tree Algorithm", IEEE Access, Vol. 9, 2021, 154892-154901. https://doi.org/10.1109/ACCESS.2021.3127560
  17. Ani, U.D., H. He, and A. Tiwari, "Vulnerability-Based Impact Criticality Estimation for Industrial Control Systems", 2020 International Conference on Cyber Security and Protection of Digital Services (Cyber Security), 2020, 1-8.
  18. Chen, Y., X. Lian, D. Yu, S. Lv, S. Hao, and Y. Ma, "Exploring Shodan from the Perspective of Industrial Control Systems", IEEE Access, Vol. 8, 2020, 75359-75369. https://doi.org/10.1109/ACCESS.2020.2988691
  19. Cisco, Cisco Annual Internet Report (2018-2023) White Paper, 2020.
  20. Cybersecurity & Infrastructure Security Agency (CISA), Retrieved Nov. 22, 2021, Available at http://www.cisa.gov/uscert/ics.
  21. Cybint, 15 Alarming Cyber Security Facts and Stats, Retrieved Jun. 22, 2021, Available at http://www.cybintsolutions.com/cyber-security-facts-stats/.
  22. Fortinet, Securing Industrial Control Systems with Fortinet: IEC-62443 Compliance Endto-End Security, 2019.
  23. Gartner, Hype Cycle for Manufacturing Operations Strategy, 2020.
  24. Gensen Web, Retrieved Nov. 18, 2021, Available at http://gensen.dl.itc.u-tokyo.ac.jp/gensenweb_eng.html.
  25. Green, B., D. Prince, J. Busby, and D. Hutchison. "The Impact of Social Engineering on Industrial Control System Security", In Proceedings of the First ACM Workshop on Cyber-Physical Systems-Security and/or PrivaCy (CPS-SPC '15), Association for Computing Machinery, 2015, 23-29.
  26. Hasselquist, D., A. Rawat, and A. Gurtov, "Trends and Detection Avoidance of Internet-Connected Industrial Control Systems", IEEE Access, Vol. 7, 2019, 155504-155512. https://doi.org/10.1109/ACCESS.2019.2948793
  27. Hou, Y., J. Such, and A. Rashid, "Understanding Security Requirements for Industrial Control System Supply Chains", 2019 IEEE/ACM 5th International Workshop on Software Engineering for Smart Cyber-Physical Systems (SEsCPS), 2019, 50-53.
  28. KH Coder, Retrieved Nov. 09, 2021, Available at http://khcoder.net/en/.
  29. Khan, S. and S.E. Madnick, "Cybersafety: A System-theoretic Approach to Identify Cybervulnerabilities & Mitigation Requirements in Industrial Control Systems", IEEE Transactions on Dependable and Secure Computing, 2021, doi: 10.1109/TDSC.2021.3093214.
  30. Larkin, R.D., J. Lopez, J.W. Butts, and M.R. Grimaila. "Evaluation of Security Solutions in the SCADA Environment", SIGMIS Database, Vol. 45, , No. 1, 2014, 38-53. https://doi.org/10.1145/2591056.2591060
  31. Lee, T., S. Kim, and K. Kim, "A Research on the Vulnerabilities of PLC using Search Engine," 2019 International Conference on Information and Communication Technology Convergence (ICTC), 2019, 184-188.
  32. Lin, H., A. Slagell, Z. Kalbarczyk, P.W. Sauer, and R.K. Iyer, "Semantic Security Analysis of SCADA Networks to Detect Malicious Control Commands in Power Grids", In Proceedings of the First ACM Workshop on Smart Energy Grid Security (SEGS '13), Association for Computing Machinery, 2013, 29-34.
  33. Luo, Z., F. Zuo, Y. Shen, X. Jiao, W. Chang, and Y. Jiang, "ICS Protocol Fuzzing: Coverage Guided Packet Crack and Generation", 2020 57th ACM/IEEE Design Automation Conference (DAC), 2020, 1-6.
  34. National Vulnerability Database (NVD), Retrieved Oct. 12, 2021, Available at http://nvd.nist.gov/.
  35. NIST, Guide to Industrial Control Systems (ICS) Security, SP800-82 Rev. 2, 2015.
  36. Open Web Application Security Project(OWASP), OWASP Top 10, Retrieved Oct. 12, 2021, Available at http://owasp.org/.
  37. Pospisil, O., P. Blazek, R. Fujdiak, and J. Misurec, "Active Scanning in the Industrial Control Systems", 2021 International Symposium on Computer Science and Intelligent Controls (ISCSIC), 2021, 227-232.
  38. Shahzad, A., S. Musa, A. Aborujilah, and M. Irfan. "Industrial Control Systems(ICSs) Vulnerabilities Analysis and SCADA Security Enhancement Using Testbed Encryption", In Proceedings of the 8th International Conference on Ubiquitous Information Management and Communication (ICUIMC '14), Association for Computing Machinery, Article 7, 2014, 1-6.
  39. Trend Micro Incorporated, The State of Industrial Cybersecurity: Converging IT and OT with People, Process, and Technology, 2021, 4.