A host-based security assessment architecture for Industrial Control systems

Abstract

Computerized control systems perform vital functions across many critical infrastructures throughout the nation. These systems can be vulnerable to a variety of attacks leading to devastating consequences like loss of production, interruption in distribution of public utilities and most importantly endangering public safety. This calls for an approach to halt attacks in their tracks before being able to do any harm to these systems. Vulnerability assessment performed on these systems can identify and assess potential vulnerabilities in a control system network, before they are exploited by malicious intruders. An effective vulnerability assessment architecture should assimilate security knowledge from multiple sources to uncover all the vulnerabilities present on a host. Legitimate concerns arise since host-based security scanners typically need to run at administrative privileges, and takes input from external knowledge sources for the analysis making it imperative that the scanner be trustworthy. Intentionally or otherwise, ill-formed input may compromise the scanner and the whole system if the scanner is susceptible to, or carries one or more vulnerability itself. We have implemented the scanning architecture in the context of an enterprise-level security analyzer.The analyzer finds security vulnerabilities present on a host according to the third-party security knowledge specified in Open Vulnerability Assessment Language(OVAL). This paper presents an architecture where a host-based security scanner's code base can be minimized to an extent where its correctness can be verified by adequate vetting. Moreover, the architecture also allows for leveraging third-party security knowledge efficiently and supports various higher-level security analysis.