Learning From Vulnerabilities - Categorising, Understanding and Detecting Weaknesses in Industrial Control Systems

Richard J. Thomas and Tom Chothia
Submitted to the 6th Workshop On The Security of Industrial Control Systems & of Cyber-Physical Systems (CyberICPS 2020)

Conference Proceeding Paper » Longer Paper »


Compared to many other areas of cyber security, vulnerabilities in industrial control systems (ICS) can be poorly understood. These systems form part of critical national infrastructure, where asset owners may not understand the security landscape and have potentially incorrect security assumptions for these closed source, operational technology (OT) systems. ICS vulnerability reports give useful information about single vulnerabilities, but there is a lack of guidance telling ICS owners what to look for next, or how to find these. In this paper, we analyse 9 years of ICS Advisory vulnerability announcements and we recategorise the vulnerabilities based on the detection methods and tools that could be used to find these weaknesses. We find that 8 categories are enough to cover 95% of the vulnerabilities in the dataset. This provides a guide for ICS owners to the most likely new vulnerabilities they may find in their systems and the best ways to detect them. We validate our proposed vulnerability categories by analysing a further 6 months of ICS Advisory reports, which shows that our categories continue to dominate the reported weaknesses. We further validate our proposed detection methods by applying them to a range of ICS equipment and finding four new critical security vulnerabilities.


This paper will be presented at the 6th Workshop On The Security of Industrial Control Systems & of Cyber-Physical Systems (CyberICPS 2020), in conjunction with ESORICS 2020.


We have published the Datasets that support this publication for the research community to use - please visit our RITICS Datasets GitHub Page.


The paper is available here.

A longer version of the paper with additional figures is available here.