Mapping ICS Vulnerabilities: Prioritization and Risk Propagation Analysis with MITRE ATT&CK Framework and Bayesian Belief Networks

Abstract

The introduction of Industry 4.0 and the integration of Information Technology (IT) with Operational Technology (OT) have brought significant advancements to Industrial Control Systems (ICS). With the convergence of IT/OT, ICS not only have to counteract against faults for safety reasons, but also have to encounter new challenges stemming from the security realm with an impact on safety issues. Ensuring the security of ICS has gained importance as any breach can cause disruption in industrial processes, leading to system downtime, production loss, and endangering human lives. Vulnerability assessment has become a crucial aspect of security research in ICS. The MITRE ATT&CK framework is one of the knowledge bases used for vulnerability management. It can be used to map identified vulnerabilities to a specific tactic provided by the framework. This mapping provides organizations with a structured approach focusing on identifying potential entry points for attackers and their progression through the system. The attacker's control of ICS could lead to a safety impact on people, processes, and the environment. This paper uses the mapping as a tool to prioritize the vulnerabilities and attacker's propagation through the network and thus help in building an effective risk propagation network using the Bayesian Belief Network (BBN). The implementation of the methodology is done using a Modular Production System (MPS) as a use case.