The document presents an empirical study on architectural security weaknesses in Industrial Control Systems (ICS), highlighting their critical role in infrastructure like manufacturing and utilities. It analyzes 988 security advisories from ICS-CERT, revealing that 62.86% of vulnerabilities are linked to architectural weaknesses with common issues including improper input validation and authentication flaws. The study emphasizes the necessity for practitioners to adopt improved security tactics, such as isolating ICS devices from untrusted networks and encrypting sensitive data.

1. Danielle Gonzalez ✦ Fawaz Alhenaki ✦ Mehdi Mirakhorli
An Empirical Study based on Disclosed Software Vulnerabilities
Architectural Security Weaknesses
in Industrial Control Systems (ICS)
IEEE International Conference on Software Architecture (ICSA)
Hamburg, Germany March 2019

2. 2
What Are Industrial Control Systems (ICS)?
ICS often support critical infrastructure:
• Manufacturing
• Oil & Gas Production
• Chemical Processing
• Electrical Power Grids
• Transportation
• More!

3. Architecture of Industrial Control Systems (ICS)
Human Machine Interface (HMI)
Engineering
Workstations
Data Historian Supervisory Control & Data
Acquisition (SCADA) Server
Switched Telephone,
Leased Line or Power Line
Based Communication
Radio, microwave,
or cellular
Satellite
Wide area network
Communication
Routers
Control Center
PLC
Field Site 1
RTU
Field Site 2
Wan Card
Modem
IED
Field Site 3
Modem
3
The PLCs, RTUS etc.
communicate with the
SCADA server using
industrial communication
protocols (Fieldbus)
2
HMIs are used by Humans to
configure the plant, troubleshoot
problems, run/stop/update
programs, and recover from failures
3
The Data Historian logs daily operational
data used for analysis & diagnosis
4
Programmable Logic
Controllers (PLCs) & Remote
Terminal Units (RTUs)
connect to sensors & actuators
1

4. 4
Security of Industrial Control Systems
ICS often support critical infrastructure:
• Manufacturing
• Oil & Gas Production
• Chemical Processing
• Electrical Power Grids
• Transportation
• More!
Implications
1. Security is a key concern
2. Attacks can affect national
safety & economics
3. Cannot be easily taken offline
for updates or patches
IEEE
Attacks to ICS infrastructures have exponentially
increased from a few to hundreds per year
Stouffer, Keith, Joe Falco, and Karen Scarfone. "Guide to industrial control systems (ICS) security." NIST special publication 800.82 (2011): 16-16.
Yang, Wen, and Qianchuan Zhao. "Cyber security issues of critical components for industrial control system." Proceedings of 2014 IEEE Chinese Guidance,
Navigation and Control Conference. IEEE, 2014.

5. 5
Examining Architectural Security Weaknesses in ICS
Dataset:
988 Security Advisories mined from the Industrial Control System
Cyber Emergency Response Team (ICS-CERT) repositories
RQ 1: Which ICS Components are Most Vulnerable?
RQ 2: What Percentage of ICS Vulnerabilities had Architectural Root Causes?
RQ 3: What are the Most Common Architectural Weaknesses in ICS?
RQ 4: Which Architectural Tactics are Most Often Compromised in ICS?
Research Questions:

6. 6
Industrial Control System Advisories (ICSA)
ICS vendors maintain advisories to report
security issues in their products
Advisory (ICSA-16-336-06)
OVERVIEW:
Alexey Osipov and Ilya Karpov of Positive Technologies have identified
vulnerabilities in Rockwell Automation’s Allen-Bradley MicroLogix 1100 and
1400 programmable logic controller (PLC) systems. Rockwell Automation has
produced new firmware versions to mitigate some of the vulnerabilities.
AFFECTED PRODUCTS:
1763-L16AWA, Series A and B, Version 14.000 and prior versions;
1763-L16BBB, Series A and B, Version 14.000 and prior versions;
[...]
IMPACT:
Successful exploitation of these vulnerabilities may allow a remote attacker to
gain unauthorized access to affected devices, as well as impact the availability
of affected devices.
VULNERABILITY CHARACTERIZATION:
CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION (CWE-319)
User credentials are sent to the web server in clear text, which may allow an
attacker to discover the credentials if they are able to observe traffic between
the web browser and the server.
EXPLOITABILITY:
These vulnerabilities could be exploited remotely.
[…]
Root
Cause
Common
Weakness
Enumeration
(CWE)
ICS-CERT collects these and
assigns them an ICSA identifier

7. 7
Identifying Vulnerable Components
A manual review process was used to identify ICS products and alternative names/abbreviations
Resources reviewed:
• Architectural documents of existing ICS products
• Reseach papers
• ICS application standards
17 components identified
§ 7 “common”
§ 10 “optional/variants”

8. 8
Component Specification
CommonComponents
Engineering
workstation
Reliable software designed for configuration, maintenance
and diagnostics of the control system applications and
equipment.
Data Historian
(HIST)
A system for logging all data in an ICS environment, this
data might be uses for analysis later.
Human-machine
Interface (HMI)
User interface that allows engineers and operators to
interact with the controller.
Intelligent
Electronic Device
A smart industrial device capable of acquiring data,
communicating with other devices, and automating
industrial processes.
Programmable
Logic Controllers
(PLC)
A solid-state control system often used in assembly lines,
or robotic devices, or activities that require high reliability
control, ease of programming and process fault diagnosis.
RTU (Remote
Terminal Unit)
Used to communicate with remote field equipment. PLCs
with radio communication capabilities are also used in
place of RTUs.
Supervisory
control software
(SCADA)
A system performing control functions used to control
dispersed assets using centralized data acquisition and
supervisory control.
Common
Industrial
Protocol (CIP)
Provides a set of services & messages for control, security,
synchronization, configuration, information that can be
integrated into networks.
Device Type
Manager
A driver-like software that provides an interface for device
configurations, maintenance, diagnostics &
troubleshooting.
Component Specification
CommonComponents
Engineering
workstation
Reliable software designed for configuration, maintenance
and diagnostics of the control system applications and
equipment.
Data Historian
(HIST)
A system for logging all data in an ICS environment, this
data might be uses for analysis later.
Human-machine
Interface (HMI)
User interface that allows engineers and operators to
interact with the controller.
Intelligent
Electronic Device
A smart industrial device capable of acquiring data,
communicating with other devices, and automating
industrial processes.
Programmable
Logic Controllers
(PLC)
A solid-state control system often used in assembly lines,
or robotic devices, or activities that require high reliability
control, ease of programming and process fault diagnosis.
RTU (Remote
Terminal Unit)
Used to communicate with remote field equipment. PLCs
with radio communication capabilities are also used in
place of RTUs.
Supervisory
control software
(SCADA)
A system performing control functions used to control
dispersed assets using centralized data acquisition and
supervisory control.
Common
Industrial
Protocol (CIP)
Provides a set of services & messages for control, security,
synchronization, configuration, information that can be
integrated into networks.
Device Type
Manager
A driver-like software that provides an interface for device
configurations, maintenance, diagnostics &
troubleshooting.
Distributed
Control Systems
(DCS)
SACAD variant, microprocessor based units distributed
functionally & geographically over the plant, situated near
area where control or data gathering functions being
performed.
Distributed
Network Protocol
a widely used protocol in electricity and/or water and
waste water treatment plants with three layers (data link,
Terminal Unit)
with radio communication capabilities are also used in
place of RTUs.
Supervisory
control software
(SCADA)
A system performing control functions used to control
dispersed assets using centralized data acquisition and
supervisory control.
Variation
Common
Industrial
Protocol (CIP)
Provides a set of services & messages for control, security,
synchronization, configuration, information that can be
integrated into networks.
Device Type
Manager
A driver-like software that provides an interface for device
configurations, maintenance, diagnostics &
troubleshooting.
Distributed
Control Systems
(DCS)
SACAD variant, microprocessor based units distributed
functionally & geographically over the plant, situated near
area where control or data gathering functions being
performed.
Distributed
Network Protocol
(DNP3)
a widely used protocol in electricity and/or water and
waste water treatment plants with three layers (data link,
application, and transport layer).
Fieldbus
A digital, serial, multi-drop, two-way data bus between
field equipment,. sensors, transducers, actuators, control
room devices.
Modbus
The de facto ICS communications protocol that uses serial
communications with PLCs.
Object Linking &
Embedding
(OLE) for Process
Control (OPC)
A set of open standards developed to promote
interoperability between disparate field devices,
automation/control, and business systems.
PAC
a "mashup" between a PC and a PLC in that it typically
offers the benefits of both in a single package.
Process Control
System (PCS)
SCADA variant, typically rack-mounted, processes sensor
input, executes control algorithms, and computes actuator
outputs.
Real time OS Operating System
Common Components
Optional / Variant ComponentsICS Components Used in This Study

9. 9
Identifying Vulnerable Components
ICS Component Terms in Dictionary
Programmable Logic
Controllers
Programmable Logic Controllers, PLC, control loop, logic
controller
Distributed Control
Systems
Distributed Control Systems, DCS, digital processor control
system, process manager
Fieldbus Fieldbus, Field Device
Supervisory Control
Software
Supervisory control software, SCADA, supervisory control
and data acquisition
Human-machine Interface
Human-machine Interface, HMI, Human Machine Interface,
Web Interface, operator
Remote Terminal Unit Remote Terminal Units, RTUs, RTU, Remote Terminal Unit
Data Historian
data historian, Operational Historian, HIST, process data
archive, historian
Sample of Component-Term Dictionary
Component-Term DictionaryText Data from Advisories
ICS Component Terms in Dictionary
Programmable Logic
Controllers
Programmable Logic Controllers, PLC, control loop, logic
controller
Distributed Control
Systems
Distributed Control Systems, DCS, digital processor control
system, process manager
Fieldbus Fieldbus, Field Device
Supervisory Control
Software
Supervisory control software, SCADA, supervisory control
and data acquisition
Human-machine Interface
Human-machine Interface, HMI, Human Machine Interface,
Web Interface, operator
Remote Terminal Unit Remote Terminal Units, RTUs, RTU, Remote Terminal Unit
Data Historian
data historian, Operational Historian, HIST, process data
archive, historian
Text Processing Script (Keyword Search)
55.06% of reports
mentioned at least 1 of the
17 components

10. 10
RQ1: Which ICS Components are Most Vulnerable?
Real
tim
e
Variation
Common
Industrial
Protocol (CIP) 13
Device Type
Manager 14
Distributed
Control
Systems 16
DNP3
(Distributed
Network
Protocol) 39
Fieldbus 18
Modbus 31
OPC (OLE for Process
Control) 57 PAC 6
Process Control
System (PCS) 42
Common Components
Engineering
workstation 15
HIST 25
HMI 257 Intelligent
Electronic
device 3
Master
Terminal Unit
(MTU) 8Programmable Logic Controllers
(PLC) 114
RTU (Remote
Terminal Unit)
32
SCADA (Supervisory control software) 212
ICS Component # of Reports
Human-machine Interface (HMI) 257
Supervisory Control Software (SCADA) 212
Programmable Logic Controllers (PLC) 114
OLE for Process Control (OPC) 57
Process Control System (PCS) 42
Distributed Network Protocol (DNP3) 39
Remote Terminal Unit (RTU) 32
Modbus 31
Data Historian (HIST) 25
Building Automation System (BAS) 19
10 Most Vulnerable ICS Components

11. 11
RQ2: What % of ICS Vulnerabilities had an Architectural Root Cause?
https://cwe.mitre.org/data/definitions/1008.html
Santos, J. C. S., Peruma, A., Mirakhorli, M., Galster, M. and Sejfia, A.. "Understanding
Software Vulnerabilities Related to Architectural Security Tactics: An Empirical
Investigation of Chromium, PHP and Thunderbird.". pages 69 - 78. 2017 IEEE
International Conference on Software Architecture (ICSA). 2017.
Common Architectural Weakness Enumeration

12. 12
Identifying ICS Advisories with Architectural Root Causes
Text Data from Advisories
CAWE Mapping
https://cwe.mitre.org/data/definitions/1008.html
RQ2: What % of ICS Vulnerabilities had an Architectural Root Cause?
62.86% (540) of ICS Advisories were
associated with 1 or more architectural
weakness (CAWE)
IDs in the text
were mapped to
the IDs in the
CAWE catalog

13. 13
RQ3: What is the Most Common Architectural Weakness in ICS?
Tactic CAWE Frequency
Validate Inputs CAWE-20 Improper Input Validation 142
Validate Inputs CAWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') 75
Authenticate Actors CAWE-287 Improper Authentication 70
Authorize Actors CAWE-284 Improper Access Control 63
Validate Inputs CAWE-352 Cross-Site Request Forgery (CSRF) 45
Authenticate Actors CAWE-798 Use of Hard-coded Credentials 44
Validate Inputs CAWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') 37
Authenticate Actors CAWE-259 Use of Hard-coded Password 20
Encrypt Data CAWE-522 Insufficiently Protected Credentials 18
Validate Inputs CAWE-94 Improper Control of Generation of Code ('Code Injection') 17
Authenticate Actors CAWE-306 Missing Authentication for Critical Function 16
Authorize Actors CAWE-434 Unrestricted Upload of File with Dangerous Type 14
Authorize Actors CAWE-269 Improper Privilege Management 13
Encrypt Data CAWE-326 Inadequate Encryption Strength 13
Encrypt Data CAWE-312 Cleartext Storage of Sensitive Information 12
Validate Inputs CAWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') 12
Authorize Actors CAWE-285 Improper Authorization 11
Encrypt Data CAWE-319 Cleartext Transmission of Sensitive Information 10
Encrypt Data CAWE-311 Missing Encryption of Sensitive Data 10
Encrypt Data CAWE-256 Unprotected Storage of Credentials 10
26.29%
of reports
with
CAWEs
20 Most Common Architectural Weaknesses in ICS

14. 14
RQ4: Which Architectural Tactic Implementations are
Compromised Most Often in ICS?
Tactic Frequency
Validate Inputs 199
Encrypt Data 104
Authenticate Actors 93
Authorize Actors 73
Limit Access 12
Cross-Cutting 7
Identify Actors 6
Manage User Sessions 6
Verify Message Integrity 4
Audit 1
• We found ICS Advisories associated with 10 of
the 12 Architectural Tactics
• From the 540 ICS Advisories associated with
CAWEs, 3 tactics were compromised most often.
10 Compromised Architectural Tactics

15. 15
How do these findings compare to those for Enterprise Web Applications?
Architectural Weaknesses in ICS
To understand if the top weaknesses were unique to ICS,
we mapped our CAWE findings to the CWEs in the OWASP
Top 10 risks from 2017
4 of our top 20 could
not be mapped,
including our #1
weakness
Improper Input
Validation
OWASP Top 10 ICS Architectural Weaknesses
A1-Injection
• Rank#7: CWE-89 SQL Injection
• Rank#10: CWE-94 Code Injection
• Rank#16: CWE-78 OS Command Injection
A2-Broken Authentication
• Rank#3: CWE-287 Improper Authentication
• Rank#9: CWE-522 Insufficiently Protected
Credentials
• Rank#11: CWE-306 Missing Authentication of
Critical Function
• Rank#20: CWE-256 Unprotected Storage of
Credentials
• Rank#6: CWE-798 Use of Hard-coded
Credentials
• Rank#8: CWE-259 Use of Hard-coded Password
A3-Sensitive Data Exposure
• Rank#15: CWE-312 Cleartext Storage of
Sensitive Info.
• Rank#18: CWE-319 Cleartext Transmission
of Sensitive Info.
• Rank#19: CWE-311 Missing Encryption of
Sensitive Data
A4-XML External Entities (XXE) N/A
A5-Broken Access Control
• Rank#4: CWE-284 Improper Access Control
• Rank#13: CWE-269 Improper Privilege
Management
• Rank#17: CWE-285 Improper Authorization
A6-Security Misconfiguration N/A
A7-Cross-Site Scripting (XSS) • Rank#2: CWE-79 Cross-site Scripting
A8-Insecure Deserialization N/A
A9-Using Vulnerable Components N/A
A10-Insufficient Logging N/A

16. 16
Summary & Implications for Practitioners
Most Vulnerable ICS Components Most Frequently Compromised Architectural Tactics
1. Isolate Control System Devices and/or Systems from Untrusted Networks
2. Sanitize User’s Inputs to ICS Components and Devices
3. Encrypt Sensitive Data
4. Secure ICS Endpoints
5. Follow a Tactic-centric Approach to ICS Security
6. Use a Protected Network Environment for Unpatched Devices
Implications for Practitioners
62.86% (540) of ICS Advisories studied were associated with 1 or more architectural weakness (CAWE)
Most Common Architectural Weaknesses in ICS

17. Danielle Gonzalez ✦ Fawaz Alhenaki ✦ Mehdi Mirakhorli
An Empirical Study based on Disclosed Software Vulnerabilities
Architectural Security Weaknesses
in Industrial Control Systems (ICS)
IEEE International Conference on Software Architecture (ICSA)
Hamburg, Germany March 2019
Questions? Contact dng2551@rit.edu or mxmvse@rit.edu
@dngonza

18. 18
Common Weakness Enumeration
https://cwe.mitre.org
https://cwe.mitre.org/data/definitions/20.html

19. 19
Data Model