Analysis of Exploitable Vulnerability Sequences in Industrial Networked Systems: A Proof of Concepts

Software vulnerabilities can affect the security of any computer and industrial networked systems are no exception. Information about known vulnerabilities and possible countermeasures is being collected and published since several years, however the methodical introduction of changes and/or software patches in many industrial networks is not always possible, so that some known flaws can be left untreated as they are not considered harmful in principle. Unfortunately, a suitable combination (sequence) of vulnerabilitieswhich are not dangerouswhen considered as insulated, can provide undesired attack paths tomalicious users. This paper deals with the automated discovery of such sequences of known vulnerabilities in industrial scenarios by leveraging an analysis framework already developed for the verification of access control policies in realworld systems.