{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,30]],"date-time":"2026-04-30T01:07:20Z","timestamp":1777511240631,"version":"3.51.4"},"reference-count":16,"publisher":"Springer Science and Business Media LLC","issue":"3","license":[{"start":{"date-parts":[[2023,4,8]],"date-time":"2023-04-08T00:00:00Z","timestamp":1680912000000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2023,4,8]],"date-time":"2023-04-08T00:00:00Z","timestamp":1680912000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"name":"Swedish national research Center on Resilient Information and Control Systems"},{"DOI":"10.13039\/501100004270","name":"Royal Institute of Technology","doi-asserted-by":"crossref","id":[{"id":"10.13039\/501100004270","id-type":"DOI","asserted-by":"crossref"}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["SN COMPUT. SCI."],"abstract":"<jats:title>Abstract<\/jats:title><jats:p>When protecting the Industrial Control Systems against cyber attacks, it is important to have as much information as possible to allocate defensive resources properly. In this paper we estimate the Time-To-Compromise of different Industrial Control Systems attack techniques by MITRE ATT&amp;CK. The Time-To-Compromise is estimated using an equation that takes into consideration the vulnerability data that exists for a specific asset and category of vulnerability. The vulnerability data is derived from an Industrial Control Systems specific vulnerability dataset. As a result, we present the mapping of the attack techniques to assets and categories of vulnerability, which makes it possible to apply specific vulnerabilities to the technique. We also present the method of how to estimate the Time-To-Compromise of the techniques and finally the values of Time-To-Compromise. After mapping the attack techniques to assets and category of vulnerability we are able to estimate the Time-To-Compromise and discuss its trustworthiness.<\/jats:p>","DOI":"10.1007\/s42979-023-01750-z","type":"journal-article","created":{"date-parts":[[2023,4,8]],"date-time":"2023-04-08T14:02:38Z","timestamp":1680962558000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":6,"title":["Estimating Time-To-Compromise for Industrial Control System Attack Techniques Through Vulnerability Data"],"prefix":"10.1007","volume":"4","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-9546-9463","authenticated-orcid":false,"given":"Engla","family":"Rencelj Ling","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Mathias","family":"Ekstedt","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","published-online":{"date-parts":[[2023,4,8]]},"reference":[{"key":"1750_CR1","unstructured":"Micro T. New Critical Infrastructure Facility Hit by Group Behind TRITON (2019). https:\/\/www.trendmicro.com\/vinfo\/pl\/security\/news\/cyber-attacks\/new-critical-infrastructure-facility-hit-by-group-behind-triton Accessed 13 Feb 2023"},{"key":"1750_CR2","unstructured":"Andreeva O, Gordeychik S, Gritsai G, Kochetova O, Potseluevskaya E, Sidorova SI, Timorin AA. Industrial Control Systems Vulnerability Statistics (2017). https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2016\/07\/07190426\/KL_REPORT_ICS_Statistic_vulnerabilities.pdf Accessed 13 Feb 2023"},{"key":"1750_CR3","doi-asserted-by":"publisher","unstructured":"Rencelj Ling E, Ekstedt M. Estimating the Time-To-Compromise of Exploiting Industrial Control System Vulnerabilities. In: Proceedings of the 8th International Conference on Information Systems Security and Privacy - ICISSP, pp. 96\u2013107. SciTePress, Portugal (2022). https:\/\/doi.org\/10.5220\/0010817400003120.INSTICC","DOI":"10.5220\/0010817400003120."},{"key":"1750_CR4","unstructured":"MITRE ATT &CK: ICS Techniques (2022). https:\/\/attack.mitre.org\/techniques\/ics\/ Accessed 13 Feb 2023"},{"key":"1750_CR5","doi-asserted-by":"publisher","first-page":"49","DOI":"10.1007\/978-0-387-36584-8_5","volume-title":"Quality of Protection","author":"MA McQueen","year":"2006","unstructured":"McQueen MA, Boyer WF, Flynn MA, Beitel GA. Time-to-compromise model for cyber risk reduction estimation. In: Gollmann D, Massacci F, Yautsiukhin A, editors. Quality of Protection. Boston, MA: Springer; 2006. p. 49\u201364."},{"key":"1750_CR6","doi-asserted-by":"publisher","unstructured":"Thomas RJ, Chothia T. Learning from vulnerabilities - categorising, understanding and detecting weaknesses in industrial control systems. In: Computer Security. Springer, Cham (2020). https:\/\/doi.org\/10.1007\/978-3-030-64330-0_7","DOI":"10.1007\/978-3-030-64330-0_7"},{"key":"1750_CR7","doi-asserted-by":"publisher","unstructured":"Nzoukou W, Wang L, Jajodia S, Singhal A. A unified framework for measuring a network\u2019s mean time-to-compromise. In: 2013 IEEE 32nd International Symposium on Reliable Distributed Systems, pp. 215\u2013224 (2013). https:\/\/doi.org\/10.1109\/SRDS.2013.30","DOI":"10.1109\/SRDS.2013.30"},{"key":"1750_CR8","doi-asserted-by":"publisher","unstructured":"Zieger A, Freiling F, Kossakowski K. The $$\\beta$$-time-to-compromise metric for practical cyber security risk estimation. In: 2018 11th International Conference on IT Security Incident Management IT Forensics (IMF), pp. 115\u2013133 (2018). https:\/\/doi.org\/10.1109\/IMF.2018.00017","DOI":"10.1109\/IMF.2018.00017"},{"key":"1750_CR9","unstructured":"FIRST: Common Vulnerability Scoring System SIG (2022). https:\/\/www.first.org\/cvss\/ Accessed 13 Feb 2023"},{"issue":"1","key":"1750_CR10","doi-asserted-by":"publisher","first-page":"52","DOI":"10.1109\/MSP.2008.9","volume":"6","author":"DJ Leversage","year":"2008","unstructured":"Leversage DJ, Byres EJ. Estimating a system\u2019s mean time-to-compromise. IEEE Secur Privacy. 2008;6(1):52\u201360. https:\/\/doi.org\/10.1109\/MSP.2008.9.","journal-title":"IEEE Secur Privacy"},{"key":"1750_CR11","doi-asserted-by":"publisher","first-page":"55","DOI":"10.7250\/csimq.2021-26.04","volume":"2021","author":"W Xiong","year":"2021","unstructured":"Xiong W, Hacks S, Robert L. A method for assigning probability distributions in attack simulation languages. Complex Syst Inform Model Q. 2021;2021:55\u201377. https:\/\/doi.org\/10.7250\/csimq.2021-26.04.","journal-title":"Complex Syst Inform Model Q"},{"key":"1750_CR12","unstructured":"Center for Threat Informed Defense: Using MITRE ATT &CK to Describe Vulnerabilities. https:\/\/github.com\/center-for-threat-informed-defense\/attack_to_cve Accessed 13 Feb 2023"},{"key":"1750_CR13","doi-asserted-by":"publisher","unstructured":"Ablon L, Bogart A. Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits. RAND Corporation, Santa Monica, CA (2017). https:\/\/doi.org\/10.7249\/RR1751","DOI":"10.7249\/RR1751"},{"key":"1750_CR14","doi-asserted-by":"crossref","unstructured":"Stouffer K, Pillitteri V, Lightman S, Abrams M, Hahn A. Guide to Industrial Control Systems (ICS) Security (2015). https:\/\/nvlpubs.nist.gov\/nistpubs\/SpecialPublications\/NIST.SP.800-82r2.pdf Accessed 13 Feb 2023","DOI":"10.6028\/NIST.SP.800-82r2"},{"key":"1750_CR15","unstructured":"Homeland Security: Common Cybersecurity Vulnerabilities in Industrial Control Systems (2011). https:\/\/www.cisa.gov\/uscert\/sites\/default\/files\/recommended_practices\/DHS_Common_Cybersecurity_Vulnerabilities_ICS_2010.pdf Accessed 13 Feb 2023"},{"key":"1750_CR16","unstructured":"Bromiley M. Think Like a Hacker: Inside the Minds and Methods of Modern Adversaries (2022). https:\/\/s3.us-east-2.amazonaws.com\/s3.bishopfox.com\/prod-1437\/Documents\/Reports\/SANS-Report-Hacker-Survey-2022.pdf Accessed 13 Feb 2023"}],"container-title":["SN Computer Science"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s42979-023-01750-z.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s42979-023-01750-z\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s42979-023-01750-z.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2023,4,30]],"date-time":"2023-04-30T10:25:25Z","timestamp":1682850325000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s42979-023-01750-z"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,4,8]]},"references-count":16,"journal-issue":{"issue":"3","published-online":{"date-parts":[[2023,5]]}},"alternative-id":["1750"],"URL":"https:\/\/doi.org\/10.1007\/s42979-023-01750-z","relation":{},"ISSN":["2661-8907"],"issn-type":[{"value":"2661-8907","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023,4,8]]},"assertion":[{"value":"13 October 2022","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"22 February 2023","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"8 April 2023","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors declare that they have no conflict of interest.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Conflict of interest"}}],"article-number":"318"}}