{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,2]],"date-time":"2026-02-02T01:27:17Z","timestamp":1769995637933,"version":"3.49.0"},"reference-count":48,"publisher":"Association for Computing Machinery (ACM)","issue":"1","license":[{"start":{"date-parts":[[2017,6,13]],"date-time":"2017-06-13T00:00:00Z","timestamp":1497312000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["Proc. ACM Meas. Anal. Comput. Syst."],"published-print":{"date-parts":[[2017,6,13]]},"abstract":"<jats:p>Industrial Control Systems (ICS) are widely deployed in mission critical infrastructures such as manufacturing, energy, and transportation. The mission critical nature of ICS devices poses important security challenges for ICS vendors and asset owners. In particular, the patching of ICS devices is usually deferred to scheduled production outages so as to prevent potential operational disruption of critical systems. Unfortunately, anecdotal evidence suggests that ICS devices are riddled with security vulnerabilities that are not patched in a timely manner, which leaves them vulnerable to exploitation by hackers, nation states, and hacktivist organizations.<\/jats:p>\n          <jats:p>In this paper, we present the results from our longitudinal measurement and characterization study of ICS patching behavior. Our study is based on IP scan data collected from Shodan over the duration of three years for more than 500 known industrial ICS protocols and products. Our longitudinal measurements reveal the impact of vulnerability disclosures on ICS patching. Our analysis of more than 100 thousand Internet-exposed ICS devices reveals that about 50% upgrade to newer patched versions within 60 days of a vulnerability disclosure. 
Based on our measurement and analysis, we further propose a variation of the Bass model to forecast the patching behavior of ICS devices. The evaluation shows that our proposed models have comparable prediction accuracy when contrasted against traditional ARIMA timeseries forecasting models, while requiring less parameters and being amenable to direct physical interpretation.<\/jats:p>","DOI":"10.1145\/3084455","type":"journal-article","created":{"date-parts":[[2018,3,23]],"date-time":"2018-03-23T18:28:08Z","timestamp":1521829688000},"page":"1-23","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":22,"title":["Characterizing and Modeling Patching Practices of Industrial Control Systems"],"prefix":"10.1145","volume":"1","author":[{"given":"Brandon","family":"Wang","sequence":"first","affiliation":[{"name":"The University of Iowa, Iowa City, IA, USA"}]},{"given":"Xiaoye","family":"Li","sequence":"additional","affiliation":[{"name":"The University of Iowa, Iowa City, IA, USA"}]},{"given":"Leandro P.","family":"de Aguiar","sequence":"additional","affiliation":[{"name":"Siemens Corporation, Princeton, NJ, USA"}]},{"given":"Daniel S.","family":"Menasche","sequence":"additional","affiliation":[{"name":"Federal University of Rio de Janeiro (UFRJ), Rio de Janeiro, Brazil"}]},{"given":"Zubair","family":"Shafiq","sequence":"additional","affiliation":[{"name":"The University of Iowa, Iowa City, IA, USA"}]}],"member":"320","published-online":{"date-parts":[[2017,6,13]]},"reference":[{"key":"e_1_2_1_1_1","doi-asserted-by":"publisher","DOI":"10.1126\/science.1130992"},{"key":"e_1_2_1_2_1","unstructured":"ANSI\/ISA-99.02.01--2009 standard. 
Security for Industrial Automation and Control Systems Part 2: Establishing an Industrial Automation and Control Systems Security Program. 2009. http:\/\/www.isa.org\/MSTemplate.cfm?MicrositeID=988&CommitteeID=6821."},{"key":"e_1_2_1_3_1","first-page":"22","volume-title":"ICIS 2006 Proceedings","author":"Arora A.","year":"2006"},{"key":"e_1_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.1287\/mnsc.15.5.215"},{"key":"e_1_2_1_5_1","unstructured":"G. Box G. Jenkins and G. Reinsel. Time series analysis: Forecasting and control. Prentice Hall 1994."},{"key":"e_1_2_1_6_1","volume-title":"SaTC PI Meeting: http:\/\/cps-vo.org\/node\/30557","author":"Chen H."},{"key":"e_1_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1137\/0806023"},{"key":"e_1_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.5555\/3214931.3214934"},{"key":"e_1_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.5555\/1880551.1880562"},{"key":"e_1_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1145\/2663716.2663755"},{"key":"e_1_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1287\/mksc.2.3.273"},{"key":"e_1_2_1_12_1","first-page":"1","volume-title":"ICNP","author":"Feng X.","year":"2016"},{"key":"e_1_2_1_13_1","doi-asserted-by":"crossref","unstructured":"J. C. Fisher and R. H. Pry. A simple substitution model of technological change. 
Technological forecasting and social change 3:75--88 1971.","DOI":"10.1016\/S0040-1625(71)80005-7"},{"key":"e_1_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1145\/1496091.1496094"},{"key":"e_1_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.1145\/1162666.1162671"},{"key":"e_1_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1016\/S0048-7333(99)00092-X"},{"key":"e_1_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.1145\/2994487.2994492"},{"key":"e_1_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.ejor.2011.05.050"},{"key":"e_1_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2007.81"},{"key":"e_1_2_1_20_1","volume-title":"BlackHat","author":"Kandek W.","year":"2009"},{"key":"e_1_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1109\/MDAT.2016.2594178"},{"key":"e_1_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1109\/LATW.2016.7483348"},{"key":"e_1_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1287\/mnsc.47.1.1.10668"},{"key":"e_1_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1145\/1384529.1375463"},{"key":"e_1_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-662-02700-4_6"},{"key":"e_1_2_1_26_1","doi-asserted-by":"crossref","unstructured":"V. Mahajan E. Muller and F. M. Bass. Diffusion of new products: Empirical generalizations and managerial uses. Marketing Science 14(3) 1995.","DOI":"10.1287\/mksc.14.3.G79"},{"key":"e_1_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-25280-8_8"},{"key":"e_1_2_1_28_1","unstructured":"J. Matherly. Shodan. 
https:\/\/www.shodan.io."},{"key":"e_1_2_1_29_1","volume-title":"KIACS2017 keynote speak video: https:\/\/livestream.com\/hdmediakw\/events\/7107294\/videos\/151813225","author":"Matherly J."},{"key":"e_1_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2009.76"},{"key":"e_1_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1109\/JPROC.2015.2512235"},{"key":"e_1_2_1_32_1","first-page":"40","article-title":"Creating a patch and vulnerability management program","volume":"800","author":"Mell P.","year":"2005","journal-title":"NIST Special Publication"},{"key":"e_1_2_1_33_1","unstructured":"P. Mell K. Scarfone and S. Romanosky. A complete guide to the CVSS 2.0 2016. https:\/\/www.first.org\/cvss\/v2\/guide."},{"key":"e_1_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.1109\/PST.2016.7906943"},{"key":"e_1_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1287\/mnsc.33.9.1069"},{"issue":"2","key":"e_1_2_1_36_1","first-page":"66","article-title":"Evolution of technological generations: the law of capture","volume":"33","author":"Norton J. A.","year":"1992","journal-title":"Sloan Management Review"},{"key":"e_1_2_1_37_1","unstructured":"National Vulnerability Database (NVD). https:\/\/nvd.nist.gov."},{"key":"e_1_2_1_38_1","unstructured":"Open Source Vulnerability Database. http:\/\/osvdb.org."},{"key":"e_1_2_1_39_1","volume-title":"USENIX WOOT","author":"Pa Y. M. P.","year":"2015"},{"key":"e_1_2_1_40_1","volume-title":"Tech. 
rep.","author":"Radvanovsky B.","year":"2014"},{"key":"e_1_2_1_41_1","volume-title":"CRC Press","author":"Radvanovsky R.","year":"2016"},{"key":"e_1_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.1287\/isre.1080.0174"},{"key":"e_1_2_1_43_1","volume-title":"SANS Institute Reading Room","author":"Scott C.","year":"2014"},{"key":"e_1_2_1_44_1","doi-asserted-by":"publisher","DOI":"10.5555\/2337223.2337314"},{"key":"e_1_2_1_45_1","first-page":"40","article-title":"Guide to enterprise patch management technologies","volume":"800","author":"Souppaya M.","year":"2013","journal-title":"NIST"},{"key":"e_1_2_1_46_1","doi-asserted-by":"publisher","DOI":"10.4304\/jcm.5.1.71-80"},{"key":"e_1_2_1_47_1","unstructured":"Verizon. Verizon 2016 data breach investigations report. www.verizonenterprise.com\/verizon-insights-lab\/dbir\/2016\/ 2016."},{"key":"e_1_2_1_48_1","doi-asserted-by":"publisher","DOI":"10.1145\/2590296.2590300"}],"container-title":["Proceedings of the ACM on Measurement and Analysis of Computing 
Systems"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3084455","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3084455","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T03:30:22Z","timestamp":1750217422000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3084455"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2017,6,13]]},"references-count":48,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2017,6,13]]}},"alternative-id":["10.1145\/3084455"],"URL":"https:\/\/doi.org\/10.1145\/3084455","relation":{},"ISSN":["2476-1249"],"issn-type":[{"value":"2476-1249","type":"electronic"}],"subject":[],"published":{"date-parts":[[2017,6,13]]},"assertion":[{"value":"2017-06-13","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}