Thoughts and Practices on Industrial Control System Vulnerability Management

1. Industrial Control Security Vulnerabilities Are a Type of Cybersecurity Vulnerability

Currently, there is no exact definition of industrial control security vulnerabilities internationally or domestically, but there are relatively mature research results regarding the definition of cybersecurity vulnerabilities. For example, China’s national standard “Information Security Technology – Network Security Vulnerability Identification and Description Specification” (GB/T 28458-2020) defines cybersecurity vulnerabilities as “defects or weaknesses in network products and services that may be exploited, arising unintentionally or intentionally during demand analysis, design, implementation, configuration, testing, operation, and maintenance.” The UK National Cyber Security Centre (NCSC) states that “a vulnerability is a weakness in an information system that can be exploited by an attacker to carry out a successful attack. They may arise from defects, functions, or user errors.” The US National Institute of Standards and Technology (NIST) defines vulnerabilities in NISTIR 7298 as “weaknesses in information systems, system security programs, internal controls, or implementations that may be exploited by threat sources.” NIST SP 800-82 emphasizes that industrial control security vulnerabilities are a subset of cybersecurity vulnerabilities, stating that “vulnerabilities refer to weaknesses in information systems (including ICS), system security programs, internal controls, or implementations that may be exploited or triggered by threat sources.” Based on the analysis of the common characteristics of the above definitions, it can be further clarified that industrial control security vulnerabilities may appear throughout the entire lifecycle of ICS and are exploitable, posing a serious threat to ICS security once maliciously exploited.
Different countries have varying definitions of the scope of industrial control security vulnerabilities. The United States includes organizational internal control strategies and procedural vulnerabilities in the category of vulnerabilities, such as lack of security training, absence of ICS operational guidelines, and lack of security audits; while in China, these are typically categorized as weak links in security management and not as vulnerabilities, with only defects or weaknesses related to ICS software, hardware, protocols, etc., being considered industrial control security vulnerabilities.
Overall, industrial control security vulnerabilities are the information security vulnerabilities present in industrial control systems (hereinafter referred to as ICS); they are a specific type of cybersecurity vulnerability (also referred to simply as vulnerabilities or weaknesses).

2. Diverse Classification Methods for Industrial Control Security Vulnerabilities

The classification of vulnerabilities is fundamental to vulnerability research. Industrial control security vulnerabilities have multiple attributes and can be classified from different perspectives.
Firstly, classification can be based on the location of the industrial control security vulnerabilities. System (hardware, firmware, and software) vulnerabilities can be further divided into five categories: architectural and design vulnerabilities (e.g., system design flaws), configuration and maintenance vulnerabilities (e.g., system configuration errors), physical vulnerabilities (e.g., equipment failures), software development vulnerabilities (e.g., improper data validation), and communication and network vulnerabilities (e.g., insecure protocols, firewall configuration errors).
Secondly, vulnerabilities can be classified based on their causes. This can include code issues, processing logic errors, weak passwords, denial of service, and other types.
Thirdly, classification can be based on the products affected by industrial control security vulnerabilities. This can be divided into six categories: vulnerabilities in industrial production control devices, industrial network communication devices, industrial control system protocols, industrial control software systems, industrial production information systems, and industrial network security devices.

3. Characteristics of Industrial Control Security Vulnerabilities

Firstly, ICS carry many inherent vulnerabilities. Traditional ICS were operated in closed environments and designed for functionality and reliability rather than security, so they generally lack the ability to withstand cyberattacks. In the new interconnected application scenarios, ICS expose numerous inherent security flaws or vulnerabilities, many of which can enable remote attacks and privilege escalation.
Secondly, the difficulty of patching vulnerabilities is high. Considering factors such as startup debugging costs, system operating costs, and system stability, ICS typically operates continuously for long periods, making it difficult to frequently install patches and repair vulnerabilities. Additionally, the operating system versions used in ICS are often outdated, leading to issues with patch compatibility, resulting in many industrial control security vulnerabilities persisting in industrial production environments for extended periods.
Thirdly, the harm caused by vulnerability exploitation is significant. Currently, exploiting vulnerabilities has become the primary method by which criminals launch cyberattacks. ICS are an important part of critical information infrastructure; once their security vulnerabilities are maliciously exploited, the result can be not only interruptions in industrial production but also threats to national security and to the livelihood of the people.

II. Current Status of Industrial Control Security Vulnerability Management

In the face of increasingly severe vulnerability situations, China has introduced a series of legal documents in recent years, clarifying the legal basis, organizational structure, and workflow for vulnerability management.

1. Legal Basis for Industrial Control Security Vulnerability Management Continues to Strengthen

The “Cybersecurity Law” lays the legal foundation for industrial control security vulnerability management. The “Cybersecurity Law” is China’s first fundamental law that comprehensively regulates issues related to cybersecurity management, with Chapters 3, 4, and 6 describing the legal responsibilities of network product providers and operators regarding standards formulation, vulnerability management, and security review.
The “Regulations on the Security Protection of Critical Information Infrastructure” provide important legal guarantees for compliance in conducting vulnerability detection for critical information infrastructure. The “Regulations” establish an approval mechanism for vulnerability detection and penetration testing activities for critical information infrastructure, clearly stating that no individual or organization may carry out such activities without approval or authorization, and specifies corresponding penalties.
The “Regulations on the Management of Cybersecurity Vulnerabilities of Network Products” (hereinafter referred to as the “Regulations”) promote the institutionalization, standardization, and legalization of cybersecurity vulnerability management, including industrial control security vulnerabilities. The “Regulations” are a detailed implementation of the specific provisions on vulnerability management in the “Cybersecurity Law,” standardizing behaviors such as vulnerability discovery, reporting, patching, and disclosure, and encouraging various parties to leverage their technical and mechanism advantages to conduct vulnerability discovery, collection, and publication in compliance with regulations, thereby improving the vulnerability management capabilities of relevant parties.

2. The Organizational Structure of Industrial Control Security Vulnerability Management Is Improved and Perfected

The “Regulations” detail the division of responsibilities for vulnerability management among industry supervisory departments, clarifying the security obligations of three types of responsible entities: network product providers, network operators, and organizations or individuals engaged in vulnerability discovery, collection, and publication activities, further improving the organizational structure for vulnerability management.
Industry supervisory departments. In terms of vulnerability supervision and management, the National Internet Information Office is responsible for the overall coordination of cybersecurity vulnerability management for network products; the Ministry of Industry and Information Technology (MIIT) is responsible for the comprehensive governance of cybersecurity vulnerabilities for network products and supervises vulnerabilities in telecommunications and internet industries; and the Ministry of Public Security is responsible for combating illegal activities utilizing cybersecurity vulnerabilities. These three ministries share vulnerability information in real-time, jointly assess and deal with major security vulnerabilities, and maintain a synchronized vulnerability collection platform.
Network product providers and network operators. In the industrial control security vulnerability management system, this mainly includes industrial control product providers, industrial control security manufacturers, and industrial control product operators, whose main responsibility is to repair their own ICS product security vulnerabilities, eliminating vulnerability risks from the source, preventing malicious exploitation, and avoiding security incidents.
Organizations or individuals engaged in the discovery, collection, and publication of cybersecurity vulnerabilities. The “Regulations” require vulnerability collection platforms to be registered with the Ministry of Industry and Information Technology, and encourage organizations or individuals discovering security vulnerabilities to report information to the MIIT’s cybersecurity threat and vulnerability information sharing platform. By incorporating relevant organizations and individuals into the vulnerability management organizational structure, it promotes their greater value under legal and compliant conditions.

3. The Workflow of Industrial Control Security Vulnerability Management Is More Standardized

The “Regulations” comprehensively consider all parties involved and clarify the compliance requirements for different aspects of vulnerability management, further standardizing the workflow of vulnerability management, including industrial control security vulnerabilities.
In terms of vulnerability discovery, network product providers and network operators are required to establish and maintain smooth channels for receiving vulnerability information and to retain logs of received vulnerability information for a specified period.
In terms of vulnerability reporting, network product providers are required to take immediate action and organize verification of vulnerabilities upon discovering or being informed of vulnerabilities in their provided network products, assess the impact of the vulnerabilities, and report relevant vulnerability information to the MIIT’s cybersecurity threat and vulnerability information sharing platform within two days; for vulnerabilities that exist in upstream products or components, they are required to immediately notify the relevant product providers.
In terms of vulnerability patching, network product providers are required to promptly patch vulnerabilities, inform potentially affected product users of the vulnerability risks and patching methods, and provide necessary technical support; network operators are required to promptly verify and patch vulnerabilities they discover or are informed of.
In terms of vulnerability disclosure, requirements regarding vulnerability publication time, vulnerability detail publication requirements, security behavior requirements for utilizing vulnerabilities, requirements for publishing vulnerability exploitation tools, requirements for synchronizing security measures, requirements for vulnerability disclosure during major events, and requirements for providing vulnerability information externally are specified.

III. Practices in Industrial Control Security Vulnerability Management

To implement the requirements of the “Regulations,” the MIIT has established a cybersecurity threat and vulnerability information sharing platform. This platform adopts an operational model of “1 main database + N specialized databases,” one of which is the specialized database for industrial control product security vulnerabilities, also known as the National Industrial Information Security Vulnerability Database (CICSVD), which is operated by the National Industrial Information Security Development Research Center. CICSVD currently includes vulnerabilities from over 200 domestic and international industrial control brands such as Siemens, Schneider Electric, and Advantech, involving 34 types of vulnerability causes such as buffer errors, input validation errors, permission issues, and access control problems, playing an important role in supporting vulnerability handling and risk warning.

1. Scope of Industrial Control Security Vulnerability Inclusion

CICSVD focuses on including security vulnerabilities and their solutions related to industrial production control devices, industrial network communication devices, industrial host devices and software, industrial production information systems, and industrial network security devices in industries such as steel, non-ferrous metals, petrochemicals, equipment manufacturing, consumer goods, electronics, national defense, energy, transportation, water conservancy, municipal, and civil nuclear facilities, assisting relevant industrial control product providers and operators in conducting vulnerability patching and emergency response.

2. Full Lifecycle Management of Industrial Control Security Vulnerabilities

The key to implementing vulnerability management is to manage the entire process around the vulnerability lifecycle. Currently, CICSVD mainly conducts closed-loop management of industrial control security vulnerabilities in two phases: vulnerability assessment and inclusion, and vulnerability notification and handling.
(1) Vulnerability Assessment and Inclusion
The vulnerability assessment and inclusion phase involves broadly receiving vulnerabilities and conducting precise analysis and assessment to provide technical support for industrial control product providers in patching vulnerabilities. This includes:
1. Vulnerability reception: receiving vulnerability summaries, affected products, patches, and other vulnerability information;
2. Vulnerability review: removing invalid information such as malicious submissions and duplicate submissions;
3. Vulnerability reproduction: verifying the authenticity of the vulnerability information;
4. Vulnerability assessment: primarily assessing the vulnerability’s hazard level, exploitation difficulty, distribution of affected products in the country, application industries, etc.;
5. Vulnerability inclusion: entering the assessed vulnerability information into the database.
(2) Vulnerability Notification and Handling
The vulnerability notification and handling phase involves urging industrial control product providers or operators to promptly carry out vulnerability patching and handling, effectively reducing vulnerability risks. This includes:
1. Vulnerability notification: notifying industrial control product providers or operators of vulnerability information in accordance with the “Regulations” and other laws and regulations, and urging them to develop reasonable and effective patch plans for vulnerabilities for which no patch or solution has yet been published;
2. Patch plan review: reviewing the feasibility and soundness of the patch plan, and urging industrial control product providers or operators to promptly adjust it where needed;
3. Vulnerability patching: urging industrial control product providers or operators to immediately carry out vulnerability patching according to the patch plan and to promptly report back the results.
At the same time, CICSVD provides technical services such as security protection and emergency response to support vulnerability patching.
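The two phases above describe a closed loop in which a record may only move forward one stage at a time and can be dropped at review (duplicate or empty submission) or at reproduction (not verifiable). The tracker below is an added illustration, not CICSVD’s own code: stage names follow the text, while the record fields, the duplicate-detection rule, the rejection reasons and the two-day reporting window (taken from the “Regulations” summary in Section II.3) are assumptions made for the example.

```python
# Added example (not CICSVD's own code): a minimal tracker for the closed-loop
# lifecycle described above. Stage names follow the text; the record fields,
# the duplicate-detection rule and the two-day reporting window are assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Set, Tuple

STAGES = ["received", "reviewed", "reproduced", "assessed", "included",   # phase 1
          "notified", "plan_reviewed", "patched"]                         # phase 2
REPORT_WINDOW = timedelta(days=2)   # assumed provider reporting deadline


@dataclass
class VulnRecord:
    summary: str
    product: str                     # affected product, as submitted
    received_at: datetime
    stage: str = "received"
    severity: Optional[str] = None   # set during assessment
    reported_at: Optional[datetime] = None
    history: List[Tuple[str, datetime]] = field(default_factory=list)


def _dedup_key(product: str, summary: str) -> Tuple[str, str]:
    # Assumed rule: same product and same summary, ignoring case and spacing.
    return (product.strip().lower(), " ".join(summary.lower().split()))


class LifecycleTracker:
    def __init__(self) -> None:
        self.records: List[VulnRecord] = []
        self._seen: Set[Tuple[str, str]] = set()

    def _advance(self, rec: VulnRecord, to_stage: str, when: datetime) -> bool:
        """Move to the next stage only; stages cannot be skipped or reordered."""
        if rec.stage not in STAGES or STAGES.index(to_stage) != STAGES.index(rec.stage) + 1:
            return False
        rec.stage = to_stage
        rec.history.append((to_stage, when))
        return True

    def _reject(self, rec: VulnRecord, reason: str, when: datetime) -> bool:
        rec.stage = "rejected"           # terminal; _advance refuses to move it
        rec.history.append(("rejected:" + reason, when))
        return False

    # Phase 1: assessment and inclusion
    def receive(self, summary: str, product: str, when: datetime) -> VulnRecord:
        rec = VulnRecord(summary=summary, product=product, received_at=when)
        rec.history.append(("received", when))
        self.records.append(rec)
        return rec

    def review(self, rec: VulnRecord, when: datetime) -> bool:
        """Drop empty and duplicate submissions before any effort is spent."""
        if not rec.summary.strip():
            return self._reject(rec, "empty", when)
        key = _dedup_key(rec.product, rec.summary)
        if key in self._seen:
            return self._reject(rec, "duplicate", when)
        self._seen.add(key)
        return self._advance(rec, "reviewed", when)

    def reproduce(self, rec: VulnRecord, verified: bool, when: datetime) -> bool:
        if not verified:
            return self._reject(rec, "not_reproducible", when)
        return self._advance(rec, "reproduced", when)

    def assess(self, rec: VulnRecord, severity: str, when: datetime) -> bool:
        if not self._advance(rec, "assessed", when):
            return False
        rec.severity = severity
        return True

    def include(self, rec: VulnRecord, when: datetime) -> bool:
        return self._advance(rec, "included", when)

    # Phase 2: notification and handling
    def notify(self, rec: VulnRecord, when: datetime) -> bool:
        return self._advance(rec, "notified", when)

    def review_plan(self, rec: VulnRecord, plan_feasible: bool, when: datetime) -> bool:
        # An infeasible plan is returned for adjustment; the stage is unchanged.
        if not plan_feasible:
            rec.history.append(("plan_returned", when))
            return False
        return self._advance(rec, "plan_reviewed", when)

    def patch(self, rec: VulnRecord, when: datetime) -> bool:
        return self._advance(rec, "patched", when)


def mark_reported(rec: VulnRecord, when: datetime) -> None:
    """The provider has reported the vulnerability to the sharing platform."""
    rec.reported_at = when


def reporting_overdue(rec: VulnRecord, now: datetime) -> bool:
    """True when no report was made within REPORT_WINDOW of receipt."""
    end = rec.reported_at if rec.reported_at is not None else now
    return end - rec.received_at > REPORT_WINDOW
```

Keeping `_advance` as the single place that changes `stage` is what makes the loop closed: a record that was rejected at review can never reach inclusion, and a record cannot be notified before it has been assessed and included. `reporting_overdue` is kept separate from the stages because the reporting deadline binds the provider, not the database operator.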

3. Collaborative Construction of an Industrial Control Security Vulnerability Ecosystem

Industrial control security vulnerability management work relies on the joint participation of government departments, vulnerability database operation teams, industrial control product providers, industrial control security manufacturers, industrial control product operators, security researchers, and other organizations and individuals. To fully gather the strengths of the industrial control security industry, promote the formation of a collaborative effort in vulnerability management, and effectively prevent vulnerability risks, CICSVD is focused on building a multi-party participatory and collaborative governance vulnerability ecosystem, which has already achieved certain results.
Utilizing supporting team strengths, continuously enhancing the research capabilities of industrial control security vulnerabilities. To promote the timely discovery, reporting, and effective handling of industrial control security vulnerabilities, CICSVD actively plays a bridging role by selecting supporting teams to guide industrial control security manufacturers, industrial control product providers, industrial control product operators, research institutions, universities, etc., to participate in the construction of the vulnerability database, continuously strengthening the technical capabilities for vulnerability mining, risk assessment, and emergency response.
Exerting the role of group standards to promote industry norms in industrial control security vulnerability management. In response to the current lack of standards for industrial control security vulnerability management, various parties are gathered to jointly promote the development of relevant standards, aiming to enhance vulnerability management levels. For instance, a draft group standard titled “Guidelines for Classifying and Grading Industrial Information Security Vulnerabilities” has been formulated to assist industry enterprises in accurately identifying vulnerability types, assessing vulnerability hazard levels, and developing reasonable and effective industrial control security vulnerability remediation plans.
Establishing a positive incentive mechanism to promote both the quantity and quality of vulnerability submissions. By comprehensively using means such as issuing original vulnerability certificates, establishing a contribution point system for supporting teams, sharing vulnerability information, and issuing honorary certificates as spiritual and honorary incentives, various parties in academia, industry, and research are encouraged to actively participate in the submission and sharing of industrial control security vulnerability information, improving the accuracy and completeness of submitted vulnerability information, and increasing the submission of high-value vulnerability information.

IV. Reflections on Industrial Control Security Vulnerability Management

China has made positive progress in the supervision, management, and operation of industrial control security vulnerabilities. However, with the trends of industrial digital transformation accompanied by the expansion of ICS exposure risks and the accelerated iteration and upgrading of attack technologies causing higher vulnerability exploitation risks, industrial control security vulnerabilities, due to their specificity, still face a series of challenges in vulnerability management. In this regard, it is recommended to focus on strengthening industrial control security vulnerability management in the following three areas to enhance the risk prevention capabilities of critical information infrastructure and safeguard national cybersecurity.

1. Establishing and Perfecting a Policy and Standard System for Vulnerability Management

Accelerate the introduction of policy documents such as the implementation measures for vulnerability information reporting, streamline the vulnerability reporting mechanism for industrial control security, and urge industrial control product providers to promptly patch vulnerabilities while guiding and supporting product users in strengthening risk prevention. Continuously reinforce the leading role of standards, leveraging the strengths of government, industry organizations, research institutions, etc., to promote the research and formulation of national standards for classifying and grading industrial control security vulnerabilities and emergency responses, guiding all parties to prioritize timely vulnerability patching and deploy the best protection strategies based on vulnerability assessment results, thereby improving the efficiency of vulnerability remediation and emergency handling. Conduct pilot programs for classifying and grading industrial control security vulnerabilities, enhancing the targeting of vulnerability management at all levels, and exploring the implementation of deadlines for patching high-risk and critical vulnerabilities to effectively improve the vulnerability situation.

2. Strengthening Risk Identification and Monitoring of Industrial Control Security Vulnerabilities

On one hand, in response to the large number of ICS assets in enterprises that carry unpatched or difficult-to-patch vulnerabilities, actively leverage the proactive defense capabilities of the industrial control security situational awareness platform: identify connected ICS assets through proactive monitoring, passive trapping, traffic analysis, etc.; correlate those assets with known vulnerabilities; monitor vulnerability exploitation in real time; and issue timely warnings of security threats, thereby enhancing vulnerability risk management capabilities. On the other hand, given the currently low efficiency of identifying industrial control security vulnerabilities in China, explore the compliant and reasonable use of vulnerability information, support the development of vulnerability detection and verification tools to improve the coverage, accuracy, and efficiency of identifying known vulnerabilities, and support the construction of vulnerability mining models that incorporate the triggering conditions of various ICS product vulnerabilities, developing automated vulnerability mining tools to enhance the ability to identify unknown vulnerabilities, backdoor vulnerabilities, and authentication bypass logic vulnerabilities in ICS devices of all kinds.
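The vulnerability correlation step mentioned above, matching an inventory of discovered ICS assets against a vulnerability database by vendor, product and affected version range, is shown below as an added example; it is not code from the page or from any named platform. Asset discovery itself (proactive monitoring, passive trapping, traffic analysis) is assumed to have already produced the inventory. The asset and advisory fields, the sample inventory, the version-range rule and the advisory identifiers (“EXAMPLE-000x”) are constructed placeholders. The example also shows the one detail that most often breaks such correlation in practice: versions must be compared numerically, since a string compare puts “2.10” before “2.9”.

```python
# Added example (not from the page or any named platform): correlating a known
# ICS asset inventory against a vulnerability database by vendor, product and
# version range. Field names, sample data and vuln IDs are constructed placeholders.
from dataclasses import dataclass
from typing import List, Optional, Tuple

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_version(v: str) -> Tuple[int, ...]:
    """Split a dotted version into integers so that 2.10 sorts after 2.9
    (a plain string compare would put "2.10" before "2.9")."""
    parts = []
    for piece in v.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_cmp(a: str, b: str) -> int:
    """-1, 0 or 1; shorter versions are zero-padded so "2.9" == "2.9.0"."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta = ta + (0,) * (width - len(ta))
    tb = tb + (0,) * (width - len(tb))
    return (ta > tb) - (ta < tb)


@dataclass(frozen=True)
class Asset:
    ip: str
    vendor: str
    product: str
    version: str


@dataclass(frozen=True)
class Advisory:
    vuln_id: str
    vendor: str
    product: str
    first_affected: str         # inclusive lower bound
    fixed_in: Optional[str]     # exclusive upper bound; None = no fix published
    severity: str


def is_affected(asset: Asset, adv: Advisory) -> bool:
    """Vendor and product must match; version must lie in [first_affected, fixed_in)."""
    if (asset.vendor.lower(), asset.product.lower()) != (adv.vendor.lower(), adv.product.lower()):
        return False
    if version_cmp(asset.version, adv.first_affected) < 0:
        return False
    if adv.fixed_in is not None and version_cmp(asset.version, adv.fixed_in) >= 0:
        return False
    return True


def correlate(assets: List[Asset], advisories: List[Advisory]) -> List[Tuple[str, str, str]]:
    """Return (asset ip, vuln id, severity) hits, most severe first."""
    hits = [(a.ip, adv.vuln_id, adv.severity)
            for a in assets for adv in advisories if is_affected(a, adv)]
    hits.sort(key=lambda h: (SEVERITY_RANK.get(h[2], 99), h[0], h[1]))
    return hits


# Constructed sample inventory and advisories (placeholders, not real products).
ASSETS = [
    Asset("10.0.0.5", "ExampleVendor", "PLC-A", "2.9"),
    Asset("10.0.0.6", "ExampleVendor", "PLC-A", "2.10"),
    Asset("10.0.0.7", "OtherVendor", "HMI-B", "1.3.2"),
    Asset("10.0.0.8", "ExampleVendor", "PLC-A", "2.10.0"),
]
ADVISORIES = [
    Advisory("EXAMPLE-0001", "ExampleVendor", "PLC-A", "2.0", "2.10", "high"),
    Advisory("EXAMPLE-0002", "ExampleVendor", "PLC-A", "1.0", None, "critical"),
    Advisory("EXAMPLE-0003", "OtherVendor", "HMI-B", "1.3.0", "1.4.0", "medium"),
]

if __name__ == "__main__":
    for ip, vid, sev in correlate(ASSETS, ADVISORIES):
        print(f"{sev:8} {ip:12} {vid}")
```

Sorting hits by severity gives the ordering the text asks for when it says patch planning should prioritise high-risk and critical vulnerabilities; an advisory with `fixed_in` set to `None` keeps matching every version from `first_affected` upward, which is the long-lived situation the characteristics section describes for ICS.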

3. Accelerating the Cultivation of an Industrial Control Security Vulnerability Management Ecosystem

On one hand, establish and improve vulnerability reward mechanisms by issuing honorary certificates, publicizing contribution rankings, providing special support, launching reward plans, and hosting offensive and defensive competitions, encouraging research institutions, industry enterprises, and security researchers to engage in compliant industrial control security vulnerability mining, verification, reporting, and remediation, gathering the strengths of government, industry, academia, and research to jointly build a sound ecosystem for industrial control security vulnerability management. On the other hand, actively leverage the role of national-level vulnerability databases such as the National Industrial Information Security Vulnerability Database, continuously improve the management and operation mechanisms of vulnerability databases, establish platforms for managing and exchanging industrial control security vulnerabilities, and facilitate communication and coordination among security researchers, industrial control product providers, and industrial enterprises through information sharing, discussions, personnel training, and technical salons, jointly reinforcing the vulnerability management defense line.
About Winut

Beijing Winut Technology Co., Ltd. (abbreviated as Winut) is a leader in the domestic industrial control security industry and a company under the Chinese state-owned capital venture fund. With its excellent technological innovation capability, it has become one of the six global companies awarded the ISASecure certification by the International Society of Automation and one of the first national-level specialized and innovative “Little Giant” enterprises.

Winut relies on its pioneering core technology concept of industrial network “white environment” and its independently developed full series of industrial control security products to provide comprehensive lifecycle deep defense solutions and specialized security services for national key industries such as electricity, rail transit, petrochemicals, municipal, tobacco, intelligent manufacturing, and military industry. To date, it has enabled over 4,000 industry clients in China and countries along the “Belt and Road” to achieve secure and compliant operations.

As China’s national team for industrial control security, Winut actively promotes the construction of industrial clusters and the development of the industry ecosystem, leads and participates in the formulation of national and industry standards in the field of industrial control security and in network security assurance work for major events, and remains committed to protecting the cybersecurity of China’s critical information infrastructure and to being a backbone force in building a strong cyber nation.
