Quantitative Information Security Vulnerability Assessment for Norwegian Critical Infrastructure

Abstract

A single information security vulnerability exploitation within Norwegian critical infrastructure can have a significant impact on Norwegian society, even causing cascading effects on other countries. Therefore, it is essential to conduct a quantitative vulnerability assessment to secure the weakest link. However, quantifying vulnerabilities to the entire Norwegian critical infrastructure has not been properly conducted in the literature. Defining the sectors responsible for or involved in providing vital functions in Norwegian society as the scope, we propose a methodology of six processes to conduct a quantitative vulnerability assessment by integrating the information from three sources: (1) the regional Internet registry, (2) the banner crawlers, and (3) the vulnerability database. We present and visualize the results of the vulnerability assessment from four different aspects: (1) vulnerability, (2) window of exposure, (3) impact, and (4) exploitability. Based on the results, we can easily identify power supply and transport as the weakest link. Compared to the entire country, the vital societal functions are better secured. Such assessment should be conducted continuously and automatically by specified public authorities to identify, classify, quantify, and prioritize the time-varying vulnerabilities.