Journal of Society for e-Business Studies

In the past, the control system was a closed network that was not connected to the external network. However, in recent years, many cases have been opened to the outside for the convenience of management. Are connected to the Internet, and the number of operating control systems is increasing.
As a result, it is obvious that hackers are able to make various attack attempts targeting the control system due to external open, and they are exposed to various security threats and are targeted for attack. Industrial control systems that are open to the outside have most of the remote management ports for web services or remote management, and the expansion of web services through web programs inherits the common web vulnerability as the control system is no exception.
In this study, we classify and compare existing web vulnerability items in order to derive the most commonly tried web hacking attacks against control system from the attacker 's point of view. I tried to confirm.

2011 CWE/SANS Top 25.

Han, S. K., A Study on Cyber ​​Threats in Control System Linkage Section, Korea University, 2011.

https://www.kuppingercole.com/blog/williamson/ot-ics-scada-whats-the-difference.

ICS-CERT, https://ics-cert.us-cert.gov.

Kim, K. H., Security Enhancements of Industrial Control System for National Critical Infrastructure, Korea University, 2017

Kim, S. J., A Case Study on the Implementation of a River Water Level Monitoring System using PLC(Programmable Logic Controller) and Public Telecommunication Network, The Journal of Society for e-Business Studies, Vol. 20, No. 4, pp. 1-17, 2015.

KISA Homepage Vulnerability Assessment and Removal Guide (http://kisa.or.kr)-Home page for developing and operating information system vulnerability diagnosis and removal guide, 2013.

KISA, Analysis of Overseas System based Evaluation Cases and Technology, 2009.

Lim, K. H., A Study on the Present Status and Countermeasures of Control System Security Vulnerabilities, Korea University, 2011.

Ministry of Public Administration and Security, Web Application Development Security Guide 2010.

Ministry of Science and Technology Ministry of Information and Communication Analysis of Technical Vulnerabilities in Information Communication Infrastructure 2017.

Na, J. C. and Cho, H. S., “Classification of industrial control system abnormal behavior in terms of security: 2.1 Industrial control system structure,” Journal of Information Security, Vol. 23, No. 2, pp. 329-330, 2013.

NIS 8 Vulnerabilities-2005 National Cyber ​​Safety Center(NCSC).

OWASP/OWASP Top Ten Project 2013, https://www.owasp.org/index.php/Top_10_2013-Top_10.

OWASP/OWASP Top Ten Project 2017, https://www.owasp.org/index.php/Top_10_2017-Top_10.

Park, D. H., A Study on the Improvement of Evaluation Criteria for Control System Management and Physical Vulnerability Analysis, Korea University, 2013.

SANS Top 25(http://cwe.mitre.org/top25/).

Security Administration and E-Government Software Development Security Software Diagnosis Guide 2013. 11, Publication Registration Number 11-1311000-000395-14.

Security Administration, Analysis of Technical Vulnerabilities in Major IT Infrastructure Facilities, 2014.

Software Development Security Guide for Security Administration, E-Government Software Development Managers 2013, Publication Registration Number 11-1311000-000330-10.

Software Development Security Guide for the Ministry of Government Administration and Home Affairs, e-government SW Development Managers 2017. 1, Publication Registration Number 11-1311000-000330-10.

SVC(SCADA Vulnerabilities & Exposures), http://www.critifence.com/sve.