工业控制系统信息安全新趋势

doi:10.3969/j.issn.1671-1122.2015.01.002

信息网络安全 ›› 2015, Vol. 15 ›› Issue (1): 6-11.doi: 10.3969/j.issn.1671-1122.2015.01.002

工业控制系统信息安全新趋势

王小山^1,², 杨安^1,², 石志强¹(), 孙利民¹

1.中国科学院信息工程研究所,北京100093
2.中国科学院大学,北京 100049

收稿日期:2014-10-10 出版日期:2015-01-10 发布日期:2015-07-05
作者简介:
作者简介：王小山（1986-）,男,山西,博士研究生,主要研究方向：工业控制系统信息安全、物理层安全;杨安（1988-）,男,河北,博士研究生,主要研究方向：工业控制系统信息安全;石志强（1970-）,男,重庆,博士,正研级高工,主要研究方向：工业控制系统安全、网络与系统安全;孙利民（1966-）,男,河南,博士,研究员,主要研究方向：物联网及其安全。
基金资助:
国家自然科学基金面上项目[61402475];中国科学院国防科技创新基金项目重点基金[CXJJ-14-Z68];中国科学院信息工程研究所前瞻项目[Y4Z0033102]

New Trend of Information Security in Industrial Control Systems

WANG Xiao-shan^1,², YANG An^1,², SHI Zhi-qiang¹(), SUN Li-min¹

1. Institute of Information Engineering, CAS, Beijing 100093, China
2.University of Chinese Academy of Sciences, Beijing 100049, China

Received:2014-10-10 Online:2015-01-10 Published:2015-07-05

摘要/Abstract

摘要：

随着科学技术的高速发展,工业化与信息化的不断融合,工业控制系统越来越多采用标准、通用的通信协议和软硬件系统,并且以各种方式接入互联网,从而打破了这些系统原有的封闭性和专用性,造成病毒、木马等安全威胁向工控领域迅速扩散。工业控制系统所面临的信息安全问题日益严重,而且呈现出诸多与传统IT系统不同的特点。为了简要介绍目前工控安全研究领域的新趋势和新成果,文章首先从工业控制系统的定义和三层结构出发,引出了工控系统的安全问题,利用详实的数据阐述了该安全问题的分布特点和发展趋势。接下来,文章从学术研究的角度,重点介绍了工业控制系统信息安全领域的专门国际会议ICS-CSR。通过比较已经举办过的两届ICS-CSR会议所收录的论文,就攻击者与攻击途径、网络攻击的检测与响应、系统安全建模与脆弱性分析,以及工控安全的社会-技术性等多个重要问题进行了详细的讨论,总结了工控安全研究中的主要问题、思路、方法和结论,阐述了该领域的当前态势和未来方向。最后,文章提出了纵深防御的安全理念,并以此为指导,构建了由边界系统、防御系统、防危系统等三部分组成的综合防御体系,旨在为工业控制系统提供全方位、多层次、完整生命周期的保护。

关键词: 工业控制系统, 信息安全, 访问控制, 社会-技术性, 纵深防御

Abstract:

With the rapid development of science and technology and the continuous fusion of industrialization and informatization, industrial control systems (ICSs) are more and more adopting standard, universal communication protocols and software/hardware systems, and being connected to the Internet in various manners. It breaks the original closure and exclusiveness of these systems, and causes security threats (such as viruses and trojans) to spread promptly into the field of industrial control. ICSs are encountered with increasingly serious information security threats that show different features from those of traditional IT systems. To briefly introduce the new trends and achievements in the field of ICS security research today, this paper presents the definition and 3-level architecture of ICSs, brings in the problem of ICS security, and elaborates the distribution and tendency of the security problem by detailed data. After that, this paper focuses on introducing the international conference ICS-CSR that is dedicated to the field of ICS information security from the viewpoint of academic research. By comparing the papers collected in the first and second ICS-CSR conferences, this paper investigates in detail on the issues of attackers and attack vectors, detection and response of cyber attacks, security modeling and vulnerability analysis of systems, and the socio-technical nature of ICSs, summarizes the main problems, ideas, approaches and conclusions in the research of ICS security, and presents the current situation and future direction of this field. Finally, this paper proposes the security concept of defense-in-depth, according to which a comprehensive defending system composed of boundary system, protection system and safety system is established aiming to provide ICSs with omni-directional, multi-layered and whole life-circle protection.

Key words: industrial control system, information security, access control, socio-technical, defense-in-deep

中图分类号:

TP309

王小山, 杨安, 石志强, 孙利民. 工业控制系统信息安全新趋势[J]. 信息网络安全, 2015, 15(1): 6-11.

WANG Xiao-shan, YANG An, SHI Zhi-qiang, SUN Li-min. New Trend of Information Security in Industrial Control Systems[J]. Netinfo Security, 2015, 15(1): 6-11.

图/表 7

图1

图2

图3

表1

表2

图4

图5

参考文献 14

[1]	北京神州绿盟信息安全科技股份有限公司. 2013工业控制系统及其安全性研究报告[EB/OL]., 2014-10-10.
[2]	ICS-CERT. ICS-CERT Monitor October/November/December2012[EB/OL]., 2014-10-10.
[3]	ICS-CERT. ICS-CERT Monitor April/May/June2013[EB/OL]. , 2014-10-10.
[4]	Michael Robinson.The SCADA threat landscape[C]// Proceedings of 1st International Symposium for ICS &SCADA Cyber Security Research, 2013:33-41.
[5]	Yasakethu S.L.P., Jiang J. Intrusion detection via machine learning for SCADA system protection[C]// Proceedings of 1st International Symposium for ICS &SCADA Cyber Security Research, 2013:101-105.
[6]	Provos N.A virtual honeypot framework[C]// Proceedings of the 13th Conference on USENIX Security Symposium, 2004:1-14.
[7]	Paul Baecher, Markus Koetter, Thorsten Holz, et al.The Nepenthes platform: An efficient approach to collect malware[C]//Proceedings of 9th International Symposium on Recent Advances in Intrusion Detection (RAID 2006), 2006:165-184.
[8]	Nepenthes Development Team. Dionaea[EB/OL]. , 2011-05-15.
[9]	Kieran McLaughlin, Sakir Sezer, Paul Smith, et al. PRECYSE: Cyber-attack detection and response for industrial control systems[C]// Proceedings of the 2nd International Symposium for ICS &SCADA Cyber Security Research, 2014:67-71.
[10]	Laurens Lemaire, Jorn Lapon, Bart De Decker, et al.A SysML extension for security analysis of industrial control systems [C]//Proceedings of the 2nd International Symposium for ICS &SCADA Cyber Security Research, 2014: 1-9.
[11]	Robert Oates, Fran Thom, Graham Herries.Security-aware, model-based systems engineering with SysML[C]// Proceedings of the 1st International Symposium for ICS &SCADA Cyber Security Research, 2013:78-87.
[12]	Ivan Cibrario Bertolotti, Luca Durante, Tingting Hu, et al.A Model for the Analysis of Security Policies in Industrial Networks[C]// Proceedings of the 1st International Symposium for ICS &SCADA Cyber Security Research, 2013: 66-77.
[13]	Andrew John Charles Blyth. Role logic and its application to the analysis of process control systems from the Socio—Technical system perspective [C]//Proceedings of the 1st International Symposium for ICS &SCADA Cyber Security Research, 2013:42-47.
[14]	Benjamin Green, Daniel Prince, Utz Roedig, et al.Socio-Technical security analysis of industrial control systems (ICS)[C]//Proceedings of the 2nd International Symposium for ICS & SCADA Cyber Security Research, 2014:10-14.

[1]	王巍, 胡永涛, 刘清涛, 王凯崙. 铁路运行环境下ERT可信根实体的软件化技术研究[J]. 信息网络安全, 2024, 24(5): 794-801.
[2]	颜海龙, 王树兰. 基于国产密码技术的不动产登记集成办事平台设计与实现[J]. 信息网络安全, 2024, 24(2): 303-308.
[3]	周权, 陈民辉, 卫凯俊, 郑玉龙. 基于SM9的属性加密的区块链访问控制方案[J]. 信息网络安全, 2023, 23(9): 37-46.
[4]	石润华, 谢晨露. 云边缘环境中基于属性加密的可验证EMR外包解决方案[J]. 信息网络安全, 2023, 23(7): 9-21.
[5]	谢盈, 曾竹, 胡巍, 丁旭阳. 一种虚假数据注入攻击检测与补偿方法[J]. 信息网络安全, 2023, 23(6): 22-33.
[6]	张晓旭, 石润华. EHR系统中一种验证外包加密数据正确性的访问控制方案[J]. 信息网络安全, 2023, 23(5): 85-94.
[7]	朱怡昕, 苗张旺, 甘静鸿, 马存庆. 基于细粒度访问控制的勒索软件防御系统设计[J]. 信息网络安全, 2023, 23(10): 31-38.
[8]	胡艺, 佘堃. 基于区块链和智能合约的双链车联网系统[J]. 信息网络安全, 2022, 22(8): 26-35.
[9]	顾兆军, 刘婷婷, 高冰, 隋翯. 基于GAN-Cross的工控系统类不平衡数据异常检测[J]. 信息网络安全, 2022, 22(8): 81-89.
[10]	王健, 黄俊. 基于智能合约的日志安全存储与公平访问方法[J]. 信息网络安全, 2022, 22(7): 27-36.
[11]	于克辰, 郭莉, 阴宏伟, 燕雪松. 面向数据中心场景的基于区块链与博弈论的高价值数据共享模型[J]. 信息网络安全, 2022, 22(6): 73-85.
[12]	郭宝霞, 王佳慧, 马利民, 张伟. 基于零信任的敏感数据动态访问控制模型研究[J]. 信息网络安全, 2022, 22(6): 86-93.
[13]	刘嘉微, 马兆丰, 王姝爽, 罗守山. 基于区块链的隐私信用数据受限共享技术研究[J]. 信息网络安全, 2022, 22(5): 54-63.
[14]	李莉, 李泽群, 李雪梅, 史国振. 基于交叉耦合电路的物理不可克隆函数FPGA实现[J]. 信息网络安全, 2022, 22(3): 53-61.
[15]	徐茹枝, 吕畅冉, 龙燕, 刘远彬. 工业控制系统高隐蔽性数据攻击防御方法研究[J]. 信息网络安全, 2022, 22(12): 34-46.

工业控制系统信息安全新趋势

New Trend of Information Security in Industrial Control Systems

RichHTML

可视化

摘要/Abstract

引用本文

使用本文

图/表 7

参考文献 14

相关文章 15

编辑推荐

Metrics

本文评价