工业控制系统功能安全和信息安全策略优化方法

doi:10.3969/j.issn.1671-1122.2022.11.009

摘要/Abstract

摘要：

针对当前工业控制安全兼容性难以解决的问题，在功能安全与信息安全资源消耗竞争的本质层面上，文章提出支持功能安全与信息安全冲突协商的形式化模型，从数学上刻画工业控制系统安全策略的功能安全程度、信息安全程度、CPU占用和内存占用。文章将这4个数学函数作为衡量安全策略优劣的目标函数进行多目标优化，充分考虑功能安全、信息安全、时间延迟、资源消耗等工业控制系统的关键因素，构建目标函数的参数空间，利用空间间隔挑选出最优策略。文章克服传统的矛盾屏蔽方法只能在不影响功能安全的前提下进行定性配置的局限，为工业控制系统提供一套完整的策略优化方案和算法。模拟实验将策略优化算法应用到列车控制系统中，获取车载列车自动防护（Automatic Train Protection，ATP）系统的最优安全策略方案，实验结果表明，文章提出的安全策略优化方法，可以量化安全策略的优劣，并有效地选取最优安全策略方案，保障工业控制系统安全。

关键词: 信息安全, 功能安全, 时间复杂度, 空间复杂度, 遗传算法

Abstract:

In view of the problem that is difficult to solve in current industrial control security compatibility, at the essential level of the competition between functional safety and information security resource consumption, a formal model supporting the conflict between functional safety and information security is proposed. The functional safety degree, information security degree, CPU occupation, and memory occupation of the security policy of the industrial control system are mathematically described. This paper took four mathematical functions as objective functions to measure the advantages and disadvantages of the security policy for multi-objective optimization. It fully considered the key factors of industrial control systems such as functional safety, information security, time delay, and resource consumption, constructed the parameter space of the objective function, and used the space interval to select the optimal strategy. This paper overcomes the limitation that the traditional contradiction shielding method can only be qualitatively configured without affecting functional safety, and provides a complete set of policy optimization schemes and algorithms for industrial control systems. The strategy optimization algorithm is applied to the train control system to obtain the optimal safety strategy scheme of the Automatic Train Protection (ATP) system.Experimental results show that the security strategy optimization method proposed in this paper can quantify the advantages and disadvantages of security strategies, and effectively select the optimal scheme of security strategy to ensure the security of industrial control systems.

Key words: information security, functional safety, time complexity, space complexity, genetic algorithm

中图分类号:

TP309

宋晶, 刁润, 周杰, 戚建淮. 工业控制系统功能安全和信息安全策略优化方法[J]. 信息网络安全, 2022, 22(11): 68-76.

SONG Jing, DIAO Run, ZHOU Jie, QI Jianhuai. The Optimization Method of Industrial Control System Functional Safety and Information Security Policy[J]. Netinfo Security, 2022, 22(11): 68-76.

图/表 8

图1

表1

表2

图2

表3

表4

表5

表6

参考文献 22

[1]	GB/T 22239-2019 Information Security Technology Baseline for Classified Protection of Cybeisecurity[S]. Beijing: China Standard Press, 2019.
	GB/T 22239-2019 信息安全技术网络安全等级保护基本要求[S]. 北京: 中国标准出版社, 2019.
[2]	EAMES D P, MOFFETT J. The Integration of Safety and Security Requirements[C]// Springer. Computer Safety, Reliability and Security. Berlin:Springer, 1999: 468-480.
[3]	NOVAK T, TREVRTL A, PALENSKY P. Common Approach to Functional Safety and System Security in Building Automation and Control Systems[C]// IEEE. 2007 IEEE Conference on Emerging Technologies and Factory Automation (EFTA 2007). New York:IEEE, 2010: 1141-1148.
[4]	KOMECKI A J, ZALEWSKI J. Safety and Security in Industrial Control[C]// ACM. Proceedings of the 6th Annual Workshop on Cyber Security and Information Intelligence Research. New York: ACM, 2010: 1-4.
[5]	WANG Sheng, CHAI Jiwen, TANG Yong, et al. A Correlation Analysis Method of Information Security and Functional Safety: China, CN201911382048. 2[P]. 2020-05-08.
	王胜, 柴继文, 唐勇, 等. 一种信息安全与功能安全关联分析方法:中国, CN201911382048.2[P]. 2020-05-08.
[6]	JIN Jianghong, XIA Qiaoli, MO Changyu. Integration Technology of Functional Safety and Cyber Security for Nuclear Safety Class DCS[J]. Nuclear Power Engineering, 2021, 42(1):100-106.
	靳江红, 夏侨丽, 莫昌瑜. 核安全级DCS功能安全与信息安全权衡技术[J]. 核动力工程, 2021, 42(1): 100-106.
[7]	HU Bowen, ZHOU Chunjie, LIU Lu. Coordination of Functional Safety and Information Security for Intelligent Instrument Based on Fuzzy Multi-Objective Decision[J]. Netinfo Security, 2021, 21(7): 10-16.
	胡博文, 周纯杰, 刘璐. 基于模糊多目标决策的智能仪表功能安全与信息安全融合方法[J]. 信息网络安全, 2021, 21(7): 10-16.
[8]	DEB K, PRATAP A, AGRAWAL S, et al. A Fast and Elitist Multi-Objective Genetic Algorithm: NSGA-II[J]. IEEE Transactions on Evolutionary Computation. 2002, 6(2): 182-197. doi: 10.1109/4235.996017 URL
[9]	COELLO C C A, LAMONT G B, VAN V D A. Evolutionary Algorithms for Solving Multi-Objective Problems(The Second Edition)[M]. New York: Springer, 2002.
[10]	KONAK A, COIT D W, SMITH A E. Multi-Objective Optimization Using Genetic Algorithms: A Tutorial[J]. Reliability Engineering & System Safety, 2006 (1): 992-1007.
[11]	DEB K, SUNDAR J. Reference Point Based Multi-Objective Optimization Using Evolutionary Algorithms[C]// ACM. Proceeding of the Genetic and Evolutionary Computation. New York: ACM, 2006: 635-642.
[12]	AMUSO V J, ENSLIN J. The Strength Pareto Evolutionary Algorithm 2 (SPEA2) Applied to Simultaneous Multi-Mission Waveform Design[C]// IEEE. 2007 International Waveform Diversity and Design Conference. New York: IEEE, 2007: 407-417.
[13]	ZHANG Qingfu, LI Hui. MOEA D: A Multi-Objective Evolutionary Algorithm Based on Decomposition[J]. IEEE Transactions on Evolutionary Computation, 2007, 11(6): 712-731. doi: 10.1109/TEVC.2007.892759 URL
[14]	ZHANG Xingyi, TIAN Ye, JIN Yaochu. A Knee Point-Driven Evolutionary Algorithm for Many-Objective Optimization[J]. IEEE Transactions on Evolutionary Computation, 2015, 19(6): 761-776. doi: 10.1109/TEVC.2014.2378512 URL
[15]	LI Ke, DEB K, ZHANG Qingfu, et al. Efficient Non-Domination Level Update Method for Steady-State Evolutionary Multi-Objective Optimization[J]. IEEE Transactions on Cybernetics, 2017, 47(9): 2838-2849. doi: 10.1109/TCYB.2016.2621008 pmid: 27845681
[16]	IEC 61508-2000 Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems[S]. Geneva: IEC, 2000.
[17]	EN 50128-2011 Raulway Application: Software for Railway Control and Protection Systems[S]. Brussels: CENELEC, 2011.
[18]	JIN Jianghong, MO Changyu, LI Gang. Integration Technology of Functional Safety and Cyber Security for Industrial Control System[J]. Industrial Safety and Environmental Protection, 2020, 46(1): 53-60.
	靳江红, 莫昌瑜, 李刚. 工业控制系统功能安全与信息安全一体化防护措施研究[J]. 工业安全与环保, 2020, 46(1): 53-60.
[19]	YAN Fei, TANG Tao. Study on IEC61508 Application in Railway Safety-Related System[J]. Journal of the China Railway Society, 2005, 27(3): 124-128.
	燕飞, 唐涛. IEC61508及其在铁路安全相关系统研制开发中的应用研究[J]. 铁道学报, 2005, 27(3): 124-128.
[20]	WU Shaofeng. Application Research of Signalling Safety Information Transmission Based on the Communication System[D], Beijing: Beijing Jiaotong University, 2006.
	武少峰. 基于通信系统的铁路信号安全信息传输的应用研究[D]. 北京: 北京交通大学, 2006.
[21]	LI Jiayu, YUAN Chunxin. IEC 61508 International Standard for Functional Safety and Safety Analysis[J]. Chinese Railways, 2001, 32(1): 44-45.
	李佳玉, 员春欣. IEC61508功能安全国际标准及安全性分析[J]. 中国铁路, 2001, 32(1):44-45.
[22]	ZHANG Lili. Research and Design of ATP Safety Error Detecting Code and Rules of Operation[D]. Chengdu: Southwest Jiaotong University, 2012.
	张力立. ATP安全错误检测码与运算方法的研究与设计[D]. 成都: 西南交通大学, 2012.

策略名称	安全程度	数据	时间复杂度	空间复杂度
故障自诊断与报警	9	8	n	n
列车过程状态监测	7	8	n	con
防御性编程	5	0	con	con
错误检测码	9	6	nlogn	n
人工智能故障纠正	6	8	n²	n²

策略名称	安全程度	数据	时间复杂度	空间复杂度
病毒防护	7	6	n	n
访问控制	6	3	n²	con
数据加解密	9	6	n²	n²
用户行为监测	6	2	n²	n²
漏洞扫描	4	4	n	n
USB-key	9	1	n	con

策略编号	策略名称	方案1	方案2	方案3	方案4	方案5	方案6	方案7
1	故障自诊断与报警	1	1	1	1	1	1	1
2	列车过程状态监测	1	1	1	1	1	1	1
3	防御性编程	1	1	1	1	1	0	1
4	错误检测码	1	1	1	1	1	1	1
5	人工智能故障纠正	0	0	0	1	0	1	0
6	病毒防护	0	1	1	1	1	1	1
7	访问控制	1	1	1	1	1	1	1
8	数据加解密	1	1	1	0	0	0	1
9	用户行为监测	1	1	0	1	1	1	1
10	漏洞扫描	1	1	1	1	1	1	0
11	USB-key	1	1	1	1	1	1	1

方案编号	${{x}_{1}}$	${{x}_{2}}$	${{x}_{3}}$
1	30	34	137.67
2	30	41	149.67
3	30	35	139.67
4	36	32	205.67
5	30	32	77.67
6	31	32	203.67
7	30	37	141.67

方案编号	$X{}_{1}$	${{X}_{2}}$	${{X}_{3}}$
1	0.83	0.83	0.50
2	0.83	1.00	0.54
3	0.83	0.85	0.50
4	1.00	0.78	0.74
5	0.83	0.78	0.28
6	0.86	0.78	0.73
7	0.83	0.90	0.51