SCADA系统信息安全定量风险评估方法

doi:10.16265/j.cnki.issn1003-3033.2019.08.025

中国安全科学学报 ›› 2019, Vol. 29 ›› Issue (8): 157-163.doi: 10.16265/j.cnki.issn1003-3033.2019.08.025

SCADA系统信息安全定量风险评估方法

熊文泽¹ 高级工程师, 靳江红^**2 研究员, 唐军梅² 高级工程师

1 机械工业仪器仪表综合技术经济研究所功能安全中心,北京 100055;
2 北京市劳动保护科学研究所工业防爆研究室,北京 100054

收稿日期:2019-04-23 修回日期:2019-06-20 发布日期:2020-10-21
通讯作者: ** 靳江红(1974—),女,河北石家庄人,博士,研究员,主要从事安全控制系统的功能安全与信息安全方面的研究。E-mail:kathy_jinjh@126.com。
作者简介:熊文泽 (1986—),男,四川渠县人,硕士,高级工程师,主要从事系统可靠性、功能安全和信息安全技术研究。E-mail:xwz@instrnet.com。
基金资助:
北京市联合基金资助(L160009);北京市科学技术研究院“创新团队培养计划”项目(IG201701C2)。

Quantitative risk assessment method for information security of SCADA systems

XIONG Wenze¹, JIN Jianghong², TANG Junmei²

1 Functional Safety Center, Instrumentation Technology and Economy Institute, Beijing 100055, China;
2 Laboratory of Industrial Explosion Protection, Beijing Municipal Institute of Labor Protection, Beijing 100054, China

Received:2019-04-23 Revised:2019-06-20 Published:2020-10-21

摘要/Abstract

摘要： 为有效分析和评估数据采集与监视控制(SCADA)系统的信息安全风险,解决传统评估方法难以量化风险问题,首先根据信息安全风险评估模型,确立威胁、脆弱性和资产3要素,选取典型的SCADA系统进行分析和解构,获取可能存在的威胁、脆弱性和可能受影响的资产;其次采用层次分析法(AHP)确定不同要素对SCADA系统信息安全风险的影响程度;然后研究3要素对信息安全风险的判定矩阵构成和组合权重,对威胁-脆弱性-资产进行有效性组合配对,从而获得相对量化和具有可比性的风险评估值;最后利用该方法定量评估某典型SCADA系统的信息安全风险。结果表明:AHP法可操作性强,可找出系统信息安全的薄弱环节;层次构建可清楚展示原本复杂的SCADA系统内部关系,层次构建得越精细,精度分析越高,但过于精细也存在过分依赖专家经验的问题。

关键词: 数据采集与监视控制(SCADA), 信息安全, 定量风险评估, 层次分析法(AHP), 脆弱性

Abstract: In order to effectively analyze and assess information security risk of SCADA systems and solve the problem of quantifying information security risk which is difficult for traditional methods. Firstly, three elements, threat, vulnerability and assets, were confirmed based on information safety risk evaluation model, and possible threats, vulnerability and assets were obtained through analyzing and deconstructing typical SCADA system structure. Secondly, AHP was used to determine the influence extent of different elements on SCADA systems. Then the judgment matrix and combination weight of the three elements to security risk were studied and threat-vulnerability-asset were combined and compared to obtain relatively quantifiable and comparable risk parameters. Finally, the method was applied to assess information security risk of a typical SCADA system. Results show that AHP has good operability in identifying weak points in system information security, and hierarchical construction can clearly show the internal relationship of a complex SCADA system, the finer the hierarchy is, the more accurate analysis would be, but overelaborate construction may lead to heavy dependence on experts' experience.

Key words: supervisory control and data acquisition (SCADA), information security, quantitative risk assessment, analytic hierarchy process (AHP), vulnerability

中图分类号:

X913.4

熊文泽, 靳江红, 唐军梅. SCADA系统信息安全定量风险评估方法[J]. 中国安全科学学报, 2019, 29(8): 157-163.

XIONG Wenze, JIN Jianghong, TANG Junmei. Quantitative risk assessment method for information security of SCADA systems[J]. China Safety Science Journal, 2019, 29(8): 157-163.

参考文献

[1] BABESHKO E, KHARCHENKO V, GORBENKO A. Applying F(I)mea-technique for SCADA-based industrial control systems dependability assessment and ensuring[C].International Conference on Dependability of Computer Systems. IEEE, 2008: 309–315.
[2] ISA84.00.09-2017, Cybersecurity related to the functional safety lifecycle [S].
[3] 杨肖,杨力,杨子纯. 基于模糊层次分析的工业SCADA安全风险评估方法研究与应用[J]. 计算机应用与软件, 2017, 34(5): 54-60.
YANG Xiao, YANG Li, YANG Zichun. Research and application of industrial SCADA security risk assessment method based on fuzzy AHP[J].Computer Applications and Software,2017,34(5): 54-60.
[4] 黄慧萍,肖世德,梁红琴. 基于AHP和攻防树的SCADA系统安全脆弱性评估[J]. 控制工程, 2018, 25(6): 1 091-1 097.
HUANG Huiping, XIAO Shide, LIANG Hongqin. Vulnerability assessment of cyber security for SCADA systems based on AHP and attack defense tree [J].Control Engineering of China, 2018, 25(6): 1 091-1 097.
[5] ISO/IEC 27005-2018, Information technology - security techniques -information security risk management[S].
[6] 朱克毓. 模糊AHP的无效性与基于几何加权的AHP方法研究[D]. 合肥: 合肥工业大学, 2012.
ZHU Keyu. The study on the invalidity of fuzzy AHP and a weighted geometric method of AHP[D]. Hefei: Hefei University of Technology, 2012.
[7] 杨文涛, 张悦, 徐帅, 等. 城市重特大事故风险管控体系运行测评研究[J]. 中国安全科学学报, 2017, 27(10): 162-167.
YANG Wentao, ZHANG Yue, XU Shuai, et al. Study on assessment of urban safety risks management and control system for preventing particularly serious accidents and major accidents [J]. China Safety Science Journal, 2017, 27(10): 162-167.
[8] 汪圣华, 贾波, 陈文杰, 等. 有限空间作业动态风险评估模型研究与应用[J]. 中国安全科学学报, 2018, 28(8): 87-92.
WANG Shenghua, JIA Bo, CHEN Wenjie, et al. Research on model for assessment of dynamic risk in confined space working and its application [J]. China Safety Science Journal, 2018, 28(8): 87-92.
[9] 秦吉,张翼鹏. 现代统计信息分析技术在安全工程方面的应用:层次分析法原理[J]. 工业安全与防尘, 1999(5): 44-48.
QIN Ji, ZHANG Yipeng. Application of contemporary statistical information analysis method in safety engineering:the principle of AHP[J]. Industrial Safety and Dust Control, 1999(5): 44-48.
[10] 楚胜楠. 电力SCADA系统脆弱性分析与网络安全风险评估研究[D]. 北京: 华北电力大学, 2015.
CHU Shengnan. Vulnerability analysis and risk assessment security in electric power SCADA [D]. Beijing: North China Electric Power University, 2015.
[11] 李博远. 基于故障树和层次分析法的可靠性分配方法研究与系统实现[D]. 合肥: 中国科学技术大学, 2014.
LI Boyuan. Study on FTA and AHP based reliability allocation method[D]. Hefei: University of Science and Technology of China, 2014.
[12] 谢红军,黄杰,沈斌. 基于层次分析法的某型号控制系统可靠性指标分配[J]. 航空兵器, 2013(2): 57-60.
XIE Hongjun, HUANG Jie, SHEN Bin. A type of control system reliability allocation based on AHP [J]. Aero Weaponry, 2013(2): 57-60.
[13] API STD 1164-2004, Pipeline SCADA security [S].

[1]	岳仁田, 张知波. 脆弱性多因素耦合作用下空管亚安全态识别[J]. 中国安全科学学报, 2022, 32(4): 8-14.
[2]	辛保泉, 喻健良, 党文义, 白永忠, 于安峰. 定量风险评估视域下的多组分混合物危险特性[J]. 中国安全科学学报, 2022, 32(4): 80-85.
[3]	熊钰, 孔德中, 杨胜利, 吴桂义, 左宇军, 程占博. 大倾角工作面煤壁稳定性的云模型综合辨识[J]. 中国安全科学学报, 2022, 32(3): 144-151.
[4]	黄杰, 张显峰. 以南疆为例的区域暴恐袭击风险评估^*[J]. 中国安全科学学报, 2022, 32(2): 192-199.
[5]	辛保泉, 党文义, 喻健良, 王溪舸, 闫兴清, 卢卫. 石化过程蒸气云爆炸抗爆设防荷载定量评估方法^*[J]. 中国安全科学学报, 2021, 31(9): 113-118.
[6]	路庆昌, 崔欣, 徐标, 刘鹏, 王琰. 公交接驳场景下轨道交通网络脆弱性研究^*[J]. 中国安全科学学报, 2021, 31(8): 141-146.
[7]	王刚, 商荦真, 刘学麟, 唐礼, 程前. 采用AHP-熵权法的巷道启封中毒窒息致因研究^*[J]. 中国安全科学学报, 2021, 31(7): 187-192.
[8]	吴维讲师, 罗欣然, 魏明. 基于SD模型的跑道侵入风控网络脆弱性分析[J]. 中国安全科学学报, 2021, 31(4): 41-48.
[9]	刘大山, 陈晓春, 多英全, 师立晨. 化工园区地震Na-Tech事件快速风险评估方法[J]. 中国安全科学学报, 2021, 31(2): 127-134.
[10]	杨天姿, 王铁骊, 彭恒明, 段海林. 小微企业生产安全事故应急脆弱性评价^*[J]. 中国安全科学学报, 2021, 31(12): 176-183.
[11]	蔡玫, 王秋寒. Natech风险管理中的承灾体脆弱性评估方法综述^*[J]. 中国安全科学学报, 2021, 31(11): 9-17.
[12]	李浩然, 王子恒, 杨起帆, 张亚君, 欧阳作林. 复杂网络下地铁灾害链演化模型与风险分析^*[J]. 中国安全科学学报, 2021, 31(11): 141-147.
[13]	毛丁, 王芃, 倪龙. 供热及其关联基础设施网络脆弱性研究综述^*[J]. 中国安全科学学报, 2021, 31(11): 155-162.
[14]	吴耀男, 林雷, 任新温, 王龙庭, 刘志慧, 刘增凯. 一种基于逻辑结构数的改进型FMEA方法^*[J]. 中国安全科学学报, 2021, 31(10): 97-104.
[15]	吴仁彪, 何宇翔, 贾云飞. 基于改进层次分析法的重点人员风险评价方法^*[J]. 中国安全科学学报, 2021, 31(10): 112-118.

SCADA系统信息安全定量风险评估方法

Quantitative risk assessment method for information security of SCADA systems

PDF

可视化

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 15

编辑推荐

Metrics

本文评价