Quantitative risk assessment method for information security of SCADA systems

doi:10.16265/j.cnki.issn1003-3033.2019.08.025

Abstract

Abstract: In order to effectively analyze and assess information security risk of SCADA systems and solve the problem of quantifying information security risk which is difficult for traditional methods. Firstly, three elements, threat, vulnerability and assets, were confirmed based on information safety risk evaluation model, and possible threats, vulnerability and assets were obtained through analyzing and deconstructing typical SCADA system structure. Secondly, AHP was used to determine the influence extent of different elements on SCADA systems. Then the judgment matrix and combination weight of the three elements to security risk were studied and threat-vulnerability-asset were combined and compared to obtain relatively quantifiable and comparable risk parameters. Finally, the method was applied to assess information security risk of a typical SCADA system. Results show that AHP has good operability in identifying weak points in system information security, and hierarchical construction can clearly show the internal relationship of a complex SCADA system, the finer the hierarchy is, the more accurate analysis would be, but overelaborate construction may lead to heavy dependence on experts' experience.

Key words: supervisory control and data acquisition (SCADA), information security, quantitative risk assessment, analytic hierarchy process (AHP), vulnerability

CLC Number:

X913.4

XIONG Wenze, JIN Jianghong, TANG Junmei. Quantitative risk assessment method for information security of SCADA systems[J]. China Safety Science Journal, 2019, 29(8): 157-163.

References

[1] BABESHKO E, KHARCHENKO V, GORBENKO A. Applying F(I)mea-technique for SCADA-based industrial control systems dependability assessment and ensuring[C].International Conference on Dependability of Computer Systems. IEEE, 2008: 309–315.
[2] ISA84.00.09-2017, Cybersecurity related to the functional safety lifecycle [S].
[3] 杨肖,杨力,杨子纯. 基于模糊层次分析的工业SCADA安全风险评估方法研究与应用[J]. 计算机应用与软件, 2017, 34(5): 54-60.
YANG Xiao, YANG Li, YANG Zichun. Research and application of industrial SCADA security risk assessment method based on fuzzy AHP[J].Computer Applications and Software,2017,34(5): 54-60.
[4] 黄慧萍,肖世德,梁红琴. 基于AHP和攻防树的SCADA系统安全脆弱性评估[J]. 控制工程, 2018, 25(6): 1 091-1 097.
HUANG Huiping, XIAO Shide, LIANG Hongqin. Vulnerability assessment of cyber security for SCADA systems based on AHP and attack defense tree [J].Control Engineering of China, 2018, 25(6): 1 091-1 097.
[5] ISO/IEC 27005-2018, Information technology - security techniques -information security risk management[S].
[6] 朱克毓. 模糊AHP的无效性与基于几何加权的AHP方法研究[D]. 合肥: 合肥工业大学, 2012.
ZHU Keyu. The study on the invalidity of fuzzy AHP and a weighted geometric method of AHP[D]. Hefei: Hefei University of Technology, 2012.
[7] 杨文涛, 张悦, 徐帅, 等. 城市重特大事故风险管控体系运行测评研究[J]. 中国安全科学学报, 2017, 27(10): 162-167.
YANG Wentao, ZHANG Yue, XU Shuai, et al. Study on assessment of urban safety risks management and control system for preventing particularly serious accidents and major accidents [J]. China Safety Science Journal, 2017, 27(10): 162-167.
[8] 汪圣华, 贾波, 陈文杰, 等. 有限空间作业动态风险评估模型研究与应用[J]. 中国安全科学学报, 2018, 28(8): 87-92.
WANG Shenghua, JIA Bo, CHEN Wenjie, et al. Research on model for assessment of dynamic risk in confined space working and its application [J]. China Safety Science Journal, 2018, 28(8): 87-92.
[9] 秦吉,张翼鹏. 现代统计信息分析技术在安全工程方面的应用:层次分析法原理[J]. 工业安全与防尘, 1999(5): 44-48.
QIN Ji, ZHANG Yipeng. Application of contemporary statistical information analysis method in safety engineering:the principle of AHP[J]. Industrial Safety and Dust Control, 1999(5): 44-48.
[10] 楚胜楠. 电力SCADA系统脆弱性分析与网络安全风险评估研究[D]. 北京: 华北电力大学, 2015.
CHU Shengnan. Vulnerability analysis and risk assessment security in electric power SCADA [D]. Beijing: North China Electric Power University, 2015.
[11] 李博远. 基于故障树和层次分析法的可靠性分配方法研究与系统实现[D]. 合肥: 中国科学技术大学, 2014.
LI Boyuan. Study on FTA and AHP based reliability allocation method[D]. Hefei: University of Science and Technology of China, 2014.
[12] 谢红军,黄杰,沈斌. 基于层次分析法的某型号控制系统可靠性指标分配[J]. 航空兵器, 2013(2): 57-60.
XIE Hongjun, HUANG Jie, SHEN Bin. A type of control system reliability allocation based on AHP [J]. Aero Weaponry, 2013(2): 57-60.
[13] API STD 1164-2004, Pipeline SCADA security [S].

[1]	YUE Rentian, ZHANG Zhibo. Sub-safety state identification of ATC under multi-factor coupling of vulnerability [J]. China Safety Science Journal, 2022, 32(4): 8-14.
[2]	XIN Baoquan, YU Jianliang, DANG Wenyi, BAI Yongzhong,YU Anfeng. Hazard characteristics of multi-component mixtures from perspective of quantitative risk assessment [J]. China Safety Science Journal, 2022, 32(4): 80-85.
[3]	HUANG Jie, ZHANG Xianfeng. Risk assessment of regional violent terrorist attacks in southern Xinjiang [J]. China Safety Science Journal, 2022, 32(2): 192-199.
[4]	XIN Baoquan, DANG Wenyi, YU Jianliang, WANG Xige, YAN Xingqing, LU Wei. Quantitative evaluation method of blast-resistant and defense loads for VCE in petrochemical process [J]. China Safety Science Journal, 2021, 31(9): 113-118.
[5]	LU Qingchang, CUI Xin, XU Biao, LIU Peng, WANG Yan. Vulnerability research of rail transit network under bus connection scenarios [J]. China Safety Science Journal, 2021, 31(8): 141-146.
[6]	WANG Gang, SHANG Luozhen, LIU Xuelin, TANG Li, CHENG Qian. Study on causes of poisoning and asphyxiation in roadway opening by AHP-entropy weight method [J]. China Safety Science Journal, 2021, 31(7): 187-192.
[7]	WU Wei, LUO Xinran, WEI Ming. Vulnerability assessment of runway intrusion risk control network based on SD model [J]. China Safety Science Journal, 2021, 31(4): 41-48.
[8]	YANG Tianzi, WANG Tieli, PENG Hengming, DUAN Hailin. Evaluation on emergency response vulnerability for work safety accidents in small and micro enterprises [J]. China Safety Science Journal, 2021, 31(12): 176-183.
[9]	CAI Mei, WANG Qiuhan. Review of hazard bearing bodies' vulnerability assessment methods in Natech risk management [J]. China Safety Science Journal, 2021, 31(11): 9-17.
[10]	LI Haoran, WANG Ziheng, YANG Qifan, ZHANG Yajun, OUYANG Zuolin. Evolutionary model and risk analysis of metro disaster chain under complex network [J]. China Safety Science Journal, 2021, 31(11): 141-147.
[11]	MAO Ding, WANG Peng, NI Long. Research review on vulnerability of district heating system and its interdependent infrastructure network [J]. China Safety Science Journal, 2021, 31(11): 155-162.
[12]	WU Yaonan, LIN Lei, REN Xinwen, WANG Longting, LIU Zhihui, LIU Zengkai. An improved FMEA method based on logical structure number [J]. China Safety Science Journal, 2021, 31(10): 97-104.
[13]	WU Renbiao, HE Yuxiang, JIA Yunfei. Key personnel risk assessment method based on improved AHP [J]. China Safety Science Journal, 2021, 31(10): 112-118.
[14]	ZHU Guanji, LIU Di, SUN Qiang, ZHOU Zichao. Evaluation on occupational safety adaptability of railway locomotive drivers [J]. China Safety Science Journal, 2020, 30(S1): 64-70.
[15]	LI Tingting, LU Cheng. Railway industry statistical survey system based on safety protection [J]. China Safety Science Journal, 2020, 30(S1): 133-138.