Establishing and improving the information security system for industrial control systems in China

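Abstract:

By analyzing the current state of information security for industrial control systems in China, this paper proposes that China establish and improve its industrial control system information security system through four measures: strengthening information security standards for industrial control systems, developing an independently controllable set of testing and certification tools, advancing industrial control system information security training, and providing industrial control system information security services. The aim is to further raise the level of information security protection in China's industrial control sector and to ensure the safe and healthy development of the industrial control industry, which underpins the nation's critical infrastructure.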
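1 Vulnerabilities of industrial control systems and their hazards
An industrial control system (ICS) is a business process management and control system, made up of various automation control devices together with process control equipment that collects and monitors real-time data, that provides automated operation, process control and monitoring of industrial infrastructure [1]. Its layered structure is shown in Figure 1. With the development of industrial automation, traditional closed systems have evolved into open networked systems, process control has been integrated with enterprise information systems, remote maintenance of industrial control systems has become increasingly common, wireless technology is widely used, and information is converging globally; these characteristics have kept industrial control systems developing and advancing. Today, industrial control systems are widely used in oil refining, chemicals, transportation, electric power, power grids, nuclear power, city gas and water supply, and other industrial fields. They have become an important part of national critical infrastructure, and their security directly affects the normal operation of that infrastructure.
Since the Stuxnet incident in 2010, security incidents in the industrial control field have been frequent. Industrial control systems, long regarded as relatively closed, relatively specialized and relatively secure, now face threats from extreme individualism, hacker groups, economic crime, terrorism, and even nation-state actors. At the same time, China's industrial control systems at the present stage suffer from policy and procedure vulnerabilities, platform vulnerabilities, and network vulnerabilities, as shown in Figure 2. Security incidents arising from these vulnerabilities not only degrade system performance, reduce system availability, cause critical control data to be tampered with or lost, and cause loss of control of the system, affecting production safety and causing serious economic losses; they may also lead to casualties and environmental disasters, endangering public life and even national security [2]. The secure operation of industrial control systems is therefore an essential foundation for the normal operation of national critical infrastructure, and an important indicator that requires attention throughout the system's entire life cycle.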
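2 Continuing to improve China's industrial control system information security standards
Building a security protection system for industrial control systems depends on the support of a corresponding system of security standards. Some developed countries began standards research in the field of industrial control system information security protection relatively early and have progressed quickly. Internationally, a number of international and national technical organization standards for industrial control system information security have been established, including ISA-99 (that is, IEC 62443), NERC CIP, NIST SP 800-82, WIB M-2784, and IEC 62351.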
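In recent years, as China's classified protection of information security policy has been promoted and enforced with increasing vigor, the state has attached growing importance to industrial control system information security. Information security protection for industrial control systems in nationally important industries has made considerable progress: a corresponding standards system for industrial control systems has been developed and is gradually being deployed, and the framework of China's classified protection standards system and information security standards system has been initially established. The content of China's industrial control system information security standards work in recent years is shown in Table 1 [3].
Overall, however, the development of China's standards system for industrial control information security protection still lags clearly behind the construction of industrial control systems themselves, and many problems remain in protection awareness, protection strategy, protection mechanisms, and regulations and standards. It is therefore urgent to establish an industrial control information security standards system that covers industrial control application domains, the industrial control product life cycle, and the business layers of industrial control systems. This requires work in five areas:
(1) With the support and guidance of national policy, and taking into account the information security problems and current state of China's industrial control field, analyze the requirements for building an industrial control system information security assurance system and establish a targeted overall framework for the industrial control information security standards system.
(2) Plan the development of key standards, and gradually enrich and improve an information security standards system that covers industrial control application domains and the product life cycle.
(3) Actively track and participate in the development of relevant international standards and specifications, achieve mutual recognition with international certification bodies, and express China's will regarding industrial security.
(4) Speed up the development of China's relevant standards and specifications and establish a complete standards system.
(5) Accelerate workforce development, and build industrial control information security testing and certification capability in accordance with the standards.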


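3 Vigorously developing an independently controllable testing and certification tool set
China's industrial control system information security field has long been constrained by limits on core technology, a lack of specialized testing and certification tools, and many other factors, leaving the country's important infrastructure facing serious security threats. It is therefore imperative to break through the technical barriers in industrial control information security and to develop an independently controllable testing and certification tool set that is aligned with international practice.
For testing and certification tools, the international reference is ISA Secure certification, the specialized security certification standard in the industrial control system field, run by a consortium that develops security certification processes based on the IEC 62443 series of standards. ISA Secure certification comprises three programs: Embedded Device Security Assurance (EDSA), System Security Assurance (SSA), and Security Development Lifecycle Assurance (SDLA). At present, the CRT test tools that have been recognized internationally under ISA Secure certification are Defensics from Codenomicon (Finland), Raven for ICS from FFRI (Japan), and Achilles from Wurldtech (Canada); there is no mature testing and certification tool product in China. Developing China's own independently controllable testing and certification tool set will help change the current lack of core technology in the country's industrial control information security field and improve China's ability to detect, discover and probe issues in industrial control systems, thereby raising the level of industrial control information security in China.
The development of the testing and certification tool set should take "independently controllable, secure and reliable" as its guiding technical principle. It should start from forward-looking research: studying internationally advanced security technology, studying the security protocol stacks of the industrial control field, and building a library of typical industrial control models and an industrial control vulnerability database. It should detect and scan asset information such as host computers (PLC), servers and networks inside industrial production control systems, as well as application software, services, open ports, firewalls, database auditing and similar items, and provide vulnerability detection and discovery, vulnerability risk assessment, visualization, and vulnerability remediation recommendations. Developing an independently controllable testing and certification tool set will thoroughly resolve the information security risks hidden inside the production control systems of China's industrial control enterprises and safeguard the safe production and safety management of industrial production. The development model for the independently controllable testing and certification tools is shown in Figure 3.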
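4 Rapidly advancing industrial control system information security training
Security training provides a standardized, scientific body of knowledge for cultivating highly qualified industrial control system information security personnel and for improving practitioners' professional, technical and management capabilities. At present, industrial control system information security training in China faces problems such as a mixed assortment of training providers, a lack of established norms, training content that offers weak guidance, incomplete training baselines, and reliance on traditional information security as the reference point. As an indispensable part of the industrial control system information security system, security training urgently needs attention and improvement.
(1) Build the "training baseline" on "standards": as the system of national and industry standards for industrial control system information security continues to improve and develop, it is necessary to actively lead and participate in the research, drafting and supervision of the relevant standards, and to build a documentary environment that supports the sound, efficient and secure development of the industrial control security field, thereby advancing the construction of an industrial control information security training baseline.
(2) Use testing and certification to drive security training: on the basis of the independently controllable testing and certification tool set, and combined with security assessment services for the industrial control field, build a neutral testing and certification environment and provide authoritative national-level testing and certification services, while giving training activities a more instructive and practical foundation.
Based on standards development and independently controllable testing and certification tools, build an industrial control system information security training system spanning the operational level, the technical level, certification training, and vocational education, in order to improve the hands-on technical ability and security skills of personnel in China's industrial control information security field, accelerate workforce development, and raise users' information security awareness.
Figure 4. Structure of the industrial control system security simulation experiment platform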
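5 Providing comprehensive industrial control system information security services
To raise the overall level of information security services in the industrial control field, and building on the continued improvement of national standards and the development of an independently controllable security technology system, a service support environment based on an industrial control system security simulation experiment platform should be built to provide industry users with customized security assessment, security consulting, and security protection services. The platform structure is shown in Figure 4.
(1) Security assessment: research and define the processes and methods of security assessment and build a complete security assessment system; carry out risk assessments of in-service systems, propose remediation and protection plans and recommendations, provide security assessment services to the relevant enterprises and public institutions, and standardize the security construction of industrial control systems. The end goal is a complete security assessment methodology that provides professional security assessment services to every industry in the industrial control field, together with a domestic industrial control system information security assessment system.
(2) Security consulting: research and define the processes and methods of security consulting and build a complete security consulting system; incorporate information security technology into product development and system design to raise the overall security of newly built industrial control systems. The end goal is a complete security consulting system that provides professional security consulting services across the industrial control field and gradually builds a library of secure industrial control system models.
(3) Security protection: develop independently controllable, purpose-built information security protection products for the industrial control field; propose comprehensive, multi-layered information security protection solutions for industrial control systems; ultimately achieve full domestic production of security protection products for the industrial control field; and gradually improve the system of independently controllable security protection solutions.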
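6 Summary
Industrial control systems are an important part of national critical infrastructure. Their information security has long been neglected, which has left protection inadequate and made the industrial control security situation increasingly severe. It is therefore urgent to adjust the overall strategy for industrial control information security and to rebuild and improve the industrial control system information security system. The analysis above shows that the healthy development and long-term stability of the industrial control industry, which bears on the national economy and people's livelihoods, can be ensured only by taking the development of China's industrial control information security standards system and research into an independently controllable testing and certification tool set as the foundation, building a support platform for China's industrial control system information security field, and providing security training, security consulting, security assessment, and overall security protection solutions on that platform, so as to establish and improve China's industrial control system information security system and comprehensively raise the level of security protection for industrial control systems in important sectors.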
