In-depth defense strategy for industrial network security: a case study on the SCADA system network of the West-East Gas Pipeline (工业网络安全深度防御策略——以西气东输天然气管道SCADA系统网络为例)

Cited by: 13

Authors: LIANG Yi, WANG Lei, ZHAO Lianbin, MA Jian (梁怿, 王磊, 赵廉斌, 马健)

Affiliations: [1] West-East Gas Pipeline Branch, China Petroleum Pipeline Co. Ltd. (中石油管道有限责任公司西气东输分公司) [2] Sunshine International Business Co. Ltd. (阳光国际商务有限公司)

Source: Oil & Gas Storage and Transportation (油气储运), 2019, No. 6, pp. 692-696 (5 pages)

Abstract: As the cyber-security situation grows more severe and complex, the traditional single-point defense strategy for industrial networks no longer meets current needs. Drawing on the layered ("three-dimensional") protection concept from the Internet domain and on the particular protection characteristics of industrial networks, this paper proposes a scheme for building defense in depth in industrial networks: a whitelist-based security system is deployed on industrial control terminals, an access control policy based on the principle of least privilege is configured in the local area network (LAN), and threat-mitigating network security tools are added at the network boundary. The scheme was applied to the SCADA system network of the West-East Gas Pipeline, where it underwent four penetration tests and withstood attacks by worms such as WannaCry and Petya. The results show that a network security protection strategy based on defense in depth can effectively defend against attacks originating both outside and inside the industrial system, and greatly improves the security and reliability of the SCADA industrial network.
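As an added illustration (not code from the paper, which gives no implementation detail), the following Python sketch models two of the three layers the abstract names: a hash-based application allow-list on the control terminal, and a default-deny, least-privilege access control policy in the LAN evaluated over a few constructed flow records. The zone addresses, rule set, file name and flow lines are all assumed for the example; allowing only TCP/502 (Modbus/TCP) between zones and letting TCP/445 (the SMB port over which WannaCry-class worms propagate) fall through to the default deny is an illustrative choice, not the paper's actual configuration.

```python
"""Toy model of two defence-in-depth layers: terminal allow-list + LAN least-privilege ACL.
Added example; addresses, rules and sample flows are constructed, not from the paper."""
import hashlib
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# --- Layer 1: terminal application allow-list (hash based, default deny) ---
# Constructed: the "approved" image is a fixed byte string here. In practice the
# allow-list holds SHA-256 hashes of the vendor-supplied HMI/SCADA binaries.
APPROVED_IMAGES = {
    "hmi_runtime.exe": b"APPROVED-HMI-RUNTIME-IMAGE",   # hypothetical file name
}
ALLOWED_SHA256 = {hashlib.sha256(b).hexdigest() for b in APPROVED_IMAGES.values()}


def terminal_allows(image_bytes: bytes) -> bool:
    """Permit execution only if the image hash is on the allow-list (unknown -> blocked)."""
    return hashlib.sha256(image_bytes).hexdigest() in ALLOWED_SHA256


# --- Layer 2: least-privilege LAN access control (first match wins, default deny) ---
@dataclass(frozen=True)
class Rule:
    src: str      # source zone (CIDR)
    dst: str      # destination zone (CIDR)
    proto: str    # "tcp" / "udp"
    dport: int    # destination port
    action: str   # "allow" / "deny"


# Constructed zones (hypothetical addressing).
HMI_ZONE = "10.1.1.0/24"    # operator workstations
PLC_ZONE = "10.1.2.0/24"    # controllers / RTUs
HIST_ZONE = "10.1.3.0/24"   # historian

RULES = [
    Rule(HMI_ZONE, PLC_ZONE, "tcp", 502, "allow"),    # Modbus/TCP polling only
    Rule(PLC_ZONE, HIST_ZONE, "tcp", 502, "allow"),   # historian collects from PLCs
    Rule(HMI_ZONE, HIST_ZONE, "tcp", 5432, "allow"),  # HMI queries historian DB
    # Everything else (SMB 445/139, RDP 3389, HMI<->HMI lateral traffic) hits the default deny.
]


def lan_decision(src: str, dst: str, proto: str, dport: int) -> str:
    """Return the first matching rule's action, or 'deny' when nothing matches."""
    s, d = ip_address(src), ip_address(dst)
    for r in RULES:
        if (s in ip_network(r.src) and d in ip_network(r.dst)
                and proto == r.proto and dport == r.dport):
            return r.action
    return "deny"


# --- Apply the ACL to constructed flow records: "src dst proto dport" per line ---
FLOW_LOG = """\
10.1.1.10 10.1.2.5 tcp 502
10.1.1.10 10.1.2.5 tcp 445
10.1.1.10 10.1.1.11 tcp 445
10.1.2.5 10.1.3.2 tcp 502
"""


def evaluate_flows(log_text: str) -> list:
    """Return [(flow line, decision), ...] for each constructed flow record."""
    results = []
    for line in log_text.splitlines():
        src, dst, proto, dport = line.split()
        results.append((line, lan_decision(src, dst, proto, int(dport))))
    return results


if __name__ == "__main__":
    print("terminal allows approved image:", terminal_allows(APPROVED_IMAGES["hmi_runtime.exe"]))
    print("terminal allows unknown image: ", terminal_allows(b"unknown-dropper"))
    for flow, decision in evaluate_flows(FLOW_LOG):
        print(f"{flow:32s} -> {decision}")
```

The design point is that both layers are default-deny: the terminal blocks anything whose hash is not enrolled, and the LAN policy has no "allow any" rule, so a worm that lands on one HMI cannot reach SMB on a PLC or a neighbouring HMI even though Modbus polling still works.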

Keywords: industrial network; network security; defense in depth; terminal protection; LAN protection; boundary protection

Classification code: TP393 [Automation and Computer Technology: Computer Application Technology]
