Authors: XIONG Wenze (熊文泽); JIN Jianghong (靳江红)[2]; TANG Junmei (唐军梅)
Affiliations: [1] Functional Safety Center, Instrumentation Technology and Economy Institute, Beijing 100055, China; [2] Laboratory of Industrial Explosion Protection, Beijing Municipal Institute of Labor Protection, Beijing 100054, China
Source: China Safety Science Journal (《中国安全科学学报》), 2019, Issue 8, pp. 157-163 (7 pages)
Funding: Beijing Joint Fund (L160009); Beijing Academy of Science and Technology "Innovation Team Training Program" project (IG201701C2)
Abstract: To analyze and assess the information security risk of supervisory control and data acquisition (SCADA) systems effectively, and to address the difficulty traditional assessment methods have in quantifying risk, the study proceeds in four steps. First, following the information security risk assessment model, three elements are established: threat, vulnerability and asset. A typical SCADA system is analyzed and deconstructed to obtain the possible threats, the vulnerabilities and the assets that may be affected. Second, the analytic hierarchy process (AHP) is used to determine how strongly the different elements influence the information security risk of the SCADA system. Third, the composition of the judgment matrices and the combined weights of the three elements with respect to information security risk are studied, and valid threat-vulnerability-asset combinations are paired, which yields relatively quantified and comparable risk assessment values. Finally, the method is applied to quantitatively assess the information security risk of a typical SCADA system. The results show that AHP is highly operable and can identify the weak points in system information security. Hierarchical construction clearly shows the internal relationships of an otherwise complex SCADA system: the finer the hierarchy, the more accurate the analysis, but an overly fine hierarchy also leads to excessive dependence on expert experience.
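Keywords: supervisory control and data acquisition (SCADA); information security; quantitative risk assessment; analytic hierarchy process (AHP); vulnerability
Classification: X913.4 [Environmental Science and Engineering: Safety Science]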