Authors: TAO Yao-dong (陶耀东); JIA Xin-tong (贾新桐) [1,2]; WU Yun-kun (吴云坤)
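Affiliations: [1] University of Chinese Academy of Sciences, Beijing 100049, China [2] Shenyang Institute of Computing Technology Co. Ltd., Chinese Academy of Sciences, Shenyang 110168, China [3] National Joint Engineering Lab for ICS Security of 360ESG, Beijing 100015, China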
Source: Journal of Chinese Computer Systems (《小型微型计算机系统》), 2020, No. 3, pp. 603-609 (7 pages)
Funding: Supported by the National Key R&D Program of China, Cyberspace Security Key Special Project (2018YFB0803400).
Abstract: Security problems in industrial control systems (ICS) are becoming increasingly prominent, and ICS vulnerabilities are an important entry point for attackers seeking to cause damage. This paper proposes a quantitative risk assessment method for ICS vulnerabilities. Building on the Common Vulnerability Scoring System, it brings indicators that reflect ICS security characteristics, such as visibility, controllability, and the service status of the exploit target, into the scope of quantitative assessment. The method uses an improved ICS vulnerability risk assessment algorithm that can generate base scores and life-cycle scores for ICS vulnerabilities, and that security personnel can also use to generate environmental scores according to the specific needs of an actual ICS security scenario. Case analysis and statistical analysis show that the proposed risk assessment method can effectively quantify ICS vulnerabilities. The method was applied in an industrial field inspection tool, demonstrating that it can significantly improve the usability of vulnerability scores in ICS security protection and raise the level of ICS security protection.
Classification: TP393 [Automation and Computer Technology - Computer Application Technology]