Author: 郭怡安 (Guo Yian), State Key Laboratory of Chemical Safety, Qingdao, Shandong 266104; SINOPEC Research Institute of Safety Engineering Co., Ltd., Qingdao, Shandong 266104
Affiliations: [1] State Key Laboratory of Chemical Safety, Qingdao, Shandong 266104 [2] SINOPEC Research Institute of Safety Engineering Co., Ltd., Qingdao, Shandong 266104
Source: 《安全、健康和环境》(Safety Health & Environment), 2023, No. 10, pp. 77-82 (6 pages)
Abstract: The safety instrumented system (SIS) is a typical safety protection system for industrial control processes, and its information security problems are becoming increasingly prominent, yet there is no systematic solution for the quantitative risk assessment and analysis of an SIS. To address this, an information security assessment method is proposed. The method first collects the digital asset information of each single-point asset in the target system and matches it against public vulnerability databases, using CVSS to obtain a security score for each single-point asset. Taking the single-point assets as root nodes, an attack relationship tree model is then constructed according to the physical structure and network topology relationships between those assets. Attack path analysis is then carried out, and the probability of an attack occurring is quantified with a Bayesian network method. Finally, in response to a safety assessment request, the detection results are given a risk rating. A worked example illustrates the concrete implementation of the method and shows that it is reasonable and feasible. Applying the method allows the information security risk of an SIS to be assessed scientifically and the weak links of the system to be identified, helping to achieve precise control of the current state of SIS information security.
Keywords: safety instrumented system; information security assessment; attack relationship tree; Common Vulnerability Scoring System (CVSS); Bayesian network; risk rating
Classification: TH137.52 [Mechanical Engineering: Machine Manufacturing and Automation]