CN104331072A - Information security risk assessment method oriented to typical metallurgy process control system - Google Patents

Info

Publication number
CN104331072A
Authority
CN
China
Prior art keywords
attack
security incident
target
security
risk
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201410589958.9A
Other languages
Chinese (zh)
Other versions
CN104331072B (en
Inventor
赵永丽
芦永明
陈宏志
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Automation Research and Design Institute of Metallurgical Industry
Original Assignee
Automation Research and Design Institute of Metallurgical Industry
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Automation Research and Design Institute of Metallurgical Industry filed Critical Automation Research and Design Institute of Metallurgical Industry
Priority to CN201410589958.9A priority Critical patent/CN104331072B/en
Publication of CN104331072A publication Critical patent/CN104331072A/en
Application granted granted Critical
Publication of CN104331072B publication Critical patent/CN104331072B/en
Expired - Fee Related legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • G: PHYSICS
    • G05: CONTROLLING; REGULATING
    • G05B: CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B23/00: Testing or monitoring of control systems or parts thereof
    • G05B23/02: Electric testing or monitoring
    • G05B23/0205: Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults
    • G05B23/0218: Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults characterised by the fault detection method dealing with either existing or incipient faults
    • G05B23/0224: Process history based detection method, e.g. whereby history implies the availability of large amounts of data
    • G05B23/024: Quantitative history assessment, e.g. mathematical relationships between available data; Functions therefor; Principal component analysis [PCA]; Partial least square [PLS]; Statistical classifiers, e.g. Bayesian networks, linear regression or correlation analysis; Neural networks

Landscapes

  • Physics & Mathematics (AREA)
  • Engineering & Computer Science (AREA)
  • Artificial Intelligence (AREA)
  • Evolutionary Computation (AREA)
  • Mathematical Physics (AREA)
  • General Physics & Mathematics (AREA)
  • Automation & Control Theory (AREA)
  • General Factory Administration (AREA)
  • Testing And Monitoring For Control Systems (AREA)

Abstract

The invention provides an information security risk assessment method for typical metallurgical process control systems and belongs to the technical field of industrial control system information security. By establishing attack models for typical metallurgical process scenarios, the method analyzes system robustness under different attack modes and strategies, and thereby assesses the security risk of a typical metallurgical process control system under different attack modes and failure modes. Starting from risk theory, the method treats the metallurgical process control system as a cyber-physical system and performs the security risk assessment with a stochastic probability method; it considers both the probability that an attack source or failure source acts and the impact it causes, and from these develops a security assessment method based on risk indices. Quantitative estimation is based on the risk indices: a security event set is built from the cyber-physical model and the attack model, and is then combined with the calculated robustness evaluation indices for quantitative estimation, which helps locate the weak security links in the control system.

Description

An information security risk assessment method for typical metallurgical process control systems
Technical field
The invention belongs to the technical field of industrial control system information security, and in particular relates to an information security risk assessment method for typical metallurgical process control systems.
Background
Metallurgy is a pillar industry of China's national economy and a basic industry bearing on the national interest and people's livelihood. The deep integration of automation and informatization has become the development trend of the metallurgical industry, and Ethernet-based control network systems are widely used. As hacking methods and techniques grow more complex and advanced, attacks targeting industrial control systems emerge one after another. As a complex hybrid-process industry, metallurgy faces a more severe security situation, mainly in the following respects:
(1) Processes and control networks are more complex. A metallurgical enterprise is a typical hybrid-process enterprise with the characteristic features of industrial production flows, including mixed continuous and discrete processes and mixed physical and chemical changes. The degree of automation is high, the flow is long with many stages, the operations are coupled to one another, and many automation devices and subsystems are involved. This makes the control system network topology larger and more complex, and the security risk greater.
(2) Individual equipment is costly. Typical metallurgical process flows involve large single units such as blast furnaces, converters and rolling mill units. Equipment cost is high, and an attack directly harms the physical world, with losses that may be hard to estimate, so the control network security situation of metallurgical enterprises is more serious.
(3) Information security management is complex. Because the control network is large and the process coupling is relatively strong, security boundaries are hard to define; because the network is tightly connected to the physical world, the requirements on network-induced delay, availability and business continuity are higher [7]; metallurgical enterprises are heavy polluters, and the energy and environmental protection requirements placed on the network also add to the complexity of system information security management.
(4) Attack methods are increasingly advanced and covert. Traditional metallurgical industrial control systems were designed before the Internet and rely on special-purpose hardware, software and communication protocols; their design was based on availability and reliability and essentially did not consider the communication security problems that interconnection brings. By exploiting vulnerabilities in industrial control equipment, Ethernet protocol flaws, industrial application vulnerabilities and the like, an attacker can build more covert, targeted attack channels. The Stuxnet worm, for example, made full use of security vulnerabilities in the industrial PCs and control systems of the industrial control network at Iran's Bushehr nuclear power station, providing seven covert channels for the attacker's intrusion.
These factors make the security risk faced by metallurgical process control systems higher. Metallurgical process control systems and their security are a new area of information security research. It is first necessary to understand the metallurgical process control system, then to study the risks and vulnerabilities of the control system itself, to carry out attack-and-defence analysis on that basis using simulated attack scenarios, and then to assess the control system risk. Only with a full understanding of how risk is distributed and formed in the metallurgical process control system can the system's security measures be improved step by step.
In terms of research method, current work on control system security largely follows the thinking of IT information security research. It adopts the theory and means of perimeter defence and focuses on the security defence of the industrial control network itself, for example industrial firewalls, security isolation systems and traffic intrusion detection systems, or it relies on after-the-fact alarms. However, the business continuity and hard real-time demands of process industries require that, once a risk arises, it is discovered and prevented in time, or that an attack is discovered in time and remedial measures are taken, so that the system runs with security "resilience". This can only be achieved by assessing the control system security risk. Studying control system network security purely from the information technology perspective cannot solve the theoretical and practical problems of decision models, behaviour description and security risk assessment for malicious attacks in an industrial environment.
A control system for a typical metallurgical process flow is in essence a cyber-physical system (CPS): multidimensional heterogeneous computing units and physical objects are highly integrated and interact in a networked environment, forming a new class of intelligent complex system. Research on its security risk assessment needs to start from the cyber-physical perspective: analyze the attacker's strategy from the control point of view, build the attack behaviour model and attack target model of a rational attacker, find the system's weaknesses, and then apply a suitable technique for risk assessment. Although there is a large body of research and discussion on risk assessment in both the industrial control field and the information security field, information security risk assessment of industrial control systems from the cyber-physical perspective is still at an early stage, and no research on risk assessment techniques for metallurgical industry control systems has been reported.
Summary of the invention
The object of the invention is to provide an information security risk assessment method for typical metallurgical process control systems. Based on a cyber-physical mathematical model of the control system, it establishes attack models for typical metallurgical process scenarios, analyzes system robustness under different attack modes and strategies, and thereby assesses the security risk of a typical metallurgical process control system under different attack modes and failure modes. Starting from risk theory, the method defines the metallurgical process control system as a cyber-physical system and performs the security risk assessment with a stochastic probability method; it considers both the probability that an attack source or failure source acts and the impact it causes, and proposes a security assessment method based on risk indices. Quantitative estimation is based on the risk indices: a security event set is built from the cyber-physical model and the attack model and is combined with the calculated robustness evaluation indices for quantitative estimation, which helps locate the weak security links in the control system.
To solve the above technical problem, the invention adopts the following technical solution, with these specific steps:
(1) For a typical metallurgical process control system, build a cyber-physical mathematical model of the control system. This modeling is a hybrid modeling method based on Matlab Simulink & Petri-Net-Simulink-Block: the continuous dynamic model of the metallurgical process flow is represented by a conventional set of linear or nonlinear differential equations or state equations and implemented with the Matlab Simulink toolbox; discrete events are represented by a Petri Net (PN) model and implemented with PNL, a Simulink toolbox, so that the PN discrete model can be integrated into a Simulink block diagram, and the synchronized state transitions of the Petri Net model are triggered mainly by external events. At the same time, the Petri Net model is extended: the communication network components are modeled, the model is extended with time constraints such as information-model delay, and a state synchronization mechanism is added;
(2) Risk identification. Typical attack strategies and means are modeled and an information attack model is introduced; by setting different attack conditions and paths, system robustness is analyzed and the robustness evaluation indices are calculated, thereby achieving risk identification. The information attack model mainly covers two common attack modes, spoofing attacks and denial-of-service attacks, and mainly includes the attack forms of injection, tampering, replay, blocking, eavesdropping, delay and DoS;
(3) Define security events according to the risk identification result and generate the security event set;
(4) Assess the risk of a security event. Using a stochastic probability method, and considering both the probability that the attack source or failure source acts and the consequence it causes, carry out a quantitative information security assessment of the security event based on risk indices.
(5) If every event in the security event set has been assessed, combine the risk indices of all security events to obtain a comprehensive system information security risk index, used to evaluate the overall information security status of the system; if some events in the set have not yet been assessed, go directly to (4).
The typical metallurgical process control systems addressed by the invention are mainly the control systems of key processes such as the blast furnace, converter, continuous casting and steel rolling. These control systems are all large, involve many operations and much equipment, and their production processes are continuous and complex; they are all large-scale cyber-physical systems. Hybrid modeling of a system that combines a continuous process with discrete events and information network components is one of the hard problems in the modeling field. The invention proposes a hybrid modeling method based on Matlab Simulink & Petri-Net-Simulink-Block: the continuous dynamic model of the metallurgical process flow is represented by a conventional set of linear or nonlinear differential equations or state equations and implemented with the Matlab Simulink toolbox; discrete events are represented by a Petri Net (PN) model and implemented with PNL, a Simulink toolbox, so that the PN discrete model can be integrated into a Simulink block diagram, and the synchronized state transitions of the Petri Net model are triggered mainly by external events. The Petri Net model is extended with an information network model, which brings the models of the information components in the network into the overall model, and a state synchronization mechanism is added. The effect on the control model of factors caused by network communication, such as delay, data loss and quality of service, is analyzed at the same time.
The information attack modeling in step (2) of the invention models typical attack strategies and means, mainly from the two attack modes of spoofing attacks and denial-of-service attacks, and mainly includes attack forms such as injection, tampering, replay, blocking, eavesdropping, delay and DoS. The robustness analysis is based on the robustness evaluation index. The index is calculated starting from the attack target: using the mathematical description of the attack target, the degree of damage the attack causes to the target is analyzed in order to quantify the index. If the attack target is the output, the robustness evaluation index is the loss of the output under different attack strategies and conditions relative to the expected output. The calculation follows the "worst case" principle, that is, the degree of loss in the worst case is used as the measure, while constraints such as the implementation strategy and physical fault tolerance are taken into account. The comprehensive robustness evaluation index of the system is a weighted combination of the indices calculated under the various attack conditions or failure conditions, computed as follows:

$$R_{i\max} = \max_{j=1}^{M} F(s_i, a_j, r_i) \qquad (1)$$

$$\bar{R} = \sum_{i=1}^{N} k_i R_{i\max} \qquad (2)$$

Here $s_i$ denotes the attack target or fault target; $a_j$ denotes the attack condition or failure condition in a particular state; $r_i$ denotes the degree of control parameter loss of the attack target or fault target $s_i$ under the attack condition or failure condition $a_j$ in that state, with $i \in [1, N]$ and $j \in [1, M]$; $R_{i\max}$ denotes the robustness evaluation index of the attack target or fault target $s_i$ in the worst case.
$k_i$ denotes the weighting coefficient of each attack target $s_i$ and is estimated from the probability that the attack occurs; $\bar{R}$ denotes the comprehensive robustness evaluation index of the system.
System robustness is inversely proportional to the robustness evaluation index: the greater the loss of an attack target in the worst case, the weaker its robustness.
In the above information security risk assessment method for typical metallurgical process control systems, the risk index in step (4) must quantify the two determinants of risk: the probability that a security event occurs and its consequence (severity). The system is evaluated per category of attack target or fault target, so the system risk index is defined as the product of the probability that a security event occurs and the consequence the event produces:

$$R(S_i, E, C) = \sum_j P(E_j) \times P(E_j, C_j) \qquad (3)$$

In this formula, $S_i$ is the attack target or fault target; $E_j$ is the security event occurring at future time $t$; $P(E_j)$ is the probability that security event $E_j$ occurs; $P(E_j, C_j)$ is the consequence produced when security event $E_j$ occurs under environmental condition $C_j$ (the attack or failure condition); $R(S_i, E, C)$ is the risk index value.
The probability that a security event occurs is estimated with a probabilistic statistical model. Conditional probability of the number of security events: suppose the target system suffers $n$ security events in the time period $[0, T]$ and the average occurrence rate of security events is $\lambda$, so that $n = \lambda T$, and $n \to \infty$ as $T \to \infty$. To determine the distribution function of the number of security events within time $t$: if only one security event occurs in $[0, T]$, the probability $p$ that this event falls within $t$ depends on the relative size of $t$ and $T$. Let $p$ satisfy $p \to 0$ as $T \to \infty$. Then, for a given time period $t$, $np$ is constant. An event that occurs within $t$ is counted as a "success" and one that occurs outside $t$ as a "failure". The probability that $k$ security events occur within $t$ therefore follows the binomial distribution, with distribution function:

$$p_n(k) = \frac{n!}{(n-k)!\,k!}\, p^k (1-p)^{n-k} \qquad (4)$$

If security events are classified into $m$ types and the average occurrence rate of security events of type $i$ is $\lambda_i$, then the probability that events of type $i$ occur $k_i$ times within the time period $t$ can be expressed as:

$$p(k_i \mid \lambda_i) = \frac{(\lambda_i t)^{k_i}}{k_i!}\, e^{-\lambda_i t} \qquad (k_i = 0, \ldots, \infty) \qquad (5)$$
The consequence of an attack or failure is closely tied to system robustness. Different types of risk affect system robustness differently, and the consequence of an attack or failure can be defined as a function of the robustness evaluation index, that is:

$$P(E_j, C_j) = f(R_{ij}) \qquad (6)$$

In this formula, $R_{ij}$ is the robustness index of the attack target or fault target $s_i$ under the attack condition or failure condition $a_j$ in a particular state, with control parameter loss $r_i$.
In the above information security risk assessment method for typical metallurgical process control systems, the comprehensive system information security risk index in step (5) is the weighted mean of the risk indices of all security events, with the weights assigned according to the severity of the security events.
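The calculation chain of formulas (1) to (6) and step (5), as an added Python example that is not code from the patent. The event set, target names and numbers are constructed for illustration; taking $f$ in (6) as the identity, taking $P(E_j)$ as the probability of at least one event in $t$ under (5), and using $p = t/T$ for the binomial check are assumptions of this example.

```python
import math

# Constructed sample security-event set (illustrative names and numbers only).
# rate = lambda_i in events/year, loss = R_ij in [0, 1], severity = step (5) weight.
EVENTS = [
    {"target": "sensor",     "condition": "injection", "rate": 0.5, "loss": 0.4, "severity": 2},
    {"target": "sensor",     "condition": "replay",    "rate": 0.2, "loss": 0.7, "severity": 3},
    {"target": "controller", "condition": "tamper",    "rate": 0.1, "loss": 0.9, "severity": 5},
    {"target": "network",    "condition": "dos",       "rate": 1.0, "loss": 0.4, "severity": 1},
]


def binomial_pmf(k, n, p):
    """Formula (4): probability of k events among n, each inside t with probability p."""
    return math.comb(n, k) * p**k * (1 - p) ** (n - k)


def poisson_pmf(k, lam, t):
    """Formula (5): probability of k events of rate lam within period t."""
    return (lam * t) ** k / math.factorial(k) * math.exp(-lam * t)


def event_probability(lam, t):
    """Assumption: P(E_j) = P(at least one event in t) = 1 - p(0 | lam)."""
    return 1.0 - poisson_pmf(0, lam, t)


def worst_case_index(events, target):
    """Formula (1): R_imax = largest loss over all conditions a_j for one target."""
    return max(e["loss"] for e in events if e["target"] == target)


def system_robustness(events, k):
    """Formula (2): R_bar = sum_i k_i * R_imax, with k_i supplied per target."""
    return sum(k_i * worst_case_index(events, s) for s, k_i in k.items())


def event_risk(e, t, f=lambda r: r):
    """One term of formula (3): P(E_j) * f(R_ij); f defaults to the identity (assumed)."""
    return event_probability(e["rate"], t) * f(e["loss"])


def target_risk(events, target, t, f=lambda r: r):
    """Formula (3): risk index of one target, summed over its security events."""
    return sum(event_risk(e, t, f) for e in events if e["target"] == target)


def system_risk(events, t, f=lambda r: r):
    """Step (5): severity-weighted mean of all security-event risk indices."""
    total = sum(e["severity"] for e in events)
    return sum(e["severity"] * event_risk(e, t, f) for e in events) / total


def weakest_target(events, t):
    """Target with the highest risk index, i.e. the weak link to protect first."""
    targets = {e["target"] for e in events}
    return max(targets, key=lambda s: target_risk(events, s, t))


if __name__ == "__main__":
    t = 1.0  # assessment window in years
    # Binomial (4) approaches Poisson (5) when n = lam*T and p = t/T with T large.
    print(binomial_pmf(1, 2000, 0.0005), poisson_pmf(1, 2.0, 0.5))
    for s in ("sensor", "controller", "network"):
        print(s, worst_case_index(EVENTS, s), round(target_risk(EVENTS, s, t), 4))
    print("system risk:", round(system_risk(EVENTS, t), 4))
    print("weakest link:", weakest_target(EVENTS, t))
```

With this sample data the controller has the worst single-event loss, but the sensor carries the highest risk index because its events are more frequent, which is the distinction between the robustness index and the risk index.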
Most existing information security assessment schemes are designed around relatively simple cause-and-effect propagation. They do not reflect some of the basic principles of the information security field or the internal structure of a cyber-physical control system, and their computation models and formulas cannot reflect concrete real-world conditions, so they show a certain deviation in application.
Compared with the prior art, the invention starts from the fusion of information security and physical security, introduces a state synchronization mechanism, and builds a cyber-physical mathematical model of the control system. It analyzes and calculates the robustness under control system network information attack scenarios and the robustness evaluation indices of security events, and performs the information security risk assessment with a stochastic probability method. Considering both the probability that an attack source or failure source acts and the impact it causes, it proposes a quantitative information security risk estimation method based on risk indices. The invention can locate the weak security links of the system, so that physical redundancy and security measures can be placed at the weak links of the network, ensuring safe operation of the control system while reducing system cost.
Brief description of the drawings
Fig. 1 is a flow chart of information security risk assessment for a typical metallurgical process control system.
Fig. 2 is a structure diagram of a typical blast furnace automation control system.
Fig. 3 is the attack model of the metallurgical process control system.
Fig. 4 is a block diagram of a static stealthy attack.
Fig. 5 is a block diagram of a replay attack.
Fig. 6 is a block diagram of a covert attack.
Fig. 7 is a block diagram of a dynamic false injection attack.
Description of embodiments
The invention is further described below with reference to the drawings and a specific embodiment. As shown in Fig. 1, the method comprises the following steps:
(1) For a typical metallurgical process control system, build a cyber-physical mathematical model of the control system. This modeling is a hybrid modeling method based on Matlab Simulink & Petri-Net-Simulink-Block: the continuous dynamic model of the metallurgical process flow is represented by a conventional set of linear or nonlinear differential equations or state equations and implemented with the Matlab Simulink toolbox; discrete events are represented by a Petri Net (PN) model and implemented with PNL, a Simulink toolbox, so that the PN discrete model can be integrated into a Simulink block diagram, and the synchronized state transitions of the Petri Net model are triggered mainly by external events. At the same time, the Petri Net model is extended: the communication network components are modeled, the model is extended with time constraints such as information-model delay, and a state synchronization mechanism is added;
(2) Risk identification. Typical attack strategies and means are modeled and an information attack model is introduced; by setting different attack conditions and paths, system robustness is analyzed and the robustness evaluation indices are calculated, thereby achieving risk identification. The information attack model mainly covers two common attack modes, spoofing attacks and denial-of-service attacks, and mainly includes the attack forms of injection, tampering, replay, blocking, eavesdropping, delay and DoS;
(3) Define security events according to the risk identification result and generate the security event set;
(4) Assess the risk of a security event. Using a stochastic probability method, and considering both the probability that the attack source or failure source acts and the consequence it causes, carry out a quantitative information security assessment of the security event based on risk indices.
(5) If every event in the security event set has been assessed, combine the risk indices of all security events to obtain a comprehensive system information security risk index, used to evaluate the overall information security status of the system; if some events in the set have not yet been assessed, go directly to (4).
In the above method, the typical metallurgical process control systems are mainly the control systems of key processes such as the blast furnace, converter, continuous casting and steel rolling. These control systems are all large, involve many operations and much equipment, and their production processes are continuous and complex; they are all large-scale cyber-physical systems. Hybrid modeling of a system that combines a continuous process with discrete events and information network components is one of the hard problems in the modeling field. A blast furnace automation control system is a typical metallurgical process control system and also a typical cyber-physical hybrid system, so the method of the invention is described using this system as the example.
As shown in Fig. 2, the blast furnace control system mainly comprises subsystems such as the hot blast stove control system, the blast furnace body control system, the furnace top and hoist control system, the bag filter dust removal control system and the blast furnace charging control system. A supervisory layer made up of host computers, monitoring stations and the like is connected to each sub-control system over Ethernet, and together they form the blast furnace control system. The system mainly comprises a device layer (mainly sensors, actuators, instruments and meters), process control stations (mainly DCS controllers, programmable logic controllers (PLC), remote terminal units (RTU) and the like) and a monitoring and control layer (mainly data acquisition, supervisory control, human-machine interface and the like). Each subsystem mainly involves two layers, the device layer and the process layer. Modeling follows a bottom-up, layered, modular approach. At the device layer, each sub-control system is modeled separately in a modular way: a physical control model is built from the key equipment, connections, control parameters and other features of each subsystem, implemented in Matlab Simulink and packaged as a subsystem. The process layer is mainly the control network formed by controllers and fieldbuses; this level involves control algorithms, trigger events and the like, and is modeled with the Simulink toolbox PNL. Finally, the supervisory layer mainly monitors and issues control commands; it generally produces the external events that trigger Petri Net state transitions. The communication network components, including routers, switches and fieldbuses, are modeled at the same time, the Petri Net model is extended with time constraints such as information-model delay, and a state synchronization mechanism is added.
In the above information security risk assessment method for typical metallurgical process control systems, the information attack modeling in step b models typical attack strategies and means, mainly from the two attack modes of spoofing attacks and denial-of-service attacks, and mainly includes attack forms such as injection, tampering, replay, blocking, eavesdropping, delay and DoS. Based on the abstract cyber-physical model of the metallurgical process control system, an attacker's attacks on the control system can be represented as in Fig. 3. The figure shows clearly the positions where the attacker launches attacks (physical objects) and the targets of the attacks (information objects).
A1: attack on a sensor, which causes the sensor to transmit erroneous results; attack on an actuator, which causes abnormal actuator results, an abnormality that a sensor can monitor (for example, monitoring valve opening with a flowmeter);
A2, A4: attack on the network, which makes communication abnormal;
A3: attack on the controller, which makes it output wrong commands;
A5: attack on the production process (not through the network), which causes the production target to deviate.
In physical modeling of control systems, the physical process is usually simplified and approximated in a reasonable way to reduce modeling difficulty; under certain conditions, a set of approximately linear models can represent the physical process of the system. Continuous processes are generally modeled with differential equations or state equations. According to automatic control theory, if a system is observable, its state can be expressed by a set of real-time measurements; sensors are installed precisely in order to observe the system state, and a dynamic linear model describes this idea well. The system equations are as follows:

$$E\dot{x}(t) = Ax(t) + Bu(t)$$

$$y(t) = Cx(t) + Du(t) \qquad (8)$$

In these equations the matrix $E$ may be singular, and the inputs $Bu$ and $Du$ are unknown signals describing disturbances that can affect the physical process. Besides real failures that affect system components, these disturbance models can represent attacks on the cyber-physical system.
If the attack $(Bu, Du) = (u_x, u_y)$ affects the dynamic process of the system, we call it a state attack; if it corrupts the measurement vector of the system, we call it an output attack.
Depending on the attack strategy, the system structure, the parameters $E$, $A$, $C$ and the full state $x$, different attacks can be designed through the attack pair $(Bu, Du)$. In addition, it is assumed that the attacker's computing power is not limited and that the attack goal is to corrupt the physical state or the measurements. Figs. 4, 5, 6 and 7 are block diagrams of typical attacks. In Fig. 4 the attacker uses the attack signal $Du$ to corrupt the measurement $y$; this attack strategy does not take the system dynamics into account. In Fig. 5 the attacker corrupts the output; in Fig. 6 the attacker uses feedback to realize a kind of replay attack; in Fig. 7 the attacker uses a feedforward strategy to make the unstable pole $p$ unobservable.
The robustness analysis is based mainly on a robustness evaluation index. The index is calculated starting from the attack target: based on the mathematical description of the attack target, the degree of damage that the attack causes to the target is analyzed in order to quantify the index. If the measured object of the attack target is the output, the robustness evaluation index is the loss of the output under different attack strategies and conditions relative to the expected output. The calculation follows the "worst case" principle, i.e. the degree of loss is measured under the worst case, while constraints such as the implementation strategy and physical fault tolerance are taken into account. The comprehensive robustness evaluation index of the system is a weighted combination of the indices calculated under the various attack preconditions or failure conditions, computed as follows:
$$R_{i\max} = \max_{j=1}^{M} F(s_i, a_j, r_i) \qquad (1)$$
$$\bar{R} = \sum_{i=1}^{N} k_i R_{i\max} \qquad (2)$$
Here $s_i$ denotes the attack target or failure target; $a_j$ denotes the attack precondition or failure condition under a particular state; $r_i$ denotes the control-parameter loss degree of attack target or failure target $s_i$ under the attack precondition or failure condition $a_j$ of that state, with $i \in [1, N]$, $j \in [1, M]$; $R_{i\max}$ denotes the robustness evaluation index of attack target or failure target $s_i$ under the worst case.
$k_i$ denotes the weighting coefficient of each attack target $s_i$ and is estimated from the probability that the attack occurs; $\bar{R}$ denotes the comprehensive robustness evaluation index of the system.
System robustness is inversely proportional to the robustness evaluation index: the greater the loss of an attack target in the worst case, the weaker its robustness.
In the aforementioned information security risk assessment method for a typical metallurgical process control system, the risk indicator described in step d must quantitatively capture the two determinants of risk: the probability that a security incident occurs and its consequence (severity). The system is calculated by category according to the attack target or failure target, so the system risk indicator is defined as the product of the probability that a security incident occurs and the consequence the incident produces:
$$R(S_i, E, C) = \sum_j P(E_j) \times P(E_j, C_j) \qquad (3)$$
In the formula, $S_i$ is the attack target or failure target; $E_j$ is a security incident occurring at a future time $t$; $P(E_j)$ is the probability that security incident $E_j$ occurs; $P(E_j, C_j)$ is the consequence produced when security incident $E_j$ occurs under environmental condition (i.e. attack or failure condition) $C_j$; $R(S_i, E, C)$ is the risk indicator value.
The probability that a security incident occurs is estimated with a probability statistics model. Conditional probability of the number of security incidents: suppose the target system suffers n security incidents in the time period [0, T] and the average occurrence rate of security incidents is λ, so that n = λT, and n → ∞ as T → ∞. To determine the distribution function of the number of security incidents within time t: if only one security incident occurs in [0, T], the probability p that it occurs within t depends on the relative size of t and T. Let it satisfy p → 0 as T → ∞. Then, for a given time period t, np is constant. An incident occurring within t is recorded as a "success", and one occurring outside t as a "failure". Therefore, the probability that k security incidents occur within t follows a binomial probability distribution, with distribution function:
$$p_n(k) = \frac{n!}{(n-k)!\,k!}\, p^k (1-p)^{n-k} \qquad (4)$$
If security incidents are classified into m types and the average occurrence probability of incidents of type i is $\lambda_i$, then the probability that hazard events of type i occur $k_i$ times within time period t can be expressed as:
$$p(k_i \mid \lambda_i) = \frac{(\lambda_i t)^{k_i}}{k_i!}\, e^{-\lambda_i t} \quad (k_i = 0, \ldots, \infty) \qquad (5)$$
The consequence of an attack or failure is closely tied to system robustness. Different types of risk also affect system robustness differently, so the consequence of an attack or failure can be defined as a function of the robustness evaluation index, that is:
$$P(E_j, C_j) = f(R_{ij}) \qquad (6)$$
In the formula, $R_{ij}$ is the robustness index of attack target or failure target $s_i$ under the attack precondition or failure condition $a_j$ of a particular state and with control-parameter loss degree $r_i$.
In the aforementioned information security risk assessment method for a typical metallurgical process control system, the comprehensive system information security risk indicator described in step e is the weighted mean of all security incident risk indicators, with the weights determined according to the severity of the security incidents.
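The calculations of formulas (1) to (6) and the severity-weighted aggregation of step e can be carried through as follows; this Python example is added here and is not part of the patent. The loss degrees, weights and incident set are constructed, and reading $P(E_j)$ as "at least one incident in the window", taking f as the identity and setting np = λt are assumptions.

```python
import math

def poisson_pmf(k, lam, t):
    """Eq. (5): probability of k incidents of one type, mean rate lam, within time t."""
    mu = lam * t
    return mu ** k / math.factorial(k) * math.exp(-mu)

def binomial_pmf(k, n, p):
    """Eq. (4): k of n incidents fall inside the window, each with probability p."""
    return math.comb(n, k) * p ** k * (1 - p) ** (n - k)

def binomial_vs_poisson(k, lam, t, n):
    """Gap between eq. (4) with np = lam*t (assumed) and eq. (5); shrinks as n grows."""
    return abs(binomial_pmf(k, n, lam * t / n) - poisson_pmf(k, lam, t))

def p_event(lam, t):
    """Assumed reading of P(E_j): at least one incident in the window, 1 - p(0 | lam)."""
    return 1.0 - poisson_pmf(0, lam, t)

def worst_case(losses):
    """Eq. (1): R_imax per target = max over conditions a_j of the loss F(s_i, a_j, r_i)."""
    return {s: max(by_cond.values()) for s, by_cond in losses.items()}

def composite_robustness(r_max, k):
    """Eq. (2): R_bar = sum_i k_i * R_imax."""
    return sum(k[s] * r_max[s] for s in r_max)

def incident_risk(ev, losses, f=lambda r: r):
    """One term of eq. (3): P(E_j) * f(R_ij), eq. (6) with f assumed to be the identity."""
    return p_event(ev["rate"], ev["t"]) * f(losses[ev["target"]][ev["cond"]])

def target_risk(target, events, losses):
    """Eq. (3): R(S_i, E, C), summed over the incidents E_j that hit target S_i."""
    return sum(incident_risk(e, losses) for e in events if e["target"] == target)

def composite_risk(events, losses):
    """Step e: severity-weighted mean of all incident risk indicators."""
    total = sum(e["severity"] for e in events)
    return sum(e["severity"] * incident_risk(e, losses) for e in events) / total

# Constructed sample data: normalized loss degrees per target and attack condition.
LOSSES = {
    "furnace_temperature": {"injection": 0.6, "replay": 0.4, "dos": 0.2},
    "cooling_flow": {"injection": 0.3, "replay": 0.5, "dos": 0.1},
}
K = {"furnace_temperature": 0.7, "cooling_flow": 0.3}   # constructed weights k_i
EVENTS = [  # constructed incident set: rate per year, window t in years, severity weight
    {"target": "furnace_temperature", "cond": "injection", "rate": 0.5, "t": 1.0, "severity": 3},
    {"target": "furnace_temperature", "cond": "dos", "rate": 2.0, "t": 1.0, "severity": 1},
    {"target": "cooling_flow", "cond": "replay", "rate": 1.0, "t": 1.0, "severity": 2},
]

if __name__ == "__main__":
    r_max = worst_case(LOSSES)
    print("R_imax:", r_max, "R_bar:", round(composite_robustness(r_max, K), 3))
    for s in LOSSES:
        print(s, "risk:", round(target_risk(s, EVENTS, LOSSES), 4))
    print("composite risk:", round(composite_risk(EVENTS, LOSSES), 4))
```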

Claims (6)

1. An information security risk assessment method for a typical metallurgical process control system, characterized by comprising the following steps:
(1) for the typical metallurgical process control system, carrying out control-system mathematical modeling based on cyber-physical fusion, i.e. a hybrid modeling method based on Matlab Simulink & Petri-Net-Simulink-Block, wherein the continuous dynamic model of the metallurgical process flow is represented by a set of conventional linear or nonlinear differential equations/state equations and implemented with the Matlab Simulink toolbox; discrete events are represented by a Petri Net (PN) model and implemented with a Simulink toolbox, PNL, so that the PN discrete model can be integrated into a Simulink block diagram, the synchronous state transitions of the Petri Net model relying mainly on triggering by external events; the Petri Net model is also extended to model communication network components, the model being extended with information-model delay time constraints and a state synchronization mechanism being added;
(2) risk identification: modeling typical attack strategies and means, introducing an information attack model, carrying out system robustness analysis by setting different attack preconditions and paths, and calculating the robustness evaluation index, thereby realizing risk identification; the information attack model mainly refers to two common classes of attack, spoofing attacks and denial-of-service attacks, and mainly comprises injection, tampering, replay, blocking, eavesdropping, delay and DoS attack forms;
(3) defining security incidents according to the risk identification result and generating a security incident set;
(4) carrying out risk assessment on the security incidents: using a stochastic probability method, starting from the two aspects of the probability that an attack source or failure source occurs and the consequence it causes, carrying out quantitative information security assessment of each security incident based on the risk indicator;
(5) if all incidents in the security incident set have been assessed, integrating all security incident risk indicators to obtain a comprehensive system information security risk indicator for evaluating the overall information security status of the system; if the incidents in the security incident set have not all been assessed, returning directly to (4).
2. The method according to claim 1, characterized in that the robustness evaluation index described in step (2) is calculated starting from the attack target: based on the mathematical description of the attack target, the degree of damage that the attack causes to the target is analyzed in order to quantify the index; when the measured object of the attack target is the output, the robustness evaluation index is the loss of the output under different attack strategies and conditions relative to the expected output; the calculation follows the "worst case" principle, i.e. the degree of loss is measured under the worst case, while constraints of implementation strategy and physical fault tolerance are taken into account; the comprehensive robustness evaluation index of the system is a weighted combination of the indices calculated under the various attack preconditions or failure conditions, computed as follows:
$$R_{i\max} = \max_{j=1}^{M} F(s_i, a_j, r_i)$$
$$\bar{R} = \sum_{i=1}^{N} k_i R_{i\max}$$
wherein $s_i$ denotes the attack target or failure target; $a_j$ denotes the attack precondition or failure condition under a particular state; $r_i$ denotes the control-parameter loss degree of attack target or failure target $s_i$ under the attack precondition or failure condition $a_j$ of that state, with $i \in [1, N]$, $j \in [1, M]$; $R_{i\max}$ denotes the robustness evaluation index of attack target or failure target $s_i$ under the worst case;
$k_i$ denotes the weighting coefficient of each attack target $s_i$ and is estimated from the probability that the attack occurs; $\bar{R}$ denotes the comprehensive robustness evaluation index of the system;
system robustness is inversely proportional to the robustness evaluation index: the greater the loss of an attack target in the worst case, the weaker its robustness.
3. The method according to claim 1, characterized in that the risk indicator described in step (4) must quantitatively capture the two determinants of risk, the probability that a security incident occurs and its consequence; the system is calculated by category according to the attack target or failure target, and the system risk indicator is defined as the product of the probability that a security incident occurs and the consequence the incident produces:
$$R(S_i, E, C) = \sum_j P(E_j) \times P(E_j, C_j) \qquad (3)$$
In the formula, $S_i$ is the attack target or failure target; $E_j$ is a security incident occurring at a future time $t$; $P(E_j)$ is the probability that security incident $E_j$ occurs; $P(E_j, C_j)$ is the consequence produced when security incident $E_j$ occurs under environmental condition (i.e. attack or failure condition) $C_j$; $R(S_i, E, C)$ is the risk indicator value.
4. The method according to claim 3, characterized in that the probability that a security incident occurs is estimated with a probability statistics model,
Conditional probability of the number of security incidents: suppose the target system suffers n security incidents in the time period [0, T] and the average occurrence rate of security incidents is λ, so that n = λT, and n → ∞ as T → ∞. To determine the distribution function of the number of security incidents within time t: if only one security incident occurs in [0, T], the probability p that it occurs within t depends on the relative size of t and T. Let it satisfy p → 0 as T → ∞; then, for a given time period t, np is constant; an incident occurring within t is recorded as a "success", and one occurring outside t as a "failure"; the probability that k security incidents occur within t follows a binomial probability distribution, with distribution function:
$$p_n(k) = \frac{n!}{(n-k)!\,k!}\, p^k (1-p)^{n-k} \qquad (4)$$
If security incidents are classified into m types and the average occurrence probability of incidents of type i is $\lambda_i$, then the probability that hazard events of type i occur $k_i$ times within time period t can be expressed as:
$$p(k_i \mid \lambda_i) = \frac{(\lambda_i t)^{k_i}}{k_i!}\, e^{-\lambda_i t} \quad (k_i = 0, \ldots, \infty) \qquad (5).$$
5. The method according to claim 3, characterized in that the consequence of the attack or failure can be defined as a function of the robustness evaluation index, that is:
$$P(E_j, C_j) = f(R_{ij})$$
In the formula, $R_{ij}$ is the robustness index of attack target or failure target $s_i$ under the attack precondition or failure condition $a_j$ of a particular state and with control-parameter loss degree $r_i$.
6. The method according to claim 1, characterized in that the comprehensive system information security risk indicator described in step (5) is the weighted mean of all security incident risk indicators, with the weights determined according to the severity of the security incidents.
CN201410589958.9A 2014-10-28 2014-10-28 Information security risk assessment method oriented to typical metallurgy process control system Expired - Fee Related CN104331072B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410589958.9A CN104331072B (en) 2014-10-28 2014-10-28 Information security risk assessment method oriented to typical metallurgy process control system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410589958.9A CN104331072B (en) 2014-10-28 2014-10-28 Information security risk assessment method oriented to typical metallurgy process control system

Publications (2)

Publication Number Publication Date
CN104331072A true CN104331072A (en) 2015-02-04
CN104331072B CN104331072B (en) 2017-01-25

Family

ID=52405818

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410589958.9A Expired - Fee Related CN104331072B (en) 2014-10-28 2014-10-28 Information security risk assessment method oriented to typical metallurgy process control system

Country Status (1)

Country Link
CN (1) CN104331072B (en)

Also Published As

Publication number Publication date
CN104331072B (en) 2017-01-25

Similar Documents

Publication Publication Date Title
CN104331072A (en) Information security risk assessment method oriented to typical metallurgy process control system
WO2022057260A1 (en) Industrial control system communication network anomaly classification method
CN102546638B (en) Scene-based hybrid invasion detection method and system
CN106341414A (en) Bayesian network-based multi-step attack security situation assessment method
CN104052730A (en) Intelligent Cyberphysical Intrusion Detection And Prevention Systems And Methods For Industrial Control Systems
CN107438052A (en) A kind of anomaly detection method towards unknown industrial communication protocol stipulations
Wang et al. Detection of data injection attack in industrial control system using long short term memory recurrent neural network
CN112738063A (en) Industrial control system network safety monitoring platform
CN110472839A (en) Thermal power plant's control system Information Security Evaluation system based on SA-PSO-AHP
Akbarian et al. A security framework in digital twins for cloud-based industrial control systems: Intrusion detection and mitigation
Mi et al. A method of entropy weight quantitative risk assessment for the safety and security integration of a typical industrial control system
Lu et al. Network security situation awareness for industrial control system under integrity attacks
Agbo et al. Conflict analysis and resolution of safety and security boundary conditions for industrial control systems
Tian et al. A security model of SCADA system based on attack tree
CN102932337A (en) Network security state predication method
Wang et al. Computational intelligence algorithms analysis for smart grid cyber security
Zhang et al. Research on security protection method of industrial control boundary network
Wang et al. Intrusion detection model of SCADA using graphical features
Liang et al. Research and Prospect of Cyber-Attacks Prediction Technology for New Power Systems
CN103067200A (en) Method and system of network counteraction effect simulation
Hu et al. Attack intention oriented dynamic risk propagation of cyberattacks on cyber-physical power systems
Hou et al. Zero-day vulnerability inspired hazard assessment for autonomous driving vehicles
Wan et al. State-based control feature extraction for effective anomaly detection in process industries
Jiang et al. Design and practice of industrial control network security threat model
Zhang et al. Evaluation of Network Security State of Industrial Control System Based on BP Neural Network

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20170125

Termination date: 20181028
