CN109613899A - A method for industrial control system security risk assessment based on a configuration table - Google Patents

Publication number
CN109613899A
Authority
CN
China
Prior art keywords
management
engine
industrial control
database
assets
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201811575235.8A
Other languages
Chinese (zh)
Inventor
王进
孙帅
何跃鹰
邹潇湘
林冠洲
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
National Computer Network and Information Security Management Center
Original Assignee
National Computer Network and Information Security Management Center
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by National Computer Network and Information Security Management Center
Priority to CN201811575235.8A
Publication of CN109613899A
Legal status: Pending

Classifications

    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B19/00 Programme-control systems
    • G05B19/02 Programme-control systems electric
    • G05B19/418 Total factory control, i.e. centrally controlling a plurality of machines, e.g. direct or distributed numerical control [DNC], flexible manufacturing systems [FMS], integrated manufacturing systems [IMS] or computer integrated manufacturing [CIM]
    • G05B19/41875 Total factory control, i.e. centrally controlling a plurality of machines, e.g. direct or distributed numerical control [DNC], flexible manufacturing systems [FMS], integrated manufacturing systems [IMS] or computer integrated manufacturing [CIM] characterised by quality surveillance of production
    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B2219/00 Program-control systems
    • G05B2219/30 Nc systems
    • G05B2219/32 Operator till task planning
    • G05B2219/32368 Quality control
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02P CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P90/00 Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P90/02 Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]

Landscapes

  • Engineering & Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Manufacturing & Machinery (AREA)
  • Quality & Reliability (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Automation & Control Theory (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention relates to the field of industrial control system security risk assessment and configuration verification, and in particular to a method for industrial control system security risk assessment based on a configuration table, which uses the following steps. Step 1: build a core scheduling engine and establish a database group, an engine library and an industrial control asset information library, forming an industrial security configuration baseline checking tool. Step 2: the database group in step 1 consists of an industrial control protocol, device and software database, an industrial control vulnerability database, and a key scan instruction database. The method performs asset detection, configuration security baseline verification and vulnerability detection on the industrial control devices, network devices, industrial control applications, services and components that make up an industrial control system, and on the IT devices, operating systems, databases and other components commonly used in industrial control systems. It achieves rapid detection and vulnerability discovery, so that detection results are obtained quickly and the security risks present in the baseline configuration are found.

Description

A method for industrial control system security risk assessment based on a configuration table
Technical field
The present invention relates to the field of industrial control system security risk assessment and configuration verification, and concerns a method for industrial control system security risk assessment based on a configuration table.
Background
Modern industrial infrastructure includes key industries such as electric power, oil and gas, chemicals, water conservancy, industrial manufacturing and traffic control, and forms an important foundation of China's national economy, modern society and national security. The failure of critical applications and systems in industrial infrastructure may cause casualties, serious economic loss, destruction of infrastructure and environmental disasters, and may endanger public life and national security.
Industrial control systems form the nervous system of modern industrial infrastructure. Traditionally, most industrial control systems used closed networks built on proprietary technology and were not interconnected with the outside, so the information security threats they faced were not prominent. Accordingly, industrial control devices, applications, systems and communication protocols were all designed mainly for proprietary, closed environments. Because there was no real information security threat, the main criteria in the design, implementation and deployment of industrial automation control systems were availability, functionality, performance, (physical) safety and real-time behaviour, and problems such as network attacks and information security did not need much consideration.
In recent decades, industrial control systems have been moving rapidly from closed, isolated systems toward open, interconnected ones (including interconnection with traditional IT systems). They increasingly use Ethernet/IP/TCP networks as the communications infrastructure and migrate industrial control protocols to the application layer of the TCP/IP protocol stack; they use various wireless networks, including IWLAN and GPRS; and they make wide use of standard commercial operating systems such as Windows, along with standard devices, software, middleware and other general-purpose technologies. Typical industrial automation control systems, including SCADA (supervisory control and data acquisition), DCS (distributed control system) and PLC (programmable logic controller), are becoming increasingly open, general-purpose and standardized.
While industrial control systems enjoy the progress, efficiency and benefits brought by openness and interconnection, they also face increasingly serious security threats. Because security requirements have long gone unpromoted, and because the security threats widespread in network environments built on general-purpose technologies such as TCP/IP have not been fully recognized, existing industrial control systems were designed and developed with almost no consideration of information security, and their deployment and operation lack security awareness, management, processes, policies and the support of relevant specialist expertise. As a result, many industrial control systems have security problems of one kind or another which, once triggered unintentionally or exploited maliciously, will result in serious security incidents.
This department has gone through many years of practice and exploration, and countries around the world have all recognized to some degree that carrying out comprehensive security assessments of industrial control systems, to identify and understand their potential security risks and the security threats they face, helps to bring the relevant bodies, customers and vendors in the industrial control field together, with this as a starting point, to improve and complete existing industrial control systems and to develop safer, more reliable new ones. Security checks of the configuration baselines of IT devices and industrial control devices make it possible to analyze the security configuration of important IT devices, industrial control devices and network devices and to find the security risks present in the baseline configuration.
Summary of the invention
In view of the defects and deficiencies of the prior art, the object of the present invention is to provide a method for industrial control system security risk assessment based on a configuration table. It can perform security configuration checks on IT devices and industrial control devices both remotely and locally, meets the corresponding security standards, and has a friendly human-machine interface and reporting system, making baseline checking work intelligent and automated.
To achieve the above object, the technical solution adopted by the present invention is as follows:
The method for industrial control system security risk assessment based on a configuration table according to the present invention uses the following steps:
Step 1: Build a core scheduling engine and establish a database group, an engine library and an industrial control asset information library, forming an industrial security configuration baseline checking tool;
Step 2: The database group in step 1 consists of an industrial control protocol, device and software database, an industrial control vulnerability database, and a key scan instruction database;
Step 3: The engine library in step 1 consists of a scan policy engine, a packet-sending engine, a collection engine and a discrimination engine;
Step 4: The industrial control protocol, device and software database, the industrial control vulnerability database and the key scan instruction database in step 2 provide data source one for the core scheduling engine;
Step 5: The industrial control asset information library in step 1 provides data source two for the core scheduling engine;
Step 6: Data source one in step 4 and data source two in step 5 form the data source library;
Step 6: The core scheduling engine checks the industrial control device/software through the packet-sending engine; the scanning engine formulates a check policy for the industrial control device/software to be checked by calling data source two from step 5; the collection engine then collects the check data from the industrial control device/software and sends the collected data to the discrimination engine; the discrimination engine calls data source one from step 4 and uses the industrial control protocol, device and software database, the industrial control vulnerability database and the key scan instruction database to evaluate the check and obtain check result data; the discrimination engine then sends the check result data to the core scheduling engine, which displays the check results.
Further, the industrial security configuration baseline checking tool in step 1 consists of a presentation layer, a core business layer, a data collection layer, an external system layer and an assessment object layer;
Wherein: (1) the presentation layer comprises an asset category distribution layer, an asset vulnerability distribution layer and a task execution maintenance layer, through which the tool can be used to obtain asset compliance analysis results, asset vulnerability analysis results and the distribution of the network-wide non-compliance index;
Wherein: (2) the core business layer consists of task management, asset management, configuration management, vulnerability verification, the scoring system, report management, system administration and knowledge base management;
Task management consists of task configuration, task execution, task merging, task comparison and manual tasks;
Asset management consists of asset detection, asset identification, asset protection and asset statistics;
Configuration management consists of networked device verification, local configuration verification, verification policy management and verification analysis statistics;
Vulnerability verification consists of fragility verification, vulnerability analysis and vulnerability hardening suggestions;
The scoring system consists of scoring rule management, score calculation and score statistics;
Report management consists of report template management, report classification management and report generation management;
System administration consists of note management, role management, system audit, and backup and recovery;
Knowledge base management consists of fingerprint library management, vulnerability library management and the asset information library;
Wherein: the data collection layer consists of online collection and offline collection;
The data collection layer consists of collection script management, collection scheduling management and collection protocol management;
Offline collection consists of offline collection engine management, offline script management and offline result management;
Wherein: (3) the assessment object layer consists of industrial control devices, network devices, security devices, Web middleware, databases and operating systems;
Wherein: (4) the external system layer consists of the risk assessment tool system, the asset system and the vulnerability information system.
With the above structure, the beneficial effects of the present invention are as follows: the method for industrial control system security risk assessment based on a configuration table performs asset detection, configuration security baseline verification and vulnerability detection on the industrial control devices, network devices, industrial control applications, services and components that make up an industrial control system, and on the IT devices, operating systems, databases and other components commonly used in industrial control systems. It achieves rapid detection and vulnerability discovery, so that detection results are obtained quickly and the security risks present in the baseline configuration are found.
Description of the drawings
Fig. 1 is the topological framework diagram of the present invention;
Fig. 2 is the architecture diagram of the risk assessment tool system of the present invention;
Fig. 3 is a topology diagram of the deployment of the present invention among industrial control system devices;
Fig. 4 is a topology diagram of detecting the degree of risk of a target asset in the present invention;
Fig. 5 is a topology diagram of vulnerability discovery and detection in the present invention;
Fig. 6 is a flow diagram of industrial control vulnerability discovery in the present invention;
Fig. 7 is a flow diagram of rapid asset discovery in the present invention.
Specific embodiment
The present invention is further described below with reference to the drawings.
As shown in Fig. 1, the method for industrial control system security risk assessment based on a configuration table according to the present invention uses the following steps:
Step 1: Build a core scheduling engine and establish a database group, an engine library and an industrial control asset information library, forming an industrial security configuration baseline checking tool;
Step 2: The database group in step 1 consists of an industrial control protocol, device and software database, an industrial control vulnerability database, and a key scan instruction database;
Step 3: The engine library in step 1 consists of a scan policy engine, a packet-sending engine, a collection engine and a discrimination engine;
Step 4: The industrial control protocol, device and software database, the industrial control vulnerability database and the key scan instruction database in step 2 provide data source one for the core scheduling engine;
Step 5: The industrial control asset information library in step 1 provides data source two for the core scheduling engine;
Step 6: Data source one in step 4 and data source two in step 5 form the data source library;
Step 6: The core scheduling engine checks the industrial control device/software through the packet-sending engine; the scanning engine formulates a check policy for the industrial control device/software to be checked by calling data source two from step 5; the collection engine then collects the check data from the industrial control device/software and sends the collected data to the discrimination engine; the discrimination engine calls data source one from step 4 and uses the industrial control protocol, device and software database, the industrial control vulnerability database and the key scan instruction database to evaluate the check and obtain check result data; the discrimination engine then sends the check result data to the core scheduling engine, which displays the check results.
Further, as shown in Fig. 2, the industrial security configuration baseline checking tool in step 1 consists of a presentation layer, a core business layer, a data collection layer, an external system layer and an assessment object layer;
Wherein: (1) the presentation layer comprises an asset category distribution layer, an asset vulnerability distribution layer and a task execution maintenance layer, through which the tool can be used to obtain asset compliance analysis results, asset vulnerability analysis results and the distribution of the network-wide non-compliance index;
Wherein: (2) the core business layer consists of task management, asset management, configuration management, vulnerability verification, the scoring system, report management, system administration and knowledge base management;
Task management consists of task configuration, task execution, task merging, task comparison and manual tasks;
Asset management consists of asset detection, asset identification, asset protection and asset statistics;
Configuration management consists of networked device verification, local configuration verification, verification policy management and verification analysis statistics;
Vulnerability verification consists of fragility verification, vulnerability analysis and vulnerability hardening suggestions;
The scoring system consists of scoring rule management, score calculation and score statistics;
Report management consists of report template management, report classification management and report generation management;
System administration consists of note management, role management, system audit, and backup and recovery;
Knowledge base management consists of fingerprint library management, vulnerability library management and the asset information library;
Wherein: the data collection layer consists of online collection and offline collection;
The data collection layer consists of collection script management, collection scheduling management and collection protocol management;
Offline collection consists of offline collection engine management, offline script management and offline result management;
Wherein: (3) the assessment object layer consists of industrial control devices, network devices, security devices, Web middleware, databases and operating systems;
Wherein: (4) the external system layer consists of the risk assessment tool system, the asset system and the vulnerability information system.
The present invention is able to perform security configuration checks on components such as industrial control devices, IT devices, network devices and industrial control applications, both remotely and locally. It can check the security configuration and security vulnerabilities in a system, fully complies with the corresponding security specifications and with the device configuration requirements of current best security practice, and has a friendly human-machine interface and a rich reporting system, fully achieving intelligent, automated security checking.
The present invention supports risk assessment functions such as system integrity security assessment and functional safety assessment based on IEC 62443 and ISASecure EDSA.
The present invention uses remote access: it needs only network reachability, connects to the existing network and makes no modification to the network. It can cover typical industrial control systems; the deployment is shown in Fig. 3.
The present invention is suitable for scenarios such as self-assessment, third-party assessment, inspection of subordinate units by superiors, product admission acceptance and daily operations inspection. It greatly improves working efficiency and provides strong technical support for industrial control system security construction.
As shown in Fig. 4, when the present invention is used, the user enters the target asset and adds it to the assets. Using the industrial security configuration baseline checking tool, asset management performs asset detection, asset identification, asset protection and asset statistics; configuration management then performs networked device verification, local configuration verification, verification policy management and verification analysis statistics. Next, the task management module is used for task configuration to create a new task. In task execution, the system logs in to the target asset according to the preset industrial control baseline check template, collects the configuration and other information to be checked, and compares it item by item with the data in the database group of the industrial control baseline check template. The results are scored with preset weights to obtain the degree of risk of the target asset; the matching result is then obtained, scored with the scoring system, and the final result is output as a report.
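An added example, not code from the patent: the item-by-item comparison against a baseline check template and the weighted scoring described above, written in Python. The template entries, weights, risk bands and the rule that an item which could not be collected counts as non-compliant are all assumptions, and the collected configuration is constructed sample data.

```python
from dataclasses import dataclass
from typing import Any, Callable, Dict, List


@dataclass(frozen=True)
class BaselineItem:
    key: str                      # name of the collected configuration item
    weight: int                   # preset weight (assumed scale 1-3)
    check: Callable[[Any], bool]  # True when the collected value complies
    expected: str                 # requirement text for the report


@dataclass(frozen=True)
class Finding:
    key: str
    status: str                   # "pass", "fail" or "missing"
    weight: int
    observed: Any
    expected: str


def at_least(n: int) -> Callable[[Any], bool]:
    return lambda v: type(v) is int and v >= n


def exactly(x: Any) -> Callable[[Any], bool]:
    # The type check stops 0 or "" being accepted where False is required.
    return lambda v: type(v) is type(x) and v == x


def between(lo: int, hi: int) -> Callable[[Any], bool]:
    return lambda v: type(v) is int and lo <= v <= hi


# Constructed baseline check template for a hypothetical engineer station.
TEMPLATE: List[BaselineItem] = [
    BaselineItem("password_min_length", 3, at_least(8), ">= 8"),
    BaselineItem("guest_account_enabled", 2, exactly(False), "False"),
    BaselineItem("smb1_enabled", 3, exactly(False), "False"),
    BaselineItem("audit_logon_events", 1, exactly(True), "True"),
    BaselineItem("lockout_threshold", 1, between(1, 5), "1..5"),
]

# Constructed collection result; audit_logon_events could not be collected.
COLLECTED: Dict[str, Any] = {
    "password_min_length": 6,
    "guest_account_enabled": False,
    "smb1_enabled": True,
    "lockout_threshold": 5,
}


def assess(template: List[BaselineItem], collected: Dict[str, Any]) -> List[Finding]:
    """Compare the collected configuration with the template item by item."""
    findings = []
    for item in template:
        if item.key not in collected:
            # Assumption: an item that was not collected fails closed.
            status, observed = "missing", None
        else:
            observed = collected[item.key]
            status = "pass" if item.check(observed) else "fail"
        findings.append(Finding(item.key, status, item.weight, observed, item.expected))
    return findings


def risk_score(findings: List[Finding]) -> float:
    """Weighted share of non-compliant items: 0 is compliant, 100 is worst."""
    total = sum(f.weight for f in findings)
    if total == 0:
        raise ValueError("baseline template has no weighted items")
    lost = sum(f.weight for f in findings if f.status != "pass")
    return round(100 * lost / total, 1)


def risk_level(score: float) -> str:
    # Assumed bands; a real deployment would take them from its scoring rules.
    if score >= 60:
        return "high"
    if score >= 30:
        return "medium"
    return "low" if score > 0 else "none"


def report(findings: List[Finding]) -> str:
    lines = [f"{f.status.upper():8}{f.key} observed={f.observed!r} "
             f"expected {f.expected} (weight {f.weight})" for f in findings]
    score = risk_score(findings)
    lines.append(f"risk score {score} ({risk_level(score)})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(assess(TEMPLATE, COLLECTED)))
```
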
As shown in Fig. 5, vulnerability detection in the present invention works as follows: using the industrial security configuration baseline checking tool, a new task oriented toward vulnerability checking is created through asset management; task configuration in task management is then used to configure the IP/asset, port and product type/vendor; the task is then executed to detect the target industrial control assets; vulnerability verification is then used to perform vulnerability analysis; the scoring system scores the vulnerability result data; and the final result is output as a report.
As shown in Fig. 6, the industrial control vulnerability discovery function in the present invention gives the vulnerabilities of the industrial control target device by calling the fingerprint recognition engine and other engines, and reports them to the user. The user clicks to run the vulnerability scanner. The fingerprint recognition engine is called first to perform fingerprint analysis, and the database is then polled continuously to check whether the fingerprint recognition engine has finished. Once the engine has finished, the polling stops and the task state in the database is updated to indicate that the engine call for this task has completed. After the state update, the required data is read from tables such as the vulnerability task table and the fingerprint result table and inserted into the vulnerability scan result table. The user can read data from that table to view the scan results.
As shown in Fig. 7, the asset discovery function in the present invention works as follows: the network scanning (rapid asset discovery) function of the tool finds the devices in a network by scanning it and identifies them. The core of network scanning in the present invention is sending and receiving data packets according to network protocols. The whole process can be divided into four parts which are, in order, host detection, port scanning, service identification and system identification. The work done in these four parts becomes progressively finer, and each later step builds on the results of the earlier ones. During host detection, the scanning end sends data packets to the IP being scanned; if the IP responds, the device represented by that IP exists.
Port scanning is the step, performed after host detection is complete, that determines which ports the live hosts have open. During port scanning, the scanner tries to establish a connection with a specific port of the target host; if the connection is established successfully, the target host has opened the corresponding port.
Against the historical background of China's industrial transformation and upgrading and the "deep integration of informatization and industrialization", on the one hand the industrial control systems of critical infrastructure industries have long been in the closed state of "information islands", and system construction has generally emphasized business over security, or given no thought at all to network information security; on the other hand, the growing maturity of smart devices and the rise in management and informatization levels require industrial control networks to connect to the internet, directly or indirectly, at many levels. In the current situation, providing effective security protection for the critical industrial control systems of infrastructure industries requires targeted, comprehensive security risk assessment of the various industrial control systems. The industrial control system information security risk assessment tool of this design can be used widely to perform asset detection, configuration security baseline verification and vulnerability detection on the industrial control devices, network devices, industrial control applications (software), services and components that make up an industrial control system, and on the IT devices, operating systems, databases and other components commonly used in industrial control systems.
This design covers the operating systems, databases and network devices in industrial control systems, and networked devices such as engineer stations, operator stations, HMI, PLC, DCS, PCS, SCADA, OPC servers and industrial switches. It supports asset identification and detection for typical networked devices or systems from mainstream industrial control vendors such as Siemens, Schneider and Rockwell.
The above is only a preferred embodiment of the present invention; all equivalent changes or modifications made according to the configuration, features and principles described in the scope of the patent application of the present invention are therefore included in the scope of the patent application of the present invention.

Claims (2)

1. a kind of method of the industrial control system security risk assessment based on allocation list, it is characterised in that: use following steps:
Step 1: building kernel scheduling engine establishes database group, engine library, industry control assets information library, forms industry security and matches Set baseline checking tool;
Step 2: database group in step 1 is swept by industry control agreement, equipment, software database, industry control vulnerability scan, key Retouch instruction database composition;
Step 3: the engine library in step 1 is by scanning strategy engine, engine of giving out a contract for a project, acquisition engine, differentiates engine composition;
Step 4: the industry control agreement in step 2, equipment, software database, industry control vulnerability scan, key scan director data Library provides data source one for kernel scheduling engine;
Step 5: the industry control assets information library in step 1 provides data source two for kernel scheduling engine;
Step 6: the data source one in step 4 and the data source in step 5 two form data source library;
Step 6: kernel scheduling engine checks that scanning engine comes to be checked to industrial control equipment/software by giving out a contract for a project engine Industrial control equipment/the software looked into, by the data source two in invocation step five, to formulate inspection policy, then acquisition engine is adopted The data being collected into are sent to engine is differentiated, are differentiated in engine calling step 4 by the data for collecting the inspection in industrial control equipment/software Data source one, using industry control agreement, equipment, software database, industry control vulnerability scan, key scan instruction database comes Differentiate that inspection obtains inspection result data, differentiates that engine again send inspection result data to kernel scheduling engine, kernel scheduling draws It holds up and again shows inspection result.
2. The method of industrial control system security risk assessment based on allocation list according to claim 1, characterized in that: the industrial security configuration baseline checking tool in step 1 consists of a presentation layer, a core business layer, a data collection layer, an external system layer and an assessment object layer;
Wherein: (1) the presentation layer consists of an asset category distribution layer, an asset vulnerability distribution layer and a task execution maintenance layer; through these three layers, the tool can obtain the asset compliance analysis results, the asset vulnerability analysis results and the distribution of the network-wide non-compliance index;
Wherein: (2) the core business layer consists of task management, asset management, configuration management, vulnerability verification, the scoring system, report management, system administration and knowledge base management;
Task management consists of task configuration, task execution, task merging, task comparison and manual tasks;
Asset management consists of asset detection, asset identification, asset protection and asset statistics;
Configuration management consists of networked device verification, local configuration verification, verification policy management and verification analysis statistics;
Vulnerability verification consists of weakness verification, vulnerability analysis and vulnerability hardening suggestions;
The scoring system consists of scoring rule management, score calculation and score statistics;
Report management consists of report template management, report classification management and report generation management;
System administration consists of note management, role management, system audit, and backup and recovery;
Knowledge base management consists of fingerprint database management, vulnerability database management and the asset information database;
Wherein: the data collection layer consists of online acquisition and offline acquisition;
The data collection layer consists of acquisition script management, collection scheduling management and acquisition protocol management;
Offline acquisition consists of offline acquisition engine management, offline script management and offline results management;
Wherein: (3) the assessment object layer consists of industrial control equipment, network equipment, security equipment, Web middleware, databases and operating systems;
Wherein: (4) the external system layer consists of the risk assessment tool system, the asset system and the vulnerability information system.
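As an added illustration of the Step 6 flow and the scoring system named in claim 2 (not code from the patent or its authors), the following Python sketch runs policy formulation, acquisition, discrimination and scoring over one asset. The check-item fields, the vulnerability table, the sample asset and every function name are assumptions made for this example.

```python
# Data source two (assumed shape): check items used to formulate the inspection policy.
CHECK_ITEMS = {"plc": [
    {"id": "CFG-01", "key": "telnet_enabled", "op": "eq", "want": False, "weight": 3},
    {"id": "CFG-02", "key": "min_password_length", "op": "ge", "want": 8, "weight": 2},
    {"id": "VUL-01", "key": "firmware", "op": "not_vulnerable", "want": None, "weight": 5},
]}
# Data source one (assumed shape): (model, firmware) pairs with a known vulnerability.
VULN_DB = {("ExamplePLC", "1.0.3"): "EXAMPLE-VULN-0001"}  # constructed placeholder id

def formulate_policy(asset):
    """Core scheduling engine: select the check items for this asset type."""
    return CHECK_ITEMS.get(asset["type"], [])

def collect(asset, keys):
    """Acquisition engine stand-in: read only the requested keys from an offline export."""
    return {k: asset["export"][k] for k in keys if k in asset["export"]}

def discriminate(asset, policy, collected):
    """Discrimination engine: judge each collected value against its check item."""
    results = []
    for item in policy:
        if item["key"] not in collected:
            status = "not_collected"  # fail closed: missing data never counts as a pass
        else:
            value = collected[item["key"]]
            if item["op"] == "eq":
                ok = value == item["want"]
            elif item["op"] == "ge":
                ok = value >= item["want"]
            else:  # not_vulnerable: look the firmware up in data source one
                ok = (asset["model"], value) not in VULN_DB
            status = "pass" if ok else "fail"
        results.append({"id": item["id"], "status": status, "weight": item["weight"]})
    return results

def score(results):
    """Scoring system: weighted share of passed items on a 0-100 scale."""
    total = sum(r["weight"] for r in results)
    passed = sum(r["weight"] for r in results if r["status"] == "pass")
    return round(100 * passed / total) if total else 0

def run_inspection(asset):  # policy -> acquisition -> discrimination -> score
    policy = formulate_policy(asset)
    collected = collect(asset, [item["key"] for item in policy])
    results = discriminate(asset, policy, collected)
    return results, score(results)

# Constructed sample asset: the export lacks min_password_length on purpose.
SAMPLE = {"type": "plc", "model": "ExamplePLC",
          "export": {"telnet_enabled": True, "firmware": "1.0.4"}}
```

Treating an uncollected item as its own status, rather than as a pass, keeps a partial acquisition from inflating the compliance score.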
CN201811575235.8A 2018-12-21 2018-12-21 A method of the industrial control system security risk assessment based on allocation list Pending CN109613899A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811575235.8A CN109613899A (en) 2018-12-21 2018-12-21 A method of the industrial control system security risk assessment based on allocation list

Publications (1)

Publication Number Publication Date
CN109613899A true CN109613899A (en) 2019-04-12

Family

ID=66009899

Country Status (1)

Country Link
CN (1) CN109613899A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20190412