Similar literature
Found 20 similar documents; search time: 156 ms
1.
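U.S. Practices for Securing Industrial Control Systems and Their Lessons for Us   Total citations: 2, self-citations: 0, citations by others: 2
This article introduces U.S. practices for securing SCADA systems and, alongside this, discusses the security risks and threats facing China's industrial control systems and how to further improve and strengthen the security protection of China's industrial control systems.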

2.
SCADA (supervisory control and data acquisition) systems are used for controlling and monitoring industrial processes. We propose a methodology to systematically identify potential process-related threats in SCADA. Process-related threats take place when an attacker gains user access rights and performs actions, which look legitimate, but which are intended to disrupt the SCADA process. To detect such threats, we propose a semi-automated approach of log processing. We conduct experiments on a real-life water treatment facility. A preliminary case study suggests that our approach is effective in detecting anomalous events that might alter the regular process workflow.

3.
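Supervisory control and data acquisition (SCADA) systems are an important part of national infrastructure, yet in recent years SCADA systems have been under constant threat of network attack. Based on an analysis of the vulnerabilities of SCADA communication protocols, 23 network threats that MODBUS-based SCADA systems may face are described; these threats fall into four categories: information scanning, response injection, command injection, and denial of service. Using the way SCADA systems interact with physical systems, detection rules based on protocol flaws and on system state are designed. Snort-based intrusion detection experiments were carried out in a laboratory natural gas pipeline system environment, and the results verify the effectiveness of the intrusion detection rules.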

4.
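Supervisory control and data acquisition (SCADA) systems currently face serious security threats, and monitoring and assessing their risk status is an effective countermeasure. To handle the fuzziness and randomness present in the assessment process, cloud model theory is introduced into SCADA security risk assessment, and a security risk assessment model based on the cloud model and combined weights is proposed. The model builds a security risk assessment index system from four aspects of a SCADA system (assets, threats, vulnerabilities, and security measures), uses the least squares method to obtain the optimal combined weights of the assessment indices, and uses a cloud generator to obtain the cloud model numerical characteristics of the indices and the comprehensive assessment cloud of the SCADA system. A standard assessment cloud is then constructed based on the golden ratio, and the final assessment result is obtained with an improved cloud similarity calculation method. Finally, experiments verify the effectiveness and feasibility of the model. The results show that the model yields accurate assessment results and that, compared with methods such as fuzzy comprehensive evaluation, it has higher credibility and gives better evaluation results. The method not only helps identify security risks and threats to SCADA systems but also provides a reference for security risk assessment in other fields.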

5.
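For common faults of large equipment in thermal power plants, a new diagnostic method is proposed: data mining. By building an intelligent data mining tool, the method obtains fault diagnosis knowledge directly from the large volume of real-time data in the historical database of the power plant's SCADA system and uses it for fault diagnosis. The core of the data mining tool is to use rough-set reduction to simplify the fault diagnosis rules extracted from the database into a decision table based on a minimal variable set. The method avoids the dedicated tests or experiments otherwise added for fault diagnosis, lowering cost and reducing the potential danger such tests pose to equipment. The method is applied to a complex fault case of a thermal power plant boiler, and the results show a diagnostic accuracy above 92%, which can meet on-site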

6.
Firewalls are one of the most widely used security devices to protect a communications network. They help secure it by blocking unwanted traffic from entering or leaving the protected network. Several commercial vendors have extended their firewall capabilities to support SCADA protocols or designed SCADA-specific firewalls. Although open-source firewalls are used successfully in IT networks, their use in SCADA networks has not been properly investigated. In this research we investigate the major open-source firewalls for their use in SCADA networks and identify Linux iptables’ potential as an effective SCADA firewall. Iptables is a powerful open-source firewall solution available as part of most Linux distributions in use today. In general, use of iptables as a network-level firewall for SCADA systems has been limited to basic port and host filtering, without further inspection of control messages. We propose and demonstrate a novel methodology to use iptables as an effective firewall for SCADA systems. This is achieved by utilizing advanced iptables features that allow for dynamic inspection of packet data. It is noteworthy to mention that the proposed solution does not require any modification to the netfilter/iptables framework, making it possible to turn a Linux system into an effective SCADA firewall. The approach has been tested by defining filtering rules for the Modbus TCP protocol and validating its ability to defend against various attacks on the protocol.

7.
An Intrusion Detection System (IDS) provides a front-line defense mechanism for the Industrial Control System (ICS) dedicated to keeping the process operations running continuously for 24 hours in a day and 7 days in a week. A well-known ICS is the Supervisory Control and Data Acquisition (SCADA) system. It supervises the physical process from sensor data and performs remote monitoring control and diagnostic functions in critical infrastructures. The ICS cyber threats are growing at an alarming rate on industrial automation applications. Detection techniques with machine learning algorithms on public datasets, suitable for intrusion detection of cyber-attacks in SCADA systems, as the first line of defense, have been detailed. The machine learning algorithms have been performed with labeled output for prediction classification. The activity traffic between ICS components is analyzed and packet inspection of the dataset is performed for the ICS network. The features of flow-based network traffic are extracted for behavior analysis with port-wise profiling based on the data baseline, and anomaly detection classification and prediction using machine learning algorithms are performed.

8.
Supervisory Control and Data Acquisition (SCADA) systems are widely used in critical infrastructures such as water distribution networks, electricity generation and distribution plants, oil refineries, nuclear plants, and public transportation systems. However, the increased use of standard protocols and interconnectivity has exposed SCADA systems for potential cyber-attacks. In recent years, the cyber-security of SCADA systems has become a hot issue for governments, industrial sectors and academic community. Recently some security solutions have been proposed to secure SCADA systems. However, due to the critical nature of SCADA systems, evaluation of such proposed solutions on real system is impractical. In this paper, we proposed an easily scalable and reconfigurable virtual SCADA security testbed, which can be used for developing and evaluating SCADA specific security solutions. With Distributed Denial of Service (DDoS) and false data injection attack scenarios, we demonstrated how attackers could disrupt the normal operation of SCADA systems. Experimental results show that, the proposed testbed can be effectively used for cyber security assessment and vulnerability investigation on SCADA systems. One of the outcomes of this work is a labeled dataset, which can be used by researchers in the area of SCADA security.

9.
Computer systems and especially networking environments are growing and changing very rapidly. Such growth introduces major security risks, as current computer and networking security components are not able to dynamically adapt themselves for the changing needs. Especially the growth of the Internet and electronic commerce have made it necessary to have centralized security policies in place which are enforced by a distributed environment. ‘Active Security’ is the result of a research and development project, introducing a new approach for implementing security systems, being able to automatically respond to new security threats. The focus of this work is encompassing a security infrastructure where multiple components including intrusion detection systems, vulnerability assessment scanners, firewalls and other security devices are able to communicate and respond to changing security threats. Design and implementation of Active Security is based on a public key infrastructure using digital certificates for providing authenticated communication. A number of sites on the Internet have participated during the pilot phase of Active Security protecting their networks. The United States patent titled ‘Active Firewall System and Methodology’ is pending for this architecture.

10.
Systems risk refers to the likelihood that an Information System (IS) is inadequately protected against certain types of damage or loss. While risks are posed by acts of God, hackers and viruses, consideration should also be given to the ‘insider’ threat of dishonest employees, intent on undertaking some form of computer crime. Against this backdrop, a number of researchers have addressed the extent to which security managers are cognizant of the very nature of systems risk. In particular, they note how security practitioners' knowledge of local threats, which form part of such risk, is often fragmented. This shortcoming contributes to situations where risk reducing efforts are often less than effective. Security efforts are further complicated given that the task of managing systems risk requires input from a number of departments including, for example, HR, compliance, IS/IT and physical security. To complement existing research, and also to offer a fresh perspective, this paper addresses systems risk from the offender's perspective. If systems risk entails the likelihood that an IS is inadequately protected, this text considers those conditions, within the organisational context, which offer a criminal opportunity for the offender. To achieve this goal a model known as the ‘Crime-Specific Opportunity Structure’ is advanced. Focusing on the opportunities for computer crime, the model addresses the nature of such opportunities with regards to the organisational context and the threats posed by rogue employees. Drawing on a number of criminological theories, it is believed the model may help inform managers about local threats and, by so doing, enhance safeguard implementation.

11.
12.
Supervisory control and data acquisition (SCADA) software which is suitable to distributed control systems is a demand for system developers because the characteristics of existing SCADA software packages are hard to satisfy the requirements of distributed systems. For the strengths of component-oriented techniques, this paper proposes a component-oriented architecture of SCADA software to satisfy the demand of distributed control systems. Design pattern and OPC (OLE for Process Control) technology are also used to make the openness for the architecture.

13.
The management of information security can be conceptualized as a complex adaptive system because the actions of both insiders and outsiders co-evolve with the organizational environment, thereby leading to the emergence of overall security of informational assets within an organization. Thus, the interactions among individuals and their environments at the micro-level form the overall security posture at the macro-level. Additionally, in this complex environment, security threats evolve constantly, leaving organizations little choice but to evolve alongside those threats or risk losing everything. In order to protect organizational information systems and associated informational assets, managers are forced to adapt to security threats by training employees and by keeping systems and security procedures updated. This research explains how organizational information security can perhaps best be managed as a complex adaptive system (CAS) and models the complexity of IS security risks and organizational responses using agent-based modeling (ABM). We present agent-based models that illustrate simple probabilistic phishing problems as well as models that simulate the organizational security outcomes of complex theoretical security approaches based on general deterrence theory (GDT) and protection motivation theory (PMT).

14.
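With the rapid development of modern information and communication technology, industrial control systems (ICS) have become an important part of national critical infrastructure, and their security bears on national strategic security and social stability. The ever closer connection between modern ICS and the Internet has, on the one hand, promoted rapid progress in industrial control technology and, on the other, brought it serious security problems. Since the Stuxnet incident, attacks on ICS have occurred frequently, causing huge economic losses to manufacturers worldwide and even seriously affecting social stability and security in many countries and regions, which has drawn great attention to ICS security. In modern ICS, the wide variety of automation equipment and proprietary protocols, together with complex and rapidly evolving data flows, makes it very difficult to survey the security of key ICS components; existing surveys on the subject are few, and most are dated and incomplete. To address these problems, the mainstream architectures and related components of current ICS are introduced. The security vulnerabilities and potential threats in key ICS components are described and analyzed, with a focus on summarizing attack methods against the control center, programmable logic controllers, and field devices in supervisory control and data acquisition (SCADA) systems; the preconditions, targets, implementation steps, and harm of the attacks reported in the literature of recent years are summarized and analyzed, and attacks on industrial control networks are classified from the perspectives of availability, integrity, and confidentiality. Possible future trends in attacks on ICS are given.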

15.
The use of terminalised systems has increased vulnerability and threats in banking services. Some of the risks will be discussed in this paper. Protection through the use of an access system is described in detail. Protection of cards and telecommunication system is also described. As conclusion, there are some suggestions on how to lower the risks in a terminalised EDP system.

16.
National information infrastructure (NII), vital to the nation's security and economic stability, comprises both physical and electronic infrastructures. Information and communications technologies (ICT) form the backbone of many aspects of the NII and reliance on ICT has created many new risks. Cyberthreats are becoming more sophisticated with the blending of once distinct types of attack into more damaging forms. This paper examines the technology-related risks associated with the NII and provides examples of existing incidents and areas in which new threats might emerge. To be able to mitigate these risks, it remains crucial to understand infrastructure interdependencies and to establish public-private partnerships to ensure that weaknesses in systems are not able to be exploited.

17.
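Research on an Information Security Protection Framework for Industrial Control SCADA Systems   Total citations: 2, self-citations: 0, citations by others: 2
The security of SCADA has attracted widespread attention. The article first introduces the main information security risks facing industrial control SCADA systems, then proposes a SCADA security protection framework based on an overall security policy, a security technology system, a security management system, a security service system, and security infrastructure, which can effectively ensure the secure operation of SCADA systems.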

18.
Cyber threats are becoming more sophisticated with the blending of once distinct types of attack into more damaging forms. Increased variety and volume of attacks is inevitable given the desire of financially and criminally-motivated actors to obtain personal and confidential information, as highlighted in this paper. We describe how the Routine Activity Theory can be applied to mitigate these risks by reducing the opportunities for cyber crime to occur, making cyber crime more difficult to commit and by increasing the risks of detection and punishment associated with committing cyber crime. Potential research questions are also identified.

19.
Lauri Forsman 《AI & Society》1998,12(4):328-345
Organisations have eagerly adopted the new opportunities provided by distributed computing technology. These opportunities have also created new dependency on the technology and threats of technical problems. Information technology (IT) management has to choose its position towards these new technical risks. Should the problems be prevented proactively in advance or settled reactively afterwards? This paper draws conclusions from an action research case study aimed at proactive versus reactive end-user support. Between 1994 and 1997 one of the business units in Nokia Telecommunications required a new approach for its distributed information systems (IS) to facilitate rapid organisational growth. The distributed IS and its end-user support were established and organised during a 30-month re-engineering process. These results provide a new view to the dependencies between business processes and IT. The new distributed IT has become, often insidiously, a necessity for vital business processes. Therefore, risk management should be adopted as a standard tool for IS management to identify such dependencies. Proactive actions should be aimed at those areas where IT-related business risks are identified. Proactivity should be supplemented by reactive support to provide daily assistance for the end-users.

20.
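A Hierarchical Resource Management Strategy for Open SCADA Systems   Total citations: 1, self-citations: 0, citations by others: 1
Traditional supervisory control and data acquisition (SCADA) systems generally run in closed environments, where external conditions, input data volume, and resource configuration and allocation methods are usually known in advance and seldom change during operation. Today the demand for openness in SCADA systems keeps rising, and external conditions, input data, and resource utilization often change dynamically. In response to this trend, a hierarchical resource management strategy for open SCADA systems is proposed, bandwidth allocation strategies and processor utilization are discussed, and the strategy is evaluated using an example.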
