美国关键基础设施安全管理综述

摘要/Abstract

摘要： 近年来，各国纷纷出台政策、法规，将关键基础设施安全提升到国家安全的高度，并开始重视对其网络安全的保护.习近平总书记提出，要努力把我国建设成为网络强国，关键信息基础设施安全保护正是网络强国战略的重要环节.目前，我国正处于关键信息基础设施保护的起步阶段，有必要了解其他国家的做法和经验.作为最早开展关键基础设施网络安全保护的国家，美国在20余年的探索中逐步形成了较为系统的关键基础设施安全管理体系和方法.通过从关键基础设施的识别和认定过程、管理体系、安全要求3方面分析美国对其关键基础设施的保护主要措施和成功经验，为我国关键基础设施保护工作提供参考.

关键词: 关键基础设施, 网络安全, 识别, 管理体系, 安全要求

Abstract: In recent years, Different countries are paying more attention to critical infrastructure security and its cyber defense to the level of national security by developing regulations, laws and standards. As general secretary of the CPC Central Committee and president of China, Xi Jinping proposed efforts to promote innovative development, and work hard to build China into a cyberpower. Critical information infrastructure protection is one of the most important parts of the network strategy. We should learn from other countries, especially developed countries, to secure our critical infrastructure while we are still in the early stage. The United States, as the first country devoting attention to protect critical infrastructure cyber security, has developed a set of critical infrastructure information security policies, measures and supporting works. The study will provide suggestions for our critical infrastructure defense by reviewing American critical infrastructure measures from the perspectives of its identification, management system and security requirement.

Key words: critical infrastructure, cyber security, recognition, management system, security requirement

张弛. 美国关键基础设施安全管理综述[J]. 信息安全研究, 2017, 3(8): 736-746.

参考文献

] Jones A. Critical infrastructure protection [J]. Computer Fraud & Security，2007,12(4): 11-15 [2] 习近平. 在网络安全和信息化工作座谈会上的讲话[EB/OL]. (2016-04-19) [2016-07-01]. http://www.cac.gov.cn/2016-04/25/c_1118731366.htm [3] 左晓栋. 美国网络安全政策二十年[M]. 北京: 电子工业出版社, 2017年 [4] The White House. Presidential decision directive 63: Critical infrastructure protection [EB/OL]. (1998-05-22) [2016-12-20]. https://fas.org/irp/offdocs/pdd/pdd-63.htm [5] DHS. Homeland Security Presidential Directive 7: Critical infrastructure identification, prioritization, and protection [EB/OL]. (2003-12-17) [2017-3-20]. https://www.dhs.gov/homeland-security-presidential-directive-7 [6] 左晓栋. HSPD-7及分析[J]. 信息网络安全.2004(2): 26-29 [7] The White House. Executive Order 13636: Improving critical infrastructure cybersecurity [EB/OL]. (2013-02-19) [2017-05-20]. http://www.gpo.gov/fdsys/pkg/FR-2013-02-19/pdf/2013-03915.pdf [8] The White House. Presidential Policy Directive 21: Critical infrastructure security and resilience [EB/OL]. (2013-02-12) [2017-5-20]. https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil [9] OIG. Progress in developing the national asset database [EB/OL]. (2006-06-09)[2017-06-21]. https://www.oig.dhs.gov/assets/Mgmt/OIG_06-40_Jun06.pdf [10] United States Government Accountability Office. Efforts to identify critical infrastructure assets and systems [EB/OL]. (2009-06-30) [2017-07-03]. www.oig.dhs.gov/assets/Mgmt/OIG_09-86_Jun09.pdf [11] U.S. Government Printing Office. Implementing recommendations of the 9/11 commission act of 2007[EB/OL]. (2007-07-25) [2017-07-03]. https://www.congress.gov/110/crpt/hrpt259/CRPT-110hrpt259.pdf [12] DHS. Automated critical asset management system decommission: Frequently asked questions [EB/OL]. [2017-06-20]. https://www.dhs.gov/sites/default/files/publications/ACAMS%20Decommission%20FAQs_508.pdf [13] DHS. Infrastructure protection gateway [EB/OL]. [2017-06-20]. https://www.dhs.gov/ipgateway [14] 刘金瑞. 我国网络关键基础设施立法的基本思路和制度建构[J]. 环球法律评论, 2016 (5) :116-133 [15] 唐旺，宁华. 落实国家网络安全法，识别认定关键信息基础设施[J]. 西安电子科技大学学报(社会科学版), 2016,26 (6) :153-162 [16] 唐旺，宁华，陈星,等. 美国关键基础设施网络安全保护现状[J]. 信息技术与标准化. 2016, (5): 31-35 [17] United States General Accounting Office. Technology assessment: Cybersecurity for critical infrastructure protection [EB/OL]. 2004 [2017-06-20]. http://gaonet.gov/assets/160/157541.pdf [18] United States General Accounting Office. Critical infrastructure protection: DHS leadership needed to enhance cybersecurity [EB/OL]. (2006-09-13) [2017-06-20]. http://www.gao.gov/assets/120/114774.pdf [19] DHS. NPPD at a glance [EB/OL]. 2014[2017-06-20]. https://www.dhs.gov/sites/default/files/publications/nppd-at-a-glance-071614.pdf [20] 贾浩淼，王石. NIST《改进关键基础设施网络安全框架》分析[J]. 信息技术与标准化. 2014(4): 47-50, 73 [21] DHS. National infrastructure protection plan (NIPP) 2006 [EB/OL]. 2006[2017-06-20]. https://www.dhs.gov/xlibrary/assets/NIPP_Plan_noApps.pdf [22] 张骥. 美国政府应急管理中的国家基础设施保护——美国《国家基础设施保护预案》解读[C]//中国突发事件防范与快速处置优秀成果选编.北京:中国灾害防御协会, 2009: 36-38 [23] DHS. Information technology sector-specific plan 2016 [EB/OL]. (2015-03-20) [2017-05-14]. www.dhs.gov/sites/default/files/publications/nipp-ssp-information-technology-2016-508.pdf [24] DHS. National infrastructure protection plan (NIPP) 2013: Partnering for critical infrastructure security and resilience [EB/OL]. [2017-05-14]. https://www.dhs.gov/sites/default/files/publications/national-infrastructure-protection-plan-2013-508.pdf [25] DHS. National infrastructure advisory council [EB/OL]. [2017-06-14]. https://www.dhs.gov/national-infrastructure-advisory-council [26] 许东阳，叶润国，蔡磊. 美国关键基础设施网络威胁信息共享研究[J]. 信息技术与标准化. 2016 (11) :31-34 [27] United States Government Accountability Office. Critical infrastructure protection: Sector-specific agencies need to better measure cybersecurity progress[EB/OL]. (2015-11-19) [2017-07-01]. http://www.gao.gov/assets/680/673779.pdf [28] DHS. Executive collaboration for the nation’s strategic critical infrastructure final report and recommendations [EB/OL]. (2015-03-20) [2017-05-14]. https://www.dhs.gov/sites/default/files/publications/NIAC-CEO-Final-Report-QBM-Draft-508.pdf [29] United States Government Accountability Office. Critical infrastructure protection: DHS has made progress in enhancing critical infrastructure assessments, but additional improvements are needed [EB/OL]. (2016-07-12) [2017-05-14]. http://www.gao.gov/assets/680/678344.pdf

[1]	窦宇宸胡勇. 基于BERT的安全事件命名实体识别研究[J]. 信息安全研究, 2021, 7(3): 242-249.
[2]	杨鹏飞罗奇伟李尧. 数字政府网络安全指数评估体系研究[J]. 信息安全研究, 2021, 7(3): 257-262.
[3]	门嘉平肖扬文马涛. 社会工程学攻击之钓鱼邮件分析[J]. 信息安全研究, 2021, 7(2): 166-170.
[4]	范晓霞周安民郑荣锋李孟铭. 基于深度学习的暗网市场命名实体识别研究[J]. 信息安全研究, 2021, 7(1): 37-43.
[5]	王逸鹤黄亦芃. 面向网络安全防御防护的大数据平台架构研究[J]. 信息安全研究, 2021, 7(1): 75-80.
[6]	胡鹏鹏. 大数据背景下个人生物识别信息的立法保护研究[J]. 信息安全研究, 2020, 6(9): 0-0.
[7]	寇春静刘志娟张弛雷灵光. 中国大陆信息网络安全学术研究的影响力分析[J]. 信息安全研究, 2020, 6(9): 0-0.
[8]	吉梁. 央企商密网分类分域安全防护体系设计与思考[J]. 信息安全研究, 2020, 6(9): 0-0.
[9]	邱勤张滨吕欣. 5G安全需求与标准体系研究[J]. 信息安全研究, 2020, 6(8): 673-679.
[10]	段伟伦韩晓露吕欣李阳. 美国5G安全战略分析及启示[J]. 信息安全研究, 2020, 6(8): 688-693.
[11]	林嘉涛李玉陈海萍. 5G移动通信网络的安全研究[J]. 信息安全研究, 2020, 6(8): 699-704.
[12]	崔枭飞樊晓贺. 新基建浪潮下5G mMTC业务场景安全问题研究[J]. 信息安全研究, 2020, 6(8): 710-715.
[13]	张彦司群冯凤娟. 铁路网络安全测评体系研究[J]. 信息安全研究, 2020, 6(8): 738-743.
[14]	李俊柴海新. 生物特征识别隐私保护研究[J]. 信息安全研究, 2020, 6(7): 589-601.
[15]	张慧王钰成舸向银杉郑方. 基于“声纹＋”的无监督可信身份认证[J]. 信息安全研究, 2020, 6(7): 615-621.