国内外工业控制系统信息安全标准研究

信息安全研究 ›› 2016, Vol. 2 ›› Issue (5): 435-441.

国内外工业控制系统信息安全标准研究

邸丽清

中国信息安全测评中心

收稿日期:2016-05-17 出版日期:2016-05-15 发布日期:2016-05-17
通讯作者: 邸丽清
作者简介:博士，副研究员，主要研究方向为工业控制系统信息安全. dilq@itsec.gov.cn

Research on the Domestic and Foreign Standards for ICS Information Security

Received:2016-05-17 Online:2016-05-15 Published:2016-05-17

摘要/Abstract

摘要： 工业控制系统信息安全问题日益突出，工业控制系统信息安全的保障迫切需要完善的标准体系作为支撑，因此针对国内外工业控制系统信息安全标准体系的研究显得尤为重要.首先通过研究国外工业控制系统信息安全相关标准、指南及行业规范，分析其体系框架及安全技术要求，总结了国外标准体系的特点；其次通过分析国内工业控制系统信息安全标准及行业规范的现状和特点，提出了我国目前标准体系研究存在的一些不足，并有针对性地给出相关建议，为进一步完善国内工业控制系统信息安全标准体系提供参考.

Abstract: Industrial control system (ICS) is widely used in various industries in electrical, petrochemical, water treatment, railway and so on. ICS gradually becomes the target of cyberattacks due to the open and important mission of itself. Lots of cyberattack events in recent years, such as "Stuxnet" virus, "Flame" virus and Trojan attack for Ukrainian power grid, have proven that the cyberattack threats for ICS are increasingly upgraded. The perfect ICS information security standards system are urgently needed to build for the information security assurance of ICS as a support. So the research on the domestic and foreign information security standard system for ICS is particularly important. Firstly, the characteristics of foreign standard system are summarized through the study on the technical framework and technical requirements of the foreign ICS information security standards, guidelines and norms. Secondly, the characteristics of the domestic ICS information security standards and norms are analyzed by summarizing the development trends of the domestic ICS information security standards. Finally, some existing deficiencies of the current domestic research on the ICS information security standard system are presented, and some suggestions for the further improving domestic standard system are given.

邸丽清. 国内外工业控制系统信息安全标准研究 [J]. 信息安全研究, 2016, 2(5): 435-441.

参考文献

［1］彭勇, 江常青, 谢丰, 等. 工业控制系统信息安全研究进展［J］. 清华大学学报: 自然科学版, 2012, 52(10): 13961408［2］NIST. SP80082. Guide to Industrial Control System (ICS) Security［S］. Gaithersburg, USA: National Institute of Standards and Technology (NIST), 2014［3］NIST. SP80053. Recommended Security Controls for Federal Information Systems and Organizations［S］. Gaithersburg, USA: National Institute of Standards and Technology (NIST), 2013［4］NIST. National Institute of Standards and Technology (NIST). Framework for Improving Critical Infrastructure Cybersecurity Version 1.0［R］. Gaithersburg, USA: National Institute of Standards and Technology (NIST), 2014［5］IEC. IEC TC 65 WG 10. IEC 62443 Security for Industrial Automation and Control Systems［S］. Geneva, Switzerland: International Electrotechnical Commission (IEC), 2014［6］IEC. IECTR 62210. Power System Control and Associated Communications—Data and Communication Security［S］. Geneva, Switzerland: International Electrotechnical Commission (IEC), 2003［7］IEC. IEC 62351. Data and Communication Security［S］. Geneva, Switzerland: International Electrotechnical Commission (IEC), 2005［8］DHS. Cyber Security Assessments of Industrial Control System［S］. Washington, USA: Department of Homeland Security (DHS), 2010［9］DHS. National Infrastructure Protection Plan［R］. Washington, USA: Department of Homeland Security, 2009［10］API. API Standard 1164. Pipeline SCADA Security Guideline［S］. New York, USA: American Petroleum Institute, 2009［11］AGA. AGA12. Cryptographic Protection of SCADA Communications General Recommendations［S］. Washington, USA: American Gas Association, 2004［12］NRC Regulatory Guide 5. 71. Cyber Security Programs for Nuclear Facilities, Guideline Regulatory［S］. Washington, USA: US Nuclear Regulatory Commission, 2010［13］BAL0010a. Reliability Standards for the Bulk Electric Systems in North America, Regulation［S］. Princeton, USA: North American Electric Reliability Council, 2011［14］高洋, 彭勇, 谢丰. 美国工控安全保障管理的启示［J］. 中国信息安全, 2012, 27(3): 4447［15］熊琦, 竟小伟, 詹峰. 美国石油天然气行业ICS系统信息安全工作综述及对我国的启示［J］. 中国信息安全, 2012, 27(3): 8083［16］ANSIISA99. Manufacturing and Control System Security, Standards and Guidelines［S］. Los Angeles, USA: American National Standards Institute (ANSI)USA International Standards Authority (ISA), 2009［17］Sommestad T, Ericsson G N, Nordlander J. SCADA system cyber securitys comparison of standards［C］ Proc of 2010 IEEE on Power and Energy Society General Meeting. Minneapolis, USA: IEEE Power & Energy Society, 2010: 18［18］欧阳劲松. IEC 62443工控网络与系统信息安全标准综述［J］. 信息技术与标准化, 2012 (3): 2427［19］全国工业过程测量和控制标准化技术委员会(SACTC124)和全国信息安全标准化技术委员会(SACTC260). GBT 30976.1—2014工业控制系统信息安全第1部分: 评估规范［S］. 北京: 中国标准出版社, 2014［20］全国工业过程测量和控制标准化技术委员会(SACTC124)和全国信息安全标准化技术委员会(SACTC260). GBT 30976.2—2014工业控制系统信息安全第2部分: 验收规范［S］. 北京: 中国标准出版社, 2014［21］全国工业过程测量和控制标准化技术委员会(SACTC124). GBT 26333—2010工业控制网络安全风险评估规范［S］. 北京: 中国标准出版社, 2010［22］张敏, 张五一, 韩桂芬, 等. 国内外工业控制系统信息安全标准研究［C］ 第十一届中国标准化论坛论文集. 北京: 中国标准化协会, 2014: 964968［23］梅恪. 中国工控信息安全技术标准体系［J］. 自动化博览, 2014 (11): 5255［24］李航. 建立健全我国工业控制系统信息安全体系［J］. 微型机与应用, 2015, 34(1): 1316［25］许东阳. 国内外工业控制系统信息安全标准及政策法规介绍［J］. 自动化博览, 2013 (1): 3131［26］WIB. Process control domainsecurity requirements for vendors［R］. Hague, Netherlands: WIB, 2006