Research on Construction of Critical Information Infrastructure Protection System and Standardization of Vulnerability Management

Abstract

Abstract: In order to solve the confusion of critical information infrastructure operator in vulnerability management, the implementation of the Cyber Security Law of the People's Republic of China and the Regulations on the Security and Protection of critical information infrastructure (Draft for Comments) should be further promoted, and the protection system of critical information infrastructure in China should be established. By systematically analyzing the development history of critical information infrastructure protection at home and abroad, relevant standards of vulnerability management, and frontier theories of vulnerability management of critical information infrastructure, the necessity of standardization of vulnerability management for operators of critical information infrastructure is demonstrated. The vulnerability control management of key information infrastructure is summarized into 5 elements of vulnerability management, asset management, patch management, personnel management and organizational management, and the management model of 5 stages of preparation, planning, execution, monitoring and change. The 5 elements and 5 stages of vulnerability control management are cross-subdivided into 32 work processes. It is suggested to compile a vulnerability management guide standard for vulnerability operators of critical information infrastructure with Chinese characteristics according to this model.

Key words: vulnerability, critical information infrastructure, elimination and control, vulnerability life cycle, vulnerability management

摘要： 为解决关键信息基础设施运营者在漏洞管理工作中的困惑，深化推进《中华人民共和国网络安全法》和《关键信息基础设施安全保护条例（征求意见稿）》的落实工作，构建我国关键信息基础设施保护体系．通过系统分析国内外关键信息基础设施保护发展历程、漏洞管理相关标准、关键信息基础设施漏洞管理前沿理论，论证了关键信息基础设施运营者漏洞管理工作标准化的必要性．将关键信息基础设施漏洞消控管理工作归纳为漏洞管理、资产管理、补丁管理、人员管理、组织管理5要素和准备、规划、执行、监控、变更5阶段的管理模型，漏洞消控管理5要素与5阶段交叉细分为32个工作过程，建议根据此模型编写具有我国特色的关键信息基础设施漏洞运营者漏洞管理指南类标准．

关键词: 漏洞, 关键信息基础设施, 消控, 漏洞生命周期, 漏洞管理

杨一未孙成昊. 关键信息基础设施保护体系建设与漏洞管理标准化研究[J]. 信息安全研究, 2022, 8(1): 62-.

References

中华人民共和国国家互联网信息办公室.中华人民共和国网络安全法 [EB/OL]. (2016-11-07) [2017-06-01]. http://www.cac.gov.cn/2016-11/07/c_1119867116_3.htm

[2] 中华人民共和国国家互联网信息办公室.关键信息基础设施安全保护条例（征求意见稿）[EB/OL]. (2017-07-11)[2020-07-11]. http://www.cac.gov.cn/2017-07/11/c_1121294220.htm

[3] 全国信息安全标准化技术委员会WG7信息安全管理工作组.关键信息基础设施网络安全保护基本要求（征求意见稿）[S/OL]. (2018-06-16)[2019-12-03]. https://www.sohu.com/a/236200532_825373

[4] The White House. Presidential policy directive 21: critical infrastructure security and resilience [EB/OL]. 2014[2020-02-12]. https://xueshu.baidu.com/usercenter/paper/show?paperid=254bc1ecc891a00f8df1fc1512a8043d&site=xueshu_se

[5] National a Rchives Federal Register. Strengthening the cybersecurity of federal networks and critical infrastructure [EB/OL]. (2017-05-11)[2017-05-16]. https://www.federalregister.gov/documents/2017/05/16/2017-10004/strengthening-the-cybersecurity-of-federal-networks-and-critical-infrastructure

[6] Senate - Homeland Security and Governmental Affairs. DHS cyber incident response teams act of 2018 [EB/OL]. (2018-04-12)[2018-07-31]. https://www.congress.gov/bill/115th-congress/senate-bill/3309/text,

[7] Kevin S M, Kim Q, Gregory W A. Framework for improving critical infrastructure cybersecurity [R/OL]. (2014-02-19)[2020-02-10]. https://www.nist.gov/publications/framework-improving-critical-infrastructure-cybersecurity

[8] The White House. National cyber strategy of the United States of America [EB/OL]. 2018-09[2020-08-15]. https://trumpwhitehouse.archives.gov/wp-content/uploads/2018/09/National-Cyber-Strategy.pdf

[9] Cybersecurity and Infrastructure Security Agency. CISA, DOE, and UK’s NCSC issue guidance on protecting industrial control systems [EB/OL]. (2020-05-22)[2020-06-05]. https://us-cert.cisa.gov/ncas/current-activity/2020/05/22/cisa-doe-and-uks-ncsc-issue-guidance-protecting-industrial-control

[10] 林梓瀚.基于数据治理的欧盟法律体系建构研究[J]. 信息安全研究,2021,7(4):335-341

[11] European Union Agency for Cybersecurity. Baseline security recommendations for IoT (in the context of critical information infrastructures) [EB/OL]. (2017-11-20)[2020-08-15]. https://www.enisa.europa.eu/publications/baseline-security-recommendations-for-iot

[12] European Union Agency for Cybersecurity. NIS directive COVID19 [EB/OL]. (2018-05-09)[2020-08-15].https://www.enisa.europa.eu/topics/nis-directive?tab=details

[13] The European Parliament and of the Council. Concerning measures for a high common level of security of network and information systems across the Union [EB/OL]. (2016-07-06)[2020-08-15].https://eur-lex.europa.eu/eli/dir/2016/1148/oj

[14] 全国信息安全标准化技术委员会WG7信息安全管理工作组.关键信息基础设施安全控制措施（征求意见稿）[S/OL]. (2020-03-18)[2020-08-15]. https://download.csdn.net/download/qqvsdd/12255412?utm_source=iteye_new

全国信息安全标准化技术委员会WG7信息安全管理工作组.关键信息基础设施安全保障指标体系（报批稿）[S/OL]. [2020-03-18]. https://download.csdn.net/download/qqvsdd/12255378

[16] 全国信息安全标准化技术委员会WG7信息安全管理工作组.关键信息基础设施安全防护能力评价方法（征求意见稿）[S/OL]. (2020-07-09)[2020-08-11]. https://www.cebnet.com.cn/20200811/102681974.html

[17] 全国信息安全标准化技术委员会WG7信息安全管理工作组.关键信息基础设施安全检查评估指南（送审稿）[S/OL]. (2018-04-26)[2020-04-26]. https://download.csdn.net/download/xxywyc/10375848?utm_source=iteye_new

[18] ISO/IEC JTC 1/SC 27 Information Security, Cybersecurity and Privacy Protection. ISO/IEC 30111:2019, Information technology — Security techniques — Vulnerability handling processes [S/OL]. 2019-10[2020-08-20].https://www.iso.org/standard/69725.html

[19] ISO/IEC JTC 1/SC 27 Information Security, Cybersecurity and Privacy Protection. ISO/IEC 29147:2018, Information technology — Security techniques — Vulnerability disclosure [S]. 2018-10[2020-08-20]. https://www.iso.org/standard/72311.html

[20] 中国国家标准化管理委员会.GB/T 30276-2020信息安全技术网络安全漏洞管理规范[S]. 北京：中国标准出版社，2020

[21] Dempsey K, Takamura E, Eavy P, et al. NISTIR 8011 Vol.4, Automation Support for Security Control Assessments: Software Vulnerability Management [S/OL]. 2020-04 [2020-08-20] https://csrc.nist.gov/publications/detail/nistir/8011/vol-4/final

[22] Dempsey K, Eavy P, Moore G. NISTIR 8011 Vol.1, 1Automation Support for Security Control Assessments: Overview [S/OL]. 2017-06 [2020-08-20]. https://csrc.nist.gov/publications/detail/nistir/8011/vol-1/final

[23] Dempsey K, Eavy P, Moore G. NISTIR 8011 Vol.2, Automation Support for Security Control Assessments: Hardware Asset Management [S/OL]. 2017-06 [2020-08-20]. https://csrc.nist.gov/publications/detail/nistir/8011/vol-2/final

[24] Dempsey K, Goren N, Eavy P, et al. NISTIR 8011 Vol.3, Automation Support for Security Control Assessments: Software Asset Management [S/OL]. 2018-12 [2020-08-20]. https://csrc.nist.gov/publications/detail/nistir/8011/vol-3/final

[25] Mell P, Bergeron T, Henning D. SP 800-40 Version 2.0 Creating a Patch and Vulnerability Management Program [S/OL]. 2005-11 [2020-08-20].https://csrc.nist.gov/publications/detail/sp/800-40/version-20/archive/2005-11-16

[26] Souppaya Murugiah, Scarfone Karen. SP 800-40 Rev. 3 Guide to Enterprise Patch Management Technologies [S/OL]. 2013-07 [2020-08-20] https://csrc.nist.gov/publications/detail/sp/800-40/rev-3/final

[27] National Cyber Security Centre. Vulnerability management (guidance to help organisations assess and prioritise vulnerabilities) [EB/OL]. (2016-09-23)[2020-09-20].https://www.ncsc.gov.uk/guidance/vulnerability-management

[28] International Telecommunication Union. ITU-TX.1520, Common Vulnerabilities and Exposures [S/OL]. (2014-01-24)[2018-05-10]. https://www.itu.int/rec/T-REC-X.1520-201401-I/en

[29] International Telecommunication Union. ITU-TX.1521, Common Vulnerability Scoring System [S]. (2016-03-23)[ 2018-05-10]. https://www.itu.int/rec/T-REC-X.1521-201603-I/en

[30] International Telecommunication Union. ITU-TX.1524, Common Weakness Enumeration [S]. (2012-03-02)[ 2018-05-10]. https://www.itu.int/rec/T-REC-X.1524-201203-I/en

[31] International Telecommunication Union. ITU-TX.1525, Common Weakness Scoring System [S]. (2015-04-17)[ 2018-05-10] .https://www.itu.int/rec/T-REC-X.1525-201504-I/en

[32] International Telecommunication Union. ITU-TX.1526, Language for the open definition of vulnerabilit-ies and for the assessment of a system state[S]. (2014-01-24)[ 2018-05-10].https://www.itu.int/rec/T-REC-X.1526-201401-I/en

[33] 中国国家标准化管理委员会.GB/T 28458-2020信息安全技术网络安全漏洞标识与描述规范[S]. 北京：中国标准出版社，2020

[34] 中国国家标准化管理委员会.GB/T 30279-2020信息安全技术网络安全漏洞分类分级指南[S]. 北京：中国标准出版社，2020

[35] Cybersecurity and Infrastructure Security Agency. Continuous diagnostics and mitigation (CDM) [EB/OL]. 2012 [2020-09-20].https://www.cisa.gov/cdm

[36] Cybersecurity and Infrastructure Security Agency. Coordinated vulnerability disclosure (CVD) process [EB/OL]. (2019-02-06)[2020-09-20]. https://www.cisa.gov/coordinated-vulnerability-disclosure-process

[37] Cybersecurity and Infrastructure Security Agency. A guide to critical infrastructure security and resilience[EB/OL]. 2019-11[2020-09-20]. https://www.cisa.gov/publication/guide-critical-infrastructure-security-and-resilience

[38] Cybersecurity and Infrastructure Security Agency. The National Cyber Incident Response Plan (NCIRP)[EB/OL]. 2016-12[2020-09-20]. https://us-cert.cisa.gov/ncirp

[39] European Union Agency for Cybersecurity. State of vulnerabilities 2018/2019 - analysis of events in the life of vulnerabilities[R/OL]. (2019-01-14)[2020-09-20].https://www.enisa.europa.eu/publications/technical-reports-on-cybersecurity-situation-the-state-of-cyber-security-vulnerabilities

[40] Cybersecurity and Infrastructure Security Agency, Carnegie Mellon University. CRR supplemental resource guide volume 4 vulnerability management [R/OL]. 2016[2020-10-15].https://us-cert.cisa.gov/sites/default/files/c3vp/crr_resources_guides/CRR_Resource_Guide-VM.pdf

[41] Cybersecurity and Infrastructure Security Agency, Carnegie Mellon University. CRR supplemental resource guide volume 1 asset management version

1.1[R/OL]. 2016[2020-10-15].https://www.cisa.gov/sites/default/files/publications/CRR_Resource_Guide-AM.pdf

[42] Cybersecurity and Infrastructure Security Agency, Carnegie Mellon University. CRR supplemental resource guide volume 2 controls management version 1.1[R/OL]. 2016[2020-10-15].https://www.cisa.gov/sites/default/files/publications/CRR_Resource_Guide-CM_0.pdf

[43] Cybersecurity and Infrastructure Security Agency, Carnegie Mellon University. CRR supplemental resource guide volume 3 configuration and change management [R/OL]. 2016[2020-10-15].https://www.cisa.gov/sites/default/files/publications/CRR_Resource_Guide-CCM_0.pdf

[44] Cybersecurity and Infrastructure Security Agency, Carnegie Mellon University. CRR supplemental resource guide volume 5 incident management [R/OL]. 2016[2020-10-15].https://www.cisa.gov/sites/default/files/publications/CRR_Resource_Guide-IM_0.pdf

[45] Cybersecurity and Infrastructure Security Agency, Carnegie Mellon University. CRR supplemental resource guide volume 6 service continuity management version 1.1[R/OL]. 2016[2020-10-15].https://www.cisa.gov/sites/default/files/publications/CRR_Resource_Guide-SC_0.pdf

[46] Cybersecurity and Infrastructure Security Agency, Carnegie Mellon University. CRR supplemental resource cuide volume 7 risk management version 1.1[R/OL]. 2016[2020-10-15].https://www.cisa.gov/sites/default/files/publications/CRR_Resource_Guide-RM_0.pdf

[47] Cybersecurity and Infrastructure Security Agency, Carnegie Mellon University. CRR supplemental resource guide volume 8 external dependencies management version 1.1[R/OL]. 2016[2020-10-15].https://www.cisa.gov/sites/default/files/publications/CRR_Resource_Guide-EDM_0.pdf

[48] Cybersecurity and Infrastructure Security Agency, Carnegie Mellon University. CRR supplemental resource guide volume 9 training and awareness version 1.1[R/OL]. 2016[2020-10-15].https://www.cisa.gov/sites/default/files/publications/CRR_Resource_Guide-TA_0.pdf

[49] Cybersecurity and Infrastructure Security Agency, Carnegie Mellon University. CRR supplemental resource guide volume 10 situational awareness version 1.1[R/OL]. 2016[2020-10-15].https://www.cisa.gov/sites/default/files/publications/CRR_Resource_Guide-SA_0.pdf

[50] 朱琳, 陆明.信息系统建设者视角下生命周期安全管理研究[J].信息安全研究,2020,6(12):1139-1144

[1]	. Research on Source Code Vulnerability Detection Based on Abstract Syntax Tree Compression Coding [J]. Journal of Information Security Reserach, 2022, 8(1): 35-.
[2]	. The Analysis of National Security Risk in Open Source Software Supply Chain [J]. Journal of Information Security Reserach, 2021, 7(9): 790-794.
[3]	. A Comparative Study of International Vulnerability Equities Process [J]. Journal of Information Security Reserach, 2021, 7(6): 496-502.
[4]	. Research on Web service resource consumption vulnerability detection technolog [J]. Journal of Information Security Reserach, 2021, 7(6): 527-534.
[5]	. Open Source Software Vulnerability DataBase Overview [J]. Journal of Information Security Reserach, 2021, 7(6): 566-574.
[6]	. Research on International Disclosure Policy of Security Vulnerabilities [J]. Journal of Information Security Research, 2021, 7(3): 215-224.
[7]	. the limitation of rasp technology in the protection of critical information infrastructure [J]. Journal of Information Security Research, 2021, 7(3): 250-256.
[8]	. 5G supply chain security risk analysis and countermeasure research [J]. Journal of Information Security Reserach, 2021, 7(12): 1178-.
[9]	（国网湖南省电力有限公司信息通信分公司长沙）. Practical Research of IAST Technology under DevOps Development Model [J]. Journal of Information Security Reserach, 2021, 7(12): 1198-.
[10]	. Intelligent Security Test Platform for Power Metering System [J]. Journal of Information Security Reserach, 2021, 7(11): 1103-.
[11]	. Research and Practice of File Upload Vulnerability [J]. Journal of Information Security Research, 2020, 6(2): 151-158.
[12]	. Overview of Current Situation of Critical Information Infrastructure Security Protection at Home and Abroad [J]. Journal of Information Security Research, 2020, 6(11): 0-0.
[13]	. Information Security Vulnerability Knowledge Base Based on Ontology [J]. Journal of Information Security Research, 2020, 6(10): 0-0.
[14]	. A Survey of Research Work on Critical Information Infrastructure System Security Defense [J]. Journal of Information Security Research, 2020, 6(1): 14-24.
[15]	. Research on 5G Supply Chain Security Under Global Digital Economy Strategic [J]. Journal of Information Security Research, 2020, 6(1): 46-51.