
Quantitative risk assessment of industrial control systems based on attack-tree and CVSS

Cited by: 17
Abstract: To address the problem of performing a comprehensive and objective quantitative risk assessment and analysis of industrial control systems (ICS), this paper proposes a new quantitative risk assessment method for ICS. The method first builds the system attack tree and an attacker model. It then uses CVSS, in light of the security characteristics of ICS, to quantify the leaf nodes of the attack tree comprehensively and objectively, gives a complex-number expression for the loss of asset value, and combines these with probabilistic risk assessment to calculate the risk probability and risk value of each attack sequence and of the target node. Finally, using the attacker model, it combines the analysis of attack sequences with that of the attack and defense sides to extract the system's maximum-risk areas and components. A case analysis shows that the method reduces the influence of subjective human factors when quantifying risk elements, yields a comprehensive quantitative description of risk, and identifies the maximum-risk areas and the components most in need of protection, so that targeted protective measures can be taken for rational and efficient risk elimination and avoidance, which demonstrates the validity and feasibility of the method.
Authors: Wang Zuoguang (王作广), Wei Qiang (魏强), Liu Wenwen (刘雯雯) (State Key Laboratory of Mathematical Engineering & Advanced Computing, PLA Information Engineering University, Zhengzhou 450000, China)
Source: Application Research of Computers (《计算机应用研究》), CSCD, Peking University Core Journal, 2016, No. 12, pp. 3785-3790 (6 pages)
Funding: National "863" Program of China (2012AA012902)
Keywords: industrial control systems (ICS); attack tree; common vulnerability scoring system (CVSS); risk assessment; attack sequence