核电行业工业控制系统信息安全风险评估方法研究

Research on Information Security Risk Assessment Method of Industrial Control System in Nuclear Power Industry

核电行业工业控制系统中部分关键系统具有资产组成单一、整体结构简单等现状,当使用传统的以信息资产为对象的定性风险评估方式进行信息安全风险评估时,出现部分关键工业控制系统风险被低估的情况,进而导致难以全面、客观地反映出核电站工业控制系统所面临的信息安全风险。田湾核电站组织专项研究,通过对国内外信息安全领域、工业控制领域以及电力行业的风险评估方法进行整合分析,并结合核电行业设备维修、维护管理方式的特点和特色,最终整合经典的信息安全风险评估方式、可靠性维修管理(RCM)方式以及失效模式及影响分析(FMEA)方法,形成更加适用于核电行业工业控制系统的信息安全风险评估方法。

In nuclear power industry, some of the key industrial control system have the characteristics of simple structure and consisting of a single asset. If using traditional information risk assessment methods which uses information assets as objects,some of the key industrial control system will be undervalued, and it will be difficult to comprehensively and objectively reflect the information security risks faced by the industrial control system in nuclear power industry.Tianwan nuclear power plant organization research group,though systematizing and analyzing the information risk analysis methods for information security, industrial control and power industry and combined with the characteristics of equipment maintenance and maintenance management style of nuclear power industry, integrated the classic information security risk assessment method, the Reliability-Centered Maintenance（RCM） method and Failure Mode and Effects Analysis（FMEA） method. The formation of information security risk assessment method is more suitable for industrial control system in nuclear power industry.