摘要
工业控制系统的网络安全风险评估通常受多种不确定性因素的影响,为有效降低评估过程中专家主观因素和其他不确定性因素对评估结果造成的影响,提出一种基于攻击树和层次分析法(Analytic Hierarchy Process,AHP)策略的网络安全风险评估方法,并将其应用于中国列车运行控制系统(Chinese Train Control System,CTCS)的风险评估实践。首先,分析CTCS结构及其安全威胁,并基于安全威胁构建攻击树模型;其次,研究CTCS安全事件的产生机制,基于AHP策略分析安全事件可能导致的损失,将不确定性因素纳入安全事件发生概率的计算,通过安全事件发生概率及其损失计算出CTCS的风险值,当被评估对象为新上线系统或专家评估经验不足时,为降低数据波动引起的评估偏差,计算时去掉安全事件概率的最大值和最小值;最后,基于所提方法开展风险评估试验并进行仿真。结果表明:考虑攻击不确定因子和影响因子,风险评估结果在较低风险至中风险连续区间内的分布率接近100%,相对于未考虑不确定性因素的情况,风险评估结果在连续区间的分布率提升了近15%;去掉安全事件概率的最大值和最小值时,风险评估结果变化幅度更小,收敛于稳定的风险等级。
In industrial control systems,network security risk assessment is usually influenced by various uncertainties.To reduce the impacts of assessment experts' subjective views and other uncertainties on the assessment results,AHP(Analytic Hierarchy Process) is adopted in this paper for network security risk assessment and put into practice of CTCS(China Train Control System).Firstly,the structure and the security threats of the CTCS system are analyzed,and the attack tree model is constructed based on the security threats.Secondly,the generation mechanism of security incidents is studied;possible loss caused by security incidents are analyzed based on the AHP strategy.Uncertain elements are adopted as impact factors to calculate the probability of security incidents.The risk value of CTCS is calculated with security incident probability and security incident loss.When the evaluated object is a newly online system or the expert's evaluation experience is insufficient,in order to reduce the evaluation deviation caused by data fluctuation,the maximum and minimum values of security incident probability are removed during calculation.Finally,experiments and simulations are conducted based on the proposed strategies.The results show that the strategy considering uncertain elements and impact factors leads to a better risk assessment performance,which results in a distribution of 100% of risk assessment result within the range of lower-to medium-risk intervals.Compared with the strategy without considering uncertainties,there is an improvement of 15% in the risk assessment result.When the maximum value and minimum value of security incidents are excluded in the calculation,there is a greater degradation of the change in risk assessment result,converging to a stable risk level.
作者
姚洪磊
刘国梁
解辰辉
杨轶杰
牛温佳
YAO Honglei;LIU Guoliang;XIE Chenhui;YANG Yijie;NIU Wenjia(School of Computer and Information Technology,Beijing Jiaotong University,Beijing 100044,China;Institute of Electronic Computing Technology,China Academy of Railway Sciences Corporation Limited,Beijing 100081,China)
出处
《中国铁道科学》
EI
CAS
CSCD
北大核心
2023年第4期241-250,共10页
China Railway Science
基金
中国国家铁路集团有限公司科技研究开发计划课题(K2022W010)。
