Review and prospect on cyber threat indicators of substation monitoring system
Abstract: Cyber threat indicators (CTIs) are the information necessary to describe or identify cybersecurity threats in cyberspace. CTIs that effectively represent and characterize attack behaviors are the foundation for ensuring cybersecurity. Compared with general information systems, the intensity and capability level of the attacks that substation monitoring systems must withstand differ significantly. Organized attackers with professional knowledge can infiltrate the production control zone through means such as supply chain attacks and, because they are able to get past identity and access management restrictions, may not necessarily trigger security alerts. Therefore, CTIs carried over from general information systems cannot accurately detect highly concealed cyber attacks designed specifically to target substation monitoring systems. To address this, the traditional CTIs of general information systems are first reviewed, and then the existing CTIs designed around the characteristics of substation monitoring systems are analyzed. On this basis, in response to the challenge of detecting highly concealed security threats, an outlook is given on the extraction and design of compliance-based substation CTIs. It exploits two characteristics of substation monitoring systems: the business systems execute their tasks according to established process rules, and the primary system status is strongly coupled with the communication and alarms of the secondary system. This approach is expected to accurately characterize highly concealed security threats that do not trigger alerts but violate business rules, laying the groundwork for further enhancing security protection capabilities.
Authors: LI Xiangshuo; CHANG Guanghui; SU Sheng; RUAN Chong; WU Po; LI Bin (Dispatching Control Center, State Grid Henan Electric Power Company, Zhengzhou 450052, China; School of Electrical & Information Engineering, Changsha University of Science & Technology, Changsha 410114, China; Electric Power Research Institute, State Grid Henan Electric Power Company, Zhengzhou 450052, China)
Source: Journal of Electric Power Science And Technology (CAS, CSCD, Peking University Core), 2024, Issue 4, pp. 1-10, 10 pages in total
Funding: Research project of State Grid Henan Electric Power Company (SGHADK00DWJS2200211).
Keywords: substation monitoring system; cyber threat indicators; highly concealed cyber threat; compliance; anomaly detection