工控组态软件安全隐患研究

Research on Security Risks of Industrial Control Configuration Software

随着计算机网络技术的飞速发展和广泛应用以及工业生产对ICS要求的不断提高,独立环境下的ICS已经不能满足工业生产的需求,网络化的ICS被越来越多的应用到工业生产中来,工业过程与信息化系统的连接越来越紧密。这种紧密的连接使得原本物理隔绝的ICS失去了免遭网络攻击的天然屏障,面临着遭受网络病毒攻击的可能性。作为关系到国计民生的工业控制系统,工业控制系统相关软件在设计过程中主要注重功能的实现,而在安全方面考虑得不多,并且很多工控软件(比如说组态软件)在其开发初期并没有依照严格的软件安全开发规范进行,导致存在不安全的漏洞,这些缺陷被攻击者利用后能够造成系统宕机、敏感数据泄露甚至直接获取系统的操控权。文章着重介绍了工业控制系统组态软件安全性研究,针对组态软件存在的漏洞和隐患的提出相关研究和分析方法,分析软件中存在的预置性后门漏洞、高可利用漏洞等重大安全隐患,为保障工业控制系统的安全提供了保障。

With the rapid development and widespread application of computer network technology and the continuous improvement of ICS requirements in industrial production,ICS with an independent environment has been unable to meet the needs of industrial production.Moreover,networked ICS has been more and more applied into industrial production,and the connection between industrial process and information system is closer and closer.This close connection makes the physically isolated ICS lose the natural barrier against network attacks and face the possibility of being attacked by network viruses.As an industrial control system related to the national economy and people’s livelihood,the design of industrial control system software mainly focuses on the realization of functions,but not much on the safety considerations.Typically,many industrial control software(such as configuration software)has no strict software safety development specificationsin the early stage of development,resulting in unsafe vulnerabilities,These defects can be exploited by the attackers to cause system downtime,sensitive data disclosure and even direct control of the system.This paper mainly introduces the research on the security of configuration software of industrial control system,and proposes relevant research and analysis methods for the vulnerabilities and hidden dangers of configuration software.The analysis of the major security hidden dangers in the software,such as preset back door vulnerabilities,high exploitable vulnerabilities,provides a guarantee for the security of industrial control system.