工业控制系统安全态势感知技术研究

周明; 吕世超; 游建舟; 朱红松; 石志强; 孙利民

引用本文：

周明,吕世超,游建舟,朱红松,石志强,孙利民.工业控制系统安全态势感知技术研究[J].信息安全学报,2022,7(2):101-119 [点击复制]
ZHOU Ming,LV Shichao,YOU Jianzhou,ZHU Hongsong,SHI Zhiqiang,SUN Limin.A Comprehensive Survey of Security Situational Awareness on Industrial Control Systems[J].Journal of Cyber Security,2022,7(2):101-119 [点击复制]

本文已被：浏览 4472次下载 4112次	码上扫一扫！
工业控制系统安全态势感知技术研究
周明^1,2, 吕世超^1,2, 游建舟^1,2, 朱红松^1,2, 石志强^1,2, 孙利民^1,2
0 字体:加大+\|默认\|缩小-
(1.中国科学院信息工程研究所物联网信息安全技术北京市重点实验室北京中国 100093;2.中国科学院大学网络空间安全学院北京中国 100049)

摘要:

工业控制系统(简称工控)是国家关键基础设施的核心, 越来越多的工作开始关注工控系统安全。然而, 这些工作的实际应用场景并不统一, 因此他们取得的成果无法相互借鉴。为了解决这个问题, 在深入研究这些安全技术的基础上, 我们提出了工控系统安全态势感知(Situational Awareness for Industrial Control Systems Security, SA-ICSS)框架, 该框架由态势觉察、态势理解和态势投射三个阶段构成。在态势觉察阶段, 我们首先利用网络测绘和脆弱性发现技术获取完善的目标系统环境要素, 如网络拓扑和漏洞信息; 其次, 我们将入侵检测和入侵诱捕等 5 种设备部署在目标系统中, 以便从控制系统中捕获所有的可疑活动。在态势理解阶段, 我们首先基于结构化威胁信息表达(Structured Threat Information Expression, STIX)标准对目标系统进行本体建模,构建了控制任务间的依赖关系以及控制任务与运行设备的映射关系; 其次, 自动化推理引擎通过学习分析师推理技术, 从可疑活动中识别出攻击意图以及目标系统可能受到的影响。在态势投射阶段, 我们首先利用攻击图、贝叶斯网络和马尔科夫模型从可疑活动中构建攻击模型; 其次, 我们利用现有的威胁评估技术从攻击模型中预测可能发生的攻击事件、可能被感染的设备以及可能存在的零日漏洞。我们阐述了 SA-ICSS 各个阶段的任务范围, 并对其中的关键技术进行了分析与总结。最后, 我们还探讨了 SA-ICSS 待解决的若干问题。

关键词: 工业控制系统安全态势感知本体模型攻击意图影响评估威胁预测

DOI：10.19363/J.cnki.cn10-1380/tn.2022.03.07

投稿时间：2019-08-19修订日期：2019-10-28

基金项目:本课题得到国家重点研发计划(No.2018YFC1201102),国家自然科学基金重点项目(No.U1766215),国家自然科学基金项目(No.61702506)资助。

A Comprehensive Survey of Security Situational Awareness on Industrial Control Systems

ZHOU Ming^1,2, LV Shichao^1,2, YOU Jianzhou^1,2, ZHU Hongsong^1,2, SHI Zhiqiang^1,2, SUN Limin^1,2

(1.Beijing Key Laboratory of IoT Information Security Technology, Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China;2.School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China)

Abstract:

Industrial Control Systems (ICS) are the core part of the state critical infrastructure, and more and more works are focusing on the ICS security. However, the results of these works cannot apply to each other since their application situations are not all the same. To solve this problem, we propose a Situational Awareness for Industrial Control Systems Security (SA-ICSS) framework that integrates many security techniques proposed in recent years, and the framework involves three stages: situational perception, situational comprehension, and situational projection. In situational perception stage, we first obtain the full environmental elements from the target control system by using the network scanning and vulnerability discovery techniques, such as network topology and vulnerability information; then we deploy five kinds of security devices such as intrusion detection and intrusion deception systems in the target control system, these devices help us collect potential malicious activities. In situational comprehension stage, we first construct an ontology model for the target control system based on the Structured Threat Information Expression (STIX) standards, which involves the dependency relationship among control tasks and the mapping relationship between control tasks and their corresponding devices; then an automatic reason engine is used to learn reason rules from the security analyzers, and the engine can automatically identify the attack intension and the possible impacts against the target control system. In situational projection stage, we first construct an attack model based on the above malicious activities by using three attack modeling techniques including attack graph, Bayesian attack graph, and Markov model; Once the attack model is built, we use the off-the-shelf threat evaluation techniques to predict the possible results appearing in the future, such as attack events, infected devices, and “0-day” vulnerabilities. In this paper, we elaborate the task scope at each stage of the SA-ICSS and summary the key technologies among these stages. Finally, we discuss five open problems that have not been solved on the SA-ICSS.

Key words: industrial control systems security situational awareness ontology model attack intent impact assessment threat prediction