Research On Industrial Control System Vulnerability Testing And Risk Assessment

Nowadays, network security has become a critical issue to carry out the business. Industrial Control Systems (ICS) are widely used in oil and gas, nuclear industry, transportation, water treatment and other areas of national critical infrastructure, which was originally designed and constructed as an isolated system, among other external networks with no connection. Therefore, ICS rarely suffer from external network attack. With the deepening integration of the industrialization and informatization, industrial control networks and enterprise information network as well as Internet connections become more closely.This means that the fragile industrial network is easily attacked by external network attack..In recent years, there has been continuous attacks of the virus specific ICS " stuxnet","duqu" and "flame", resulting in nuclear facilities and critical infrastructure in some countries, causing enormous damage.These attacks have intensified information security of industrial areas for countries.In this paper, By researching the foreign authority standards and guidelines of ICS information security risk assessment.proposed the ICS information security inspection standards architecture.At the same time, the paper has carried out vulnerability analysis for a typical industrial boiler control system analog system, test the analog system with some common network attack techniques, and completely reproduction of the harsh consequences of the ICS which has been attacked.Test results highlight the enormous risks facing the field of ICS,which also have guidance and explore effect for on strengthening security of industrial control systems.This paper designed an information security risk assessment method based on fuzzy analytic hierarchy for industrial control systems, and creative introduced fuzzy consistent matrix, the method can overcome AHP subjective and repeatedly test for consistency problems.At last, applying the method on risk assessment of a Shanghai petrochemical enterprise control system. The results show that this method can effectively evaluate the importance of the distribution system assets, vulnerability severity distribution and threats faced by the distribution and comprehensive assessment of the risk out of the system, in order to verify the practicality and effectiveness of the proposed method for the next step in the risk management provides a good theoretical basis.