Research And Implementation Of Information Security Assessment System For Industrial Control System

With the rapid development of industrialization and informatization,ICS(industrial control system)products are increasingly using information technology-based protocols and software and hardware.It is widely used in electric power,metallurgy,security,water conservancy,chemical industry,transportation and large manufacturing industries.Initially designed to be isolated,industrial control systems are increasingly connected to public networks such as the Internet.Trojans,viruses,and other threats are also spreading to the industrial control system,such as " Stuxnet"," Worm.Win32.Flame ",the production department in some countries and the huge damage to the critical infrastructure,so you should attach importance to information security of the ICS.However,the research on ICS information security at home and abroad has just begun in recent years.Especially in China,the ICS information security assessment model and methods are not mature enough.Due to the lack of historical data and low objectivity,the quantification model of ICS security assessment is difficult to implement.In addition,at present,there are very few evaluation systems with quantitative analysis of ICS information security in China.According to the above problems,this paper analysis the domestic and foreign standards in the field of ICS security: NIST SP-80082 standard(industrial control system security guide),GB/T 20984-2007 standard(information security evaluation specification)and the industrial control system information safety protection guide,combine AHP(analytic hierarchy process)and the method of questionnaire survey construct ICS information security evaluation model.In addition,in order to make the evaluation result more accurate,Delphi method is introduced in the process of using AHP,which reducessubjective factors to a certain extent.Then,according to the integration principles of security assessment and information management,simplicity and practicality,we realized the established evaluation model and assessment.The ICS information security assessment system with recording,evaluation,analysis,output and help functions was designed and developed.In addition,the developed system was used for a certain steel company.An ICS information security evaluation was performed on a control system,the target system's security level was obtained,and the feasibility and practicability of the evaluation system were verified.