Analysis of Trends in Security Evaluation and Certification of Industrial Control Systems

  • Kyung-ho Son (Information Security Industry Division, Korea Internet & Security Agency)
  • Published: 2014.10.31

Abstract

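This paper examines the security standards and security requirements for industrial control systems (ICS), which are widely used in national critical infrastructure and industrial sectors such as power, gas, water, and transportation systems, and reviews the evaluation and certification schemes that certify, through testing and evaluation, that these requirements are adequately met and correctly implemented. In particular, it analyzes in detail the ISASecure(R) EDSA certification program, which is being actively pursued mainly in the United States, and proposes an approach for applying it in Korea.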
