The Journal of the Korea institute of electronic communication sciences (한국전자통신학회논문지)

Korea Institute of Electronic Communication Science (한국전자통신학회)
권호 표지
DOI QR코드

DOI QR Code

Vulnerability Analysis for Industrial Control System Cyber Security

산업제어시스템의 사이버보안을 위한 취약점 분석

  • Received : 2013.11.11
  • Accepted : 2014.01.13
  • Published : 2014.01.31
Download PDF
⟨ Previous Next ⟩

Abstract

Industrial control system (ICS) is a computer based system which are typically used in nation-wide critical infra-structure facilities such as electrical, gas, water, wastewater, oil and transportation. In addition, ICS is essentially used in industrial application domain to effectively monitor and control the remotely scattered systems. The highly developed information technology (IT) and related network techniques are continually adapted into domains of industrial control system. However, industrial control system is confronted significant side-effects, which ICS is exposed to prevalent cyber threats typically found in IT environments. Therefore, cyber security vulnerabilities and possibilities of cyber incidents are dramatically increased in industrial control system. The vulnerabilities that may be found in typical ICS are grouped into Policy and Procedure, Platform, and Network categories to assist in determining optimal mitigation strategies. The order of these vulnerabilities does not necessarily reflect any priority in terms of likelihood of occurrence or severity of impact. Firstly, corporate security policy can reduce vulnerabilities by mandating conduct such as password usage and maintenance or requirements for connecting modems to ICS. Secondly, platfom vulnerabilities can be mitigated through various security controls, such as OS and application patching, physical access control, and security software. Thirdly, network vulnerabilities can be eliminated or mitigated through various security controls, such as defense-in-depth network design, encrypting network communication, restricting network traffic flows, and providing physical access control for network components.

산업제어시스템(Industrial Control System)은 전력, 가스, 수도, 하수, 오일 및 교통시스템과 같은 국가주요기반시설 및 산업분야에서 원거리에 산재된 시스템의 효과적인 원격모니터링 및 제어를 위해 필수적으로 사용되는 컴퓨터 기반의 시스템을 말한다. 고도로 발전된 IT 및 네트워크 관련 기술들이 산업제어시스템에 적용되어 효율성을 높이는 장점이 있지만, 일반적인 IT 환경에서의 각종 정보시스템이 가지는 사이버보안 취약성 및 사고의 가능성이 증대되는 단점을 가지게 되었다. 산업제어시스템에서 통상적으로 발견되는 취약점은 우선순위, 발생빈도 및 영향의 심각성들과는 무관하게 정책 및 절차, 플랫폼 및 네트워크 등으로 분류된다. 이러한 취약점들은 첫째, 패스워드의 강제 사용등과 같은 보안 정책 및 절차를 적용함으로서 취약점을 경감 시킬 수 있다. 둘째로, 운영체제 및 응용프로그램의 패치 적용, 물리적인 접근제어, 보안프로그램 사용등과 같은 다양한 보안통제를 적용함으로서 취약점을 경감 및 완화 시킬 수 있다. 셋째로, 심층방호개념의 네트워크 설계, 네트워크 통신의 암호화, 네트워크 트래픽 제한, 네트워크 장비에 대한 물리적 접근제어 방법 등과 같은 다양한 보안통제를 적용함으로서 취약점을 제거하거나 완화 시킬 수 있다.

Keywords

References

  1. Y.-T. Cha, B.-H. Cho, and J.-C. Na, "Security Technology Trends and Prospective of Industrial Control System,". KEIT PD Issue Report, vol. 13-6, 2013, pp. 79-100.
  2. N. Falliere, L. O. Murchu, and E. Chien, "Win32.stuxnet Dossier," Symantec Security Response, 2011.
  3. A. Nicholson, S. Webber, S. Dyer, T. Patel, and H. Janicke, "SCADA Security in the light of Cyber- Warfare," Computer & Security, 2012, pp. 418-436.
  4. Y.-H. Chen, "Introduction of Information Security for Industrial Control System," Korea Institute of Information Security and Cryptology, vol. 19, no. 5, 2009, pp. 52-59.
  5. NRC Information Notice 2003-14, "Potential Vulnerability of Plant Computer Network to Worm Infection," Nuclear Regulatory Commission, 2003.
  6. Y.-H. Chen, "Network Design and Architecture for ICS Security", Korea Institute of Information Security and Cryptology, vol. 19, no. 5 2009, pp. 60-67.
  7. NIST SP800-53, "Recommended Security Controls for Federal Information System," National Institute of Standards and Technology, 2009.
  8. NIST SP800-82, "Guide to Industrial Control System Security," National Institute of Standards and Technology, 2011.
  9. W.-S. Seo and M.-S. Jun, "A Direction of Convergence and Security of Smart Grid and Information Communication Network," J. of the Korea Institute of Electronic Communication Sciences, vol. 5, no. 5, 2010, pp. 477-486.
  10. I.-S. Koo, K.-W. Kim, S.-B. Hong, G.-O. Park, and J.-Y. Park, "Digital Asset Analysis Methodology against Cyber Threat to I&C System in NPP," J. of the Korea Institute of Electronic Communication Sciences, vol. 6, no. 6, 2011, pp. 839-847.
  11. C.-H. Yoon, G.-J. Kim, and C.-S. Jang, "Embedded-based Power Monitoring Security Module Design," J. of the Korea Institute of Electronic Communication Sciences, vol. 8, no. 10, 2013, pp. 1485-1490. https://doi.org/10.13067/JKIECS.2013.8.10.1485