• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.29 no.5
• /
• pp.1099-1116
• /
• 2019

Industrial control systems(ICS) are widely used in various industrial area and critical infrastructure. To mitigate security threats on ICS, the security assurance test for industrial control devices has been introduced and operating. The test includes testing of the security function of the device itself and testing of communication robustness. In this paper, we describe the security requirements of EDSA, Achilles, and Korea's TTA standard(security requirements for ICS). And also, we analyzed the characteristics of communication robustness test(CRT) of each certification. CRT verifies the device's operation of essential function while transmitting fuzzing and stress packets. Existing test methods are mostly focused on the embedded devices and are difficult to apply to various devices. We propose a method to test communication robustness which reflect the characteristics of control H/W, control S/W, field devices and network devices in ICS. In the future, we will apply the proposed communication robustness test to actual products and present solutions for arising issues.

• Journal of the Korea Convergence Society
• /
• v.7 no.6
• /
• pp.35-41
• /
• 2016

As software is very important, modern men are interesting software quality testing. In this paper, we analyze the Internation standard and Test data, so, we propose the testing method by analysing testing data. We compare ISO/IEC 9126-2 testing model with ISO/IEC 25023 testing model. On the basis of ISO/IEC 25023, we classify the test data and we analyze the difference of International Standard to functionality, reliability, usability, efficiency, maintainability, portability, compatability, and security. By reality 331 testing data, we classify test data, and analyze difference according to sex. We find regression model by functionality, usability and testing date and we prove difference of testing date and the number of error by tester. Also, we prove difference of the number of error in software type.

• Review of KIISC
• /
• v.28 no.6
• /
• pp.63-69
• /
• 2018

방위산업기술보호법의 대상기관인 각 군(軍)은 방위산업기술보호 인식 및 역량 제고를 위한 방위산업기술보호 교육이 필요하다. 방위산업기술 즉 기밀기술정보, 비기밀통제기술정보, 핵심기능(CPI)에 대한 보호조치 등 군(軍) 방위력개선사업 실무절차와 관련된 특징을 고려하여 전력소요제기~운용시험평가~후속양상 구매 배치에 이르는 전(全) 단계에 방위산업기술 보호 지침에 따라 보안조치가 이루어져야 한다. 이러한 보안조치는 교육을 통해 효과가 극대화 된다. 따라서 본 연구는 각 군(軍)의 방위산업기술 보호에 관한 교육의 발전방안을 제시하는데 주안을 두었다.

• Convergence Security Journal
• /
• v.19 no.4
• /
• pp.97-105
• /
• 2019

With the possibility of wireless control of the aircraft by Nicola Tesla, Unmanned Aerial Vehicle(UAV) was mainly used for military and defense purposes with the rapid development through World War I and II. As civilian applications of unmanned aerial vehicles have expanded, they have been used with various services, and attempts have been made to control various environmental changes and risk factors of unmanned aerial vehicles. However, GPS spoofing, Jamming attack and security accidents are occurring due to the communication in the unmaned aerial vehicle system or the security vulnerability of the unmanned aerial vehicle itself. In order to secure introduction of Unmanned aerial vehicle, South Korea has established Unmanned Aerial Vehicle verification system called Airworthiness Certification. However, the existing cerfication system is more focused on test flight, design and structure's safety and reliability. In this paper, we propose a unmanned aerial vehicle system model and propose security functional requirements on unmanned aerial vehicle system in the corresponding system model for secure-introduction of Unmanned Aerial Vehicle. We suggest the development direction of verification technology. From this proposal, future development directions of evaluation and verification technology of Unmanned Aerial Vehicle will be presented.

• Journal of Digital Convergence
• /
• v.19 no.8
• /
• pp.249-255
• /
• 2021

This study proposed a method for determining weights for the eight quality characteristics, such as functionality, reliability, usability, maintainability, portability, efficiency, security, and interoperability, which are suggested by international standards, focusing on software test reports. Currently, the test results for software quality evaluation apply the same weight to 8 quality characteristics to obtain the arithmetic average. Weights for 8 quality characteristics were applied using the results from text analysis, and weights were applied using the results of text analysis of test reports for two products. It was confirmed that the average of test reports according to the weighted quality characteristics was more efficient.

• Proceedings of the Korean Society of Computer Information Conference
• /
• 2010.07a
• /
• pp.43-46
• /
• 2010

전력산업분야는 스마트그리드 표준체계 및 고도화된 정보통신 인프라의 도입과 보안 그리고 분산전력 등에 대한 신기술 도입에 의해서 급격한 변화기를 맞이하고 있다. 현재 미국과 EU에서는 세계시장을 겨냥해서 스마트그리드의 국제표준화를 주도하고 있으며, 제3세계에서는 전력설비 시장의 지속적 성장이 예상되고 있다. 이에 국내에서도 국제 경쟁력 확보 및 신성장동력 창출을 목표로 연구가 진행 중이다. 전력체계의 운영망과 별개의 시험망 구성이 필요하며, 그 시험망을 통한 검증을 위해 시험망내 표준규격의 통신환경의 설계 및 기능검증은 매우 중요한 요소이다. 본 논문에서는 시험평가망 구성이후 평가를 위해 사용할 수 있는 주요 Component의 설계과정 중의 일부인 IEC 61850기반의 MMS 통신 환경구성 및 기능검증을 위한 연구결과에 대해 설명한다.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.32 no.4
• /
• pp.709-722
• /
• 2022

The recent "Log4j Security Vulnerability Incident" has occurred, and the information system that uses the open source "Log4J" has been exposed to vulnerabilities. The incident brought great vulnerabilities in the information systems of South Korea's major government agencies or companies and global information systems, causing problems with open source vulnerabilities. Despite the advantages of many advantages, the current development paradigm, which is developed using open source, can easily spread software security vulnerabilities, ensuring open source safety and reliability. You need to check the open source. However, open source vulnerability scan tools have various languages and functions. Therefore, the existing software evaluation criteria are ambiguous and it is difficult to evaluate advantages and weaknesses, so this paper has developed a new evaluation criteria for the vulnerability analysis tools of open source

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.30 no.6
• /
• pp.1141-1149
• /
• 2020

Most of the industrial control network is an independent closed network, which is operated for a long time after installation, and thus the OS is not updated, so security threats increase and security vulnerabilities exist. The zero-day attack defense must be applied with the latest patch, but in a large-scale industrial network, it requires a higher level of real-time and non-disruptive operation due to the direct handling of physical devices, so a step-by-step approach is required to apply it to a live system. In order to solve this problem, utility-specific patch impact assessment is required for reliable patch application. In this paper, we propose a method to test and safely install the patch using the regression analysis technique and show the proven results. As a patch impact evaluation methodology, the maximum allowance for determining the safety of a patch was derived by classifying test types based on system-specific functions, performance, and behavior before and after applying the patch. Finally, we report the results of case studies applied directly to industrial control networks, the OS patch has been updated while ensuring 99.99% availability.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.17 no.6
• /
• pp.77-87
• /
• 2007

It will need a quite long time to replace IPv4 protocol, which currently used, with IPv6 protocol completely, thus we will use both IPv4 and IPv6 together in the Internet during the period. For coexisting protocols, IETF standardized various IPv4/IPv6 transition mechanisms. However, new security problems of IPsec adaptation and IPv6 packet filtering can be raised by tunneling mechanism which mainly used in transition mechanisms. To resolve these problems, we suggested two improved schemes for packet filtering functions, which consists of an inner header filtering scheme and a dedicated filtering scheme for IPv4/IPv6 transition mechanisms. Also we implemented our proposed schemes based on Linux Netfilter framework, and we tested their filtering functions and evaluated experimental performance of our implementation on IPv4/IPv6 transition testbed. These evaluation tests indicated that our improved packet filtering functions can solve packet filtering problems of IPv4/IPv6 transition mechanisms without severely affecting system performance.

• Journal of Korea Society of Industrial Information Systems
• /
• v.12 no.3
• /
• pp.47-59
• /
• 2007

IPv4 NAT, which often used in households or under SOHO environments, is one of the factors that delays IPv6 propagation. As IPv4 NAT does not operate properly under the transition mechanism like ISATAP or 6to4 that acts as IPv6-in-IPv4 tunneling type, Microsoft proposed Teredo in order to resolve this issue. However, tunneling transition mechanism like Teredo has a security problem. That is, being tunneled packets have dual IP headers; general firewall systems apply the filtering rules only to the outer header but not inner header when these packets pass the firewall. Furthermore, attacks using unregistered server and relay can take place in Teredo. To resolve these problems, we propose a new packet filtering mechanism exclusively for Teredo. The proposed packet filtering mechanism was designed and implemented by using Linux Netfilter and ip6tables. Through functional and experimental performance tests, this packet filtering system was found operating properly and solving the Teredo packet filtering problems without serious performance degradation.