DOI QR코드

DOI QR Code

보안성 평가 도구 사례 분석 연구

A Study and Analysis on Case Study of Security Evaluation Tool

  • Kim, Hyun-il (Department of Convergence Science, Kongju National University) ;
  • Park, Kyungyun (Department of Convergence Science, Kongju National University) ;
  • Seo, Changho (Department of Convergence Science, Kongju National University) ;
  • Moon, Daesung (Electronics and Telecommunications Research Institute(ETRI))
  • 투고 : 2018.11.12
  • 심사 : 2019.01.20
  • 발행 : 2019.01.28

초록

최근, 산업제어 시스템의 개방화로 인해 민간, 공공 분야 정보시스템에서 구조적 패러다임의 큰 변화가 제안되고 있다. 이에 따라, 기존 정보시스템의 보안 기술 수준으로 대응할 수 없는 미래 주요 기반 시설 제어시스템의 잠재적 사이버 보안 문제가 최근 대두되고 있으며, 이러한 보안 취약점에 대응하기 위해 다양한 기반 시설 제어 시스템 환경에 대해 입체적으로 보안 취약성을 평가할 수 있는 보안 평가 도구가 필요하다. 하지만 현재 국내 사이버 보안 평가 환경은 점검 항목의 대부분이 기술적인 영역에 한정되어 있어 한계점이 존재한다. 이를 극복하기 위해, 미국의 사이버 보안 평가 도구인 CSET(Cyber Security Evaluation Tool)을 국내 다양한 기반 시설의 제어 시스템 환경에 맞게 적용하기 위한 많은 연구가 필요하다. 따라서, 본 논문에서는 기존의 보안 평가 도구를 적용하는 다양한 연구 사례 분석을 통해 국내 원전, 전력 등의 기반 시설에 적용할 방안에 대해 분석하고 앞으로의 연구 방향을 제안한다.

Recently, the liberalization of industrial control systems has been accompanied by a major change in the structural paradigm of information systems in the public and public sectors, and potential cyber security problems in the future major infrastructure control systems that cannot respond to the level of security of existing information systems. To cope with this, a cyber security evaluation tool that can evaluate security vulnerability in three dimensions against various infrastructure control system environment is needed. However, a cyber security evaluation in the domestic environments does not have the concept of the current security status and satisfy settings of the infrastructure. Also, the most of items in that environments have had short-term inspection themselves which makes a limitation by a technical area. In order to overcome this problems, many researches are needed to apply CSET (Cyber Security Evaluation Tool) which is the US cyber security evaluation tool to the control environment of various domestic infrastructure. In this paper, first, we analyze methods to apply to the major domain through the analysis of various case studies on existing security assessement tools. Finally, we discuss future directions.

키워드

DJTJBT_2019_v17n1_347_f0001.png 이미지

Fig. 1. Structure diagram of DCS system

DJTJBT_2019_v17n1_347_f0002.png 이미지

Fig. 2. Overview of the nuclear control system[9]

DJTJBT_2019_v17n1_347_f0003.png 이미지

Fig. 3. Overview of industrial control system in electric power field

DJTJBT_2019_v17n1_347_f0004.png 이미지

Fig. 4. Correlation of RTU and power system

DJTJBT_2019_v17n1_347_f0005.png 이미지

Fig. 5. Mock correlation of RTU and power system

Table 1. Security standard from major infrastructure in the US[5]

DJTJBT_2019_v17n1_347_t0001.png 이미지

Table 2. Examples of industrial control system infringement and corresponding threat agents and alternatives

DJTJBT_2019_v17n1_347_t0002.png 이미지

Table 3. The properties and risks of major infrastructure

DJTJBT_2019_v17n1_347_t0003.png 이미지

Table 4. Risk management for major infrastructure

DJTJBT_2019_v17n1_347_t0004.png 이미지

Table 5. Matrix of risks for major infrastructure[12]

DJTJBT_2019_v17n1_347_t0005.png 이미지

Table 6. Quantificational results for risks of major infrastructure[12]

DJTJBT_2019_v17n1_347_t0006.png 이미지

Table 7. Quantificational results for weakness of major infrastructure[12]

DJTJBT_2019_v17n1_347_t0007.png 이미지

Table 8. Calculation for interruption cost of power system[15]

DJTJBT_2019_v17n1_347_t0008.png 이미지

Table 9. Results of risk estimation considering risk and weakness[12]

DJTJBT_2019_v17n1_347_t0009.png 이미지

참고문헌

  1. HelloT. (2010). Control system publication and security issues. HelloT(Online). http://magazine.hellot.net/magz/article/articleDetail.do?flag=all&showType=showType1&articleId=ARTI_000000000035281&articleAllListSortType=sort_1&page=1&selectYearMonth=201009&subCtgId
  2. G. N. Ericsson. (2010). Cyber security and power system communication-essential parts of a smart grid infrastructure. IEEE Transactions on Power Delivery, 25(3), 1501-1507. https://doi.org/10.1109/TPWRD.2010.2046654
  3. T. H. Woo. (2013). Systems thinking safety analysis: nuclear security assessment of physical protection system in nuclear power plants. Science and Technology of Nuclear Installations, 2013.
  4. Y. Zhang, L. Wang, Y. Xiang & C. W. Ten. (2015). Power system reliability evaluation with SCADA cybersecurity considerations. IEEE Transactions on Smart Grid, 6(4), 1707-1721. https://doi.org/10.1109/TSG.2015.2396994
  5. ICS-CERT. Assessments. CEST Cyber Security Evalutaion Tool. https://ics-certus-cert.gov/Assessments
  6. ICS-CERT. Downloading and Installing CSET. CEST Cyber Security Evalutaion Tool. https://ics-cert.us-cert.gov/Downloading-and-Installing-CSET.
  7. WIKIPEDIA. SCADA. https://en.wikipedia.org/wiki/SCADA
  8. NCS. (2004). Supervisory Control and Data Acquisition (SCADA) Systems.
  9. C. K. Lee. (2004). Design of an Integrated I&C System Daejeon : KAERI.
  10. Y. R. Choi. (2009). Development of IT-based Cyber Security Technology for Nuclear Power Plant. Daejeon: KAERI.
  11. Y. J. Kim, J. H. Lee & J. I. Lim. (2009). A Study on the Secure Plan of Security in SCADA Systems. Journal of the Korea Institute of Information Security & Cryptology, 19(6), 145-152.
  12. D. J. Kang, J. J. Lee, Y. Lee, I. S. Lee & H. K. Kim. (2013). Quantitative Methodology to Assess Cyber Security Risks of SCADA system in Electric Power Industry. Journal of the Korea Institute of Information Security & Cryptology, 23(3), 445-457. https://doi.org/10.13089/JKIISC.2013.23.3.445
  13. H. Kim. (2009). Analysis of Overseas System based Evaluation Cases and Technology. Naju: KISA.
  14. M. Negrete-Pincetic, F. Yoshida & G. Gross. (2009, July). Towards quantifying the impacts of cyber attacks in the competitive electricity market environment. In IEEE Power Tech Conference (pp. 1332-1336).
  15. Korea Electrotechnology Research Institute. (2008). A Study to investigate Industrial Customer Interruption Cost for Power System Planning. Seoul : Korea Electrotechnology Research Institute.