DOI QR코드

DOI QR Code

A study on the cyber security assessment modeling of critical infrastructure

핵심기반시설 사이버 보안 평가 모델링 기법 연구

  • 엄익채 (한전KDN(주) 보안컨설팅팀)
  • Received : 2019.06.28
  • Accepted : 2019.08.20
  • Published : 2019.08.28

Abstract

The purpose of this study is to analyze cyber security risk modeling of critical infrastructure, draw out limitations and improvement measures. This paper analyzed cyber security risk modeling of national critical infrastructure like as electricity sector, nuclear power plant, SCADA. This paper analyzed the 26 precedent research cases of risk modeling in electricity sector, nuclear power plant, SCADA. The latest Critical Infrastructure is digitalized and has a windows operating system. Critical Infrastructure should be operated at all times, it is not possible to patch a vulnerability even though find vulnerability. This paper suggest the advanced cyber security modeling characteristic during the life cycle of the critical infrastructure and can be prevented.

본 연구는 원자력 발전소등의 국가 핵심기반시설에 대한 기존의 사이버 보안 위험 모델링 기법을 분석하고 이의 한계점 및 개선방안을 도출하는데 목적이 있다. 연구 대상은 전력 및 원자력 발전소, SCADA등의 국가 핵심기반시설의 사이버 보안 위험 모델링 기법이다. 연구에서는 SCADA, 전력, 원자력 발전의 사이버 보안 위험 모델링 분야의 총 26편에 대한 선행 연구 사례를 분석하고, 이를 정성적 모델링과 정량적 모델링 기법으로 구분하여 각각의 특징과 한계점에 대해 분석하였다. 최근 핵심기반시설은 디지털화 되어 가는 추세이며 Windows등의 운영체제를 사용하는 시스템들로 구성되어 있지만, 상시 운영되어야 하는 요구사항으로 인해, 취약점이 발견되더라도 패치등을 즉각 행할 수가 없는 특징이 있다. 본 연구에서는 이러한 제약사항들을 감안하여 취약점들이 핵심기반시설의 생명주기동안 어떤 특성으로 전파되고 예방 할 수 있는지에 대한 모델링 기법 방안을 제시하고 있다.

Keywords

References

  1. An Overview of Threat and Risk asseessment. (2002). Newyork : SANS.
  2. R. Radvanovsky. & J. Brodsky.(2013). Handbook of SCADA/Control Systems Security. : CRC Press.
  3. E. Byres. & D. Leversage.(2007). Security incidents and trends in SCADA and process industries. The industrial ethernet book, 39, 26. DOI:10.1016/b978-0-12-397189-0.00002-1
  4. T. Gopal. M. Subbaraju. & R. Joshi. (2014). Methodology to articulate the requirements for security In SCADA. fourth international conference on innovative computing technology, 58-60. DOI:10.1109/INTECH.2014.6927744
  5. A. Cardenas. & S. Amin. (2011). Attacks against process control systems: risk assessment, detection, and response. Proceedings of the 6th ACM symposium on information, computer and communications security,. 121-123. DOI:10.1145/1966913.1966959
  6. J. Guan. & J. Hieb. (2011). A digraph model for risk identification and management in SCADA systems. 2011 IEEE international conference on intelligence and security informatics, 53-54. DOI:10.1109/ISI.2011.5983990
  7. L. Durante. & A. Venzano. (2013). Review of security issues in industrial networks. IEEE Trans Industry Information, 35-36. DOI:10.1109/tii.2012.2198666
  8. Y. Y. Haimes. & C. G. Chittester. (2005). A roadmap for quantifying the efficacy of risk management of information security and interdependent SCADA systems. 2005 IEEE international conference on intelligence and security informatics, 72-74. DOI:10.2202/1547-7355.1117
  9. G. Dondossola. & F. Garrone. (2009). Supporting cyber risk assessment of power control systems with experimental data. Power systems conference and exposition, 2, 36-38. DOI:10.1109/PSCE.2009.4840170
  10. F. Baiardi. (2009). Hierarchical, model-based risk management of critical infrastructures. Reliabilty Engineering System Safety journal, 94(9), 1403-1415. DOI:10.1016/j.ress.2009.02.001
  11. M. Warren. (2009). Safeguarding Australia from cyber-terrorism:a proposed cyber-terrorism SCADA risk framework for industry adoption. Australian information warfare and security conference, 23-27. DOI:10.4225/75/57a7f3c09f482
  12. M. Franz. & D. Miller. (2004). The use of attack trees in assessing vulnerabilities in SCADA systems. Proceedings of the international infrastructure survivability workshop, 1, 42-44.
  13. G. Dondossola. & F. Garrone. (2009). Supporting cyber risk assessment of power control systems with experimental data. Power systems conference and exposition, 3, 12-15. DOI:10.1109/PSCE.2009.4840170
  14. J. Szanto. (2011). Cyber risk assessment of power control systems metrics weighed by attack experiments. Power and energy society general journal. 112-116. DOI:10.1109/PES.2011.6039589
  15. Window of exposure a real problem for SCADA systems Recommendations for Europe on SCADA patching.(2013).: ENISA
  16. G. N. Ericsson. (2009). Information security for electric power utilities (EPUs)-CIGR developments on frameworks, risk assessment, and technology. IEEE Trans Power Delivery journal, 24(3), 1174-1181. DOI: 10.1109/tpwrd.2008.2008470
  17. S. Grses. & M. Heisel. (2010). A comparison of security requirements SCADA engineering methods. Requirements of Security Enginering journal, 15(1), 7-40. DOI:10.1007/s00766-009-0092-x
  18. D. Thornton. & J. Dawson. (2012). Security best practices and risk assessment of SCADA and industrial control systems. Proceedings of the 2012 world congress in computer science, computer engineering, and applied computing, 111-114. DOI:10.1109/rusautocon.2018.8501811
  19. R. Folkers. & J. Roberts. (2006). Scenario-based approach to risk analysis in support of cyber security. Proceedings of the 5th international topical meeting on nuclear plant instrumentation controls, and human machine interface technology, 5(3), 293-300. DOI:10.1002/sec.321
  20. R. Filippini. & M. Schimmer. (2012). Risk assessment methodologies for critical infrastructure protection. European Commission Joint Research Centre Institute for the Protection and Security of the Citizen journal, 18, 50-57. DOI:10.1016/j.ijcip.2017.07.001
  21. K. Z. Snow. & D. R. Zaret. (2009). Evaluating the risk of cyber attacks on SCADA systems via Petri net analysis with application to hazardous liquid loading operations. IEEE conference on technologies for homeland security, 154-157. DOI:10.1109/ths.2009.5168093
  22. S. Rudrapattana. & P. Kijsanayothin. (2014). Cyber security analysis of smart grid SCADA systems with game models. Proceedings of the 9th annual cyber and information security research conference, 143-145. DOI:10.1145/2602087.2602089
  23. F. Massacci. & F. Paci. (2013). An experimental comparison of two risk-based security methods. ACM/IEEE international symposium on empirical software engineering and measurement, 182-186. DOI:10.1109/ESEM.2013.29
  24. M. R. Permann. & K. Rohde. (2005). Cyber assessment methods for SCADA security. 15th annual joint ISA POWID/EPRI controls and instrumentation conference., .63-68.
  25. A. Zielstra. (2013). Assessing and improving SCADA security in the dutch drinking water sector. Critical information infrastructure security journal,4(9),124-134. DOI:10.1016/j.ijcip.2011.08.002
  26. A. Krings. & J. Alves. (2012). Risk analysis and probabilistic survivability assessment an assessment approach for power substation hardening. Proceedings of ACM workshop on scientific aspects of cyber terrorism. DOI:10.1109/isgt.2017.8085978
  27. D. Gertman. & R. Folker. (2006). Scenario based approach to risk analysis in support of cyber security. Proceedings of the 5th international topical meeting on nuclear plant instrumentation controls, and human machine interface technology, 5(9),293-300. DOI:10.1002/sec.321
  28. S. Patel. & J. Graham. (2008). Quantitatively assessing the vulnerability of critical information systems. new method for evaluating security enhancements International Journal, 28(9), 483-491. DOI:10.1016/j.ijinfomgt.2008.01.009
  29. M. H. Henry. & R. M. Layer. (2009). Evaluating the risk of cyber attacks on SCADA systems via Petri net analysis with application to hazardous liquid loading operations. IEEE conference on technologies for homeland security. 76-79. DOI:10.1109/ths.2009.5168093
  30. Cyber Security Technical Assesment Methodology: Vulnerability Identification and Mitigation Overview of Threat and Risk asseessment.(2016). Newyork : EPRI.
  31. NEI 13-10 Cyber Security Control Assesment Rev5.(2016). Washington D.C: Nuclear Energy Institute
  32. S. Y. Oh. & J. K. Hong. (2018). Vulnerability Case Analysis of Wireless Moving Vehicle. journal of the Korea convergence society , 9(8), 41-46. DOI:10.15207/JKCS.2018.9.8.041
  33. J. K. Cho. (2019). Study on Improvement of Vulnerability Diagnosis Items for PC Security Enhancement. Journal of Convergence for information Technology, 9(3), 1-7. DOI:10.22156/CS4SMB.2019.9.3.001
  34. O. H. Alhazmi. & Y. K. Malaiya. (2007).Measuring, Analyzing and Predicting Security Vulnerabilities in Software Systems. Computers&Security journal, 26(3), 219-228. DOI:10.1016/j.cose.2006.10.002