A Study on ICS/SCADA System Web Vulnerability

Current Status and Study of Web Vulnerabilities in Control Systems

  • Kim, Hee-Hyun (Department of Business Administration, Sangmyung University)
  • Yoo, Jinho (Department of Business Administration, Sangmyung University)
  • Received : 2018.11.29
  • Accepted : 2019.02.08
  • Published : 2019.05.31

Abstract

In the past, control systems ran on closed networks that were not connected to any external network, which in itself assured their security. In recent years, however, many have been connected to the outside for convenience of management, and a growing number of control systems in operation are described as closed networks yet have at least one point of contact with the Internet. This external connectivity lets attackers make a variety of attack attempts against control systems, so it is natural that these systems are exposed to various security threats and have become targets of attack. Most externally connected industrial control systems expose web services or ports for remote management, and because the expansion of web services through web programs applies to control systems as well, they inherit common web vulnerabilities unchanged. In this study, we classify and compare existing web vulnerability items in order to derive the web hacking attacks most commonly attempted against control systems from the attacker's point of view. From this we select the essential web vulnerabilities for control systems, and we also review and check whether any vulnerabilities are missing.

Keywords
