- 學位論文
工業控制系統的安全事件風險評估
Risk Assessment of Industrial Control System Security Incidents
摘要
隨著工業控制系統的應用範圍由封閉式以本地為範圍的工業環境擴展到與資訊網路相連的開放式長距離的各類智慧化環境的運作,安全機制的不足使得工業控制系的網路成為駭客攻擊的另一種目標,如何整合智慧化環境特性資訊以及由偵測網路安全事件的系統所提供的資訊即時評估各項網路安全事件對智慧化環境的風險,是維護智慧化環境安全運作的重要議題。在本研究中,我們提出一種風險評估的方法,考量資產設備的損害程度、威脅的緊急程度及弱點的嚴重性,建立安全風險評估平台,將偵測到的網路安全事件的風險數值化,讓管理者能夠即時注意到環境中需要被關注的風險事件。我們將方法實作於開源的資安事件管理平台,並以模擬的智慧化環境及相關的攻擊情境進行測試,驗證風險評估方法可行性。
並列摘要
With the use of industrial control system expanding from closed and localized industrial operation environment to open and distant smart application environment, it becomes another security attack target due to insufficient security mechanism available. It is important to develop a risk assessment method which can provide immediate quantitative risk evaluation result based on the characteristics of the environment in concern and security events detected in real time. In this study, we proposed a quantitative risk assessment measure using the damage degree of the impacts, the urgency of the threats and the severity of the vulnerabilities as the constituents. We developed a procedure to establish a risk assessment mechanism for an ICS system. With the risk assessment mechanism, administrators of ICS systems will be able to identify whether there is security risk in the system when a security event is detected.
參考文獻
延伸閱讀
- 劉康弘(2019)。高風險產業中的人為失誤與安全管理〔博士論文,國立清華大學〕。華藝線上圖書館。https://www.airitilibrary.com/Article/Detail?DocID=U0016-0206202016155464
- 林政憲(2012)。製程安全評估中風險矩陣的效應〔碩士論文,長榮大學〕。華藝線上圖書館。https://doi.org/10.6833/CJCU.2012.00085
- 陳俊瑜、張國基(2007)。高科技產業程風險控制與本質較安全設計應用。化工,54(3),33-48。https://doi.org/10.29803/CE.200706.0005
- 張興容﹔王小群(2002)。淺述工業企業常用的安全評價方法。工業安全衛生,(161),47-53。https://doi.org/10.6311/ISHM.200211_(161).0009
- Chang, G. A. (2002). A Productivity Assessment and Control System for Concurrent Engineering. 中華管理學報, 3(1), 1-26. https://doi.org/10.30053/CHJM.200203.0001