
Security-domain-based attack graph generation for industrial control systems

Tsinghua University, Furen Net (辅仁网) / 2017-07-07

Attack graph generation method based the security domain on industrial control systems
Dejin WANG (王得金)1, Changqing JIANG (江常青)2, Yong PENG (彭勇)2
1. University of International Relations, Beijing 100091, China
2. China Information Technology Security Evaluation Center, Beijing 100085, China

Abstract (translated from the Chinese): This paper applies attack graph techniques to industrial control systems (ICS) and, drawing on the structural characteristics of ICS networks, reduces the complexity of attack graph generation. Taking the ICS as the object of study and the lower-level devices (field controllers) as the attack target, it uses the hierarchical structure of ICS to introduce the concepts of host security domain and network security domain, partitions the system network into security domains so that the attack graph can be generated in a distributed fashion, and, based on that partition, uses the attack pattern (remote/local) and other factors to lower the generation complexity. Finally, the method is validated on a purpose-built experimental testbed; the results show that it improves attack graph generation efficiency and reduces the size of the attack graph.

Abstract: An attack graph technique is given for industrial control systems (ICS) that simplifies the complexity of attack graph generation based on the characteristics of the control system network structure. The characteristics of the control system's hierarchical structure were analyzed to develop a host security domain and a network security domain. The network is divided into security domains so that the attack patterns (remote/local) and other factors can be separated to reduce the complexity of the attack graph generation. Consequently, this method improves the generation efficiency and simplifies the attack graph scale. The method is tested in a virtual network environment.

Key words: industrial control systems (ICS); attack graph; security domain; risk assessment
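The domain-partitioned generation that the abstract describes, as an added illustration that is not the paper's code or algorithm: the eight hosts of the testbed table below are placed in three hierarchical zones, a node is a (host, privilege) pair, a local vulnerability only moves within a host domain, and a remote vulnerability only moves between hosts in the same or an adjacent network domain. The zone numbering, the privilege each CVE is assumed to yield, the one-way downward flow rule, and the attacker's entry foothold on PC1 are all assumptions of this example. A naive generator evaluates every vulnerability from every state; the partitioned generator enumerates only the candidates its domain rules allow, and the example checks that both produce the same graph while the partitioned one does less work.

```python
"""Toy security-domain-partitioned attack graph generator (added illustration,
not the paper's implementation).  A node is a (host, privilege) pair and an edge
is one vulnerability exploit; the local/remote attack pattern plus the host and
network domain of the current node decide which candidates are even tried."""
from collections import deque
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple

PRIV_RANK = {"none": 0, "user": 1, "root": 2}   # assumed privilege lattice


@dataclass(frozen=True)
class Vuln:
    cve: str
    host: str      # host the vulnerability sits on
    pattern: str   # "local" or "remote": the paper's attack-mode attribute
    gained: str    # privilege on `host` after exploitation (assumed per CVE)


# Constructed testbed modelled on the paper's host table.  Zone numbers and the
# privilege each CVE yields are assumptions made for this illustration.
ZONE_OF: Dict[str, int] = {
    "PC1": 2, "PC2": 2, "PC3": 2,              # user / office zone
    "OPS1": 3, "OPS2": 3, "ENG": 3,            # operator and engineer stations
    "PLC_SIEMENS": 4, "PLC_SCHNEIDER": 4,      # control zone (the attack target)
}
# Hierarchical ICS structure: traffic may only cross zone boundaries downward.
ALLOWED_FLOWS: Set[Tuple[int, int]] = {(2, 3), (3, 4)}

VULNS: List[Vuln] = (
    [Vuln("CVE-2008-4250", h, "remote", "user") for h in ("PC1", "PC2", "PC3")]
    + [Vuln("CVE-2011-4537", h, "remote", "user") for h in ("OPS1", "OPS2")]
    + [Vuln("CVE-2012-3015", "ENG", "remote", "user")]
    + [Vuln("CVE-2008-1083", h, "local", "root")
       for h in ("PC1", "PC2", "PC3", "OPS1", "OPS2", "ENG")]
    + [Vuln("CVE-2013-0659", "PLC_SIEMENS", "remote", "root"),
       Vuln("CVE-2011-4859", "PLC_SCHNEIDER", "remote", "root")]
)

State = Tuple[str, str]          # (host, privilege held on that host)
Edge = Tuple[State, str, State]  # (from, CVE used, to)


def reachable(src_host: str, dst_host: str) -> bool:
    """Network-domain rule: same zone, or an allowed zone-to-zone flow."""
    a, b = ZONE_OF[src_host], ZONE_OF[dst_host]
    return a == b or (a, b) in ALLOWED_FLOWS


def exploit(state: State, v: Vuln) -> Optional[State]:
    """Precondition check shared by both generators; the new state, or None."""
    host, priv = state
    if PRIV_RANK[priv] < PRIV_RANK["user"]:           # a foothold is required
        return None
    if v.pattern == "local":                           # host-domain transition
        if v.host != host or PRIV_RANK[v.gained] <= PRIV_RANK[priv]:
            return None
    elif v.host == host or not reachable(host, v.host):  # network-domain transition
        return None
    return (v.host, v.gained)


def candidates_naive(state: State) -> Iterable[Vuln]:
    """Conventional generation: try every vulnerability from every state."""
    return VULNS


def candidates_partitioned(state: State) -> Iterable[Vuln]:
    """Domain-based generation: only vulnerabilities the partition allows."""
    host, _ = state
    for v in VULNS:
        if v.pattern == "local":
            if v.host == host:                   # stay inside the host domain
                yield v
        elif reachable(host, v.host):            # same or adjacent network domain
            yield v


def generate(entry: State, candidates: Callable[[State], Iterable[Vuln]]
             ) -> Tuple[Set[State], Set[Edge], int]:
    """BFS over states; returns (states, edges, number of candidates evaluated)."""
    states, edges, evaluated = {entry}, set(), 0
    queue = deque([entry])
    while queue:
        s = queue.popleft()
        for v in candidates(s):
            evaluated += 1
            nxt = exploit(s, v)
            if nxt is None:
                continue
            edges.add((s, v.cve, nxt))
            if nxt not in states:
                states.add(nxt)
                queue.append(nxt)
    return states, edges, evaluated


def compare(entry: State = ("PC1", "user")) -> Dict[str, int]:
    """Both generators must agree on the graph; only the work done differs."""
    s1, e1, n1 = generate(entry, candidates_naive)
    s2, e2, n2 = generate(entry, candidates_partitioned)
    assert s1 == s2 and e1 == e2
    plc_root = sum(1 for h, p in s1 if h.startswith("PLC_") and p == "root")
    return {"states": len(s1), "edges": len(e1), "plc_root_states": plc_root,
            "evaluated_naive": n1, "evaluated_partitioned": n2}


if __name__ == "__main__":
    print(compare())
```

Running `compare()` on this constructed testbed gives the same 14 states and 62 edges from both generators, while the naive generator evaluates 196 (state, vulnerability) candidates and the partitioned one 82; the gap grows with the number of hosts and zones because a zone's local vulnerabilities and the remote vulnerabilities of unreachable zones are never touched. For a defender, the reachable root states on the two PLC nodes are the risk-assessment output: they mark the attack paths that zone separation and patching would have to cut.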
Received: 2013-12-01; Published online: 2015-04-16
Cite this article:
Dejin WANG, Changqing JIANG, Yong PENG. Attack graph generation method based the security domain on industrial control systems. Journal of Tsinghua University (Science and Technology), 2014, 54(1): 44-52.
Link to this article:
http://jst.tsinghuajournals.com/CN/Y2014/V54/I1/44


Figures and tables:
Structural relationship of attack graph elements
Typical network structure of an industrial control system
State transition graph within a host domain
State transition graph between host domains within a network domain
State transition graph between network domains
Algorithm logic within a host domain
Algorithm logic between host domains within a network domain
Algorithm logic between network domains
Structure of the ICS experimental testbed
Host | Installed software/firmware | Version | Vulnerabilities
User PC1 | Windows XP | 32-bit SP3 | CVE-2008-4250, CVE-2008-1083
User PC2 | Windows XP | 32-bit SP3 | CVE-2008-4250, CVE-2008-1083
User PC3 | Windows 2003 | 32-bit SP3 | CVE-2008-4250, CVE-2008-1083
Operator station 1 | Windows XP; Siemens WinCC | 32-bit SP2; below 7.2 | CVE-2011-4537, CVE-2008-1083
Operator station 2 | Windows XP; Siemens WinCC | 32-bit SP2; below 7.2 | CVE-2011-4537, CVE-2008-1083
Engineer station | Windows XP; Siemens Step7 | 32-bit SP2; 8.0 SP1 | CVE-2012-3015, CVE-2008-1083
Siemens PLC | Siemens CP 1604 / CP 1616 | firmware below 2.5.2 | CVE-2013-0659
Schneider PLC | Quantum 140NOE77101 | firmware 4.9 and earlier | CVE-2011-4859

Applications installed on the hosts and their vulnerabilities
Vulnerability ID | Description
CVE-2008-4250 | Windows XP (SP2, SP3) and Windows 2003 (SP1, SP2) contain a vulnerability that allows an attacker to execute arbitrary code by sending a crafted RPC request.
CVE-2008-1083 | The kernel of Windows XP (SP2) and Windows 2003 (SP1, SP2) contains a vulnerability that allows an attacker to gain elevated privileges by sending crafted packets.
CVE-2011-4537 | Buffer overflow in the RegReader ActiveX control of Siemens WinCC before 7.2, as used for example in SIMATIC PCS 7 before 8.0 SP1, allows remote attackers to execute arbitrary code via an overly long argument.
CVE-2012-3015 | DLL loading vulnerability in Siemens SIMATIC STEP 7 before 5.5 SP1, as used for example in SIMATIC PCS 7 7.1 SP3 and earlier, allows remote users to gain privileges.
CVE-2013-0659 | The debug feature of the Siemens CP 1604 and CP 1616 industrial Ethernet communication modules (firmware before 2.5.2) allows remote attackers to execute arbitrary code by sending crafted packets.
CVE-2011-4859 | Schneider Electric Modicon Quantum Ethernet modules contain a vulnerability that allows remote attackers to view the system configuration, execute arbitrary code, and more.

Vulnerability descriptions
Zone | Nodes | Vulnerabilities per node | local / remote vulnerabilities | Privilege levels | States
2# | 3 | 2 | 1/1 | 3 | 18
3# | 3 | 2 | 1/1 | 3 | 18
4# | 2 | 1 | 0/1 | 2 | 4

Number of nodes, vulnerabilities, privilege levels and states in each zone
State transition graph produced by the conventional attack graph algorithm
State transition graph produced by the security-domain-based attack graph algorithm




Related articles:
[1] Gang MA, Yuge DU, Jiang RONG, Jiarui GAN, Zhongzhi SHI, Bo AN. Security risk assessment of complex information systems based on threat propagation [J]. Journal of Tsinghua University (Science and Technology), 2014, 54(1): 35-43.