信息安全标准体系研究
|
摘要
随着工控系统信息安全事件日趋增多,核电厂数字化仪控系统的信息安全也逐渐受到重视,已经成为核安全的重要组成部分。信息安全标准是信息安全工作的重要依据。因此,开展信息安全标准研究是核电厂数字化仪控系统信息安全工作的基础。从核电厂数字化仪控系统的特点出发,分别对国内标准、美联邦导则标准和国际电工委员会标准三个体系进行对比分析,介绍了工控系统和核设施信息系统信息安全标准的体系结构和总体要求,总结了三个标准体系各自的优缺点,并分别给出了标准在工程应用的参考建议。最后,对核电厂数字化仪控系统参考的国内外主流信息安全标准进行了总结分析,从工程应用的角度提出了标准的使用方法,为核电厂DCS信息安全研究提供了重要参考。
With the increasing number of information security incidents in industrial control systems,the information security of digital instrument control systems in nuclear power plants is also gradually gaining importance; and has been the important part of nuclear safety.The information security standards are the important basis for information security work.Therefore,the research on information security standards is the foundation of information security works on DCS system of nuclear power plant.Starting from the characteristics of the digital instrument control system of nuclear power plants,comparative analysis of domestic standards,US federal guidelines and international electrotechnical commission standards are performed respectively.The architecture and general requirements of the information security standards for industrial control systems and nuclear facility information systems are introduced,and the advantages and disadvantages of each of the three standard systems are summarized,as well as the reference recommendations for standards in engineering applications are given.Finally,the domestic and international mainstream information security standards referenced by the digital instrument control system of nuclear power plants are summarized and analyzed.From the perspective of engineering application,the use method of the standards is proposed,which provides an important reference for the information security research of DCS system in nuclear power plants.
With the increasing number of information security incidents in industrial control systems,the information security of digital instrument control systems in nuclear power plants is also gradually gaining importance; and has been the important part of nuclear safety.The information security standards are the important basis for information security work.Therefore,the research on information security standards is the foundation of information security works on DCS system of nuclear power plant.Starting from the characteristics of the digital instrument control system of nuclear power plants,comparative analysis of domestic standards,US federal guidelines and international electrotechnical commission standards are performed respectively.The architecture and general requirements of the information security standards for industrial control systems and nuclear facility information systems are introduced,and the advantages and disadvantages of each of the three standard systems are summarized,as well as the reference recommendations for standards in engineering applications are given.Finally,the domestic and international mainstream information security standards referenced by the digital instrument control system of nuclear power plants are summarized and analyzed.From the perspective of engineering application,the use method of the standards is proposed,which provides an important reference for the information security research of DCS system in nuclear power plants.
引文
[1]全国信息安全标准化委员会.计算机信息系统安全等级保护划分准则:GB 17859[S].1999.
[2]全国信息安全标准化委员会.信息系统安全管理要求:GB/T20269[S].2006.
[3]全国信息安全标准化委员会.信息系统通用安全技术要求:GB/T20271[S].2006.
[4]全国信息安全标准化委员会.信息安全技术网络基础安全技术要求:GBT 20270[S].2006.
[5]全国信息安全标准化委员会.信息安全技术操作系统安全技术要求:GB/T20272[S].2006.
[6]全国信息安全标准化委员会.信息安全技术数据库管理系统安全技术要求:GB/T20273[S].2006.
[7]全国信息安全标准化委员会.信息系统安全等级保护实施指南:GB/T25058[S].2010.
[8]全国信息安全标准化委员会.信息系统安全保护等级定级指南:GB/T22240[S].2008.
[9]全国信息安全标准化委员会.信息系统安全等级保护基本要求:GB/T22239[S].2008.
[10]全国信息安全标准化委员会.信息安全技术信息系统安全等级保护测评要求:GB/T28448[S].2012.
[11]全国信息安全标准化委员会.信息安全技术信息系统安全等级保护测评过程指南:GB/T28449[S].2012.
[12]全国信息安全标准化委员会.工业控制系统信息安全:GB/T30976[S].2014.
[13]全国信息安全标准化委员会.工业自动化和控制系统网络安全:GB/T33009[S].2016.
[14]U.S.nuclear regulatory commission.Requirements for security programmes for computer-based systems:RG 5.71[S].2010.
[15]U.S.nuclear regulatory commission.Criteria for use of computers in safety systems of nuclear power plants:RG1.152[S].2006.
[16]National institute of standards and technology.Recommended security control for federal information system and organization:NISTSP800-53[S].2009.
[17]National institute of standards and technology.Guide to industrial control systems(ICS)security:NIST SP800-82[S].2011.
[18]U.S.nuclear regulatory commission.Protection of digital computer and communication systems and networks:10 CFR 73.54[S].2010.
[19]International electrotechnical commission.Industrial communication networks.Network and system security:IEC 62443[S],2013.
[20]International electrotechnical commission.Nuclear power plantsInstrumentation and control for systems important to safety-general requirements for systems:IEC 61513[S].2001.
[21]International electrotechnical commission.Nuclear power plantsInstrumentation and control systems-Requirements for security programmes for computer-based systems:IEC 62645[S].2014.
[22]International electrotechnical commission.Requirement for coordinating safety and cybersecurity:IEC62859[S].2016.
[2]全国信息安全标准化委员会.信息系统安全管理要求:GB/T20269[S].2006.
[3]全国信息安全标准化委员会.信息系统通用安全技术要求:GB/T20271[S].2006.
[4]全国信息安全标准化委员会.信息安全技术网络基础安全技术要求:GBT 20270[S].2006.
[5]全国信息安全标准化委员会.信息安全技术操作系统安全技术要求:GB/T20272[S].2006.
[6]全国信息安全标准化委员会.信息安全技术数据库管理系统安全技术要求:GB/T20273[S].2006.
[7]全国信息安全标准化委员会.信息系统安全等级保护实施指南:GB/T25058[S].2010.
[8]全国信息安全标准化委员会.信息系统安全保护等级定级指南:GB/T22240[S].2008.
[9]全国信息安全标准化委员会.信息系统安全等级保护基本要求:GB/T22239[S].2008.
[10]全国信息安全标准化委员会.信息安全技术信息系统安全等级保护测评要求:GB/T28448[S].2012.
[11]全国信息安全标准化委员会.信息安全技术信息系统安全等级保护测评过程指南:GB/T28449[S].2012.
[12]全国信息安全标准化委员会.工业控制系统信息安全:GB/T30976[S].2014.
[13]全国信息安全标准化委员会.工业自动化和控制系统网络安全:GB/T33009[S].2016.
[14]U.S.nuclear regulatory commission.Requirements for security programmes for computer-based systems:RG 5.71[S].2010.
[15]U.S.nuclear regulatory commission.Criteria for use of computers in safety systems of nuclear power plants:RG1.152[S].2006.
[16]National institute of standards and technology.Recommended security control for federal information system and organization:NISTSP800-53[S].2009.
[17]National institute of standards and technology.Guide to industrial control systems(ICS)security:NIST SP800-82[S].2011.
[18]U.S.nuclear regulatory commission.Protection of digital computer and communication systems and networks:10 CFR 73.54[S].2010.
[19]International electrotechnical commission.Industrial communication networks.Network and system security:IEC 62443[S],2013.
[20]International electrotechnical commission.Nuclear power plantsInstrumentation and control for systems important to safety-general requirements for systems:IEC 61513[S].2001.
[21]International electrotechnical commission.Nuclear power plantsInstrumentation and control systems-Requirements for security programmes for computer-based systems:IEC 62645[S].2014.
[22]International electrotechnical commission.Requirement for coordinating safety and cybersecurity:IEC62859[S].2016.