摘要
随着《信息安全技术信息系统安全等级保护基本要求》(GB/T 22239-2019)的发布,工业控制系统信息安全问题越来越受到人们的重视。发电厂在传统的数字化堆场改造过程中,常常忽略了工控网络安全这个问题,通常认为网络隔离就安全了。然而事实并非如此。以数字化堆场中的斗轮机通信改造项目为例,简述了工业控制系统网络信息安全的当前形势和现状,分析了斗轮机改造过程中存在的网络安全隐患。针对这次斗轮机通信网络改造过程中发现的问题,进行了一次模拟渗透测试,发现了斗轮机通信系统存在的安全风险,验证了系统存在的风险和漏洞。根据《信息安全技术信息系统安全等级保护基本要求》(GB/T 22239-2019),提出了相应的安全防护建议。经过渗透测试,系统的安全性得到提高。但是工控网络安全体系的建设仍然任重道远。
With the release of the“Basic Requirements for the Security Level Protection of Information Security Technology Information Systems”(GB/T 22239-2019),the information security issues of industrial control systems have received more and more attention.In the process of digital yard reconstruction,the problem of industrial control network security is often neglected.It is generally considered that network isolation is safe,but this is not the case.Takeing the bucket turbine communication transformation project in the digital yard as an example,the current situation of network information security of industrial control system is briefly introduced,and the network security risks existing in the process of bucket turbine transformation are analysed.Aiming at the problems found in the process of the reconstruction of the fighting turbine communication network,a simulation penetration test was carried out,and the safety risks of the turbine communication system were found,and the risks and vulnerabilities of the system were verified.According to the“Information Security Technology Information System Security Level Protection Basic Requirements”(GB/T 22239-2019),the corresponding security protection recommendations are proposed.Through penetration test,the security of the system is improved.But the construction of industrial control network security system is still a long-term,arduous task.
作者
闫怀超
YAN Huaichao(Shanghai Institute of Process Automation & Instrumentation Co. ,Ltd. ,Shanghai 200233,China)
出处
《自动化仪表》
CAS
2020年第6期13-16,共4页
Process Automation Instrumentation
基金
上海市2018年度“科技创新行动计划”高新技术领域基金资助项目(18511106000)
2018年工信部工业互联网创新发展工程“典型行业工业互联网企业级集中化安全监督测平台建设”基金资助项目。
关键词
渗透测试
网络安全
工业控制系统
斗轮机
等级保护
无线通信
数字化堆场
安全防护
Penetration testing
Cyber security
Industrial control systems
Bucket turbines
Grade protection
Wireless communication
Digital yard
Security protection
