
CN105045251B - The demand analysis of industrial control system functional safety and information security and fusion method - Google Patents


Info

Publication number: CN105045251B
Authority: CN (China)
Application number: CN201510276161.8A
Other languages: Chinese (zh)
Other versions: CN105045251A
Prior art keywords: security, requirements, assets, information security, functional safety
Inventors: 周纯杰, 黄双, 秦元庆, 张琦, 李璇
Current assignee: Huazhong University of Science and Technology
Original assignee: Huazhong University of Science and Technology
Legal status: Active (Google's assumption, not a legal conclusion)


Classifications

    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B23/00 Testing or monitoring of control systems or parts thereof
    • G05B23/02 Electric testing or monitoring
    • G05B23/0205 Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults
    • G05B23/0259 Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults characterized by the response to fault detection


Abstract

The invention discloses a requirement analysis and fusion method for the functional safety and information security of industrial control systems. It comprises: analysing the assets in the system, clarifying their related attributes and forming a system asset inventory; determining the likelihood of hazardous events from the correlation between system assets and hazardous events; determining which hazardous events require further functional safety assurance measures, and hence the system's functional safety requirement set; analysing the inherent vulnerabilities of the assets, the information security threats they may face and the corresponding protective measures; determining which system assets need strengthened protection and hence the information security protection measures for the assets, the protection measures required by all assets forming the system's information security requirement set; reconciling conflicts between the functional safety requirement set and the information security requirement set to obtain the overall system security requirement set; and optimising the overall system security requirement set according to the implementation cost of each security measure together with the overall cost constraint of the system.

Description

Requirement analysis and fusion method for functional safety and information security of industrial control systems

Technical field

The invention relates to the field of safety control of industrial control systems, and more specifically to a requirement analysis and fusion method for the functional safety and information security of industrial control systems.

Background

Industrial control systems are production and operation systems; they are the brain and central nervous system of national critical infrastructure and of every kind of industrial production, so ensuring their safe operation is essential. Analysing the security protection requirements of an industrial control system is the premise and foundation for ensuring its safe operation.

In industrial control systems, functional safety is an important aspect of safety control. In the IEC61508 standard, functional safety mainly concerns E/E/PE-related equipment and control systems, and aims to prevent the controlled object or process, or other related systems, from giving rise to unacceptable risk that leads to economic loss, casualties or environmental pollution when the system faults or fails. The wide application of information and communication technology in industrial control systems has greatly reduced design and maintenance costs and improved system performance, but it has also introduced information security problems into industrial control systems, and information security has become another important aspect of industrial control system safety control. The two kinds of security are not independent and unrelated; they influence each other and are closely linked. From the perspective of protection, information security protection strategies may increase the functional safety risk of a system, and functional safety assurance measures may introduce new information security vulnerabilities into it; at the same time, in some situations the two also reinforce each other. Overall, functional safety assurance and information security protection share the same general goal, namely ensuring safe and stable operation of the system, but their specific emphases differ. Functional safety emphasises that the system does not cause asset loss, casualties or environmental pollution during operation, and considers the risk that random faults and failures of the system pose to the outside world. Information security emphasises that malicious attacks do not interfere with the normal operation of the system, and considers the risk that malicious intrusions and attacks pose within the system.

The functional safety standard IEC61508 specifies the functional safety protection steps for industrial control systems, and the parts of IEC62443 published so far also broadly clarify the process of information security protection for industrial control systems. However, most of these standards consider only one side of security, and the security-related knowledge they involve is highly specialised, with too high an entry threshold. At present, research that considers the functional safety and information security of industrial control systems together mostly concentrates on distinguishing the concepts and relationship of the two; no effective solution has yet been proposed for the analysis and fusion of their combined security requirements.

Invention patent application CN201210186363.X discloses a "software security requirement analysis method based on system assets": after the system assets are determined, systematic and authoritative analysis results (including the threats corresponding to the assets, attack patterns, and CC-standard security functional components for mitigating the threats) are obtained semi-automatically from a pre-built system asset library, and the security profile specification is finally completed from these results. Granted invention patent CN201110208744.9 discloses a "level-driven security requirement analysis method", in which the security functional components selected according to threats are filtered according to the security requirement level the user specifies for the system; security requirement analysts then consider the specific technologies and security policies and describe the finally selected security functional components as a security profile specification. These patents belong to the IT field and consider information security only.

These similarities and differences between functional safety and information security mean that, when system security requirements are analysed, some requirements are mutually redundant or contradictory and must be fused to obtain a consistent set of system security requirements. At present there is no method, at home or abroad, for the combined analysis and fusion of the functional safety and information security requirements of industrial control systems.

Summary of the invention

The purpose of the present invention is to provide a method for analysing and fusing the functional safety and information security requirements of industrial control systems. The method provides a fast and complete process for obtaining security requirements for the safety control and protection (functional safety and information security combined) of industrial control systems, reduces the difficulty and cost of developing security requirements, and improves the overall security capability of the system.

The invention provides a requirement analysis and fusion method for functional safety and information security in an industrial control system, comprising the following steps:

Step (1): Analyse the assets in the system, clarify their related attributes and form a system asset inventory. The specific process is:

(1.1) Collect, analyse and organise the system's design documents, specification documents and use-case diagrams;

(1.2) Analyse the system's functions, data, software and hardware resources and the personnel involved in its operation; classify the system's assets into information assets, software assets, physical assets, services, personnel and intangible assets; and determine the attributes of each asset, including asset name, quantity, location, random failure probability, the hazardous events that a failure of the asset may cause, the importance of the asset and the inherent vulnerabilities of the asset. Asset importance may be divided into five levels: very important (VI), important (I), general (GI), unimportant (UI) and very unimportant (VUI). Finally, the system asset inventory is formed.

Step (2): On the basis of the system asset inventory, analyse the hazardous events that failures of system assets may cause, evaluate their consequences, and determine the likelihood of each hazardous event from the correlation between system assets and hazardous events. The specific process is:

(2.1) From the system asset inventory and the hazardous events each asset may cause, determine the set of hazardous events that may occur in the system.

(2.2) For each hazardous event in the set, evaluate the consequences of its occurrence with a fuzzy comprehensive evaluation method based on expert assessment results.

(2.3) From the dependencies among system assets, combined with the failure probabilities of the assets, determine the probability of occurrence of each hazard in the hazardous event set.

Step (3): From the results of the hazardous event analysis, evaluate the potential functional safety risk and, taking into account the industry's risk tolerance for the system, determine which hazardous events require further functional safety assurance measures, and hence the functional safety protection requirements of the system (the functional safety requirements). The specific process is:

(3.1) Evaluate the functional safety risk of each hazardous event from the consequences of the event and its probability of occurrence;

(3.2) Considering the countermeasures available for each hazardous event, judge from its functional safety risk level whether a corresponding functional safety assurance measure must be applied to reduce or eliminate the risk;

(3.3) Combine the functional safety assurance measures required by the whole system to form the system's functional safety requirement set R_safety.

Step (4): From the system's assets, analyse the inherent vulnerabilities of the assets, the information security threats they may face and the corresponding protective measures. The specific process is:

(4.1) For each asset in the inventory, based on its inherent vulnerabilities, analyse the list of threats it may face and all available protective measures.

(4.2) Analyse the inherent vulnerabilities of the assets and the information security threats they may face, and, using industry historical data and expert assessment data, judge by a fuzzy evaluation method the probability that each vulnerability may be exploited by a threat.

Step (5): From the importance level of each asset and the likelihood that its vulnerabilities are exploited, evaluate the asset's information security risk level with a fuzzy evaluation method; combined with the information security risk level the system can tolerate, determine which system assets need strengthened protection and hence the information security protection measures for the assets. The protection measures required by all assets form the system's information security protection requirements (the information security requirement set). The specific process is:

(5.1) Fuzzify the exploitation probability of each vulnerability in the asset's vulnerability list to obtain the corresponding fuzzy vector.

(5.2) Obtain the asset's degree of importance in the system from the system asset list (as shown in Table 1, divided into three levels) and likewise fuzzify it to obtain the corresponding fuzzy vector.

(5.3) Divide information security risk into levels according to industry or system requirements, for example the three levels high (HR), medium (MR) and low (LR).

(5.4) Design the membership degree matrix for the fuzzy evaluation of the system's information security risk. Then combine the fuzzy vector of asset importance with the fuzzy vector of the likelihood that the corresponding vulnerability is exploited to compute the risk fuzzy vector of that vulnerability, and obtain the vulnerability's risk level by defuzzifying the vector.

(5.5) From the tolerance of the system's assets to information security risk, judge whether the vulnerability needs protection and, if so, specify the protective measure.

(5.6) Complete the evaluation and protection of all vulnerabilities of all assets according to (5.1) to (5.5) above. Combine the information security protection measures of the whole system to form the system's information security requirement set R_security.
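As an added illustration (not part of the patent), the following Python carries steps (5.1) to (5.5) through for one asset. The triangular membership functions, the rule matrix standing in for the membership degree matrix of (5.4), maximum-membership defuzzification and the sample asset are all assumptions; the patent leaves these to the system designer.

```python
from __future__ import annotations

from dataclasses import dataclass, field

LEVELS = ("LR", "MR", "HR")   # risk levels of step (5.3), lowest first


def fuzzify(score: float) -> tuple[float, float, float]:
    """Map a crisp score in [0, 1] to membership degrees (low, medium, high).

    Assumed triangular membership functions: 'low' peaks at 0, 'medium' at 0.5,
    'high' at 1, and each falls to zero at the neighbouring peak.
    """
    if not 0.0 <= score <= 1.0:
        raise ValueError(f"score out of range: {score}")
    low = max(0.0, 1.0 - 2.0 * score)
    medium = max(0.0, 1.0 - 2.0 * abs(score - 0.5))
    high = max(0.0, 2.0 * score - 1.0)
    return (low, medium, high)


# Assumed membership-degree (rule) matrix of step (5.4): rows are the asset
# importance grade (low, medium, high), columns the exploit-likelihood grade.
RULES = (
    ("LR", "LR", "MR"),
    ("LR", "MR", "HR"),
    ("MR", "HR", "HR"),
)


def risk_vector(importance: tuple, exploit: tuple) -> dict[str, float]:
    """Max-min inference: each rule fires with min(); rules for one level aggregate with max()."""
    vec = {lvl: 0.0 for lvl in LEVELS}
    for i, imp_mu in enumerate(importance):
        for j, exp_mu in enumerate(exploit):
            lvl = RULES[i][j]
            vec[lvl] = max(vec[lvl], min(imp_mu, exp_mu))
    return vec


def defuzzify(vec: dict[str, float]) -> str:
    """Maximum-membership defuzzification; a tie resolves to the higher risk level."""
    best = LEVELS[0]
    for lvl in LEVELS:
        if vec[lvl] >= vec[best]:
            best = lvl
    return best


@dataclass
class Vulnerability:
    name: str
    exploit_probability: float   # likelihood of exploitation from step (4.2)
    measure: str                 # protective measure available from step (4.1)


@dataclass
class Asset:
    name: str
    importance: float            # expert importance score in [0, 1] from the asset inventory
    tolerated: str               # highest risk level the asset may carry without extra protection
    vulnerabilities: list[Vulnerability] = field(default_factory=list)


def evaluate(asset: Asset) -> dict[str, tuple[str, str | None]]:
    """Steps (5.1)-(5.5) for one asset: {vulnerability name: (risk level, measure or None)}."""
    imp_vec = fuzzify(asset.importance)                        # (5.2)
    result = {}
    for vuln in asset.vulnerabilities:
        exp_vec = fuzzify(vuln.exploit_probability)            # (5.1)
        level = defuzzify(risk_vector(imp_vec, exp_vec))       # (5.4)
        needs_protection = LEVELS.index(level) > LEVELS.index(asset.tolerated)   # (5.5)
        result[vuln.name] = (level, vuln.measure if needs_protection else None)
    return result


# Constructed sample asset: a controller of high importance with two vulnerabilities.
PLC = Asset("PLC-1", importance=0.8, tolerated="MR", vulnerabilities=[
    Vulnerability("unauthenticated engineering protocol", 0.3, "protocol authentication"),
    Vulnerability("outdated HMI client library", 0.1, "patch management"),
])

if __name__ == "__main__":
    for name, (level, measure) in evaluate(PLC).items():
        print(f"{name}: risk {level}, measure: {measure or 'none required'}")
```

With the sample values the first vulnerability is rated HR and receives its measure, while the second is rated MR, within the asset's tolerance, and receives none.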

Step (6): Reconcile conflicts between the functional safety requirement set R_safety obtained in step (3) and the information security requirement set R_security obtained in step (5), fusing the two kinds of security requirements by a qualitative method to obtain the overall system security requirement set R_system. The specific process is:

(6.1) Classify the functional safety requirement set and the information security requirement set into "prevention", "detection" and "response" classes. Prevention requirements are those corresponding to measures that play a preventive role in functional safety assurance or information security protection; detection requirements are those corresponding to real-time detection (fault detection and intrusion detection) in functional safety assurance or information security protection; response requirements are those corresponding to the targeted response of the system after a problem (a fault or an intrusion) has been detected in functional safety assurance or information security protection.

(6.2) For prevention requirements in the functional safety requirement set and the information security requirement set that do not overlap, add them directly to the overall system security requirement set R_system. Where they overlap, the information security requirement prevails for prevention requirements at the upper layer and the functional safety requirement prevails for prevention requirements at the lower layer; remove the conflicting requirements and then merge the rest into R_system.

(6.3) For detection requirements in the functional safety requirement set and the information security requirement set that do not overlap, add them directly to R_system; for overlapping detection requirements, fuse them by taking the union (that is, detect as comprehensively as possible) and then add them to R_system.

(6.4) For the response requirements in the functional safety requirement set and the information security requirement set, a finer-grained fusion is needed. First analyse the various response requirements in the two sets and, in the light of the actual situation of the system, formulate a conflict resolution strategy for each requirement in turn. For example, for a safety-critical system the conflict resolution strategy may be formulated as: "when requirements in the sets R_safety-r and R_security-r conflict, the requirement in R_safety-r prevails and the conflicting requirement in R_security-r is deleted"; the strategy may also be formulated by comparing the magnitude of the functional safety risk and the information security risk faced by the assets involved in the conflicting requirements. Then compare the response requirements of the functional safety requirement set and the information security requirement set one by one: those without conflict are added directly to R_system; those with conflict are resolved according to the formulated conflict resolution strategy and then merged into R_system. The conflict resolution strategy must be formulated from the specific circumstances of the response requirements and the specific application of the system.
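The fusion rules of (6.2) to (6.4) as executable code, added here as an illustration rather than taken from the patent. It assumes a simple requirement record (target, layer, monitored signals, response action, risk level), that "overlap" means two requirements share a target, and that each source has at most one requirement per target; the two response-conflict policies follow the patent's two worded strategies.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Requirement:
    rid: str
    source: str                  # "safety" (from R_safety) or "security" (from R_security)
    cls: str                     # "prevention", "detection" or "response", per (6.1)
    target: str                  # what the requirement protects; equal targets mean overlap
    layer: str = ""              # prevention: "upper" (supervisory) or "lower" (field/control)
    signals: frozenset = frozenset()   # detection: conditions the requirement monitors
    action: str = ""             # response: what the system does once a fault/intrusion is detected
    risk: int = 0                # response: level of the risk addressed (1 low .. 3 high)


def _by_target(reqs, cls):
    """Group one class of requirements by target: {target: {source: requirement}}.
    Assumes at most one requirement per source and target."""
    groups = defaultdict(dict)
    for r in reqs:
        if r.cls == cls:
            groups[r.target][r.source] = r
    return groups


def fuse_prevention(reqs):
    """Step (6.2): no overlap -> add; overlap -> security wins at the upper layer, safety at the lower."""
    out = []
    for by_src in _by_target(reqs, "prevention").values():
        if len(by_src) == 1:
            out.extend(by_src.values())
        else:
            winner = "security" if by_src["safety"].layer == "upper" else "safety"
            out.append(by_src[winner])
    return out


def fuse_detection(reqs):
    """Step (6.3): overlapping detection requirements are merged by taking the union of their signals."""
    out = []
    for target, by_src in _by_target(reqs, "detection").items():
        if len(by_src) == 1:
            out.extend(by_src.values())
        else:
            s, t = by_src["safety"], by_src["security"]
            out.append(Requirement(rid=f"{s.rid}+{t.rid}", source="system", cls="detection",
                                   target=target, signals=s.signals | t.signals))
    return out


def fuse_response(reqs, policy="safety_first"):
    """Step (6.4): conflicting responses are settled by the chosen conflict resolution strategy.

    "safety_first": the R_safety requirement prevails (the patent's safety-critical example).
    "risk": the requirement addressing the higher risk prevails, safety on a tie.
    """
    out = []
    for by_src in _by_target(reqs, "response").values():
        if len(by_src) == 1:
            out.extend(by_src.values())
            continue
        s, t = by_src["safety"], by_src["security"]
        if s.action == t.action:            # no conflict: both go in directly
            out.extend([s, t])
        elif policy == "safety_first":
            out.append(s)
        elif policy == "risk":
            out.append(t if t.risk > s.risk else s)
        else:
            raise ValueError(f"unknown policy: {policy}")
    return out


def fuse(r_safety, r_security, policy="safety_first"):
    """Build R_system from R_safety and R_security."""
    reqs = list(r_safety) + list(r_security)
    return fuse_prevention(reqs) + fuse_detection(reqs) + fuse_response(reqs, policy)


# Constructed sample requirement sets for a pump control loop.
R_SAFETY = [
    Requirement("S1", "safety", "prevention", "field bus", layer="lower"),
    Requirement("S2", "safety", "prevention", "operator station", layer="upper"),
    Requirement("S3", "safety", "detection", "pump controller",
                signals=frozenset({"sensor out of range", "heartbeat missed"})),
    Requirement("S4", "safety", "response", "pump controller", action="trip pump to safe state", risk=2),
]
R_SECURITY = [
    Requirement("T1", "security", "prevention", "field bus", layer="lower"),
    Requirement("T2", "security", "prevention", "operator station", layer="upper"),
    Requirement("T3", "security", "prevention", "remote access gateway", layer="upper"),
    Requirement("T4", "security", "detection", "pump controller",
                signals=frozenset({"unexpected write to setpoint register", "heartbeat missed"})),
    Requirement("T5", "security", "response", "pump controller", action="isolate controller from network", risk=3),
]

if __name__ == "__main__":
    for r in fuse(R_SAFETY, R_SECURITY):
        print(r.rid, r.cls, r.target)
```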

Step (7): From the implementation cost of each security measure, combined with the overall cost constraint of the system, optimise the overall system security requirement set. The specific process is:

(7.1) For each security requirement in the overall system security requirement set, analyse the risk it addresses and list all security measures that can mitigate that risk (that is, measures that provide the same type of protection); these form one security measure set. For each security measure set, evaluate the implementation cost of its measures. The implementation cost of a security measure is the additional price the system must pay to implement it; here it is measured by two indicators, computation and communication. The computation cost is obtained by combining expert knowledge with rough estimation; the communication cost is the number of additional communication bytes the measure requires, which can be determined directly from the specific measure.

(7.2) From the system's design specification, obtain the total cost constraint for system security protection (functional safety and information security together), that is, the maximum the system can pay for functional safety assurance and information security protection, including the total computation cost and the total communication cost.

(7.3) Under the system's total cost constraint, and using the implementation cost of each measure in each security measure set, optimise the overall system security requirement set R_system. (a) First, sort the overall system security requirement set obtained in step (6) from low to high by the risk level each requirement addresses. (b) From the implementation costs of the security measures, compute the total implementation cost of the whole requirement set; if it does not exceed the total cost constraint for system security protection, the optimisation is complete; if it exceeds the constraint, continue. (c) First judge whether all requirements in R_system have been processed. If they have, then under the current total cost constraint no system security requirements can be designed that meet the risk level required by the system or the industry; the total cost constraint must be revised and the system security requirements redesigned. If not, take the next requirement in order and, from its security measure set, select a security measure with a lower cost than the measure currently selected for that requirement, as the modified result of the requirement; then continue. (d) Using steps (3) and (5), judge whether the modified requirement still satisfies the risk requirement of the corresponding asset; if it does, go to (b); if it does not, go to (c).
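An added worked implementation of (7.3)(a) to (d), not the patent's own code. It assumes cost is the pair (computation units, communication bytes) of (7.1) and that a measure is "cheaper" only if it costs no more on both indicators; the re-check against steps (3) and (5) in (d) is stood in for by a precomputed residual risk level per measure, and each requirement is visited once, taking the first cheaper measure in its set that still meets the asset's risk requirement.

```python
from __future__ import annotations

import copy
from dataclasses import dataclass


@dataclass(frozen=True)
class Measure:
    name: str
    compute: int     # computation cost, abstract units from expert estimation (7.1)
    comm: int        # extra communication bytes the measure adds (7.1)
    residual: int    # risk level left once the measure is applied (1 low .. 3 high);
                     # assumed precomputed stand-in for re-running steps (3)/(5) in (d)


@dataclass
class CostedRequirement:
    rid: str
    risk: int            # risk level the requirement addresses (sort key of (a))
    tolerated: int       # highest residual risk the asset accepts
    candidates: tuple    # security measure set from (7.1); index 0 is the measure chosen in step (6)
    selected: int = 0


def total_cost(reqs) -> tuple[int, int]:
    """(total computation cost, total communication bytes) of the currently selected measures."""
    chosen = [r.candidates[r.selected] for r in reqs]
    return sum(m.compute for m in chosen), sum(m.comm for m in chosen)


def within(total, budget) -> bool:
    return total[0] <= budget[0] and total[1] <= budget[1]


def cheaper(a: Measure, b: Measure) -> bool:
    """a costs no more than b on both indicators and strictly less on at least one."""
    return a.compute <= b.compute and a.comm <= b.comm and (a.compute, a.comm) != (b.compute, b.comm)


def optimise(reqs, budget):
    """Steps (7.3)(a)-(d). Returns {rid: measure name}, or None when the budget cannot be met
    (the case in (c) where the total cost constraint itself must be revised)."""
    order = sorted((copy.copy(r) for r in reqs), key=lambda r: r.risk)   # (a) lowest risk first
    pending = list(order)
    while not within(total_cost(order), budget):          # (b)
        if not pending:                                   # (c) every requirement already processed
            return None
        req = pending.pop(0)                              # (c) next requirement in order
        current = req.candidates[req.selected]
        for idx, cand in enumerate(req.candidates):
            if cheaper(cand, current) and cand.residual <= req.tolerated:   # (c) cheaper, (d) still safe
                req.selected = idx
                break                                     # (d) satisfied -> back to (b)
    return {r.rid: r.candidates[r.selected].name for r in order}


# Constructed sample R_system with one measure set per requirement (strongest measure first).
SAMPLE = [
    CostedRequirement("R3", risk=3, tolerated=1, candidates=(
        Measure("2oo3 sensors with SIL trip", 10, 48, 1),
        Measure("single sensor trip", 4, 16, 2),
    )),
    CostedRequirement("R1", risk=1, tolerated=2, candidates=(
        Measure("hardware-token MFA", 8, 64, 1),
        Measure("password policy", 1, 0, 2),
        Measure("no access control", 0, 0, 3),
    )),
    CostedRequirement("R2", risk=2, tolerated=2, candidates=(
        Measure("HMAC on every write", 6, 32, 1),
        Measure("HMAC on setpoint writes only", 3, 32, 2),
        Measure("plaintext writes", 0, 0, 3),
    )),
]

if __name__ == "__main__":
    print(optimise(SAMPLE, budget=(14, 100)))
```

Tightening the budget first downgrades the low-risk access-control requirement, then the setpoint-integrity requirement, and never the high-risk trip, whose only cheaper measure fails the residual-risk check; a budget below what that leaves returns None.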

Compared with the prior art, the present invention aims to protect both the functional safety and the information security of industrial control systems, and overcomes the defect that existing security requirement analysis methods consider only one kind of security when applied to industrial control systems. The invention considers functional safety and information security together when analysing the security requirements of an industrial control system, and fuses, coordinates and optimises the two kinds of security at the requirement level, so that the security requirements guarantee the overall security of the system while satisfying the system's cost constraint. The expected beneficial effects include:

1. At the requirement level, considering the functional safety and information security of the industrial control system together ensures that the two kinds of security in the system's safety control are mutually coordinated, avoids conflicts and redundancy in the overall system security requirements, and lays a foundation for effectively improving the overall security of the system.

2. Functional safety requirements and information security requirements are classified by their action on and effect on the system, and requirements of the same type are fused by a quantitative method, which improves the efficiency of requirement fusion while ensuring as far as possible the completeness and accuracy of the security requirements during fusion.

3. Considering the limited resource cost of industrial control systems, the fused system security requirements are further optimised by a cost-constrained method, ensuring the overall security of the system while meeting the total cost of system security protection.

4. The invention makes comprehensive use of expert data and practical engineering evaluation methods such as fuzzy evaluation, so that it can be applied to requirement analysis of real industrial control systems, lowering the threshold for analysing and designing industrial control system security requirements while substantially reducing system development cost.

Description of drawings

Figure 1 shows the requirement analysis and fusion process for functional safety and information security of industrial control systems;

Figure 2(a) is a schematic of the relationship in which several assets failing simultaneously cause a hazardous event;

Figure 2(b) is a schematic of the relationship in which several independent asset failures cause a hazardous event;

Figure 2(c) is a schematic of the relationship in which multiple asset failures of both kinds, mixed, cause a hazardous event;

Figure 3 is the fusion process for the functional safety requirement set and the information security requirement set;

Figure 4 is the fusion process for prevention-class security requirements;

Figure 5 is the fusion process for detection-class security requirements;

Figure 6 is the cost-based optimisation process for the overall system security requirement set.

Detailed description

In order to make the purpose, technical solution and advantages of the present invention clearer, the present invention is further described in detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described here serve only to explain the present invention and not to limit it. In addition, the technical features involved in the various embodiments of the present invention described below may be combined with one another as long as they do not conflict.

Referring to Figure 1, the optimised overall system security requirement set in Figure 1 is the final result to be obtained in this application.

The present invention is a requirement analysis and fusion method for the functional safety and information security of industrial control systems. The method provides a fast and complete process for obtaining security requirements for the safety control and protection (functional safety and information security combined) of industrial control systems, reduces the difficulty and cost of developing security requirements, and improves the overall security capability of the system. First the system's assets are analysed, then the system's functional safety requirement set and information security requirement set are obtained separately, and finally they are fused to obtain the overall system security requirement set. The specific steps are as follows:

Step 1: Analyse the assets in the system, determine their relevant attributes, and compile the system asset list.

(1) First collect, analyse and organise the system's design documents, specification documents and use case diagrams, and obtain the results of interviews and investigation with the personnel involved in the system.

(2) Then, using the system design documents, classify the assets in the system. Assets include concrete assets and abstract assets; the assets of an industrial control system can generally be divided into six categories: information assets, software assets, physical assets, services, personnel and intangible assets. (a) Information assets include databases and data files, contracts and agreements, system documentation, research information, user manuals, operating or support procedures, arrangements for maintaining essential operation, audit trails and archived information. (b) Software assets include application software, system software, development tools and utilities. (c) Physical assets include industrial control equipment, electrical control equipment, communication equipment, removable media and other devices. (d) Services include design, installation, commissioning, operation, maintenance, computing and communication services, utilities and the like. (e) Personnel comprise everyone involved in the system; their qualifications, skills and experience are the main consideration. (f) Intangible assets are the reputation and image of the organisations involved in the system.
Finally, determine the attributes of every asset, including its name, quantity, location, the hazard events its failure may trigger, its inherent vulnerabilities, its failure probability and its importance to the system, and compile these into the asset list. Table 1 gives part of the asset list of an industrial control system in the embodiment. The failure probability and importance of each asset are obtained from expert scoring and may initially be set to 0; the hazard events are obtained by analysing the historical data of the industry and of the system. Only the numbers of the hazard events are given here; the specific events must be defined for the actual system.

Table 1. Partial asset list of an industrial control system in the embodiment

Step 2: Based on the system asset list, analyse the hazard events that failures of system assets may trigger, assess their consequences, and determine the probability of each hazard event from the relationship between the hazard event and the assets.

(1) From the system asset list and the hazard events each asset may trigger, determine the set of hazard events that can occur in the system.

Analysing the system asset list and collecting the hazard events it refers to gives the hazard event set Accident = {a_1, ..., a_i, ..., a_n}, where a_i (i = 1, 2, ..., n) is the i-th hazard event and n is the total number of hazard events in the system. Each hazard event a_i in the set is represented as a triple a_i = (Na_i, Ca_i, Pa_i), where Na_i is the number of hazard event a_i, Ca_i is the consequence of a_i once it has occurred, expressed on the five-level scale "very serious (VS), serious (S), general (G), not serious (US), very not serious (VUS)", and Pa_i is the probability that a_i occurs, expressed as a percentage.

(2) For every hazard event in the set, assess the consequence of its occurrence with a fuzzy comprehensive evaluation based on expert assessments.

First construct the judgment matrix J as follows:

where j_xy · j_yx = 1 for x, y = 1, 2, ..., n. j_xy expresses how important the consequence of hazard event a_x is relative to that of a_y; the scale used is given in Table 2.

Table 2. Scale of the elements of the judgment matrix

Once the judgment matrix J has been completed, its consistency is verified; the verification index is

where λ is the largest eigenvalue of the judgment matrix J. The consistency index CI is interpreted as follows:

● CI = 0 indicates complete consistency

● CI close to 0 indicates satisfactory consistency

● CI = 1 indicates no consistency at all

To make the assessment more rigorous, several groups of scores can be used: a judgment matrix is constructed for each group, the corresponding consistency indices CI_1, CI_2, ..., CI_k are obtained, and the random consistency index RI is calculated as

The consistency ratio CR is then calculated as

In general, when CR < 0.1 the inconsistency of J is considered to be within the permitted range, the consistency is satisfactory and the matrix passes the consistency test. When CR ≥ 0.1 the inconsistency of J is no longer within the permitted range, and the values of the matrix must be chosen again until the consistency test is passed.

For a judgment matrix J that passes the consistency test, compute its eigenvalues and let the eigenvector of the largest eigenvalue be A = (ω_1, ω_2, ..., ω_n). Divide the interval between the minimum and the maximum of ω_1, ω_2, ..., ω_n into five equal parts and fuzzify the n values onto those parts; this finally gives the consequence Ca_i of each hazard event a_i.
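The consistency check and the five-grade fuzzification of the eigenvector, as an added worked example that is not part of the patent. The patent's own formula images are not reproduced on the page, so the example assumes the standard AHP definitions CI = (λ_max − n)/(n − 1) and CR = CI/RI, takes RI as the mean CI over several expert judgment matrices as the text describes, and obtains λ_max by power iteration (which converges for a positive reciprocal matrix). The two sample matrices are constructed, not taken from Table 2.

```python
# Added example (not from the patent): consistency check of an AHP judgment
# matrix and grading of the resulting weights into the five consequence levels.
# Assumptions: CI = (lambda_max - n) / (n - 1) and CR = CI / RI (standard AHP),
# RI = mean CI over several expert matrices (as the text describes), and
# lambda_max from power iteration on a positive reciprocal matrix.
from typing import List, Sequence, Tuple

Matrix = List[List[float]]

# Consequence grades from least to most serious, as used in the text.
GRADES = ["VUS", "US", "G", "S", "VS"]

# Constructed sample matrices (not the patent's Table 2 data).
J_CONSISTENT: Matrix = [[1, 2, 4], [1 / 2, 1, 2], [1 / 4, 1 / 2, 1]]
J_CYCLIC: Matrix = [[1, 3, 1 / 3], [1 / 3, 1, 3], [3, 1 / 3, 1]]


def is_reciprocal(j: Matrix, tol: float = 1e-9) -> bool:
    """True if j is square and j[x][y] * j[y][x] == 1 for all x, y."""
    n = len(j)
    if any(len(row) != n for row in j):
        return False
    return all(abs(j[x][y] * j[y][x] - 1.0) < tol for x in range(n) for y in range(n))


def principal_eigen(j: Matrix, iters: int = 1000, tol: float = 1e-12) -> Tuple[float, List[float]]:
    """Largest eigenvalue and its eigenvector (normalised to sum 1) by power iteration."""
    n = len(j)
    v = [1.0 / n] * n
    lam = 0.0
    for _ in range(iters):
        w = [sum(j[r][c] * v[c] for c in range(n)) for r in range(n)]
        s = sum(w)  # since sum(v) == 1, s approximates lambda_max
        v = [x / s for x in w]
        converged = abs(s - lam) < tol
        lam = s
        if converged:
            break
    return lam, v


def consistency_index(j: Matrix) -> float:
    """CI = (lambda_max - n) / (n - 1); 1x1 and 2x2 reciprocal matrices are always consistent."""
    n = len(j)
    if n < 3:
        return 0.0
    lam, _ = principal_eigen(j)
    return (lam - n) / (n - 1)


def random_index(matrices: Sequence[Matrix]) -> float:
    """RI as the mean CI over several expert judgment matrices (the text's definition)."""
    return sum(consistency_index(m) for m in matrices) / len(matrices)


def consistency_ratio(j: Matrix, ri: float) -> float:
    return consistency_index(j) / ri if ri > 0 else 0.0


def passes_consistency(j: Matrix, ri: float) -> bool:
    """Accept the matrix only when it is reciprocal and CR < 0.1, as the text requires."""
    return is_reciprocal(j) and consistency_ratio(j, ri) < 0.1


def grade_consequences(j: Matrix) -> List[str]:
    """Split [min(w), max(w)] into five equal parts and map each weight to a grade."""
    _, w = principal_eigen(j)
    lo, hi = min(w), max(w)
    width = (hi - lo) / 5 if hi > lo else 1.0
    return [GRADES[min(int((x - lo) / width), 4)] for x in w]
```

The consistent sample matrix yields weights (4/7, 2/7, 1/7), so the three hazard events grade VS, US and VUS; the cyclic matrix (a prefers b, b prefers c, c prefers a) has CI ≈ 0.67 and is rejected, which is the case the text says must be re-scored.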

(3) From the dependencies between system assets and the failure probabilities of the assets, determine the probability of each hazard event in the set.

The probability that hazard event a_i occurs is computed from the relationship between the hazard event and the assets in the system asset list. This relationship takes one of three forms: (a) several assets must fail at the same time to trigger the hazard event; (b) the failure of any one of several assets triggers the hazard event; (c) a mixture of the first two. In the example in Figure 2, the probability of hazard event a_i for case (a) is [formula omitted], in which the failure probability of the i-th asset in Figure 2(a) appears; for case (b) it is [formula omitted]; for case (c) it is [formula omitted].
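The three asset-to-hazard structures of Figure 2, as an added example that is not part of the patent. Because the patent's expressions are not reproduced on the page, the example assumes independent asset failures and uses the standard reliability combination (product for "all must fail", 1 − ∏(1 − p) for "any one suffices"); the assets, probabilities and structures are constructed. Step 4 says the exploitation probability pv_i of a vulnerability facing several threats is computed "similarly to Figure 2", so the same function applies there with threats in place of assets.

```python
# Added example (not from the patent): probability that a hazard event occurs,
# derived from the failure probabilities of the assets that can trigger it.
# Assumption: asset failures are independent, so case (a) is the product of the
# probabilities and case (b) is 1 - product of the survival probabilities.
from dataclasses import dataclass
from functools import reduce
from typing import List, Union


@dataclass
class Asset:
    name: str
    failure_probability: float  # from the asset list (expert scoring)


@dataclass
class AllFail:
    """Case (a): the hazard needs every child to fail (AND)."""
    children: List["Node"]


@dataclass
class AnyFail:
    """Case (b): any single child failing triggers the hazard (OR)."""
    children: List["Node"]


# Case (c) is any nesting of AllFail and AnyFail.
Node = Union[Asset, AllFail, AnyFail]


def hazard_probability(node: Node) -> float:
    """Recursively evaluate the structure to the probability Pa_i of the hazard event."""
    if isinstance(node, Asset):
        p = node.failure_probability
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"{node.name}: failure probability {p} is not in [0, 1]")
        return p
    if not node.children:
        raise ValueError("a combination node needs at least one child")
    probs = [hazard_probability(c) for c in node.children]
    if isinstance(node, AllFail):
        return reduce(lambda acc, p: acc * p, probs, 1.0)
    # AnyFail: 1 - P(no child fails)
    return 1.0 - reduce(lambda acc, p: acc * (1.0 - p), probs, 1.0)


# Constructed sample assets and structures (hypothetical values).
PLC = Asset("PLC", 0.10)
HMI = Asset("HMI", 0.20)
SWITCH = Asset("control-network switch", 0.05)

CASE_A = AllFail([PLC, HMI])                     # PLC and HMI must both fail
CASE_B = AnyFail([PLC, HMI])                     # either failing is enough
CASE_C = AnyFail([AllFail([PLC, HMI]), SWITCH])  # mixed: (PLC and HMI) or switch
```

For the sample values the three cases give 0.02, 0.28 and 0.069; the mixed structure shows why a single cheap shared component (the switch) can dominate the hazard probability even when the redundant pair is fairly reliable.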

Step 3: From the hazard event analysis, assess the potential functional safety risk, combine it with the industry's risk tolerance for the system to decide which hazard events require further functional safety measures, and thereby determine the functional safety protection needs of the system (the functional safety requirement set R_safety).

(1) Assess the functional safety risk of each hazard event from the consequence of its occurrence and its probability of occurrence.

The probability of occurrence of a hazard event is graded (three, five or seven grades are commonly used); five grades are used as the example here (highly likely HL, rather likely VL, likely L, rather unlikely VUL, highly unlikely HUL), generally by dividing the interval [0, 1] evenly. Functional safety risk depends on the probability of occurrence of the hazard event and on its consequence. Functional safety risk is graded as well, generally into three levels (which may be modified to suit industry requirements).

Table 3. Risk level classification

Risk level    Description
H             very high risk
M             moderate risk
L             lower risk

Combining the probability of occurrence of a hazard event with its consequence, the risk assessment table shown in Table 4 is constructed, from which the functional safety risk level of each hazard event is read off.

Table 4. Risk level assessment table

(2) Taking the available countermeasures for each hazard event into account, decide from its functional safety risk level whether a corresponding functional safety measure must be applied to reduce or eliminate the risk.

Based on the risk tolerance of the industry or the system for hazard events (for example, the industry may require that the system have no hazard event with a risk level above L), identify the hazard events that do not meet the requirement. For each such hazard event, select a suitable safety component from the functional safety component library to mitigate the functional safety risk.

(3) Combine the functional safety measures required across the whole system into the functional safety requirement set R_safety.

All functional safety components of the system together constitute its functional safety needs, and thus the functional safety requirement set R_safety.

Step 4: From the system's assets, analyse their inherent vulnerabilities, the information security threats they may face, and the corresponding protective measures.

(1) For every asset in the asset list, use its inherent vulnerabilities to analyse the list of threats it may face and all available protective measures.

First, collect the vulnerabilities present in the system into the vulnerability set V = {v_1, v_2, ..., v_i, ..., v_p}, where v_i is the i-th vulnerability and p is the number of vulnerabilities in the set.

Then, for each vulnerability in the set, analyse its protective measures and the threats it faces, and represent the vulnerability formally as follows:

v_i = (protectlist_i, pv_i, [threat_i-1, pv_i-1], [threat_i-2, pv_i-2], ..., [threat_i-j, pv_i-j], ...)

where protectlist_i is the list of protective measures for vulnerability v_i, pv_i is the probability that the vulnerability is exploited, and [threat_i-j, pv_i-j] is the j-th threat faced by v_i together with the probability that v_i is exploited by threat_i-j. The list of protective measures and the threats are obtained through analysis and investigation.

(2) Analyse the inherent vulnerabilities of the assets and the information security threats they may face, and, using industry historical data and expert assessments, estimate by fuzzy evaluation the probability that each vulnerability is exploited by a threat.

First analyse the inherent vulnerabilities of the assets and the information security threats they may face; then, using industry historical data and expert assessments, estimate by fuzzy evaluation the probability that each vulnerability is exploited by a threat. Where one vulnerability faces several threats, the probability pv_i that the vulnerability is exploited is obtained from the relationship between those threats and the vulnerability, computed in the same way as shown in Figure 2.

Step 5: From each asset's importance level and the likelihood that its vulnerabilities are exploited, assess the asset's information security risk level by fuzzy evaluation; compare it with the information security risk level the system can tolerate to identify the assets that need stronger protection, and determine their information security protective measures. The protective measures required by all assets form the system's information security protection needs (the information security requirement set R_security).

(1) Fuzzify the exploitation probability of each vulnerability in the asset's vulnerability list to obtain the corresponding fuzzy vector.

Divide the exploitation probability evenly into five levels over the interval [0, 1], namely "very high (VH), high (H), medium (M), low (L), very low (VL)", and fuzzify pv_i into the corresponding fuzzy vector.

(2) Obtain the asset's importance to the system from the asset list (three levels, as in Table 1) and fuzzify it in the same way to obtain the corresponding fuzzy vector.

For asset a_i, rate its importance Ia_i, generally on three levels: critical asset (CA), ordinary asset (MA), non-critical asset (NCA), and fuzzify it into the fuzzy quantity of the asset's importance.

(3) Grade information security risk according to the requirements of the industry or the system, for example into the three levels "high (HR), medium (MR), low (LR)".

(4) Design the membership matrix for fuzzy assessment of the system's information security risk. The general principle is that the more important the asset and the higher the probability that its vulnerability is exploited, the higher the risk level; the less important the asset and the lower the probability of exploitation, the lower the risk level. The details depend on the industry and the system. Then combine the fuzzy vector of asset importance with the fuzzy vector of the probability that the corresponding vulnerability is exploited to compute the vulnerability's risk fuzzy vector, and defuzzify that vector to obtain the vulnerability's risk level.

First, construct the membership matrix for fuzzy assessment of information security risk from the asset importance level and the degree to which vulnerabilities can be exploited. Table 5 shows an example of such a membership matrix.

Table 5. Membership matrix for fuzzy assessment of information security risk

Then, from the asset's importance, the degree to which its vulnerabilities can be exploited and the membership matrix, compute the risk fuzzy vector of asset a_i, and defuzzify it by the maximum-membership principle to obtain the risk level Risk_i of asset a_i.

(5) From the information security risk the assets in the system can tolerate, decide whether the vulnerability needs protection and, if so, specify the protective measure.

Based on the information security risk level required by the industry or the system, decide whether each asset needs additional protection; for assets that do, select protective measures from the protection lists of their vulnerabilities.

(6) Form the system's information security requirement set.

Complete the assessment and protection of all vulnerabilities of all assets by sub-steps (1) to (5) above, then combine the information security protective measures of the whole system into the information security requirement set R_security.

Step 6: Reconcile conflicts between the functional safety requirement set R_safety from Step 3 and the information security requirement set R_security from Step 5, and fuse the two kinds of requirements by a qualitative method into the overall system security requirement set R_system. The procedure is shown in Figure 3.

(1) Classify both the functional safety requirement set R_safety and the information security requirement set R_security into "prevention", "detection" and "response" requirements.

According to their effect on the system, the requirements in both R_safety and R_security (functional safety and information security requirements alike) are divided into three types: prevention, detection and response. This gives the functional safety prevention set R_safety-p, detection set R_safety-d and response set R_safety-r, and the information security prevention set R_security-p, detection set R_security-d and response set R_security-r. Requirements of the same type in the two sets may carry redundant information or conflict with each other, whereas requirements of different types are independent. Fusion is therefore carried out between requirements of the same type.

(2) Fuse the prevention requirements of the functional safety and information security requirement sets.

The prevention sets R_safety-p and R_security-p contain requirements that put protective measures in place in advance to protect the system. In an industrial control system, information security problems generally enter at the information level and propagate downward to the field control level, whereas functional safety problems generally spread from inside the system down to the lowest layer and then affect the physical process, finally causing property loss, casualties or environmental damage. Information security prevention measures are therefore mostly concentrated in the upper information processing layer and functional safety prevention measures in the lower real-time control layer and the physical system, so the two conflict rarely.
The fusion of R_safety-p and R_security-p is shown in Figure 4 and proceeds as follows. Take one requirement from R_safety-p and compare it in turn with every requirement in R_security-p. If there is neither conflict nor redundancy, add the requirement to the overall system security requirement set R_system. If there is a conflict, check the location of its protection point: if it lies at the information level, discard the requirement; if it lies at the field control level or in the physical system, add the requirement to R_system and delete the conflicting requirement from R_security-p. If there is redundancy, discard the requirement as well. Repeat until R_safety-p is empty, then add the requirements remaining in R_security-p to R_system.

(3) Fuse the detection requirements of the functional safety and information security requirement sets.

For the detection sets R_safety-d and R_security-d, the effect on an industrial control system lies mainly in the consumption of system resources; moreover, detection requirements rarely conflict with each other, and the more common problem is redundancy among detection items. The fusion of R_safety-d and R_security-d therefore mainly removes redundant information. The procedure is shown in Figure 5: take one requirement from R_safety-d and compare it in turn with the requirements in R_security-d; if there is no redundant information, add the requirement to the overall system security requirement set R_system, otherwise merge the two requirements into one and add the merged requirement to R_system. Repeat until R_safety-d is empty, then add the requirements remaining in R_security-d to R_system.

(4) Fuse the response requirements of the functional safety and information security requirement sets.

The response sets R_safety-r and R_security-r contain requirements that, in an industrial control system, directly change the system's behaviour in reaction to a fault or an attack. Because the requirements in both sets act on the system, the fusion is mainly concerned with resolving conflicts between them. At the same time, the actions these requirements trigger have the greatest effect on the system: a conflicting functional safety response and information security response not only fail to accomplish their own protective task but may also harm the system seriously, so a finer fusion scheme is needed. First, taking the industry and the system into account, define the basic conflict resolution strategy for the fusion. For a safety-critical system, for example, the strategy may be: "When requirements in R_safety-r and R_security-r conflict, the requirement in R_safety-r prevails and the conflicting requirement in R_security-r is deleted." The strategy may also be based on comparing the functional safety risk and the information security risk faced by the assets involved in the conflicting requirements.
Then take the requirements from R_safety-r one by one and compare each with the requirements in R_security-r. If there is a conflict, resolve it with the predefined strategy and add the fused requirement to the overall system security requirement set R_system; if there is no conflict, add the requirement to R_system directly. Repeat until R_safety-r is empty, then add the requirements remaining in R_security-r to R_system.
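The three fusion procedures of sub-steps (2) to (4), as an added example that is not part of the patent. The requirement record, the way conflict and redundancy are detected (explicit cross-references on each record), the merged detection item and the sample sets are all constructed for this example; the patent specifies only the procedure. One interpretation is made explicit in a comment: a security detection item merged with a safety item is removed from the remainder so it is not added a second time.

```python
# Added example (not from the patent): fusion of R_safety and R_security by type.
# Requirement records, conflict/redundancy tests and the sample sets are constructed.
from dataclasses import dataclass, field
from typing import Callable, List, Set


@dataclass
class Requirement:
    rid: str
    origin: str                               # "safety", "security" or "fused"
    kind: str                                 # "prevention", "detection" or "response"
    layer: str                                # protection point: "information", "control", "physical"
    conflicts: Set[str] = field(default_factory=set)   # ids this requirement conflicts with
    redundant: Set[str] = field(default_factory=set)   # ids giving the same protection


def conflicts_with(a: Requirement, b: Requirement) -> bool:
    return b.rid in a.conflicts or a.rid in b.conflicts


def redundant_with(a: Requirement, b: Requirement) -> bool:
    return b.rid in a.redundant or a.rid in b.redundant


def fuse_prevention(safety: List[Requirement], security: List[Requirement]) -> List[Requirement]:
    """Figure 4: conflicts are decided by the protection point of the safety item."""
    remaining, fused = list(security), []
    for req in safety:
        conflict = next((s for s in remaining if conflicts_with(req, s)), None)
        if conflict is not None:
            if req.layer == "information":
                continue                      # discard the safety requirement
            fused.append(req)                 # control/physical: safety item wins
            remaining.remove(conflict)        # and the conflicting security item goes
        elif any(redundant_with(req, s) for s in remaining):
            continue                          # redundant: discard the safety requirement
        else:
            fused.append(req)
    return fused + remaining


def fuse_detection(safety: List[Requirement], security: List[Requirement]) -> List[Requirement]:
    """Figure 5: redundant detection items are merged into one."""
    remaining, fused = list(security), []
    for req in safety:
        dup = next((s for s in remaining if redundant_with(req, s)), None)
        if dup is None:
            fused.append(req)
        else:
            fused.append(Requirement(f"{req.rid}+{dup.rid}", "fused", "detection", req.layer))
            remaining.remove(dup)             # interpretation: merged item is not re-added below
    return fused + remaining


def safety_prevails(req: Requirement, conflict: Requirement) -> Requirement:
    """Default policy for safety-critical systems quoted in the text."""
    return req


def fuse_response(safety: List[Requirement], security: List[Requirement],
                  policy: Callable[[Requirement, Requirement], Requirement] = safety_prevails) -> List[Requirement]:
    remaining, fused = list(security), []
    for req in safety:
        conflict = next((s for s in remaining if conflicts_with(req, s)), None)
        if conflict is None:
            fused.append(req)
        else:
            fused.append(policy(req, conflict))
            remaining.remove(conflict)
    return fused + remaining


def fuse(safety: List[Requirement], security: List[Requirement]) -> List[Requirement]:
    """Sub-step (1) classification followed by the three type-wise fusions."""
    of = lambda reqs, kind: [r for r in reqs if r.kind == kind]
    return (fuse_prevention(of(safety, "prevention"), of(security, "prevention"))
            + fuse_detection(of(safety, "detection"), of(security, "detection"))
            + fuse_response(of(safety, "response"), of(security, "response")))


def ids(reqs: List[Requirement]) -> List[str]:
    return [r.rid for r in reqs]


# Constructed sample sets (hypothetical requirement ids).
SAFETY = [
    Requirement("S1", "safety", "prevention", "control", conflicts={"C1"}),
    Requirement("S2", "safety", "prevention", "information", conflicts={"C2"}),
    Requirement("S3", "safety", "prevention", "control", redundant={"C3"}),
    Requirement("S4", "safety", "detection", "control", redundant={"C4"}),
    Requirement("S5", "safety", "response", "control", conflicts={"C5"}),
]
SECURITY = [
    Requirement("C1", "security", "prevention", "information"),
    Requirement("C2", "security", "prevention", "information"),
    Requirement("C3", "security", "prevention", "information"),
    Requirement("C6", "security", "prevention", "information"),
    Requirement("C4", "security", "detection", "information"),
    Requirement("C5", "security", "response", "information"),
    Requirement("C7", "security", "response", "information"),
]
```

Running `fuse(SAFETY, SECURITY)` keeps S1 (control-layer safety item wins over C1), drops S2 (information-layer safety item loses to C2) and S3 (redundant with C3), merges S4 with C4, and lets S5 prevail over C5 under the default policy; swapping in a policy that returns the security item shows how the response fusion changes while prevention and detection do not.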

Step 7: Optimise the overall system security requirement set using the implementation cost of each security measure and the overall cost constraint of the system.

In an industrial control system, more security protection (functional safety assurance and information security protection) is not always better: at the requirements design stage, protection is limited by the total protection budget allocated to the system. Therefore, after the overall security requirement set has been obtained through the six steps above, it must be optimised against the system's overall protection cost constraint, yielding the overall security requirement set that satisfies the cost constraint.

(1) Analyse all security requirements and estimate their implementation cost.

Before optimisation, analyse the risk that each requirement in the overall security requirement set counters and enumerate all security measures able to mitigate that risk (that is, measures providing the same type of protection); these form one class of security measures. Estimate the implementation cost of every measure in each class. The implementation cost is the additional cost the system incurs to implement a measure; it is measured here by two indicators, computational load and communication load. The computational cost is estimated from expert assessment; the communication cost is the number of extra bytes the measure must transmit and can be determined directly from the specific measure.

(2) Obtain the total cost constraint for the system's security requirements design.

Then, from the system design specification, obtain the total cost constraint for security protection (functional safety and information security), that is, the maximum the system can spend on functional safety assurance and information security protection, comprising the total computational cost and the total communication cost.

(3) Optimise the overall system security requirement set.

The optimisation of the overall security requirement set is shown in Figure 6 and proceeds as follows. (a) First sort the overall requirement set obtained in Step 6 by the risk level each requirement counters, from low to high. (b) Using the implementation cost of the security measures, compute the total implementation cost of the whole set. If it does not exceed the total protection cost constraint, the optimisation is complete; otherwise continue. (c) Check whether all requirements in R_system have been processed. If they have, no set of security requirements meeting the risk level required by the system or the industry can be designed under the current cost constraint; the constraint must be revised and the security requirements designed again. Otherwise take the next requirement in order and, from its class of security measures, select a measure with a lower cost than the one currently selected as the modified requirement, then continue. (d) Using Steps 3 and 5, check whether the modified requirement still meets the risk requirement of the corresponding asset; if it does, go to (b), otherwise go to (c).
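The optimisation loop (a) to (d) in code, as an added example that is not part of the patent. The requirement and measure records, the two-component cost model (computational cost, communication bytes), the residual risk level attached to each measure as the stand-in for the re-check of Steps 3 and 5, and the sample data are all constructed. One interpretation is made explicit: "a measure with a lower cost" is read as the cheapest alternative that is no worse on either cost component and still meets the tolerated risk level.

```python
# Added example (not from the patent): cost-constrained optimisation of R_system.
# Requirement/measure records, the cost model and the sample data are constructed.
from dataclasses import dataclass
from typing import List, Tuple

RISK_ORDER = {"L": 0, "M": 1, "H": 2}


@dataclass
class Measure:
    name: str
    compute_cost: float   # expert-estimated computational load
    comm_bytes: int       # extra communication bytes the measure needs
    residual_risk: str    # risk level remaining once the measure is applied (stand-in for steps 3/5)


@dataclass
class Requirement:
    rid: str
    risk: str                   # risk level the requirement counters
    alternatives: List[Measure] # the class of measures able to mitigate that risk
    chosen: int = 0             # index of the currently selected measure


def total_cost(reqs: List[Requirement]) -> Tuple[float, int]:
    compute = sum(r.alternatives[r.chosen].compute_cost for r in reqs)
    comm = sum(r.alternatives[r.chosen].comm_bytes for r in reqs)
    return compute, comm


def within_budget(reqs: List[Requirement], budget: Tuple[float, int]) -> bool:
    compute, comm = total_cost(reqs)
    return compute <= budget[0] and comm <= budget[1]


def is_cheaper(m: Measure, current: Measure) -> bool:
    """No worse on either component and strictly better on at least one."""
    return (m.compute_cost <= current.compute_cost and m.comm_bytes <= current.comm_bytes
            and (m.compute_cost < current.compute_cost or m.comm_bytes < current.comm_bytes))


def optimize(reqs: List[Requirement], budget: Tuple[float, int], tolerated: str) -> Tuple[List[Requirement], bool]:
    """Steps (a)-(d). Returns the (possibly modified) set and whether it fits the budget;
    False means the cost constraint itself must be revised."""
    ordered = sorted(reqs, key=lambda r: RISK_ORDER[r.risk])          # (a) low risk first
    for req in ordered:                                                 # (c) next unprocessed item
        if within_budget(ordered, budget):                              # (b) stop once in budget
            return ordered, True
        current = req.alternatives[req.chosen]
        candidates = [i for i, m in enumerate(req.alternatives)
                      if is_cheaper(m, current)
                      and RISK_ORDER[m.residual_risk] <= RISK_ORDER[tolerated]]  # (d) still acceptable
        if candidates:
            req.chosen = min(candidates, key=lambda i: (req.alternatives[i].compute_cost,
                                                        req.alternatives[i].comm_bytes))
    return ordered, within_budget(ordered, budget)


def sample_requirements() -> List[Requirement]:
    """Constructed sample set (hypothetical measures and costs); fresh objects each call."""
    return [
        Requirement("R1", "H", [Measure("signed telemetry", 10, 64, "L"),
                                Measure("plain checksum", 2, 4, "M")]),
        Requirement("R2", "M", [Measure("full controller redundancy", 8, 32, "L"),
                                Measure("hardware watchdog", 3, 0, "L")]),
        Requirement("R3", "L", [Measure("command rate limiting", 5, 0, "L"),
                                Measure("no measure", 0, 0, "M")]),
    ]


BUDGET = (12.0, 100)  # constructed total cost constraint: compute units, bytes
```

With the same budget, tolerating residual risk M lets the loop trade down all three requirements and finish at a compute cost of 5; tolerating only L leaves R1 and R3 without an acceptable cheaper measure, the set stays over budget, and the function reports that the constraint must be revised, which is the (c) "all processed" exit of the text.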

The result is the optimized overall system security requirement set Rsystem, that is, a system security requirement set that fuses the functional safety requirements with the information security requirements and satisfies the system's cost constraint.
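The cost-constrained optimization loop of steps (a) to (d) above, as an added Python example that is not part of the patent. The five-level risk scale, the summary of each measure's effect as a residual risk level compared against the asset's tolerable level (standing in for the checks of steps three and five), the sample requirements, and the choice to keep cheapening one requirement while it still meets its risk target before moving to the next are all this example's own assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed scale: risk level 1 = lowest ... 5 = highest.


@dataclass
class Measure:
    name: str
    cost: int            # implementation cost (computation + communication), constructed units
    residual_risk: int   # risk level that remains at the asset once this measure is applied


@dataclass
class Requirement:
    asset: str
    risk_level: int          # risk level the requirement addresses; sort key for step (a)
    tolerable_risk: int      # highest residual risk the asset may carry (outcome of steps 3 and 5)
    measures: List[Measure]  # alternative measures from the requirement's measure set (7.1)
    selected: int = 0        # index of the measure currently chosen for the requirement


def total_cost(reqs: List[Requirement]) -> int:
    return sum(r.measures[r.selected].cost for r in reqs)


def meets_risk(req: Requirement) -> bool:
    # Step (d): the modified requirement must still satisfy the asset's risk requirement.
    return req.measures[req.selected].residual_risk <= req.tolerable_risk


def next_cheaper(req: Requirement) -> Optional[int]:
    """Index of the most expensive measure that is still cheaper than the selected one.

    Stepping down one cost level at a time keeps as much risk coverage as possible
    (an assumption of this example; the patent only requires a cheaper measure)."""
    current = req.measures[req.selected].cost
    cheaper = [i for i, m in enumerate(req.measures) if m.cost < current]
    return max(cheaper, key=lambda i: req.measures[i].cost) if cheaper else None


def optimize(reqs: List[Requirement], budget: int) -> Tuple[str, List[Requirement]]:
    """Steps (a)-(d). Returns ("ok", reqs) or ("infeasible", reqs) when every
    requirement has been processed and the budget is still exceeded."""
    reqs = sorted(reqs, key=lambda r: r.risk_level)      # (a) low risk first
    idx = 0
    while total_cost(reqs) > budget:                      # (b)
        if idx >= len(reqs):                              # (c) all processed: revise the budget
            return "infeasible", reqs
        req = reqs[idx]
        candidate = next_cheaper(req)
        if candidate is None:                             # nothing cheaper: move on
            idx += 1
            continue
        previous = req.selected
        req.selected = candidate                          # (c) modified requirement
        if not meets_risk(req):                           # (d) failed: revert, next requirement
            req.selected = previous
            idx += 1
    return "ok", reqs


def selected_names(reqs: List[Requirement]) -> dict:
    return {r.asset: r.measures[r.selected].name for r in reqs}


def sample_requirements() -> List[Requirement]:
    """Constructed sample: three assets, each with alternative measures of decreasing cost."""
    return [
        Requirement("PLC", 5, 1, [Measure("D", 10, 1), Measure("E", 5, 2)]),
        Requirement("HMI", 2, 3, [Measure("A", 8, 1), Measure("B", 4, 3), Measure("C", 1, 5)]),
        Requirement("Historian", 3, 2, [Measure("F", 6, 2), Measure("G", 2, 2)]),
    ]


if __name__ == "__main__":
    for budget in (18, 12):
        status, reqs = optimize(sample_requirements(), budget)
        print(budget, status, selected_names(reqs), "cost", total_cost(reqs))
```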

Those skilled in the art will readily understand that the above describes only preferred embodiments of the present invention and is not intended to limit it; any modifications, equivalent substitutions and improvements made within the spirit and principles of the present invention shall fall within its scope of protection.

Claims (10)

1. A requirement analysis and fusion method for the functional safety and information security of an industrial control system, characterized in that the method comprises the following steps:

(1) analyze the assets in the system, clarify their relevant attributes, and form a system asset list;

(2) based on the system asset list, analyze the hazardous accidents that failure of system assets may cause, evaluate their consequences, and determine the likelihood of the hazardous accidents from the correlation between system assets and hazardous events;

(3) based on the analysis results for the hazardous accidents, evaluate the potential functional safety risks and, combined with the industry's risk tolerance for the system, determine which hazardous events require further functional safety protection measures, and thereby determine the functional safety requirement set of the system;

(4) based on the system's assets, analyze the inherent vulnerabilities of the assets, the information security threats they may face, and the corresponding protection measures;

(5) based on the importance level of each asset and the likelihood that its vulnerabilities are exploited, evaluate the information security risk level of the asset with a fuzzy evaluation method; combined with the information security risk level the system can tolerate, determine which system assets need strengthened protection and thereby determine the information security protection measures for the assets; the protection measures required by all assets form the information security requirement set of the system;

(6) coordinate the conflicts between the functional safety requirement set obtained in step (3) and the information security requirement set obtained in step (5), and fuse the two kinds of security requirements by a qualitative method to obtain the overall security requirement set of the system;

(7) based on the implementation cost of each security measure and the overall cost constraint of the system, optimize the overall security requirement set of the system, the specific process being:

(7.1) analyze the risk addressed by each security requirement in the overall security requirement set, enumerate all security measures that can mitigate that risk to form a set of security measures, and evaluate the implementation cost of each set of security measures;

(7.2) obtain from the system's design specification the total cost constraint for system security protection, that is, the maximum the system can expend on functional safety assurance and information security protection, including the total computation cost and the total communication cost;

(7.3) based on the total cost constraint of the system and the implementation cost of each security measure in each set of security measures, optimize the overall security requirement set of the system:

(7.3.1) first, sort the overall security requirement set obtained in step (6) from low to high by the risk level that each requirement addresses;

(7.3.2) using the implementation cost of the security measures, compute the total implementation cost of the whole requirement set; if it does not exceed the total cost constraint for system security protection, the optimization is complete; if it exceeds the constraint, continue;

(7.3.3) first check whether all requirements in the overall security requirement set have been processed; if they have, no system security requirements meeting the risk level requirements of the system or the industry can be designed under the current total cost constraint, so the constraint must be revised and the system security requirements designed again; otherwise, take the next requirement in order and select, from its corresponding set of security measures, a security measure that costs less than the measure currently selected for that requirement as the modified form of the requirement, then continue;

(7.3.4) using steps (3) and (5), judge whether the modified requirement still meets the risk requirements of the corresponding asset; if it does, go to (7.3.2); if it does not, go to (7.3.3).

2. The requirement analysis and fusion method for the functional safety and information security of an industrial control system according to claim 1, characterized in that step (2) specifically comprises:

(2.1) based on the system asset list and the hazardous accidents each asset may cause, determine the set of hazardous accidents that may occur in the system;

(2.2) for each hazardous accident in the set, evaluate the consequences of its occurrence with a fuzzy comprehensive evaluation method based on expert assessment results;

(2.3) based on the dependencies among system assets and the failure probabilities of the assets, determine the probability of occurrence of each hazard in the set of hazardous accidents.

3. The requirement analysis and fusion method for the functional safety and information security of an industrial control system according to claim 1 or 2, characterized in that step (3) specifically comprises:

(3.1) evaluate the functional safety risk of each kind of hazardous event from the consequences of the hazardous accident and its probability of occurrence;

(3.2) considering the response measures for each kind of hazardous event and its functional safety risk level, judge whether corresponding functional safety protection measures need to be applied to reduce or eliminate the risk;

(3.3) integrate the functional safety protections required by the whole system to form the functional safety requirement set of the system.

4. The requirement analysis and fusion method for the functional safety and information security of an industrial control system according to claim 1 or 2, characterized in that step (4) specifically comprises:

(4.1) for each asset in the asset list, based on its inherent vulnerabilities, analyze the list of threats it may face and all available protection measures;

(4.2) analyze the inherent vulnerabilities of the assets and the information security threats they may face and, based on industry historical data and expert assessment data, judge by a fuzzy evaluation method the probability that each vulnerability may be exploited by a threat.

5. The requirement analysis and fusion method for the functional safety and information security of an industrial control system according to claim 1 or 2, characterized in that step (5) specifically comprises:

(5.1) fuzzify the probability that each vulnerability in the asset's vulnerability list may be exploited to obtain the corresponding fuzzy vector;

(5.2) obtain the asset's degree of importance in the system from the system asset list and likewise fuzzify it to obtain the corresponding fuzzy vector;

(5.3) grade information security risk into levels according to industry or system requirements;

(5.4) design the membership matrix for the fuzzy evaluation of the system's information security risk; combine the fuzzy vector of asset importance with the fuzzy vector of the likelihood that the corresponding vulnerability is exploited to compute the risk fuzzy vector of the vulnerability; and obtain the risk level of the vulnerability by defuzzifying that fuzzy vector;

(5.5) based on the tolerance of the system's assets to information security risk, judge whether the vulnerability needs protection and, if so, give the protection measures;

(5.6) complete the evaluation and protection of all vulnerabilities of all assets according to (5.1) to (5.5); integrate the information security protection measures of the whole system to form the information security requirement set of the system.

6. The requirement analysis and fusion method for the functional safety and information security of an industrial control system according to claim 1 or 2, characterized in that step (6) specifically comprises:

(6.1) classify the functional safety requirement set and the information security requirement set each into prevention, detection and response classes; prevention requirements are those corresponding to measures that play a preventive role in functional safety assurance or information security protection; detection requirements are those corresponding to real-time detection in functional safety assurance or information security protection; response requirements are those corresponding to the system's targeted response after a problem has been detected in functional safety assurance or information security protection;

(6.2) for prevention requirements of the functional safety requirement set and the information security requirement set that do not overlap, add them directly to the overall security requirement set; for those that overlap, the information security requirement prevails for upper-layer prevention requirements and the functional safety requirement prevails for lower-layer prevention requirements; remove the conflicting requirements and then merge the rest into the overall security requirement set;

(6.3) for detection requirements of the functional safety requirement set and the information security requirement set that do not overlap, add them directly to the overall security requirement set; for detection requirements that overlap, fuse them by taking their union and then add the result to the overall security requirement set;

(6.4) for the response requirements of the functional safety requirement set and the information security requirement set, analyze the various response requirements in both sets and, considering the actual situation of the system, formulate a conflict resolution strategy for each requirement in turn.

7. The requirement analysis and fusion method for the functional safety and information security of an industrial control system according to claim 1 or 2, characterized in that step (1) specifically comprises:

(1.1) collect, analyze and organize the system's design documents, specification documents and use case diagrams;

(1.2) analyze the functions, data, software and hardware resources of the system and the personnel involved in its operation; classify the system's assets into information assets, software assets, physical assets, services, personnel and intangible assets; determine the attributes of the assets, including asset name, quantity, location, random failure probability, hazardous accidents that asset failure may cause, asset importance and the inherent vulnerabilities of the asset, where asset importance is graded into five levels: very important, important, ordinary, unimportant and very unimportant; and finally form the system asset list.

8. The requirement analysis and fusion method for the functional safety and information security of an industrial control system according to claim 7, characterized in that, in step (1.2): information assets include databases and data files, contracts and agreements, system documents, research information, user manuals, operating or support procedures, arrangements for maintaining basic operation, audit trails and archived information; software assets include application software, system software, development tools and utilities; physical assets include industrial control system equipment, electrical control equipment, communication equipment and removable media; services include design, installation, commissioning, operation, maintenance, computing and communication services, and utility facilities; personnel include all personnel involved in the system, taking into account their qualifications, skills and experience; intangible assets refer to the reputation and image of the organizations involved in the system.

9. The requirement analysis and fusion method for the functional safety and information security of an industrial control system according to claim 2, characterized in that step (2.3) specifically comprises: computing the probability that hazardous event a_i may occur by analyzing, based on the system asset list, the relationship between hazardous accidents and assets, including:

(2.3.1) several assets failing at the same time cause a hazardous accident; the probability that hazardous event a_i may occur is [formula not reproduced on this page], where [symbol not reproduced] is the failure probability of the j-th asset and j takes the value 1, 2 or 3;

(2.3.2) among several assets, the failure of any one asset triggers the hazardous event; the probability that hazardous event a_i may occur is [formula not reproduced on this page];

(2.3.3) a mixture of the first two cases; the probability that hazardous event a_i may occur is [formula not reproduced on this page].

10. The requirement analysis and fusion method for the functional safety and information security of an industrial control system according to claim 6, characterized in that step (6.4) specifically comprises: for safety-critical systems, formulating the conflict resolution strategy as "when requirements in the response class requirement sets Rsafety-r and Rsecurity-r conflict, the requirement in Rsafety-r prevails and the conflicting requirement in Rsecurity-r is deleted"; or formulating the conflict resolution strategy from the relative magnitude of the functional safety risk and the information security risk faced by the assets involved in the conflicting requirements; then comparing the response requirements of the functional safety requirement set and the information security requirement set one by one, adding those without conflict directly to the overall security requirement set, and resolving those with conflict according to the formulated conflict resolution strategy before merging them into the overall security requirement set.
CN201510276161.8A 2015-05-27 2015-05-27 The demand analysis of industrial control system functional safety and information security and fusion method Active CN105045251B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510276161.8A CN105045251B (en) 2015-05-27 2015-05-27 The demand analysis of industrial control system functional safety and information security and fusion method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510276161.8A CN105045251B (en) 2015-05-27 2015-05-27 The demand analysis of industrial control system functional safety and information security and fusion method

Publications (2)

Publication Number Publication Date
CN105045251A CN105045251A (en) 2015-11-11
CN105045251B true CN105045251B (en) 2017-11-14

Family

ID=54451855

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510276161.8A Active CN105045251B (en) 2015-05-27 2015-05-27 The demand analysis of industrial control system functional safety and information security and fusion method

Country Status (1)

Country Link
CN (1) CN105045251B (en)

Families Citing this family (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9967274B2 (en) * 2015-11-25 2018-05-08 Symantec Corporation Systems and methods for identifying compromised devices within industrial control systems
CN105635112B (en) * 2015-12-18 2019-03-15 国家电网公司 Evaluation Method of Information System Security Performance
CN106548286B (en) * 2016-10-28 2017-12-26 华中科技大学 The functional safety of industrial control system and information security real time coordination control method
CN106790190B (en) * 2016-12-30 2019-11-19 北京神州绿盟信息安全科技股份有限公司 A kind of Vulnerability Management system and method
CN109787935A (en) * 2017-11-13 2019-05-21 广东工业大学 A kind of smart home security protection system
CN108600155A (en) * 2018-03-07 2018-09-28 上海洺淀智能科技有限公司 A kind of convergence-level network security prevents the industrial control system invaded outside
CN109543419B (en) * 2018-11-30 2020-12-04 杭州迪普科技股份有限公司 Method and device for detecting asset security
EP3923167A1 (en) * 2020-06-10 2021-12-15 Siemens Aktiengesellschaft Method for creating an automated security analysis of an installation, device and computer program product
CN112015385B (en) * 2020-07-28 2022-02-11 华东师范大学 Protocol security property oriented formalized collaborative specification method and graphic modeling system
CN111898930A (en) * 2020-08-21 2020-11-06 中国石油大学(华东) Petrochemical safety equipment data acquisition method and system fusing information safety failure
CN112116227A (en) * 2020-09-08 2020-12-22 恩善(厦门)信息科技有限公司 Industrial control information security risk assessment model based on distributed inspection
CN112946631B (en) * 2021-01-28 2024-07-16 中煤科工集团重庆研究院有限公司 Point domain identification system and method for slope risk monitoring
CN113434866B (en) * 2021-06-30 2022-05-20 华中科技大学 Unified risk quantitative evaluation method for instrument function safety and information safety strategies
CN115686796B (en) * 2022-11-15 2025-08-22 华中科技大学 A coordinated optimization method and system for functional safety and information security of intelligent instruments
CN118827240B (en) * 2024-09-18 2024-12-13 北京源堡科技有限公司 Risk management methods, systems, equipment and media for integrated functions and information security

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102236758A (en) * 2011-07-26 2011-11-09 天津大学 Security repository-based security requirement acquisition method
CN102289619A (en) * 2011-07-26 2011-12-21 天津大学 Level-driving security demand analysis method
CN102799834A (en) * 2012-06-07 2012-11-28 天津大学 System-asset-based software security requirement analysis method
CN103023889A (en) * 2012-11-29 2013-04-03 武汉华中电力电网技术有限公司 Safety margin risk quantification method
CN103095712A (en) * 2013-01-24 2013-05-08 无锡南理工科技发展有限公司 Security policy level joint modeling method based on consultative objective risk analysis system (CORAS)-Petri

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2012226680A (en) * 2011-04-22 2012-11-15 Internatl Business Mach Corp <Ibm> Management system, management method and management program for managing industrial control system


Non-Patent Citations (6)

* Cited by examiner, † Cited by third party
Title
An information systems security risk assessment model under uncertain environment; N. Feng, M. Li; Appl. Soft Comput.; 2011-12-31; vol. 11, no. 7; pp. 4332-4340 *
Security without end: analysing functional safety and information security in industrial control systems; 卢祁; 《中国仪器仪表》; 2013-02-25; no. 2; pp. 29-32 *
Functional safety and information security of embedded systems; 吴雪黎, 武雪峰, 杨光, 王继志; 《信息技术与信息化》; 2012-06-30; no. 6; pp. 84-87 *
Design and implementation of an information security simulation platform for industrial control systems; 周晓敏, 李璇, 黄双; 《可编程控制器与工厂自动化》; 2015-04-30; no. 4; pp. 35-40 *
Analysis and research on information security threats and vulnerabilities of industrial control networks; 陈星, 贾卓生; 《计算机科学》; 2013-10-31; vol. 39, no. 10; pp. 188-190 *
An information fusion method for fieldbus detection systems and its application; 周纯杰, 王永骥; 《计算技术与自动化》; 2004-03-31; vol. 23, no. 1; pp. 86-88 *

Also Published As

Publication number Publication date
CN105045251A (en) 2015-11-11


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant