CN116886329A - Quantitative index optimization method for industrial control system safety - Google Patents


Info

Publication number
CN116886329A
Authority
CN
China
Prior art keywords
attack
vulnerability
industrial control
score
calculation
Prior art date
Legal status
Pending
Application number
CN202310575103.XA
Other languages
Chinese (zh)
Inventor
王佰玲
王英州
刘红日
王巍
王文婷
Current Assignee
Weihai Tianzhiwei Network Space Safety Technology Co ltd
Electric Power Research Institute of State Grid Shandong Electric Power Co Ltd
Harbin Institute of Technology Weihai
Original Assignee
Weihai Tianzhiwei Network Space Safety Technology Co ltd
Electric Power Research Institute of State Grid Shandong Electric Power Co Ltd
Harbin Institute of Technology Weihai

Classifications (CPC, all under H04L, Transmission of digital information)

    • H04L63/1433 Network security: detecting or protecting against malicious traffic; vulnerability analysis
    • H04L41/12 Maintenance, administration or management of data switching networks: discovery or management of network topologies
    • H04L63/20 Network security: managing network security; network security policies in general


Abstract

The application provides a quantitative index optimization method for industrial control system safety, comprising an initial input step, an attack graph generation step and an industrial control safety index quantitative calculation step. The method optimizes three aspects: key asset evaluation, vulnerability threat evaluation and attack path quantization. First, the key asset evaluation calculation is optimized by combining topological-structure and service-importance information, and assets are ranked by importance to assist the optimal allocation of protection resources. Second, the CVSS evaluation framework is refined to optimize the vulnerability threat evaluation method, so that vulnerability analysts can quantify the threat degree of a vulnerability from the magnitude of its threat score and carry out protection work in time. Finally, the attack path quantization calculation is optimized to reduce the time complexity of index computation, adapting the method to large-scale industrial control networks.

Description

Quantitative index optimization method for industrial control system safety
Technical Field
The application belongs to the technical field of industrial control system safety evaluation, and particularly relates to a quantitative index optimization method for industrial control system safety.
Background
With the integration of the internet and industrial control systems, attacks on industrial control systems are increasing. To reduce the impact and loss caused by attacks as far as possible, threat analysts usually first perform a security analysis of the industrial control system: they collect the topological connection relationships and the device-related information of the system, build an attack graph model, and then use the attack graph model to complete the quantitative calculation of industrial control security indexes. Referring to the calculated industrial control safety indexes, threat analysts can allocate protection resources in a concentrated way to protect key assets and improve the security of the industrial control system. Providing accurate and efficient safety quantization indexes is therefore particularly important. Existing techniques for constructing a quantitative index system for industrial control system safety can be roughly divided into three aspects: key asset assessment, vulnerability threat assessment and attack path quantification.
Key asset assessment: a key asset is a device that occupies a core position or carries a core function in the industrial control network; once it is compromised by an attacker, it can greatly affect the normal operation of the industrial control system and disrupt the orderly operation of the critical infrastructure connected to it. Existing industrial control systems are generally distributed, and with increasingly scattered industrial control assets it is difficult to protect all of them at the same time, so only the key assets in the industrial control system can be protected in a targeted manner. There are currently three general categories of key asset assessment methods: expert experience assignment, graph index calculation and combinatorial optimization. The expert experience method has experts manually label key scores for devices; however, the labeling workload is large, and the labeled data are difficult to migrate to other industrial control systems. The graph index calculation method quantifies the importance of device nodes according to the complexity of the topological connection structure; however, it considers only the topology and not the function of the device in the industrial control system, so the calculation result lacks interpretability. The combinatorial optimization method integrates preset evaluation index results and considers comprehensive factors; however, the calculation is too complex, the time complexity is high, and it is difficult to adapt to complex industrial control scenarios.
Vulnerability threat assessment: industrial control systems were designed mainly for real-time performance, reliability and stability, with insufficient consideration of security; few security devices are deployed, and the overall protection capability of the industrial control system is weak. After an attacker initiates an attack by exploiting a vulnerability of an industrial control device, besides affecting the normal work of the attacked device, the attacker can penetrate the industrial control system through the connection relationships between devices and cause abnormal operation of the system. Currently, vulnerability threat assessment of industrial control devices usually relies on the Common Vulnerability Scoring System (CVSS), which comprehensively assesses the threat level of a vulnerability through a base score, a temporal score and an environmental score. However, the environmental score in CVSS is usually assigned from expert experience, so it is highly subjective and its numerical value is poorly interpretable. In addition, the environmental score generalizes poorly: it cannot accurately model the situation in which the same device has different environmental scores in different industrial control systems.
Attack path quantization: an attack path characterizes a finite logical sequence of attack actions adopted by an attacker against a specific target. Threat analysts quantitatively calculate attack paths in order to carry out security assessment of the industrial control system. Existing attack path quantization methods can be roughly divided into two types: quantization based on graph theory indexes and quantization based on probability assignment. The graph-theory-index method calculates the attack path length, the number of attack paths and similar quantities on the basis of an attack graph model, so that the security of each industrial control service area can be measured; the probability-assignment method uses the evaluation value obtained from vulnerability threat evaluation to calculate the probability that an attacker exploits each industrial control asset vulnerability, and finally obtains the exploitation probability of the whole attack path as the product of these probabilities.
However, the graph-theory-index calculation method is only suitable for industrial control scenarios without repeated vulnerabilities in the attack path: if a vulnerability is repeated on the path, the cost to the attacker of reusing it changes, and so the total attack cost of the path changes, making the result calculated from graph theory indexes insufficiently accurate. The probability-assignment evaluation method represents the importance of an attack path by a product of probabilities; when devices with high attack probability and devices with low attack probability both lie on the path, the cumulative multiplication can yield a very low result, and conclusions drawn from that result can mislead threat analysts into taking wrong security measures.
In summary: existing key asset assessment techniques are poorly integrated with the industrial control background, and this application gives the key asset assessment result in combination with the environment in which the industrial control device is located; device vulnerability threat assessment is highly subjective and poorly generalizable, and the vulnerability threat assessment calculation is optimized by combining the surrounding environment information of the device; and, to address the complex calculation and high time cost of attack path quantization, an accurate and efficient attack path quantization calculation method is provided. The application therefore develops a quantitative index optimization method for industrial control system safety to solve these technical problems.
Disclosure of Invention
In order to achieve the above purpose, the application adopts the following technical scheme: the quantitative index optimizing method for the industrial control system safety comprises an initial input step, an attack graph generation step and an industrial control safety index quantitative calculation step;
the attack graph generating step comprises the steps of scanning a system by adopting a vulnerability scanning tool and collecting vulnerability information of industrial control equipment; processing the topological connection relation and the equipment related information by adopting an attack graph generation algorithm to obtain an attack graph containing the topological connection relation, the equipment related information and the industrial control equipment vulnerability information;
the industrial control safety index quantitative calculation step is used for optimizing industrial control safety indexes extracted from the attack graph, wherein the industrial control safety indexes comprise key asset evaluation, vulnerability threat evaluation and attack path measurement;
the key asset assessment is used for optimizing an importance calculation method of the chemical control equipment, and the obtained assessment value is used for guiding the allocation of the protection resources; combining the critical asset evaluation value with the vulnerability triggering position analyzed from the attack graph, adopting a CVSS evaluation calculation method to obtain a vulnerability threat evaluation value, and transmitting the vulnerability threat evaluation value to attack path measurement; the attack path measurement is used for optimizing a calculation method for extracting relevant indexes of the attack path in the attack graph, and supplementing a calculation method for evaluating the real attack path length and the attack path importance of an attacker when repeated vulnerabilities exist in an industrial control environment.
Optionally, in the attack graph generating step, the attack graph is generated by a planning graph algorithm, which comprises the following steps:
step S101: starting;
step S102: inputting related information and topological connection relation of industrial control equipment;
step S103: initializing an entity set E and an operation set A, and adding related information of industrial control equipment into the entity set E;
step S104: judging whether the entity set E comprises an attack target g or not; if yes, go to step S107; if not, executing step S105;
step S105: elements in the entity set E are combined in a reasoning mode according to the vulnerability dependency relationship to obtain an operation set A;
step S106: updating the entity set E according to the operation set A, and executing step S104;
step S107: outputting an attack graph;
step S108: ending.
Optionally, an attack graph generated by adopting a planning graph algorithm is in a layered structure, the attack graph comprises an entity layer and an operation layer, the entity layer comprises entity layer elements, a set formed by the entity layer elements is defined as an entity set E, and the entity layer elements represent industrial control components capable of executing operations; the operation layer comprises operation layer elements, the set of the operation layer elements is an operation set A, and the operation layer elements represent operations which can be executed by the entity layer elements.
Optionally, the method for evaluating the key asset in the industrial control safety index quantitative calculation step includes the following steps:
step S201: starting;
step S202: inputting an attack graph;
step S203: calculating the input degree and the output degree of the node;
step S204: judging whether non-traversed nodes exist or not; if yes, go to step S203; if not, executing step S205;
step S205: calculating a topology centrality score for the device;
step S206: obtaining importance scores in the equipment business process;
step S207: weighting calculation is carried out on the topology center score of the equipment and the importance score in the equipment business process to obtain an asset importance evaluation value, and the asset importance evaluation value is output;
step S208: ending.
Optionally, in step S205, the topology centrality score of a device node is calculated according to formula 1.1:
$\mathrm{Topology\_Score}(S_i) = \mathrm{Indegree}(S_i) + \mathrm{Outdegree}(S_i)$ (1.1)
In formula 1.1, $S_i$ represents the device node, $\mathrm{Indegree}$ represents the in-degree of the device node, and $\mathrm{Outdegree}$ represents its out-degree;
in step S207, the topology centrality score of the device node and its importance score in the business process are weighted according to formula 1.2:
$\mathrm{Critical\_assets}(S_i) = w_1 \times \mathrm{Topology\_score}(S_i) + w_2 \times \mathrm{Service\_score}(S_i)$ (1.2)
In formula 1.2, $w_1$ and $w_2$ are weight coefficients, $\mathrm{Topology\_score}$ represents the topology centrality score of the device node, and $\mathrm{Service\_score}$ represents the importance score of the device node in the business process.
Optionally, the method for evaluating the vulnerability threat in the industrial control safety index quantitative calculation step includes the following steps:
step S301: combining the basic attribute of the vulnerability and the influence calculation generated after the vulnerability is utilized to obtain a basic score;
step S302: combining vulnerability restoration difficulty, alarm confidence and multiplexed vulnerability code maturity condition calculation to obtain temporary scores;
step S303: weighting and calculating the position triggered by the vulnerability and the attribute information of the attacker to obtain an environment score; wherein, the attacker attribute information comprises attack capability, security requirement, attack motivation and the like;
step S304: and adding and calculating the basic score, the temporary score and the environment score to obtain a final CVSS score.
Optionally, in step S303, the corrected vulnerability threat score is calculated from the vulnerability trigger position and the attacker attribute information, and the key asset evaluation value and the corrected vulnerability score are weighted according to formula 1.3 to obtain the vulnerability repair order. In formula 1.3:
$w_1$ and $w_2$ are the weight coefficients of the key asset score and the vulnerability threat score respectively;
$\mathrm{Critical\_asset}(S_i)$ represents the key asset assessment value of device $S_i$;
$\mathrm{CVSS}(Vul_i)$ represents the vulnerability threat score of vulnerability $Vul_i$ before correction;
$\mathrm{dis}(Vul_i)$ represents the distance between the location where vulnerability $Vul_i$ is triggered and the location where the attack starts;
the corrected score term represents the vulnerability threat score of vulnerability $Vul_i$ after correction by the trigger-position information.
Optionally, the method for quantitatively calculating the security measure of the attack path measure in the step of quantitatively calculating the industrial control security index includes the following steps:
step S401: starting;
step S402: inputting an attack graph;
step S403: initializing a vulnerability restoration set;
step S404: judging whether the vulnerability restoration set is an attack graph cut set or not; if not, executing step S405; if yes, go to step S408;
step S405: calculating unit benefits of each attack path;
step S406: finding the vulnerability $S_i$ with the highest threat score on the path with the highest unit gain;
step S407: adding vulnerability $S_i$ to the vulnerability repair set, and returning to step S404;
step S408: outputting a bug fix set;
step S409: ending.
Optionally, when there are no duplicate vulnerabilities in the attack path, the attack step count is numerically equal to the attack path length;
when a duplicate vulnerability exists on the attack path, the attack step count is smaller than the attack path length, and the attack step count ($\mathrm{Attack}_{step}$) is calculated by formula 1.4:
$\mathrm{Attack}_{step} = \mathrm{length} - \theta n$ (1.4)
In the formula, length represents the attack path length;
$\theta$ takes a value between 0 and 1: when $\theta$ is 0, reusing a vulnerability costs the attacker the same as its first use; when $\theta$ is 1, the attacker pays no extra cost for later uses of the same vulnerability;
$n$ is determined by the number of repeated occurrences of vulnerabilities: if a vulnerability appears for the second time in an attack path, $n$ is 1, and so on; if a vulnerability appears k times, the value of $n$ at the kth occurrence is k-1.
Optionally, the security measurement method defines the attack benefit as the importance scores of all devices on the attack path, and the calculation formula for the device importance scores is as follows:
where $\mathrm{Attack}_{profit}$ represents the attack benefit obtained by the attacker after completing the attack;
the unit gain of each attack path is calculated by formula 1.6:
where $\mathrm{Attack}_{step}$ represents the attack steps an attacker needs to complete the attack.
The application provides a quantitative index optimization method for industrial control system safety that optimizes three aspects: key asset evaluation, vulnerability threat evaluation and attack path quantization. First, the key asset evaluation calculation is optimized by combining topological-structure and service-importance information, and assets are ranked by importance to assist the optimal allocation of protection resources. Second, the CVSS evaluation framework is refined to optimize the vulnerability threat evaluation method, so that vulnerability analysts can quantify the threat degree of a vulnerability from the magnitude of its threat score and carry out protection work in time. Finally, the attack path quantization calculation is optimized to reduce the time complexity of index computation, adapting the method to large-scale industrial control networks.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the embodiments or the description of the prior art will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a diagram of an architecture for optimizing industrial control safety index quantization index;
FIG. 2 is a flowchart of an attack graph generation algorithm;
FIG. 3 is a schematic diagram of an industrial control system topology;
FIG. 4 is a key asset assessment flow chart;
FIG. 5 is an evaluation method of vulnerability threat evaluation;
FIG. 6 is a flowchart of a computing vulnerability fix set.
Detailed Description
In order to make the technical problems, technical schemes and beneficial effects to be solved more clear, the application is further described in detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the application.
The method for optimizing the quantization index for the safety of the industrial control system provided by the embodiment of the application is explained. Referring to fig. 1, the quantization index optimization method for industrial control system security includes an initial input step, an attack graph generation step, an industrial control security index quantization calculation step and an application step.
An initial input step, which is used for transmitting the topological connection relation of the industrial control network and the related information of the industrial control equipment to an attack graph generation step.
And an attack graph generation step, wherein the topology connection relation and the equipment related information are processed by adopting an attack graph generation algorithm to obtain an attack graph containing the topology connection relation and the equipment related information.
And the industrial control safety index quantification calculation step is used for optimizing the industrial control safety index extracted from the attack graph. The industrial control safety index comprises key asset evaluation, vulnerability threat evaluation and attack path measurement.
The key asset assessment optimizes the importance calculation method for industrial control devices, and its result can guide the allocation of protection resources to protect key assets. Specifically, key asset evaluation analyzes the topology centrality of industrial control device nodes through the attack graph and, at the same time, the service importance of the industrial control device in the business process; the topology centrality and the business importance are combined in an evaluation calculation to obtain the key asset evaluation value, which is passed to vulnerability threat evaluation.
The vulnerability threat evaluation optimizes the CVSS evaluation calculation by combining the key asset evaluation value with the vulnerability trigger position analyzed from the attack graph, obtains the vulnerability threat evaluation value, and passes it to attack path measurement.
The attack path measurement is used for optimizing a calculation method of the attack path related index extracted from the attack graph, and supplements and perfects a calculation method of an evaluation value of the real attack path length and the attack path importance of an attacker when repeated vulnerabilities exist in an industrial control environment. And finding out vulnerabilities with larger threat degrees in the critical paths by calculating the critical paths in the attack graph. After the set of the loopholes is completely repaired, threat analysts can finish attack blocking, and the optimized attack path measurement method can accurately and efficiently find out the set of the loopholes, so that the safety of an industrial control system is guaranteed to the greatest extent.
And an application step, adapting the combined security quantization index of the corresponding scene. Specifically, the key asset assessment applies to the protection of key assets; combining key asset evaluation and vulnerability threat evaluation to be applied to vulnerability repair sequencing; the combination of critical asset assessment, vulnerability threat assessment, and attack path metrics is applied to block the attack path.
Further, in the step of generating the attack graph, the design document of the industrial control system is analyzed, and the related information of the industrial control system equipment and the topological connection relation of the related information are obtained. Based on the obtained related information of the industrial control system equipment and the topological connection relation, a plurality of vulnerability scanning tools are used for scanning the system under the condition that the normal operation of the system is not affected, and vulnerability information is collected. And processing the topological connection relation and the equipment related information by adopting an attack graph generation algorithm to obtain an attack graph containing the topological connection relation, the equipment related information and the industrial control equipment vulnerability information.
An attack graph generated by adopting a planning graph algorithm is in a layered structure, the attack graph comprises an entity layer and an operation layer, the entity layer comprises entity layer elements, a set formed by the entity layer elements is defined as an entity set E, and the entity layer elements represent industrial control components capable of executing operations; the operation layer comprises operation layer elements, the set of the operation layer elements is an operation set A, and the operation layer elements represent operations which can be executed by the entity layer elements.
The specific algorithm for generating the attack graph with the planning graph algorithm, see fig. 2, comprises the following steps:
step S101: starting;
step S102: inputting related information and topological connection relation of industrial control equipment;
step S103: initializing an entity set E and an operation set A, and adding related information of industrial control equipment into the entity set E;
step S104: judging whether the entity set E comprises an attack target g or not; if yes, go to step S107; if not, executing step S105;
step S105: elements in the entity set E are combined in a reasoning mode according to the vulnerability dependency relationship to obtain an operation set A;
step S106: updating the entity set E according to the operation set A, and executing step S104;
step S107: outputting an attack graph;
step S108: ending.
In fig. 2, an arrow indicates the execution or result of an action: the entity layer (entity set E) pointing to the operation layer (operation set A) indicates that an industrial control component performs a specific operation, and the operation layer (operation set A) pointing to the entity layer (entity set E) represents the state change of the industrial control component after the operation is performed. As the attack process progresses, the entity layer continuously updates the operating state of the industrial control components, and the executable actions of the components are updated in the operation layer of the next level. The time complexity of a traditional attack graph grows exponentially as the number of nodes in the attack graph grows linearly, which performs poorly when the industrial control network structure is complex. By adopting the planning graph generation algorithm, the application can complete attack graph generation in polynomial time, which is a time advantage over traditional attack graph generation methods.
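As an added example (not the patent's own code), the following Python implements steps S101 to S108 as a planning-graph expansion: each entity layer is a set of facts, each operation layer is the set of operations whose preconditions hold, and expansion stops as soon as the attack target g is in E. The hosts, links and vulnerability labels are constructed placeholders, not real assets or CVE identifiers.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Operation:
    """Operation-layer element: an action an entity-layer component can run.

    preconditions: facts that must already be in the entity set E
    effects: facts (state changes) added to E after the operation runs
    """
    name: str
    preconditions: frozenset
    effects: frozenset


def build_attack_graph(initial_facts, operations, goal, max_layers=100):
    """Planning-graph attack graph generation following steps S101-S108.

    Returns a list of layers, each a pair (entity_set, operation_names).
    Layer 0 holds only the initial facts (S103).  Every further layer holds
    the operations whose preconditions were satisfied (S105) and the entity
    set updated with their effects (S106).  Expansion stops when the attack
    target `goal` is in E (S104 -> S107).  Returns None when a fixpoint is
    reached without the goal, i.e. the target is unreachable in the model.
    Because E grows strictly on every iteration, the loop runs at most
    |facts| times and each iteration scans all operations once, which is
    the polynomial-time behaviour the description claims for this approach.
    """
    entity_set = set(initial_facts)                          # S103
    layers = [(frozenset(entity_set), frozenset())]
    for _ in range(max_layers):
        if goal in entity_set:                               # S104
            return layers                                    # S107
        applicable = [op for op in operations                # S105
                      if op.preconditions <= entity_set]
        next_entities = set(entity_set)
        for op in applicable:
            next_entities |= op.effects                      # S106
        if next_entities == entity_set:
            return None     # nothing new derivable: goal unreachable
        layers.append((frozenset(next_entities),
                       frozenset(op.name for op in applicable)))
        entity_set = next_entities
    return None


def attack_depth(graph):
    """Number of operation layers expanded before the target entered E."""
    return len(graph) - 1


# Constructed sample scenario (placeholders): a perimeter host reaches an
# HMI, which reaches an engineering workstation, which reaches a PLC.
# "at:<host>" means the attacker controls <host>; "vuln:<host>:<label>" is
# a vulnerability fact collected by the scanning step.
SAMPLE_FACTS = frozenset({
    "at:internet",
    "link:internet-hmi", "link:hmi-engws", "link:engws-plc",
    "vuln:hmi:VULN-A", "vuln:engws:VULN-B", "vuln:plc:VULN-C",
})
SAMPLE_OPERATIONS = [
    Operation("exploit VULN-A on hmi",
              frozenset({"at:internet", "link:internet-hmi", "vuln:hmi:VULN-A"}),
              frozenset({"at:hmi"})),
    Operation("exploit VULN-B on engws",
              frozenset({"at:hmi", "link:hmi-engws", "vuln:engws:VULN-B"}),
              frozenset({"at:engws"})),
    Operation("exploit VULN-C on plc",
              frozenset({"at:engws", "link:engws-plc", "vuln:plc:VULN-C"}),
              frozenset({"at:plc"})),
]
GOAL = "at:plc"


if __name__ == "__main__":
    graph = build_attack_graph(SAMPLE_FACTS, SAMPLE_OPERATIONS, GOAL)
    for i, (entities, ops) in enumerate(graph):
        print(f"layer {i}: operations={sorted(ops)}")
    print("attack depth:", attack_depth(graph))
    # Dropping the workstation vulnerability fact (i.e. VULN-B repaired)
    # leaves the PLC unreachable, so the generator reports None.
    patched = SAMPLE_FACTS - {"vuln:engws:VULN-B"}
    print("after repairing VULN-B:",
          build_attack_graph(patched, SAMPLE_OPERATIONS, GOAL))
```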
The evaluation method for evaluating the key assets in the industrial control safety index quantitative calculation step, see fig. 4, comprises the following steps:
step S201: starting;
step S202: inputting an attack graph;
step S203: calculating the input degree and the output degree of the node;
step S204: judging whether non-traversed nodes exist or not; if yes, go to step S203; if not, executing step S205;
step S205: calculating a topology centrality score for the device;
step S206: obtaining importance scores in the equipment business process;
step S207: weighting calculation is carried out on the topology center score of the equipment and the importance score in the equipment business process to obtain an asset importance evaluation value, and the asset importance evaluation value is output;
step S208: ending.
According to the evaluation method for the key asset evaluation, firstly, an attack graph is input, equipment nodes in the attack graph are scanned, and the input degree and the output degree of the nodes are obtained through calculation. Judging whether the non-traversed nodes exist or not, if yes, continuing to scan the equipment nodes in the attack graph, and calculating to obtain the input degree and the output degree of the nodes; if the nodes are all traversed, a topology centrality Score (Topo log y_score) of the device node is calculated according to equation 1.1.
Topology_Score(S_i) = Indegree(S_i) + Outdegree(S_i)    (1.1)
In formula 1.1, S_i represents the device node, Indegree represents the in-degree of the device node, and Outdegree represents the out-degree of the device node.
The importance scores of the device nodes in the business process are assigned according to expert experience and are shown in Table 1; finally, the asset importance evaluation value of the device is obtained by weighting the topology centrality score of the device node and its importance score in the business process, which completes the evaluation of the key assets (Critical_assets).
Wherein the topology centrality score of the device node and the importance score in the business process can be weighted according to formula 1.2:
Critical_assets(S_i) = w_1 × Topology_score(S_i) + w_2 × Service_score(S_i)    (1.2)
In formula 1.2, w_1 and w_2 are weight coefficients, Topology_score represents the topology centrality score of a device node, and Service_score represents the importance score of the device node in the business process.
Based on the formula 1.2, the importance of each device in the industrial control network can be calculated, and the larger the grading value is, the more critical the device is. The protection of equipment in the industrial control network needs to consume certain protection resources, and based on a key asset evaluation technology, important industrial control assets in the network can be calculated and protected.
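The key asset evaluation of steps S203 to S207 and formulas 1.1 and 1.2, as an added Python example that is not part of the patent: it reads the directed edges off the three attack paths of Table 1 (fig. 3), computes in-degree and out-degree for every device node, and weights the topology centrality score against the business-process score. The S3 business-process score of 2 and the weights 0.5/0.5 are those of the worked example in the description; the business-process scores of the other devices and the function names are assumptions of this example.

```python
"""Key asset evaluation (steps S203 to S207, formulas 1.1 and 1.2) on the
attack graph of fig. 3.

Added example, not the patent's own code. The directed edges are read off the
three attack paths of Table 1; the business-process score of S3 (2) and the
weights 0.5 / 0.5 are those of the worked example in the description, while the
business-process scores of the other devices are constructed placeholders.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Attack paths from Table 1: each path is an ordered chain of device nodes.
ATTACK_PATHS: Dict[str, List[str]] = {
    "Path1": ["S1", "S2"],
    "Path2": ["S1", "S3", "S4", "S6"],
    "Path3": ["S1", "S3", "S5", "S7"],
}

# Expert-assigned importance in the business process (Service_score).
# S3 = 2 comes from the text; the other values are constructed for this example.
SERVICE_SCORE: Dict[str, float] = {
    "S1": 1, "S2": 1, "S3": 2, "S4": 3, "S5": 3, "S6": 4, "S7": 3,
}


def edges_from_paths(paths: Iterable[List[str]]) -> Set[Tuple[str, str]]:
    """Distinct directed edges traversed by the attack paths (the edge S1->S3 is
    shared by Path2 and Path3 and is counted once)."""
    edges: Set[Tuple[str, str]] = set()
    for path in paths:
        edges.update(zip(path, path[1:]))
    return edges


def node_degrees(edges: Iterable[Tuple[str, str]]) -> Dict[str, Tuple[int, int]]:
    """Step S203: (in-degree, out-degree) of every device node in the graph."""
    indeg: Dict[str, int] = defaultdict(int)
    outdeg: Dict[str, int] = defaultdict(int)
    nodes = set()
    for src, dst in edges:
        outdeg[src] += 1
        indeg[dst] += 1
        nodes.update((src, dst))
    return {n: (indeg[n], outdeg[n]) for n in sorted(nodes)}


def topology_score(degrees: Dict[str, Tuple[int, int]], node: str) -> int:
    """Formula 1.1: Topology_Score(S_i) = Indegree(S_i) + Outdegree(S_i)."""
    indeg, outdeg = degrees[node]
    return indeg + outdeg


def critical_assets(paths: Iterable[List[str]], service_score: Dict[str, float],
                    w1: float = 0.5, w2: float = 0.5) -> Dict[str, float]:
    """Steps S205 to S207, formula 1.2:
    Critical_assets(S_i) = w1 * Topology_score(S_i) + w2 * Service_score(S_i)."""
    degrees = node_degrees(edges_from_paths(paths))
    return {n: w1 * topology_score(degrees, n) + w2 * service_score[n] for n in degrees}


def rank_assets(scores: Dict[str, float]) -> List[str]:
    """Devices from most to least critical; ties broken by node name so the
    order is reproducible when protection resources are allocated."""
    return sorted(scores, key=lambda n: (-scores[n], n))


if __name__ == "__main__":
    scores = critical_assets(ATTACK_PATHS.values(), SERVICE_SCORE)
    for node in rank_assets(scores):
        print(f"{node}: Critical_assets = {scores[node]:.2f}")
```

With these inputs S3 has in-degree 1 and out-degree 2, topology centrality 3 and a comprehensive importance of 0.5 × 3 + 0.5 × 2 = 2.5, matching the worked example later in the description; the shared edge S1→S3 is deliberately counted once so that the in-degree of S3 stays 1.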
The assessment method for the vulnerability threat assessment in the industrial control safety index quantitative calculation step is an optimization of the CVSS vulnerability threat assessment method. The CVSS score comprises a base score (Base Score), a temporal score (Temporal Score) and an environmental score (Environment Score). The base score represents the characteristics of the vulnerability itself, which are fixed once the vulnerability is disclosed; it relates to the vulnerability itself and to the impact produced after the vulnerability is exploited. The temporal score is a value that changes over time and measures the current difficulty of exploiting the vulnerability and the availability of a repair patch. The environmental score can be adjusted according to the environment in which the device is located, and takes into account that data in the device may leak after the vulnerability is triggered. The closer the vulnerability triggering position is to a key asset, the greater the loss that may be inflicted on the industrial control system. The evaluation method therefore adds the vulnerability triggering position to the CVSS framework as an input to the environmental score calculation. The optimized vulnerability threat evaluation method is shown in fig. 5 and comprises the following steps:
step S301: combining the basic attribute of the vulnerability and the influence calculation generated after the vulnerability is utilized to obtain a basic score;
step S302: combining vulnerability restoration difficulty, alarm confidence and multiplexed vulnerability code maturity condition calculation to obtain temporary scores;
step S303: weighting and calculating the position triggered by the vulnerability and the attribute information of the attacker to obtain an environment score; wherein, the attacker attribute information comprises attack capability, security requirement, attack motivation and the like;
step S304: and adding and calculating the basic score, the temporary score and the environment score to obtain a final CVSS score.
According to the assessment method for the vulnerability threat assessment, vulnerability threat scores of all devices in the industrial control network can be calculated through vulnerability threat assessment, and vulnerability repair sequences can be obtained by sequencing according to the threat scores. Threat analysts can repair equipment vulnerabilities in sequence from large to small threat scores according to the sequencing results. In addition, vulnerability threat assessment can be combined with key asset assessment, vulnerability threat scoring of equipment and importance of the equipment are comprehensively considered, and vulnerabilities with larger threat of key equipment can be repaired preferentially.
In step S303, the corrected vulnerability threat score is calculated from the vulnerability triggering position and the attacker attribute information; the key asset evaluation value and the corrected vulnerability score are then weighted using formula 1.3, and a more accurate vulnerability repair sequence is obtained from the weighted results.
In formula 1.3, w_1 and w_2 are the weight coefficients of the key asset score and the vulnerability threat score respectively, Critical_asset(S_i) is the key asset evaluation value of device S_i, CVSS(Vul_i) is the vulnerability threat score of vulnerability Vul_i before correction, dis(Vul_i) is the distance between the position where vulnerability Vul_i is triggered and the attack starting point, and the remaining term is the vulnerability threat score of Vul_i after correction with the triggering position information.
The security measurement method of the attack path measurement optimizes the calculation method of the prior attack path index measurement, and can better simulate the change condition of the actual attack step when the repeated vulnerability exists in the attack path. The attack path metrics comprise attack path indexes including attack path length, attack path number, attack path probability and the like. The attack path length indicates how many steps the attacker needs to take to finish the sequential attack; the number of attack paths indicates how many methods an attacker can finish one attack; the attack path probability represents the size of the probability that an attacker will choose the attack path.
The method for measuring the security of the attack path in the industrial control security index quantification calculation step, see fig. 6, comprises the following steps:
step S401: starting;
step S402: inputting an attack graph;
step S403: initializing a vulnerability restoration set;
step S404: judging whether the vulnerability restoration set is an attack graph cut set or not; if not, executing step S405; if yes, go to step S408;
step S405: calculating unit benefits of each attack path;
step S406: finding out the vulnerability Si with the highest threat score on the unit income maximum path;
step S407: adding the vulnerability Si into the vulnerability restoration set, and executing step S404;
step S408: outputting a bug fix set;
step S409: and (5) ending.
According to the method, the optimized key asset evaluation values and vulnerability threat evaluation values are used as the input of attack path quantification, so that the critical paths in the industrial control system and the high-threat vulnerabilities on those paths can be located; once threat analysts repair such a vulnerability, an attacker can no longer launch an attack through the path on which it lies. A set of such vulnerabilities is defined as a vulnerability set; if threat analysts only need to repair all elements of the vulnerability set to prevent every possible attack an attacker could initiate, the vulnerability set is a vulnerability cut set. The optimized attack path quantification method can efficiently calculate the vulnerability cut set, and the safety of the industrial control system is remarkably improved.
When there are no repeated vulnerabilities in the attack path, the attack step is numerically equal to the attack path length. When repeated vulnerabilities exist on the attack path, the attacker encounters a device vulnerability that has already been exploited earlier on the path, and the cost of exploiting the repeated vulnerability is lower than that of the first exploitation. That is, when repeated vulnerabilities exist in the attack path, the attack step is smaller than the attack path length. Combining the above cases, the calculation formula of the attack step (Attack_step) is shown as 1.4.
Attack_step = length - θn    (1.4)
In the formula, length represents the attack path length, and θ takes a value between 0 and 1: when θ is 0, the cost of an attacker's repeated exploitation of a vulnerability is the same as that of the first exploitation; when θ is 1, the attacker pays no extra cost when subsequently exploiting the same vulnerability. n is related to the number of repeated occurrences of vulnerabilities: if a vulnerability appears for the second time in an attack path, the value of n is 1, and so on; if the vulnerability appears k times, the value of n at the k-th occurrence is k-1.
The attacker usually selects paths with fewer attack steps to launch the attack, and the attack paths possibly selected by the attacker can be obtained by calculating the optimized attack steps. The threat analyst can calculate the attack steps of all attack paths in the attack graph, and the fewer the attack steps, the greater the possibility of the attacker to choose, and the threat analyst can repair the loopholes on the attack paths preferentially.
When an attacker completes one attack, all devices on the attack path are attacked. The security metric method defines the attack benefit (Attack_profit) as the importance score of all devices on the attack path. The importance score of the devices can be obtained with the key asset assessment method, and the calculation formula is shown as 1.5.
By comprehensively considering the attack steps and attack benefits of a single attack path, the preference of an attacker can be accurately guessed, and the attacker often chooses as few attack steps as possible to acquire as much attack benefits as possible. Threat analysts can calculate unit benefits of each attack path by using the formula 1.6, and the larger the unit benefits are, the larger the probability that the attack path is selected by an attacker is indicated, so that vulnerability restoration is preferentially carried out on the path.
By calculating the unit benefits, the attack paths can be ranked according to the unit benefits, and the paths with large unit benefits are preferentially selected for key protection. By combining the vulnerability threat assessment method, threat scores of all equipment vulnerabilities on the attack path can be accurately given, and threat analysts can select vulnerabilities with the largest vulnerability threat scores on the attack path to repair. At this time, since a device vulnerability on the path is repaired, the attack path is already disconnected, and an attacker cannot launch an attack by using the attack path, so that the threat analysis personnel completes the attack interception of the path. Repeating the above process, a set of vulnerability cutsets can be found, all attack paths are cut off, and a flowchart of calculating vulnerability repair sets is shown in fig. 6.
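The attack path measurement of formulas 1.4 to 1.6, the weighting of formula 1.3 described at step S303, and the greedy vulnerability cut set of steps S403 to S408, as one added Python example that is not part of the patent. The three paths and the two CVE ids are from the description; the weights 0.4/0.6, the S3 importance 2.5 and its corrected CVSS 6.2 follow the worked example in the description. All other importance values and corrected CVSS values are constructed placeholders, and because the page does not reproduce formulas 1.3, 1.5 and 1.6, the weighted-sum threat, sum-of-importance profit and profit-per-step unit benefit used here are this example's reading of the text, not the patent's own formulas.

```python
"""Attack-path measurement (formulas 1.4 to 1.6) and the greedy vulnerability
cut set of steps S403 to S408, run on the three paths of Table 1.

Added example, not the patent's own code. The weights 0.4/0.6, the S3
importance 2.5 and its corrected CVSS 6.2 follow the worked example in the
description; the other importance values and corrected CVSS values are
constructed placeholders. The page does not reproduce formulas 1.3, 1.5 and
1.6, so the readings stated in the docstrings below are assumptions.
"""
from collections import Counter
from typing import Dict, List, Set, Tuple

ATTACK_PATHS: Dict[str, List[str]] = {
    "Path1": ["S1", "S2"],
    "Path2": ["S1", "S3", "S4", "S6"],
    "Path3": ["S1", "S3", "S5", "S7"],
}

# Critical_asset(S_i) values: S3 = 2.5 is from the text, the rest constructed.
IMPORTANCE: Dict[str, float] = {
    "S1": 1.5, "S2": 1.0, "S3": 2.5, "S4": 2.5, "S5": 2.5, "S6": 2.5, "S7": 2.0,
}

# host -> (vulnerability id, CVSS score after trigger-position correction).
# S3's 6.2 is from the text (distance 1 leaves it unchanged); S1 is the attack
# start and carries no vulnerability; the remaining scores are constructed.
VULNS: Dict[str, Tuple[str, float]] = {
    "S2": ("CVE-2022-31124", 7.0), "S3": ("CVE-2012-5536", 6.2),
    "S4": ("VULN-S4", 5.0), "S5": ("VULN-S5", 5.5),
    "S6": ("VULN-S6", 4.0), "S7": ("VULN-S7", 4.5),
}


def composite_threat(importance: float, cvss_corrected: float,
                     w1: float = 0.4, w2: float = 0.6) -> float:
    """Formula 1.3 as applied in the worked example (assumed form):
    w1 * Critical_asset(S_i) + w2 * corrected CVSS(Vul_i)."""
    return w1 * importance + w2 * cvss_corrected


def attack_step(path: List[str], vulns, theta: float = 0.5) -> float:
    """Formula 1.4: Attack_step = length - theta * n, where length is the number
    of hops and n counts repeated occurrences (k occurrences contribute k - 1)."""
    length = len(path) - 1
    counts = Counter(vulns[h][0] for h in path if h in vulns)
    n = sum(c - 1 for c in counts.values())
    step = length - theta * n
    if step <= 0:
        raise ValueError("attack step must be positive; check theta and the path")
    return step


def attack_profit(path: List[str], importance) -> float:
    """Formula 1.5 (assumed form): sum of the importance scores of all devices
    on the path, since all of them are attacked."""
    return sum(importance[h] for h in path)


def unit_benefit(path, importance, vulns, theta: float = 0.5) -> float:
    """Formula 1.6 (assumed form): attack profit per attack step."""
    return attack_profit(path, importance) / attack_step(path, vulns, theta)


def rank_paths(paths, importance, vulns, theta: float = 0.5) -> List[str]:
    """Paths ordered from most to least attractive to the attacker."""
    return sorted(paths, key=lambda p: -unit_benefit(paths[p], importance, vulns, theta))


def open_paths(paths, vulns, repaired: Set[str]) -> Dict[str, List[str]]:
    """Paths containing no repaired vulnerability, i.e. still usable."""
    return {name: p for name, p in paths.items()
            if not any(vulns[h][0] in repaired for h in p if h in vulns)}


def vulnerability_cut_set(paths, importance, vulns, theta: float = 0.5) -> List[str]:
    """Steps S403-S408: while the repair set is not a cut set (S404), take the
    open path with the highest unit benefit (S405), repair its highest-threat
    vulnerability (S406/S407) and repeat."""
    repaired: Set[str] = set()
    while True:
        remaining = open_paths(paths, vulns, repaired)
        if not remaining:                                   # S404: cut set reached
            return sorted(repaired)
        best = max(remaining, key=lambda p: unit_benefit(remaining[p], importance, vulns, theta))
        vulnerable = [h for h in remaining[best] if h in vulns]
        if not vulnerable:
            raise ValueError(f"{best} has no vulnerability to repair; it cannot be cut")
        host = max(vulnerable, key=lambda h: composite_threat(importance[h], vulns[h][1]))
        repaired.add(vulns[host][0])                        # S407


if __name__ == "__main__":
    print("ranking:", rank_paths(ATTACK_PATHS, IMPORTANCE, VULNS))
    print("cut set:", vulnerability_cut_set(ATTACK_PATHS, IMPORTANCE, VULNS))
```

With these constructed inputs the ranking is Path2 > Path3 > Path1, the first repair is CVE-2012-5536 on S3 (composite threat 0.4 × 2.5 + 0.6 × 6.2 = 4.72), which cuts both Path2 and Path3, and the second is CVE-2022-31124 on S2, reproducing the cut set given in the description's worked example; the `attack_step` guard matters because a path whose vulnerabilities are all repeats can drive the step to zero when θ = 1.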
The present application is illustrated by the example industrial control system of fig. 3. Fig. 3 contains 7 nodes, each representing an industrial control component: S1, S2 and S3 are PC hosts; S4 is an operator workstation (denoted OWS), which monitors and operates the production equipment through the configuration used in the industrial control flow; S5 is a supervisory control and data acquisition system (denoted SCADA), mainly responsible for production data acquisition, production process monitoring and equipment abnormality alarms; S6 and S7 are programmable logic controllers (denoted PLC), which control the underlying devices. All attack paths in the example industrial control system can be found with the planning graph algorithm, and they are listed in Table 1.
Table 1: attack paths contained in the industrial control system
Attack path sequence number Attack path representation
Path1 S1→S2
Path2 S1→S3→S4→S6
Path3 S1→S3→S5→S7
Taking the industrial control system of fig. 3 as an example, it is easy to see that the in-degree of device node S3 is 1 and its out-degree is 2, so the topology centrality of node S3 is 3; S3 is a PC host responsible for running the corresponding workflow in the industrial control system, and its business importance is 2. The topology centrality score and the business importance of the node are then weighted: assuming the weight coefficients w_1 and w_2 of the industrial control system are both taken as 0.5, the comprehensive importance score of S3 is calculated as 2.5, and the other device nodes are calculated in the same way. Following the asset assessment flow of fig. 4, the comprehensive importance scores of all industrial control devices can be calculated; threat analysts can sort by importance score, protect the devices and assets with high importance scores first, and thus allocate limited protection resources optimally.
The key asset evaluation gives S3 an importance score of 2.5. Device S3 carries the vulnerability CVE-2012-5536, whose CVSS score is 6.2; the distance between the position where the vulnerability is triggered and the attack starting point S1 is 1, and the corrected CVSS score is 6.2. Weighting the importance score and the vulnerability threat score with formula 1.3 gives the comprehensive threat value of the vulnerability: taking the weight coefficients w_1 and w_2 as 0.4 and 0.6, the comprehensive threat value of CVE-2012-5536 is 4.72, and the other vulnerabilities are calculated in the same way. Threat analysts can order vulnerabilities according to the calculated results, for example repairing them in order of comprehensive threat value from largest to smallest.
Three attack paths are obtained with the planning graph algorithm, the evaluation values of the key asset evaluation technique are output, and, combining formulas 1.5 and 1.6, the unit benefit ranking of the three attack paths is Path2 > Path3 > Path1. The vulnerabilities on Path2 are therefore repaired first; calculating according to formula 1.3, the vulnerability CVE-2012-5536 of device S3 has the greatest threat degree and needs to be repaired first. After the threat analyst repairs this vulnerability, the attacker can no longer complete an attack using Path2 or Path3. The vulnerability with the greatest threat degree on the remaining attack path is then calculated again, in the same way as above: the vulnerability CVE-2022-31124 of device S2 on Path1 needs to be repaired. At this point the attacker cannot complete an attack through any attack path, and the vulnerability cut set is {CVE-2012-5536, CVE-2022-31124}.
The application provides a quantitative index optimization method for industrial control system safety, which starts from an attack graph generation algorithm, quantifies industrial control safety indexes, optimizes, calculates and evaluates the process, combines physical connection information and business importance of equipment, so that threat analysts master the behavior and intention of an attacker from a global angle, and fully knows the current threat situation of the industrial control system. The key asset assessment method is adopted, and is tightly combined with the industrial control business process background; by adopting the vulnerability threat assessment technology, more accurate and reasonable threat assessment values can be given; by adopting the attack path quantization technology, an accurate self-consistent attack path measurement method can be provided.
The foregoing description of the preferred embodiments of the application is not intended to be limiting, but rather is intended to cover all modifications, equivalents, and alternatives falling within the spirit and principles of the application.

Claims (10)

1. The quantization index optimization method for industrial control system safety comprises an initial input step and is characterized in that: the method also comprises an attack graph generation step and an industrial control safety index quantification calculation step;
the attack graph generating step comprises the steps of scanning a system by adopting a vulnerability scanning tool and collecting vulnerability information of industrial control equipment; processing the topological connection relation and the equipment related information by adopting an attack graph generation algorithm to obtain an attack graph containing the topological connection relation, the equipment related information and the industrial control equipment vulnerability information;
the industrial control safety index quantitative calculation step is used for optimizing industrial control safety indexes extracted from the attack graph, wherein the industrial control safety indexes comprise key asset evaluation, vulnerability threat evaluation and attack path measurement;
the key asset assessment is used for optimizing an importance calculation method of the industrial control equipment, and the obtained assessment value is used for guiding the allocation of the protection resources; combining the critical asset evaluation value with the vulnerability triggering position analyzed from the attack graph, adopting a CVSS evaluation calculation method to obtain a vulnerability threat evaluation value, and transmitting the vulnerability threat evaluation value to attack path measurement; the attack path measurement is used for optimizing a calculation method for extracting relevant indexes of the attack path in the attack graph, and supplementing a calculation method for evaluating the real attack path length and the attack path importance of an attacker when repeated vulnerabilities exist in an industrial control environment.
2. The quantitative index optimization method for industrial control system security as claimed in claim 1, wherein: the attack graph generating step is to generate an attack graph by adopting a planning graph algorithm, wherein the planning graph algorithm comprises the following steps:
step S101: starting;
step S102: inputting related information and topological connection relation of industrial control equipment;
step S103: initializing an entity set E and an operation set A, and adding related information of industrial control equipment into the entity set E;
step S104: judging whether the entity set E comprises an attack target g or not; if yes, go to step S107; if not, executing step S105;
step S105: elements in the entity set E are combined in a reasoning mode according to the vulnerability dependency relationship to obtain an operation set A;
step S106: updating the entity set E according to the operation set A, and executing step S104;
step S107: outputting an attack graph;
step S108: and (5) ending.
3. The quantitative index optimization method for industrial control system security as claimed in claim 2, wherein: an attack graph generated by adopting a planning graph algorithm is in a layered structure, the attack graph comprises an entity layer and an operation layer, the entity layer comprises entity layer elements, a set formed by the entity layer elements is defined as an entity set E, and the entity layer elements represent industrial control components capable of executing operations; the operation layer comprises operation layer elements, the set of the operation layer elements is an operation set A, and the operation layer elements represent operations which can be executed by the entity layer elements.
4. The quantitative index optimization method for industrial control system security as claimed in claim 1, wherein: the assessment method for key asset assessment in the industrial control safety index quantitative calculation step comprises the following steps:
step S201: starting;
step S202: inputting an attack graph;
step S203: calculating the input degree and the output degree of the node;
step S204: judging whether non-traversed nodes exist or not; if yes, go to step S203; if not, executing step S205;
step S205: calculating a topology centrality score for the device;
step S206: obtaining importance scores in the equipment business process;
step S207: weighting calculation is carried out on the topology center score of the equipment and the importance score in the equipment business process to obtain an asset importance evaluation value, and the asset importance evaluation value is output;
step S208: and (5) ending.
5. The quantitative index optimization method for industrial control system security as claimed in claim 4, wherein: in step S205, a topology centrality score for the device node is calculated according to equation 1.1,
Topology_Score(S_i) = Indegree(S_i) + Outdegree(S_i)    (1.1)
in formula 1.1, S_i represents the device node, Indegree represents the in-degree of the device node, and Outdegree represents the out-degree of the device node;
in step S207, the topology centrality score of the device node and the importance score in the business process are weighted according to formula 1.2:
Critical_assets(S_i) = w_1 × Topology_score(S_i) + w_2 × Service_score(S_i)    (1.2)
in formula 1.2, w_1 and w_2 are weight coefficients, Topology_score represents the topology centrality score of a device node, and Service_score represents the importance score of the device node in the business process.
6. The quantitative index optimization method for industrial control system security as claimed in claim 1, wherein: the assessment method for vulnerability threat assessment in the industrial control safety index quantitative calculation step comprises the following steps:
step S301: combining the basic attribute of the vulnerability and the influence calculation generated after the vulnerability is utilized to obtain a basic score;
step S302: combining vulnerability restoration difficulty, alarm confidence and multiplexed vulnerability code maturity condition calculation to obtain temporary scores;
step S303: weighting and calculating the position triggered by the vulnerability and the attribute information of the attacker to obtain an environment score; wherein, the attacker attribute information comprises attack capability, security requirement, attack motivation and the like;
step S304: and adding and calculating the basic score, the temporary score and the environment score to obtain a final CVSS score.
7. The quantitative index optimization method for industrial control system security as claimed in claim 6, wherein: in step S303, the corrected vulnerability threat score is calculated by using the vulnerability triggered position and the attacker attribute information, and the key asset evaluation value and the corrected vulnerability score are weighted according to formula 1.3, so as to obtain a vulnerability repair sequence:
w_1 and w_2 are the weight coefficients of the key asset score and the vulnerability threat score respectively; Critical_asset(S_i) represents the key asset evaluation value of device S_i; CVSS(Vul_i) represents the vulnerability threat score of vulnerability Vul_i before correction; dis(Vul_i) represents the distance between the position where vulnerability Vul_i is triggered and the attack starting point; and the remaining term represents the vulnerability threat score of Vul_i after correction with the triggering position information.
8. The quantitative index optimization method for industrial control system security as claimed in claim 1, wherein: the security measurement method for the attack path measurement in the industrial control security index quantitative calculation step comprises the following steps:
step S401: starting;
step S402: inputting an attack graph;
step S403: initializing a vulnerability restoration set;
step S404: judging whether the vulnerability restoration set is an attack graph cut set or not; if not, executing step S405; if yes, go to step S408;
step S405: calculating unit benefits of each attack path;
step S406: finding out the vulnerability Si with the highest threat score on the unit income maximum path;
step S407: adding the vulnerability Si into the vulnerability restoration set, and executing step S404;
step S408: outputting a bug fix set;
step S409: and (5) ending.
9. The quantitative index optimization method for industrial control system security as claimed in claim 8, wherein:
when no repeated loopholes exist in the attack path, the attack step is equal to the attack path length in value;
when there is a repeated vulnerability on the attack path, the attack step is smaller than the attack path length, and the calculation formula of the attack step (Attack_step) is shown as 1.4:
Attack_step = length - θn    (1.4)
in the formula, length represents the attack path length;
the value of theta is between 0 and 1, and when the value of theta is 0, the price of the repeated utilization of the vulnerability by an attacker is the same as that of the first utilization; when θ is 1, it means that the attacker does not need to pay extra cost when using the same vulnerability later;
n is related to the occurrence number of repeated vulnerabilities, if a vulnerability appears for the second time in an attack path, the value of n is 1, and the like, if the vulnerability appears for k times repeatedly, the value of n in the kth time is k-1.
10. The quantitative index optimization method for industrial control system security as claimed in claim 8, wherein: the security measurement method defines the attack benefit as the importance scores of all devices on the attack path, and the calculation formula of the importance scores of the devices is as follows:
wherein: attack profit Representing the attack income obtained by an attacker after the attacker finishes the attack;
the unit gain for each attack path is calculated using equation 1.6:
wherein: attack step Indicating that an attacker has completed the attack steps required for an attack.
CN202310575103.XA 2023-05-18 2023-05-18 Quantitative index optimization method for industrial control system safety Pending CN116886329A (en)

Publications (1)

Publication Number Publication Date
CN116886329A true CN116886329A (en) 2023-10-13

Family

ID=88255631

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117113363A (en) * 2023-10-24 2023-11-24 深圳海云安网络安全技术有限公司 Third party component vulnerability ranking method based on scenerized multifactor
CN117113363B (en) * 2023-10-24 2024-02-06 深圳海云安网络安全技术有限公司 Third party component vulnerability ranking method based on scenerized multifactor


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination