
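Defense-in-depth strategy for industrial network security: the SCADA system network of the West-to-East Gas Pipeline as an example
Cite this article: LIANG Yi, WANG Lei, ZHAO Lianbin, MA Jian. Defense-in-depth strategy for industrial network security: the SCADA system network of the West-to-East Gas Pipeline as an example[J]. Oil & Gas Storage and Transportation, 2019(6): 692-696.
Authors: LIANG Yi  WANG Lei  ZHAO Lianbin  MA Jian
Affiliations: West-East Gas Pipeline Company, China Petroleum Pipeline Co. Ltd.; Sunshine International Business Co. Ltd.
Abstract: As the network security situation and its challenges grow increasingly severe and complex, the traditional single-point defense strategy for industrial networks can no longer meet current network security needs. Drawing on the multi-layered ("three-dimensional") security protection concept from the Internet field and on the protection characteristics of industrial networks, a scheme for building defense in depth in industrial networks is proposed: deploy a whitelist-based security system on industrial control terminals, set access control policies based on the principle of least privilege in the local area network, and add threat-mitigating network security tools at the network boundary. The scheme was applied to the SCADA system network of the West-to-East Gas Pipeline, which underwent 4 penetration tests and withstood attacks by worms such as WannaCry and Petya. The results show that a network security protection strategy based on defense in depth can effectively protect against attacks from both outside and inside the industrial system, greatly improving the security and reliability of the SCADA system industrial network.

Keywords: industrial network  network security  defense in depth  terminal protection  LAN protection  boundary protection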

In-depth defense strategy for industrial network security: a case study on the SCADA system network of West-to-East Gas Pipeline
LIANG Yi, WANG Lei, ZHAO Lianbin, MA Jian. In-depth defense strategy for industrial network security: a case study on the SCADA system network of West-to-East Gas Pipeline[J]. Oil & Gas Storage and Transportation, 2019(6): 692-696.
Authors:LIANG Yi  WANG Lei  ZHAO Lianbin  MA Jian
Institution:(West-East Gas Pipeline Company, China Petroleum Pipeline Co. Ltd.;Sunshine International Business Co. Ltd.)
Abstract: The traditional single-point defense strategy for industrial networks no longer suits the current network security situation, as the threats and challenges become increasingly severe and complicated. In this paper, a scheme for building defense in depth in the industrial network is proposed, based on the particular protection characteristics of industrial networks and on the concept of three-dimensional security protection from the Internet field. In this scheme, a whitelist-based security system is deployed on the industrial control terminals, an access control policy based on the principle of least privilege is set up in the local area network (LAN), and tools that mitigate threats are added at the network boundary. The scheme was applied to the SCADA system network of the West-to-East Gas Pipeline, where it went through 4 penetration tests and attacks by worm viruses such as WannaCry and Petya. The results indicate that a network security protection strategy based on defense in depth can effectively protect the industrial system from external and internal attacks, and that it greatly improves the security and reliability of the industrial SCADA system network.
Keywords:industrial network  network security  defense in depth  terminal protection  LAN protection  network boundary protection
This article is indexed in CNKI, VIP and other databases.