Особливості оцінки ризику в автоматизованих системах керування технологічними процесами
Вантажиться...
Дата
2018
ORCID
DOI
10.20998/2413-4295.2018.16.18
Науковий ступінь
Рівень дисертації
Шифр та назва спеціальності
Рада захисту
Установа захисту
Науковий керівник
Члени комітету
Видавець
НТУ "ХПІ"
Анотація
У даній статті наведено особливості оцінювання ризиків, що виникають при впливі кібератак на автоматизовані системи керування технологічними процесами (АСК ТП). Описані відмінності при оцінці ризиків типових ІТ-систем та АСК ТП. Наведено потенційні наслідки інцидентів у АСК ТП. Проведено аналіз наслідків порушення технологічного процесу в АСК ТП у зв’язку з кібер-інцидентом. Обґрунтовано важливість врахування нецифрових (аналогових) складових АСК ТП при оцінці впливу кібер-інциденту. Проаналізовано важливість врахування розповсюдження впливу на пов’язані системи та процеси.
This paper provides special considerations that organizations have to pay attention for while doing risk assessment. The culture of safety and safety assessments is well established within the majority of the Industrial Control Systems (ICS) user community. Information security risk assessments should be seen as complementary to such assessments though the assessments may use different approaches and cover different areas. Safety assessments are concerned primarily with the physical world. Information security risk assessments primarily look at the digital world. However, in an ICS environment, the physical and the digital are intertwined and significant overlap may occur. It is important that organizations consider all aspects of risk management for safety (e.g., risk framing, risk tolerances), as well as the safety assessment results, when carrying out risk assessments for information security. The personnel responsible for the information security risk assessment must be able to identify and communicate identified risks that could have safety implications. Conversely, the personnel charged with safety assessments must be familiar with the potential physical impacts and their likelihood developed by the information security risk assessment process. This paper describes potentional physical impacts of an ISC incident, shows impact, physical disruption of an ICS process can made. It demonstrates importancy of incorporating non-digital aspects of ICS into impact evaluations, provides main categories of non-digital ICS control component and shows basic considerations when considering the possible mitigation effects of non-digital control mechanisms. Also, this paper considering the propagation of impact to connected systems.
This paper provides special considerations that organizations have to pay attention for while doing risk assessment. The culture of safety and safety assessments is well established within the majority of the Industrial Control Systems (ICS) user community. Information security risk assessments should be seen as complementary to such assessments though the assessments may use different approaches and cover different areas. Safety assessments are concerned primarily with the physical world. Information security risk assessments primarily look at the digital world. However, in an ICS environment, the physical and the digital are intertwined and significant overlap may occur. It is important that organizations consider all aspects of risk management for safety (e.g., risk framing, risk tolerances), as well as the safety assessment results, when carrying out risk assessments for information security. The personnel responsible for the information security risk assessment must be able to identify and communicate identified risks that could have safety implications. Conversely, the personnel charged with safety assessments must be familiar with the potential physical impacts and their likelihood developed by the information security risk assessment process. This paper describes potentional physical impacts of an ISC incident, shows impact, physical disruption of an ICS process can made. It demonstrates importancy of incorporating non-digital aspects of ICS into impact evaluations, provides main categories of non-digital ICS control component and shows basic considerations when considering the possible mitigation effects of non-digital control mechanisms. Also, this paper considering the propagation of impact to connected systems.
Опис
Ключові слова
безпека, інцидент, кібер-інцидент, інформаційні технології, бізнес-система, security, cyber-incident
Бібліографічний опис
Грудзинський Ю. Є. Особливості оцінки ризику в автоматизованих системах керування технологічними процесами / Ю. Є. Грудзинський, А. М. Шулепа // Вісник Національного технічного університету "ХПІ". Серія: Нові рішення в сучасних технологіях = Bulletin of the National Technical University "KhPI". Series: New solutions in modern technology : зб. наук. пр. – Харків : НТУ "ХПІ", 2018. – № 16 (1292). – С. 117-121.