一种轨道列车车载通信系统信息安全风险评估方法

doi:10.3969/j.issn.1673-4440.2024.04.010

铁路通信信号工程技术 ›› 2024, Vol. 21 ›› Issue (4): 57-62,95.DOI: 10.3969/j.issn.1673-4440.2024.04.010

一种轨道列车车载通信系统信息安全风险评估方法

阎士奇

中车青岛四方车辆研究所有限公司，山东青岛 266000

收稿日期:2022-12-01 修回日期:2024-02-06 出版日期:2024-04-25 发布日期:2024-04-25
作者简介:阎士奇（1988—），男，工程师，硕士，主要研究方向：列车网络控制系统研发，邮箱：liamyan1027@163.com。
基金资助:
中车青岛四方车辆研究所有限公司系统研制项目（2021SRI146）

Cyber Security Risk Assessment Approach for Rolling Stock Onboard Communication Systems

Yan Shiqi

CRRC Qingdao Sifang Rolling Stock Research Institute Co., Ltd., Qingdao 266000, China

Received:2022-12-01 Revised:2024-02-06 Online:2024-04-25 Published:2024-04-25

摘要/Abstract

摘要： 提出一种基于通用漏洞评价系统（Common Vulnerability Scoring System, CVSS）的列车车载通信系统信息安全风险评估方法，详细介绍该方法的工作流程，开展缺陷概率评估、缺陷影响评估，得出各系统缺陷的风险范围所对应的信息安全等级，并最终应用到某国外地铁车载通信系统项目的信息安全风险评估活动中，为后续开展系统优化活动以及采取优化措施后的信息安全风险再定位奠定基础。

关键词: 信息安全风险, 缺陷概率和影响评估, CVSS, 列车车载通信系统

Abstract: This paper proposes a cyber security risk assessment methodology for rolling stock onboard communication systems based on the Common Vulnerability Scoring System (CVSS), introduces the workflow of the method in detail, and carries out defect probability and impact assessment, and also derives the cyber security level corresponding to the risk range of each system defect. Finally, it is applied to cyber security risk assessment activities of an overseas metro onboard communication system project, laying a foundation for the subsequent system optimization activities and cyber security risk repositioning after taking optimization measures.

Key words: cyber security threat, defect probability and impact assessment, Common Vulnerability Scoring System (CVSS), rolling stock onboard communication system

中图分类号:

U285.8

阎士奇. 一种轨道列车车载通信系统信息安全风险评估方法[J]. 铁路通信信号工程技术, 2024, 21(4): 57-62,95.

Yan Shiqi. Cyber Security Risk Assessment Approach for Rolling Stock Onboard Communication Systems[J]. Railway Signalling & Communication Engineering, 2024, 21(4): 57-62,95.

图/表 5

参考文献

[1] CVSS Special Interest Group. Common Vulnerability Scoring System[EB/OL]. (2019-6-30)[2022.12.01]. https://www.first.org/cvss/.
[2] ANSI/ISA. Technical Security Requirements for IACS Components: IEC 62443-4-2[S]. Genève: International Electrotechnical Commission, 2019.
[3] ANSI/ISA. Terminology, Concepts and Models: IEC 62443-1-1[S]. Genève: International Electrotechnical Commission, 2009.
[4] Sánchez-García I D,Mejía J,San Feliu Gilabert T.Cybersecurity Risk Assessment:a Systematic Mapping Review,Proposal,and Validation[J].Applied Sciences,2022,13(1):395.
[5] Wang Jiali,Neil M,Fenton N.A Bayesian Network Approach for Cybersecurity Risk Assessment Implementing and Extending the FAIR Model[J].Computers & Security, 2020(89):101659.
[6] Goel R,Kumar A,Haddow J.PRISM:a Strategic Decision Framework for Cybersecurity Risk Assessment[J].Information & Computer Security,2020,28(4):591-625.
[7] Praerit Garg, Loren Kohnfelder. The STRIDE Threat Model[EB/OL]. (2009-12-11) [2022-12-01]. https://learn.microsoft.com/en-us.
[8]李鹤田，刘云，何德全.信息系统安全风险评估研究综述[J].中国安全科学学报，2006，16（1）：108-113.
Li Hetian, Liu Yun, He Dequan. Review on Study of Risk Evaluation for IT System Security[J]. China Safety Science Journal(CSSJ), 2006, 16(1): 108-113.
[9]赵小军，黄天天，马金鑫.列控系统信息安全风险分析与防护技术探讨[J].铁路通信信号工程技术，2022，19（9）：46-50.
Zhao Xiaojun, Huang Tiantian, Ma Jinxin.Information Security Risk Analysis and Protection Technology of Chinese Train Control System[J]. Railway Signalling & Communication Engineering, 2022, 19(9): 46-50.
[10]宋绍华.铁路信号系统区域边界信息安全风险评估[J].铁路通信信号工程技术，2022，19（4）：38-42.
Song Shaohua. Risk Assessment of Regional Boundary Information Security of Railway Signal Systems[J]. Railway Signalling & Communication Engineering, 2022, 19(4): 38-42.
[11]王锋.CBTC信号系统信息安全问题分析[J].铁路通信信号工程技术，2023，20（1）：95-98，109.
Wang Feng. Information Security Analysis of CBTC Signal System[J]. Railway Signalling& Communication Engineering, 2023, 20(1): 95-98, 109.
[12]张利，姚轶崭，彭建芬，等.基于决策树的智能信息安全风险评估方法[J].清华大学学报(自然科学版)，2011，51（10）：1236-1239.
Zhang Li, Yao Yizhan, Peng Jianfen, et al. Intelligent Information Security Risk Assessment Based on a Decision Tree Algorithm[J]. Journal of Tsinghua University (Science and Technology), 2011, 51(10): 1236-1239.
[13]邝香琦.CBTC系统信息安全风险评估方法研究[D].北京:北京交通大学，2018.
[14]迟蒙超.城市轨道交通列控系统信息安全态势评估方法研究[D].北京:北京交通大学，2021.
[15]许辉.铁路综合视频监控系统网络安全建设的研究[J].铁路通信信号工程技术，2023，20（5）：39-43.
Xu Hui. Research on Cyber-security of Railway Integrated Video Monitoring System[J]. Railway Signalling & Communication Engineering, 2023, 20(5): 39-43.
[16]Von Solms R, Van Niekerk J.From Information Security to Cyber Security[J].Computers and Security, 2013(38):97-102.
[17]Shameli-Sendi A, Aghababaei-Barzegar R, Cheriet M.Taxonomy of Information Security Risk Assessment (ISRA)[J].Computers and Security, 2016, 57(C):14-30.
[18]Susanto H, Almunawar M, Tuan Y.Information Security Management System Standards:a Comparative Study of the Big Five[J].International Journal of Electrical Computer Sciences IJECS-IJENS, 2011, 11(5):23-29.
[19]Northern B, Burks T, Hatcher M, et al.VERCASM-CPS:Vulnerability Analysis and Cyber Risk Assessment for Cyber-Physical Systems[J].Information, 2021, 12(10):408.
[20] Petersen K, Vakkalanka S, Kuzniarz L.Guidelines for Conducting Systematic Mapping Studies in Software Engineering:an Update[J].Information and Software Technology, 2015(64):1-18.
[21]Lee C K.Introduction of a Cyber Security Risk Analysis and Assessment System for Digital I & C Systems in Nuclear Power Plants[J].IFAC Proceedings Volumes, 2013, 46(9):2140-2144.
[22]Cayirci E, Garaga A, De Oliveira A S, et al.A Risk Assessment Model for Selecting Cloud Service Providers[J].Journal of Cloud Computing:Advances,Systems and Applications, 2016, 5(1):64.
[23]Roldán-Molina G, Almache-Cueva M, Silva-Rabadão C, et al.A Comparison of Cybersecurity Risk Analysis Tools[J].Procedia Computer Science, 2017(121):568-575.
[24]Hayes D R,Cappa F.Open-Source Intelligence for Risk Assessment[J].Business Horizons, 2018, 61(5):689-697.

一种轨道列车车载通信系统信息安全风险评估方法

Cyber Security Risk Assessment Approach for Rolling Stock Onboard Communication Systems

PDF

可视化

摘要/Abstract

引用本文

使用本文

图/表 5

参考文献

相关文章 2

编辑推荐

Metrics

本文评价

[1]	李想, 赵京京. 铁路信号安全数据网网络管理系统优化方案研究[J]. 铁路通信信号工程技术, 2023, 20(12): 26-30,42.
[2]	张乐军. 铁路视频资源联网共享技术方案研究[J]. 铁路通信信号工程技术, 2022, 19(9): 41-45,63.