Industrial control devices (ICDs) are widely used in many industrial facilities such as petrochemical factories, power generation plants, water treatment plants, and transportation systems. The cyber security of such devices directly affects industrial production, which affects our economic security as well as our national security. This paper describes common cyber security issues in these devices and the root causes of these issues. The effects of cyber attacks are also analyzed for attacks from the information space and the physical space connected to the ICDs. Finally, security evaluation techniques are given including standards, evaluation methods and certifications along with future research challenges.
Luders S. Stuxnet and the impact on accelerator control systems [C]// Proceedings of the 13th Conference on Accelerator and Large Experimental Physics Control Systems. Geneva, Switzerland: JACoW, 2011: 1285-1288.
Kube N, Yoo K, Hoffman D. Automated testing of industrial control devices: The Delphi database [C]// Proceedings of 6th IEEE/ACM International Workshop on Automation of Software Test. New York, USA: Association for Computing Machinery Press, 2011: 71-76.
IEC62443. Security for Industrial Automation and Control Systems[S]. Geneva, Switzerland: International Electrotechnical Commission, 2010.
ICS-CERT. Control system internet accessibility [Z/OL]. (2012-11-20), http://www.cs.unh.edu/~it666/reading_list/ Physical/cert_scada_shodan_alert.pdf.
Florian S, MA Zhengdong, Thomas B, et al.A survey on threats and vulnerabilities in smart metering infrastructures[J]. International Journal of Smart Grid and Clean Energy, 2012, 1(1): 22-28.
Sifferlin A. Wireless medical devices vulnerable to hacking [Z/OL]. (2013-04-22), http://www.toppatch.com/wp-content/uploads/2012/04/2012_Wireless-Medical-Devices-Vulnerable-to-Hacking-_-TIME.pdf.
Radcliffe J. Hacking medical devices for fun and insulin: Breaking the human SCADA system [Z/OL]. (2013-04-30), http://cs.uno.edu/~dbilar/BH-US-2011/materials/Radcliffe/BH_US_11_Radcliffe_Hacking_Medical_Devices_WP.pdf.
National Institute of Standards and Technology. Guide to Industrial Control Systems (ICS) Security[M]. Gaithersburg, USA: NIST, 2011.
Rajkumar R, Lee I, Lui S, et al.Cyber-physical systems: The next computing revolution [C]// Proceedings of 47th Conference on Design Automation Conference. Piscataway, USA: IEEE Press, 2010: 731-736.
ANSI/ISA 99. Security forIndustrial Automation and Control Systems[S]. Research Triangle Park, USA: the International Society of Automation, 2007.
International Instrument User's Association. Process control domain-security requirements for vendors [Z/OL]. (2013-05-22), http://osgug.ucaiug.org/conformity/security/Shared%20Documents/WIB%20M2784%20PCS%20Vendor Security%20v2.pdf.
吴世忠. 信息安全测评认证的十年求索[J]. 信息安全与保密通信, 2007, 1(6): 5-8. WU Shizhong. Decade research of testing, evaluation and certification of information security[J]. Information Security and Communications Privacy, 2007, 1(6): 5-8.
冯登国. 信息安全测评理论与技术专辑前言[J]. 计算机学报, 2009, 32(4): 1-4. FENG Dengguo. The foreword of information security evaluation theory and techniques[J]. Chinese Journal of Computers, 2009, 32(4): 1-4.
ISA Security Compliance Institute. ISA secure embedded device security assurance certification [Z/OL]. (2013-05-11), http://www.isa.org/filestore/asci/isci/ISCI%20ISASecure%20ECSA%20Certification%20brochure.pdf.
Wurldtech Security Inc. Achilles practices certification [Z/OL]. (2013-03-15), http://www.wurldtech.com/product_services/certify_educate/achilles_practices_certification/.