工业控制系统安全评估流程 i g u th 5 b m o .c 关于绿盟科技 北京神州绿盟信息安全科技股份有限公司（以下简称绿盟科技公司），成立于 2000 年 4 月， 总部位于北京。公司于 2014 年 1 月 29 日在深圳证券交易所创业板上市，证券代码：300369。 绿盟科技在国内设有 40 多个分支机构，为政府、运营商、金融、能源、互联网以及教育、医疗 等行业用户，提供全线网络安全产品、全方位安全解决方案和体系化安全运营服务。公司在美国 硅谷、日本东京、英国伦敦、新加坡设立海外子公司，深入开展全球业务，打造全球网络安全行 业的中国品牌。 u th i g 版权声明 5 b 为避免合作伙伴及客户数据泄露，所有数据在进行分析前都已经过匿名化处理，不会在中 间环节出现泄露，任何与客户有关的具体信息，均不会出现在本报告中。 m o .c 工业控制系统安全评估流程 目录 CONTENTS 目录 1. 综述 ·······································································································································································1 2. 目标定义与系统评定 ············································································································································3 2.1 目标定义······················································································································································································· 4 2.2 系统评定与分类 ·········································································································································································· 5 m o .c 3. 资产评估 ·······························································································································································6 3.1 资产识别与分类 ·········································································································································································· 7 3.2 网络拓扑审查··············································································································································································· 8 3.3 数据流审查··················································································································································································· 8 5 b 3.4 风险资产预筛··············································································································································································· 8 4. 脆弱性评估 ···························································································································································9 u th 4.1 安全策略脆弱性 ········································································································································································ 11 i g 4.2 架构与设计脆弱性 ···································································································································································· 12 4.3 配置与维护脆弱性 ···································································································································································· 12 4.4 物理环境脆弱性 ········································································································································································ 13 4.5 产品开发过程脆弱性 ································································································································································ 14 4.6 通信与配置脆弱性 ···································································································································································· 14 5. 风险场景构建 ·····················································································································································16 5.1 威胁评估····················································································································································································· 17 5.2 攻击向量评估············································································································································································· 18 5.3 威胁事件构建············································································································································································· 19 5.4 风险场景构建············································································································································································· 20 A 工业控制系统安全评估流程 目录 CONTENTS 6. 风险计算与缓解策略 ··········································································································································25 6.1 风险计算····················································