資訊與工控資通安全風險管理機制評估

Evaluation of Information and Industry Security Risk Management Methodology

魏銪志(Yu-Chih Wei)；吳易昇(Yi-Shng Wu)；祝亞琪(Ya-Chi Chu)

工業資訊安全 ； 資訊安全流程 ； 資訊安全 ； Industrial Information Security ； Information Security Process ； Information Security

資訊安全通訊

26卷4期（2020 / 12 / 01）

17 - 33

繁體中文

在物聯網及工業4.0的趨勢下，將IT與OT兩大領域進行結合，然而這也使得資訊安全的事件頻傳，這些事件讓資訊安全不得不成為OT必面對的問題。本研究透過比較OT領域工業系統安全風險管理標準IEC 62443-3-2、IT領域資訊安全ISO/IEC 27005、Risk IT Framework以及NIST SP800-39評估整合型資通安全風險管理方法應關注的重點，針對OT與IT標準中的風險管理流程、關注的粒度、分級方式、風險控制措施及各標準所針對目標分析其異同，提出ISO/IEC 27005對應至IEC 62443-3-2的應用，提供組織OT與IT結合的概念，以降低組織在工業領域的資訊與網路安全風險，減少企業組織因資安事件所帶來的龐大損失，提升資訊安全防護的品質，確保組織資訊與網路的安全，進而使組織能永續經營。

Under the trend of Internet of Things and Industry 4.0, two major fields, IT and OT, are integrated. However, this has also led to frequent information security incidents, and these incidents have made information security an issue that OT must face. This research compares the risk management standard IEC 62443-3-2 for industrial system security in OT domain, ISO/IEC 27005 for information security in IT domain, Risk IT Framework and NIST SP800- 39 to evaluate the key concerns of integrated information security risk management approach, and focuses on the risk management process, granularity of concerns, and classification methods in OT and IT standards. We propose the application of ISO/IEC 27005 to IEC 62443-3-2 to provide organizations with the concept of integrating OT and IT to reduce information and network security risks in industrial areas, reduce the huge losses caused by information security incidents, and improve information security. It also improves the quality of information security protection and ensures the security of organization information and network, thus enabling organizations to operate sustainably.

1. ISO(2018).ISO, ISO 31000: Risk management — Guidelines. 2018..
   連結：
2. Anderson, D.(2017).COSO ERM: Getting risk management right: Strategy and organizational performance are the heart of the updated framework.Internal Auditor,74(5),-38.
3. IEC(2009).IEC, IEC 62443 Security for Industrial Automation and Control Systems. 2009-2018, Internation Electrotechnical Commission..
4. IEC(2010).IEC, IEC 62443-2-1 Industrial communication networks-Network and system security: Establishing an industrial automation and control system security program. 2010, Internation Electrotechnical Commission..
5. IEC(2020).IEC, IEC 62443-3-2 Security for industrial automation and control systems: Security risk assessment for system design. 2020, Internation Electrotechnical Commission..
6. IEC(2018).IEC, IEC 62443-2-2 Security for industrial automation and control systems: IACS protection levels. 2018, International Electrotechnical Commission..
7. IEC(2009).IEC, IEC/TR 62443-3-1 Security Technologies for Industrial Automation and Control Systems. 2009, Internation Electrotechnical Commission..
8. ISACA(2020).ISACA, Risk IT Framework. 2020..
9. ISO/IEC(2018).ISO/IEC, ISO/IEC 27005 Information technology — Security techniques — Information security risk management. 2018, International Organization for Standardization and International Electrotechnical Commission..
10. ISO/IEC(2013).ISO/IEC, ISO/IEC 27001 Information technology — Security techniques — Information security management systems — Requirements. 2013, International Organization for Standardization and International Electrotechnical Commission..
11. NIST(2011).NIST, Special Publication 800-39: Managing Information Security Risk-Organization, Mission, and Information System View. 2011, NIST..
12. 王宏仁. 【臺灣史上最大資安事件】深度剖析台積產線中毒大當機始末 (下) . 2018; https://www.ithome.com.tw/news/125101.
13. 羅正漢. 【2020 十大資安趨勢 3：OT 安全】工控環境正面臨真實發生的資安威脅，勒索軟體來勢洶洶. 2020; https://www.ithome.com.tw/news/135175.

1. 葉錫勳,郭文中,宋明軒(2021)。智慧電網之資訊安全標準的研究分析。資訊安全通訊，27(3)，1-20。