Guide to Industrial Control Systems (ICS) Security [NIST SP 800-82 R2] [JPCERT Japanese translation]
NIST Special Publication 800-82
Revision 2
Guide to Industrial Control
Systems (ICS) Security
Supervisory Control and Data Acquisition (SCADA) Systems, Distributed Control Systems (DCS),
and Other Control System Configurations such as Programmable Logic Controllers (PLC)
Keith Stouffer
Victoria Pillitteri
Suzanne Lightman
Marshall Abrams
Adam Hahn
This publication is available free of charge from:
http://dx.doi.org/10.6028/NIST.SP.800-82r2
Japanese translation:
JPCERT Coordination Center (general incorporated association)
Japan Computer Emergency Response Team Coordination Center
Digitally signed by: Japan Computer Emergency Response Team Coordination Center
DN: c=JP, st=Tokyo, l=Chiyoda-ku, email=office@jpcert.or.jp, o=Japan Computer Emergency Response Team Coordination Center, cn=Japan Computer Emergency Response Team Coordination Center
Date: 2016.04.12 09:20:04 +09'00'
NIST Special Publication 800-82
Revision 2
Guide to Industrial Control Systems
(ICS) Security
Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and
other control system configurations such as Programmable Logic Controllers (PLC)
Keith Stouffer
Intelligent Systems Division
Engineering Laboratory
Victoria Pillitteri
Suzanne Lightman
Computer Security Division
Information Technology Laboratory
Marshall Abrams
The MITRE Corporation
Adam Hahn
Washington State University
This publication is available free of charge from:
http://dx.doi.org/10.6028/NIST.SP.800-82r2
May 2015
U.S. Department of Commerce
Penny Pritzker, Secretary
National Institute of Standards and Technology
Willie May, Under Secretary of Commerce for Standards and Technology and Director
SPECIAL PUBLICATION 800-82 REVISION 2 GUIDE TO INDUSTRIAL CONTROL SYSTEMS (ICS) SECURITY
v
Authority
This publication has been developed by NIST to further its statutory responsibilities under the Federal
Information Security Modernization Act (FISMA) of 2014, 44 U.S.C. § 3541 et seq., Public Law (P.L.)
113-283. NIST is responsible for developing information security standards and guidelines, including
minimum requirements for federal information systems, but such standards and guidelines shall not apply
to national security systems without the express approval of appropriate federal officials exercising policy
authority over such systems. This guideline is consistent with the requirements of the Office of
Management and Budget (OMB) Circular A-130, Section 8b(3), Securing Agency Information Systems, as
analyzed in Circular A-130, Appendix IV: Analysis of Key Sections. Supplemental information is provided
in Circular A-130, Appendix III, Security of Federal Automated Information Resources.
Nothing in this publication should be taken to contradict the standards and guidelines made mandatory and
binding on federal agencies by the Secretary of Commerce under statutory authority. Nor should these
guidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce,
Director of the OMB, or any other federal official. This publication may be used by nongovernmental
organizations on a voluntary basis and is not subject to copyright in the United States. Attribution would,
however, be appreciated by NIST.
National Institute of Standards and Technology Special Publication 800-82, Revision 2
Natl. Inst. Stand. Technol. Spec. Publ. 800-82, Rev. 2, 247 pages (May 2015)
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-82r2
CODEN: NSPUE2
Certain commercial entities, equipment, or materials may be identified in this document in order to describe
an experimental procedure or concept adequately. Such identification is not intended to imply
recommendation or endorsement by NIST, nor is it intended to imply that the entities, materials, or
equipment are necessarily the best available for the purpose.
There may be references in this publication to other publications currently under development by NIST in
accordance with its assigned statutory responsibilities. The information in this publication, including
concepts and methodologies, may be used by federal agencies even before the completion of such
companion publications. Thus, until each publication is completed, current requirements, guidelines, and
procedures, where they exist, remain operative. For planning and transition purposes, federal agencies may
wish to closely follow the development of these new publications by NIST.
Organizations are encouraged to review all draft publications during public comment periods and provide
feedback to NIST. All NIST Computer Security Division publications, other than the ones noted above, are
available at http://csrc.nist.gov/publications.
Comments on this publication may be submitted to:
National Institute of Standards and Technology
Attn: Computer Security Division, Information Technology Laboratory
100 Bureau Drive (Mail Stop 8930) Gaithersburg, MD 20899-8930
Electronic Mail: nist800-82rev2comments@nist.gov
Reports on Computer Systems Technology
The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology
(NIST) promotes the U.S. economy and public welfare by providing technical leadership for the Nation’s
measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of
concept implementations, and technical analyses to advance the development and productive use of
information technology. ITL’s responsibilities include the development of management, administrative,
technical, and physical standards and guidelines for the cost-effective security and privacy of other than
national security-related information in federal information systems. The Special Publication 800-series
reports on ITL’s research, guidelines, and outreach efforts in information system security, and its
collaborative activities with industry, government, and academic organizations.
Abstract
This document provides guidance on how to secure Industrial Control Systems (ICS), including
Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and
other control system configurations such as Programmable Logic Controllers (PLC), while addressing their
unique performance, reliability, and safety requirements. The document provides an overview of ICS and
typical system topologies, identifies typical threats and vulnerabilities to these systems, and provides
recommended security countermeasures to mitigate the associated risks.
Keywords
Computer security; distributed control systems (DCS); industrial control systems (ICS); information
security; network security; programmable logic controllers (PLC); risk management; security controls;
supervisory control and data acquisition (SCADA) systems
Acknowledgments for Revision 2
The authors gratefully acknowledge and appreciate the significant contributions from individuals and
organizations in the public and private sectors, whose thoughtful and constructive comments improved the
overall quality, thoroughness, and usefulness of this publication. A special acknowledgement to Lisa Kaiser,
Department of Homeland Security, the Department of Homeland Security Industrial Control System Joint
Working Group (ICSJWG), and Office of the Deputy Undersecretary of Defense for Installations and
Environment, Business Enterprise Integration Directorate staff, Daryl Haegley and Michael Chipley, for
their exceptional contributions to this publication.
Acknowledgments for Previous Versions
The original authors, Keith Stouffer, Joe Falco, and Karen Scarfone of NIST, wish to thank their colleagues
who reviewed drafts of the original version of the document and contributed to its technical content. The
authors would particularly like to acknowledge Tim Grance, Ron Ross, Stu Katzke, and Freemon Johnson
of NIST for their keen and insightful assistance throughout the development of the document. The authors
also gratefully acknowledge and appreciate the many contributions from the public and private sectors
whose thoughtful and constructive comments improved the quality and usefulness of the publication. The
authors would particularly like to thank the members of ISA99. The authors would also like to thank the
UK National Centre for the Protection of National Infrastructure (CPNI) for allowing portions of the Good
Practice Guide on Firewall Deployment for SCADA and Process Control Network to be used in the
document as well as ISA for allowing portions of the ISA-62443 Standards to be used in the document.
Note to Readers
This document is the second revision to NIST SP 800-82, Guide to Industrial Control Systems (ICS)
Security. Updates in this revision include:
Updates to ICS threats and vulnerabilities.
Updates to ICS risk management, recommended practices, and architectures.
Updates to current activities in ICS security.
Updates to security capabilities and tools for ICS.
Additional alignment with other ICS security standards and guidelines.
New tailoring guidance for NIST SP 800-53, Revision 4 security controls, including the introduction of overlays.
An ICS overlay for NIST SP 800-53, Revision 4 security controls that provides tailored security control baselines for Low, Moderate, and High impact ICS.
This document has been translated with the aim of following the original English text faithfully, but its completeness and accuracy are not guaranteed. JPCERT/CC assumes no responsibility for any loss or damage arising from the information contained in this document.
Table of Contents
Executive Summary .............................................................................................................................. 1
エグゼクティブサマリー ......................................................................................................................... 2
1. Introduction ..................................................................................................................................... 9
1.1 Purpose and Scope ................................................................................................................................... 9
1.2 Audience ................................................................................................................................................... 9
1. ã¯ã˜ã‚ã« .......................................................................................................................................... 10
1.1 目的åŠã³é©ç”¨ç¯„囲 ................................................................................................................................. 10
1.2 対象者 ................................................................................................................................................... 10
1.3 Document Structure ................................................................................................................................ 11
1.3 文書ã®æ§‹æˆ ............................................................................................................................................ 12
2. Overview of Industrial Control Systems .................................................................................... 13
2.1 Evolution of Industrial Control Systems ................................................................................................... 13
2. 産業用制御システムã®æ¦‚è¦............................................................................................................. 14
2.1 産業用制御システムã®é€²åŒ– ................................................................................................................... 14
2.2 ICS Industrial Sectors and Their Interdependencies ............................................................................... 15
2.2.1 Manufacturing Industries ............................................................................................................. 15
2.2.2 Distribution Industries .................................................................................................................. 15
2.2.3 Differences between Manufacturing and Distribution ICS ............................................................ 15
2.2.4 ICS and Critical Infrastructure Interdependencies ....................................................................... 15
2.2 ICS ã®ç”£æ¥­éƒ¨é–€ã¨ãã®ç›¸äº’ä¾å­˜æ€§ ......................................................................................................... 16
2.2.1 製造業界 .................................................................................................................................... 16
2.2.2 é…é€æ¥­ç•Œ .................................................................................................................................... 16
2.2.3 製造 ICS ã¨é…é€ ICS ã®ç›¸é• ...................................................................................................... 16
2.2.4 ICS ã¨é‡è¦ã‚¤ãƒ³ãƒ•ãƒ©ã®ç›¸äº’ä¾å­˜æ€§ ............................................................................................. 16
2.3 ICS Operation and Components ............................................................................................................. 17
2.3 ICS ã®æ“作åŠã³ã‚³ãƒ³ãƒãƒ¼ãƒãƒ³ãƒˆ ............................................................................................................ 18
2.3.1 ICS System Design Considerations ............................................................................................. 19
2.3.1 ICS ã®ã‚·ã‚¹ãƒ†ãƒ è¨­è¨ˆä¸Šã®è€ƒæ…®äº‹é … ............................................................................................. 20
2.3.2 SCADA Systems .......................................................................................................................... 21
2.3.2 SCADA ...................................................................................................................................... 22
2.3.3 Distributed Control Systems ........................................................................................................ 31
2.3.3 分散制御システム ..................................................................................................................... 32
2.3.4 Programmable Logic Controller Based Topologies...................................................................... 35
2.3.4 プログラムå¯èƒ½è«–ç†ã‚³ãƒ³ãƒˆãƒ­ãƒ¼ãƒ©ãƒ™ãƒ¼ã‚¹ã®ãƒˆãƒãƒ­ã‚¸ãƒ¼ ............................................................ 36
2.4 Comparing ICS and IT Systems Security ................................................................................................ 39
2.4 ICS システム㨠IT システムã®ã‚»ã‚­ãƒ¥ãƒªãƒ†ã‚£æ¯”較.................................................................................. 40
2.5 Other Types of Control Systems ............................................................................................................. 45
2.5 別種ã®åˆ¶å¾¡ã‚·ã‚¹ãƒ†ãƒ  ............................................................................................................................. 46
3. ICS Risk Management and Assessment..................................................................................... 49
3.1 Risk Management ................................................................................................................................... 49
3. ICS ã®ãƒªã‚¹ã‚¯ç®¡ç†ã¨ãƒªã‚¹ã‚¯è©•ä¾¡ ...................................................................................................... 50
3.1 ãƒªã‚¹ã‚¯ç®¡ç† ............................................................................................................................................ 50
3.2 Introduction to the Risk Management Process ........................................................................................ 51
3.2 リスク管ç†ãƒ—ロセスã®ç´¹ä»‹ ................................................................................................................... 52
3.3 Special Considerations for Doing an ICS Risk Assessment .................................................................... 55
3.3.1 Safety within an ICS Information Security Risk Assessment ....................................................... 55
3.3 ICS リスク評価ã®å®Ÿæ–½ã«éš›ã—ã¦ã®ç‰¹åˆ¥ãªè€ƒæ…®äº‹é … ............................................................................... 56
SP800-82 第2版 産業用制御システム(ICS)セキュリティガイド
xii
3.3.1 ICS 情報セキュリティリスク評価ã«ãŠã‘る安全性 .................................................................... 56
3.3.2 Potential Physical Impacts of an ICS Incident ............................................................................. 57
3.3.3 Impact of Physical Disruption of an ICS Process ......................................................................... 57
3.3.2 ICS インシデントã«ã‚ˆã‚‹ç‰©ç†çš„影響ã®å¯èƒ½æ€§ ........................................................................... 58
3.3.3 ICS プロセスã®ç‰©ç†çš„中断ã«ã‚ˆã‚‹å½±éŸ¿ ...................................................................................... 58
3.3.4 Incorporating Non-digital Aspects of ICS into Impact Evaluations ............................................... 59
3.3.4 ICS ã®éžãƒ‡ã‚¸ã‚¿ãƒ«é¢ã‚’影響評価ã«å«ã‚ã‚‹ .................................................................................. 60
3.3.5 Incorporating the Impact of Safety Systems ................................................................................ 61
3.3.6 Considering the Propagation of Impact to Connected Systems ................................................... 61
3.3.5 安全システムã®å½±éŸ¿ã‚’å«ã‚ã‚‹.................................................................................................... 62
3.3.6 接続システムã¸ã®å½±éŸ¿æ³¢åŠã«å¯¾ã™ã‚‹è€ƒæ…® .................................................................................. 62
4. ICS Security Program Development and Deployment .............................................................. 63
4. ICS セキュリティプログラムã®é–‹ç™ºåŠã³å±•é–‹ ................................................................................ 64
4.1 Business Case for Security ..................................................................................................................... 65
4.1.1 Benefits ................................................................................................................................................ 65
4.1 セキュリティã®äº‹æ¥­äº‹ä¾‹ ...................................................................................................................... 66
4.1.1 便益 ................................................................................................................................................... 66
4.1.2 Potential Consequences .............................................................................................................. 67
4.1.2 生ã˜å¾—ã‚‹çµæžœ............................................................................................................................. 68
4.1.3 Resources for Building Business Case ........................................................................................ 69
4.1.4 Presenting the Business Case to Leadership .............................................................................. 69
4.1.3 事業事例作æˆã®ãŸã‚ã®ãƒªã‚½ãƒ¼ã‚¹ ................................................................................................ 70
4.1.4 事業事例を組織ã®é•·ã«æ示ã™ã‚‹ ................................................................................................ 70
4.2 Build and Train a Cross-Functional Team ............................................................................................... 71
4.3 Define Charter and Scope ....................................................................................................................... 71
4.2 機能横断ãƒãƒ¼ãƒ ã®çµ„æˆãƒ»æ•™è‚²è¨“ç·´ ........................................................................................................ 72
4.3 憲章åŠã³é©ç”¨ç¯„囲ã®æ˜Žç¢ºåŒ– ................................................................................................................... 72
4.4 Define ICS-specific Security Policies and Procedures ............................................................................ 73
4.5 Implement an ICS Security Risk Management Framework ..................................................................... 73
4.4 ICS 固有ã®ã‚»ã‚­ãƒ¥ãƒªãƒ†ã‚£ãƒãƒªã‚·ãƒ¼åŠã³æ‰‹é †ã®æ˜Žç¢ºåŒ– ............................................................................ 74
4.5 ICS セキュリティリスク管ç†ä½“制ã®å®Ÿè¡Œ.............................................................................................. 74
4.5.1 Categorize ICS Systems and Networks Assets ........................................................................... 75
4.5.2 Select ICS Security Controls ....................................................................................................... 75
4.5.1 ICS システムã¨ãƒãƒƒãƒˆãƒ¯ãƒ¼ã‚¯è³‡ç”£ã®åˆ†é¡ž .................................................................................. 76
4.5.2 ICS セキュリティ管ç†ã®é¸æŠž .................................................................................................... 76
4.5.3 Perform Risk Assessment ........................................................................................................... 77
4.5.4 Implement the Security Controls .................................................................................................. 77
4.5.3 リスク評価実施 ......................................................................................................................... 78
4.5.4 セキュリティ管ç†ã®å®Ÿè£… ........................................................................................................... 78
5. ICS Security Architecture ............................................................................................................ 79
5.1 Network Segmentation and Segregation ................................................................................................. 79
5. ICS セキュリティアーキテクãƒãƒ£ .................................................................................................. 80
5.1 ãƒãƒƒãƒˆãƒ¯ãƒ¼ã‚¯ã®åˆ†å‰²ã¨åˆ†é›¢ ................................................................................................................... 80
5.2 Boundary Protection ................................................................................................................................ 83
5.2 境界ã®ä¿è­· .............................................................................................................................................. 84
5.3 Firewalls .................................................................................................................................................. 85
5.3 ファイアウォール ................................................................................................................................. 86
5.4 Logically Separated Control Network ...................................................................................................... 89
5.4 è«–ç†çš„ã«åˆ†é›¢ã•ã‚ŒãŸåˆ¶å¾¡ãƒãƒƒãƒˆãƒ¯ãƒ¼ã‚¯ ................................................................................................. 90
5.5 Network Segregation ............................................................................................................................... 91
5.5.1 Dual-Homed Computer/Dual Network Interface Cards (NIC) ...................................................... 91
5.5.2 Firewall between Corporate Network and Control Network ......................................................... 91
SPECIAL PUBLICATION 800-82 REVISION 2 GUIDE TO INDUSTRIAL CONTROL SYSTEMS (ICS) SECURITY
xiii
5.5 ãƒãƒƒãƒˆãƒ¯ãƒ¼ã‚¯ã®åˆ†é›¢ ............................................................................................................................. 92
5.5.1 デュアルホームドコンピュータ/デュアルãƒãƒƒãƒˆãƒ¯ãƒ¼ã‚¯ã‚¤ãƒ³ã‚¿ãƒ•ã‚§ãƒ¼ã‚¹ã‚«ãƒ¼ãƒ‰ï¼ˆNIC) .......... 92
5.5.2 ä¼æ¥­ãƒãƒƒãƒˆãƒ¯ãƒ¼ã‚¯ã¨åˆ¶å¾¡ãƒãƒƒãƒˆãƒ¯ãƒ¼ã‚¯é–“ã®ãƒ•ã‚¡ã‚¤ã‚¢ã‚¦ã‚©ãƒ¼ãƒ«.................................................. 92
5.5.3 Firewall and Router between Corporate Network and Control Network ....................................... 95
5.5.3 ä¼æ¥­ãƒãƒƒãƒˆãƒ¯ãƒ¼ã‚¯ã¨åˆ¶å¾¡ãƒãƒƒãƒˆãƒ¯ãƒ¼ã‚¯é–“ã®ãƒ•ã‚¡ã‚¤ã‚¢ã‚¦ã‚©ãƒ¼ãƒ«ã¨ãƒ«ãƒ¼ã‚¿ ...................................... 96
5.5.4 Firewall with DMZ between Corporate Network and Control Network ......................................... 97
5.5.4 ä¼æ¥­ãƒãƒƒãƒˆãƒ¯ãƒ¼ã‚¯ã¨åˆ¶å¾¡ãƒãƒƒãƒˆãƒ¯ãƒ¼ã‚¯é–“ã® DMZ 付ãファイアウォール ................................. 98
5.5.5 Paired Firewalls between Corporate Network and Control Network .......................................... 101
5.5.5 ä¼æ¥­ãƒãƒƒãƒˆãƒ¯ãƒ¼ã‚¯ã¨åˆ¶å¾¡ãƒãƒƒãƒˆãƒ¯ãƒ¼ã‚¯é–“ã®ãƒšã‚¢ãƒ¼ãƒ‰ãƒ•ã‚¡ã‚¤ã‚¢ã‚¦ã‚©ãƒ¼ãƒ« ................................. 102
5.5.6 Network Segregation Summary ................................................................................................. 103
5.6 Recommended Defense-in-Depth Architecture ..................................................................................... 103
5.5.6 Network Segregation Summary ..................................................................................................... 104
5.6 Recommended Defense-in-Depth Architecture ......................................................................................... 104
5.7 General Firewall Policies for ICS ........................................................................................................... 105
5.7 General Firewall Policies for ICS ............................................................................................................... 106
5.8 Recommended Firewall Rules for Specific Services ............................................................................. 109
5.8 Recommended Firewall Rules for Specific Services ................................................................................. 110
5.8.1 Domain Name System (DNS) .................................................................................................... 111
5.8.2 Hypertext Transfer Protocol (HTTP) .......................................................................................... 111
5.8.3 FTP and Trivial File Transfer Protocol (TFTP) ........................................................................... 111
5.8.4 Telnet ......................................................................................................................................... 111
5.8.1 Domain Name System (DNS) ........................................................................................................ 112
5.8.2 Hypertext Transfer Protocol (HTTP) .............................................................................................. 112
5.8.3 FTP and Trivial File Transfer Protocol (TFTP) ............................................................................... 112
5.8.4 Telnet ............................................................................................................................................. 112
5.8.5 Dynamic Host Configuration Protocol (DHCP)........................................................................... 113
5.8.6 Secure Shell (SSH) .................................................................................................................... 113
5.8.7 Simple Object Access Protocol (SOAP) .................................................................................... 113
5.8.8 Simple Mail Transfer Protocol (SMTP) ...................................................................................... 113
5.8.9 Simple Network Management Protocol (SNMP) ........................................................................ 113
5.8.5 Dynamic Host Configuration Protocol (DHCP) .............................................................................. 114
5.8.6 Secure Shell (SSH) ........................................................................................................................ 114
5.8.7 Simple Object Access Protocol (SOAP) ........................................................................................ 114
5.8.8 Simple Mail Transfer Protocol (SMTP) .......................................................................................... 114
5.8.9 Simple Network Management Protocol (SNMP) ............................................................................ 114
5.8.10 Distributed Component Object Model (DCOM) ........................................................................ 115
5.8.11 SCADA and Industrial Protocols .............................................................................................. 115
5.9 Network Address Translation (NAT) ...................................................................................................... 115
5.8.10 Distributed Component Object Model (DCOM) ............................................................................ 116
5.8.11 SCADA and Industrial Protocols .................................................................................................. 116
5.9 Network Address Translation (NAT) .......................................................................................................... 116
5.10 Specific ICS Firewall Issues ................................................................................................................ 117
5.10.1 Data Historians ........................................................................................................................ 117
5.10.2 Remote Support Access .......................................................................................................... 117
5.10.3 Multicast Traffic ........................................................................................................................ 117
5.10 Specific ICS Firewall Issues .................................................................................................................... 118
5.10.1 Data Historians ............................................................................................................................ 118
5.10.2 Remote Support Access .............................................................................................................. 118
5.10.3 Multicast Traffic ............................................................................................................................ 118
5.11 Unidirectional Gateways ..................................................................................................................... 119
5.12 Single Points of Failure ....................................................................................................................... 119
5.13 Redundancy and Fault Tolerance ...................................................................................................... 119
5.11 Unidirectional Gateways .......................................................................................................................... 120
SP 800-82 Revision 2 Guide to Industrial Control Systems (ICS) Security
5.12 Single Points of Failure ............................................................................................................................ 120
5.13 Redundancy and Fault Tolerance ............................................................................................................ 120
5.14 Preventing Man-in-the-Middle Attacks ................................................................................................ 121
5.14 Preventing Man-in-the-Middle Attacks ..................................................................................................... 122
5.15 Authentication and Authorization ......................................................................................................... 125
5.15 Authentication and Authorization ............................................................................................................. 126
5.15.1 ICS Implementation Considerations ................................................................................................. 127
5.16 Monitoring, Logging, and Auditing ....................................................................................................... 127
5.17 Incident Detection, Response, and System Recovery ........................................................................ 127
5.15.1 ICS Implementation Considerations ............................................................................................ 128
5.16 Monitoring, Logging, and Auditing ........................................................................................................... 128
5.17 Incident Detection, Response, and System Recovery ............................................................................ 128
6. Applying Security Controls to ICS ........................................................................................... 129
6.1 Executing the Risk Management Framework Tasks for Industrial Control Systems ............................. 129
6. Applying Security Controls to ICS ................................................................................................ 130
6.1 Executing the Risk Management Framework for Industrial Control Systems ............................................ 130
6.1.1 Step 1: Categorize Information System ..................................................................................... 131
6.1.1 Step 1: Categorize Information System ......................................................................................... 132
6.1.2 Step 2: Select Security Controls ................................................................................................ 135
6.1.2 Step 2: Select Security Controls .................................................................................................... 136
6.1.3 Step 3: Implement Security Controls ......................................................................................... 137
6.1.4 Step 4: Assess Security Controls............................................................................................... 137
6.1.5 Step 5: Authorize Information System ....................................................................................... 137
6.1.3 Step 3: Implement Security Controls ............................................................................................. 138
6.1.4 Step 4: Assess Security Controls .................................................................................................. 138
6.1.5 Step 5: Authorize Information System ........................................................................................... 138
6.1.6 Step 6: Monitor Security Controls .............................................................................................. 139
6.2 Guidance on the Application of Security Controls to ICS ...................................................................... 139
6.1.6 Step 6: Monitor Security Controls .................................................................................................. 140
6.2 Guidance on the Application of Security Controls to ICS .......................................................................... 140
6.2.1 Access Control........................................................................................................................... 143
6.2.1 Access Control .............................................................................................................................. 144
6.2.2 Awareness and Training ............................................................................................................ 153
6.2.3 Audit and Accountability ............................................................................................................ 153
6.2.2 Awareness and Training ................................................................................................................ 154
6.2.3 Audit and Accountability ................................................................................................................ 154
6.2.4 Security Assessment and Authorization .................................................................................... 157
6.2.5 Configuration Management ....................................................................................................... 157
6.2.4 Security Assessment and Authorization ........................................................................................ 158
6.2.5 Configuration Management ........................................................................................................... 158
6.2.6 Contingency Planning ................................................................................................................ 159
6.2.6 Contingency Planning .................................................................................................................... 160
6.2.7 Identification and Authentication ................................................................................................ 165
6.2.7 Identification and Authentication .................................................................................................... 166
6.2.8 Incident Response ..................................................................................................................... 177
6.2.8 Incident Response ......................................................................................................................... 178
6.2.9 Maintenance .............................................................................................................................. 181
6.2.10 Media Protection ...................................................................................................................... 181
6.2.9 Maintenance .................................................................................................................................. 182
6.2.10 Media Protection .......................................................................................................................... 182
6.2.11 Physical and Environmental Protection ................................................................................... 183
6.2.11 Physical and Environmental Protection (PE) ............................................................................... 184
6.2.12 Planning ................................................................................................................................... 189
6.2.12 Planning ....................................................................................................................................... 190
6.2.13 Personnel Security ................................................................................................................... 191
6.2.13 Personnel Security ....................................................................................................................... 192
6.2.14 Risk Assessment ..................................................................................................................... 193
6.2.15 System and Services Acquisition ............................................................................................. 193
6.2.14 Risk Assessment ......................................................................................................................... 194
6.2.15 System and Services Acquisition ................................................................................................. 194
6.2.16 System and Communications Protection ................................................................................. 195
6.2.16 System and Communications Protection ..................................................................................... 196
6.2.16.1 Encryption ............................................................................................................................. 197
6.2.16.1 Encryption ................................................................................................................................. 198
6.2.17 System and Information Integrity ............................................................................................. 203
6.2.17 System and Information Integrity ................................................................................................. 204
6.2.18 Program Management ............................................................................................................. 209
6.2.19 Privacy Controls ....................................................................................................................... 209
6.2.18 Program Management ................................................................................................................. 210
6.2.19 Privacy Controls ........................................................................................................................... 210
List of Appendices
Appendix A—Acronyms and Abbreviations ......................................................................................................... 213
Appendix A—Acronyms and Abbreviations ......................................................................................................... 214
Appendix B—Glossary of Terms ......................................................................................................................... 219
Appendix B—Glossary of Terms ......................................................................................................................... 220
Appendix C—Threat Sources, Vulnerabilities, and Incidents .............................................................................. 255
Appendix C—Threat Sources, Vulnerabilities, and Incidents .............................................................................. 256
Appendix D—Current Activities in Industrial Control System Security ................................................................. 283
Appendix D—Current Activities in Industrial Control System Security ................................................................. 284
Appendix E—ICS Security Capabilities and Tools ............................................................................................... 315
Appendix E—ICS Security Capabilities and Tools ............................................................................................... 316
Appendix F—References .................................................................................................................................... 323
Appendix G—ICS Overlay ................................................................................................................................... 341
Appendix G—ICS Overlay ................................................................................................................................... 342
List of Figures
Figure 2-1. ICS Operation ..................................................................................................................................... 19
Figure 2-1. ICS Operation ..................................................................................................................................... 20
Figure 2-2. SCADA System General Layout ......................................................................................................... 23
Figure 2-2. SCADA System General Layout ......................................................................................................... 24
Figure 2-3. Basic SCADA Communication Topologies .......................................................................................... 25
Figure 2-3. Basic SCADA Communication Topologies .......................................................................................... 26
Figure 2-4. Large SCADA Communication Topology ............................................................................................ 27
Figure 2-4. Large SCADA Communication Topology ............................................................................................ 28
Figure 2-5. SCADA System Implementation Example (Distribution Monitoring and Control) ................................ 29
Figure 2-5. SCADA System Implementation Example (Distribution Monitoring and Control) ................................ 30
Figure 2-6. SCADA System Implementation Example (Rail Monitoring and Control) ............................................ 31
Figure 2-6. SCADA System Implementation Example (Rail Monitoring and Control) ............................................ 32
Figure 2-7. DCS Implementation Example ............................................................................................................ 35
Figure 2-7. DCS Implementation Example ............................................................................................................ 36
Figure 2-8. PLC Control System Implementation Example ................................................................................... 37
Figure 2-8. PLC Control System Implementation Example ................................................................................... 38
Figure 3-1. Risk Management Process Applied Across the Tiers .......................................................................... 51
Figure 3-1. Risk Management Process Applied Across the Tiers .......................................................................... 52
Figure 5-1. Firewall between Corporate Network and Control Network ................................................................. 93
Figure 5-1. Firewall between Corporate Network and Control Network ................................................................. 94
Figure 5-2. Firewall and Router between Corporate Network and Control Network .............................................. 95
Figure 5-2. Firewall and Router between Corporate Network and Control Network .............................................. 96
Figure 5-3. Firewall with DMZ between Corporate Network and Control Network ................................................. 97
Figure 5-3. Firewall with DMZ between Corporate Network and Control Network ................................................. 98
Figure 5-4. Paired Firewalls between Corporate Network and Control Network .................................................. 101
Figure 5-4. Paired Firewalls between Corporate Network and Control Network .................................................. 102
Figure 5-5. CSSP Recommended Defense-In-Depth Architecture ...................................................................... 105
Figure 5-5. CSSP Recommended Defense-in-Depth Architecture ...................................................................... 106
Figure 6-1. Risk Management Framework Tasks ................................................................................................ 131
Figure 6-1. Risk Management Framework Tasks ................................................................................................ 132
Figure C-1. ICS-CERT Reported Incidents by Year ............................................................................................ 275
Figure C-1. ICS-CERT Reported Incidents by Year ............................................................................................ 276
Figure G-1 Detailed Overlay Control Specifications Illustrated ............................................................................ 365
Figure G-1. Detailed Overlay Control Specifications Illustrated ........................................................................... 366
List of Tables
Table 2-1. Summary of IT System and ICS Differences ........................................................................................ 43
Table 2-1. Summary of IT System and ICS Differences ........................................................................................ 44
Table 3-1. Categories of Non-Digital ICS Control Components ............................................................................. 59
Table 3-1. Categories of Non-Digital ICS Control Components ............................................................................. 60
Table 6-1. Possible Definitions for ICS Impact Levels Based on ISA99 .............................................................. 133
Table 6-1. Definitions for ICS Impact Levels Based on ISA99 ............................................................................. 134
Table 6-2. Possible Definitions for ICS Impact Levels Based on Product Produced, Industry and Security Concerns ..... 135
Table 6-2. Definitions for ICS Impact Levels Based on Product Produced, Industry and Security Concerns ...... 136
Table C-1. Threats to ICS .................................................................................................................................... 255
Table C-1. Threats to ICS .................................................................................................................................... 256
Table C-2. Policy and Procedure Vulnerabilities and Predisposing Conditions ................................................... 261
Table C-2. Policy and Procedure Vulnerabilities and Predisposing Conditions ................................................... 262
Table C-3. Architecture and Design Vulnerabilities and Predisposing Conditions ............................................... 265
Table C-4. Configuration and Maintenance Vulnerabilities and Predisposing Conditions ................................... 265
Table C-3. Architecture and Design Vulnerabilities and Predisposing Conditions ............................................... 266
Table C-4. Configuration and Maintenance Vulnerabilities and Predisposing Conditions ................................... 266
Table C-5. Physical Vulnerabilities and Predisposing Conditions ........................................................................ 269
Table C-5. Physical Vulnerabilities and Predisposing Conditions ........................................................................ 270
Table C-6. Software Development Vulnerabilities and Predisposing Conditions ................................................. 271
Table C-7. Communication and Network Configuration Vulnerabilities and Predisposing Conditions ................. 271
Table C-6. Software Development Vulnerabilities and Predisposing Conditions ................................................. 272
Table C-7. Communication and Network Configuration Vulnerabilities and Predisposing Conditions ................. 272
Table C-8. Example Adversarial Incidents ........................................................................................................... 273
Table C-8. Example Adversarial Incidents ........................................................................................................... 274
Table G-1 Security Control Baselines .................................................................................................................. 345
Table G-1. Security Control Baselines ................................................................................................................. 346
Executive Summary
This document provides guidance for establishing secure industrial control systems (ICS). These ICS,
which include supervisory control and data acquisition (SCADA) systems, distributed control systems
(DCS), and other control system configurations such as Programmable Logic Controllers (PLC), are often
found in the industrial control sectors. ICS are typically used in industries such as electric, water and
wastewater, oil and natural gas, transportation, chemical, pharmaceutical, pulp and paper, food and
beverage, and discrete manufacturing (e.g., automotive, aerospace, and durable goods). SCADA systems
are generally used to control dispersed assets using centralized data acquisition and supervisory control.
DCS are generally used to control production systems within a local area such as a factory using
supervisory and regulatory control. PLCs are generally used for discrete control for specific applications
and generally provide regulatory control. These control systems are vital to the operation of the U.S. critical
infrastructures that are often highly interconnected and mutually dependent systems. It is important to note
that approximately 90 percent of the nation's critical infrastructures are privately owned and operated.
Federal agencies also operate many of the ICS mentioned above; other examples include air traffic control
and materials handling (e.g., Postal Service mail handling). This document provides an overview of these
ICS and typical system topologies, identifies typical threats and vulnerabilities to these systems, and
provides recommended security countermeasures to mitigate the associated risks.
Initially, ICS had little resemblance to traditional information technology (IT) systems in that ICS were
isolated systems running proprietary control protocols using specialized hardware and software. Many ICS
components were in physically secured areas and the components were not connected to IT networks or
systems. Widely available, low-cost Internet Protocol (IP) devices are now replacing proprietary solutions,
which increases the possibility of cybersecurity vulnerabilities and incidents. As ICS are adopting IT
solutions to promote corporate business systems connectivity and remote access capabilities, and are being
designed and implemented using industry standard computers, operating systems (OS) and network
protocols, they are starting to resemble IT systems. This integration supports new IT capabilities, but it
provides significantly less isolation for ICS from the outside world than predecessor systems, creating a
greater need to secure these systems. The increasing use of wireless networking places ICS
implementations at greater risk from adversaries who are in relatively close physical proximity but do not
have direct physical access to the equipment. While security solutions have been designed to deal with
these security issues in typical IT systems, special precautions must be taken when introducing these same
solutions to ICS environments. In some cases, new security solutions are needed that are tailored to the ICS
environment.
Although some characteristics are similar, ICS also have characteristics that differ from traditional
information processing systems. Many of these differences stem from the fact that logic executing in ICS
has a direct effect on the physical world. Some of these characteristics include significant risk to the health
and safety of human lives and serious damage to the environment, as well as serious financial issues such
as production losses, negative impact to a nation’s economy, and compromise of proprietary information.
ICS have unique performance and reliability requirements and often use operating systems and applications
that may be considered unconventional to typical IT personnel. Furthermore, the goals of safety and
efficiency sometimes conflict with security in the design and operation of control systems.
ICS cybersecurity programs should always be part of broader ICS safety and reliability programs at both
industrial sites and enterprise cybersecurity programs, because cybersecurity is essential to the safe and
reliable operation of modern industrial processes. Threats to control systems can come from numerous
sources, including hostile governments, terrorist groups, disgruntled employees, malicious intruders,
complexities, accidents, and natural disasters as well as malicious or accidental actions by insiders. ICS
security objectives typically follow the priority of availability and integrity, followed by confidentiality.
Executive Summary
This document provides guidance for building secure industrial control systems (ICS). These ICS, which include SCADA, DCS, PLC and other control system configurations, are commonly found in the industrial control sectors. ICS are generally used in the electric, water and wastewater, oil and gas, transportation, chemical, pharmaceutical, pulp and paper, food and beverage, and discrete manufacturing (e.g., automotive, aerospace, and durable goods) industries. SCADA systems are normally used to control dispersed assets through centralized data acquisition and supervisory control. DCS are normally used to control production systems within a local area, such as a factory, through supervisory and regulatory control. PLCs are normally used for discrete control in special-purpose applications and generally provide regulatory control. These control systems play a vital role in the operation of the U.S. critical infrastructures, which are highly interconnected and mutually dependent systems. It should be noted that approximately 90 percent of the nation's critical infrastructures are owned and operated by private companies. Federal agencies also operate many of the ICS mentioned above; other examples include air traffic control and materials handling (e.g., handling of postal mail). This document presents an overview of these ICS and their typical system topologies, identifies typical threats and vulnerabilities to these systems, and presents recommended security countermeasures to reduce the associated risks.
Early ICS were isolated systems that ran proprietary control protocols using specialized hardware and software, so they had little in common with traditional information technology (IT) systems. Many ICS components were placed in physically secured areas and were not connected to IT networks or systems. Today, widely available, low-cost Internet Protocol (IP) devices are replacing proprietary solutions, which raises the likelihood of cybersecurity vulnerabilities and incidents. ICS are adopting IT solutions to improve connectivity to corporate business systems and remote access capabilities, and are being designed and implemented using industry-standard computers, operating systems (OS) and network protocols. As a result, ICS have gradually come to resemble IT systems. This integration supports new IT capabilities, but because it provides far less isolation from the outside world than predecessor systems, the need for security increases. As the use of wireless networks grows, the risk to ICS implementations from adversaries who are physically nearby but have no direct physical access to the equipment increases. Security solutions have been built to address the security problems of typical IT systems, so special care is indispensable when bringing them into an ICS environment. In some cases, new security solutions tailored to that ICS environment are needed.
Although some characteristics are similar, ICS also have characteristics that differ from traditional information processing systems. Many of these differences arise from the fact that the logic executed in ICS has a direct effect on the real world. These characteristics include serious risks to human health and safety and severe environmental damage, as well as serious financial problems such as reduced production, adverse effects on the national economy, and leakage of confidential information. ICS performance and
ã³ä¿¡é ¼æ€§è¦ä»¶ã¯ç‹¬ç‰¹ã§ã€æ™®é€šã® IT 関係者ã«ã¯å¥‡ç•°ã«è¦‹ãˆã‚‹ OS やアプリケーションを使用ã™ã‚‹ã“ã¨ãŒ
多ã„。更ã«å®‰å…¨æ€§ã¨åŠ¹çŽ‡æ€§ã®ç›®æ¨™ã¯ã€åˆ¶å¾¡ã‚·ã‚¹ãƒ†ãƒ ã®è¨­è¨ˆãƒ»é‹ç”¨ä¸Šã€ã‚»ã‚­ãƒ¥ãƒªãƒ†ã‚£ã¨ç«¶åˆã™ã‚‹å ´åˆãŒ
ã‚る。
サイãƒãƒ¼ã‚»ã‚­ãƒ¥ãƒªãƒ†ã‚£ã¯ã€ç¾ä»£ã®ç”£æ¥­å·¥ç¨‹ã‚’安全ã‹ã¤é«˜ã„信頼性をもã£ã¦é‹ç”¨ã™ã‚‹ä¸Šã§ä¸å¯æ¬ ã§ã‚ã‚‹
ã“ã¨ã‹ã‚‰ã€ICS サイãƒãƒ¼ã‚»ã‚­ãƒ¥ãƒªãƒ†ã‚£ãƒ—ログラムã¯ã€ç”£æ¥­ç¾å ´ã«ãŠã„ã¦ã‚‚ä¼æ¥­ã‚µã‚¤ãƒãƒ¼ã‚»ã‚­ãƒ¥ãƒªãƒ†ã‚£
プログラムã«ãŠã„ã¦ã‚‚ã€å¸¸ã«ã‚ˆã‚Šåºƒç¯„㪠ICS ã®å®‰å…¨æ€§ãƒ»ä¿¡é ¼æ€§ãƒ—ログラムã®ä¸€éƒ¨ã¨ãªã‚‹ã¹ãã§ã‚る。
制御システムã«å¯¾ã™ã‚‹è„…å¨ã®æºã¯å¤šå²ã«ã‚ãŸã‚Šã€æ•µæ„ã‚’æŒã¤æ”¿åºœã€ãƒ†ãƒ­ãƒªã‚¹ãƒˆã‚°ãƒ«ãƒ¼ãƒ—ã€ä¸æº€ã‚’抱ã„
ãŸå¾“業員ã€æ‚ªæ„ã‚’æŒã¤ä¾µå…¥è€…ã€è¤‡é›‘性ã€äº‹æ•…ã€è‡ªç„¶ç½å®³ã€å†…部関係者ã®æ„図的åˆã¯å¶ç™ºçš„行為等ãŒã‚
る。ICS セキュリティã®ç›®çš„ã¯ã€ä¸€èˆ¬çš„ã«å¯ç”¨æ€§ã¨å®Œå…¨æ€§ã‚’優先事項ã¨ã—ã€æ©Ÿå¯†æ€§ãŒãã‚Œã«ç¶šã。
SPECIAL PUBLICATION 800-82 REVISION 2 GUIDE TO INDUSTRIAL CONTROL SYSTEMS (ICS) SECURITY
3
Possible incidents an ICS may face include the following:
• Blocked or delayed flow of information through ICS networks, which could disrupt ICS operation.
• Unauthorized changes to instructions, commands, or alarm thresholds, which could damage, disable, or shut down equipment, create environmental impacts, and/or endanger human life.
• Inaccurate information sent to system operators, either to disguise unauthorized changes, or to cause the operators to initiate inappropriate actions, which could have various negative effects.
• ICS software or configuration settings modified, or ICS software infected with malware, which could have various negative effects.
• Interference with the operation of equipment protection systems, which could endanger costly and difficult-to-replace equipment.
• Interference with the operation of safety systems, which could endanger human life.
Major security objectives for an ICS implementation should include the following:
• Restricting logical access to the ICS network and network activity. This may include using unidirectional gateways, a demilitarized zone (DMZ) network architecture with firewalls to prevent network traffic from passing directly between the corporate and ICS networks, and having separate authentication mechanisms and credentials for users of the corporate and ICS networks. The ICS should also use a network topology that has multiple layers, with the most critical communications occurring in the most secure and reliable layer.
• Restricting physical access to the ICS network and devices. Unauthorized physical access to components could cause serious disruption of the ICS’s functionality. A combination of physical access controls should be used, such as locks, card readers, and/or guards.
• Protecting individual ICS components from exploitation. This includes deploying security patches in as expeditious a manner as possible, after testing them under field conditions; disabling all unused ports and services and assuring that they remain disabled; restricting ICS user privileges to only those that are required for each person’s role; tracking and monitoring audit trails; and using security controls such as antivirus software and file integrity checking software where technically feasible to prevent, deter, detect, and mitigate malware.
• Restricting unauthorized modification of data. This includes data that is in transit (at least across the network boundaries) and at rest.
• Detecting security events and incidents. Detecting security events, which have not yet escalated into incidents, can help defenders break the attack chain before attackers attain their objectives. This includes the capability to detect failed ICS components, unavailable services, and exhausted resources that are important to provide proper and safe functioning of the ICS.
• Maintaining functionality during adverse conditions. This involves designing the ICS so that each critical component has a redundant counterpart. Additionally, if a component fails, it should fail in a manner that does not generate unnecessary traffic on the ICS or other networks, or does not cause another problem elsewhere, such as a cascading event. The ICS should also allow for graceful degradation such as moving from "normal operation" with full automation to "emergency operation" with operators more involved and less automation to "manual operation" with no automation.
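Three of the objectives above (unauthorized changes to commands or alarm thresholds, unauthorized modification of data in transit, and detecting events before they become incidents) can be illustrated with a small message-authentication check at the receiving controller. The following is an added example, not code from NIST SP 800-82 or from any vendor; the tag names, engineering limits, link key and message format are all constructed for the demonstration.

```python
"""Integrity-protected ICS command messages (added example, constructed data).

A supervisory station signs each setpoint / alarm-threshold write with an
HMAC-SHA256 tag under a per-link key.  The receiving controller verifies the
tag, rejects replayed frames through a strictly increasing sequence number,
and range-checks the value against engineering limits before applying it.
Every rejection is recorded as a security event for the historian / SIEM.
"""
import hashlib
import hmac
import json

# Hypothetical per-link key, provisioned out of band.  A fixed value is used
# only so the demo is reproducible; real keys are generated per link.
LINK_KEY = bytes(range(32))

# Constructed engineering limits for a hypothetical level loop (percent).
ENGINEERING_LIMITS = {
    "LIC-101/SP": (0.0, 100.0),    # level setpoint
    "LIC-101/HH": (80.0, 100.0),   # high-high alarm threshold
}

def encode(body):
    """Canonical JSON so both ends authenticate identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def sign_command(key, tag, value, seq):
    body = {"tag": tag, "value": value, "seq": seq}
    mac = hmac.new(key, encode(body), hashlib.sha256).hexdigest()
    return {**body, "mac": mac}

class Controller:
    def __init__(self, key, limits):
        self.key = key
        self.limits = limits
        self.last_seq = 0
        self.state = {}      # applied values by tag
        self.events = []     # (event_type, tag) pairs

    def apply(self, frame):
        body = {k: frame.get(k) for k in ("tag", "value", "seq")}
        expected = hmac.new(self.key, encode(body), hashlib.sha256).hexdigest()
        # Constant-time comparison; a bad tag means the frame was altered or forged.
        if not hmac.compare_digest(expected, str(frame.get("mac", ""))):
            self.events.append(("BAD_MAC", body["tag"]))
            return False
        # Sequence numbers must strictly increase, which defeats replay of an
        # old but validly signed frame.
        if not isinstance(body["seq"], int) or body["seq"] <= self.last_seq:
            self.events.append(("REPLAY", body["tag"]))
            return False
        lo, hi = self.limits.get(body["tag"], (None, None))
        if lo is None or not (lo <= body["value"] <= hi):
            self.events.append(("OUT_OF_RANGE", body["tag"]))
            return False
        self.last_seq = body["seq"]
        self.state[body["tag"]] = body["value"]
        return True

def demo():
    """Run a constructed sequence of frames and return (controller, results)."""
    ctrl = Controller(LINK_KEY, ENGINEERING_LIMITS)
    results = []
    results.append(ctrl.apply(sign_command(LINK_KEY, "LIC-101/SP", 65.0, 1)))
    good = sign_command(LINK_KEY, "LIC-101/HH", 90.0, 2)
    results.append(ctrl.apply(good))
    # Frame altered in transit: value changed, MAC no longer matches.
    results.append(ctrl.apply(dict(good, value=10.0)))
    # Same valid frame delivered a second time: replay.
    results.append(ctrl.apply(good))
    # Correctly signed but outside engineering limits.
    results.append(ctrl.apply(sign_command(LINK_KEY, "LIC-101/SP", 150.0, 3)))
    return ctrl, results

if __name__ == "__main__":
    controller, outcome = demo()
    print(outcome, controller.state, controller.events)
```

The range check is deliberately applied after authentication: a correctly signed but physically unsafe value (an alarm threshold above the vessel's rating, say) is still refused, and the rejection is logged as an event rather than silently dropped, which is what gives the detection objective something to work with.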
Incidents an ICS may face include the following:
• Blocking or delay of information passing through ICS networks, which could lead to disruption of ICS operation.
• Unauthorized changes to instructions, commands or alarm thresholds, which could cause equipment damage, failure or shutdown, environmental impact, or danger to human life.
• Delivery of false information to system operators, intended to conceal unauthorized changes or to cause operators to take wrong actions, which could have various adverse effects.
• Changes to ICS software or configuration, or infection of ICS software with malware, which could have various adverse effects.
• Interference with equipment protection devices, which could place costly and difficult-to-replace equipment in a dangerous state.
• Interference with the operation of safety devices, which could endanger human life.
The main security objectives of an ICS implementation should include the following:
• Restricting logical access to the ICS network and activity on the network. This includes the use of unidirectional gateways and a demilitarized zone (DMZ) network architecture with firewalls that prevent direct network traffic between the corporate network and the ICS network and that provide separate authentication mechanisms and credentials for users of the corporate and ICS networks. The ICS should also use a multi-layer network topology in which the most critical communications take place in the most secure and reliable layer.
• Restricting physical access to the ICS network and devices. Unauthorized physical access to components could cause serious disruption of ICS functions. Physical access controls such as locks, card readers and guards should be used in combination.
• Preventing exploitation of individual ICS components. This includes the following: deploying security patches as quickly as possible after testing them under field conditions; disabling all unused ports and services and ensuring they stay disabled; limiting the granting of ICS user privileges to personnel whose roles require them; tracking and monitoring audit trails; and, where technically feasible, using security controls such as antivirus software and file integrity checking software to prevent, deter, detect and mitigate malware.
• Restricting unauthorized changes to data. This includes data in transit (at least data crossing network boundaries) and data at rest.
• Detecting security events and incidents. If security events that have not yet become incidents can be detected, defenders can break the attack chain before the attacker achieves the objective. This includes the ability to detect failed ICS components, unavailable services and exhausted resources that matter to the proper and safe functioning of the ICS.
• Maintaining functionality under adverse conditions. This involves an ICS design that gives each critical component redundancy. In addition, even when a component fails, it must not generate unnecessary traffic on the ICS or other networks or give rise to other problems such as cascading events. The ICS should also be designed for graceful degradation, so that even when functionality declines it does so gradually: from fully automated "normal operation" to semi-automated "emergency operation" with operators involved, and then to fully "manual operation".
• Restoring the system after an incident. Incidents are inevitable and an incident response plan is essential. A major characteristic of a good security program is how quickly the system can be recovered after an incident has occurred.
To properly address security in an ICS, it is essential for a cross-functional cybersecurity team to share
their varied domain knowledge and experience to evaluate and mitigate risk to the ICS. The cybersecurity
team should consist of a member of the organization’s IT staff, control engineer, control system operator,
network and system security expert, a member of the management staff, and a member of the physical
security department at a minimum. For continuity and completeness, the cybersecurity team should consult
with the control system vendor and/or system integrator as well. The cybersecurity team should coordinate
closely with site management (e.g., facility superintendent) and the company’s Chief Information Officer
(CIO) or Chief Security Officer (CSO), who in turn, accepts complete responsibility and accountability for
the cybersecurity of the ICS, and for any safety incidents, reliability incidents, or equipment damage caused
directly or indirectly by cyber incidents. An effective cybersecurity program for an ICS should apply a
strategy known as “defense-in-depth,” layering security mechanisms such that the impact of a failure in any
one mechanism is minimized. Organizations should not rely on “security by obscurity.”
In a typical ICS this means a defense-in-depth strategy that includes:
• Developing security policies, procedures, training and educational material that applies specifically to the ICS.
• Considering ICS security policies and procedures based on the Homeland Security Advisory System Threat Level, deploying increasingly heightened security postures as the Threat Level increases.
• Addressing security throughout the lifecycle of the ICS from architecture design to procurement to installation to maintenance to decommissioning.
• Implementing a network topology for the ICS that has multiple layers, with the most critical communications occurring in the most secure and reliable layer.
• Providing logical separation between the corporate and ICS networks (e.g., stateful inspection firewall(s) between the networks, unidirectional gateways).
• Employing a DMZ network architecture (i.e., prevent direct traffic between the corporate and ICS networks).
• Ensuring that critical components are redundant and are on redundant networks.
• Designing critical systems for graceful degradation (fault tolerant) to prevent catastrophic cascading events.
• Disabling unused ports and services on ICS devices after testing to assure this will not impact ICS operation.
• Restricting physical access to the ICS network and devices.
• Restricting ICS user privileges to only those that are required to perform each person’s job (i.e., establishing role-based access control and configuring each role based on the principle of least privilege).
• Using separate authentication mechanisms and credentials for users of the ICS network and the corporate network (i.e., ICS network accounts do not use corporate network user accounts).
• Restoring the system after an incident. Because incidents cannot be avoided, an incident response plan is essential. The key characteristic of an excellent security program is how quickly the system can be restored after an incident occurs.
To properly ensure security in an ICS, it is essential that a cross-functional cybersecurity team share its knowledge and experience from diverse fields and evaluate and mitigate risk to the ICS. At a minimum, the cybersecurity team should consist of a member of the organization's IT staff, a control engineer, a control system operator, a network and system security specialist, a member of management, and a member of the physical security department. To ensure continuity and completeness, the cybersecurity team should also consult with the control system vendor and system integrator. It should also coordinate closely with site management (e.g., the facility superintendent) and with the company's Chief Information Officer (CIO) or Chief Security Officer (CSO), who bears full responsibility for the cybersecurity of the ICS and for safety incidents, reliability incidents, or equipment damage caused directly or indirectly by cyber incidents. An effective ICS cybersecurity program should apply the strategy known as "defense-in-depth", that is, layered security mechanisms such that the impact of a failure in any one mechanism is kept to a minimum. Organizations should not rely on "security by obscurity".
In a typical ICS, this means a defense-in-depth strategy that includes the following:
• Developing security policies, procedures and education and training material that apply specifically to the ICS
• Considering ICS security policies and procedures based on the Homeland Security Advisory System Threat Level, and maintaining a security posture that is raised in stages as the Threat Level rises
• Considering security throughout the entire ICS lifecycle, from architecture design through procurement, installation and maintenance to disposal
• Implementing a multi-layer ICS network topology in which the most critical communications take place in the most secure and reliable layer
• Logical separation between the corporate network and the ICS network (e.g., stateful inspection firewalls between the networks, unidirectional gateways)
• Adopting a DMZ network architecture (preventing direct traffic between the corporate network and the ICS network)
• Making critical components redundant and placing them on redundant networks
• Designing critical systems with graceful degradation (fault tolerance) to prevent catastrophic cascading events
• Disabling unused ports and services on ICS devices after verifying that this does not affect ICS operation
• Restricting physical access to the ICS network and devices
• Granting only those ICS user privileges that each person needs to perform their job (role-based access control, with roles configured on the principle of least privilege)
• Using separate authentication mechanisms and credentials for ICS network users and corporate network users (not using corporate network user accounts for ICS network accounts)
• Using modern technology, such as smart cards for Personal Identity Verification (PIV).
• Implementing security controls such as intrusion detection software, antivirus software and file integrity checking software, where technically feasible, to prevent, deter, detect, and mitigate the introduction, exposure, and propagation of malicious software to, within, and from the ICS.
• Applying security techniques such as encryption and/or cryptographic hashes to ICS data storage and communications where determined appropriate.
• Expeditiously deploying security patches after testing all patches under field conditions on a test system if possible, before installation on the ICS.
• Tracking and monitoring audit trails on critical areas of the ICS.
• Employing reliable and secure network protocols and services where feasible.
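Several items in the defense-in-depth list above (a DMZ between the corporate and ICS networks, no direct corporate-to-ICS traffic, only approved services crossing a zone boundary, unused services disabled) can be checked mechanically against connection records exported by a firewall or flow collector. The following is an added example and not part of the guide; the zone address plan, the approved-service table, the log line format and the flow records are all constructed.

```python
"""Zone-policy audit of connection records (added example, constructed data).

Corporate and ICS hosts are never allowed to talk to each other directly;
each may reach the DMZ only for an explicitly approved service; anything
else that crosses a zone boundary is reported.  Addresses, the allowed
service table, the log format and the flow records are all constructed.
"""
import ipaddress

# Hypothetical address plan.
ZONES = {
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "ics": ipaddress.ip_network("192.168.100.0/24"),
}

# Approved cross-zone services as (source_zone, destination_zone, dst_port).
ALLOWED = {
    ("ics", "dmz", 5432),        # historian replicates to the DMZ copy
    ("corporate", "dmz", 443),   # business users read the DMZ copy over HTTPS
}

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"

def parse_flow(line):
    """Constructed record format: '<time> <src>:<sport> -> <dst>:<dport> <proto>'."""
    ts, src, _arrow, dst, proto = line.split()
    src_ip, _sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return {"ts": ts, "src": src_ip, "dst": dst_ip, "dport": int(dport), "proto": proto}

def check_flow(flow):
    """Return a finding code, or None when the flow complies with the zone policy."""
    src_zone, dst_zone = zone_of(flow["src"]), zone_of(flow["dst"])
    if src_zone == dst_zone:
        return None                      # intra-zone traffic is out of scope here
    if {src_zone, dst_zone} == {"corporate", "ics"}:
        return "DIRECT_CORP_ICS"         # bypasses the DMZ in either direction
    if "unknown" in (src_zone, dst_zone):
        return "UNKNOWN_ZONE"            # address outside the documented plan
    if (src_zone, dst_zone, flow["dport"]) not in ALLOWED:
        return "UNAPPROVED_SERVICE"
    return None

def audit(lines):
    findings = []
    for line in lines:
        flow = parse_flow(line)
        code = check_flow(flow)
        if code is not None:
            findings.append((flow["ts"], flow["src"], flow["dst"], flow["dport"], code))
    return findings

SAMPLE_FLOWS = [  # constructed records
    "12:00:01 192.168.100.20:51000 -> 10.20.0.5:5432 tcp",   # approved
    "12:00:02 10.10.4.7:52000 -> 10.20.0.5:443 tcp",         # approved
    "12:00:03 10.10.4.7:52001 -> 192.168.100.10:502 tcp",    # corporate host straight to an ICS host
    "12:00:04 10.10.4.9:52002 -> 10.20.0.5:22 tcp",          # service not on the approved list
    "12:00:05 172.16.9.9:40000 -> 192.168.100.10:502 tcp",   # source outside every zone
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(*finding)
```

The approved-service table is the allow-list the architecture already implies; running the audit periodically over real flow exports turns the design rule "no direct traffic between corporate and ICS" into something that is verified rather than assumed, and an address that falls in no documented zone is itself worth a finding, since it usually means an undocumented network or a misconfigured host.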
The National Institute of Standards and Technology (NIST), in cooperation with the public and private
sector ICS community, has developed specific guidance on the application of the security controls in NIST
Special Publication (SP) 800-53 Revision 4, Security and Privacy Controls for Federal Information
Systems and Organizations [22], to ICS.
While many controls in Appendix F of NIST SP 800-53 are applicable to ICS as written, many controls require ICS-specific interpretation and/or augmentation by adding one or more of the following to the control:
• ICS Supplemental Guidance provides organizations with additional information on the application of the security controls and control enhancements in Appendix F of NIST SP 800-53 to ICS and the environments in which these specialized systems operate. The Supplemental Guidance also provides information as to why a particular security control or control enhancement may not be applicable in some ICS environments and may be a candidate for tailoring (i.e., the application of scoping guidance and/or compensating controls). ICS Supplemental Guidance does not replace the original Supplemental Guidance in Appendix F of NIST SP 800-53.
• ICS Enhancements (one or more) that provide enhancement augmentations to the original control that may be required for some ICS.
• ICS Enhancement Supplemental Guidance that provides guidance on how the control enhancement applies, or does not apply, in ICS environments.
The most successful method for securing an ICS is to gather industry recommended practices and engage in
a proactive, collaborative effort between management, the controls engineer and operator, the IT
organization, and a trusted automation advisor. This team should draw upon the wealth of information
available from ongoing federal government, industry groups, vendor and standards organizational activities
listed in Appendix D.
• Using up-to-date technology such as smart cards for Personal Identity Verification (PIV)
• Where technically feasible, security controls such as intrusion detection software, antivirus software and file integrity checking software to prevent, deter, detect and mitigate the introduction, exposure and propagation of malware entering, leaving, and inside the ICS
• Where appropriate, applying security techniques such as encryption or cryptographic hashes to ICS data storage and communications
• Rapid deployment of security patches that have, where possible, been verified on test equipment under field conditions before installation on the ICS
• Tracking and monitoring audit trails in critical areas of the ICS
• Adopting reliable, secure network protocols and services where feasible
The National Institute of Standards and Technology (NIST), with the cooperation of the public and private sector ICS community, has developed specific guidance on applying the security controls in NIST Special Publication (SP) 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations [22], to ICS.
Many of the controls in Appendix F of NIST SP 800-53 are applicable to ICS as written, but most require an ICS-specific interpretation and need at least one of the following to be added:
• ICS Supplemental Guidance. Provides supplementary information for applying the security controls and control enhancements in Appendix F of NIST SP 800-53 to ICS and to the environments in which these dedicated systems operate. It also explains why, in some ICS environments, a particular security control or control enhancement cannot be applied and needs adjustment (application of scoping guidance or compensating controls). ICS Supplemental Guidance does not replace the original Supplemental Guidance in Appendix F of NIST SP 800-53.
• ICS Enhancements (one or more). Add enhancements to the original control that some ICS may require.
• ICS Enhancement Supplemental Guidance. Indicates whether a control enhancement applies in ICS environments.
The most effective method of securing an ICS is to gather industry recommended practices and to work proactively and cooperatively among management, control engineers and operators, the IT organization, and a trusted automation advisor. This team should draw on the wealth of information from the federal government, industry groups, vendors and the standards bodies listed in Appendix D.
1. Introduction
1.1 Purpose and Scope
The purpose of this document is to provide guidance for securing industrial control systems (ICS), including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other systems performing control functions. The document provides a notional overview of ICS, reviews typical system topologies and architectures, identifies known threats and vulnerabilities to these systems, and provides recommended security countermeasures to mitigate the associated risks. Additionally, it presents an ICS-tailored security control overlay, based on NIST SP 800-53 Rev. 4 [22], to provide a customization of controls as they apply to the unique characteristics of the ICS domain. The body of the document provides context for the overlay, but the overlay is intended to stand alone.
ICS are found in many industries such as electric, water and wastewater, oil and natural gas, chemical, pharmaceutical, pulp and paper, food and beverage, and discrete manufacturing (e.g., automotive, aerospace, and durable goods). Because there are many different types of ICS with varying levels of potential risk and impact, the document provides a list of many different methods and techniques for securing ICS. The document should not be used purely as a checklist to secure a specific system. Readers are encouraged to perform a risk-based assessment on their systems and to tailor the recommended guidelines and solutions to meet their specific security, business and operational requirements. The range of applicability of the basic concepts for securing control systems presented in this document continues to expand.
1.2 Audience
This document covers details specific to ICS. Readers of this document should be acquainted with general computer security concepts, and communication protocols such as those used in networking. The document is technical in nature; however, it provides the necessary background to understand the topics that are discussed.
1. Introduction
1.1 Purpose and Scope
The purpose of this document is to provide guidance for securing industrial control systems (ICS), where ICS includes SCADA, DCS and other control systems. The document gives an overview of the concepts of such ICS, discusses typical system topologies and architectures, identifies known threats and vulnerabilities to these systems, and presents recommended security countermeasures to reduce the associated risks. It also presents a security control overlay tailored to ICS in accordance with NIST SP 800-53 Revision 4 [22], showing how the controls are customized when applied to the unique characteristics of the ICS domain. The document provides the context for the overlay, but the overlay is intended to stand on its own.
ICS are used in the electric, water and wastewater, oil and gas, chemical, pharmaceutical, pulp and paper, food and beverage, and discrete manufacturing (automotive, aerospace, durable goods, etc.) industries. Because there are various kinds of ICS with differing risk levels and impacts, this document presents a list of methods and techniques for ICS security. It should not be used simply as a checklist for securing a particular system. Readers should perform a risk-based assessment of the systems they use and tailor the recommended guidelines and solutions to their own security, business and operational requirements. The range of applicability of the basic concepts for securing control systems presented in this document will continue to expand.
1.2 Audience
This document covers details specific to ICS. Readers should be familiar with general computer security concepts and the communication protocols used in networking. The document is technical in nature, but it also provides the background needed to understand the topics discussed.
The national and economic security of the United States depends on the reliable functioning of critical infrastructure, and Executive Order 13636, "Improving Critical Infrastructure Cybersecurity" [82], directs NIST to work with stakeholders to develop a voluntary framework for reducing cyber risks to critical infrastructure. The Cybersecurity Framework (CSF) [83] consists of standards, guidelines and best practices and promotes the protection of critical infrastructure. Through a prioritized, flexible, repeatable, performance-based and cost-effective approach, the framework helps owners and operators of critical infrastructure manage cybersecurity-related risk while protecting business confidentiality, personal information and civil liberties. The first CSF, released in February 2014, became a national-level framework flexible enough to be applied across diverse sectors and a variety of operating environments. The CSF was developed from stakeholder input so that existing practices in many different sectors could be used within the framework. Organizations can use the cybersecurity standards, guidelines and practices for industrial control systems to consider the functions of the CSF in relation to their own risk management programs.
The intended audience is varied and includes the following:
• Control engineers, integrators, and architects who design or implement secure ICS.
• System administrators, engineers, and other information technology (IT) professionals who administer, patch, or secure ICS.
• Security consultants who perform security assessments and penetration testing of ICS.
• Managers who are responsible for ICS.
• Senior management who are trying to understand implications and consequences as they justify and apply an ICS cybersecurity program to help mitigate impacts to business functionality.
• Researchers and analysts who are trying to understand the unique security needs of ICS.
• Vendors that are developing products that will be deployed as part of an ICS.
1.3 Document Structure
The remainder of this guide is divided into the following major sections:
• Section 2 provides an overview of ICS including a comparison between ICS and IT systems.
• Section 3 provides a discussion of ICS risk management and assessment.
• Section 4 provides an overview of the development and deployment of an ICS security program to mitigate the risk of the vulnerabilities identified in Appendix C.
• Section 5 provides recommendations for integrating security into network architectures typically found in ICS, with an emphasis on network segregation practices.
• Section 6 provides a summary of the management, operational, and technical controls identified in NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, and provides initial guidance on how these security controls apply to ICS.
The guide also contains several appendices with supporting material, as follows:
• Appendix A provides a list of acronyms and abbreviations used in this document.
• Appendix B provides a glossary of terms used in this document.
• Appendix C provides a list of ICS threats, vulnerabilities and incidents.
• Appendix D provides a list of ICS security activities.
• Appendix E provides a list of ICS security capabilities and tools.
• Appendix F provides a list of references used in the development of this document.
• Appendix G provides an ICS overlay, listing security controls, enhancements, and supplemental guidance that apply specifically to ICS.
The intended audience is broad and includes the following:
• Control engineers, integrators and architects involved in designing or implementing secure ICS
• System administrators, engineers and other IT professionals involved in administering, patching or securing ICS
• Security consultants who perform security assessments and penetration testing of ICS
• Managers responsible for ICS
• Senior management trying to understand the implications and consequences as they justify and apply an ICS cybersecurity program to mitigate impacts to business functions
• Researchers and analysts trying to understand the unique security needs of ICS
• Vendors developing products that will be deployed as part of an ICS
1.3 Document Structure
The remainder of this guide is divided into the following sections:
• Section 2: Gives an overview of ICS, including a comparison between ICS and IT systems.
• Section 3: Explains ICS risk management and risk assessment.
• Section 4: Gives an overview of developing and deploying an ICS security program that mitigates the vulnerability risks identified in Appendix C.
• Section 5: Presents recommendations for building security into the network architectures typical of ICS, with particular emphasis on network segregation practices.
• Section 6: Summarizes the management, operational and technical controls defined in NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, and provides initial guidance on how these security controls apply to ICS.
The guide also contains the following appendices providing supporting material:
• Appendix A: List of acronyms and abbreviations used in this document
• Appendix B: Glossary of terms used in this document
• Appendix C: List of ICS threats, vulnerabilities and incidents
• Appendix D: List of ICS security activities
• Appendix E: List of ICS security capabilities and tools
• Appendix F: List of references used in preparing this document
• Appendix G: ICS overlay listing the security controls, enhancements and supplemental guidance that apply specifically to ICS
2. Overview of Industrial Control Systems
Industrial control system (ICS) is a general term that encompasses several types of control systems,
including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS),
and other control system configurations such as Programmable Logic Controllers (PLC) often found in the
industrial sectors and critical infrastructures. An ICS consists of combinations of control components (e.g.,
electrical, mechanical, hydraulic, pneumatic) that act together to achieve an industrial objective (e.g.,
manufacturing, transportation of matter or energy). The part of the system primarily concerned with
producing the output is referred to as the process. The control part of the system includes the specification
of the desired output or performance. Control can be fully automated or may include a human in the loop.
Systems can be configured to operate open-loop, closed-loop, and manual mode. In open-loop control
systems the output is controlled by established settings. In closed-loop control systems, the output has an
effect on the input in such a way as to maintain the desired objective. In manual mode the system is
controlled completely by humans. The part of the system primarily concerned with maintaining
conformance with specifications is referred to as the controller (or control). A typical ICS may contain
numerous control loops, Human Machine Interfaces (HMIs), and remote diagnostics and maintenance tools
built using an array of network protocols. ICS that control industrial processes are typically used in the electrical,
water and wastewater, oil and natural gas, chemical, transportation, pharmaceutical, pulp and paper, food
and beverage, and discrete manufacturing (e.g., automotive, aerospace, and durable goods) industries.
ICS are critical to the operation of the U.S. critical infrastructures that are often highly interconnected and
mutually dependent systems. It is important to note that approximately 85 percent of the nation's critical
infrastructures are privately owned and operated.¹ Federal agencies also operate many of the industrial
processes mentioned above as well as air traffic control. This section provides an overview of SCADA,
DCS, and PLC systems, including typical topologies and components. Several diagrams are presented to
depict the network topology, connections, components, and protocols typically found on each system to
facilitate the understanding of these systems. These examples only attempt to identify notional topology
concepts. Actual implementations of ICS may be hybrids that blur the line between DCS and SCADA
systems. Note that the diagrams in this section do not focus on securing ICS. Security architecture and
security controls are discussed in Section 5 and Section 6 of this document respectively.
2.1 Evolution of Industrial Control Systems
Many of today’s ICS evolved from the insertion of IT capabilities into existing physical systems, often
replacing or supplementing physical control mechanisms. For example, embedded digital controls replaced
analog mechanical controls in rotating machines and engines. Improvements in cost and performance have
encouraged this evolution, resulting in many of today’s “smart” technologies such as the smart electric grid,
smart transportation, smart buildings, and smart manufacturing. While this increases the connectivity and
criticality of these systems, it also creates a greater need for their adaptability, resilience, safety, and
security.
Engineering of ICS continues to evolve to provide new capabilities while maintaining the typical long
lifecycles of these systems. The introduction of IT capabilities into physical systems presents emergent
behavior that has security implications. Engineering models and analysis are evolving to address these
emergent properties including safety, security, privacy, and environmental impact interdependencies.
¹ http://www.dhs.gov/critical-infrastructure-sector-partnerships (last updated April 2014)
SPECIAL PUBLICATION 800-82 REVISION 2 GUIDE TO INDUSTRIAL CONTROL SYSTEMS (ICS) SECURITY
15
2.2 ICS Industrial Sectors and Their Interdependencies
Control systems are used in many different industrial sectors and critical infrastructures, including
manufacturing, distribution, and transportation.
2.2.1 Manufacturing Industries
Manufacturing presents a large and diverse industrial sector with many different processes, which can be
categorized into process-based and discrete-based manufacturing.
The process-based manufacturing industries typically utilize two main processes [1]:
• Continuous Manufacturing Processes. These processes run continuously, often with transitions to
make different grades of a product. Typical continuous manufacturing processes include fuel or steam
flow in a power plant, petroleum in a refinery, and distillation in a chemical plant.
• Batch Manufacturing Processes. These processes have distinct processing steps, conducted on a
quantity of material. There is a distinct start and end step to a batch process with the possibility of
brief steady state operations during intermediate steps. Typical batch manufacturing processes include
food manufacturing.
The discrete-based manufacturing industries typically conduct a series of steps on a single device to create
the end product. Electronic and mechanical parts assembly and parts machining are typical examples of this
type of industry.
Both process-based and discrete-based industries utilize the same types of control systems, sensors, and
networks. Some facilities are a hybrid of discrete and process-based manufacturing.
2.2.2 Distribution Industries
ICS are used to control geographically dispersed assets, often scattered over thousands of square kilometers,
including distribution systems such as water distribution and wastewater collection systems, agricultural
irrigation systems, oil and natural gas pipelines, electrical power grids, and railway transportation systems.
2.2.3 Differences between Manufacturing and Distribution ICS
While control systems used in manufacturing and distribution industries are very similar in operation, they
are different in some aspects. Manufacturing industries are usually located within a confined factory or
plant-centric area, when compared to geographically dispersed distribution industries. Communications in
manufacturing industries are usually performed using local area network (LAN) technologies that are
typically more reliable and high speed as compared to the long-distance communication wide-area
networks (WAN) and wireless/RF (radio frequency) technologies used by distribution industries. The ICS
used in distribution industries are designed to handle long-distance communication challenges such as
delays and data loss posed by the various communication media used. The security controls may differ
among network types.
2.2.4 ICS and Critical Infrastructure Interdependencies
The U.S. critical infrastructure is often referred to as a “system of systems” because of the
interdependencies that exist between its various industrial sectors as well as interconnections between
business partners [8] [9]. Critical infrastructures are highly interconnected and mutually dependent in
complex ways, both physically and through a host of information and communications technologies. An
incident in one infrastructure can directly and indirectly affect other infrastructures through cascading and
escalating failures.
Both the electrical power transmission and distribution grid industries use geographically distributed
SCADA control technology to operate highly interconnected and dynamic systems consisting of thousands
of public and private utilities and rural cooperatives for supplying electricity to end users. Some SCADA
systems monitor and control electricity distribution by collecting data from and issuing commands to
geographically remote field control stations from a centralized location. SCADA systems are also used to
monitor and control water, oil and natural gas distribution, including pipelines, ships, trucks, and rail
systems, as well as wastewater collection systems.
SCADA systems and DCS are often networked together. This is the case for electric power control centers
and electric power generation facilities. Although the electric power generation facility operation is
controlled by a DCS, the DCS must communicate with the SCADA system to coordinate production output
with transmission and distribution demands.
Electric power is often thought to be one of the most prevalent sources of disruptions of interdependent
critical infrastructures. As an example, a cascading failure can be initiated by a disruption of the microwave
communications network used for an electric power transmission SCADA system. The lack of monitoring
and control capabilities could cause a large generating unit to be taken offline, an event that would lead to
loss of power at a transmission substation. This loss could cause a major imbalance, triggering a cascading
failure across the power grid. This could result in large area blackouts that could potentially affect oil and
natural gas production, refinery operations, water treatment systems, wastewater collection systems, and
pipeline transport systems that rely on the grid for electric power.
2.3 ICS Operation and Components
The basic operation of an ICS is shown in Figure 2-1 [2]. Some critical processes may also include safety
systems. Key components include the following:
A typical ICS contains numerous control loops, human interfaces, and remote diagnostics and maintenance
tools built using an array of network protocols on layered network architectures. A control loop utilizes
sensors, actuators, and controllers (e.g., PLCs) to manipulate some controlled process. A sensor is a device
that produces a measurement of some physical property and then sends this information as controlled
variables to the controller. The controller interprets the signals and generates corresponding manipulated
variables, based on a control algorithm and target set points, which it transmits to the actuators. Actuators
such as control valves, breakers, switches, and motors are used to directly manipulate the controlled
process based on commands from the controller.
Operators and engineers use human interfaces to monitor and configure set points, control algorithms, and
to adjust and establish parameters in the controller. The human interface also displays process status
information and historical information. Diagnostics and maintenance utilities are used to prevent, identify,
and recover from abnormal operation or failures.
Sometimes these control loops are nested and/or cascading, whereby the set point for one loop is based on
the process variable determined by another loop. Supervisory-level loops and lower-level loops operate
continuously over the duration of a process with cycle times ranging on the order of milliseconds to
minutes.
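To make the loop described above concrete, here is a small added simulation (not from NIST SP 800-82) of a sensor, controller, actuator and controlled process, run in the three modes named in the text (closed-loop, open-loop, manual) and, in closed-loop mode, as a cascade in which a slow supervisory level loop computes the set point for a fast flow loop. The tank, valve lag, controller gains and demand disturbance are constructed values.

```python
"""Constructed simulation of an ICS control loop with a nested (cascaded) set point."""
from dataclasses import dataclass


@dataclass
class Tank:
    """Controlled process: liquid level rises with inflow and falls with demand (constructed)."""
    level: float = 1.0        # process output, in length units
    demand: float = 0.3       # outflow disturbance, units/s

    def step(self, inflow: float, dt: float) -> None:
        self.level = max(0.0, self.level + (inflow - self.demand) * dt)


class Valve:
    """Actuator: its position (0..1) lags behind the commanded position."""
    def __init__(self) -> None:
        self.position = 0.0

    def apply(self, command: float) -> float:
        target = min(1.0, max(0.0, command))
        self.position += 0.5 * (target - self.position)
        return self.position


class PIController:
    """Control algorithm: proportional-integral with output limits and anti-windup
    (the integral is frozen while the output is saturated)."""
    def __init__(self, kp: float, ki: float, dt: float, lo: float, hi: float) -> None:
        self.kp, self.ki, self.dt, self.lo, self.hi = kp, ki, dt, lo, hi
        self.integral = 0.0

    def compute(self, set_point: float, measured: float) -> float:
        error = set_point - measured
        unclamped = self.kp * error + self.ki * (self.integral + error * self.dt)
        output = min(self.hi, max(self.lo, unclamped))
        if output == unclamped:                 # only integrate while not saturated
            self.integral += error * self.dt
        return output


def run(mode: str, seconds: int = 120, level_set_point: float = 2.0) -> float:
    """Run the loop for `seconds` and return the final tank level (rounded).

    closed : cascade - a supervisory level loop (1 s cycle) computes the inflow set point
             for a fast flow loop (0.1 s cycle) that commands the valve.
    open   : the valve command is an established preset; no measurement feeds back.
    manual : a human operator sets the valve directly (here a fixed schedule).
    A demand increase at t = 60 s acts as the disturbance in every mode.
    """
    tank, valve = Tank(), Valve()
    inner_dt, outer_every = 0.1, 10             # 10 fast cycles per supervisory cycle
    level_loop = PIController(kp=0.5, ki=0.05, dt=1.0, lo=0.0, hi=1.0)
    flow_loop = PIController(kp=0.5, ki=2.0, dt=inner_dt, lo=0.0, hi=1.0)
    flow_set_point = 0.0
    for k in range(int(seconds / inner_dt)):
        t = k * inner_dt
        if t >= 60:
            tank.demand = 0.4                   # disturbance: demand rises
        if mode == "closed":
            if k % outer_every == 0:            # supervisory loop sets the lower loop's set point
                flow_set_point = level_loop.compute(level_set_point, tank.level)
            flow = valve.position * 1.0         # sensor: a fully open valve passes 1.0 units/s
            command = flow_loop.compute(flow_set_point, flow)
        elif mode == "open":
            command = 0.3                       # preset that matched the original demand
        elif mode == "manual":
            command = 0.3 if t < 60 else 0.4    # operator reacts to the demand change
        else:
            raise ValueError(f"unknown mode: {mode}")
        inflow = valve.apply(command) * 1.0
        tank.step(inflow, inner_dt)
    return round(tank.level, 3)
```

Running all three modes shows why the text distinguishes them: only the closed-loop cascade brings the level back to its set point after the demand change, while the open-loop preset drains the tank and the manual schedule only holds it near its starting level.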
Figure 2-1. ICS Operation
To support subsequent discussions, this section defines key ICS components that are used in control and
networking. Some of these components can be described generically for use in SCADA systems, DCS and
PLCs, while others are unique to one. The Glossary of Terms in Appendix B contains a more detailed
listing of control and networking components. Additionally, Figure 2-5 and Figure 2-6 show SCADA
implementation examples; Figure 2-7 shows a DCS implementation example and Figure 2-8 shows a PLC
implementation example that incorporates these components.
2.3.1 ICS System Design Considerations
While Section 2.3 introduced the basic components of an ICS, the design of an ICS, including whether
SCADA, DCS, or PLC-based topologies are used, depends on many factors. This section identifies key
factors that drive design decisions regarding the control, communication, reliability, and redundancy
properties of the ICS. Because these factors heavily influence the design of the ICS, they will also help
determine the security needs of the system.
• Control Timing Requirements. ICS processes have a wide range of time-related requirements,
including very high speed, consistency, regularity, and synchronization. Humans may not be able to
reliably and consistently meet these requirements; automated controllers may be necessary. Some
systems may require the computation to be performed as close to the sensor and actuators as possible
to reduce communication latency and perform necessary control actions on time.
• Geographic Distribution. Systems have varying degrees of distribution, ranging from a small system
(e.g., local PLC-controlled process) to large, distributed systems (e.g., oil pipelines, electric power
grid). Greater distribution typically implies a need for wide area (e.g., leased lines, circuit switching,
and packet switching) and mobile communication.
• Hierarchy. Supervisory control is used to provide a central location that can aggregate data from
multiple locations to support control decisions based on the current state of the system. Often a
hierarchical/centralized control is used to provide human operators with a comprehensive view of the
entire system.
• Control Complexity. Often control functions can be performed by simple controllers and preset
algorithms. However, more complex systems (e.g., air traffic control) require human operators to
ensure that all control actions are appropriate to meet the larger objectives of the system.
• Availability. The system’s availability (i.e., reliability) requirements are also an important factor in
design. Systems with strong availability/up-time requirements may require more redundancy or
alternate implementations across all communication and control.
• Impact of Failures. The failure of a control function could incur substantially different impacts across
domains. Systems with greater impacts often require the ability to continue operations through
redundant controls, or the ability to operate in a degraded state. The design needs to address these
requirements.
• Safety. The system’s safety requirements are also an important factor in design. Systems must be
able to detect unsafe conditions and trigger actions to reduce unsafe conditions to safe ones. In most
safety-critical operations, human oversight and control of a potentially dangerous process is an
essential part of the safety system.
2.3.2 SCADA Systems
SCADA systems are used to control dispersed assets where centralized data acquisition is as important as
control [3] [4]. These systems are used in distribution systems such as water distribution and wastewater
collection systems, oil and natural gas pipelines, electrical utility transmission and distribution systems, and
rail and other public transportation systems. SCADA systems integrate data acquisition systems with data
transmission systems and HMI software to provide a centralized monitoring and control system for
numerous process inputs and outputs. SCADA systems are designed to collect field information, transfer it
to a central computer facility, and display the information to the operator graphically or textually, thereby
allowing the operator to monitor or control an entire system from a central location in near real time. Based
on the sophistication and setup of the individual system, control of any individual system, operation, or task
can be automatic, or it can be performed by operator commands.
Typical hardware includes a control server placed at a control center, communications equipment (e.g.,
radio, telephone line, cable, or satellite), and one or more geographically distributed field sites consisting of
Remote Terminal Units (RTUs) and/or PLCs, which control actuators and/or monitor sensors. The
control server stores and processes the information from RTU inputs and outputs, while the RTU or PLC
controls the local process. The communications hardware allows the transfer of information and data back
and forth between the control server and the RTUs or PLCs. The software is programmed to tell the system
what and when to monitor, what parameter ranges are acceptable, and what response to initiate when
parameters change outside acceptable values. An Intelligent Electronic Device (IED), such as a protective
relay, may communicate directly to the control server, or a local RTU may poll the IEDs to collect the data
and pass it to the control server. IEDs provide a direct interface to control and monitor equipment and
sensors. IEDs may be directly polled and controlled by the control server and in most
cases have local programming that allows for the IED to act without direct instructions from the control
center. SCADA systems are usually designed to be fault-tolerant systems with significant redundancy built
into the system. Redundancy may not be a sufficient countermeasure in the face of malicious attack.
Figure 2-2 shows the components and general configuration of a SCADA system. The control center
houses a control server and the communications routers. Other control center components include the HMI,
engineering workstations, and the data historian, which are all connected by a LAN. The control center
collects and logs information gathered by the field sites, displays information to the HMI, and may generate
actions based upon detected events. The control center is also responsible for centralized alarming, trend
analyses, and reporting. The field site performs local control of actuators and monitors sensors (note that
sensors and actuators are only shown in Figure 2-5). Field sites are often equipped with a remote access
capability to allow operators to perform remote diagnostics and repairs usually over a separate dial up
modem or WAN connection. Standard and proprietary communication protocols running over serial and
network communications are used to transport information between the control center and field sites using
telemetry techniques such as telephone line, cable, fiber, and radio frequency such as broadcast, microwave
and satellite.
SCADA communication topologies vary among implementations. The various topologies used, including
point-to-point, series, series-star, and multi-drop [5], are shown in Figure 2-3.
Point-to-point is functionally the simplest type; however, it is expensive because of the individual channels
needed for each connection. In a series configuration, the number of channels used is reduced; however,
channel sharing has an impact on the efficiency and complexity of SCADA operations. Similarly, the
series-star and multi-drop configurations’ use of one channel per device results in decreased efficiency and
increased system complexity.
Figure 2-2. SCADA System General Layout
SP800-82 第2版 産業用制御システム(ICS)セキュリティガイド
24
SCADA systems are usually designed as fault-tolerant systems with significant redundancy built in. That redundancy may not be an adequate countermeasure against a malicious attack.
Figure 2-2 shows the components and general configuration of a SCADA system. The control center houses a control server and a communications router. Other components in the control center include the HMI, engineering workstations and the data historian, all connected over a LAN. The control center collects and logs the information gathered by the field sites, displays it on the HMI, and generates actions in response to detected events. It is also responsible for centralized alarming, trend analysis and reporting. The field sites perform local control of actuators and monitor sensors (sensors and actuators are shown only in Figure 2-5). Field sites are often equipped with remote access capability so that operators can perform remote diagnostics and repairs, usually over a separate dial-up modem or WAN connection. Standard and proprietary protocols running over serial and network communications are used to carry information between the control center and the field sites, and this communication relies on telemetry technologies such as telephone lines, cable, fiber and radio frequencies (broadcast, microwave, satellite, etc.).
SCADA communication topologies vary widely from implementation to implementation. Figure 2-3 shows the various topologies in use, including point-to-point, series, series-star and multi-drop [5].
Point-to-point is functionally the simplest, but it is costly because each connection requires its own channel. The series configuration reduces the number of channels, but because a channel is shared it affects the efficiency and complexity of SCADA operations.
Similarly, the series-star and multi-drop configurations use one channel per device, which lowers efficiency and makes the system more complex.
Figure 2-2. SCADA System General Layout (figure; label text only): control center with HMI, engineering workstation, data historian, control server (SCADA-MTU) and communications router; links over switched telephone, leased line or power-line carrier communications, microwave radio or cellular, satellite, and WAN; field site 1 with modem and PLC; field site 2 with WAN card and IED; field site 3 with modem and RTU.
SPECIAL PUBLICATION 800-82 REVISION 2 GUIDE TO INDUSTRIAL CONTROL SYSTEMS (ICS) SECURITY
25
The four basic topologies shown in Figure 2-3 can be further augmented using dedicated devices to manage
communication exchanges as well as message switching and buffering. Large SCADA systems containing
hundreds of RTUs often employ a sub-control server to alleviate the burden on the primary server. This
type of topology is shown in Figure 2-4.
Figure 2-5 shows an example of a SCADA system implementation. This particular SCADA system consists
of a primary control center and three field sites. A second backup control center provides redundancy in the
event of a primary control center malfunction. Point-to-point connections are used for all control center to
field site communications, with two connections using radio telemetry. The third field site is local to the
control center and uses the WAN for communications. A regional control center resides above the primary
control center for a higher level of supervisory control. The corporate network has access to all control
centers through the WAN, and field sites can be accessed remotely for troubleshooting and maintenance
operations. The primary control center polls field devices for data at defined intervals (e.g., 5 seconds, 60
seconds) and can send new set points to a field device as required. In addition to polling and issuing high-
level commands, the control server also watches for priority interrupts coming from field site alarm
systems.
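As an added illustration (not code from NIST SP 800-82), the control-server behaviour just described modelled as a discrete-event loop in Python: each field device is polled at its own interval, a set point is range-checked against the device's engineering limits before it is sent, and an alarm interrupt from a field site is serviced ahead of any routine poll due at the same time. Device names, poll intervals and limits are constructed values.

```python
import heapq
from dataclasses import dataclass, field


@dataclass(order=True)
class Event:
    """Queued work for the control server; ordered by time, then priority."""
    time: float
    priority: int                  # 0 = alarm interrupt, 1 = routine poll
    kind: str = field(compare=False)
    device: str = field(compare=False)


class ControlServer:
    """Model of the primary control center's MTU (constructed example)."""

    def __init__(self, devices):
        # devices: {name: {"interval": poll period in s, "limits": (lo, hi)}}
        self.devices = devices
        self.queue = []
        self.log = []
        for name in devices:
            heapq.heappush(self.queue, Event(0.0, 1, "poll", name))

    def raise_alarm(self, time, device):
        """A field-site alarm system asserts a priority interrupt at `time`."""
        heapq.heappush(self.queue, Event(time, 0, "alarm", device))

    def send_setpoint(self, device, value):
        """Write a new set point only if it lies within the device's limits."""
        lo, hi = self.devices[device]["limits"]
        if not lo <= value <= hi:
            self.log.append(("reject", device, value))
            return False
        self.log.append(("setpoint", device, value))
        return True

    def run(self, until):
        """Service events in time order up to and including `until` seconds.
        At equal times an alarm (priority 0) is handled before a poll."""
        while self.queue and self.queue[0].time <= until:
            ev = heapq.heappop(self.queue)
            self.log.append((ev.kind, ev.device, ev.time))
            if ev.kind == "poll":
                nxt = ev.time + self.devices[ev.device]["interval"]
                heapq.heappush(self.queue, Event(nxt, 1, "poll", ev.device))
        return self.log


def count(log, kind, device=None):
    """Number of log entries of a given kind (optionally for one device)."""
    return sum(1 for e in log if e[0] == kind and (device is None or e[1] == device))


def demo():
    """One minute of operation with a 5 s and a 60 s poll cycle (constructed)."""
    srv = ControlServer({
        "site1_plc": {"interval": 5.0, "limits": (0.0, 100.0)},
        "site2_ied": {"interval": 60.0, "limits": (0.0, 100.0)},
    })
    srv.send_setpoint("site1_plc", 42.0)    # accepted
    srv.send_setpoint("site1_plc", 250.0)   # outside limits, rejected
    srv.raise_alarm(12.0, "site1_plc")      # interrupt between two polls
    return srv.run(until=60.0)


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```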
Figure 2-3. Basic SCADA Communication Topologies
The four basic topologies in Figure 2-3 can be further augmented with dedicated devices that manage communication exchanges, message switching and buffering. Large SCADA systems with hundreds of RTUs often employ a sub-control server to relieve the load on the primary server. This type of topology is shown in Figure 2-4.
Figure 2-5 is an example of a SCADA system implementation. This particular SCADA system consists of a primary control center and three field sites. A second, backup control center provides redundancy when the primary control center malfunctions. Point-to-point connections are used for all communication between the control centers and the field sites, two of which are connected by radio telemetry. The third field site is local to the control center and uses a WAN connection. A regional control center sits above the primary control center and exercises a higher level of supervisory control. The corporate network accesses the control centers through the WAN, and the field sites can be reached by remote access for troubleshooting and maintenance work. The primary control center polls the field devices for data at defined intervals (5 seconds, 60 seconds, etc.) and sends new set points to the field devices as required. In addition to polling and issuing high-level commands, the control server also monitors for priority interrupts sent from the field-site alarm systems.
Figure 2-3. Basic SCADA Communication Topologies (figure; label text only): control center with SCADA server (MTU) and modems; field sites with RTU/PLC and modems; topologies shown: point-to-point, series, series-star and multi-drop.
Figure 2-4. Large SCADA Communication Topology
Figure 2-4. Large SCADA Communication Topology (figure; label text only): control center with SCADA server (MTU) and modems; intermediate SCADA servers (sub-MTU) with modems; many field devices; many remote stations.
Figure 2-5. SCADA System Implementation Example (Distribution Monitoring and Control)
Figure 2-6 shows an example implementation for rail monitoring and control. This example includes a rail
control center that houses the SCADA system and three sections of a rail system. The SCADA system polls
the rail sections for information such as the status of the trains, signal systems, traction electrification
systems, and ticket vending machines. This information is also fed to operator consoles at the HMI station
within the rail control center. The SCADA system also monitors operator inputs at the rail control center
and disperses high-level operator commands to the rail section components. In addition, the SCADA
system monitors conditions at the individual rail sections and issues commands based on these conditions
(e.g., stopping a train to prevent it from entering an area that has been determined to be flooded or occupied
by another train based on condition monitoring).
Figure 2-5. SCADA System Implementation Example (Distribution Monitoring and Control)
Figure 2-6 is an example implementation for rail monitoring and control. This example includes a rail control center that houses the SCADA system and three sections of a rail system. The SCADA system polls the rail sections for information such as train status, signaling equipment, traction electrification equipment and ticket vending machines. This information is also fed to the operator consoles at the HMI station inside the rail control center. The SCADA system also monitors operator inputs at the rail control center and issues high-level operator commands to the rail section components. In addition, it monitors the conditions in the individual rail sections and issues commands in response to them (for example, stopping a train so that it does not enter an area judged, on the basis of condition monitoring, to be flooded or occupied by another train).
(Figure 2-5; label text only): backup control center with data historian, printer and HMI station; corporate network; serial-based radio communications; primary control center with engineering workstation, modem, WAN card, control server (SCADA-MTU) and HMI station; regional control center with control server (SCADA-MTU) and HMI station; remote stations each with valve, pump, level sensor, flow sensor and pressure sensor; remote access computer and modem.
Figure 2-6. SCADA System Implementation Example (Rail Monitoring and Control)
2.3.3 Distributed Control Systems
DCS are used to control production systems within the same geographic location for industries such as oil
refineries, water and wastewater treatment, electric power generation plants, chemical manufacturing plants,
automotive production, and pharmaceutical processing facilities. These systems are usually process control
or discrete part control systems.
DCS are integrated as a control architecture containing a supervisory level of control overseeing multiple,
integrated sub-systems that are responsible for controlling the details of a localized process. A DCS uses a
centralized supervisory control loop to mediate a group of localized controllers that share the overall tasks
of carrying out an entire production process [6]. Product and process control are usually achieved by
deploying feedback or feedforward control loops whereby key product and/or process conditions are
automatically maintained around a desired set point. To accomplish the desired product and/or process
tolerance around a specified set point, specific process controllers, or more capable PLCs, are employed in
the field and are tuned to provide the desired tolerance as well as the rate of self-correction during process
upsets. By modularizing the production system, a DCS reduces the impact of a single fault on the
Figure 2-6. SCADA System Implementation Example (Rail Monitoring and Control)
2.3.3 Distributed Control Systems
DCS are used to control production systems located in the same geographic location, in industries such as oil refining, water and wastewater treatment, power generation, chemical plants, automotive production and pharmaceutical processing facilities. Such systems are usually process control or discrete part control systems.
A DCS is integrated as a control architecture that includes a supervisory level of control over multiple integrated sub-systems, each of which controls the details of a localized process. The DCS uses a centralized supervisory control loop to mediate a group of localized controllers that share the tasks involved in carrying out the entire production process [6]. Product and process control is usually achieved by deploying feedback or feedforward control loops, and key product and process conditions are automatically held near a desired set point. To keep the desired product or process tolerance near the specified set point, dedicated process controllers or more capable PLCs are deployed in the field and tuned so that the process stays within the desired tolerance during process upsets and self-corrects at the desired rate. By modularizing the production system, a DCS reduces the impact that a single fault has on the overall system.
(Figure 2-6; label text only): rail control center with LAN, data historian, HMI station, corporate workstation, control server (SCADA MTU), printer and router, in a ring topology; rail sections 1, 2 and 3, each with hub, wayside train control and signaling, traction electrification substation, rail power, train, power feed from the local utility, and traction electrification monitoring and control.
overall system. In many modern systems, the DCS is interfaced with the corporate network to give business
operations a view of production.
An example implementation showing the components and general configuration of a DCS is depicted in
Figure 2-7. This DCS encompasses an entire facility from the bottom-level production processes up to the
corporate or enterprise layer. In this example, a supervisory controller (control server) communicates to its
subordinates via a control network. The supervisor sends set points to and requests data from the distributed
field controllers. The distributed controllers control their process actuators based on control server
commands and sensor feedback from process sensors.
Figure 2-7 gives examples of low-level controllers found on a DCS system. The field control devices
shown include a PLC, a process controller, a single loop controller, and a machine controller. The single
loop controller interfaces sensors and actuators using point-to-point wiring, while the other three field
devices incorporate fieldbus networks to interface with process sensors and actuators. Fieldbus networks
eliminate the need for point-to-point wiring between a controller and individual field sensors and actuators.
Additionally, a fieldbus allows greater functionality beyond control, including field device diagnostics, and
can accomplish control algorithms within the fieldbus, thereby avoiding signal routing back to the PLC for
every control operation. Standard industrial communication protocols designed by industry groups such as
Modbus and Fieldbus [7] are often used on control networks and fieldbus networks.
In addition to the supervisory-level and field-level control loops, intermediate levels of control may also
exist. For example, in the case of a DCS controlling a discrete part manufacturing facility, there could be an
intermediate level supervisor for each cell within the plant. This supervisor would encompass a
manufacturing cell containing a machine controller that processes a part and a robot controller that handles
raw stock and final products. There could be several of these cells that manage field-level controllers under
the main DCS supervisory control loop.
In many recent systems, the DCS is interfaced with the corporate network to give business operations a view of production.
Figure 2-7 shows an example of the components and general configuration of a DCS. This DCS encompasses the entire facility, from the bottom-level production processes up to the enterprise layer. In this example, a supervisory controller (control server) communicates with its subordinate layers via the control network. The supervisor sends set points to, and requests data from, the distributed field controllers. The distributed controllers control the process actuators based on commands from the control server and sensor feedback from the process sensors.
Figure 2-7 gives examples of the low-level controllers found in a DCS. The field control devices include a PLC, a process controller, a single loop controller and a machine controller. The single loop controller interfaces sensors and actuators through point-to-point wiring, while the other three types of device use fieldbus networks to interface with the process sensors and actuators. A fieldbus network removes the need for point-to-point wiring between a controller and the individual field sensors and actuators. A fieldbus also provides functionality beyond control, such as field device diagnostics, and can execute control algorithms within the fieldbus so that signals need not be routed back to the PLC for every control operation. Standard communication protocols designed by industry groups, such as Modbus and Fieldbus [7], are widely used on control networks and fieldbus networks.
In addition to the supervisory-level and field-level control loops, there may also be intermediate levels of control. For example, in the case of a DCS that controls a discrete part manufacturing facility, an intermediate-level supervisor may be placed on each cell within the plant. That supervisor encompasses a manufacturing cell, which contains a machine controller (that processes a part) and a robot controller (that handles raw stock and finished products). There may be several such cells, each managing field-level controllers under the main DCS supervisory control loop.
Figure 2-7. DCS Implementation Example
2.3.4 Programmable Logic Controller Based Topologies
PLCs are used in both SCADA and DCS systems as the control components of an overall hierarchical
system to provide local management of processes through feedback control as described in the sections
above. In the case of SCADA systems, they may provide the same functionality as RTUs. When used in
DCS, PLCs are implemented as local controllers within a supervisory control scheme.
In addition to PLC usage in SCADA and DCS, PLCs are also implemented as the primary controller in
smaller control system configurations to provide operational control of discrete processes such as
automobile assembly lines and power plant soot blower controls. These topologies differ from SCADA and
DCS in that they generally lack a central control server and HMI and, therefore, primarily provide closed-
loop control without direct human involvement. PLCs have a user-programmable memory for storing
instructions for the purpose of implementing specific functions such as I/O control, logic, timing, counting,
three mode proportional-integral-derivative (PID) control, communication, arithmetic, and data and file
processing.
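As an added example (not code from NIST SP 800-82 or any vendor), the feedback loop that the DCS and PLC sections describe: a three-mode PID controller holds a simulated first-order process near its set point, a process upset is injected part-way through, and the time the loop needs to come back within tolerance is measured. The process model, controller gains, tolerance and upset size are constructed values.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class PID:
    """Three-mode (proportional-integral-derivative) controller."""
    kp: float
    ki: float
    kd: float
    dt: float
    out_min: float = 0.0
    out_max: float = 100.0
    integral: float = 0.0
    prev_meas: Optional[float] = None

    def update(self, setpoint: float, measurement: float) -> float:
        error = setpoint - measurement
        # derivative acts on the measurement, so a set point step causes no spike
        deriv = 0.0 if self.prev_meas is None else -(measurement - self.prev_meas) / self.dt
        self.prev_meas = measurement
        unclamped = self.kp * error + self.ki * self.integral + self.kd * deriv
        out = min(self.out_max, max(self.out_min, unclamped))
        if out == unclamped:          # anti-windup: no integration while saturated
            self.integral += error * self.dt
        return out


def simulate(setpoint=50.0, gain=1.0, tau=5.0, dt=0.1, t_end=60.0,
             upset_time=30.0, upset=-10.0) -> List[Tuple[float, float, float]]:
    """Constructed first-order process dy/dt = (gain*(u + d) - y)/tau under PID
    control; a load disturbance d = `upset` is applied from `upset_time` on.
    Returns (t, y, u) samples."""
    pid = PID(kp=2.0, ki=0.5, kd=0.5, dt=dt)   # constructed tuning
    y, trace = 0.0, []
    for k in range(int(round(t_end / dt)) + 1):
        t = k * dt
        u = pid.update(setpoint, y)
        d = upset if t >= upset_time else 0.0
        trace.append((t, y, u))
        y += dt * (gain * (u + d) - y) / tau     # forward-Euler process step
    return trace


def first_settle_time(trace, setpoint, tol, start=0.0) -> Optional[float]:
    """Earliest sample time >= start after which every later sample stays
    within +/- tol of the set point (None if it never settles)."""
    tail = [(t, y) for t, y, _ in trace if t >= start]
    for i, (t, _) in enumerate(tail):
        if all(abs(y - setpoint) <= tol for _, y in tail[i:]):
            return t
    return None


if __name__ == "__main__":
    run = simulate()
    before = [s for s in run if s[0] < 30.0]
    print("settled by t =", first_settle_time(before, 50.0, 1.0))
    print("recovered from upset by t =", first_settle_time(run, 50.0, 1.0, start=30.0))
```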
Figure 2-7. DCS Implementation Example
2.3.4 Programmable Logic Controller Based Topologies
PLCs are used in both SCADA and DCS systems as control components of the overall hierarchical system and, as described above, provide local management of processes through feedback control. In SCADA systems they perform the same function as RTUs. When used in a DCS, PLCs are implemented as local controllers within the supervisory control scheme.
Besides their use in SCADA and DCS, PLCs are also used as the primary controller in smaller control system configurations to provide operational control of discrete processes such as automobile assembly lines and power plant soot blower controls. These topologies differ from SCADA and DCS in that they generally have no central control server and no HMI, and therefore primarily perform closed-loop control without direct human involvement. A PLC has a user-programmable memory that stores instructions for implementing specific functions such as I/O control, logic, timing, counting, three-mode proportional-integral-derivative (PID) control, communication, arithmetic, and data and file processing.
(Figure 2-7; label text only): enterprise layer with workstation, printer, application server, business clients/servers, wireless device, modem, distributed plants, Internet/WAN and the outside world; supervisory level with redundant control server, control server, main HMI, local control network, data historian, corporate workstation, and links to MES, MIS and ERP systems; field level with HMI, machine controller, programmable logic controller (PLC), process controller, single loop controller, modems, motors, servo drives, solenoid valves, AC drive, logic control, motion control network, pressure sensor, pressure regulator, light tower, photo eye, variable frequency drive, DC servo drive, proximity sensor, fieldbus with sensors and actuators, servo valve, temperature sensor, and remote access computer.
Figure 2-8 shows control of a manufacturing process being performed by a PLC over a fieldbus network.
The PLC is accessible via a programming interface located on an engineering workstation, and data is
stored in a data historian, all connected on a LAN.
Figure 2-8. PLC Control System Implementation Example
Figure 2-8 shows a manufacturing process being controlled by a PLC over a fieldbus network. The PLC is accessible through a programming interface on an engineering workstation, data is stored in a historian, and all of them are connected over a LAN.
Figure 2-8. PLC Control System Implementation Example (figure; label text only): fieldbus with PLC, modem, AC drive, light tower, photo eye, variable frequency drive, DC servo drive and proximity sensor; LAN with data historian and engineering workstation.
2.4 Comparing ICS and IT Systems Security
ICS control the physical world and IT systems manage data. ICS have many characteristics that differ from
traditional IT systems, including different risks and priorities. Some of these include significant risk to the
health and safety of human lives, serious damage to the environment, and financial issues such as
production losses, and negative impact to a nation’s economy. ICS have different performance and
reliability requirements, and also use operating systems and applications that may be considered
unconventional in a typical IT network environment. Security protections must be implemented in a way
that maintains system integrity during normal operations as well as during times of cyber attack [17].
Initially, ICS had little resemblance to IT systems in that ICS were isolated systems running proprietary
control protocols using specialized hardware and software. Widely available, low-cost Ethernet and
Internet Protocol (IP) devices are now replacing the older proprietary technologies, which increases the
possibility of cybersecurity vulnerabilities and incidents. As ICS are adopting IT solutions to promote
corporate connectivity and remote access capabilities, and are being designed and implemented using
industry standard computers, operating systems (OS) and network protocols, they are starting to resemble
IT systems. This integration supports new IT capabilities, but it provides significantly less isolation for ICS
from the outside world than predecessor systems, creating a greater need to secure these systems. While
security solutions have been designed to deal with these security issues in typical IT systems, special
precautions must be taken when introducing these same solutions to ICS environments. In some cases, new
security solutions are needed that are tailored to the ICS environment.
The environments in which ICS and IT systems operate are constantly changing. The environments of
operation include, but are not limited to: the threat space; vulnerabilities; missions/business functions;
mission/business processes; enterprise and information security architectures; information technologies;
personnel; facilities; supply chain relationships; organizational governance/culture;
procurement/acquisition processes; organizational policies/procedures; organizational assumptions,
constraints, risk tolerance, and priorities/trade-offs.
The following lists some special considerations when considering security for ICS:
• Timeliness and Performance Requirements. ICS are generally time-critical, with the criterion for
acceptable levels of delay and jitter dictated by the individual installation. Some systems require
reliable, deterministic responses. High throughput is typically not essential to ICS. In contrast, IT
systems typically require high throughput, and they can typically withstand some level of delay and
jitter. For some ICS, automated response time or system response to human interaction is very critical.
Some ICS are built on real-time operating systems (RTOS), where real-time refers to timeliness
requirements. The units of real-time are very application dependent and must be explicitly stated.
• Availability Requirements. Many ICS processes are continuous in nature. Unexpected outages of
systems that control industrial processes are not acceptable. Outages often must be planned and
scheduled days or weeks in advance. Exhaustive pre-deployment testing is essential to ensure high
availability (i.e., reliability) for the ICS. Control systems often cannot be easily stopped and started
without affecting production. In some cases, the products being produced or equipment being used is
more important than the information being relayed. Therefore, the use of typical IT strategies such as
rebooting a component are usually not acceptable solutions due to the adverse impact on the
requirements for high availability, reliability and maintainability of the ICS. Some ICS employ
redundant components, often running in parallel, to provide continuity when primary components are
unavailable.
2.4 Comparing ICS and IT Systems Security
ICS control the physical world and IT systems manage data. ICS have many characteristics that differ from traditional IT systems, and their risks and priorities differ as well. Some pose a significant risk to human health and safety, damage the environment, cause financial problems such as production losses, and harm the national economy. ICS have different performance and reliability requirements and use operating systems and applications that would look unusual in an ordinary IT network environment. Security protections must be implemented in a way that maintains system integrity during normal operation as well as during a cyber attack [17].
Initially ICS were isolated systems that ran proprietary control protocols on specialized hardware and software, so they had little in common with IT systems. Today, widely available, low-cost Ethernet and Internet Protocol (IP) devices are replacing the older proprietary technologies, which increases the likelihood of cybersecurity vulnerabilities and incidents. ICS are adopting IT solutions to promote corporate connectivity and remote access capabilities, and are being designed and implemented using industry standard computers, operating systems (OS) and network protocols. As a result, ICS have gradually come to resemble IT systems. This integration supports new IT capabilities, but it provides far less isolation from the outside world than the predecessor systems did, so the need for security increases.
Security solutions have been designed to deal with the security issues of typical IT systems, but special care is essential when bringing those same solutions into an ICS environment. In some cases, new security solutions tailored to the ICS environment are needed.
The environments in which ICS and IT systems operate are constantly changing. They include, for example, the threat space; vulnerabilities; mission/business functions; mission/business processes; enterprise and information security architectures; information technologies; personnel; facilities; supply chain relationships; organizational governance/culture; procurement/acquisition processes; organizational policies/procedures; organizational assumptions, constraints, risk tolerance, and priorities/trade-offs.
Special considerations when examining ICS security are listed below.
• Timeliness and Performance Requirements. Many ICS are time-critical, and the criteria for acceptable delay and jitter are determined by the individual installation. Some systems require reliable, deterministic responses. High throughput is generally not essential for ICS. Conversely, IT systems typically demand high throughput and can tolerate some degree of delay and jitter. In certain ICS, the automated response time or the system's response to human interaction is extremely important. Some ICS are built on real-time operating systems (RTOS), where real-time refers to the timeliness requirements. The units of real-time depend on the application and must be stated explicitly.
• Availability Requirements. Many ICS processes are continuous by nature. Unexpected outages of systems that control industrial processes are not acceptable. Outages often have to be planned and scheduled days or weeks in advance. Exhaustive pre-deployment testing is indispensable to ensure high availability (that is, reliability) for the ICS. Control systems can rarely be stopped and started easily without affecting production. In some cases the products being produced or the equipment in use is more important than the information being relayed. Typical IT strategies such as rebooting a component are therefore usually not acceptable solutions, because of their adverse effect on the ICS's high availability, reliability and maintainability requirements. ICS often employ redundant components running in parallel to provide continuity when a primary component is unavailable.
• Risk Management Requirements. In a typical IT system, data confidentiality and integrity are
typically the primary concerns. For an ICS, human safety and fault tolerance to prevent loss of life or
endangerment of public health or confidence, regulatory compliance, loss of equipment, loss of
intellectual property, or lost or damaged products are the primary concerns. The personnel responsible
for operating, securing, and maintaining ICS must understand the important link between safety and
security. Any security measure that impairs safety is unacceptable.
• Physical Effects. ICS field devices (e.g., PLC, operator station, DCS controller) are directly
responsible for controlling physical processes. ICS can have very complex interactions with physical
processes and consequences in the ICS domain that can manifest in physical events. Understanding
these potential physical effects often requires communication between experts in control systems and
in the particular physical domain.
• System Operation. ICS operating systems (OS) and control networks are often quite different from IT
counterparts, requiring different skill sets, experience, and levels of expertise. Control networks are
typically managed by control engineers, not IT personnel. Assumptions that differences are not
significant can have disastrous consequences on system operations.
• Resource Constraints. ICS and their real time OSs are often resource-constrained systems that do not
include typical contemporary IT security capabilities. Legacy systems are often lacking resources
common on modern IT systems. Many systems may not have desired features including encryption
capabilities, error logging, and password protection. Indiscriminate use of IT security practices in ICS
may cause availability and timing disruptions. There may not be computing resources available on ICS
components to retrofit these systems with current security capabilities. Adding resources or features
may not be possible.
• Communications. Communication protocols and media used by ICS environments for field device
control and intra-processor communication are typically different from most IT environments, and
may be proprietary.
• Change Management. Change management is paramount to maintaining the integrity of both IT and
control systems. Unpatched software represents one of the greatest vulnerabilities to a system.
Software updates on IT systems, including security patches, are typically applied in a timely fashion
based on appropriate security policy and procedures. In addition, these procedures are often automated
using server-based tools. Software updates on ICS cannot always be implemented on a timely basis.
These updates need to be thoroughly tested by both the vendor of the industrial control application and
the end user of the application before being implemented. Additionally, the ICS owner must plan and
schedule ICS outages days/weeks in advance. The ICS may also require revalidation as part of the
update process. Another issue is that many ICS utilize older versions of operating systems that are no
longer supported by the vendor. Consequently, available patches may not be applicable. Change
management is also applicable to hardware and firmware. The change management process, when
applied to ICS, requires careful assessment by ICS experts (e.g., control engineers) working in
conjunction with security and IT personnel.
• Managed Support. Typical IT systems allow for diversified support styles, perhaps supporting
disparate but interconnected technology architectures. For ICS, service support is sometimes via a
single vendor, which may not have a diversified and interoperable support solution from another
vendor. In some instances, third-party security solutions are not allowed due to ICS vendor license and
service agreements, and loss of service support can occur if third party applications are installed
without vendor acknowledgement or approval.
• Risk Management Requirements. In a typical IT system, data confidentiality and integrity are usually the primary concerns. For an ICS, the primary concerns are human safety and fault tolerance to prevent loss of life, endangerment of public health or public confidence, regulatory non-compliance, loss of equipment, loss of intellectual property, or lost or damaged products. The personnel responsible for operating, securing and maintaining ICS must understand the important link between safety and security. Any security measure that impairs safety is unacceptable.
• Physical Effects. ICS field devices (PLCs, operator stations, DCS controllers, etc.) directly control physical processes. The interaction between ICS and physical processes is extremely complex, and consequences in the ICS domain manifest as physical events. Understanding these potential physical effects often requires communication between control system experts and experts in the particular physical domain.
• System Operation. ICS operating systems and control networks are often quite different from their IT counterparts, and the required skills, experience and level of expertise differ too. Control networks are typically managed by control engineers, not IT personnel. Assuming that the differences are not significant can have disastrous consequences for system operations.
• Resource Constraints. ICS and their real-time OSs are often resource-constrained systems that do not include typical contemporary security capabilities. Legacy systems lack the resources common on modern IT systems. Many systems do not have desirable features such as encryption, error logging and password protection. Indiscriminate use of IT security practices in ICS can cause availability and timing problems. ICS components may not have the computing resources to retrofit these systems with current security capabilities, and adding resources or features may not be possible.
• Communications. The communication protocols and media used in ICS environments for field device control and intra-processor communication differ from most IT environments and are often proprietary.
• Change Management. Change management is paramount to maintaining the integrity of both IT and control systems. Unpatched software is one of the greatest vulnerabilities in a system. Software updates on IT systems, including security patches, are applied in a timely fashion in accordance with appropriate security policies and procedures, and those procedures are often automated with server-based tools. Software updates on ICS are not always applied in a timely fashion. Before an update is applied, thorough testing by both the vendor of the industrial control application and the end user of the application is required. The ICS owner must also plan and schedule outages days or weeks in advance, and revalidation may be required as part of the update process. Another problem is that many ICS use older versions of operating systems that the vendor no longer supports, so the available patches cannot be applied. Change management also applies to hardware and firmware. When the change management process is applied to ICS, ICS experts (such as control engineers) must work with security and IT personnel to carry out a careful assessment.
• Managed Support. Typical IT systems allow a variety of support styles and support technology architectures that are disparate but interconnected. For ICS, service support is sometimes provided by a single vendor, and a diversified, interoperable support solution from another vendor may not be available. In addition, ICS vendor license and service agreements may not permit third-party security solutions, and installing third-party applications without the vendor's approval may result in cancellation of service support.
SPECIAL PUBLICATION 800-82 REVISION 2 GUIDE TO INDUSTRIAL CONTROL SYSTEMS (ICS) SECURITY
43
• Component Lifetime. Typical IT components have a lifetime on the order of 3 to 5 years, with brevity due to the quick evolution of technology. For ICS where technology has been developed in many cases for very specific use and implementation, the lifetime of the deployed technology is often in the order of 10 to 15 years and sometimes longer.
• Component Location. Most IT components and some ICS are located in business and commercial facilities physically accessible by local transportation. Remote locations may be utilized for backup facilities. Distributed ICS components may be isolated, remote, and require extensive transportation effort to reach. Component location also needs to consider necessary physical and environmental security measures.
Table 2-1 summarizes some of the typical differences between IT systems and ICS.
Table 2-1. Summary of IT System and ICS Differences
(Columns: Information Technology System (IT) / Industrial Control System (ICS); each row gives the IT entry, then the ICS entry.)

Performance Requirements
  IT: Non-real-time. Response must be consistent. High throughput is demanded. High delay and jitter may be acceptable. Less critical emergency interaction. Tightly restricted access control can be implemented to the degree necessary for security.
  ICS: Real-time. Response is time-critical. Modest throughput is acceptable. High delay and/or jitter is not acceptable. Response to human and other emergency interaction is critical. Access to ICS should be strictly controlled, but should not hamper or interfere with human-machine interaction.

Availability (Reliability) Requirements
  IT: Responses such as rebooting are acceptable. Availability deficiencies can often be tolerated, depending on the system's operational requirements.
  ICS: Responses such as rebooting may not be acceptable because of process availability requirements. Availability requirements may necessitate redundant systems. Outages must be planned and scheduled days/weeks in advance. High availability requires exhaustive pre-deployment testing.

Risk Management Requirements
  IT: Manage data. Data confidentiality and integrity is paramount. Fault tolerance is less important; momentary downtime is not a major risk. Major risk impact is delay of business operations.
  ICS: Control physical world. Human safety is paramount, followed by protection of the process. Fault tolerance is essential; even momentary downtime may not be acceptable. Major risk impacts are regulatory non-compliance, environmental impacts, loss of life, equipment, or production.

System Operation
  IT: Systems are designed for use with typical operating systems. Upgrades are straightforward with the availability of automated deployment tools.
  ICS: Differing and possibly proprietary operating systems, often without security capabilities built in. Software changes must be carefully made, usually by software vendors, because of the specialized control algorithms and perhaps modified hardware and software involved.

Resource Constraints
  IT: Systems are specified with enough resources to support the addition of third-party applications such as security solutions.
  ICS: Systems are designed to support the intended industrial process and may not have enough memory and computing resources to support the addition of security capabilities.
• Component Lifetime. In general, IT components have a lifetime of 3 to 5 years and are short-lived because of the speed of technical progress. For ICS, whose technology has in many cases been developed for a very specific use and implementation, the lifetime is 10 to 15 years and sometimes longer.
• Component Location. Most IT components and some ICS components are placed in business and commercial facilities that are physically accessible using local transportation. Remote locations are used as backup facilities. Distributed ICS components are isolated and remote, so reaching them requires considerable transportation effort. Component location also needs to take physical and environmental security measures into account.
Table 2-1 summarizes the typical differences between IT systems and ICS.
Table 2-1. Differences between IT Systems and ICS
(Columns: Information (IT) System / Industrial Control System (ICS); each row gives the IT entry, then the ICS entry.)

Performance requirements
  IT: Real-time not required. Response must be consistent. High throughput required. Large delay and jitter tolerated. Few critical emergency interactions. Strict access control can be implemented to the degree necessary for security.
  ICS: Real-time. Response is time-critical. Moderate throughput is acceptable. Large delay or jitter not acceptable. Response to human and other emergency interaction is critical. Access to ICS is strictly controlled, but must not hamper or interfere with the human-machine interface.

Availability (reliability) requirements
  IT: Responses such as rebooting are acceptable. Availability deficiencies are often tolerated, depending on the system's operational requirements.
  ICS: Responses such as rebooting are not acceptable because of process availability requirements. Availability requirements may call for redundant systems. Outages are planned and scheduled days or weeks in advance. High availability requirements call for exhaustive pre-deployment testing.

Risk management requirements
  IT: Manage data. Data confidentiality and integrity are paramount. Fault tolerance is less important (momentary downtime is not a major risk). Major risk impact is delay of business operations.
  ICS: Control of the physical world. Human safety is paramount, followed by protection of the process. Fault tolerance is essential; even momentary downtime is not acceptable. Major risk impacts are regulatory non-compliance, environmental impact, and loss of life, equipment, or production.

System operation
  IT: Systems run on common OSs. Upgrades are easy because automated deployment tools are used.
  ICS: Varied and proprietary OSs may be used, often without security capabilities. Because proprietary control algorithms and modified hardware/software are involved, software changes require caution and are usually handled by the vendor.

Resource constraints
  IT: Systems are provided with sufficient resources to support additional third-party applications such as security solutions.
  ICS: Systems are built to support the intended industrial process and lack the memory and computing resources to support additional security capabilities.
Table 2-1 (continued)
(Columns: Information Technology System (IT) / Industrial Control System (ICS); each row gives the IT entry, then the ICS entry.)

Communications
  IT: Standard communications protocols. Primarily wired networks with some localized wireless capabilities. Typical IT networking practices.
  ICS: Many proprietary and standard communication protocols. Several types of communications media used including dedicated wire and wireless (radio and satellite). Networks are complex and sometimes require the expertise of control engineers.

Change Management
  IT: Software changes are applied in a timely fashion in the presence of good security policy and procedures. The procedures are often automated.
  ICS: Software changes must be thoroughly tested and deployed incrementally throughout a system to ensure that the integrity of the control system is maintained. ICS outages often must be planned and scheduled days/weeks in advance. ICS may use OSs that are no longer supported.

Managed Support
  IT: Allow for diversified support styles.
  ICS: Service support is usually via a single vendor.

Component Lifetime
  IT: Lifetime on the order of 3 to 5 years.
  ICS: Lifetime on the order of 10 to 15 years.

Components Location
  IT: Components are usually local and easy to access.
  ICS: Components can be isolated, remote, and require extensive physical effort to gain access to them.
In summary, the operational and risk differences between ICS and IT systems create the need for increased
sophistication in applying cybersecurity and operational strategies. A cross-functional team of control
engineers, control system operators and IT security professionals needs to work closely to understand the
possible implications of the installation, operation, and maintenance of security solutions in conjunction
with control system operation. IT professionals working with ICS need to understand the reliability impacts
of information security technologies before deployment. Some of the OSs and applications running on ICS
may not operate correctly with commercial-off-the-shelf (COTS) IT cybersecurity solutions because of
specialized ICS environment architectures.
2.5 Other Types of Control Systems
Although this guide provides guidance for securing ICS, other types of control systems share similar
characteristics and many of the recommendations from this guide are applicable and could be used as a
reference to protect such systems against cybersecurity threats. For example, although many building,
transportation, medical, security and logistics systems use different protocols, ports and services, and are
configured and operate in different modes than ICS, they share similar characteristics to traditional ICS
[18]. Examples of some of these systems and protocols include:
Other Types of Control Systems
• Advanced Metering Infrastructure.
• Building Automation Systems.
• Building Management Control Systems.
• Closed-Circuit Television (CCTV) Surveillance Systems.
• CO2 Monitoring.
• Digital Signage Systems.
• Digital Video Management Systems.
• Electronic Security Systems.
• Emergency Management Systems.
Table 2-1 (continued)
(Columns: Information (IT) System / Industrial Control System (ICS); each row gives the IT entry, then the ICS entry.)

Communications
  IT: Standard communication protocols. Primarily wired networks with localized wireless capability. Typical IT networking practices.
  ICS: Many proprietary and standard communication protocols. Several types of communication media used, including dedicated wire and wireless (radio and satellite). Networks are complex and may require the expertise of control engineers.

Change management
  IT: Software changes are implemented in a timely manner following good security policy and procedures. Procedures are often automated.
  ICS: Software changes are thoroughly tested and deployed throughout the whole system so that the integrity of the control system is maintained. Most ICS outages must be planned and scheduled days or weeks in advance. OSs for which support has ended may be in use.

Managed support
  IT: Diverse support styles available.
  ICS: Service support usually from a single vendor only.

Component lifetime
  IT: 3 to 5 years.
  ICS: 10 to 15 years.

Component location
  IT: Usually located locally and easy to access.
  ICS: Components are in isolated, remote locations, and access requires considerable physical effort.

In summary, because there are operational and risk differences between ICS and IT systems, sophisticated cybersecurity and operational strategies need to be applied. A cross-functional team of control engineers, control system operators, and IT security professionals needs to work closely together to understand the possible implications of installing, operating, and maintaining security solutions in relation to control system operation. IT professionals working with ICS need to understand the reliability impacts of information security technologies before deployment. Some of the OSs and applications running on ICS cannot operate correctly with commercial off-the-shelf (COTS) IT cybersecurity solutions because of the specialized ICS environment architectures.
2.5 Other Types of Control Systems
This guide provides guidance for securing ICS, but other types of control systems share similar characteristics; many of this guide's recommendations are applicable to them, and the guide can be used as a reference when protecting such systems from cybersecurity threats. For example, many building, transportation, medical, security, and logistics systems use different protocols, ports, and services and are configured and operated in different modes than ICS, yet share similar characteristics with traditional ICS [18]. Examples of such systems and protocols are given below.
Other Types of Control Systems
• Advanced Metering Infrastructure
• Building Automation Systems
• Building Management Control Systems
• CCTV Surveillance Systems
• CO2 Monitoring
• Digital Signage Systems
• Digital Video Management Systems
• Electronic Security Systems
• Emergency Management Systems
• Energy Management Systems.
• Exterior Lighting Control Systems.
• Fire Alarm Systems.
• Fire Sprinkler Systems.
• Interior Lighting Control Systems.
• Intrusion Detection Systems.
• Physical Access Control Systems.
• Public Safety/Land Mobile Radios.
• Renewable Energy Geothermal Systems.
• Renewable Energy Photo Voltaic Systems.
• Shade Control Systems.
• Smoke and Purge Systems.
• Vertical Transport System (Elevators and Escalators).
• Laboratory Instrument Control Systems.
• Laboratory Information Management Systems (LIMS).
Protocols/Ports and Services
• Modbus: Master/Slave - Port 502.
• BACnet (footnote 3): Master/Slave - Port 47808.
• LonWorks/LonTalk (footnote 4): Peer to Peer - Port 1679.
• DNP3: Master/Slave – Port 19999 when using Transport Layer Security (TLS), Port 20000 when not using TLS.
• IEEE 802.x - Peer to Peer.
• ZigBee - Peer to Peer.
• Bluetooth – Master/Slave.
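Detection logic built on the port list above, added here as an example (it is not code from NIST SP 800-82 or from any vendor). It tags flow records by the ports the list names, reports sessions on those ports that were opened by a host not on the site's inventory of permitted masters (or known peers, for the peer-to-peer protocols), and reports DNP3 on port 20000, which the list identifies as the port used without TLS. The flow-record format, the IP addresses, and the allowlist are constructed for illustration.

```python
"""Audit flow records against the ICS protocol/port list on this page.

Added example, not code from NIST SP 800-82: the port numbers come from the
list above; the hosts, flow records and the initiator allowlist are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Port -> (protocol, TLS in use). None: the page's entry does not distinguish TLS.
ICS_PORTS: Dict[int, Tuple[str, Optional[bool]]] = {
    502: ("Modbus", None),
    47808: ("BACnet", None),
    1679: ("LonWorks/LonTalk", None),
    19999: ("DNP3", True),
    20000: ("DNP3", False),
}


@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    dport: int
    protocol: str
    reason: str


def parse_flow(line: str) -> Tuple[str, str, int]:
    """Parse one constructed flow record: '<src_ip> <dst_ip> <dst_port>'."""
    src, dst, dport = line.split()
    return src, dst, int(dport)


def audit_flows(lines: Iterable[str],
                allowed_initiators: Dict[str, Set[str]]) -> List[Finding]:
    """Return findings for sessions on ICS ports that break the expected topology.

    allowed_initiators maps a protocol name to the hosts permitted to open
    sessions for it (the masters of a master/slave protocol, or the known
    peers of a peer-to-peer one). Two conditions are reported:
      * a session opened by a host not on that protocol's list;
      * DNP3 on port 20000, which the page lists as the port used without TLS.
    Traffic on ports not in ICS_PORTS is ignored.
    """
    findings: List[Finding] = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport = parse_flow(line)
        entry = ICS_PORTS.get(dport)
        if entry is None:
            continue
        protocol, tls = entry
        if src not in allowed_initiators.get(protocol, set()):
            findings.append(Finding(src, dst, dport, protocol,
                                    "initiator not in allowlist"))
        if tls is False:
            findings.append(Finding(src, dst, dport, protocol,
                                    "DNP3 session without TLS"))
    return findings


# Constructed sample data: one HMI/master (10.10.1.5), a few field devices
# (10.10.2.x) and an engineering workstation (10.10.9.77) that is not on the
# allowlist. Nothing here is taken from a real network.
SAMPLE_FLOWS = [
    "10.10.1.5 10.10.2.20 502",      # master -> Modbus device: expected
    "10.10.1.5 10.10.2.21 20000",    # master -> DNP3 outstation, no TLS
    "10.10.1.5 10.10.2.21 19999",    # master -> DNP3 outstation over TLS
    "10.10.9.77 10.10.2.20 502",     # workstation opening Modbus: unexpected
    "10.10.1.5 10.10.2.30 47808",    # master -> BACnet device: expected
    "10.10.9.77 10.10.2.22 1679",    # workstation opening LonTalk: unexpected
    "192.168.50.3 10.10.2.40 443",   # HTTPS, not an ICS port: ignored
]

ALLOWED_INITIATORS: Dict[str, Set[str]] = {
    "Modbus": {"10.10.1.5"},
    "DNP3": {"10.10.1.5"},
    "BACnet": {"10.10.1.5"},
    "LonWorks/LonTalk": {"10.10.1.5"},
}

if __name__ == "__main__":
    for f in audit_flows(SAMPLE_FLOWS, ALLOWED_INITIATORS):
        print(f"{f.src} -> {f.dst}:{f.dport} [{f.protocol}] {f.reason}")
```

Run as a script it prints the three findings from the constructed sample (the non-TLS DNP3 session and the two sessions opened by the workstation); in practice the allowlist would come from the site's asset inventory and the flow records from a network tap or flow collector, and a finding is a starting point for review rather than a verdict, since a legitimate engineering change can also show up this way.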
The security controls provided in Appendix G of this guide are general and flexible enough to be used to evaluate other types of control systems, but subject matter experts should review the controls and tailor them as appropriate to address the uniqueness of other types of control systems. There is no “one size fits all,” and the risks may not be the same, even within a particular group. For example, a building has many different sub-systems such as building automation, fire alarm, physical access control, digital signage, CCTV, etc. Critical life safety systems such as the fire alarm and physical access control systems may drive the impact level to be a “High,” while the other systems will usually be “Low.” An organization might decide to evaluate each sub-system individually, or decide to use an aggregated approach. The control systems evaluation should be coupled to the Business Impact, Contingency Plan, and Incident Response Plan to ensure organizational critical functions and operations can be recovered and restored as defined by the organization's Recovery Time Objectives.
3 http://www.bacnet.org/
4 http://en.wikipedia.org/wiki/LonWorks
• Energy Management Systems
• Street Lighting Control Systems
• Fire Alarm Systems
• Fire Sprinkler Systems
• Interior Lighting Control Systems
• Intrusion Detection Systems
• Physical Access Control Systems
• Public Safety/Land Mobile Radios
• Renewable Energy Geothermal Systems
• Renewable Energy Photovoltaic Systems
• Shade Control Systems
• Smoke Exhaust Systems
• Vertical Transport Systems (Elevators/Escalators)
• Laboratory Instrument Control Systems
• Laboratory Information Management Systems (LIMS)
Protocols/Ports and Services
• Modbus: Master/Slave - Port 502
• BACnet (footnote 5): Master/Slave - Port 47808
• LonWorks/LonTalk (footnote 6): Peer to Peer - Port 1679
• DNP3: Master/Slave – Port 19999 when Transport Layer Security (TLS) is used, Port 20000 when TLS is not used
• IEEE 802.x - Peer to Peer
• ZigBee - Peer to Peer
• Bluetooth – Master/Slave
The security controls in Appendix G of this guide are general and flexible, so they can also be used to evaluate other types of control systems, but subject matter experts should scrutinize the controls and tailor them as needed to address the uniqueness of those other systems. Even within a particular group there is no “one size fits all,” and the risks are not the same. For example, a building contains many different sub-systems such as building automation, fire alarms, physical access control, digital signage, and CCTV. Critical life safety systems such as fire alarm and physical access control systems should have their impact level set to “High,” whereas the other systems will usually be “Low.” An organization may decide to evaluate each sub-system individually, or may decide to take an aggregated approach. By including the control system evaluation in the Business Impact Contingency Plan and Incident Response Plan and securing the organization's critical functions, operations can be recovered and restored within the organization's recovery time objectives.
5 http://www.bacnet.org/
6 http://en.wikipedia.org/wiki/LonWorks
3. ICS Risk Management and Assessment
3.1 Risk Management
Organizations manage risk every day in meeting their business objectives. These risks may include
financial risk, risk of equipment failure, and personnel safety risk, to name just a few. Organizations must
develop processes to evaluate the risks associated with their business and to decide how to deal with those
risks based on organizational priorities and both internal and external constraints. This management of risk
is conducted as an interactive, ongoing process as part of normal operations. Organizations that use ICS
have historically managed risk through good practices in safety and engineering. Safety assessments are
well established in most sectors and are often incorporated into regulatory requirements. Information
security risk management is an added dimension that can be complementary. The risk management process
and framework outlined in this section can be applied to any risk assessment including both safety and
information security.
A risk management process should be employed throughout an organization, using a three-tiered approach
to address risk at the (i) organization level; (ii) mission/business process level; and (iii) information system
level (IT and ICS). The risk management process is carried out seamlessly across the three tiers with the
overall objective of continuous improvement in the organization’s risk-related activities and effective inter-
tier and intra-tier communication among all stakeholders having a shared interest in the mission/business
success of the organization.
This section focuses primarily on ICS considerations at the information system level, however, it is
important to note that the risk management activities, information, and artifacts at each tier impact and
inform the other tiers. Section 6 extends the concepts presented here to the control family level and
provides ICS-specific recommendations to augment security control families. Throughout the following
discussion of risk management, ICS considerations will be highlighted and the impact that these
considerations have on the risk management process will be discussed.
For more information on multi-tiered risk management and the risk management process, refer to NIST
Special Publication 800-39, Managing Information Security Risk: Organization, Mission and Information
System View [20]. NIST Special Publication 800-37 Revision 1, Guide for Applying the Risk Management
Framework to Federal Information Systems: A Security Life Cycle Approach [21], provides guidelines for
applying the Risk Management Framework to federal information systems to include conducting the
activities of security categorization (footnote 7), security control selection and implementation, security control
assessment, information system authorization (footnote 8), and security control monitoring. NIST Special Publication
800-30, Guide for Conducting Risk Assessments, provides a step-by-step process for organizations on: (i)
how to prepare for risk assessments; (ii) how to conduct risk assessments; (iii) how to communicate risk
assessment results to key organizational personnel; and (iv) how to maintain the risk assessments over time
[79].
7 FIPS 199 provides security categorization guidance for non-national security systems [15]. CNSS Instruction 1253 provides similar guidance for national security systems.
8 Security authorization is the official management decision given by a senior organizational official to
authorize operation of an information system and to explicitly accept the risk to organizational operations
and assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon
set of security controls.
3. ICS Risk Management and Risk Assessment
3.1 Risk Management
Organizations manage risk every day in order to meet their business objectives. Such risks include financial risk, risk from equipment failure, and risk to personnel safety. Organizations must establish processes to evaluate the risks associated with their business and decide how to deal with those risks on the basis of organizational priorities and constraints inside and outside the organization. This risk management is carried out as an interactive, ongoing process as part of normal operations. Organizations that use ICS have historically managed risk through good practices in safety and engineering. Safety assessments are established in most sectors and are often incorporated into regulatory requirements. Information security risk management is an added dimension that complements them. The risk management process and framework outlined in this section can be applied to any risk assessment, including both safety and information security.
The risk management process should be adopted throughout the organization using a three-tiered approach: (1) the organization level, (2) the mission/business process level, and (3) the information system level (IT and ICS). The risk management process is carried out seamlessly across the three tiers, with the overall objective of continuously improving the organization's risk-related activities and the effective inter-tier and intra-tier communication among all stakeholders who share an interest in the organization's mission/business.
This section focuses mainly on ICS considerations at the information system level, but it should be noted that the risk management activities, information, and artifacts at each tier affect and inform the other tiers. Section 6 extends the concepts introduced here to the control family level and presents ICS-specific recommendations to augment the security control families. Throughout the following discussion of risk management, ICS considerations are highlighted and the impact of those considerations on the risk management process is examined.
For details of multi-tiered risk management and the risk management process, refer to NIST SP 800-39, Managing Information Security Risk: Organization, Mission and Information System View [20]. NIST SP 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach [21], provides guidelines for applying the Risk Management Framework to federal information systems and covers how to carry out the activities of security categorization (footnote 9), security control selection and implementation, security control assessment, information system authorization (footnote 10), and security control monitoring. NIST SP 800-30, Guide for Conducting Risk Assessments, explains the organizational process step by step for (1) how to prepare for risk assessments, (2) how to conduct them, (3) how to communicate the results to key organizational personnel, and (4) how to maintain the assessments over time [79].
9 FIPS 199 provides security categorization guidance for non-national security systems [15]. CNSS Instruction 1253 provides similar guidance for national security systems.
10 Security authorization is the official management decision by a senior organizational official that authorizes operation of an information system and explicitly accepts the risk to organizational operations and assets, individuals, other organizations, and the Nation on the basis of the implementation of an agreed-upon set of security controls.
3.2 Introduction to the Risk Management Process
As shown in Figure 3-1, the risk management process has four components: framing, assessing, responding
and monitoring. These activities are interdependent and often occur simultaneously within an organization.
For example, the results of the monitoring component will feed into the framing component. As the
environment in which organizations operate is always changing, risk management must be a continuous
process where all components have on-going activities. It is important to remember that these components
apply to the management of any risk whether information security, physical security, safety or financial.
Figure 3-1. Risk Management Process Applied Across the Tiers
The framing component in the risk management process consists of developing a framework for the risk
management decisions to be made. The level of risk that an organization is willing to accept is its risk
tolerance [21, p.6].
The framing component should include review of existing documentation, such as prior risk assessments.
There may be related activities, such as community-wide disaster management planning, that also should be
considered, since they impact the requirements that a risk assessment must consider.
3.2 Introduction to the Risk Management Process
As shown in Figure 3-1, the risk management process has four components: framing, assessing, responding, and monitoring. These activities are interdependent and often occur at the same time within one organization. For example, the results of monitoring are reflected in framing. Because the environment in which an organization operates is always changing, risk management is a continuous process in which all four components must be ongoing. It is essential to bear in mind that each component applies to the management of any risk, whether information security, physical security, safety, or financial.
Figure 3-1. Risk Management Process Applied Across All Tiers
Framing in the risk management process consists of developing a framework for the risk management decisions that are to be made. The level of risk that an organization can accept is its risk tolerance [21, p.6].
This framing should include review of existing documents such as earlier risk assessments. There may also be related activities; for example, disaster management planning within the community affects the requirements that a risk assessment must examine, and so should be included in the considerations.
[Figure 3-1 labels: Assess, Monitor, Frame, Respond; Tier 1: Organization; Tier 2: Mission/Business Process; Tier 3: Information System]
ICS-specific Recommendations and Guidance
For operators of ICS, safety is the major consideration that directly affects decisions on how systems are
engineered and operated. Safety can be defined as “freedom from conditions that can cause death, injury,
occupational illness, damage to or loss of equipment or property, or damage to the environment.” (footnote 11) Part of
the framing component for an ICS organization is determining how these requirements interact with
information security. For example, if safety requirements conflict with good security practice, how will the
organization decide between the two priorities? Most ICS operators would answer that safety is the main
consideration – the framing component makes such assumptions explicit so that there is agreement
throughout the process and the organization.
Another major concern for ICS operators is the availability of services provided by the ICS. The ICS may
be part of critical infrastructure (for example, water or power systems), where there is a significant need for
continuous and reliable operations. As a result, ICS may have strict requirements for availability or for
recovery. Such assumptions should be developed and stated in the framing component. Otherwise, the
organization may make risk decisions that result in unintended consequences on those who depend on the
services provided.
The physical operating environment is another aspect of risk framing that organizations should consider
when working with ICS. ICS often have specific environmental requirements (e.g., a manufacturing
process may require precise temperature), or they may be tied to their physical environment for operations.
Such requirements and constraints should be explicitly stated in the framing component so that the risks
arising from these constraints can be identified and considered.
Assessing risk requires that organizations identify their threats and vulnerabilities, the harm that such
threats and vulnerabilities may cause the organization and the likelihood that adverse events arising from
those threats and vulnerabilities may actually occur.
ICS-specific Recommendations and Guidance
The DHS National Cybersecurity & Communications Integration Center (NCCIC) (footnote 12) serves as a centralized
location where operational elements involved in cybersecurity and communications reliance are
coordinated and integrated. The Industrial Control Systems Cyber Emergency Response Team (ICS-
CERT) (footnote 13) collaborates with international and private sector Computer Emergency Response Teams
(CERTs) to share control systems-related security incidents and mitigation measures. ICS-CERT works to
reduce risks within and across all critical infrastructure sectors by partnering with law enforcement
agencies and the intelligence community and coordinating efforts among Federal, state, local, and tribal
governments and control systems owners, operators, and vendors.
When assessing the potential impact to an organization’s mission from a potential ICS incident, it is
important to incorporate the effect on the physical process/system, impact on dependent systems/processes,
and impact on the physical environment among other possibilities. In addition, the potential impact on
safety should always be considered.
11 MIL-STD-882E, Standard Practice – System Safety, Department of Defense (DoD), May 11, 2012, https://acc.dau.mil/CommunityBrowser.aspx?id=683694
12 http://www.dhs.gov/about-national-cybersecurity-communications-integration-center
13 https://ics-cert.us-cert.gov/
ICS-specific Recommendations and Guidance
For ICS operators, safety is the major consideration that directly affects decisions on how systems are planned and operated. Safety can be defined as “freedom from conditions that cause death, injury, occupational illness, damage to or loss of equipment or property, or environmental damage” (footnote 14). Part of the framing component for an ICS organization is determining how such requirements interact with information security. For example, if safety requirements conflict with good security practice, how will the organization decide between the two priorities? Most ICS operators would answer that safety is the main consideration; the framing component makes such assumptions explicit so that agreement is formed throughout the process and the organization.
Another major concern for ICS operators is the availability of the services the ICS provides. The ICS may be part of critical infrastructure (for example, water or power systems), in which case the need for continuous, highly reliable operation is very great. As a result, the ICS has strict requirements for availability and recovery. Such assumptions should be developed and recorded in the framing component. Otherwise, the organization may make risky decisions that bring unintended consequences to the people who depend on the services provided.
The physical operating environment is another aspect that organizations should consider when using ICS. ICS often have specific environmental requirements (for example, precise temperature requirements in a manufacturing process) and may be bound to their physical operating environment. Such requirements and constraints should also be stated explicitly in the framing component so that the risks arising from the constraints can be identified and considered.
When assessing risk, it is necessary to identify the organization's threats and vulnerabilities, the harm the organization would suffer from them, and the likelihood that the adverse events brought about by those threats and vulnerabilities will actually occur.
ICS-specific Recommendations and Guidance
The DHS National Cybersecurity and Communications Integration Center (NCCIC) (footnote 15) functions as a centralized location where the operational elements involved in cybersecurity and communications reliability are coordinated and integrated. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) (footnote 16) collaborates with international and private-sector Computer Emergency Response Teams (CERTs) to share control-system-related security incidents and mitigation measures. ICS-CERT works to reduce risk across all critical infrastructure sectors through cooperation with law enforcement and intelligence organizations and collaboration with Federal, state, local, and tribal governments as well as control system owners and vendors.
When assessing the impact on the organization's mission should an ICS incident occur, it is essential to include, among other things, the impact on the physical process/system, the impact on dependent systems/processes, and the impact on the physical environment. In addition, the potential impact on safety should always be taken into account.
14 MIL-STD-882E, Standard Practice – System Safety, Department of Defense (DoD), May 11, 2012, https://acc.dau.mil/CommunityBrowser.aspx?id=683694
15 http://www.dhs.gov/about-national-cybersecurity-communications-integration-center
16 https://ics-cert.us-cert.gov/
The responding component is based on the concept of a consistent organization-wide response to the
identification of risk. Response to identification of risk (as opposed to the response to an incident) requires
that organizations first identify possible courses of actions to address risk, evaluate those possibilities in
light of the organization’s risk tolerance and other considerations determined during the framing step, and
choose the best alternative for the organization. The response component includes the implementation of
the chosen course of action to address the identified risk: acceptance, avoidance, mitigation, sharing,
transfer, or any combination of those options (footnote 17).
ICS-specific Recommendations and Guidance
For ICS, available risk responses may be constrained by system requirements, potential adverse impact on
operations, or even regulatory compliance regimes. An example of risk sharing is when utilities enter into
agreements to “loan” line workers in an emergency, which reduces the duration of the effect of an incident
to acceptable levels.
Monitoring is the fourth component of the risk management activities. Organizations must monitor risk on
an ongoing basis, including the implementation of chosen risk management strategies, changes in the
environment that may affect the risk calculation, and the effectiveness and efficiency of risk reduction
activities. The activities in the monitoring component affect all the other components.
3.3 Special Considerations for Doing an ICS Risk Assessment
The nature of ICS means that when an organization does a risk assessment, there may be additional
considerations that do not exist when doing a risk assessment of a traditional IT system. Because the impact
of a cyber incident in an ICS may include both physical and digital effects, risk assessments need to
incorporate those potential effects. This section provides a more in-depth examination of the following:
• Impacts on safety and use of safety assessments.
• Physical impact of a cyber incident on an ICS, including the larger physical environment, the effect on the
process controlled, and the physical effect on the ICS itself.
• The consequences for risk assessments of non-digital control components within an ICS.
3.3.1 Safety within an ICS Information Security Risk Assessment
The culture of safety and safety assessments is well established within the majority of the ICS user
community. Information security risk assessments should be seen as complementary to such assessments
though the assessments may use different approaches and cover different areas. Safety assessments are
concerned primarily with the physical world. Information security risk assessments primarily look at the
digital world. However, in an ICS environment, the physical and the digital are intertwined and significant
overlap may occur.
It is important that organizations consider all aspects of risk management for safety (e.g., risk framing, risk
tolerances), as well as the safety assessment results, when carrying out risk assessments for information
security. The personnel responsible for the information security risk assessment must be able
17 For additional information on accepting, avoiding, mitigating, sharing, or transferring risk, refer to NIST
Special Publication 800-39 [20].
to identify and communicate identified risks that could have safety implications. Conversely, the personnel
charged with safety assessments must be familiar with the potential physical impacts and their likelihood
developed by the information security risk assessment process.
3.3.2 Potential Physical Impacts of an ICS Incident
Evaluating the potential physical damage from a cyber incident should incorporate: i) how an incident
could manipulate the operation of sensors and actuators to impact the physical environment; ii) what
redundant controls exist in the ICS to prevent an impact; and iii) how a physical incident could emerge
based on these conditions. A physical impact could negatively impact the surrounding world through
multiple means, including the release of hazardous materials (e.g., pollution, crude oil), damaging kinetic
forces (e.g., explosions), and exposure to energy sources (e.g., electricity, steam). The physical incident
could negatively impact the ICS and supporting infrastructure, the various processes performed by the ICS,
or the larger physical environment. An evaluation of the potential physical impacts should include all parts
of an ICS, beginning with the potential impacts on the set of sensors and actuators. Each of these
domains is explored further below.
Evaluating the impact of a cyber incident on the physical environment should focus on potential damage to
human safety, the natural environment, and other critical infrastructures. Human safety impacts should be
evaluated based on whether injury, disease, or death is possible from a malfunction of the ICS. This should
incorporate any previously performed safety impact assessments performed by the organization regarding
both employees and the general public. Environmental impacts also may need to be addressed. This
analysis should incorporate any available environmental impact assessments performed by the organization
to determine how an incident could impact natural resources and wildlife over the short or long term. In
addition, it should be noted that ICS may not be located within a single, controlled location and can be
distributed over a wide physical area and exposed to uncontrolled environments. Finally, the impact on the
physical environment should explore the extent to which an incident could damage infrastructures external
to the ICS (e.g., electric generation/delivery, transportation infrastructures, and water services).
3.3.3 Impact of Physical Disruption of an ICS Process
In addition to the impact on the physical environment, the risk assessment should also evaluate potential
effects on the physical process performed by the ICS under consideration, as well as on other systems. An
incident that impacts the ICS and disrupts the dependent process may cause cascading impacts into other
related ICS processes and the general public’s dependence on the resulting products and services. Impact to
related ICS processes could include both systems and processes within the organization (e.g., a
manufacturing process that depends on the process controlled by the system under consideration) or
systems and processes external to the organization (e.g., a utility selling generated energy to a nearby plant).
A cyber incident can also negatively impact the physical ICS under consideration. This type of impact
primarily includes the physical infrastructure of the plant (e.g., tanks, valves, motors), along with both the
digital and non-digital control mechanisms (e.g., cables, PLCs, pressure gauge). Damage to the ICS or
physical plant may cause either short or long term outages depending on the degree of the incident. An
example of a cyber incident impacting the ICS is the Stuxnet malware, which caused physical damage to
the centrifuges as well as disrupting dependent processes.
3.3.4 Incorporating Non-digital Aspects of ICS into Impact Evaluations
The impacts on the ICS cannot be adequately determined by focusing only on the digital aspects of the
system, as there are often non-digital mechanisms available that provide fault tolerance and prevent the ICS
from acting outside of acceptable parameters. Therefore, these mechanisms may help reduce any negative
impact that a digital incident on the ICS might have and must be incorporated into the risk assessment
process. For example, ICS often have non-digital control mechanisms that can prevent the ICS from
operating outside of a safe boundary, and thereby limit the impact of an attack (e.g., a mechanical relief
pressure valve). In addition, analog mechanisms (e.g., meters, alarms) can be used to observe the physical
system state to provide operators with reliable data if digital readings are unavailable or corrupted. Table 3-1
provides a categorization of non-digital control mechanisms that could be available to reduce the impact
of an ICS incident.
Table 3-1. Categories of Non-Digital ICS Control Components

System Type: Analog Displays or Alarms
Description: Non-digital mechanisms that measure and display the state of the physical system (e.g., temperature, pressure, voltage, current) and can provide the operator with accurate information in situations when digital displays are unavailable or corrupted. The information may be provided to the operator on some non-digital display (e.g., thermometers, pressure gauges) and through audible alarms.

System Type: Manual Control Mechanisms
Description: Manual control mechanisms (e.g., manual valve controls, physical breaker switches) provide operators with the ability to manually control an actuator without relying on the digital control system. This ensures that an actuator can be controlled even if the control system is unavailable or compromised.

System Type: Analog Control Systems
Description: Analog control systems use non-digital sensors and actuators to monitor and control a physical process. These may be able to prevent the physical process from entering an undesired state in situations when the digital control system is unavailable or corrupted. Analog controls include devices such as regulators, governors, and electromechanical relays.
Determination of the potential impact that a cyber incident may have on the ICS should incorporate
analysis of all non-digital control mechanisms and the extent to which they can mitigate potential negative
impacts to the ICS. Several considerations apply when weighing the possible mitigation effects of
non-digital control mechanisms, such as:
• Non-digital control mechanisms may require additional time and human involvement to perform
necessary monitoring or control functions, and these efforts may be substantial. For example, such
mechanisms may require operators to travel to a remote site to perform certain control functions. Such
mechanisms may also depend on human response times, which may be slower than automated
controls.
• Manual and analog systems may not provide monitoring or control capabilities with the same degree
of accuracy and reliability as the digital control system. If the primary control system is unavailable or
corrupted, the reduced quality, safety, or efficiency of the fallback may itself present risk. For
example, a digital/numeric protection relay provides more accurate and reliable detection of faults
than analog/static relays; therefore, the system may be more likely to exhibit spurious relay tripping
if the digital relays are not available.
3.3.5 Incorporating the Impact of Safety Systems
Safety systems may also reduce the impact of a cyber incident to the ICS. Safety systems are often
deployed to perform specific monitoring and control functions to ensure the safety of people, the
environment, process, and ICS. While these systems are traditionally implemented to be fully redundant
with respect to the primary ICS, they may not provide complete redundancy from cyber incidents,
specifically from a sophisticated attacker. The effect of the implemented security controls on the safety
system should be evaluated to confirm that they do not degrade the safety system itself.
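The three questions in 3.3.2 (how an incident can manipulate actuators, which redundant and non-digital controls exist, and how a physical incident then emerges), the Table 3-1 categories, and the caveat above that a safety system can itself be defeated can be worked through with a small process model. The following Python is an added illustration written for this page, not code from NIST SP 800-82 or from any vendor; its tank geometry, flow rates, trip levels, and the 300 s operator response delay are assumed values chosen for the example.

```python
"""Estimating the physical impact of a cyber incident on a tank-filling process
under different combinations of digital, safety, and non-digital protection.

Added illustration for this guide; not code from NIST SP 800-82 or from any
vendor. Every constant below (tank size, flows, trip levels, operator delay)
is an assumed example value, not data from a real plant.
"""
from dataclasses import dataclass
from typing import Optional

TANK_CAPACITY = 100.0   # m^3; volume above this is released to the environment
SETPOINT = 60.0         # m^3; level the digital controller normally holds
SIS_TRIP_LEVEL = 85.0   # m^3; digital safety system latches the inlet closed
RELIEF_LEVEL = 90.0     # m^3; mechanical relief line opens above this level
INFLOW_MAX = 2.0        # m^3/s with the inlet valve fully open
OUTFLOW = 1.0           # m^3/s steady draw-off to the downstream process
RELIEF_FLOW = 1.5       # m^3/s through the relief line while it is open
HORIZON_S = 600         # seconds simulated, in 1 s steps


@dataclass
class Scenario:
    name: str
    controller_compromised: bool = False    # attacker drives the inlet valve to 100 %
    hmi_spoofed: bool = False               # attacker makes the HMI show the setpoint
    sis_compromised: bool = False           # digital safety system also defeated
    relief_valve: bool = True               # mechanical relief line installed
    analog_gauge: bool = True               # sight glass/gauge independent of the HMI
    operator_delay_s: Optional[int] = None  # seconds until an operator closes the hand valve


def simulate(s: Scenario) -> dict:
    """Step the tank level through HORIZON_S seconds and report the physical outcome."""
    level = peak = SETPOINT
    released = 0.0
    inlet_open = True
    sis_trip_at = manual_close_at = None
    # Manual control only helps if the operator can see the true level: an analog
    # gauge survives a spoofed HMI, a digital-only display does not.
    operator_can_see = s.analog_gauge or not s.hmi_spoofed
    for t in range(HORIZON_S):
        # Digital controller (or the attacker in its place) sets the valve command.
        if s.controller_compromised:
            command = 1.0
        else:
            command = 1.0 if level < SETPOINT else 0.0
        # Digital safety system: independent of the controller, but still software.
        if not s.sis_compromised and level >= SIS_TRIP_LEVEL and sis_trip_at is None:
            inlet_open, sis_trip_at = False, t
        # Manual control mechanism (Table 3-1): hand valve closed after the delay.
        if (s.operator_delay_s is not None and operator_can_see
                and t >= s.operator_delay_s and manual_close_at is None):
            inlet_open, manual_close_at = False, t
        inflow = INFLOW_MAX * command if inlet_open else 0.0
        # Mechanical relief valve: no software in the loop, cannot be spoofed.
        relief = RELIEF_FLOW if (s.relief_valve and level > RELIEF_LEVEL) else 0.0
        level = max(0.0, level + (inflow - OUTFLOW - relief))
        if level > TANK_CAPACITY:
            released += level - TANK_CAPACITY   # overflow leaves the containment
            level = TANK_CAPACITY
        peak = max(peak, level)
    return {"peak_level_m3": peak, "released_m3": released,
            "hazardous_release": released > 0.0,
            "sis_trip_at_s": sis_trip_at, "manual_close_at_s": manual_close_at}


# Constructed scenarios for the assessment (assumed, not from any real site).
SCENARIOS = [
    Scenario("normal operation"),
    Scenario("controller hijacked, SIS intact",
             controller_compromised=True, hmi_spoofed=True),
    Scenario("controller and SIS defeated, relief valve limits level",
             controller_compromised=True, hmi_spoofed=True, sis_compromised=True,
             operator_delay_s=300),
    Scenario("controller and SIS defeated, no relief valve, operator sees gauge",
             controller_compromised=True, hmi_spoofed=True, sis_compromised=True,
             relief_valve=False, operator_delay_s=300),
    Scenario("controller and SIS defeated, no relief valve, digital HMI only",
             controller_compromised=True, hmi_spoofed=True, sis_compromised=True,
             relief_valve=False, analog_gauge=False, operator_delay_s=300),
]


def assess() -> dict:
    """Run every scenario; results keyed by scenario name for the risk register."""
    return {s.name: simulate(s) for s in SCENARIOS}


if __name__ == "__main__":
    for name, r in assess().items():
        print(f"{name:72s} peak={r['peak_level_m3']:6.1f} m^3"
              f"  released={r['released_m3']:6.1f} m^3")
```

Running it prints the peak level and released volume for each scenario, which is the pattern the assessment should capture: a working safety system bounds the incident at 85 m³, the mechanical relief line holds the level near 91 m³ even with both digital layers defeated, and with neither present the outcome depends entirely on whether the operator can see the true level and how long the manual response takes.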
3.3.6 Considering the Propagation of Impact to Connected Systems
Evaluating the impact of an incident must also incorporate how the impact from the ICS could propagate to
a connected ICS or physical system. An ICS may be interconnected with other systems, such that failures in
one system or process can easily cascade to other systems either within or external to the organization.
Impact propagation could occur due to both physical and logical dependencies. Proper communication of
the results of risk assessments to the operators of connected or interdependent systems and processes is one
way to mitigate such impacts.
Logical damage to an interconnected ICS could occur if the cyber incident propagated to the connected
control systems. An example could be if a virus or worm propagated to a connected ICS and then impacted
that system. Physical damage could also propagate to other interconnected ICS. If an incident impacts the
physical environment of an ICS, it may also impact other related physical domains. For example, the
impact could result in a physical hazard which degrades nearby physical environments. Additionally, the
impact could also degrade the common shared dependencies (e.g., power supply), or result in a shortage of
material needed for a later stage in an industrial process.
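The propagation rules above can be made concrete with a dependency graph: a cyber incident first spreads over logical (network) dependencies, and each control system it disrupts then passes its outage down its physical dependents, while a physical incident spreads over physical dependencies only. The following Python is an added example written for this page, not code from NIST SP 800-82; the systems, dependencies, and the internal/external boundary are constructed for the illustration and describe no real facility.

```python
"""Tracing how the impact of an ICS incident propagates over physical and
logical dependencies to connected systems, inside and outside the organization.

Added illustration for this guide; not code from NIST SP 800-82. The systems,
dependencies, and organizational boundary are constructed for the example.
"""
from collections import deque

# Constructed inventory: which organization operates each system.
SYSTEMS = {
    "plant-lan": "internal",
    "water-treatment": "internal",
    "boiler-dcs": "internal",
    "turbine-plc": "internal",
    "switchyard-rtu": "external",    # run by the grid utility
    "neighbour-plant": "external",   # buys the generated power
}

# Constructed dependencies: (upstream, downstream, kind). "logical" is a
# network path a cyber incident can spread over; "physical" is a process feed
# or shared supply through which an upstream disruption is felt downstream.
DEPENDENCIES = [
    ("plant-lan", "water-treatment", "logical"),
    ("plant-lan", "boiler-dcs", "logical"),
    ("plant-lan", "turbine-plc", "logical"),
    ("water-treatment", "boiler-dcs", "physical"),    # feedwater
    ("boiler-dcs", "turbine-plc", "physical"),        # steam
    ("turbine-plc", "switchyard-rtu", "physical"),    # generated power
    ("switchyard-rtu", "neighbour-plant", "physical"),
]


def reachable(origin, kinds, deps=DEPENDENCIES):
    """Breadth-first search from origin over edges of the given kinds.
    Returns {system: hops from origin}."""
    adjacency = {}
    for upstream, downstream, kind in deps:
        if kind in kinds:
            adjacency.setdefault(upstream, []).append(downstream)
    hops = {origin: 0}
    queue = deque([origin])
    while queue:
        node = queue.popleft()
        for nxt in adjacency.get(node, []):
            if nxt not in hops:
                hops[nxt] = hops[node] + 1
                queue.append(nxt)
    return hops


def cascade(origin, incident):
    """Systems affected by an incident that starts at origin.

    incident == "cyber": malware spreads over logical links first, then every
    disrupted control system passes its outage down its physical dependents.
    incident == "physical": equipment damage propagates over physical links only.
    Returns {system: minimum hops from origin}.
    """
    seeds = reachable(origin, {"logical"}) if incident == "cyber" else {origin: 0}
    affected = dict(seeds)
    for seed, seed_hops in seeds.items():
        for system, extra in reachable(seed, {"physical"}).items():
            total = seed_hops + extra
            if system not in affected or total < affected[system]:
                affected[system] = total
    return affected


def external_exposure(affected, systems=SYSTEMS):
    """Systems outside the organization whose operators need the assessment results."""
    return sorted(s for s in affected if systems[s] == "external")


if __name__ == "__main__":
    for origin, incident in (("plant-lan", "cyber"), ("boiler-dcs", "physical")):
        hit = cascade(origin, incident)
        print(f"{incident} incident at {origin}: {hit}")
        print("  notify external operators:", external_exposure(hit))
```

The two-phase rule is the point: a worm on the plant LAN reaches three control systems in one hop, but the utility switchyard and the neighbouring plant are affected only through the physical dependencies of the systems it disrupted, which is why their operators belong on the distribution list for the risk assessment results.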
4. ICS Security Program Development and Deployment
Section 2 addresses critical operational differences between ICS and IT systems, and Section 3 addresses
risk management. This section combines these two concerns by addressing how organizations should
develop and deploy an ICS security program. ICS security plans and programs should be consistent and
integrated with existing IT security experience, programs, and practices, but must account for the specific
requirements and characteristics of ICS technologies and environments. Organizations should review and
update their ICS security plans and programs regularly to reflect changes in technologies, operations,
standards, and regulations, as well as the security needs of specific facilities.
This section provides an overview of the development and deployment of an ICS security program. Section
4.1 describes how to establish a business case for an ICS security program, including suggested content for
the business case. Sections 4.2 through 4.5 discuss the development of a comprehensive ICS security
program and provide information on several major steps in deploying the program. Information on specific
security controls that might be implemented as part of the security program is provided in Section 6.
Effectively integrating security into an ICS requires defining and executing a comprehensive program that
addresses all aspects of security, ranging from identifying objectives to day-to-day operation and ongoing
auditing for compliance and improvement. An ICS information security manager with appropriate scope,
responsibility, and authority must be identified. This section describes the basic process for developing a
security program, including the following:
• Develop a business case for security.
• Build and train a cross-functional team.
• Define charter and scope.
• Define specific ICS policies and procedures.
• Implement an ICS Security Risk Management Framework.
  o Define and inventory ICS assets.
  o Develop security plan for ICS systems.
  o Perform a risk assessment.
  o Define the mitigation controls.
• Provide training and raise security awareness for ICS staff.
More detailed information on the various steps is provided in ISA-62443-2-1 Security for Industrial
Automation and Control Systems: Establishing an Industrial Automation and Control Systems Security
Program [34].
The commitment to a security program begins at the top. Senior management must demonstrate a clear
commitment to information security. Information security is a business responsibility shared by all
members of the enterprise and especially by leading members of the business, process, and management
teams. Information security programs with adequate funding and visible, top-level support from
organization leaders are more likely to achieve compliance, function more smoothly, and have greater
success than programs that lack that support.
Whenever a new system is being designed and installed, it is imperative to take the time to address security
throughout the lifecycle, from architecture to procurement to installation to maintenance to
decommissioning. There are serious risks in deploying systems to production based on the assumption that
they will be secured later. If there is insufficient time and resources to secure the system properly before
deployment, it is unlikely that there will be sufficient time and resources later to address security.
Designing and implementing a new system is quite rare. It is much more common to improve, expand, or
update an existing system. Everything in this section, indeed in this document, applies to managing the risk
of existing ICS. Building an ICS Security Program and applying it to existing systems is much more
complex and challenging.
4.1 Business Case for Security
The first step in implementing an information security program for ICS is to develop a compelling business
case for the unique needs of the organization. The business case should capture the business concerns of
senior management while being founded in the experience of those who are already dealing with many of
the same risks. The business case provides the business impact and financial justification for creating an
integrated information security program. It should include detailed information about the following:
• Benefits, including improved control system reliability and availability, of creating an integrated
security program.
• Prioritized potential costs and damage scenarios if an information security program for the ICS is not
implemented.
• High-level overview of the process required to implement, operate, monitor, review, maintain, and
improve the information security program.
• Costs and resources required to develop, implement, and maintain the security program.
Before presenting the business case to management, there should be a well-thought-out and developed
security implementation and cost plan. For example, simply requesting a firewall is insufficient.
4.1.1 Benefits
Responsible risk management policy mandates that the threat to the ICS should be measured and monitored
to protect the interests of employees, the public, shareholders, customers, vendors, society, and the nation.
Risk analysis enables costs and benefits to be weighed so that informed decisions can be made on
protective actions. In addition to reducing risks, exercising due-diligence and displaying responsibility also
helps organizations by:
• Improving control system safety, reliability, and availability.
• Improving employee morale, loyalty, and retention.
• Reducing community concerns.
• Increasing investor confidence.
• Reducing legal liabilities.
• Meeting regulatory requirements.
• Enhancing the corporate image and reputation.
• Helping with insurance coverage and cost.
• Improving investor and banking relations.
A strong safety and information security management program is fundamental to a sustainable business
model.
Improved control systems security and control system specific security policies can potentially enhance
control system reliability and availability. This also includes minimizing unintentional control system
information security impacts from inappropriate testing, policies, and misconfigured systems.
4.1.2 Potential Consequences
The importance of secure systems should be further emphasized as business reliance on interconnectivity
increases. Denial of Service (DoS) attacks and malware (e.g., worms, viruses) have become all too
common and have already impacted ICS. Cyber attacks can have significant physical and consequential
impacts. Risk management is addressed in Section 3. The major categories of impacts are as follows:
 Physical Impacts. Physical impacts encompass the set of direct consequences of ICS failure. The
potential effects of paramount importance include personal injury and loss of life. Other effects
include the loss of property (including data) and potential damage to the environment.
 Economic Impacts. Economic impacts are a second-order effect from physical impacts ensuing from
an ICS incident. Physical impacts could result in repercussions to system operations, which in turn
inflict a greater economic loss on the facility, organization, or others dependent on the ICS.
Unavailability of critical infrastructure (e.g., electrical power, transportation) can have economic
impact far beyond the systems sustaining direct and physical damage. These effects could negatively
impact the local, regional, national, or possibly global economy.
 Social Impacts. Another second-order effect, the consequence from the loss of national or public
confidence in an organization, is many times overlooked. It is, however, a very real consequence that
could result from an ICS incident.
The program to control such risks is addressed in Section 3. Note that items in this list are not independent.
In fact, one can lead to another. For example, release of hazardous material can lead to injury or death.
Examples of potential consequences of an ICS incident are listed below:
 Impact on national security—facilitate an act of terrorism.
 Reduction or loss of production at one site or multiple sites simultaneously.
 Injury or death of employees.
 Injury or death of persons in the community.
 Damage to equipment.
 Release, diversion, or theft of hazardous materials.
 Environmental damage.
 Violation of regulatory requirements.
 Product contamination.
 Criminal or civil legal liabilities.
 Loss of proprietary or confidential information.
 Loss of brand image or customer confidence.
Undesirable incidents of any sort detract from the value of an organization, but safety and security incidents
can have longer-term negative impacts than other types of incidents on all stakeholders—employees,
shareholders, customers, and the communities in which an organization operates.
The list of potential business consequences needs to be prioritized to focus on the particular business
consequences that senior management will find the most compelling. The highest priority items shown in
the list of prioritized business consequences should be evaluated to obtain an estimate of the annual
business impact, preferably but not necessarily in financial terms.
The Sarbanes-Oxley Act requires corporate leaders to sign off on compliance with information accuracy
and protection of corporate information.19 Also, the demonstration of due diligence is required by most
internal and external audit firms to satisfy shareholders and other organization stakeholders. By
implementing a comprehensive information security program, management is exercising due diligence.
4.1.3 Resources for Building Business Case
Significant resources for information to help form a business case can be found in external resources in
other organizations in similar lines of business–either individually or in information sharing exchanges,
trade and standards organizations, consulting firms–and internal resources in related risk management
programs or engineering and operations. External organizations can often provide useful tips as to what
factors most strongly influenced management to support their efforts and what resources within their
organizations proved most helpful. For different industries, these factors may be different, but there may be
similarities in the roles that other risk management specialists can play. Appendix D provides a list and
short description of some of the current activities in ICS security.
Internal resources in related risk management efforts (e.g., information security, health, safety and
environmental risk, physical security, business continuity) can provide tremendous assistance based on
their experience with related incidents in the organization. This information is helpful from the standpoint
of prioritizing threats and estimating business impact. These resources can also provide insight into which
managers are focused on dealing with which risks and, thus, which managers might be the most appropriate
or receptive to serving as a champion. Internal resources in control systems engineering and operations can
provide insight into the details of how control systems are deployed within the organization, such as the
following:
 How networks are typically partitioned and segregated.
 What remote access connections are generally employed.
 How high-risk control systems or safety instrumented systems are typically designed.
 What security countermeasures are commonly used.
4.1.4 Presenting the Business Case to Leadership
Section 3 describes a three-tiered approach that addresses risk at the: (i) organization level; (ii)
mission/business process level; and (iii) information system level. The risk management process is carried
out seamlessly across the three tiers with the overall objective of continuous improvement in the
organization’s risk-related activities and effective inter-tier and intra-tier communication among all
stakeholders having a shared interest in the mission/business success of the organization.
It is critical for the success of the ICS security program that organization level management buy into and
participate in the ICS security program. Tier 1 organization level management that encompasses both IT
and ICS operations has the perspective and authority to understand and take responsibility for the risks.
The Tier 1 business leadership will be responsible for approving and driving information security policies,
assigning security roles and responsibilities, and implementing the information security program across the
organization. Funding for the entire program can usually be done in phases. While some funding may be
required to start the information security activity, additional funding can be obtained later as the security
vulnerabilities and needs of the program are better understood and additional strategies are developed.
Additionally, the costs (both direct and indirect) should be considered for retrofitting the ICS for security
vs. addressing security to begin with.
19 More information on the Sarbanes-Oxley Act, and a copy of the act itself, can be found at
http://www.sec.gov/about/laws.shtml.
Often, a good approach to obtain management buy-in to address the problem is to ground the business case
in a successful actual third-party example. The business case should present to management that the other
organization had the same problem and then present that they found a solution and how they solved it. This
will often prompt management to ask what the solution is and how it might be applicable to their
organization.
4.2 Build and Train a Cross-Functional Team
It is essential for a cross-functional information security team to share their varied domain knowledge and
experience to evaluate and mitigate risk in the ICS. At a minimum, the information security team should
consist of a member of the organization’s IT staff, a control engineer, a control system operator, security
subject matter experts, and a member of the enterprise risk management staff. Security knowledge and
skills should include network architecture and design, security processes and practices, and secure
infrastructure design and operation. Contemporary thinking that both safety and security are emergent
properties of connected systems with digital control suggests including a safety expert. For continuity and
completeness, the information security team should also include the control system vendor and/or system
integrator.
The information security team should report directly to the information security manager at the
mission/business process or organization tier, who in turn reports to the mission/business process manager
(e.g., facility superintendent) or enterprise information security manager (e.g., the company’s CIO/CSO),
respectively. Ultimate authority and responsibility rests in the Tier 1 risk executive function that provides a
comprehensive, organization-wide approach to risk management. The risk executive function works with
the top management to accept a level of residual risk and accountability for the information security of the
ICS. Management level accountability will help ensure an ongoing commitment to information security
efforts.
While the control engineers will play a large role in securing the ICS, they will not be able to do so without
collaboration and support from both the IT department and management. IT often has years of security
experience, much of which is applicable to ICS. As the cultures of control engineering and IT are often
significantly different, their integration will be essential for the development of a collaborative security
design and operation.
4.3 Define Charter and Scope
The information security manager should establish policy that defines the guiding charter of the
information security organization and the roles, responsibilities, and accountabilities of system owners,
mission/business process managers, and users. The information security manager should decide upon and
document the objective of the security program, the business organizations affected, all the computer
systems and networks involved, the budget and resources required, and the division of responsibilities. The
scope can also address business, training, audit, legal, and regulatory requirements, as well as timetables
and responsibilities. The guiding charter of the information security organization is a constituent of the
information security architecture which is part of the enterprise architecture, as discussed in Section 3.
There may already be an information security program in place or being developed for the organization’s
IT business systems. The ICS information security manager should identify which existing practices to
leverage and which practices are specific to the control system. In the long run, it will be easier to get
positive results if the team can share resources with others in the organization that have similar objectives.
4.4 Define ICS-specific Security Policies and Procedures
Policies and procedures are at the root of every successful security program. Wherever possible, ICS-
specific security policies and procedures should be integrated with existing operational/management
policies and procedures. Policies and procedures help to ensure that security protection is both consistent
and current to protect against evolving threats. Appendix C cites a lack of security policy as an important
vulnerability. Appendix G, the ICS overlay, contains many ICS information security policy
recommendations. After an information security risk analysis has been performed, the information security
manager should examine existing security policies to see if they adequately address the risks to the ICS. If
needed, existing policies should be revised or new policies created.
As discussed in Section 3, Tier 1 management is responsible for developing and communicating the risk
tolerance of the organization–the level of risk the organization is willing to accept–which allows the
information security manager to determine the level of risk mitigation that should be taken to reduce
residual risk to acceptable levels. The development of the security policies should be based on a risk
assessment that will set the security priorities and goals for the organization so that the risks posed by the
threats are mitigated sufficiently. Procedures that support the policies need to be developed so that the
policies are implemented fully and properly for the ICS. Security procedures should be documented, tested,
and updated periodically in response to policy, technology, and threat changes.
4.5 Implement an ICS Security Risk Management Framework
From an abstract viewpoint, the management of ICS risks is another risk added to the list of risks
confronting an organization (e.g., financial, safety, IT, environmental). In each case, managers with
responsibility for the mission or business process establish and conduct a risk management program in
coordination with top management’s risk executive function. NIST Special Publication 800-39, Managing
Information Security Risk–Organization, Mission, and Information System View [20], is the foundation of
such a risk management program. Just like the other mission/business process areas, the personnel
concerned with ICS apply their specialized subject matter knowledge to establishing and conducting ICS
security risk management and to communicating with enterprise management to support effective risk
management across all the enterprise. NIST Special Publication 800-37, Guide for Applying the Risk
Management Framework to Federal Information Systems [21], introduces the risk management framework
which addresses the process of implementing the framework. The following sections summarize this
process and apply the RMF to an ICS environment.
The RMF process includes a set of well-defined risk-related tasks that are to be carried out by selected
individuals or groups within well-defined organizational roles (e.g., risk executive [function], authorizing
official, authorizing official designated representative, chief information officer, senior information security
officer, enterprise architect, information security architect, information owner/steward, information system
owner, common control provider, information system security officer, and security control assessor). Many
risk management roles have counterpart roles defined in the routine system development life cycle
processes. RMF tasks are executed concurrently with or as part of system development life cycle processes,
taking into account appropriate dependencies.
Organizations may also wish to consult ISA-62443-2-1, Security for Industrial Automation and Control
Systems: Establishing an Industrial Automation and Control Systems Security Program, which describes
another view of the elements contained in a cybersecurity management system for use in the industrial
automation and control systems environment [34]. It provides guidance on how to meet the requirements
described for each element. Sections 4 through 6 correspond most closely to NIST SP 800-39; other
sections correspond to other NIST Special Publications and to the ICS overlay in Appendix G of this
document. All of these guidance documents recognize that one size does not fit all; rather, domain
knowledge should be applied in tailoring or adapting the guidance to the specific organization.
4.5.1 Categorize ICS Systems and Networks Assets
The information security team should define, inventory, and categorize the applications and computer
systems within the ICS, as well as the networks within and interfacing to the ICS. The focus should be on
systems rather than just devices, and should include PLCs, DCS, SCADA, and instrument-based systems
that use a monitoring device such as an HMI. Assets that use a routable protocol or are dial-up accessible
should be documented. The team should review and update the ICS asset list annually and after each asset
addition or removal.
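The inventory practice described above (categorize by system rather than by device, document every asset that uses a routable protocol or is dial-up accessible, and review the list annually and after each change) can be kept honest with a small script. The following is an added example, not code from NIST or from this guide; the CSV inventory, the set of protocols treated as routable, and the review period are constructed assumptions for illustration.

```python
"""Added example: a minimal ICS asset inventory check in the spirit of SP 800-82 4.5.1.

Constructed for illustration; the inventory rows and the protocol list are assumptions,
not data from the guide.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta

# Assumption: protocols the example treats as routable (reach beyond one serial link).
ROUTABLE_PROTOCOLS = {"modbus/tcp", "dnp3/tcp", "ethernet/ip", "opc-ua", "bacnet/ip"}

# Annual review period from the guide; "after each addition or removal" is handled
# by comparing the change date with the last review date.
REVIEW_PERIOD = timedelta(days=365)


@dataclass
class Asset:
    asset_id: str
    system: str          # the system the device belongs to (the unit of categorization)
    system_type: str     # PLC, DCS, SCADA, HMI, RTU, ...
    protocol: str
    dial_up: bool
    last_reviewed: date
    last_changed: date

    @property
    def routable(self) -> bool:
        return self.protocol.lower() in ROUTABLE_PROTOCOLS

    @property
    def must_document(self) -> bool:
        # 4.5.1: assets using a routable protocol or dial-up accessible should be documented.
        return self.routable or self.dial_up


def parse_inventory(text: str) -> list[Asset]:
    """Parse a CSV export (constructed format) into Asset records."""
    assets = []
    for r in csv.DictReader(io.StringIO(text)):
        assets.append(Asset(
            asset_id=r["asset_id"].strip(),
            system=r["system"].strip(),
            system_type=r["system_type"].strip().upper(),
            protocol=r["protocol"].strip(),
            dial_up=r["dial_up"].strip().lower() == "yes",
            last_reviewed=date.fromisoformat(r["last_reviewed"].strip()),
            last_changed=date.fromisoformat(r["last_changed"].strip()),
        ))
    return assets


def group_by_system(assets: list[Asset]) -> dict[str, list[Asset]]:
    """Categorize by system so that a PLC, its HMI and its network are seen together."""
    groups: dict[str, list[Asset]] = {}
    for a in assets:
        groups.setdefault(a.system, []).append(a)
    return groups


def review_due(asset: Asset, today: date) -> bool:
    """Due if the annual period has elapsed or the asset changed after its last review."""
    return (today - asset.last_reviewed) > REVIEW_PERIOD or asset.last_changed > asset.last_reviewed


# Constructed sample inventory (not real assets).
SAMPLE_INVENTORY = """asset_id,system,system_type,protocol,dial_up,last_reviewed,last_changed
PLC-01,boiler-dcs,plc,Modbus/TCP,no,2015-03-01,2015-01-15
PLC-02,boiler-dcs,plc,Modbus/RTU,no,2015-03-01,2015-01-15
RTU-07,pump-station,rtu,DNP3/serial,yes,2014-11-20,2014-11-20
HMI-03,pump-station,hmi,OPC-UA,no,2015-03-01,2015-04-10
"""


def inventory_report(text: str, today_iso: str) -> dict:
    """Summarize systems, assets that must be documented, and assets whose review is due."""
    today = date.fromisoformat(today_iso)
    assets = parse_inventory(text)
    return {
        "systems": sorted(group_by_system(assets)),
        "must_document": sorted(a.asset_id for a in assets if a.must_document),
        "review_due": sorted(a.asset_id for a in assets if review_due(a, today)),
    }


if __name__ == "__main__":
    for key, value in inventory_report(SAMPLE_INVENTORY, "2015-12-01").items():
        print(f"{key}: {value}")
```

In the sample, PLC-02 speaks serial Modbus/RTU with no dial-up and so is not flagged for mandatory documentation, while RTU-07 is flagged because of its dial-up line even though its protocol is serial; HMI-03 shows the "after each change" rule, since it was modified after its last review. The report is produced from the exported CSV only, so it does not touch the control network; any active discovery tool would still need the non-production evaluation the next paragraph describes.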
There are several commercial enterprise IT inventory tools that can identify and document all hardware and
software resident on a network. Care must be taken before using these tools to identify ICS assets; teams
should first conduct an assessment of how these tools work and what impact they might have on the
connected control equipment. Tool evaluation may include testing in similar, non-production control
system environments to ensure that the tools do not adversely impact the production systems. Impact could
be due to the nature of the information or the volume of network traffic. While this impact may be
acceptable in IT systems, it may not be acceptable in an ICS.
An automated management system for inventory (e.g., Computerized Maintenance Management System
(CMMS), Computer Aided Facility Management System (CAFM), Building Information Model (BIM),
Geospatial Information System (GIS), Construction-Operations Building information exchange data
(COBie), Building Automation Management information exchange (BAMie), Sustainment Management
Systems (SMS) Builder) allows an organization to keep an accurate account of what is on the system for
security reasons and budgetary reasons as well.
4.5.2 Select ICS Security Controls
The security controls selected based on the security categorization of the ICS are documented in the
security plan, which provides an overview of the security requirements for the ICS information security
program and describes the security controls in place or planned for meeting those requirements. The development of
security plans is addressed in NIST Special Publication 800-18 Revision 1, Guide for Developing Security
Plans for Federal Information Systems [19]. The security plan can be one document, or it can be the set of
all documents addressing the security concerns for a system and the plans for countering these concerns. In
addition to security controls, NIST Special Publication 800-53 Revision 4, Security and Privacy Controls
for Federal Information Systems and Organizations [20], provides a set of information security program
management (PM) controls that are typically implemented at the organization level and not directed at
individual organizational information systems. This section addresses how an organization establishes and
carries out these program management controls.
The successful implementation of security controls for organizational information systems depends on the
successful implementation of organization-wide program management controls. The manner in which
organizations implement the program management controls depends on specific organizational
characteristics including, for example, the size, complexity, and mission/business requirements of the
respective organizations. The program management controls complement the security controls and focus on
the programmatic, organization-wide information security requirements that are independent of any
particular information system and are essential for managing information security programs. Organizations
document program management controls in the information security program plan. The organization-wide
information security program plan supplements the individual security plans developed for each
organizational information system. Together, the security plans for the individual information systems and
the information security program cover the totality of security controls employed by the organization.
4.5.3 Perform Risk Assessment
Because every organization has a limited set of resources, organizations should assess the impacts to
organizational operations (i.e., mission, functions, image, and reputation), organizational assets, individuals,
other organizations, and the Nation (e.g., using FIPS 199 [15] or a more granular approach). As discussed
in Section 3, organizations can experience the consequences/impact of adverse events at the individual ICS
system level (e.g., failing to perform as required), at the mission/business process level (e.g., failing to fully
meet mission/business objectives), and at the organizational level (e.g., failing to comply with legal or
regulatory requirements, damaging reputation or relationships, or undermining long-term viability). An
adverse event can have multiple consequences and different types of impact, at different levels, and in
different time frames. NIST SP 800-53 [22] and the ICS overlay in Appendix G incorporate baseline
security controls that derive from this determination of impact.
The organization may perform a detailed risk assessment for the highest impact systems and assessments
for lower impact systems as deemed prudent and as resources allow. The risk assessment will help identify
any weaknesses that contribute to information security risks and mitigation approaches to reduce the risks.
Risk assessments are conducted multiple times during a system’s life cycle. The focus and level of detail
varies according to the system’s maturity.
4.5.4 Implement the Security Controls
Organizations should analyze the detailed risk assessment and the impacts to organizational operations (i.e.,
mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the
Nation, and prioritize selection of mitigation controls. Organizations should focus on mitigating risk with
the greatest potential impact. Security control implementation is consistent with the organization’s
enterprise architecture and information security architecture.
The controls to mitigate a specific risk may vary among types of systems. For example, user authentication
controls might be different for ICS than for corporate payroll systems and e-commerce systems. The ICS
information security manager should document and communicate the selected controls, along with the
procedures for using the controls. Some risks may be identified that can be mitigated by “quick fix”
solutions—low-cost, high-value practices that can significantly reduce risk. Examples of these solutions are
restricting Internet access and eliminating email access on operator control stations or consoles.
Organizations should identify, evaluate, and implement suitable quick fix solutions as soon as possible to
reduce security risks and achieve rapid benefits. The Department of Energy (DOE) has a “21 Steps to
Improve Cyber Security of SCADA Networks” [33] document that could be used as a starting point to
outline specific actions to increase the security of SCADA systems and other ICS.
5. ICS Security Architecture
When designing a network architecture for an ICS deployment, it is usually recommended to separate the
ICS network from the corporate network. The nature of network traffic on these two networks is different:
Internet access, FTP, email, and remote access will typically be permitted on the corporate network but
should not be allowed on the ICS network. Rigorous change control procedures for network equipment,
configuration, and software changes may not be in place on the corporate network. If ICS network traffic is
carried on the corporate network, it could be intercepted or be subjected to DoS or Man-in-the-Middle
attacks [5.14]. By having separate networks, security and performance problems on the corporate network
should not be able to affect the ICS network.
Practical considerations, such as cost of ICS installation or maintaining a homogenous network
infrastructure, often mean that a connection is required between the ICS and corporate networks. This
connection is a significant security risk and should be protected by boundary protection devices. If the
networks must be connected, it is strongly recommended that only minimal (single if possible) connections
be allowed and that the connection is through a firewall and a DMZ. A DMZ is a separate network segment
that connects directly to the firewall. Servers containing the data from the ICS that needs to be accessed
from the corporate network are put on this network segment. Only these systems should be accessible from
the corporate network. With any external connections, the minimum access should be permitted through the
firewall, including opening only the ports required for specific communication. The following sections
elaborate on these architectural considerations. The ICS-CERT recommended practices working group
provides additional guidance as recommended practices.[21]
5.1 Network Segmentation and Segregation
This section addresses partitioning the ICS into security domains and separating the ICS from other
networks, such as the corporate network, and presents illustrative security architecture. Operational risk
analysis should be performed to determine critical parts of each ICS network and operation and help define
what parts of the ICS need to be segmented. Network segmentation involves partitioning the network into
smaller networks. For example, one large ICS network is partitioned into multiple ICS networks, where the
partitioning is based on factors such as management authority, uniform policy and level of trust, functional
criticality, and amount of communications traffic that crosses the domain boundary. Network segmentation
and segregation is one of the most effective architectural concepts that an organization can implement to
protect its ICS. Segmentation establishes security domains, or enclaves, that are typically defined as being
managed by the same authority, enforcing the same policy, and having a uniform level of trust.
Segmentation can minimize the method and level of access to sensitive information, ICS communication
and equipment configuration; it can make it significantly more difficult for a malicious cyber adversary to
reach them, and can contain the effects of non-malicious errors and accidents. A practical consideration in defining a
security domain is the amount of communications traffic that crosses the domain boundary, because
domain protection typically involves examining boundary traffic and determining whether it is permitted.
The aim of network segmentation and segregation is to minimize access to sensitive information for those
systems and people who don’t need it, while ensuring that the organization can continue to operate
effectively. This can be achieved using a number of techniques and technologies depending on the
network’s architecture and configuration.
[21] ICS-CERT recommended practices may be found at http://ics-cert.us-cert.gov/Recommended-Practices.
Traditionally, network segmentation and segregation is implemented at the gateway between domains. ICS
environments often have multiple well-defined domains, such as operational LANs, control LANs, and
operational DMZs, as well as gateways to non-ICS and less trustworthy domains such as the Internet and
the corporate LANs. When insider attacks, social engineering, mobile devices, and other vulnerabilities and
predisposing conditions discussed in Appendix C are considered, protecting domain gateways is prudent
and worth considering.
Network segregation involves developing and enforcing a ruleset controlling which communications are
permitted through the boundary. Rules typically are based on source and destination identity and the type or
content of the data being transferred.
When network segmentation and segregation are implemented correctly, the method and level of access to
sensitive information are minimized. This can be achieved using a variety of technologies and methods.
Depending on the architecture and configuration of your network, some of the common technologies and
methods used include:
• Logical network separation enforced by encryption or network device-enforced partitioning.
  o Virtual Local Area Networks (VLANs).
  o Encrypted Virtual Private Networks (VPNs) use cryptographic mechanisms to separate traffic
    combined on one network.
  o Unidirectional gateways restrict communications between connections to a single direction,
    therefore segmenting the network.
• Physical network separation to completely prevent any interconnectivity of traffic between domains.
• Network traffic filtering, which can utilize a variety of technologies at various network layers to
  enforce security requirements and domains.
  o Network layer filtering that restricts which systems are able to communicate with others on the
    network based on IP and route information.
  o State-based filtering that restricts which systems are able to communicate with others on the
    network based on their intended function or current state of operation.
  o Port and/or protocol level filtering that restricts the number and type of services that each system
    can use to communicate with others on the network.
  o Application filtering that commonly filters the content of communications between systems at the
    application layer. This includes application-level firewalls, proxies, and content-based filters.
Some vendors are making products to filter ICS protocols at the application level, which they market as
ICS firewalls.
Regardless of the technology chosen to implement network segmentation and segregation, there are four
common themes that implement the concept of defense-in-depth by providing for good network
segmentation and segregation:
• Apply technologies at more than just the network layer. Each system and network should be
  segmented and segregated, where possible, from the data link layer up to and including the application
  layer.
• Use the principles of least privilege and need-to-know. If a system doesn’t need to communicate
  with another system, it should not be allowed to. If a system needs to talk only to another system on a
  specific port or protocol and nothing else, or it needs to transfer a limited set of labeled or fixed-format
  data, it should be restricted as such.
• Separate information and infrastructure based on security requirements. This may include using
  different hardware or platforms based on different threat and risk environments in which each system
  or network segment operates. The most critical components require more strict isolation from other
  components. In addition to network separation, the use of virtualization could be employed to
  accomplish the required isolation.
• Implement whitelisting[23] instead of blacklisting; that is, grant access to the known good, rather than
  denying access to the known bad. The set of applications that run in ICS is essentially static, making
  whitelisting more practical. This will also improve an organization’s capacity to analyze log files.
5.2 Boundary Protection
Boundary protection devices control the flow of information between interconnected security domains to
protect the ICS against malicious cyber adversaries and non-malicious errors and accidents. Transferring
information between systems representing different security domains with different security policies
introduces risk that such transfers violate one or more domain security policies. Boundary protection
devices are key components of specific architectural solutions that enforce specific security policies.
Organizations can isolate ICS and business system components performing different missions and/or
business functions. Such isolation limits unauthorized information flows among system components and
also provides the opportunity to deploy greater levels of protection for selected components. Separating
system components with boundary protection mechanisms provides the capability for increased protection
of individual components and more effective control of information flows between those components.
Boundary protection controls include gateways, routers, firewalls, guards, network-based malicious code
analysis and virtualization systems, intrusion detection systems (networked and host-based), encrypted
tunnels, managed interfaces, mail gateways, and unidirectional gateways (e.g., data diodes). Boundary
protection devices determine whether data transfer is permitted, often by examining the data or associated
metadata.
Network and ICS security architects must decide which domains are to be permitted direct communication,
the policies governing permitted communication, the devices to be used to enforce the policy, and the
topology for provisioning and implementing these decisions, which are typically based on the trust
relationship between domains. Trust involves the degree of control that the organization has over the
external domain (e.g., another domain in the same organization, a contracted service provider, the Internet).
Boundary protection devices are arranged in accordance with organizational security architecture. A
common architectural construct is the demilitarized zone (DMZ), a host or network segment inserted as a
“neutral zone” between security domains. Its purpose is to enforce the ICS domain’s information security
policy for external information exchange and to provide external domains with restricted access while
shielding the ICS domain from outside threats.
Additional architectural considerations and functions that can be performed by boundary protection devices
for inter-domain communications include:
[23] A whitelist is a list or register of those that are being provided a particular privilege, service, mobility,
access or recognition. Only those on the list will be accepted, approved or recognized (i.e., permitted).
Whitelisting is the reverse of blacklisting, the practice of identifying those that are denied, unrecognized,
or ostracized (i.e., prohibited).
• Denying communications traffic by default and allowing communications traffic by exception (i.e.,
  deny all, permit by exception). A deny-all, permit-by-exception communications traffic policy ensures
  that only those connections which are approved are allowed. This is known as a white-listing policy.
• Implementing proxy servers that act as an intermediary for external domains requesting information
  system resources (e.g., files, connections, or services) from the ICS domain. External requests
  established through an initial connection to the proxy server are evaluated to manage complexity and
  to provide additional protection by limiting direct connectivity.
• Preventing the unauthorized exfiltration of information. Techniques include, for example, deep packet
  inspection firewalls and XML gateways. These devices verify adherence to protocol formats and
  specifications at the application layer and serve to identify vulnerabilities that cannot be detected by
  devices operating at the network or transport layers. The limited number of formats, especially the
  prohibition of free-form text in email, eases the use of such techniques at ICS boundaries.
• Only allowing communication between authorized and authenticated source and destination address
  pairs by one or more of the organization, system, application, and individual.
• Extending the DMZ concept to other separate subnetworks is useful, for example, in isolating ICS to
  prevent adversaries from discovering the analysis and forensics techniques of organizations.
• Enforcing physical access control to limit authorized access to ICS components.
• Concealing network addresses of ICS components from discovery (e.g., network address not
  published or entered in domain name systems), requiring prior knowledge for access.
• Disabling control and troubleshooting services and protocols, especially those employing broadcast
  messaging, which can facilitate network exploration.
• Configuring boundary protection devices to fail in a predetermined state. Preferred failure states for
  ICS involve balancing multiple factors including safety and security.
• Configuring security domains with separate network addresses (i.e., as disjoint subnets).
• Disabling feedback (e.g., non-verbose mode) to senders when there is a failure in protocol validation
  format to prevent adversaries from obtaining information.
• Implementing one-way data flow, especially between different security domains.
• Establishing passive monitoring of ICS networks to actively detect anomalous communications and
  provide alerts.
5.3 Firewalls
Network firewalls are devices or systems that control the flow of network traffic between networks
employing differing security postures. In most modern applications, firewalls and firewall environments are
discussed in the context of Internet connectivity and the UDP/IP protocol suite. However, firewalls have
applicability in network environments that do not include or require Internet connectivity. For example,
many corporate networks employ firewalls to restrict connectivity to and from internal networks servicing
more sensitive functions, such as the accounting or human resource departments. Firewalls can
further restrict ICS inter-subnetwork communications between functional security subnets and devices. By
employing firewalls to control connectivity to these areas, an organization can prevent unauthorized access
to the respective systems and resources within the more sensitive areas. There are three general classes of
firewalls:
• Packet Filtering Firewalls. The most basic type of firewall is called a packet filter. Packet filter firewalls are essentially routing devices that include access control functionality for system addresses and communication sessions. The access control is governed by a set of directives collectively referred to as a rule set. In their most basic form, packet filters operate at layer 3 (network) of the Open Systems Interconnection (OSI), ISO/IEC 7498 model. This type of firewall checks basic information in each packet, such as IP addresses, against a set of criteria before forwarding the packet. Depending on the packet and the criteria, the firewall can drop the packet, forward it, or send a message to the originator. This type of firewall can offer a high level of security, but could result in overhead and delay impacts on network performance.
• Stateful Inspection Firewalls. Stateful inspection firewalls are packet filters that incorporate added awareness of the OSI model data at layer 4 (transport). Stateful inspection firewalls filter packets at the network layer, determine whether session packets are legitimate, and evaluate the contents of packets at the transport layer (e.g., TCP, UDP) as well. Stateful inspection keeps track of active sessions and uses that information to determine if packets should be forwarded or blocked. It offers a high level of security and good performance, but it may be more expensive and complex to administer. Additional rule sets for ICS applications may be required.
• Application-Proxy Gateway Firewalls. This class of firewalls examines packets at the application layer and filters traffic based on specific application rules, such as specified applications (e.g., browsers) or protocols (e.g., FTP). Firewalls of this type can be very effective in preventing attacks on the remote access and configuration services provided by ICS components. They offer a high level of security, but could have overhead and delay impacts on network performance, which can be unacceptable in an ICS environment.
NIST SP 800-41 Revision 1, Guidelines on Firewalls and Firewall Policy [85], provides general guidance for the selection of firewalls and the firewall policies.
In an ICS environment, firewalls are most often deployed between the ICS network and the corporate
network [34]. Properly configured, they can greatly restrict undesired access to and from control system
host computers and controllers, thereby improving security. They can also potentially improve a control
network’s responsiveness by removing non-essential traffic from the network. When properly designed,
configured, and maintained, dedicated hardware firewalls can contribute significantly to increasing the
security of today’s ICS environments.
Firewalls provide several tools to enforce a security policy that cannot be accomplished locally on the
current set of process control devices available in the market, including the ability to:
• Block all communications with the exception of specifically enabled communications between devices on the unprotected LAN and protected ICS networks. Blocking can be based on, for example, source and destination IP address pairs, services, ports, state of the connection, and specified applications or protocols supported by the firewall. Blocking can occur on both inbound and outbound packets, which is helpful in limiting high-risk communications such as email.
• Enforce secure authentication of all users seeking to gain access to the ICS network. There is flexibility to employ varying protection levels of authentication methods including simple passwords, complex passwords, multi-factor authentication technologies, tokens, biometrics and smart cards. Select the particular method based upon the vulnerability of the ICS network to be protected, rather than using the method that is available at the device level.
• Enforce destination authorization. Users can be restricted and allowed to reach only the nodes on the control network necessary for their job function. This reduces the potential of users intentionally or accidentally gaining access to and control of devices for which they are not authorized, but adds to the complexity for on-the-job training or cross-training employees.
• Record information flow for traffic monitoring, analysis, and intrusion detection.
• Permit the ICS to implement operational policies appropriate to the ICS but that might not be appropriate in an IT network, such as prohibition of less secure communications like email, and permitted use of easy-to-remember usernames and group passwords.
• Be designed with documented and minimal (single if possible) connections that permit the ICS network to be severed from the corporate network, should that decision be made, in times of serious cyber incidents.
Other possible deployments include using either host-based firewalls or small standalone hardware firewalls in front of, or running on, individual control devices. Using firewalls on an individual device basis can create significant management overhead, especially in change management of firewall configurations; however, this practice also simplifies the individual configuration rule sets.
There are several issues that must be addressed when deploying firewalls in ICS environments, particularly
the following:
• The possible addition of delay to control system communications.
• The lack of experience in the design of rule sets suitable for industrial applications. Firewalls used to protect control systems should be configured so they do not permit either incoming or outgoing traffic by default. The default configuration should be modified only when it is necessary to permit connections to or from trusted systems to perform authorized ICS functions.
Firewalls require ongoing support, maintenance, and backup. Rule sets need to be reviewed to make sure
that they are providing adequate protection in light of ever-changing security threats. System capabilities
(e.g., storage space for firewall logs) should be monitored to make sure that the firewall is performing its
data collection tasks and can be depended upon in the event of a security violation. Real-time monitoring of
firewalls and other security sensors is required to rapidly detect and initiate response to cyber incidents.
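An added example, not from the NIST document, of the ongoing log review the paragraph above calls for: it parses constructed boundary-firewall log lines (the format, hosts and rule names are invented) and raises alerts for an accepted flow on a path the documented design does not allow (rule-set drift), for one corporate source denied against several control-network hosts within a short window, and for a gap in logging that suggests the firewall has stopped collecting data.

```python
"""Review of deny-by-default boundary firewall logs (constructed example: the log
format, host addresses and rule names are invented, not taken from the NIST text)."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed zone addressing (RFC 1918 ranges) for a corporate / DMZ / control layout.
ZONES = {
    "corporate": ipaddress.ip_network("10.1.0.0/16"),
    "dmz": ipaddress.ip_network("10.2.0.0/24"),
    "control": ipaddress.ip_network("10.3.0.0/24"),
}
# The documented design: corporate and control traffic both terminate in the DMZ.
DOCUMENTED_PATHS = {("corporate", "dmz"), ("control", "dmz")}

# One constructed log line per firewall decision, e.g.
# 2024-01-15T09:20:05 fw01 DENY proto=tcp src=10.1.7.40 dst=10.3.0.21 dport=502 rule=default-deny
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<fw>\S+) (?P<action>ACCEPT|DENY) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) rule=(?P<rule>\S+)$"
)


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), "unknown")


def parse(line):
    """Return a record dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["dport"] = int(rec["dport"])
    rec["path"] = (zone_of(rec["src"]), zone_of(rec["dst"]))
    return rec


def review(lines, probe_threshold=3, probe_window_s=60, max_gap_s=1800):
    """Return a list of (kind, detail) alerts from three checks on the log."""
    records = sorted((r for r in map(parse, lines) if r), key=lambda r: r["ts"])
    alerts = []
    # Check 1 (rule-set review): an ACCEPT on a path the documented design never
    # allowed means the rule set has drifted, e.g. a direct corporate-to-control rule.
    for r in records:
        if r["action"] == "ACCEPT" and r["path"] not in DOCUMENTED_PATHS:
            alerts.append(("undocumented-path",
                           f"rule {r['rule']} accepted {r['src']}->{r['dst']}:{r['dport']}"
                           f" ({r['path'][0]}->{r['path'][1]})"))
    # Check 2 (detection): one source denied against several distinct control-network
    # hosts within a short window is the trace that network exploration leaves behind.
    denies = defaultdict(list)
    for r in records:
        if r["action"] == "DENY" and r["path"][1] == "control":
            denies[r["src"]].append(r)
    for src, hits in denies.items():
        for i, first in enumerate(hits):
            in_window = [h for h in hits[i:]
                         if (h["ts"] - first["ts"]).total_seconds() <= probe_window_s]
            targets = {h["dst"] for h in in_window}
            if len(targets) >= probe_threshold:
                alerts.append(("probe", f"{src} denied to {len(targets)} control hosts "
                                        f"within {probe_window_s}s"))
                break
    # Check 3 (log health): a long silence from a busy boundary usually means the
    # firewall stopped recording (full log storage, failed forwarding), not quiet traffic.
    for prev, cur in zip(records, records[1:]):
        gap = (cur["ts"] - prev["ts"]).total_seconds()
        if gap > max_gap_s:
            alerts.append(("log-gap", f"{int(gap)}s without entries after {prev['ts'].isoformat()}"))
    return alerts


# Constructed sample log: one approved corporate->historian flow, a corporate host
# denied against three control-network addresses, a drifted rule, then ~45 min of silence.
SAMPLE_LOG = [
    "2024-01-15T09:20:01 fw01 ACCEPT proto=tcp src=10.1.5.23 dst=10.2.0.11 dport=443 rule=corp-to-historian",
    "2024-01-15T09:20:05 fw01 DENY proto=tcp src=10.1.7.40 dst=10.3.0.21 dport=502 rule=default-deny",
    "2024-01-15T09:20:06 fw01 DENY proto=tcp src=10.1.7.40 dst=10.3.0.22 dport=502 rule=default-deny",
    "2024-01-15T09:20:07 fw01 DENY proto=tcp src=10.1.7.40 dst=10.3.0.23 dport=502 rule=default-deny",
    "2024-01-15T09:20:09 fw01 ACCEPT proto=tcp src=10.1.9.8 dst=10.3.0.21 dport=80 rule=temp-vendor-access",
    "2024-01-15T10:05:00 fw01 ACCEPT proto=tcp src=10.3.0.10 dst=10.2.0.11 dport=443 rule=control-to-historian",
    "this line is not in the expected format and is skipped",
]

if __name__ == "__main__":
    for kind, detail in review(SAMPLE_LOG):
        print(f"[{kind}] {detail}")
```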
5.4 Logically Separated Control Network
The ICS network should, at a minimum, be logically separated from the corporate network on physically
separate network devices. Based on the ICS network configuration, additional separation needs to be
considered for Safety Instrumented Systems and Security Systems (e.g., physical monitoring and access
controls, doors, gates, cameras, VoIP, access card readers) that are often either part of the ICS network or
utilize the same communications infrastructure for remote sites. When enterprise connectivity is required:
• There should be documented and minimal (single if possible) access points between the ICS network and the corporate network. Redundant (i.e., backup) access points, if present, must be documented.
• A stateful firewall between the ICS network and corporate network should be configured to deny all traffic except that which is explicitly authorized.
• The firewall rules should at a minimum provide source and destination filtering (i.e., filter on media access control [MAC] address), in addition to TCP and User Datagram Protocol (UDP) port filtering and Internet Control Message Protocol (ICMP) type and code filtering.
An acceptable approach to enabling communication between an ICS network and a corporate network is to
implement an intermediate DMZ network. The DMZ should be connected to the firewall such that specific
(restricted) communication may occur between only the corporate network and the DMZ, and the ICS
network and the DMZ. The corporate network and the ICS network should not communicate directly with
each other. This approach is described in Sections 5.5.4 and 5.5.5. Additional security may be obtained by
implementing a Virtual Private Network (VPN) between the ICS and external networks.
5.5 Network Segregation
ICS networks and corporate networks can be segregated to enhance cybersecurity using different
architectures. This section describes several possible architectures and explains the advantages and
disadvantages of each. Please note that the intent of the diagrams in Section 5.5 is to show the placement of
firewalls to segregate the network. Not all devices that would be typically found on the control network or
corporate network are shown. Section 5.6 provides guidance on a recommended defense-in-depth
architecture.
5.5.1 Dual-Homed Computer/Dual Network Interface Cards (NIC)
Dual-homed computers can pass network traffic from one network to another. A computer without proper
security controls could pose additional threats. To prevent this, no systems other than firewalls should be
configured as dual-homed to span both the control and corporate networks. All connections between the
control network and the corporate network should be through a firewall. This configuration provides no
security improvement and should not be used to bridge networks (e.g., ICS and corporate networks).
5.5.2 Firewall between Corporate Network and Control Network
By introducing a simple two-port firewall between the corporate and control networks, as shown in Figure
5-1, a significant security improvement can be achieved. Properly configured, a firewall significantly
reduces the chance of a successful external attack on the control network.
Unfortunately, two issues still remain with this design. First, if the data historian resides on the corporate
network, the firewall must allow the data historian to communicate with the control devices on the control
network. A packet originating from a malicious or incorrectly configured host on the corporate network
(appearing to be the data historian) would be forwarded to individual PLCs/DCS.
Figure 5-1. Firewall between Corporate Network and Control Network
If the data historian resides on the control network, a firewall rule must exist that allows all hosts from the
enterprise to communicate with the historian. Typically, this communication occurs at the application layer
as Structured Query Language (SQL) or Hypertext Transfer Protocol (HTTP) requests. Flaws in the
historian’s application layer code could result in a compromised historian. Once the historian is
compromised, the remaining nodes on the control network are vulnerable to a worm propagating or an
interactive attack.
Another issue with having a simple firewall between the networks is that spoofed packets can be
constructed that can affect the control network, potentially permitting covert data to be tunneled in allowed
protocols. For example, if HTTP packets are allowed through the firewall, then Trojan horse software
accidentally introduced on an HMI or control network laptop could be controlled by a remote entity and
send data (such as captured passwords) to that entity, disguised as legitimate traffic.
In summary, while this architecture is a significant improvement over a non-segregated network, it requires
the use of firewall rules that allow direct communications between the corporate network and control
network devices. This can result in possible security breaches if not very carefully designed and monitored
[35].
[Figure 5-1 labels: corporate network, workstations, application server, data historian, Internet/WAN, printer, router, firewall, control network, firewall, PLC, PLC, control server, enterprise/outside world]
5.5.3 Firewall and Router between Corporate Network and Control Network
A slightly more sophisticated design, shown in Figure 5-2, is the use of a router/firewall combination. The
router sits in front of the firewall and offers basic packet filtering services, while the firewall handles the
more complex issues using either stateful inspection or proxy techniques. This type of design is very
popular in Internet-facing firewalls because it allows the faster router to handle the bulk of the incoming
packets, especially in the case of DoS attacks, and reduces the load on the firewall. It also offers improved
defense-in-depth because there are two different devices an adversary must bypass [35].
Figure 5-2. Firewall and Router between Corporate Network and Control Network
[Figure 5-2 labels: corporate network, workstations, application server, data historian, Internet/WAN, printer, router, firewall, control network, router, PLC, PLC, control server, enterprise/outside world, firewall]
5.5.4 Firewall with DMZ between Corporate Network and Control Network
A significant improvement is the use of firewalls with the ability to establish a DMZ between the corporate
and control networks. Each DMZ holds one or more critical components, such as the data historian, the
wireless access point, or remote and third party access systems. In effect, the use of a DMZ-capable
firewall allows the creation of an intermediate network.
Creating a DMZ requires that the firewall offer three or more interfaces, rather than the typical public and
private interfaces. One of the interfaces is connected to the corporate network, the second to the control
network, and the remaining interfaces to the shared or insecure devices such as the data historian server or
wireless access points on the DMZ network. Implementing continuous ingress and egress traffic monitoring
on the DMZ is recommended. Additionally, firewall rulesets that only permit connections between the
control network and DMZ that are initiated by control network devices are recommended. Figure 5-3
provides an example of this architecture.
Figure 5-3. Firewall with DMZ between Corporate Network and Control Network
ä¼æ¥­ãƒãƒƒãƒˆãƒ¯ãƒ¼ã‚¯
ワークステーション
アプリケーション
サーãƒ
データヒストリアン
インターãƒãƒƒãƒˆ/WAN
プリンタ
ルータ
ファイアウォール
制御ãƒãƒƒãƒˆãƒ¯ãƒ¼ã‚¯
制御サーãƒ
ä¼æ¥­/外界
ファイアウォール
データサーãƒ
SPECIAL PUBLICATION 800-82 REVISION 2 GUIDE TO INDUSTRIAL CONTROL SYSTEMS (ICS) SECURITY
99
By placing corporate-accessible components in the DMZ, no direct communication paths are required from
the corporate network to the control network; each path effectively ends in the DMZ. Most firewalls can
allow for multiple DMZs, and can specify what type of traffic may be forwarded between zones. As Figure
5-3 shows, the firewall can block arbitrary packets from the corporate network from entering the control
network, and can also regulate traffic from the other network zones including the control network. With
well-planned rule sets, a clear separation can be maintained between the control network and other
networks, with little or no traffic passing directly between the corporate and control networks.
If a patch management server, an antivirus server, or other security server is to be used for the control
network, it should be located directly on the DMZ. Both functions could reside on a single server. Having
patch management and antivirus management dedicated to the control network allows for controlled and
secure updates that can be tailored for the unique needs of the ICS environment. It may also be helpful if
the antivirus product chosen for ICS protection is not the same as the antivirus product used for the
corporate network. For example, if a malware incident occurs and one antivirus product cannot detect or
stop the malware, it is somewhat likely that another product may have that capability.
The primary security risk in this type of architecture is that if a computer in the DMZ is compromised, then
it can be used to launch an attack against the control network via application traffic permitted from the
DMZ to the control network. This risk can be greatly reduced if a concerted effort is made to harden and
actively patch the servers in the DMZ and if the firewall ruleset permits only connections between the
control network and DMZ that are initiated by control network devices. Other concerns with this
architecture are the added complexity and the potential increased cost of firewalls with several ports. For
more critical systems, however, the improved security should more than offset these disadvantages [35].
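The policy this subsection describes (deny by default, each corporate path terminating in the DMZ, connections between the control network and the DMZ opened only from the control side, reply traffic admitted only for connections the firewall has already accepted) can be modelled and exercised before it is configured on a real device. The Python model below is an added example, not part of the guide or of any firewall product; the zone addresses, the two permit rules and the sample packets are constructed for illustration, and the source-address check in step 1 is the outbound filtering that Section 5.7 recommends.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed addressing of the three firewall interfaces (illustrative only).
ZONES = {
    "corporate": ip_network("10.1.0.0/16"),
    "dmz":       ip_network("10.2.0.0/24"),
    "control":   ip_network("10.3.0.0/24"),
}


@dataclass(frozen=True)
class Rule:
    """One explicit permit for new connections from src_zone to dst_zone."""
    src_zone: str
    dst_zone: str
    src: str        # host address or CIDR range allowed as initiator
    dst: str        # host address or CIDR range allowed as responder
    proto: str
    dport: int

    def matches(self, pkt, out_zone):
        return (self.src_zone == pkt.iface and self.dst_zone == out_zone
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.proto == pkt.proto and self.dport == pkt.dport)


@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet arrived on: "corporate", "dmz" or "control"
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False   # True for the opening packet of a new connection


# Permit list for the architecture of Figure 5-3.  No rule joins the corporate
# and control zones directly, and the only control<->DMZ rule has the control
# side as initiator, so a compromised DMZ server cannot open a connection into
# the control network.
RULES = [
    Rule("corporate", "dmz", "10.1.50.0/24", "10.2.0.10", "tcp", 443),  # enterprise clients -> historian, HTTPS
    Rule("control", "dmz", "10.3.0.0/24", "10.2.0.10", "tcp", 502),     # control devices -> historian, Modbus/TCP
]


class DmzFirewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.conntrack = set()   # 5-tuples of connections that were accepted

    @staticmethod
    def zone_of(addr):
        for name, net in ZONES.items():
            if ip_address(addr) in net:
                return name
        return None   # outside every local zone, e.g. the Internet

    def forward(self, pkt):
        """Return ("ACCEPT" | "DROP", reason) for one forwarded packet."""
        # 1. Source-address check: a packet may only carry a source address that
        #    belongs to the interface it arrived on (stops forged sources).
        if ip_address(pkt.src) not in ZONES[pkt.iface]:
            return "DROP", "spoofed source"
        out_zone = self.zone_of(pkt.dst)
        if out_zone is None or out_zone == pkt.iface:
            return "DROP", "no permitted path"
        # 2. Stateful: packets of an accepted connection pass in both directions.
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reply = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.conntrack or reply in self.conntrack:
            return "ACCEPT", "established"
        # 3. Only the opener of a new connection is checked against the permit
        #    list; anything else falls through to the default deny.
        if not pkt.syn:
            return "DROP", "no state"
        for rule in self.rules:
            if rule.matches(pkt, out_zone):
                self.conntrack.add(key)
                return "ACCEPT", f"rule {rule.src_zone}->{rule.dst_zone} {rule.proto}/{rule.dport}"
        return "DROP", "default deny"


def run_demo():
    """Constructed packets exercising the policy; returns [(label, (verdict, reason))]."""
    fw = DmzFirewall(RULES)
    flows = [
        ("corporate client opens HTTPS to the historian",
         Packet("corporate", "10.1.50.7", 50001, "10.2.0.10", 443, syn=True)),
        ("historian answers the corporate client",
         Packet("dmz", "10.2.0.10", 443, "10.1.50.7", 50001)),
        ("corporate client tries Modbus straight to a PLC",
         Packet("corporate", "10.1.50.7", 50002, "10.3.0.20", 502, syn=True)),
        ("historian tries to open Modbus to a PLC",
         Packet("dmz", "10.2.0.10", 40000, "10.3.0.20", 502, syn=True)),
        ("control server pushes data to the historian",
         Packet("control", "10.3.0.5", 40100, "10.2.0.10", 502, syn=True)),
        ("historian answers the control server",
         Packet("dmz", "10.2.0.10", 502, "10.3.0.5", 40100)),
        ("mid-stream packet toward a PLC with no tracked connection",
         Packet("dmz", "10.2.0.10", 40001, "10.3.0.20", 502)),
        ("corporate address forged on the control interface",
         Packet("control", "10.1.50.7", 50003, "10.2.0.10", 443, syn=True)),
        ("PLC tries to reach an Internet host",
         Packet("control", "10.3.0.20", 40200, "198.51.100.10", 443, syn=True)),
    ]
    return [(label, fw.forward(pkt)) for label, pkt in flows]


if __name__ == "__main__":
    for label, (verdict, reason) in run_demo():
        print(f"{verdict:6} {label} ({reason})")
```

The two accepted openers and their replies are the only traffic that passes; the corporate-to-PLC attempt, the DMZ-initiated Modbus session and the stateless mid-stream packet all hit the default deny, which is the property that limits the blast radius of a compromised DMZ host.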
5.5.5 Paired Firewalls between Corporate Network and Control Network
A variation on the firewall with a DMZ solution is to use a pair of firewalls positioned between the
corporate and ICS networks, as shown in Figure 5-4. Common servers such as the data historian are
situated between the firewalls in a DMZ-like network zone sometimes referred to as a Manufacturing
Execution System (MES) layer. As in the architectures described previously, the first firewall blocks
arbitrary packets from proceeding to the control network or the shared historians. The second firewall can
prevent unwanted traffic from a compromised server from entering the control network, and prevent control
network traffic from impacting the shared servers.
Figure 5-4. Paired Firewalls between Corporate Network and Control Network (figure not reproduced; labels recovered: corporate network, workstations, application server, data historian, Internet/WAN, printer, router, corporate/external firewall, data server, second firewall, control network, control server)
If firewalls from two different manufacturers are used, then this solution may offer an advantage. It also
allows the control group and the IT group to have clearly separated device responsibility because each can
manage a firewall on its own, if the decision is made within the organization to do so. The primary
disadvantage with two-firewall architectures is the increased cost and management complexity. For
environments with stringent security requirements or the need for clear management separation, this
architecture has some strong advantages.
5.5.6 Network Segregation Summary
In summary, dual-homed computers generally do not provide suitable isolation between control networks and
corporate networks. The two-zone solutions (no DMZ) are not recommended because they provide only
weak protection. If used, they should only be deployed with extreme care. The most secure, manageable,
and scalable control network and corporate network segregation architectures are typically based on a
system with at least three zones, incorporating one or more DMZs.
5.6 Recommended Defense-in-Depth Architecture
A single security product, technology or solution cannot adequately protect an ICS by itself. A multiple
layer strategy involving two (or more) different overlapping security mechanisms, a technique also known
as defense-in-depth, is desired so that the impact of a failure in any one mechanism is minimized. A
defense-in-depth architecture strategy includes the use of firewalls, the creation of demilitarized zones,
intrusion detection capabilities along with effective security policies, training programs, incident response
mechanisms and physical security. In addition, an effective defense-in-depth strategy requires a thorough
understanding of possible attack vectors on an ICS. These include:
• Backdoors and holes in network perimeter.
• Vulnerabilities in common protocols.
• Attacks on field devices.
• Database attacks.
• Communications hijacking and ‘man-in-the-middle’ attacks.
• Spoofing attacks.
• Attacks on privileged and/or shared accounts.
Figure 5-5 shows an ICS defense-in-depth architecture strategy that has been developed by the DHS
Control Systems Security Program (CSSP) NCCIC/ICS-CERT Recommended Practices committee (see footnote 25) as
described in the Control Systems Cyber Security: Defense in Depth Strategies [36] document. Additional
supporting documents that cover specific issues and associated mitigations are also included on the site.
The Control Systems Cyber Security: Defense in Depth Strategies document provides guidance and
direction for developing defense-in-depth architecture strategies for organizations that use control system
networks while maintaining a multi-tiered information architecture that requires:
• Maintenance of various field devices, telemetry collection, and/or industrial-level process systems.
• Access to facilities via remote data link or modem.
• Public facing services for customer or corporate operations.
25 Information on the CSSP Recommended Practices is located at http://ics-cert.us-cert.gov/Recommended-Practices
This strategy includes firewalls, the use of demilitarized zones and intrusion detection capabilities
throughout the ICS architecture. The use of several demilitarized zones in Figure 5-5 provides the added
capability to separate functionalities and access privileges and has proved to be very effective in protecting
large architectures comprised of networks with different operational mandates. Intrusion detection
deployments apply different rule-sets and signatures unique to each domain being monitored.
Figure 5-5. CSSP Recommended Defense-In-Depth Architecture (figure not reproduced; labels recovered: field location with controllers/RTU/PLC/IED, field communications bus and wireless access point; external communications infrastructure, telecom firewall, CS PBX, CS modem pool, backup control center, remote business peers, Internet; control system LAN with data acquisition server, application server, historian, database server, configuration server, HMI computers and engineering workstations; control system firewall; control-side DMZs for external business communications, web server, DB/historian, security and authentication servers; corporate LAN with business servers and workstations, web application server, e-mail server, FTP server, wireless access point, authentication, web and DNS servers; corporate-side DNS, e-mail, web server, FTP, authentication and wireless DMZs; corporate firewall, external VPN access, corporate PBX and modem pool; IDS sensors)
5.7 General Firewall Policies for ICS
Once the defense-in-depth architecture is in place, the work of determining exactly what traffic should be
allowed through the firewalls begins. Configuring the firewalls to deny all except for the traffic absolutely
required for business needs is every organization’s basic premise, but the reality is much more difficult.
Exactly what does “absolutely required for business” mean and what are the security impacts of allowing
that traffic through? For example, many organizations considered allowing SQL traffic through the firewall
to be required for business, because many data historian servers depend on it. Unfortunately, the SQL
service so exposed was also the target of the Slammer worm [Table C-8. Example Adversarial Incidents]. Many important protocols used
in the industrial world, such as HTTP, FTP, OPC/DCOM, EtherNet/IP, and Modbus/TCP, have significant
security vulnerabilities.
The remaining material in this section summarizes some of the key points from the Centre for the
Protection of National Infrastructure’s (CPNI) Firewall Deployment for SCADA and Process Control
Networks: Good Practice Guide [35].
When installing a single two-port firewall without a DMZ for shared servers (i.e., the architecture described
in Section 5.5.2), particular care needs to be taken with the rule design. At a minimum, all rules
should be stateful rules that are both IP address and port (application) specific. The address portion of the
rules should restrict incoming traffic to a very small set of shared devices (e.g., the data historian) on the
control network from a controlled set of addresses on the corporate network. Allowing any IP addresses on
the corporate network to access servers inside the control network is not recommended. In addition, the
allowed ports should be carefully restricted to relatively secure protocols such as Hypertext Transfer
Protocol Secure (HTTPS). Allowing HTTP, FTP, or other unsecured protocols to cross the firewall is a
security risk due to the potential for traffic sniffing and modification. Rules should be added to deny hosts
outside the control network from initiating connections with hosts on the control network. Rules should
only allow devices internal to the control network the ability to establish connections outside the control
network.
On the other hand, if the DMZ architecture is being used, then it is possible to configure the system so that
no traffic will go directly between the corporate network and the control network. With a few special
exceptions (noted below), all traffic from either side can terminate at the servers in the DMZ. This allows
more flexibility in the protocols allowed through the firewall. For example, Modbus/TCP might be used to
communicate from the PLCs to the data historian, while HTTP might be used for communication between
the historian and enterprise clients. Both protocols are inherently insecure, yet in this case they can be used
safely because neither actually crosses between the two networks. An extension to this concept is the idea
of using “disjoint” protocols in all control network to corporate network communications. That is, if a
protocol is allowed between the control network and DMZ, then it is explicitly not allowed between the
DMZ and corporate network. This design greatly reduces the chance of a worm such as Slammer actually
making its way into the control network, because the worm would have to use two different exploits over
two different protocols.
One area of considerable variation in practice is the control of outbound traffic from the control network,
which could represent a significant risk if unmanaged. One example is Trojan horse software that uses
HTTP tunneling to exploit poorly defined outbound rules. Thus, it is important that outbound rules be as
stringent as inbound rules.
Example outbound rules include:
• Outbound traffic through the control network firewall should be limited to essential communications
only and should be limited to authorized traffic originating from DMZ servers.
• All outbound traffic from the control network to the corporate network should be source and
destination-restricted by service and port.
In addition to these rules, the firewall should be configured with outbound filtering to stop forged IP
packets from leaving the control network or the DMZ. In practice this is achieved by checking the source
IP addresses of outgoing packets against the firewall’s respective network interface address. The intent is to
prevent the control network from being the source of spoofed (i.e., forged) communications, which are
often used in DoS attacks. Thus, the firewalls should be configured to forward IP packets only if those
packets have a correct source IP address for the control network or DMZ networks. Finally, Internet access
by devices on the control network should be strongly discouraged.
In summary, the following should be considered as recommended practice for general firewall rule sets:
• The base rule set should be deny all, permit none.
• Ports and services between the control network environment and the corporate network should be
enabled and permissions granted on a specific case-by-case basis. There should be a documented
business justification with risk analysis and a responsible person for each permitted incoming or
outgoing data flow.
• All “permit” rules should be both IP address and TCP/UDP port specific, and stateful if appropriate.
• All rules should restrict traffic to a specific IP address or range of addresses.
• Traffic should be prevented from transiting directly from the control network to the corporate network.
All traffic should terminate in the DMZ.
• Any protocol allowed between the control network and DMZ should explicitly NOT be allowed
between the DMZ and corporate networks (and vice-versa).
• All outbound traffic from the control network to the corporate network should be source and
destination-restricted by service and port.
• Outbound packets from the control network or DMZ should be allowed only if those packets have a
correct source IP address that is assigned to the control network or DMZ devices.
• Control network devices should not be allowed to access the Internet.
• Control networks should not be directly connected to the Internet, even if protected via a firewall.
• All firewall management traffic should be carried on either a separate, secured management network
(e.g., out of band) or over an encrypted network with multi-factor authentication. Traffic should also
be restricted by IP address to specific management stations.
• All firewall policies should be tested periodically.
• All firewalls should be backed up immediately prior to commissioning.
These should be considered only as guidelines. A careful assessment of each control environment is
required before implementing any firewall rule sets.
5.8 Recommended Firewall Rules for Specific Services
Beside the general rules described above, it is difficult to outline all-purpose rules for specific protocols.
The needs and recommended practices vary significantly between industries for any given protocol and
should be analyzed on an organization-by-organization basis. The Industrial Automation Open Networking
Association (IAONA) offers a template for conducting such an analysis [37], assessing each of the
protocols commonly found in industrial environments in terms of function, security risk, worst case impact,
and suggested measures. Some of the key points from the IAONA document are summarized in this section.
The reader is advised to consult this document directly when developing rule sets.
5.8.1 Domain Name System (DNS)
Domain Name System (DNS) is primarily used to translate between domain names and IP addresses. For
example, a DNS server could map a domain name such as control.com to an IP address such as 192.168.1.1. Most
Internet services rely heavily on DNS, but its use on the control network is relatively rare at this time. In
most cases there is little reason to allow DNS requests out of the control network to the corporate network
and no reason to allow DNS requests into the control network. DNS requests from the control network to
DMZ should be addressed on a case-by-case basis. Local DNS or the use of host files is recommended.
5.8.2 Hypertext Transfer Protocol (HTTP)
HTTP is the protocol underlying Web browsing services on the Internet. Like DNS, it is critical to most
Internet services. It is seeing increasing use on the plant floor as well, as an all-purpose query tool.
Unfortunately, it has little inherent security, and many HTTP applications have vulnerabilities that can be
exploited. HTTP can be a transport mechanism for many manually performed attacks and automated
worms.
In general, HTTP should not be allowed to cross from the public/corporate to the control network.
If web-based technologies are absolutely required, the following best practices should be applied:
• Control access to web-based services on the physical or network layer using white-listing;
• Apply access control to both source and destination;
• Implement authorization to access the service on the application layer (instead of physical or network-
layer checks);
• Implement service using only the necessary technologies (e.g., scripts are used only if they are
required);
• Check service according to known application security practices;
• Log all attempts to use the service; and
• Use HTTPS rather than HTTP, and only for specific authorized devices.
5.8.3 FTP and Trivial File Transfer Protocol (TFTP)
FTP and Trivial File Transfer Protocol (TFTP) are used for transferring files between devices. They are
implemented on almost every platform including many SCADA systems, DCS, PLCs, and RTUs, because
they are very well known and use minimum processing power. Unfortunately, neither protocol was created
with security in mind; for FTP, the login password is not encrypted, and for TFTP, no login is required at
all. Furthermore, some FTP implementations have a history of buffer overflow vulnerabilities. As a result,
all TFTP communications should be blocked, while FTP communications should be allowed for outbound
sessions only or if secured with additional token-based multi-factor authentication and an encrypted tunnel.
More secure protocols, such as Secure FTP (SFTP) or Secure Copy (SCP), should be employed whenever
possible.
5.8.4 Telnet
The telnet protocol defines an interactive, text-based communications session between a client and a host. It
is used mainly for remote login and simple control services to systems with limited resources or to systems
with limited needs for security. It is a severe security risk because all telnet traffic, including passwords, is
unencrypted, and it can allow a remote individual considerable control over a device. It is recommended to
use the Secure Shell (SSH) protocol [5.8.6] for remote administration. Inbound telnet
sessions from the corporate to the control network should be prohibited unless secured with token-based
multi-factor authentication and an encrypted tunnel. Outbound telnet sessions should be allowed only over
encrypted tunnels (e.g., VPN) to specific authorized devices.
5.8.5 Dynamic Host Configuration Protocol (DHCP)
DHCP is used on IP networks for dynamically distributing network configuration parameters, such as IP
addresses for interfaces and services. The base DHCP includes no mechanism for authenticating servers
and clients. Rogue DHCP servers can provide incorrect information to clients. Unauthorized clients can
gain access to the server and exhaust the available resources (e.g., IP addresses). To prevent this, it is
recommended to use static configuration instead of dynamic address allocation, which should be the typical
configuration for ICS devices. If dynamic allocation is necessary, it is recommended to enable DHCP
snooping to defend against rogue DHCP servers, Address Resolution Protocol (ARP) and IP spoofing. The
DHCP servers should be placed in the same network segment as configured equipment (e.g., on the router).
DHCP relaying is not recommended.
5.8.6 Secure Shell (SSH)
SSH allows remote access to a device. It provides secure authentication and authorization based on
cryptography. If remote access is required to the control network, SSH is recommended as the alternative to
telnet, rlogin, rsh, rcp and other insecure remote access tools.
5.8.7 Simple Object Access Protocol (SOAP)
SOAP is an XML-based format for exchanging messages. Traffic flows related to SOAP-based
services should be controlled at the firewall between corporate and ICS network segments. If these services
are necessary, deep-packet inspection and/or application layer firewalls should be used to restrict the
contents of messages.
5.8.8 Simple Mail Transfer Protocol (SMTP)
SMTP is the primary email transfer protocol on the Internet. Email messages often contain malware, so
inbound email should not be allowed to any control network device. Outbound SMTP mail messages from
the control network to the corporate network are acceptable to send alert messages.
5.8.9 Simple Network Management Protocol (SNMP)
SNMP is used to provide network management services between a central management console and
network devices such as routers, printers, and PLCs. Although SNMP is an extremely useful service for
maintaining a network, it is very weak in security. Versions 1 and 2 of SNMP use unencrypted passwords
to both read and configure devices (including devices such as PLCs), and in many cases the passwords are
well known and cannot be changed. Version 3 is considerably more secure but is still limited in use. SNMP
V1 & V2 commands both to and from the control network should be prohibited unless they are over a
separate, secured management network, whereas SNMP V3 commands may be sent to the ICS
using the security features inherent to V3.
5.8.10 Distributed Component Object Model (DCOM)
DCOM is the underlying protocol for OLE for Process Control (OPC). It utilizes Microsoft’s Remote
Procedure Call (RPC) service which, when not patched, has many vulnerabilities. These vulnerabilities
were the basis for the Blaster worm exploits (see footnote 27). In addition, OPC, which utilizes DCOM, dynamically opens
a wide range of ports (1024 to 65535) that can be extremely difficult to filter at the firewall. This protocol
should only be allowed between control network and DMZ networks and explicitly blocked between the
DMZ and corporate network. Also, users are advised to restrict the port ranges used by making registry
modifications on devices using DCOM.
5.8.11 SCADA and Industrial Protocols
SCADA and industrial protocols, such as Modbus/TCP, EtherNet/IP, IEC 61850, ICCP and DNP3 (see footnote 28), are
critical for communications to most control devices. Unfortunately, many of these protocols were designed
without security built in and do not typically require any authentication to remotely execute commands on a
control device. These protocols should only be allowed within the control network and not allowed to cross
into the corporate network.
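To make the protocol-by-protocol guidance above checkable against a proposed rule set, here is an added example (not NIST's text, and not any firewall vendor's rule base) that encodes sections 5.8.1 through 5.8.11 as a zone-to-zone flow check; the zone names, the Flow fields and the default-deny fallback for unlisted cross-zone flows are assumptions.

```python
"""Zone-to-zone flow check modelled on the protocol guidance in section 5.8.
Added example, not text or code from NIST or any firewall product; the zone
names, the Flow fields and the default-deny rule are assumptions."""
from dataclasses import dataclass

CONTROL, DMZ, CORP = "control", "dmz", "corporate"
# SCADA/industrial protocols named in 5.8.11
ICS_PROTOCOLS = {"modbus-tcp", "ethernet-ip", "iec61850", "iccp", "dnp3"}


@dataclass(frozen=True)
class Flow:
    src: str                 # source zone
    dst: str                 # destination zone
    service: str             # e.g. "ftp", "telnet", "snmpv2", "dcom"
    mfa: bool = False        # token-based multi-factor authentication in place
    tunnel: bool = False     # session carried inside an encrypted tunnel (VPN)
    mgmt_net: bool = False   # carried over a separate, secured management network


def evaluate(f: Flow) -> tuple:
    """Return (verdict, reason) with verdict 'allow', 'deny' or 'review'."""
    s = f.service
    inbound = f.dst == CONTROL and f.src != CONTROL    # enters the control network
    outbound = f.src == CONTROL and f.dst != CONTROL   # leaves the control network
    crosses = f.src != f.dst
    if s == "tftp":
        return "deny", "5.8.3: all TFTP communications should be blocked"
    if s == "dns" and inbound:
        return "deny", "5.8.1: no reason to allow DNS into the control network"
    if s == "dns" and outbound:
        if f.dst == DMZ:
            return "review", "5.8.1: control-to-DMZ DNS is decided case by case"
        return "deny", "5.8.1: little reason to allow DNS out to corporate"
    if s == "http" and f.src == CORP and f.dst == CONTROL:
        return "deny", "5.8.2: HTTP should not cross from corporate to control"
    if s == "https" and inbound:
        return "review", "5.8.2: HTTPS only for specific authorized devices"
    if s == "ftp" and outbound:
        return "allow", "5.8.3: FTP is allowed for outbound sessions"
    if s == "ftp" and inbound:
        ok = f.mfa and f.tunnel
        return ("allow" if ok else "deny"), "5.8.3: inbound FTP needs MFA and a tunnel"
    if s == "telnet" and inbound:
        ok = f.mfa and f.tunnel
        return ("allow" if ok else "deny"), "5.8.4: inbound telnet needs MFA and a tunnel"
    if s == "telnet" and outbound:
        ok = f.tunnel
        return ("allow" if ok else "deny"), "5.8.4: outbound telnet only over a tunnel"
    if s == "ssh" and crosses:
        return "allow", "5.8.6: SSH is the recommended remote access protocol"
    if s == "soap" and crosses:
        return "review", "5.8.7: SOAP needs DPI or an application-layer firewall"
    if s == "smtp" and inbound:
        return "deny", "5.8.8: no inbound email to control network devices"
    if s == "smtp" and outbound and f.dst == CORP:
        return "allow", "5.8.8: outbound SMTP alerts to corporate are acceptable"
    if s in ("snmpv1", "snmpv2") and (inbound or outbound):
        ok = f.mgmt_net
        return ("allow" if ok else "deny"), "5.8.9: SNMP v1/v2 only on a secured mgmt network"
    if s == "snmpv3" and (inbound or outbound):
        return "allow", "5.8.9: SNMPv3 may rely on its inherent security features"
    if s == "dcom" and {f.src, f.dst} == {CONTROL, DMZ}:
        return "allow", "5.8.10: DCOM is permitted only between control and DMZ"
    if s == "dcom" and crosses:
        return "deny", "5.8.10: DCOM is explicitly blocked toward corporate"
    if s in ICS_PROTOCOLS and crosses:
        return "deny", "5.8.11: industrial protocols stay inside the control network"
    if not crosses:
        return "allow", "intra-zone traffic: no firewall boundary is crossed"
    return "deny", "default deny (assumption: unlisted cross-zone flows are blocked)"


def audit(flows):
    """Group a proposed rule set by verdict so reviewers see what needs attention."""
    report = {"allow": [], "deny": [], "review": []}
    for f in flows:
        verdict, reason = evaluate(f)
        report[verdict].append((f, reason))
    return report


if __name__ == "__main__":
    proposed = [Flow(CORP, CONTROL, "telnet"), Flow(CONTROL, CORP, "smtp"),
                Flow(CONTROL, CORP, "modbus-tcp"), Flow(CONTROL, DMZ, "dns")]
    for verdict, items in audit(proposed).items():
        for f, reason in items:
            print(f"{verdict:6} {f.src}->{f.dst} {f.service}: {reason}")
```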
5.9 Network Address Translation (NAT)
Network address translation (NAT) is a service where IP addresses used on one side of a network device
can be mapped to a different set on the other side on an as-needed basis. It was originally designed for IP
address reduction purposes so that an organization with a large number of devices that occasionally needed
Internet access could get by with a smaller set of assigned Internet addresses.
To do this, most NAT implementations rely on the premise that not every internal device is actively
communicating with external hosts at a given moment. The firewall is configured to have a limited number
of outwardly visible IP addresses. When an internal host seeks to communicate with an external host, the
firewall remaps the internal IP address and port to one of the currently unused, more limited, public IP
addresses, effectively concentrating outgoing traffic into fewer IP addresses. The firewall must track the
state of each connection and how each private internal IP address and source port was remapped onto an
outwardly visible IP address/port pair. When returning traffic reaches the firewall, the mapping is reversed
and the packets forwarded to the proper internal host.
For example, a control network device may need to establish a connection with an external, non-control
network host (for instance, to send a critical alert email). NAT allows the internal IP address of the
initiating control network host to be replaced by the firewall; subsequent return traffic packets are
remapped back to the internal IP address and sent to the appropriate control network device. More
specifically, if the control network is assigned the private subnet 192.168.1.xxx and the Internet network
expects the device to use the corporate assigned addresses in the range 192.6.yyy.zzz, then a NAT firewall
will substitute (and track) a 192.6.yyy.zzz source address into every outbound IP packet generated by a
control network device.
Producer-consumer protocols, such as EtherNet/IP and Foundation Fieldbus, are particularly troublesome
because NAT does not support the multicast-based traffic that these protocols need to offer their full
services.
27 http://en.wikipedia.org/wiki/Blaster_%28computer_worm%29
28 IEEE 1815-2012, IEEE Standard for Electric Power Systems Communications—Distributed Network Protocol
(DNP3), incorporates DNP3 Secure Authentication version 5 (DNP3-SAv5) which provides strong application
layer authentication with remote security credential management. See
https://standards.ieee.org/findstds/standard/1815-2012.html.
In general, while NAT offers some distinct advantages, its impact on the actual industrial protocols and
configuration should be assessed carefully before it is deployed. Furthermore, certain protocols are
specifically broken by NAT because of the lack of direct addressing. For example, OPC requires special
third-party tunneling software to work with NAT.
5.10 Specific ICS Firewall Issues
In addition to the issues with firewalls and ICS already discussed, there are some additional problems that
need to be examined in more detail. The rest of this section discusses three specific areas of concern: the
placement of data historians, remote access for ICS support, and multicast traffic.
5.10.1 Data Historians
The existence of shared control network/corporate network servers such as data historians and asset
management servers can have a significant impact on firewall design and configuration. In three-zone
systems the placement of these servers in a DMZ is relatively straightforward, but in two-zone designs the
issues become complex. Placing the historian on the corporate side of the firewall means that a number of
insecure protocols, such as Modbus/TCP or DCOM, must be allowed through the firewall and that every
control device reporting to the historian is exposed to the corporate side of the network. On the other hand,
putting the historian on the control network side means other equally questionable protocols, such as HTTP
or SQL, must be allowed through the firewall, and there is now a server accessible to nearly everyone in the
organization sitting on the control network.
In general, the best solution is to avoid two-zone systems (no DMZ) and use a three-zone design, placing
the data collector in the control network and the historian component in the DMZ.
5.10.2 Remote Support Access
Another issue for ICS firewall design is user and/or vendor remote access into the control network. Any
users accessing the control network from remote networks should be required to authenticate using an
appropriately strong mechanism such as token-based authentication. While it is possible for the controls
group to set up their own remote access system with multi-factor authentication on the DMZ, in most
organizations it is typically more efficient to use existing systems set up by the IT department. In this case a
connection through the firewall from the IT remote access server is needed.
Remote support personnel connecting over the Internet or via dialup modems should use an encrypted
protocol, such as running a corporate VPN connection client, application server, or secure HTTP access,
and authenticate using a strong mechanism, such as a token based multi-factor authentication scheme, in
order to connect to the general corporate network. Once connected, they should be required to authenticate
a second time at the control network firewall using a strong mechanism, such as a token based multi-factor
authentication scheme, to gain access to the control network. Proxy servers can also provide additional
capabilities for securing remote support access.
5.10.3 Multicast Traffic
Most industrial producer-consumer (or publisher-subscriber) protocols operating over Ethernet, such as
EtherNet/IP and Foundation Fieldbus HSE, are IP multicast-based. The first advantage of IP multicasting is
network efficiency; by not repeating the data transmission to the multiple destinations, a significant
reduction in network load can occur. The second advantage is that the sending host need not be concerned
with knowing every IP address of every destination host listening for the broadcast information. The third,
and perhaps most important for industrial control purposes, is that a single multicast message offers
far better capabilities for time synchronization between multiple control devices than multiple unicast
messages.
If the source and destinations of a multicast packet are connected with no intervening routers or firewalls
between them, the multicast transmission is relatively seamless. However, if the source and destinations are
not on the same LAN, forwarding the multicast messages to a destination becomes more complicated. To
solve the problem of multicast message routing, hosts need to join (or leave) a group by informing the
multicast router on their network of the relevant group ID through the use of the Internet Group
Management Protocol (IGMP). Multicast routers subsequently know of the members of multicast groups
on their network and can decide whether or not to forward a received multicast message onto their network.
A multicast routing protocol is also required. From a firewall administration perspective, monitoring and
filtering IGMP traffic becomes another series of rule sets to manage, adding to the complexity of the
firewall.
Another firewall issue related to multicasting is the use of NAT. A firewall performing NAT that receives a
multicast packet from an external host has no reverse mapping for which internal group ID should receive
the data. If IGMP-aware, it could broadcast it to every group ID it knows about, because one of them will
be correct, but this could cause serious issues if an unintended control packet were broadcast to a critical
node. The safest action for the firewall to take is to drop the packet. Thus, multicasting is generally
considered NAT-unfriendly.
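As an added example covering both the stateful remapping described in section 5.9 and the multicast case in 5.10.3 (not NIST's text or any firewall's code), the following keeps a NAT binding table for outbound control network traffic and drops inbound packets it cannot reverse-map; the concrete addresses are constructed within the page's 192.168.1.xxx and 192.6.yyy.zzz ranges, with 198.51.100.0/24 standing in for the outside network.

```python
"""Stateful NAT table of the kind section 5.9 describes, with the unsolicited
and multicast inbound cases from 5.10.3. Added example, not NIST's text or any
firewall's code; the addresses are constructed inside the page's 192.168.1.xxx
(control) and 192.6.yyy.zzz (corporate) ranges, 198.51.100.0/24 is external."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NatFirewall:
    def __init__(self, public_ips, first_port=40000):
        self.public_ips = list(public_ips)   # the few outwardly visible addresses
        self.first_port = first_port
        # (internal ip, port, proto) -> (public ip, port)
        self.outbound = {}
        # (public ip, port, proto) -> (internal ip, port, external ip, port)
        self.inbound = {}

    def _allocate(self):
        # Spread new bindings across the public pool; each public (ip, port)
        # pair is handed out once so the reverse mapping stays unambiguous.
        n = len(self.outbound)
        pub_ip = self.public_ips[n % len(self.public_ips)]
        return pub_ip, self.first_port + n // len(self.public_ips)

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Rewrite the source of a packet leaving the control network, recording state."""
        key = (pkt.src_ip, pkt.src_port, pkt.proto)
        if key not in self.outbound:
            pub_ip, pub_port = self._allocate()
            self.outbound[key] = (pub_ip, pub_port)
            self.inbound[(pub_ip, pub_port, pkt.proto)] = (
                pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        pub_ip, pub_port = self.outbound[key]
        return Packet(pub_ip, pub_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Reverse the mapping for return traffic; None means the firewall drops it."""
        # 5.10.3: a multicast destination has no reverse mapping to an internal
        # group, and guessing could deliver a control packet to a critical node.
        if ipaddress.ip_address(pkt.dst_ip).is_multicast:
            return None
        state = self.inbound.get((pkt.dst_ip, pkt.dst_port, pkt.proto))
        if state is None:
            return None   # nothing inside initiated this: drop
        int_ip, int_port, ext_ip, ext_port = state
        if (pkt.src_ip, pkt.src_port) != (ext_ip, ext_port):
            return None   # reply from a host the internal device never contacted
        return Packet(pkt.src_ip, pkt.src_port, int_ip, int_port, pkt.proto)


if __name__ == "__main__":
    fw = NatFirewall(["192.6.20.30"])
    # A control network device sends a critical alert email to an external relay.
    out = fw.translate_outbound(Packet("192.168.1.10", 51000, "198.51.100.25", 25))
    print("outbound as seen externally:", out)
    print("reply delivered to:", fw.translate_inbound(
        Packet("198.51.100.25", 25, out.src_ip, out.src_port)))
    print("multicast from outside:", fw.translate_inbound(
        Packet("198.51.100.7", 2222, "239.192.1.1", 2222, "udp")))
```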
5.11 Unidirectional Gateways
Hardware-enforced unidirectional gateways (e.g., data diodes) are increasingly deployed at the boundary
between ICS and IT networks, as well as between Safety Instrumented System networks and control
networks. Unidirectional gateways are a combination of hardware and software. The hardware permits data
to flow from one network to another, but is physically unable to send any information at all back into the
source network. The software replicates databases and emulates protocol servers and devices.
5.12 Single Points of Failure
Single points of failure can exist at any level of the ANSI/ISO stack. An example is PLC control of safety
interlocks. Because security is usually being added to the ICS environment, an evaluation should be done to
identify potential failure points and a risk assessment done to evaluate each point’s exposure. Remediation
methods can then be proposed and evaluated, a “risk versus reward” determination made, and the design
and implementation carried out.
5.13 Redundancy and Fault Tolerance
ICS components or networks that are classified as critical to the organization have high availability
requirements. One method of achieving high availability is through the use of redundancy. Additionally, if
a component fails, it should fail in a manner that does not generate unnecessary traffic on the ICS, or does
not cause another problem elsewhere, such as a cascading event.
The control system should have the ability to execute an appropriate fail-safe process upon the loss of
communications with the ICS or the loss of the ICS itself. The organization should define what "loss of
communications" means (e.g., 500 milliseconds, 5 seconds, 5 minutes, etc. without communications). The
organization should then, based on potential consequences, define the appropriate fail-safe process for their
industry.
SP800-82 第2版 産業用制御システム(ICS)セキュリティガイド
120
3ã¤ç›®ã¯ã€ãŠãらã産業用制御目的ã§ã¯æœ€ã‚‚é‡è¦ã¨æ€ã‚れるãŒã€è¤‡æ•°åˆ¶å¾¡ãƒ‡ãƒã‚¤ã‚¹é–“ã®æ™‚é–“åŒæœŸã«
ã¨ã£ã¦ã€1ã¤ã®ãƒžãƒ«ãƒã‚­ãƒ£ã‚¹ãƒˆãƒ¡ãƒƒã‚»ãƒ¼ã‚¸ã®æ–¹ãŒè¤‡æ•°ã®ãƒ¦ãƒ‹ã‚­ãƒ£ã‚¹ãƒˆãƒ¡ãƒƒã‚»ãƒ¼ã‚¸ã‚ˆã‚Šã‚‚ã¯ã‚‹ã‹ã«å„ª
ã‚Œã¦ã„ã‚‹ã“ã¨ã§ã‚る。
マルãƒã‚­ãƒ£ã‚¹ãƒˆãƒ‘ケットã®ã‚½ãƒ¼ã‚¹ã¨å®›å…ˆãŒä»²ä»‹ãƒ«ãƒ¼ã‚¿ã‚„ファイアウォールãªã—ã§æŽ¥ç¶šã•ã‚Œã¦ã„ã‚‹å ´
åˆã€ãƒžãƒ«ãƒã‚­ãƒ£ã‚¹ãƒˆé€ä¿¡ã¯ç›¸å¯¾çš„ã«ã‚·ãƒ¼ãƒ ãƒ¬ã‚¹ã§ã‚る。ãŸã ã—ã€ã‚½ãƒ¼ã‚¹ã¨å®›å…ˆãŒåŒã˜ LAN 上ã«ãª
ã„å ´åˆã€ãƒžãƒ«ãƒã‚­ãƒ£ã‚¹ãƒˆãƒ¡ãƒƒã‚»ãƒ¼ã‚¸ã®å®›å…ˆè»¢é€ã¯è¤‡é›‘ã«ãªã‚‹ã€‚マルãƒã‚­ãƒ£ã‚¹ãƒˆãƒ¡ãƒƒã‚»ãƒ¼ã‚¸ãƒ«ãƒ¼ãƒ†ã‚£
ングã®å•é¡Œã‚’解決ã™ã‚‹ã«ã¯ã€å„ホスト㌠1ã¤ã®ã‚°ãƒ«ãƒ¼ãƒ—ã«åŠ å…¥ï¼ˆåˆã¯é›¢è„±ï¼‰ã™ã‚‹ã“ã¨ã§ã‚る。ã“ã‚Œ
ã‚’è¡Œã†ã«å„ホストã®ãƒãƒƒãƒˆãƒ¯ãƒ¼ã‚¯ä¸Šã®ãƒžãƒ«ãƒã‚­ãƒ£ã‚¹ãƒˆãƒ«ãƒ¼ã‚¿ã«ã€ã‚¤ãƒ³ã‚¿ãƒ¼ãƒãƒƒãƒˆã‚°ãƒ«ãƒ¼ãƒ—管ç†ãƒ—ロ
トコル(IGMP)を介ã—ã¦ã€å½“該グループ ID を通知ã™ã‚‹ã€‚å„マルãƒã‚­ãƒ£ã‚¹ãƒˆãƒ«ãƒ¼ã‚¿ã¯ã€ãã‚Œãžã‚Œã®
ãƒãƒƒãƒˆãƒ¯ãƒ¼ã‚¯ä¸Šã®ãƒžãƒ«ãƒã‚­ãƒ£ã‚¹ãƒˆã‚°ãƒ«ãƒ¼ãƒ—メンãƒãƒ¼ã«ã¤ã„ã¦çŸ¥ã‚Šã€å—ä¿¡ã—ãŸãƒžãƒ«ãƒã‚­ãƒ£ã‚¹ãƒˆãƒ¡ãƒƒã‚»
ージをãƒãƒƒãƒˆãƒ¯ãƒ¼ã‚¯ã«è»¢é€ã™ã‚‹ã‹ã©ã†ã‹ã‚’決定ã™ã‚‹ã€‚マルãƒã‚­ãƒ£ã‚¹ãƒˆãƒ«ãƒ¼ãƒ†ã‚£ãƒ³ã‚°ãƒ—ロトコルも必
è¦ã¨ãªã‚‹ã€‚ファイアウォール管ç†ã®è¦³ç‚¹ã‹ã‚‰ã™ã‚Œã°ã€IGMP トラフィックã®ç›£è¦–åŠã³ãƒ•ã‚£ãƒ«ã‚¿ãƒªãƒ³
ã‚°ã¯ã€ç®¡ç†ã™ã¹ã別ã®ãƒ«ãƒ¼ãƒ«ã‚»ãƒƒãƒˆã¨ãªã‚Šã€ãƒ•ã‚¡ã‚¤ã‚¢ã‚¦ã‚©ãƒ¼ãƒ«ã‚’ã„ã£ãã†è¤‡é›‘ã«ã™ã‚‹ã€‚
マルãƒã‚­ãƒ£ã‚¹ãƒ†ã‚£ãƒ³ã‚°ã«é–¢é€£ã—ãŸåˆ¥ã®ãƒ•ã‚¡ã‚¤ã‚¢ã‚¦ã‚©ãƒ¼ãƒ«ã®å•é¡Œã¯ NAT ã®ä½¿ç”¨ã§ã‚る。NAT を実行
ã™ã‚‹ãƒ•ã‚¡ã‚¤ã‚¢ã‚¦ã‚©ãƒ¼ãƒ«ã§ã€å¤–部ホストã‹ã‚‰ã®ãƒžãƒ«ãƒã‚­ãƒ£ã‚¹ãƒˆãƒ‘ケットをå—ä¿¡ã™ã‚‹ã‚‚ã®ã«ã¯ãƒªãƒãƒ¼ã‚¹
マッピングãŒãªãã€ã“ã‚Œã«ã¤ã„ã¦ã¯å†…部グループ ID ãŒãƒ‡ãƒ¼ã‚¿ã‚’å—ä¿¡ã™ã¹ãã§ã‚る。IGMP ãŒèªè­˜ã—
ã¦ã„ã‚Œã°ã€æ—¢çŸ¥ã®ã‚°ãƒ«ãƒ¼ãƒ— ID å…¨ã¦ã«ãƒ–ロードキャストã™ã‚‹ã€‚ãã®ç†ç”±ã¯ã€ãã®ã†ã¡ã® 1ã¤ãŒæ­£ã—ã
ã¦ã‚‚ã€æ„図ã—ãªã„制御パケットãŒé‡è¦ãƒŽãƒ¼ãƒ‰ã«ãƒ–ロードキャストã•ã‚Œã‚‹ã¨ã€å¤§ããªå•é¡Œã«ãªã‚‹å¯èƒ½
性ãŒã‚ã‚‹ã‹ã‚‰ã§ã‚る。ファイアウォールãŒå–り得る最も安全ãªç­–ã¯ã€ãƒ‘ケットをドロップã™ã‚‹ã“ã¨
ã§ã‚る。よã£ã¦ã€ãƒžãƒ«ãƒã‚­ãƒ£ã‚¹ãƒ†ã‚£ãƒ³ã‚°ã¯ç·ã˜ã¦ NAT ã¨ç›¸æ€§ãŒæ‚ªã„ã¨ã¿ãªã•ã‚Œã‚‹ã€‚
5.11 å˜æ–¹å‘性ゲートウェイ
ãƒãƒ¼ãƒ‰ã‚¦ã‚¨ã‚¢ã§å¼·åˆ¶ã™ã‚‹å˜æ–¹å‘性ゲートウェイ(データダイオード等)ã¯ã€ICS ãƒãƒƒãƒˆãƒ¯ãƒ¼ã‚¯ã¨
IT ãƒãƒƒãƒˆãƒ¯ãƒ¼ã‚¯é–“ã‚„ã€å®‰å…¨è¨ˆè£…システムãƒãƒƒãƒˆãƒ¯ãƒ¼ã‚¯ã¨åˆ¶å¾¡ãƒãƒƒãƒˆãƒ¯ãƒ¼ã‚¯é–“ã®å¢ƒç•Œã«ã¾ã™ã¾ã™å±•
é–‹ã•ã‚Œã‚‹ã‚ˆã†ã«ãªã£ã¦ããŸã€‚å˜æ–¹å‘性ゲートウェイã¯ãƒãƒ¼ãƒ‰ã‚¦ã‚¨ã‚¢ã¨ã‚½ãƒ•ãƒˆã‚¦ã‚¨ã‚¢ã‚’組ã¿åˆã‚ã›
ãŸã‚‚ã®ã§ã‚る。ãƒãƒ¼ãƒ‰ã‚¦ã‚¨ã‚¢ã¯ãƒ‡ãƒ¼ã‚¿ãŒä¸€æ–¹ã®ãƒãƒƒãƒˆãƒ¯ãƒ¼ã‚¯ã‹ã‚‰ä»–æ–¹ã®ãƒãƒƒãƒˆãƒ¯ãƒ¼ã‚¯ã¸æµã‚Œã‚‹ã®
を許å¯ã™ã‚‹ãŒã€ã‚½ãƒ¼ã‚¹ãƒãƒƒãƒˆãƒ¯ãƒ¼ã‚¯ã«æƒ…報を返ã™ã“ã¨ã¯ç‰©ç†çš„ã«ä¸å¯èƒ½ã§ã‚る。ソフトウエアã¯
データベースを複製ã—ã¦ã€ãƒ—ロトコルサーãƒåŠã³ãƒ‡ãƒã‚¤ã‚¹ã‚’エミュレートã™ã‚‹ã€‚
5.12 å˜ä¸€éšœå®³ç‚¹
å˜ä¸€éšœå®³ç‚¹ã¯ã€ANSI/ISO スタックã®ã©ã®ãƒ¬ãƒ™ãƒ«ã«ã‚‚ã‚る。一例ã¯å®‰å…¨ã‚¤ãƒ³ã‚¿ãƒ¼ãƒ­ãƒƒã‚¯ã® PLC 制
御ã§ã‚る。セキュリティã¯é€šå¸¸ ICS 環境ã«è¿½åŠ ã•ã‚Œã¦ã„ãã‚‚ã®ãªã®ã§ã€è©•ä¾¡ã‚’è¡Œã£ã¦éšœå®³ã¨ãªã‚Š
得る点を明らã‹ã«ã—ã€ãƒªã‚¹ã‚¯è©•ä¾¡ã‚’è¡Œã£ã¦å„点ã®ã‚¨ã‚¯ã‚¹ãƒãƒ¼ã‚¸ãƒ£ã‚’査定ã™ã‚‹ã€‚
次ã„ã§å¯¾å‡¦æ–¹æ³•ã‚’想定ã—ã¦è©•ä¾¡ã—ã€ã€Œãƒªã‚¹ã‚¯å¯¾å ±é…¬ã€ã‚’判定ã—ã€è¨­è¨ˆãƒ»å®Ÿè£…ã‚’è¡Œã†ã€‚
5.13 Redundancy and Fault Tolerance
ICS components or networks classified as critical to the organization carry high availability requirements. One way to achieve high availability is redundancy. In addition, when a component fails, it should fail in a way that does not generate unnecessary traffic on the ICS and does not cause another problem elsewhere, such as a cascading event.
The control system should have the ability to execute an appropriate fail-safe process upon loss of communications with the ICS, or loss of the ICS itself. The organization should define what "loss of communications" means (e.g., 500 milliseconds, 5 seconds, or 5 minutes without communication) and should then, based on the potential consequences, define the fail-safe process appropriate for its industry.
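The "define the timeout, then execute a fail-safe process" guidance above, as an added example that is not part of the publication: a communications-loss watchdog that applies an organization-defined threshold, runs the fail-safe action exactly once, and latches until an operator resets it so that a flapping link does not generate extra traffic or repeated actions on the ICS. The 5-second threshold, the peer name "plc-1", the valve stand-in and the manual-reset behaviour are assumptions made for this illustration.

```python
# Added example (not from NIST SP 800-82): communications-loss watchdog with a
# latching fail-safe action. Threshold, peer name and reset policy are assumptions.

class CommsWatchdog:
    """Tracks the last valid message from a peer and decides when to fail safe."""

    def __init__(self, peer, timeout_s, now, failsafe_action):
        self.peer = peer
        self.timeout_s = timeout_s       # the organization's definition of "loss of comms"
        self.last_seen = now             # start-up counts as a fresh heartbeat
        self.failsafe_action = failsafe_action
        self.latched = False             # once tripped, stays tripped until reset
        self.log = []

    def heartbeat(self, now):
        """Call for every valid, authenticated message received from the peer."""
        self.last_seen = now

    def check(self, now):
        """Evaluate at time `now`: 'normal', 'failsafe' (just tripped) or 'latched'."""
        if self.latched:
            return "latched"             # do not re-run the action or spam the network
        if now - self.last_seen > self.timeout_s:
            self.latched = True
            self.log.append(("failsafe", now, self.failsafe_action()))
            return "failsafe"
        return "normal"

    def operator_reset(self, now):
        """Manual reset, permitted only once communications are demonstrably back."""
        if now - self.last_seen <= self.timeout_s:
            self.latched = False
            self.log.append(("reset", now, None))
        return not self.latched


def demo_sequence():
    """Drive the watchdog through an outage and return the observed states and log."""
    def put_valves_in_safe_position():
        return "valves -> safe"          # stand-in for the real fail-safe process (assumed)

    wd = CommsWatchdog("plc-1", timeout_s=5.0, now=0.0,
                       failsafe_action=put_valves_in_safe_position)
    states = []
    for t in (1.0, 3.0):                 # messages arriving normally
        wd.heartbeat(t)
        states.append(wd.check(t))
    states.append(wd.check(7.0))         # 4.0 s since last message: still normal
    states.append(wd.check(8.5))         # 5.5 s since last message: trips
    states.append(wd.check(9.0))         # already latched, action not repeated
    wd.heartbeat(9.5)                    # communications restored
    wd.operator_reset(9.6)               # operator confirms and resets
    states.append(wd.check(10.0))
    return states, wd.log


if __name__ == "__main__":
    print(demo_sequence())
```

The threshold belongs in configuration owned by the people who understand the process; the code only enforces whatever "loss of communications" the organization has defined.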
SPECIAL PUBLICATION 800-82 REVISION 2 GUIDE TO INDUSTRIAL CONTROL SYSTEMS (ICS) SECURITY
121
Backups should be performed using the "backup-in-depth" approach, with layers of backups (e.g., local,
facility, disaster) that are time-sequenced such that rapid recent local backups are available for immediate
use and secure backups are available to recover from a massive security incident. A mixture of
backup/restore approaches and storage methods should be used to ensure that backups are rigorously
produced, securely stored, and appropriately accessible for restoration.
5.14 Preventing Man-in-the-Middle Attacks
A man-in-the-middle attack requires knowledge of the protocol being manipulated. The Address Resolution
Protocol (ARP) man-in-the-middle attack is a popular method for an adversary to gain access to the
network flow of information on a target system. This is performed by attacking the network ARP cache
tables of the controller and the workstation machines. Using the compromised computer on the control
network, the adversary poisons the ARP tables on each host and informs them that they must route all their
traffic through a specific IP and hardware address (i.e., the adversary's machine). By manipulating the ARP
tables, the adversary can insert their machine between the two target machines and/or devices.
The ARP man-in-the-middle attack works by initiating gratuitous ARP commands to confuse each host (i.e.,
ARP poisoning). These ARP commands cause each of the two target hosts to use the MAC address of the
adversary as the address for the other target host. When a successful man-in-the-middle attack is performed,
the hosts on each side of the attack are unaware that their network data is taking a different route through
the adversary's computer.
Once an adversary has successfully inserted their machine into the information stream, they now have full
control over the data communications and could carry out several types of attacks. One possible attack
method is the replay attack. In its simplest form, captured data from the control/HMI is modified to
instantiate activity when received by the device controller. Captured data reflecting normal operations in
the ICS could be played back to the operator as required. This would cause the operator’s HMI to appear to
be normal and the attack will go unobserved. During this replay attack the adversary could continue to send
commands to the controller and/or field devices to cause an undesirable event while the operator is unaware
of the true state of the system.
Another attack that could be carried out with the man-in-the-middle attack is sending false messages to the
operator, and could take the form of a false negative or a false positive. This may cause the operator to take
an action, such as flipping a breaker, when it is not required, or it may cause the operator to think
everything is fine and not take an action when an action is required. The adversary could send commands to
the operator's console indicating a system change, and when the operator follows normal procedures and
attempts to correct the problem, the operator’s action could cause an undesirable event. There are variations
of the modification and replay of control data which could impact the operations of the system.
Protocol manipulation and the man-in-the-middle attack are among the most popular ways to manipulate
insecure protocols, such as those found in control systems. However, there are mitigation techniques [38]
that can be applied to secure the systems through MAC address locking, static tables, encryption,
authentication, and monitoring.
• MAC Address Locking - The ARP man-in-the-middle attack requires the adversary to be connected
to the local network or have control of a local computer on the network. Port security, also called
MAC address locking, is one method to secure the physical connection at the end of each port on a
network switch. High-end corporate class network switches usually have some kind of option for
MAC address locking. MAC address locking is very effective against a rogue individual looking to
physically plug into the internal network. Without port security, any open network jack on the wall
could be used as an avenue onto the corporate network. Port security locks a specific MAC address to
a specific port on a managed switch. If the MAC address does not match, the communication link is
disabled and the intruder will not be able to achieve their goal. Some of the more advanced switches
have an auto resetting option, which will reset the security measure if the original MAC is returned to
the port.
Although port security is not attacker-proof, it adds a layer of security to the physical network. It also protects the local network from employees plugging unpatched, out-of-date systems into the protected network, which reduces the number of target computers a remote adversary can reach. These measures therefore protect against attacks from external networks and add physical protection as well.
• Static Tables – An ICS network that stays relatively static could attempt to implement statically coded
ARP tables. Most operating systems have the capability to statically code all of the MAC addresses
into the ARP table on each computer. Statically coding the ARP tables on each computer prevents the
adversary from changing them by sending ARP reply packets to the victim computer. While this
technique is not feasible on a large and/or dynamic corporate network, the limited number of hosts on
an ICS network could be effectively protected this way.
• Encryption - As a longer-term solution, systems should be designed to include encryption between devices in order to make it very difficult to reverse engineer protocols and forge packets on control system networks. Encrypting the communications between devices makes this attack far harder, but encryption alone does not stop an adversary who can impersonate an endpoint; protocols that also provide strong authentication of both endpoints are what give resilience to man-in-the-middle attacks. The impact of encryption on network and operational performance needs to be considered.
• Authentication - Protocols with strong authentication provide resilience to man-in-the-middle attacks.
• Monitoring - Monitoring for ARP poisoning provides an added layer of defense. There are several
programs available (e.g., ARPwatch) that can monitor for changing MAC addresses through the ARP
packets.
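The "Static Tables" and "Monitoring" mitigations above, as one added example that is not from the publication or from ARPwatch: an ARP-poisoning detector that decodes raw ARP packets, checks each sender claim against an operator-pinned IP-to-MAC table, and reports the two classic poisoning signatures (a binding that flips to a new MAC, and one MAC claiming several IPs, which is what an adversary sitting between an HMI and a PLC looks like). The inventory, addresses and sample frames are constructed for the illustration; a deployment would feed the monitor from a capture (for example a switch SPAN port) rather than from the fabricated packets in SAMPLE_FRAMES.

```python
# Added example (not from NIST SP 800-82): ARP-poisoning detector in the spirit of
# ARPwatch, plus a check against a pinned (static) table. Addresses and frames are
# constructed for the illustration.
import struct
from collections import defaultdict

ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ARP_REPLY = 2


def _mac(b):
    return ":".join(f"{x:02x}" for x in b)


def _ip(b):
    return ".".join(str(x) for x in b)


def parse_arp(payload):
    """Decode a 28-byte Ethernet/IPv4 ARP packet into printable fields."""
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": oper, "sha": _mac(sha), "spa": _ip(spa), "tha": _mac(tha), "tpa": _ip(tpa)}


def build_arp(oper, sha, spa, tha, tpa):
    """Encode a packet; used here only to fabricate sample traffic."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                       bytes.fromhex(sha.replace(":", "")), bytes(int(o) for o in spa.split(".")),
                       bytes.fromhex(tha.replace(":", "")), bytes(int(o) for o in tpa.split(".")))


# Constructed inventory of a small control network (hypothetical addresses).
PINNED = {
    "192.0.2.10": "00:1d:9c:aa:00:10",   # HMI workstation
    "192.0.2.20": "00:1d:9c:aa:00:20",   # PLC
}


class ArpMonitor:
    """Learns IP->MAC bindings from traffic and alerts on changes, like ARPwatch."""

    def __init__(self, pinned=None):
        self.pinned = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
        self.seen = {}                        # IP -> MAC learned from traffic
        self.ips_by_mac = defaultdict(set)    # MAC -> IPs it has claimed

    def observe(self, pkt):
        """Feed one parsed ARP packet's sender fields; return a list of alert strings."""
        ip, mac = pkt["spa"], pkt["sha"].lower()
        if pkt["spa"] == pkt["tpa"]:
            kind = "gratuitous"               # unsolicited announcement, common in poisoning
        else:
            kind = "reply" if pkt["op"] == ARP_REPLY else "request"
        alerts = []
        if ip in self.pinned and self.pinned[ip] != mac:
            alerts.append(f"PINNED-MISMATCH {ip}: pinned {self.pinned[ip]}, claimed {mac} ({kind})")
        if ip in self.seen and self.seen[ip] != mac:
            alerts.append(f"FLIP-FLOP {ip}: {self.seen[ip]} -> {mac} ({kind})")
        self.seen[ip] = mac
        self.ips_by_mac[mac].add(ip)
        if len(self.ips_by_mac[mac]) > 1:
            alerts.append(f"ONE-MAC-MANY-IPS {mac}: {sorted(self.ips_by_mac[mac])}")
        return alerts


HMI, PLC, ATTACKER = "00:1d:9c:aa:00:10", "00:1d:9c:aa:00:20", "00:0c:29:de:ad:01"
SAMPLE_FRAMES = [   # constructed traffic
    build_arp(ARP_REPLY, PLC, "192.0.2.20", HMI, "192.0.2.10"),       # PLC answers the HMI: benign
    build_arp(ARP_REPLY, ATTACKER, "192.0.2.20", HMI, "192.0.2.10"),  # attacker tells the HMI "I am the PLC"
    build_arp(ARP_REPLY, ATTACKER, "192.0.2.10", PLC, "192.0.2.20"),  # attacker tells the PLC "I am the HMI"
]


def arp_demo(frames=SAMPLE_FRAMES, pinned=PINNED):
    """Return the alerts raised for each frame in order."""
    mon = ArpMonitor(pinned)
    return [mon.observe(parse_arp(f)) for f in frames]


if __name__ == "__main__":
    for alerts in arp_demo():
        print(alerts)
```

The pinned table is the detection-side counterpart of statically coded ARP entries on each host: even where a device cannot hold a static table itself, a monitor that knows the intended binding can still raise the alarm the moment a different MAC claims the address.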
5.15 Authentication and Authorization
An ICS may contain a large number of systems, each of which must be accessed by a variety of users. Performing the authentication and authorization of these users presents a challenge to the ICS. Managing these users' accounts can be problematic as employees are added and removed and as their roles change; as the number of systems and users grows, managing these accounts becomes more complicated.
The authentication of a user or system is the process of verifying the claimed identity. Authorization, the process of granting the user access privileges, is determined by applying policy rules to the authenticated identity and other relevant information (see footnote 31). Authorization is enforced by some access control mechanism. The authentication process can be used to control access to both systems (e.g., HMIs, field devices, SCADA servers) and networks (e.g., remote substation LANs).
Authentication and authorization can be performed either in a distributed or centralized approach. With
distributed authentication and authorization, every system performs these steps on their own. Each system
is responsible for storing its own set of user accounts, credentials, and roles and performing the
identification and authentication of the user. This approach typically does not require any additional
infrastructure. However, this approach is problematic in that it does not scale well as the size of the system
increases. For example, if a user leaves the organization, the corresponding user account must be removed
from each system individually.
In contrast to the distributed approach, centralized authentication and authorization systems are commonly used to manage larger numbers of users and accounts. A centralized approach uses a central authentication system (e.g., Microsoft Active Directory or a Lightweight Directory Access Protocol (LDAP) directory) to store all accounts and manage the authentication and authorization of all individuals and systems. An authentication protocol (e.g., Kerberos, RADIUS, TACACS+) is then used to communicate between the authentication server and the system performing authentication.
While a centralized approach provides substantially improved scalability, it also presents numerous
additional concerns that may impact its use in ICS environments. The following considerations apply:
• Authentication servers create a single system that is responsible for managing all system accounts and must be highly secured.
• The authentication server requires high availability because its failure may prevent users from authenticating to a system during an emergency. Redundancy may be required.
• Some clients may cache user credentials locally to ensure that users can still be authenticated in the absence of the server. Caching may only be available for users that have recently authenticated. Caching also introduces complications for revocation.
• Networks used to support the authentication protocol must be reliable and secure to ensure authentication attempts are not hindered.
31 In general, authorization to perform a set of operations is determined by evaluating attributes associated with the subject, object, requested operations, and, in some cases, environment conditions against policy, rules, or relationships that describe the allowable operations for a given set of attributes. For further information see NIST SP 800-162, Guide to Attribute Based Access Control (ABAC) Definition and Considerations, at http://nvlpubs.nist.gov/nistpubs/specialpublications/NIST.sp.800-162.pdf
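The credential-caching trade-off in the considerations above, as an added example that is not from the publication: a client that caches credentials keeps an operator able to log in while the central server is unreachable, but an account revoked centrally during the outage keeps working from the cache until the entry expires or the server answers again, and a user who never authenticated before the outage is locked out. The toy server, client, user name, password and TTL are constructed for the illustration; a real deployment would use Kerberos, RADIUS or TACACS+ against a directory rather than this stand-in server.

```python
# Added example (not from NIST SP 800-82): centralized authentication with a local
# credential cache, showing the availability benefit and the revocation gap.
# Server, client, user, password and TTL are constructed for the illustration.
import hashlib
import hmac
import os


def _kdf(password, salt):
    """Slow, salted hash so that a stolen cache is not a plaintext password store."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class AuthServer:
    """Stand-in for the central account store (e.g., a directory service)."""

    def __init__(self):
        self._users = {}        # username -> (salt, digest)
        self.reachable = True

    def add_user(self, name, password):
        salt = os.urandom(16)
        self._users[name] = (salt, _kdf(password, salt))

    def revoke(self, name):
        self._users.pop(name, None)

    def verify(self, name, password):
        if not self.reachable:
            raise ConnectionError("authentication server unreachable")
        rec = self._users.get(name)
        if rec is None:
            return False
        return hmac.compare_digest(_kdf(password, rec[0]), rec[1])


class CachingClient:
    """ICS host that falls back to cached credentials when the server is down."""

    def __init__(self, server, cache_ttl_s):
        self.server = server
        self.cache_ttl_s = cache_ttl_s
        self._cache = {}        # username -> (salt, digest, expires_at)

    def login(self, name, password, now):
        """Return (source, accepted) where source is 'server' or 'cache'."""
        try:
            accepted = self.server.verify(name, password)
        except ConnectionError:
            rec = self._cache.get(name)
            if rec is None or now >= rec[2]:
                return ("cache", False)         # never cached, or entry expired
            return ("cache", hmac.compare_digest(_kdf(password, rec[0]), rec[1]))
        if accepted:
            salt = os.urandom(16)
            self._cache[name] = (salt, _kdf(password, salt), now + self.cache_ttl_s)
        else:
            self._cache.pop(name, None)         # the server's answer is authoritative
        return ("server", accepted)


def revocation_gap_scenario(ttl_s=3600):
    """Walk through an outage plus a revocation; return each login outcome in order."""
    server = AuthServer()
    server.add_user("operator", "correct horse battery staple")
    client = CachingClient(server, cache_ttl_s=ttl_s)
    pw = "correct horse battery staple"
    steps = []
    steps.append(client.login("operator", pw, now=0))          # server online: cached
    server.reachable = False                                    # outage begins
    steps.append(client.login("operator", pw, now=60))         # cache keeps operations going
    steps.append(client.login("newhire", "irrelevant", now=61)) # never cached: locked out
    server.revoke("operator")                                   # revoked centrally mid-outage
    steps.append(client.login("operator", pw, now=120))        # still accepted: the gap
    steps.append(client.login("operator", pw, now=ttl_s))      # TTL reached: cache refuses
    server.reachable = True
    steps.append(client.login("operator", pw, now=ttl_s + 1))  # server rejects and purges
    return steps


if __name__ == "__main__":
    for step in revocation_gap_scenario():
        print(step)
```

The TTL is the knob that trades emergency availability against revocation latency; whatever value is chosen, revocation of a cached account must also be pushed to the clients (or their caches flushed) rather than relying on the central store alone.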
5.15.1 ICS Implementation Considerations
While centralized authentication and authorization servers are commonly used in an IT environment, there are many challenges to integrating them into ICS. Authentication servers and protocols integrate with many commodity IT products (e.g., Microsoft Windows, Linux, Oracle), but ICS often use their own application-specific accounts and authentication mechanisms that were not designed to interface with third-party servers and protocols. This limits the adoption of such mechanisms in an ICS environment. Older network devices and most field devices do not support any mechanism to integrate with a centralized authentication system.
5.16 Monitoring, Logging, and Auditing
The security architecture of an ICS must also incorporate mechanisms to monitor, log, and audit activities occurring on various systems and networks. Monitoring, logging, and auditing activities are imperative to understanding the current state of the ICS, validating that the system is operating as intended, and confirming that no policy violations or cyber incidents have hindered the operation of the system. Network security monitoring is valuable to characterize the normal state of the ICS, and can provide indications of compromised systems when signature-based technologies fail. Additionally, strong system monitoring, logging, and auditing are necessary to troubleshoot and perform any necessary forensic analysis of the system (see footnote 33).
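The "characterize the normal state, then spot deviations" point above, as an added example that is not from the publication: a baseline model of a control network's conversations that is learned from a vetted known-good period and then reports hosts never seen before, conversations never seen before, and a source fanning out to many peers on one service, none of which needs a signature. The flow records, addresses and the fan-out threshold are constructed for the illustration; a deployment would feed it from a flow collector or network sensor.

```python
# Added example (not from NIST SP 800-82): baseline-based network security
# monitoring for a control network. Flows, addresses and thresholds are constructed.
from collections import defaultdict

# (src, dst, proto, dport) summaries, as a flow collector would export them (constructed).
BASELINE_FLOWS = [
    ("192.0.2.10", "192.0.2.20", "tcp", 502),    # HMI -> PLC-1, Modbus/TCP
    ("192.0.2.10", "192.0.2.21", "tcp", 502),    # HMI -> PLC-2
    ("192.0.2.10", "192.0.2.50", "tcp", 1433),   # HMI -> historian database
    ("192.0.2.30", "192.0.2.20", "tcp", 502),    # engineering workstation -> PLC-1
    ("192.0.2.20", "192.0.2.60", "udp", 123),    # PLC-1 -> NTP server
]
OBSERVED_FLOWS = BASELINE_FLOWS + [
    ("192.0.2.20", "203.0.113.5", "tcp", 443),   # PLC-1 opening an outbound TLS session
    ("192.0.2.30", "192.0.2.40", "tcp", 502),    # engineering workstation sweeping
    ("192.0.2.30", "192.0.2.41", "tcp", 502),    #   addresses it never spoke to before
    ("192.0.2.30", "192.0.2.42", "tcp", 502),
    ("192.0.2.30", "192.0.2.43", "tcp", 502),
]


class FlowBaseline:
    """Whitelist-style model of the ICS's normal conversations."""

    def __init__(self, fanout_threshold=4):
        self.allowed = set()                  # conversations seen during the baseline
        self.hosts = set()                    # every address that took part in one
        self.fanout_threshold = fanout_threshold

    def learn(self, flows):
        """Record flows from a period the operators have vetted as normal."""
        for src, dst, proto, dport in flows:
            self.allowed.add((src, dst, proto, dport))
            self.hosts.update((src, dst))

    def evaluate(self, flows):
        """Return deviation alerts: new conversations, new hosts, and scanning fan-out."""
        alerts, new_hosts = [], set()
        fanout = defaultdict(set)
        for src, dst, proto, dport in flows:
            key = (src, dst, proto, dport)
            for host in (src, dst):
                if host not in self.hosts:
                    new_hosts.add(host)
            if key not in self.allowed:
                alerts.append(f"NEW-CONVERSATION {src} -> {dst} {proto}/{dport}")
            fanout[(src, proto, dport)].add(dst)
        alerts.extend(f"NEW-HOST {h}" for h in sorted(new_hosts))
        for (src, proto, dport), dsts in sorted(fanout.items()):
            if len(dsts) >= self.fanout_threshold:
                alerts.append(f"FANOUT {src} -> {len(dsts)} hosts on {proto}/{dport}")
        return alerts


def flow_demo():
    """Learn the constructed baseline, then evaluate the constructed observed flows."""
    model = FlowBaseline()
    model.learn(BASELINE_FLOWS)
    return model.evaluate(OBSERVED_FLOWS)


if __name__ == "__main__":
    for alert in flow_demo():
        print(alert)
```

A PLC that starts talking to an address outside the plant, or a workstation that begins sweeping the Modbus port, shows up here as a deviation from the baseline even though no signature exists for it; the quality of the result depends entirely on the baseline period being genuinely clean and reviewed.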
5.17 Incident Detection, Response, and System Recovery
Incidents are inevitable and incident detection, response, and system recovery plans are essential. Major
characteristics of a good security program are how soon after an incident has occurred that the incident can
be detected and how quickly a system can be recovered after an incident has been detected. Incident
response in ICS is closely aligned to disaster recovery, specifically to address the stringent uptime
requirements of ICS. Incident Responders must be trained for ICS-specific scenarios, as normal methods
of recovering IT systems may not apply to ICS.
33 For further information see NIST SP 800-94, Guide to Intrusion Detection and Prevention Systems (IDPS) [55].
6. Applying Security Controls to ICS
A single security product or technology cannot adequately protect an ICS. Securing an ICS is based on a
combination of effective security policies and a properly configured set of security controls. The selection
and implementation of security controls to apply to an ICS can have major implications on the operations,
so it is critical to consider:
• Which security controls are needed to adequately mitigate risk to an acceptable level that supports the organizational missions and business functions?
• Have the selected security controls been implemented, or is there a realistic implementation plan in place?
• What is the required level of assurance that the selected security controls are implemented correctly, operating as intended, and producing the desired outcome?
As identified in Section 3, the questions should be answered in the context of an effective, organization-
wide risk management process and cybersecurity strategy that identifies, mitigates (as necessary), and
continuously monitors risks to its ICS. An effective cybersecurity strategy for an ICS should apply defense-
in-depth, a technique of layering security mechanisms so that the impact of a failure in any one mechanism
is minimized. Use of such a strategy is explored within the security control discussions and their
applications to ICS that follow.
6.1 Executing the Risk Management Framework Tasks for Industrial Control Systems
The following describes the process of applying the Risk Management Framework (RMF) to ICS. The
process includes a brief description of each activity and identifies supporting NIST documents. The
following steps, while shown sequentially, can be implemented in a different order to be consistent with
established management and system development life cycle processes [21].
Figure 6-1. Risk Management Framework Tasks
6.1.1 Step 1: Categorize Information System
The first activity in the RMF is to categorize the information and information system according to potential
impact of loss. For each information type and information system under consideration, the three FISMA-
defined security objectives—confidentiality, integrity, and availability—are associated with one of three
levels of potential impact should there be a breach of security. It is important to remember that for an ICS,
availability is generally the greatest concern.
The standards and guidance for this categorization process can be found in FIPS 199 [15] and NIST SP
800-60 [25], respectively. NIST is in the process of updating NIST SP 800-60 to provide additional
guidance on the categorization of ICS.
[Figure 6-1, labels recovered from the figure: Risk Management Framework process overview. Starting point, then Step 1: Categorize Information System; Step 2: Select Security Controls; Step 3: Implement Security Controls; Step 4: Assess Security Controls; Step 5: Authorize Information System; Step 6: Monitor Security Controls; repeat as necessary. Inputs: Architecture Description (architecture reference models, segment and solution architectures, mission and business processes, information system boundaries) and Organizational Inputs (laws, directives, policy guidance; strategic goals and objectives; priorities and resource availability; supply chain considerations).]
The following ICS example is taken from FIPS 199 [15]:
ICS-specific Recommendations and Guidance
A power plant contains a SCADA system controlling the distribution of electric power for a large military
installation. The SCADA system contains both real-time sensor data and routine administrative
information. The management at the power plant determines that: (i) for the sensor data being acquired by
the SCADA system, there is no potential impact from a loss of confidentiality, a high potential impact from
a loss of integrity, and a high potential impact from a loss of availability; and (ii) for the administrative
information being processed by the system, there is a low potential impact from a loss of confidentiality, a
low potential impact from a loss of integrity, and a low potential impact from a loss of availability. The
resulting security categories, SC, of these information types are expressed as:
SC sensor data = {(confidentiality, NA), (integrity, HIGH), (availability, HIGH)},
and
SC administrative information = {(confidentiality, LOW), (integrity, LOW), (availability, LOW)}.
The resulting security category of the information system is initially expressed as:
SC SCADA system = {(confidentiality, LOW), (integrity, HIGH), (availability, HIGH)},
representing the high water mark or maximum potential impact values for each security objective from the
information types resident on the SCADA system. The management at the power plant chooses to increase
the potential impact from a loss of confidentiality from low to moderate, reflecting a more realistic view of
the potential impact on the information system should there be a security breach due to the unauthorized
disclosure of system-level information or processing functions. The final security category of the
information system is expressed as:
SC SCADA system = {(confidentiality, MODERATE), (integrity, HIGH), (availability, HIGH)}.
FIPS 199 specifies that information systems be categorized as low-impact, moderate-impact, or high-
impact for the security objectives of confidentiality, integrity, and availability. Possible definitions for low,
moderate, and high levels of security based on impact for ICS based on ISA99 are provided in Table 6-1.
Possible definitions for ICS impact levels based on product produced, industry and security concerns are
provided in Table 6-2.
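The high-water-mark calculation that the SCADA example above carries out by hand, as an added example that is not from the publication: each information type is rated per security objective, the system's category is the per-objective maximum over the information types it holds, and management may then raise (never lower) an objective to reflect system-level concerns. The information types are the ones from the FIPS 199 example; the rules that NA is permitted only for the confidentiality of an information type and that an information system is never rated below LOW are FIPS 199's, and the "overall impact level is the highest objective" rule is the FIPS 200 convention.

```python
# Added example (not from NIST SP 800-82): FIPS 199 security categorization by
# high water mark, applied to the power-plant SCADA example in the text.
LEVELS = {"NA": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")

# Information types and ratings from the FIPS 199 example quoted above.
FIPS199_EXAMPLE = {
    "sensor data": {"confidentiality": "NA", "integrity": "HIGH", "availability": "HIGH"},
    "administrative information": {"confidentiality": "LOW", "integrity": "LOW", "availability": "LOW"},
}


def _check(objective, level):
    if objective not in OBJECTIVES or level not in LEVELS:
        raise ValueError(f"bad objective/level: {objective}, {level}")
    if level == "NA" and objective != "confidentiality":
        raise ValueError("NA is only permitted for confidentiality of an information type")


def high_water_mark(info_types):
    """System category = per-objective maximum over all information types it holds."""
    category = {}
    for objective in OBJECTIVES:
        best = "NA"
        for ratings in info_types.values():
            level = ratings[objective]
            _check(objective, level)
            if LEVELS[level] > LEVELS[best]:
                best = level
        category[objective] = "LOW" if best == "NA" else best   # systems bottom out at LOW
    return category


def raise_impact(category, objective, level):
    """Management adjustment: an objective may be raised, never lowered."""
    _check(objective, level)
    if LEVELS[level] < LEVELS[category[objective]]:
        raise ValueError(f"{objective} cannot be lowered from {category[objective]} to {level}")
    adjusted = dict(category)
    adjusted[objective] = level
    return adjusted


def overall_impact(category):
    """FIPS 200 overall impact level: the highest of the three objectives."""
    return max(category.values(), key=LEVELS.__getitem__)


def format_sc(system_name, category):
    """Render in the SC = {(objective, LEVEL), ...} notation used by FIPS 199."""
    body = ", ".join(f"({o}, {category[o]})" for o in OBJECTIVES)
    return f"SC {system_name} = {{{body}}}"


if __name__ == "__main__":
    initial = high_water_mark(FIPS199_EXAMPLE)
    final = raise_impact(initial, "confidentiality", "MODERATE")
    print(format_sc("SCADA system", initial))
    print(format_sc("SCADA system", final), "->", overall_impact(final))
```

Availability and integrity dominate here, which matches the observation in 6.1.1 that availability is generally the greatest concern for an ICS; the confidentiality adjustment is a management decision layered on top of the mechanical high water mark, not something the calculation produces.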
Table 6-1. Possible Definitions for ICS Impact Levels Based on ISA99

Impact Category            | Low-Impact                        | Moderate-Impact          | High-Impact
---------------------------|-----------------------------------|--------------------------|----------------------------------
Injury                     | Cuts, bruises requiring first aid | Requires hospitalization | Loss of life or limb
Financial Loss             | $1,000                            | $100,000                 | Millions
Environmental Release      | Temporary damage                  | Lasting damage           | Permanent damage, off-site damage
Interruption of Production | Minutes                           | Days                     | Weeks
Public Image               | Temporary damage                  | Lasting damage           | Permanent damage
Table 6-2. Possible Definitions for ICS Impact Levels Based on Product Produced, Industry and Security Concerns

Impact Category | Low-Impact | Moderate-Impact | High-Impact
Product Produced | Non-hazardous materials or products; non-ingested consumer products | Some hazardous products or steps during production; high amount of proprietary information | Critical infrastructure (e.g., electricity); hazardous materials; ingested products
Industry Examples | Plastic injection molding; warehouse applications | Automotive metal industries; pulp and paper; semiconductors | Utilities; petrochemical; food and beverage; pharmaceutical
Security Concerns | Protection against minor injuries; ensuring uptime | Protection against moderate injuries; ensuring uptime; capital investment | Protection against major injuries/loss of life; ensuring uptime; capital investment; trade secrets; ensuring basic social services; regulatory compliance
6.1.2 Step 2: Select Security Controls
This framework activity includes the initial selection of minimum security controls planned or in place to
protect the information system based on a set of requirements. FIPS 200 documents a set of minimum
security requirements covering 18 security-related areas with regard to protecting the confidentiality,
integrity, and availability of federal information systems and the information processed, stored, and
transmitted by those systems [16]. Additional information on each of the 18 security control families is in
Section 6.2.
The baseline controls are the starting point for the security control selection process and are chosen based on
the security category and associated impact level of the information system determined in Step 1.
To address the need for developing community-wide and specialized sets of security controls for
information systems and organizations, the concept of overlays is introduced. An overlay is a fully
specified set of security controls, control enhancements, and supplemental guidance derived from the
application of tailoring guidance to security control baselines described in NIST SP 800-53.
In general, overlays are intended to reduce the need for ad hoc tailoring of baselines by organizations
through the selection of a set of controls and control enhancements that more closely correspond to
common circumstances, situations, and/or conditions. However, the use of overlays does not in any way
preclude organizations from performing further tailoring (i.e., overlays can also be subject to tailoring) to
reflect organization-specific needs, assumptions, or constraints. For further information on creating
overlays, refer to SP 800-53, Section 3.3 and Appendix I.
Appendix G includes an ICS-specific overlay of applicable NIST SP 800-53 controls that provides
tailored baselines for low-impact, moderate-impact, and high-impact ICS. These tailored baselines can be
utilized as starting specifications and recommendations that can be applied to specific ICS by responsible
personnel. As discussed in earlier sections, the use of an overlay does not in any way preclude
organizations from performing further tailoring to add or remove controls and control enhancements (i.e.,
overlays can also be subject to tailoring) to reflect organization-specific needs, assumptions, or constraints.
Additionally, ICS owners can take advantage of the ability to tailor the initial baselines presented in the
Appendix G overlay when it is not possible or feasible to implement specific security controls contained
in the baselines. However, all tailoring activity should, as its primary goal, focus on meeting the intent of
the original security controls whenever possible or feasible. For example, in situations where the ICS
cannot support, or the organization determines it is not advisable to implement particular security controls
or control enhancements in an ICS (e.g., performance, safety, or reliability are adversely impacted), the
organization provides a complete and convincing rationale for how the selected compensating controls
provide an equivalent security capability or level of protection for the ICS and why the related baseline
security controls could not be employed. If the ICS cannot support the use of automated mechanisms, the
organization employs non-automated mechanisms or procedures as compensating controls in accordance
with the general tailoring guidance in Section 3.3 of NIST SP 800-53. Compensating controls are not
exceptions or waivers to the baseline controls; rather, they are alternative safeguards and countermeasures
employed within the ICS that accomplish the intent of the original security controls that could not be
effectively employed. Organizational decisions on the use of compensating controls are documented in the
security plan for the ICS.
6.1.3 Step 3: Implement Security Controls
This activity involves the implementation of security controls in new or legacy information systems. The
security control selection process described in this section can be applied to ICS from two different
perspectives: (i) new development; and (ii) legacy.
For new development systems, the security control selection process is applied from a requirements
definition perspective since the systems do not yet exist and organizations are conducting initial security
categorizations. The security controls included in the security plans for the information systems serve as a
security specification and are expected to be incorporated into the systems during the development and
implementation phases of the system development life cycle.
In contrast, for legacy information systems, the security control selection process is applied from a gap
analysis perspective when organizations are anticipating significant changes to the systems (e.g., during
major upgrades, modifications, or outsourcing). Since the information systems already exist, organizations
in all likelihood have completed the security categorization and security control selection processes
resulting in the establishment of previously agreed-upon security controls in the respective security plans
and the implementation of those controls within the information systems.
6.1.4 Step 4: Assess Security Controls
This activity determines the extent to which the security controls in the information system are effective in
their application. NIST SP 800-53A provides guidance for assessing security controls initially selected
from NIST SP 800-53 to ensure that they are implemented correctly, operating as intended, and producing
the desired outcome with respect to meeting the security requirements of the system. To accomplish this,
NIST SP 800-53A provides expectations based on assurance requirements defined in NIST SP 800-53 for
characterizing the expectations of security assessments by FIPS 199 impact level.
6.1.5 Step 5: Authorize Information System
This activity results in a management decision to authorize the operation of an information system and to
explicitly accept the risk to agency operations, agency assets, or individuals based on the implementation of
an agreed-upon set of security controls.
6.1.6 Step 6: Monitor Security Controls
This activity continuously tracks changes to the information system that may affect security controls and
assesses control effectiveness. NIST SP 800-137 provides guidance on information security continuous
monitoring [21].
6.2 Guidance on the Application of Security Controls to ICS
Because today’s ICS are often a combination of legacy systems, often with a planned life span of twenty to
thirty years, or a hybrid of legacy systems augmented with newer hardware and software that are
interconnected to other systems, it is often difficult or infeasible to apply some of the security controls
contained in NIST SP 800-53. While many controls in Appendix F of NIST SP 800-53 are applicable to
ICS as written, several controls did require ICS-specific interpretation and/or augmentation. Appendix I of
NIST SP 800-53 provides an example overlay template and additional information on each section of the
overlay.
The NIST SP 800-53 controls are organized into 18 families; each family contains security controls related
to the general security topic of the family. Security controls may involve aspects of policy, oversight,
supervision, manual processes, actions by individuals, or automated mechanisms implemented by
information systems/devices. The 18 security-related areas discussed in the following sections are:

• Access Control (AC): the process of granting or denying specific requests for obtaining and using information and related information processing services for physical access to areas within the information system environment.
• Awareness and Training (AT): policies and procedures to ensure that all information system users are given appropriate security training relative to their usage of the system and that accurate training records are maintained.
• Audit and Accountability (AU): independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures, and to recommend necessary changes in controls, policies, or procedures.
• Security Assessment and Authorization (CA): assurance that the specified controls are implemented correctly, operating as intended, and producing the desired outcome.
• Contingency Planning (CP): policies and procedures designed to maintain or restore business operations, including computer operations, possibly at an alternate location, in the event of emergencies, system failures, or disaster.
• Configuration Management (CM): policies and procedures for controlling modifications to hardware, firmware, software, and documentation to ensure the information system is protected against improper modifications prior to, during, and after system implementation.
• Identification and Authentication (IA): the process of verifying the identity of a user, process, or device, through the use of specific credentials (e.g., passwords, tokens, biometrics), as a prerequisite for granting access to resources in an IT system.
• Incident Response (IR): policies and procedures pertaining to incident response training, testing, handling, monitoring, reporting, and support services.
• Maintenance (MA): policies and procedures to manage all maintenance aspects of an information system.
• Media Protection (MP): policies and procedures to ensure secure handling of media. Controls cover access, labeling, storage, transport, sanitization, destruction, and disposal.
• Physical and Environmental Protection (PE): policies and procedures addressing physical, transmission, and display access control as well as environmental controls for conditioning (e.g., temperature, humidity) and emergency provisions (e.g., shutdown, power, lighting, fire protection).
• Planning (PL): development and maintenance of a plan to address information system security by performing assessments, specifying and implementing security controls, assigning security levels, and responding to incidents.
• Personnel Security (PS): policies and procedures for personnel position categorization, screening, transfer, penalty, and termination; also addresses third-party personnel security.
• Risk Assessment (RA): the process of identifying risks to operations, assets, or individuals by determining the probability of occurrence, the resulting impact, and additional security controls that would mitigate this impact.
• System and Services Acquisition (SA): allocation of resources for information system security to be maintained throughout the system's life cycle and the development of acquisition policies based on risk assessment results including requirements, design criteria, test procedures, and associated documentation.
• System and Communications Protection (SC): mechanisms for protecting both system and data transmission components.
• System and Information Integrity (SI): policies and procedures to protect information systems and their data from design flaws and data modification using functionality verification, data integrity checking, intrusion detection, malicious code detection, and security alert and advisory controls.
• Program Management (PM): provides security controls at the organizational rather than the information-system level.
Additionally, Appendix J of NIST SP 800-53 Rev. 4 includes a catalog of Privacy Controls. Privacy
controls are the administrative, technical, and physical safeguards employed within organizations to protect
and ensure the proper handling of personally identifiable information (PII).³⁵ The 8 privacy control families
are each aligned with the Fair Information Practice Principles (FIPPs),³⁶ which are designed to build public
trust in an organization’s privacy practices and to help organizations avoid tangible costs and intangible
damages stemming from privacy incidents.
³⁵ OMB Memorandum 07-16 defines PII as “information which can be used to distinguish or trace an individual’s identity such as their name, social security number, biometric records, etc., alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.” [86]. OMB Memorandum 10-22 reaffirmed this definition [87]. NIST Special Publication 800-122 defines PII as “any information about an individual [that is] maintained by an agency, including: (i) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (ii) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information” [88].
³⁶ The FIPPs are widely accepted in the United States and internationally as a general framework for privacy and are reflected in other federal and international laws and policies. In a number of organizations, FIPPs serve as the basis for analyzing privacy risks and determining appropriate mitigation strategies. The Federal Enterprise Architecture Security and Privacy Profile (FEA-SPP) also provided information and materials in development of the privacy controls [89].
Sections 6.2.1 through 6.2.19 introduce each of the SP 800-53 control families and the privacy controls,
provide background information on the control family, and give any ICS guidance and implementation
considerations for ICS owners. ICS-specific recommendations and guidance, where available, are provided in an
outlined box for each section. Much of the ICS-specific guidance was derived from ISA-62443 [34] and the
EPRI report: Supervisory Control and Data Acquisition (SCADA) Systems Security Guide [62].
6.2.1 Access Control
The security controls that fall within the NIST SP 800-53 Access Control (AC) family provide policies and
procedures for specifying the use of system resources by only authorized users, programs, processes, or
other systems. This family specifies controls for managing information system accounts, including
establishing, activating, modifying, reviewing, disabling, and removing accounts. Controls cover access
and flow enforcement issues such as separation of duties, least privilege, unsuccessful login attempts,
system use notification, previous logon notification, concurrent session control, session lock, and session
termination. There are also controls to address the use of portable and remote devices and personally owned
information systems to access the information system as well as the use of remote access capabilities and
the implementation of wireless technologies. Access can take several forms, including viewing, using, and
altering specific data or device functions.
Supplemental guidance for the AC controls can be found in the following documents:

• NIST SP 800-63 provides guidance on remote electronic authentication [53].
• NIST SP 800-48 provides guidance on wireless network security with particular emphasis on the IEEE 802.11b and Bluetooth standards 0.
• NIST SP 800-97 provides guidance on IEEE 802.11i wireless network security [64].
• FIPS 201 provides requirements for the personal identity verification of federal employees and contractors [65].
• NIST SP 800-96 provides guidance on PIV card to reader interoperability [66].
• NIST SP 800-73 provides guidance on interfaces for personal identity verification [49].
• NIST SP 800-76 provides guidance on biometrics for personal identity verification [50].
• NIST SP 800-78 provides guidance on cryptographic algorithms and key sizes for personal identity verification [67].
If the new federal Personal Identity Verification (PIV) is used as an identification token, the access control
system should conform to the requirements of FIPS 201 and NIST SP 800-73 and employ either
cryptographic verification or biometric verification. When token-based access control employs
cryptographic verification, the access control system should conform to the requirements of NIST SP 800-78.
When token-based access control employs biometric verification, the access control system should
conform to the requirements of NIST SP 800-76.
Access control technologies are filter and blocking technologies designed to direct and regulate the flow of
information between devices or systems once authorization has been determined. The following sections
present several access control technologies and their use with ICS.
6.2.1.1 Role-based Access Control (RBAC)
RBAC is a technology that has the potential to reduce the complexity and cost of security administration in networks with large numbers of intelligent devices. Under RBAC, security administration is simplified through the use of roles, hierarchies, and constraints to organize user access levels. RBAC reduces costs within an organization because it recognizes that employees move between roles and responsibilities far more often than the duties attached to those roles change; permissions are maintained once per role rather than once per person.
ICS-specific Recommendations and Guidance
RBAC can be used to provide a uniform means to manage access to ICS devices while reducing the cost of
maintaining individual device access levels and minimizing errors. RBAC should be used to restrict ICS
user privileges to only those that are required to perform each person’s job (i.e., configuring each role
based on the principle of least privilege). The level of access can take several forms, including viewing,
using, and altering specific ICS data or device functions.
RBAC tools can set, modify, or remove authorizations in applications, but they do not replace the
authorization mechanism; they do not check and authenticate users every time a user wants to access an
application. RBAC tools offer interfaces to authorization mechanisms for most current platforms in the IT
arena. However, legacy ICS systems or specialized ICS equipment may require development of specialized
interface software. This issue is a large problem for ICS that use a number of proprietary operating systems
or customized operating system implementations and interfaces.
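To make the role hierarchy, least-privilege role definitions and constraints above concrete, here is an added example (not code from the guide or from any RBAC product). The plant layout, role names, user names, device names and actions are hypothetical; the point is that each role carries only the permissions its job needs, roles inherit through a hierarchy, and a static separation-of-duty constraint stops one person from both authoring and approving a logic change.

```python
"""Role-based access control (RBAC) for ICS operations: roles, a role
hierarchy, least-privilege permission sets and a static separation-of-duty
constraint.  Added example, not from NIST SP 800-82; all role, user,
device and action names are hypothetical."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Set, Tuple

# A permission is (action, target).  Actions follow the forms of access the
# guide lists: "view", "use" (operate) and "alter" (change data or logic).
Permission = Tuple[str, str]


@dataclass
class Role:
    name: str
    permissions: Set[Permission] = field(default_factory=set)
    parents: Set[str] = field(default_factory=set)  # roles inherited from


class RBAC:
    def __init__(self) -> None:
        self.roles: Dict[str, Role] = {}
        self.assignments: Dict[str, Set[str]] = {}   # user -> held roles
        self.exclusive: Set[FrozenSet[str]] = set()  # static SoD role pairs

    def add_role(self, name: str, permissions=(), parents=()) -> None:
        self.roles[name] = Role(name, set(permissions), set(parents))

    def add_sod_constraint(self, role_a: str, role_b: str) -> None:
        """Static separation of duty: no user may hold both roles."""
        self.exclusive.add(frozenset({role_a, role_b}))

    def conflicts(self, user: str, role: str) -> Set[str]:
        """Roles already held by `user` that may not be combined with `role`."""
        held = self.assignments.get(user, set())
        return {r for pair in self.exclusive if role in pair
                for r in (pair - {role}) & held}

    def assign(self, user: str, role: str) -> None:
        if role not in self.roles:
            raise KeyError(role)
        clash = self.conflicts(user, role)
        if clash:
            raise ValueError(f"{user}: {role} conflicts with {sorted(clash)}")
        self.assignments.setdefault(user, set()).add(role)

    def effective_permissions(self, role_name: str) -> Set[Permission]:
        """Own permissions plus everything inherited through the hierarchy."""
        perms: Set[Permission] = set()
        seen: Set[str] = set()
        stack = [role_name]
        while stack:
            name = stack.pop()
            if name in seen:
                continue
            seen.add(name)
            role = self.roles[name]
            perms |= role.permissions
            stack.extend(role.parents)
        return perms

    def check(self, user: str, action: str, target: str) -> bool:
        """Authorization decision for one request.  Default deny: the request
        succeeds only if some held role grants exactly (action, target)."""
        return any((action, target) in self.effective_permissions(r)
                   for r in self.assignments.get(user, ()))


def build_plant_rbac() -> RBAC:
    """Hypothetical plant: one HMI, one PLC and a change-control workflow."""
    rbac = RBAC()
    rbac.add_role("viewer", {("view", "hmi_01"), ("view", "plc_main")})
    rbac.add_role("operator",
                  {("use", "hmi_01"),            # acknowledge alarms
                   ("use", "plc_main")},         # adjust setpoints within limits
                  parents={"viewer"})
    rbac.add_role("control_engineer",
                  {("alter", "plc_main")},       # download logic / change config
                  parents={"operator"})
    rbac.add_role("change_approver", {("approve", "change_request")})
    # The engineer who writes a logic change may not be the one who approves it.
    rbac.add_sod_constraint("control_engineer", "change_approver")
    rbac.assign("alice", "viewer")
    rbac.assign("bob", "control_engineer")
    rbac.assign("carol", "change_approver")
    return rbac
```

With this model `build_plant_rbac().check("bob", "alter", "plc_main")` is allowed because bob holds control_engineer, `check("alice", "use", "plc_main")` is denied because viewer grants only view, and `conflicts("bob", "change_approver")` returns {"control_engineer"}, so an attempt to make bob an approver raises. The check is exact-match on (action, target) rather than a wildcard, which is what keeps each role at least privilege.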
6.2.1.2 Web Servers
Web and Internet technologies are being added to a wide variety of ICS products because they make
information more accessible and products more user-friendly and easier to configure remotely. However,
they may also add cyber risks and create new security vulnerabilities that need to be addressed.
ICS-specific Recommendations and Guidance
SCADA and historian software vendors typically provide Web servers as a product option so that users
outside the control room can access ICS information. In many cases, software components such as ActiveX
controls or Java applets must be installed or downloaded onto each client machine accessing the Web
server. Some products, such as PLCs and other control devices, are available with embedded Web, FTP,
and email servers to make them easier to configure remotely and allow them to generate email notifications
and reports when certain conditions occur. When feasible, use HTTPS rather than HTTP, use SFTP or SCP
rather than FTP, block inbound FTP and email traffic, etc. Security appliances (or gateways) are beginning
to appear with application proxies able to examine Web, FTP, and email traffic to block attacks and prevent
downloading of ActiveX® controls or Java® applets.
Unless there is substantial benefit to connecting ICSs to the Internet, the systems are best left not
connected.
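The application-proxy behaviour described above (examine web traffic, refuse ActiveX controls and Java applets, prefer HTTPS over HTTP) can be expressed as a small content check. This is an added example, not code from the guide or from any security appliance vendor; the host names, headers and page bodies are constructed, and the indicators it looks for are the MIME types, file extensions and HTML elements through which such components are normally delivered.

```python
"""Application-proxy style content check for ICS web traffic.  Added
example, not from the guide or any security appliance vendor: given an
HTTP response that a client inside the control network requested from a
SCADA, historian or PLC web server, decide whether to deliver it.  It
refuses ActiveX controls and Java applets (by MIME type, by file
extension and by the HTML markup that loads them) and reports whether
the request itself went over a plaintext protocol.  All URLs, headers
and bodies below are constructed."""
import re
from typing import Dict, Tuple
from urllib.parse import urlsplit

# MIME types under which Java applets / archives and ActiveX binaries are served.
BLOCKED_CONTENT_TYPES = {
    "application/x-java-applet", "application/x-java-vm",
    "application/java-archive", "application/x-oleobject",
    "application/x-msdownload", "application/vnd.ms-cab-compressed",
}
BLOCKED_EXTENSIONS = (".jar", ".class", ".cab", ".ocx")
PLAINTEXT_SCHEMES = {"http", "ftp"}

# <object classid="clsid:..."> loads an ActiveX control; <applet> and
# <object|embed type="application/x-java..."> load a Java applet.
_ACTIVEX = re.compile(r"<object\b[^>]*\bclassid\s*=\s*['\"]?\s*clsid:", re.I)
_APPLET = re.compile(r"<applet\b", re.I)
_JAVA_EMBED = re.compile(
    r"<(?:object|embed)\b[^>]*\btype\s*=\s*['\"]?application/x-java", re.I)


def uses_plaintext(url: str) -> bool:
    """True for HTTP or FTP URLs, which should be HTTPS / SFTP / SCP instead."""
    return urlsplit(url).scheme.lower() in PLAINTEXT_SCHEMES


def inspect_response(url: str, headers: Dict[str, str], body: bytes) -> Tuple[bool, str]:
    """Return (deliver, reason).  Default is to deliver; any indicator of an
    ActiveX control or Java applet blocks the response."""
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype in BLOCKED_CONTENT_TYPES:
        return False, f"blocked content type {ctype}"
    path = urlsplit(url).path.lower()
    if path.endswith(BLOCKED_EXTENSIONS):
        return False, f"blocked file extension {path.rsplit('.', 1)[-1]}"
    if ctype == "text/html":
        text = body.decode("utf-8", errors="replace")
        if _ACTIVEX.search(text):
            return False, "page embeds an ActiveX control"
        if _APPLET.search(text) or _JAVA_EMBED.search(text):
            return False, "page embeds a Java applet"
    return True, "ok"


# Constructed sample responses: a plain status page, a trend page that loads
# an ActiveX control, an applet archive from a historian, and an HMI page
# that embeds an applet.
SAMPLES = [
    ("https://plc-01.plant.example/status.html",
     {"Content-Type": "text/html; charset=utf-8"},
     b"<html><body><h1>Tank 3</h1><p>Level 42 %</p></body></html>"),
    ("http://scada.plant.example/trend.html", {"Content-Type": "text/html"},
     b'<html><body><object classid="clsid:12345678-1234-1234-1234-123456789ABC" '
     b'codebase="trend.cab"></object></body></html>'),
    ("http://historian.plant.example/viewer.jar",
     {"Content-Type": "application/java-archive"}, b"PK\x03\x04"),
    ("http://hmi.plant.example/alarms.html", {"Content-Type": "text/html"},
     b'<html><body><applet code="AlarmView.class" archive="alarms.jar">'
     b'</applet></body></html>'),
]


def run_samples():
    """Decision per sample: url -> (deliver, reason, request_was_plaintext)."""
    return {url: (*inspect_response(url, hdrs, body), uses_plaintext(url))
            for url, hdrs, body in SAMPLES}
```

Only the plain status page is delivered; the other three are refused for different reasons, and three of the four requests went over plain HTTP, which is the case the guide says to avoid when HTTPS is feasible. A real proxy would also need to handle compressed bodies and chunked encoding before inspecting HTML; the decision logic is the same.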
6.2.1.3 Virtual Local Area Network (VLAN)
VLANs divide physical networks into smaller logical networks to increase performance, improve
manageability, and simplify network design. VLANs are achieved through configuration of Ethernet
switches. Each VLAN consists of a single broadcast domain that isolates traffic from other VLANs. Just as
replacing hubs with switches reduces collisions, using VLANs limits the broadcast traffic, as well as
allowing logical subnets to span multiple physical locations. There are two categories of VLANs:
• Static, often referred to as port-based, where switch ports are assigned to a VLAN so that it is transparent to the end user.
• Dynamic, where an end device negotiates VLAN characteristics with the switch or determines the VLAN based on the IP or hardware addresses.
Although more than one IP subnet may coexist on the same VLAN, the general recommendation is to use a
one-to-one relationship between subnets and VLANs. This practice requires the use of a router or multi-
layer switch to join multiple VLANs. Many routers and firewalls support tagged frames so that a single
physical interface can be used to route between multiple logical networks.
VLANs are not typically deployed to address host or network vulnerabilities in the way that firewalls or
IDS are deployed. However, when properly configured, VLANs do allow switches to enforce security
policies and segregate traffic at the Ethernet layer. Properly segmented networks can also mitigate the risks
of broadcast storms that may result from port scanning or worm activity.
Switches have been susceptible to attacks such as MAC spoofing, table overflows, and attacks against the spanning tree protocols, depending on the device and its configuration. VLAN hopping, the ability of an attacker to inject frames into a VLAN that the attacker's own port is not assigned to, has been demonstrated using switch spoofing (negotiating a trunk link with the switch) or double-encapsulated (double-tagged) frames. These attacks cannot be launched from outside the switched network: they require Layer 2 access to a switch port, whether by physical access to the cabling or through a host on that segment that has already been compromised. A variety of features such as MAC address filtering, port-based authentication using IEEE 802.1x, and specific vendor recommended practices (for example, disabling automatic trunk negotiation on access ports and assigning trunks a native VLAN that carries no user traffic) can be used to mitigate these attacks, depending on the device and implementation.
ICS-specific Recommendations and Guidance
VLANs have been effectively deployed in ICS networks, with each automation cell assigned to a single
VLAN to limit unnecessary traffic flooding and allow network devices on the same VLAN to span multiple
switches [34].
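The double-encapsulation form of VLAN hopping mentioned above turns on one detail of how trunks handle the native VLAN, so it is worth seeing the frames. Below is an added example, not code from the guide or from any switch vendor: it builds Ethernet frames with 802.1Q tags, models the single step the attack relies on (a trunk sending its native VLAN untagged strips the outer tag), shows the two common mitigations, and gives a sensor-side check. The switch model is deliberately reduced to that step; the MAC addresses, VLAN numbers and payload are made up.

```python
"""IEEE 802.1Q tag parsing and a VLAN hopping (double-encapsulation)
check.  Added example, not from the guide: builds Ethernet frames that
carry zero, one or two 802.1Q tags, models how a trunk that sends its
native VLAN untagged strips the outer tag, and shows why a frame tagged
[native VLAN, victim VLAN] ends up in the victim VLAN on the next
switch.  The switch behaviour is simplified to the step the attack relies
on; MAC addresses, VLAN numbers and the payload are made up."""
import struct
from typing import List, Optional, Tuple

TPID_8021Q = 0x8100


def build_frame(dst: bytes, src: bytes, vids: List[int],
                ethertype: int, payload: bytes) -> bytes:
    """Ethernet II frame with the given 802.1Q tags, outermost first."""
    tags = b"".join(struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) for vid in vids)
    return dst + src + tags + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> Tuple[bytes, bytes, List[int], int, bytes]:
    """Split a frame into (dst, src, [vids outermost first], ethertype, payload)."""
    dst, src, off, vids = frame[:6], frame[6:12], 12, []
    while struct.unpack("!H", frame[off:off + 2])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[off + 2:off + 4])[0]
        vids.append(tci & 0x0FFF)          # low 12 bits of the TCI are the VID
        off += 4
    ethertype = struct.unpack("!H", frame[off:off + 2])[0]
    return dst, src, vids, ethertype, frame[off + 2:]


def trunk_egress(frame: bytes, native_vlan: int, tag_native: bool = False) -> bytes:
    """Frame as the first switch puts it on its trunk.  Traffic in the
    trunk's native VLAN is sent untagged unless the switch is configured
    to tag it, so the outer tag of a double-tagged frame disappears here."""
    dst, src, vids, ethertype, payload = parse_frame(frame)
    if vids and vids[0] == native_vlan and not tag_native:
        vids = vids[1:]
    return build_frame(dst, src, vids, ethertype, payload)


def trunk_ingress_vlan(frame: bytes, native_vlan: int) -> int:
    """VLAN into which the second switch forwards a frame from the trunk."""
    vids = parse_frame(frame)[2]
    return vids[0] if vids else native_vlan


def suspicious(frame: bytes, port_is_access: bool) -> Optional[str]:
    """Sensor check: end hosts on access ports send untagged frames, and
    nothing legitimate is double-tagged unless Q-in-Q is in use."""
    vids = parse_frame(frame)[2]
    if len(vids) >= 2:
        return "double-tagged frame"
    if port_is_access and vids:
        return "tagged frame on access port"
    return None


# Constructed attack: a host on an access port in VLAN 1 (the trunk's native
# VLAN) sends a frame tagged [1, 20] hoping to reach a PLC in VLAN 20.
ATTACKER = bytes.fromhex("020000000001")
BROADCAST = b"\xff" * 6
HOPPING_FRAME = build_frame(BROADCAST, ATTACKER, [1, 20], 0x0800, b"constructed payload")


def hopping_outcome(native_vlan: int, tag_native: bool = False) -> int:
    """VLAN the attacker's frame lands in for a given trunk configuration."""
    on_trunk = trunk_egress(HOPPING_FRAME, native_vlan, tag_native)
    return trunk_ingress_vlan(on_trunk, native_vlan)
```

`hopping_outcome(native_vlan=1)` returns 20: the outer tag matched the native VLAN, was stripped on the trunk, and the inner tag did the rest. With the native VLAN moved to an unused number (`hopping_outcome(999)`) or with the native VLAN tagged on the trunk (`tag_native=True`) the frame stays in VLAN 1. Note that the attack is one-way: nothing in VLAN 20 can answer back through the same trick, which is why it is mostly useful for injecting commands rather than for interactive access.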
6.2.1.4 Dial-up Modems
ICS systems have stringent reliability and availability requirements. When there is a need to troubleshoot
and repair, the technical resources may not be physically located at the control room or facility. Therefore,
ICS often use modems to enable vendors, system integrators, or control engineers maintaining the system
to dial in and diagnose, repair, configure, and perform maintenance on the network or component. While
this allows easy access for authorized personnel, if the dial-up modems are not properly secured, they can
also provide backdoor entries for unauthorized use.
Dial-up often uses remote control software that gives the remote user powerful (administrative or root)
access to the target system. Such software usually has security options that should be carefully reviewed
and configured.
ICS-specific Recommendations and Guidance
• Consider using callback systems when dial-up modems are installed in an ICS. This ensures that a dialer is an authorized user by having the modem establish the working connection based on the dialer's information and a callback number stored in the ICS approved authorized user list.
• Ensure that default passwords have been changed and strong passwords are in place for each modem.
• Physically identify modems in use to the control room operators.
• Configure remote control software to use unique user names and passwords, strong authentication, encryption if determined appropriate, and audit logs. Use of this software by remote users should be monitored in near real time.
• If feasible, disconnect modems when not in use or consider automating this disconnection process by having modems disconnect after being on for a given amount of time. It should be noted that sometimes modem connections are part of the legal support service agreement with the vendor (e.g., 24x7 support with a 15-minute response time). Personnel should be aware that disconnecting or removing the modems may require that contracts be renegotiated.
6.2.1.5 Wireless
The use of wireless within an ICS is a risk-based decision that has to be determined by the organization.
Generally, wireless LANs should only be deployed where health, safety, environmental, and financial
implications are low. NIST SP 800-48 and SP 800-97 provide guidance on wireless network security.
ICS-specific Recommendations and Guidance
Wireless LANs
• Prior to installation, a wireless survey should be performed to determine antenna location and strength to minimize exposure of the wireless network. The survey should take into account the fact that attackers can use powerful directional antennas, which extend the effective range of a wireless LAN beyond the expected standard range. Faraday cages and other methods are also available to minimize exposure of the wireless network outside of the designated areas.
• Wireless users' access should utilize IEEE 802.1x authentication using a secure authentication protocol (e.g., Extensible Authentication Protocol [EAP] with TLS [EAP-TLS]) that authenticates users via user certificates or a Remote Authentication Dial In User Service (RADIUS) server.
• The wireless access points and data servers for wireless worker devices should be located on an isolated network with documented and minimal (single if possible) connections to the ICS network.
• Wireless access points should be configured to have a unique service set identifier (SSID), disable SSID broadcast, and enable MAC filtering at a minimum. A hidden SSID and a MAC allow-list only reduce casual exposure: anyone who can capture the channel recovers both the SSID and a permitted MAC address, so these settings complement, rather than replace, the IEEE 802.1x authentication above.
• Wireless devices, if being utilized in a Microsoft Windows ICS network, should be configured into a separate organizational unit of the Windows domain.
• Wireless device communications should be encrypted and integrity-protected. The encryption must not degrade the operational performance of the end device. Encryption at OSI Layer 2 should be considered, rather than at Layer 3, to reduce encryption latency. The use of hardware accelerators to perform cryptographic functions should also be considered.
For mesh networks, consider broadcast (group) key management rather than public key management at OSI Layer 2 to maximize performance. Asymmetric cryptography should be used to perform administrative functions, and symmetric encryption should be used to secure each data stream as well as network control traffic. An adaptive routing protocol should be considered if the devices are to be used for wireless mobility. The convergence time of the network should be as fast as possible, supporting rapid network recovery in the event of a failure or power loss. The use of a mesh network may provide fault tolerance through alternate route selection and pre-emptive failover of the network.
Wireless field networks
The ISA100 Committee (see footnote 39) is working to establish standards, recommended practices, technical reports, and
related information that will define procedures for implementing wireless systems in the automation and
control environment with a focus on the field level (e.g., IEEE 802.15.4). Guidance is directed towards
those responsible for the complete life cycle including the designing, implementing, on-going maintenance,
scalability or managing industrial automation and control systems, and applies to users, system integrators,
practitioners, and control systems manufacturers and vendors.
39 Additional information on ISA100 at: http://www.isa.org/isa100.
6.2.2 Awareness and Training
The security controls that fall within the NIST SP 800-53 Awareness and Training (AT) family provide
policy and procedures for ensuring that all users of an information system are provided basic information
system security awareness and training materials before authorization to access the system is granted.
Personnel training must be monitored and documented.
Supplemental guidance for the AT controls can be found in the following documents:
• NIST SP 800-50 provides guidance on security awareness training [61].
• NIST SP 800-100 provides guidance on information security governance and planning [27].
ICS-specific Recommendations and Guidance
For the ICS environment, this must include control system-specific information security awareness and
training for specific ICS applications. In addition, an organization must identify, document, and train all
personnel having significant ICS roles and responsibilities. Awareness and training must cover the physical
process being controlled as well as the ICS.
Security awareness is a critical part of ICS incident prevention, particularly when it comes to social
engineering threats. Social engineering is a technique used to manipulate individuals into giving away
private information, such as passwords. This information can then be used to compromise otherwise secure
systems.
Implementing an ICS security program may bring changes to the way in which personnel access computer
programs, applications, and the computer desktop itself. Organizations should design effective training
programs and communication vehicles to help employees understand why new access and control methods
are required, ideas they can use to reduce risks, and the impact on the organization if control methods are
not incorporated. Training programs also demonstrate management’s commitment to, and the value of, a
cybersecurity program. Feedback from staff exposed to this type of training can be a valuable source of
input for refining the charter and scope of the security program.
6.2.3 Audit and Accountability
An audit is an independent review and examination of records and activities to assess the adequacy of
system controls, to ensure compliance with established policies and operational procedures, and to
recommend necessary changes in controls, policies, or procedures. The security controls that fall within the
NIST SP 800-53 Audit and Accountability (AU) family provide policies and procedures for generating
audit records, their content, capacity, and retention requirements. The controls also provide safeguards to
react to problems such as an audit failure or audit log capacity being reached. Audit data should be
protected from modification and be designed with non-repudiation capability.
Supplemental guidance for the AU controls can be found in the following documents:
• NIST SP 800-61 provides guidance on computer security incident handling and audit log retention [59].
• NIST SP 800-92 provides guidance on log management (including audit logs) [68].
• NIST SP 800-100 provides guidance on information security governance and planning [27].
ICS-specific Recommendations and Guidance
It is necessary to determine that the system is performing as intended. Periodic audits of the ICS should be
performed to validate the following items:
• The security controls present during system validation testing (e.g., factory acceptance testing and site acceptance testing) are still installed and operating correctly in the production system.
• The production system is free from security compromises and provides information on the nature and extent of compromises as feasible, should they occur.
• The management of change program is being rigorously followed with an audit trail of reviews and approvals for all changes.
The results from each periodic audit should be expressed in the form of performance against a set of
predefined and appropriate metrics to display security performance and security trends. Security
performance metrics should be sent to the appropriate stakeholders, along with a view of security
performance trends.
Traditionally, the primary basis for audit in IT systems has been recordkeeping. Using appropriate tools
within an ICS environment requires extensive knowledge from an IT professional familiar with the ICS,
critical production and safety implications for the facility. Many of the process control devices that are
integrated into the ICS have been installed for many years and do not have the capability to provide the
audit records described in this section. Therefore, the applicability of these more modern tools for auditing
system and network activity is dependent upon the capabilities of the components in the ICS.
The critical tasks in managing a network in an ICS environment are ensuring reliability and availability to
support safe and efficient operation. In regulated industries, regulatory compliance can add complexity to
security and authentication management, registry and installation integrity management, and all functions
that can augment an installation and operational qualification exercise. Diligent use of auditing and log
management tools can provide valuable assistance in maintaining and proving the integrity of the ICS from
installation through the system life cycle. The value of these tools in this environment can be calculated by
the effort required to re-qualify or otherwise retest the ICS where the integrity due to attack, accident, or
error is in question. The system should provide reliable, synchronized time stamps in support of the audit
tools.
Monitoring of sensors, logs, Intrusion Detection Systems (IDS), antivirus, patch management, policy
management software, and other security mechanisms should be done on a real-time basis where feasible.
A first-line monitoring service would receive alarms, do rapid initial problem determination and take action
to alert appropriate facility personnel to intervene.
System auditing utilities should be incorporated into new and existing ICS projects. These auditing utilities
should be tested (e.g., off-line on a comparable ICS) before being deployed on an operational ICS. These
tools can provide tangible records of evidence and system integrity. Additionally, active log management
utilities may actually flag an attack or event in progress and provide location and tracing information to
help respond to the incident [34].
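The first-line monitoring and "attack in progress" flagging described above can be illustrated with a small rule engine. The following is an added example, not part of SP 800-82 or any vendor product: it runs over constructed log records, raises an alarm on repeated failed HMI logins, on controller program downloads outside an approved change window, and on records whose timestamps fall well behind the records collected before them (the synchronized-timestamp requirement). The record format, event names, thresholds and change window are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records in an assumed "ts host user event detail" format.
# Illustrative only; real ICS components log in vendor-specific formats.
SAMPLE_LOG = """\
2024-03-10T02:00:05Z hmi-01 operator2 LOGIN_FAIL console
2024-03-10T02:00:09Z hmi-01 operator2 LOGIN_FAIL console
2024-03-10T02:00:14Z hmi-01 operator2 LOGIN_FAIL console
2024-03-10T02:00:19Z hmi-01 operator2 LOGIN_FAIL console
2024-03-10T02:00:31Z hmi-01 operator2 LOGIN_OK console
2024-03-10T02:01:02Z eng-ws-03 operator2 PLC_PROGRAM_DOWNLOAD plc-07
2024-03-10T02:05:00Z plc-07 - MODE_CHANGE RUN->PROGRAM
2024-03-09T23:59:58Z plc-07 - MODE_CHANGE PROGRAM->RUN
2024-03-10T14:30:00Z eng-ws-03 engineer1 PLC_PROGRAM_DOWNLOAD plc-07
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<user>\S+) (?P<event>\S+) (?P<detail>.*)$"
)

# Assumed policy values.
FAIL_THRESHOLD = 3                     # failed logins per (host, user) ...
FAIL_WINDOW = timedelta(minutes=2)     # ... within this window
MAX_CLOCK_SKEW = timedelta(minutes=5)  # tolerated drift behind the collector order
CHANGE_WINDOW = (14, 16)               # approved hours (UTC) for program downloads


def parse(line):
    """Parse one record; return None if it does not match the assumed format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def monitor(log_text):
    """Return a list of (severity, message) alarms for the given records."""
    alarms = []
    fails = defaultdict(deque)   # (host, user) -> timestamps of recent failures
    last_ts = None
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            alarms.append(("WARN", f"unparseable record: {line!r}"))
            continue
        ts = rec["ts"]
        # Records arrive in collection order; a timestamp far behind the
        # preceding one points at an unsynchronized (or tampered) source clock.
        if last_ts is not None and last_ts - ts > MAX_CLOCK_SKEW:
            alarms.append(("WARN", f"{rec['host']}: timestamp {ts.isoformat()} "
                                   f"is {last_ts - ts} behind preceding record"))
        last_ts = ts if last_ts is None else max(last_ts, ts)

        key = (rec["host"], rec["user"])
        if rec["event"] == "LOGIN_FAIL":
            q = fails[key]
            q.append(ts)
            while q and ts - q[0] > FAIL_WINDOW:   # drop failures outside the window
                q.popleft()
            if len(q) == FAIL_THRESHOLD:           # alarm once, when the threshold is hit
                alarms.append(("HIGH", f"{rec['user']}@{rec['host']}: "
                                       f"{len(q)} failed logins within {FAIL_WINDOW}"))
        elif rec["event"] == "LOGIN_OK":
            fails.pop(key, None)                   # successful login resets the count
        elif rec["event"] == "PLC_PROGRAM_DOWNLOAD":
            if not CHANGE_WINDOW[0] <= ts.hour <= CHANGE_WINDOW[1]:
                alarms.append(("HIGH", f"{rec['user']}@{rec['host']}: program download "
                                       f"to {rec['detail']} outside change window"))
    return alarms
```

Each alarm carries the user and host so the event can be traced back to a person or workstation for follow-up.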
SPECIAL PUBLICATION 800-82 REVISION 2 GUIDE TO INDUSTRIAL CONTROL SYSTEMS (ICS) SECURITY
157
There should be a method for tracing all console activities to a user, either manually (e.g., control
room sign-in) or automatically (e.g., login at the application and/or OS layer). Policies and procedures for
what is logged, how the logs are stored (or printed), how they are protected, who has access to the logs,
and how and when they are reviewed should be developed. These policies and procedures will vary with
the ICS application and platform. Legacy systems typically employ printer loggers, which are
reviewed by administrative, operational, and security staff. Logs maintained by the ICS application
may be stored at various locations and may or may not be encrypted.
6.2.4 Security Assessment and Authorization
The security controls that fall within the NIST SP 800-53 Assessment and Authorization (CA) family
provide the basis for performing periodic assessments and providing certification of the security controls
implemented in the information system to determine if the controls are implemented correctly, operating as
intended, and producing the desired outcome to meet the system security requirements. A senior
organizational official is responsible for accepting residual risk and authorizing system operation. These
steps constitute accreditation. In addition, all security controls should be monitored on an ongoing basis.
Monitoring activities include configuration management and control of information system components,
security impact analysis of changes to the system, ongoing assessment of security controls, and status
reporting.
Supplemental guidance for the CA controls can be found in the following documents:
• NIST SP 800-53A provides guidance on security control assessments [23].
• NIST SP 800-37 provides guidance defining the information system boundary and security certification and accreditation of the information system [21].
• NIST SP 800-100 provides guidance on information security governance and planning [27].
6.2.5 Configuration Management
Configuration management policy and procedures are used to control modifications to hardware, firmware,
software, and documentation to ensure that the information system is protected against improper
modifications prior to, during, and after system implementation. The security controls that fall within the
NIST SP 800-53 Configuration Management (CM) family provide policy and procedures for establishing
baseline controls for information systems. Controls are also specified for maintaining, monitoring, and
documenting configuration control changes. There should be restricted access to configuration settings, and
security settings of IT products should be set to the most restrictive mode consistent with ICS operational
requirements.
Supplemental guidance for the CM controls can be found in the following documents:
• NIST SP 800-70 provides guidance on configuration settings for IT products [26].
• NIST SP 800-100 provides guidance on information security governance and planning [27].
• NIST SP 800-128 provides guidance on implementation of a security-focused configuration management program [80].
ICS-specific Recommendations and Guidance
A formal change management program should be established and procedures used to ensure that all
modifications to an ICS network meet the same security requirements as the original components identified
in the asset evaluation and the associated risk assessment and mitigation plans. Risk assessment should be
performed on all changes to the ICS network that could affect security, including configuration changes,
the addition of network components, and installation of software. Changes to policies and procedures may
also be required. The current ICS network configuration and device configurations must always be known
and documented.
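The requirement that the current device configurations always be known and documented can be made mechanically checkable. The following is an added example, not taken from SP 800-82: it hashes each device's exported configuration into a documented baseline, then classifies a later export as unchanged, covered by an approved change record, unauthorized, or undocumented. The configuration texts, the change-record shape and the use of SHA-256 are assumptions; real exports are vendor-specific.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed configuration exports standing in for PLC/RTU/switch output.
CONFIGS = {
    "plc-07":  "mode=run\nscan_ms=10\nallow_remote_download=0\n",
    "rtu-12":  "poll_s=2\nprotocol=dnp3\nauth=enabled\n",
    "sw-core": "vlan 10 ics\nvlan 20 dmz\nport 1 access vlan 10\n",
}


@dataclass
class ChangeRecord:
    """An approved change: the device and the hash of the configuration it authorizes."""
    device: str
    approved_by: str
    new_hash: str


@dataclass
class DriftReport:
    unchanged: list = field(default_factory=list)
    approved: list = field(default_factory=list)      # differs, covered by a record
    unauthorized: list = field(default_factory=list)  # differs, no matching record
    undocumented: list = field(default_factory=list)  # present but not in baseline
    missing: list = field(default_factory=list)       # in baseline but not exported


def config_hash(text):
    """Hash a configuration after normalising line endings and trailing blanks,
    so a cosmetic re-export does not register as a change."""
    canon = "\n".join(l.rstrip() for l in text.replace("\r\n", "\n").splitlines())
    return hashlib.sha256(canon.encode()).hexdigest()


def build_baseline(configs):
    """Document the known-good state: device -> configuration hash."""
    return {dev: config_hash(text) for dev, text in configs.items()}


def check_drift(baseline, current, change_records=()):
    """Compare current exports against the documented baseline."""
    approved = {(r.device, r.new_hash) for r in change_records}
    rep = DriftReport()
    for dev, text in current.items():
        h = config_hash(text)
        if dev not in baseline:
            rep.undocumented.append(dev)
        elif h == baseline[dev]:
            rep.unchanged.append(dev)
        elif (dev, h) in approved:
            rep.approved.append(dev)
        else:
            rep.unauthorized.append(dev)
    rep.missing.extend(dev for dev in baseline if dev not in current)
    return rep


def demo():
    """Baseline the constructed configs, then audit a later export in which:
    plc-07 now permits remote downloads with no change record, rtu-12 was
    re-exported with CRLF endings, sw-core gained an approved VLAN, and an
    unknown device appeared."""
    baseline = build_baseline(CONFIGS)
    later = dict(CONFIGS)
    later["plc-07"] = CONFIGS["plc-07"].replace("allow_remote_download=0",
                                                "allow_remote_download=1")
    later["rtu-12"] = CONFIGS["rtu-12"].replace("\n", "\r\n")
    later["sw-core"] = CONFIGS["sw-core"] + "vlan 30 hist\n"
    later["hmi-99"] = "mode=run\n"
    records = [ChangeRecord("sw-core", "change-board", config_hash(later["sw-core"]))]
    return check_drift(baseline, later, records)
```

Anything in the `unauthorized` or `undocumented` lists is input to the risk assessment the text calls for, and the baseline is only updated once the corresponding change has been approved.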
6.2.6 Contingency Planning
Contingency plans are designed to maintain or restore business operations, including computer operations,
possibly at an alternate location, in the event of emergencies, system failures, or disaster. The security
controls that fall within the NIST SP 800-53 Contingency Planning (CP) family provide policies and
procedures to implement a contingency plan by specifying roles and responsibilities, and assigning
personnel and activities associated with restoring the information system after a disruption or failure. Along
with planning, controls also exist for contingency training, testing, and plan update, and for backup
information processing and storage sites.
Supplemental guidance for the CP controls can be found in the following documents:
• NIST SP 800-34 provides guidance on contingency planning [52].
• NIST SP 800-100 provides guidance on information security governance and planning [27].
ICS-specific Recommendations and Guidance
Contingency plans should cover the full range of failures or problems that could be caused by cyber
incidents. Contingency plans should include procedures for restoring systems from known valid backups,
separating systems from all non-essential interferences and connections that could permit cybersecurity
intrusions, and alternatives to achieve necessary interfaces and coordination. Employees should be trained
and familiar with the contents of the contingency plans. Contingency plans should be periodically reviewed
with employees responsible for restoration of the ICS, and tested to ensure that they continue to meet their
objectives. Organizations also have business continuity plans and disaster recovery plans that are closely
related to contingency plans. Because business continuity and disaster recovery plans are particularly
important for ICS, they are described in more detail in the sections to follow.
6.2.6.1 Business Continuity Planning
Business continuity planning addresses the overall issue of maintaining or reestablishing production in the
case of an interruption. These interruptions may take the form of a natural disaster (e.g., hurricane, tornado,
earthquake, flood), an unintentional man-made event (e.g., accidental equipment damage, fire or explosion,
operator error), an intentional man-made event (e.g., attack by bomb, firearm or vandalism, attacker or
virus), or an equipment failure. From a potential outage perspective, this may involve typical time spans of
days, weeks, or months to recover from a natural disaster, or minutes or hours to recover from a malware
infection or a mechanical/electrical failure. Because there is often a separate discipline
that deals with reliability and electrical/mechanical maintenance, some organizations choose to define
business continuity in a way that excludes these sources of failure. Because business continuity also deals
primarily with the long-term implications of production outages, some organizations also choose to place a
minimum interruption limit on the risks to be considered. For the purposes of ICS cybersecurity, it is
recommended that neither of these constraints be made. Long-term outages (disaster recovery) and short-term
outages (operational recovery) should both be considered. Because some of these potential
interruptions involve man-made events, it is also important to work collaboratively with the physical
security organization to understand the relative risks of these events and the physical security
countermeasures that are in place to prevent them. It is also important for the physical security organization
to understand which areas of a production site house data acquisition and control systems that might have
higher-level risks.
Before creating a business continuity plan (BCP) to deal with potential outages, it is important to specify
the recovery objectives for the various systems and subsystems involved based on typical business needs.
There are two distinct types of objectives: system recovery and data recovery. System recovery involves
the recovery of communication links and processing capabilities, and it is usually specified in terms of a
Recovery Time Objective (RTO). This is defined as the time required to recover the required
communication links and processing capabilities. Data recovery involves the recovery of data describing
production or product conditions in the past and is usually specified in terms of a Recovery Point Objective
(RPO). This is defined as the longest period of time for which an absence of data can be tolerated.
Once the recovery objectives are defined, a list of potential interruptions should be created and the recovery
procedure developed and described. For most of the smaller scale interruptions, repair and replace activities
based on a critical spares inventory will prove adequate to meet the recovery objectives. When this is not
true, contingency plans need to be developed. Due to the potential cost and importance of these
contingency plans, they should be reviewed with the managers responsible for business continuity planning
to verify that they are justified. Once the recovery procedures are documented, a schedule should be
developed to test part or all of the recovery procedures. Particular attention must be paid to the verification
of backups of system configuration data and product or production data. Examples of system configuration
data include computer configuration backups, application configuration backups, operational control limits,
control bands and setpoints for pre-incident operation for all ICS programmable equipment. Not only
should these be tested when they are produced, but the procedures followed for their storage should also be
reviewed periodically to verify that the backups are kept in environmental conditions that will not render
them unusable and that they are kept in a secure location, so they can be quickly obtained by authorized
individuals when needed.
6.2.6.2 Disaster Recovery Planning
A disaster recovery plan (DRP) is a documented process or set of procedures to recover and protect an IT
infrastructure in the event of a disaster. The DRP, ordinarily documented in written form, specifies
procedures an organization is to follow in the event of a disaster. It is a comprehensive statement of
consistent actions to be taken before, during and after a disaster. The disaster could be natural,
environmental or man-made. Man-made disasters could be intentional or unintentional.
ICS-specific Recommendations and Guidance
A DRP is essential to continued availability of the ICS. The DRP should include the following items:
• Required response to events or conditions of varying duration and severity that would activate the recovery plan.
• Procedures for operating the ICS in manual mode with all external electronic connections severed until secure conditions can be restored.
• Roles and responsibilities of responders.
• Processes and procedures for the backup and secure storage of information.
• Complete and up-to-date logical network diagram.
• Personnel list for authorized physical and cyber access to the ICS.
• Communication procedure and list of personnel to contact in the case of an emergency, including ICS vendors, network administrators, ICS support personnel, etc.
• Current configuration information for all components.
• Schedule for exercising the DRP.
The plan should also indicate requirements for the timely replacement of components in the case of an
emergency. If possible, replacements for hard-to-obtain critical components should be kept in inventory.
The security plan should define a comprehensive backup and restore policy. In formulating this policy, the
following should be considered:
• The speed at which data or the system must be restored. This requirement may justify the need for a redundant system, spare offline computer, or valid file system backups.
• The frequency at which critical data and configurations are changing. This will dictate the frequency and completeness of backups.
• The safe onsite and offsite storage of full and incremental backups.
• The safe storage of installation media, license keys, and configuration information.
• Identification of individuals responsible for performing, testing, storing, and restoring backups.
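The recovery objectives of Section 6.2.6.1 (RTO and RPO) and the backup-policy considerations just listed can be checked together per subsystem. The following is an added example, not from SP 800-82: for each subsystem it takes the backup interval, the restore time, the time to fit a critical spare (or the procurement lead time when none is stocked) and the two objectives, then reports whether each objective is met and which of the text's remedies applies (shorter backup interval, stocking a spare, or a contingency plan beyond repair-and-replace). The subsystems and all figures are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Subsystem:
    name: str
    rto_h: float                   # Recovery Time Objective, hours
    rpo_h: float                   # Recovery Point Objective: longest tolerable data gap, hours
    backup_interval_h: float       # how often data/configuration backups are taken
    restore_h: float               # time to restore from a known valid backup
    spare_swap_h: Optional[float]  # time to fit a stocked critical spare; None if none stocked
    procurement_h: float           # lead time to obtain a replacement when no spare exists


@dataclass
class Finding:
    name: str
    rpo_ok: bool
    rto_ok: bool
    worst_data_loss_h: float
    recovery_h: float
    notes: list


def evaluate(s: Subsystem) -> Finding:
    """Check one subsystem's recovery capability against its objectives."""
    notes = []
    # Worst case is a failure just before the next backup: one full interval lost.
    worst_loss = s.backup_interval_h
    rpo_ok = worst_loss <= s.rpo_h
    if not rpo_ok:
        notes.append(f"shorten backup interval to <= {s.rpo_h:g} h "
                     f"(currently {s.backup_interval_h:g} h)")
    # Recovery = obtaining working hardware + restoring configuration/data onto it.
    replacement = s.spare_swap_h if s.spare_swap_h is not None else s.procurement_h
    recovery = replacement + s.restore_h
    rto_ok = recovery <= s.rto_h
    if not rto_ok:
        if s.spare_swap_h is None:
            notes.append("stock a critical spare; procurement lead time drives the RTO miss")
        else:
            notes.append("repair-and-replace cannot meet the RTO; develop a contingency "
                         "plan (e.g., redundant or standby system)")
    return Finding(s.name, rpo_ok, rto_ok, worst_loss, recovery, notes)


# Constructed sample: a historian with daily backups but a 1 h RPO, a PLC whose
# program changes rarely, and an HMI with no spare on hand.
SAMPLE = [
    Subsystem("historian", rto_h=8, rpo_h=1, backup_interval_h=24,
              restore_h=3, spare_swap_h=2, procurement_h=72),
    Subsystem("plc-07", rto_h=2, rpo_h=168, backup_interval_h=168,
              restore_h=0.5, spare_swap_h=1, procurement_h=336),
    Subsystem("hmi-01", rto_h=4, rpo_h=24, backup_interval_h=24,
              restore_h=2, spare_swap_h=None, procurement_h=120),
]


def evaluate_all(subsystems=SAMPLE):
    """Return {name: Finding} for every subsystem in the plan."""
    return {f.name: f for f in map(evaluate, subsystems)}
```

The findings feed the review with the managers responsible for business continuity planning: each unmet objective names the cheapest remedy the text offers before a full contingency plan is justified.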
6.2.7 Identification and Authentication
Authentication describes the process of positively identifying potential network users, hosts, applications,
services, and resources using a combination of identification factors or credentials. The result of this
authentication process then becomes the basis for permitting or denying further actions (e.g., when an
automatic teller machine asks for a PIN). Based on the authentication determination, the system may or
may not allow the potential user access to its resources. Authorization is the process of determining who
and what should be allowed to have access to a particular resource; access control is the mechanism for
enforcing authorization. Access control is described in Section 6.2.1.
There are several possible factors for determining the authenticity of a person, device, or system, including
something you know, something you have or something you are. For example, authentication could be
based on something known (e.g., PIN number or password), something possessed (e.g., key, dongle, smart
card), something you are such as a biological characteristic (e.g., fingerprint, retinal signature), a location
(e.g., Global Positioning System [GPS] location access), the time a request is made, or a combination of
these attributes. In general, the more factors that are used in the authentication process, the more robust the
process will be. When two or more factors are used, the process is known generically as multi-factor
authentication.
The security controls that fall within the NIST SP 800-53 Identification and Authentication (IA) family
provide policy and guidance for the identification and authentication of users of and devices within the
information system. These include controls to manage identifiers and authenticators within each technology
used (e.g., tokens, certificates, biometrics, passwords, key cards).
Supplemental guidance for the IA controls can be found in the following documents:
• NIST SP 800-63 provides guidance on remote electronic authentication [53].
• NIST SP 800-73 provides guidance on interfaces for personal identity verification [49].
• NIST SP 800-76 provides guidance on biometrics for personal identity verification [50].
• NIST SP 800-100 provides guidance on information security governance and planning [27].
ICS-specific Recommendations and Guidance
Computer systems in ICS environments typically rely on traditional passwords for authentication. Control
system suppliers often supply systems with default passwords. These passwords are factory set and are
often easy to guess or are changed infrequently, which creates additional security risks. Also, protocols
currently used in ICS environments generally have inadequate or no network service authentication. There
are now several forms of authentication available in addition to traditional password techniques being used
with ICS. Some of these, including password authentication, are presented in the following sections with
discussions regarding their use with ICS.
6.2.7.1 Password Authentication
Password authentication technologies determine authenticity based on testing for something the device or
human requesting access should know, such as a PIN number or password. Password authentication
schemes are thought of as the simplest and most common forms of authentication.
Password vulnerabilities can be reduced by using an active password checker that prohibits weak, recently
used, or commonly used passwords. Another weakness is the ease of third-party eavesdropping. Passwords
typed at a keyboard are easily observed or recorded, especially in areas where adversaries could plant tiny
wireless cameras or keystroke loggers. Network service authentication often transmits passwords as
plaintext (unencrypted), allowing any network capture tool to expose the passwords.
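An active password checker of the kind described above, as an added example that is not part of SP 800-82: it rejects candidates that are too short, that appear on a common-password list (including the same word with digits appended), that contain the user name, that use a single character class, or that repeat one of the user's recent passwords. Recent passwords are compared through per-entry salted PBKDF2 hashes so no plaintext history is kept. The minimum length, history depth, iteration count and the tiny word list are assumptions; a deployment would use its own policy and a far larger list.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Assumed policy values.
MIN_LENGTH = 12
HISTORY_DEPTH = 5
PBKDF2_ROUNDS = 100_000
# Tiny constructed stand-in for a real common-password list.
COMMON = {"password", "password1", "123456", "admin", "operator", "letmein", "qwerty123"}


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class PasswordHistory:
    """Salted hashes of a user's recent passwords, newest last; plaintext is never kept."""
    entries: list = field(default_factory=list)   # [(salt, hash), ...]

    def contains(self, candidate):
        return any(hmac.compare_digest(_hash(candidate, salt), digest)
                   for salt, digest in self.entries)

    def add(self, password):
        salt = os.urandom(16)
        self.entries.append((salt, _hash(password, salt)))
        del self.entries[:-HISTORY_DEPTH]        # keep only the most recent entries


def check_password(candidate, history=None, username=None):
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    lowered = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Strip trailing digits so that e.g. 'Password2024' still matches 'password'.
    if lowered in COMMON or lowered.rstrip("0123456789") in COMMON:
        problems.append("on the common-password list")
    if username and username.lower() in lowered:
        problems.append("contains the user name")
    classes = sum((
        any(ch.islower() for ch in candidate),
        any(ch.isupper() for ch in candidate),
        any(ch.isdigit() for ch in candidate),
        any(not ch.isalnum() for ch in candidate),
    ))
    if classes < 2:
        problems.append("uses a single character class")
    if history is not None and history.contains(candidate):
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return problems
```

The checker decides only whether a new password is acceptable; it deliberately says nothing about lockout after failed attempts, which the ICS-specific guidance that follows treats as a separate operational decision.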
ICS-specific Recommendations and Guidance
One problem with passwords unique to the ICS environment is that a user's ability to recall and enter a
password may be impacted by the stress of the moment. During a major crisis when human intervention is
critically required to control the process, an operator may panic and have difficulty remembering or
entering the password and either be locked out completely or be delayed in responding to the event. If the
password has been entered wrong and the system has a limit on allowed wrong password entries, the
operator may be locked out permanently until an authorized employee can reset the account. Biometric
identifiers may have similar drawbacks. Organizations should carefully consider the security needs and the
potential ramifications of the use of authentication mechanisms on these critical systems.
Where the ICS cannot support authentication mechanisms, or the organization determines that implementing
them is not advisable (e.g., because performance, safety, or reliability would be adversely affected), the
organization uses compensating controls, such as rigorous physical security controls (e.g., keycard access
to the control center for authorized users), to provide an equivalent security capability or level of
protection for the ICS. This guidance also applies to the use of session lock and session termination in an
ICS.
Special consideration must be given when pushing down policies based on login password authentication
within the ICS environment. Without an exclusion list based on machine identification (ID), a non-operator
logon can cause policies such as auto-logoff timeouts and administrator password replacement to be pushed
down to operator workstations, which can be detrimental to the operation of the system.
Some ICS operating systems make setting secure passwords difficult, as the password size is very small
and the system allows only group passwords at each level of access, not individual passwords. Some
industrial (and Internet) protocols transmit passwords in plaintext, making them susceptible to interception.
In cases where this practice cannot be avoided, it is important that users have different (and unrelated)
passwords for use with encrypted and non-encrypted protocols.
The following are general recommendations and considerations with regard to the use of passwords.
• The length, strength, and complexity of passwords should balance security and operational ease of
access within the capabilities of the software and underlying OS.
• Passwords should have appropriate length and complexity for the required security. In particular, they
should not be findable in a dictionary or contain predictable sequences of numbers or letters.
• Passwords should be used with care on operator interface devices such as control consoles on critical
processes. Using passwords on these consoles could introduce potential safety issues if operators are
locked out or delayed access during critical events. Physical security should supplement operator
control consoles when password protection is not feasible.
• The keeper of master passwords should be a trusted employee, available during emergencies. Any
copies of the master passwords must be stored in a very secure location with limited access.
• The passwords of privileged users (such as network technicians, electrical or electronics technicians
and management, and network designers/operators) should be the most secure and be changed frequently.
Authority to change master passwords should be limited to trusted employees. A password audit
record, especially for master passwords, should be maintained separately from the control system.
• In environments with a high risk of interception or intrusion (such as remote operator interfaces in a
facility that lacks local physical security access controls), organizations should consider
supplementing password authentication with other forms of authentication such as multi-factor
authentication using biometric or physical tokens.
• For user authentication purposes, password use is common and generally acceptable for users logging
directly into a local device or computer. Passwords should not be sent across any network unless
protected by some form of FIPS-approved encryption or by a salted cryptographic hash specifically
designed to prevent replay attacks (a hash that is not bound to a fresh per-session value can itself be
captured and replayed). It is assumed that the device used to enter a password is connected
to the network in a secure manner.
• For network service authentication purposes, passwords should not be passed as plain text. There are
more secure alternatives available, such as challenge/response or public key authentication.
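The "active password checker" mentioned at the start of this section, and the dictionary, sequence and reuse rules in the list above, can be expressed as a policy function. The following is an added example and not code from NIST SP 800-82 or from any vendor product: the dictionary, the common-password list, the twelve-character minimum and the history depth are constructed for the illustration, and a deployment would load a full dictionary and a breached-password list instead.

```python
"""Active password checker for an ICS account policy.

Added example, not from NIST SP 800-82 or any vendor product. The dictionary,
the common-password list, the minimum length and the history depth are
constructed for this illustration.
"""
import hashlib
import re

# Constructed sample lists (far too small for real use).
DICTIONARY = {"password", "operator", "control", "plant", "scada", "admin"}
COMMON_PASSWORDS = {"123456", "password", "admin", "operator1", "qwerty"}
HISTORY_DEPTH = 5        # previous passwords that may not be reused
MIN_LENGTH = 12


def password_digest(pw: str) -> str:
    """History is kept as digests so old passwords are never stored in clear."""
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def has_sequence(pw: str, run: int = 4) -> bool:
    """True if `run` consecutive characters ascend (abcd, 1234), descend
    (4321) or repeat (aaaa): the 'predictable sequence' of the guidance."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        window = s[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps in ({1}, {-1}, {0}):
            return True
    return False


def contains_dictionary_word(pw: str, min_word: int = 4) -> bool:
    """Strip digits and symbols first so 'Operator2024!' still reveals 'operator'."""
    letters = re.sub(r"[^a-z]", "", pw.lower())
    return any(w in letters for w in DICTIONARY if len(w) >= min_word)


def check_password(pw: str, history: list) -> list:
    """Return the policy violations for a candidate password (empty = accepted).
    `history` holds password_digest() values of the user's previous passwords,
    oldest first."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(re.search(p, pw) is not None
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("fewer than three character classes")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("commonly used password")
    if contains_dictionary_word(pw):
        problems.append("contains a dictionary word")
    if has_sequence(pw):
        problems.append("contains a predictable sequence")
    if password_digest(pw) in history[-HISTORY_DEPTH:]:
        problems.append(f"reused within the last {HISTORY_DEPTH} passwords")
    return problems


if __name__ == "__main__":
    for candidate in ("Operator2024!", "abcd1234", "Tk7#vQ2m!xR9"):
        print(candidate, "->", check_password(candidate, []) or ["accepted"])
```

The checker reports every violated rule rather than stopping at the first one, so an operator who is refused a password sees at once what has to change; on a console where lockout during an event is a safety concern, this kind of feedback at password-change time is preferable to discovering a weak password later through a lockout policy.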
6.2.7.2 Challenge/response Authentication
Challenge/response authentication requires that both the service requester and the service provider know a
"secret" code in advance. When service is requested, the service provider sends a random number or string
to the service requester as a challenge. The service requester uses the secret to generate a response that is
unique to that challenge and returns it to the service provider. If the response is as expected, it proves that
the service requester has access to the "secret" without ever exposing the secret on the network.
Challenge/response authentication addresses the security vulnerabilities of traditional password
authentication. When passwords (hashed or plain) are sent across a network, a portion of the actual "secret"
itself is being sent, handing the secret to the remote device that performs the authentication. Traditional
password exchange therefore always carries the risk of discovery or replay. Because the secret is known in
advance and never sent in challenge/response systems, the risk of the secret being read off the wire is
eliminated. If the service provider never sends the same challenge twice, and the receiver detects all
duplicates, the risks of network capture and replay attacks are eliminated as well. One residual risk remains:
a captured challenge/response pair lets an eavesdropper test candidate secrets offline, so the shared secret
must be long and random rather than a guessable password.
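The exchange described above, with both sides' messages, the single-use handling of each challenge and the offline-guessing weakness that remains when the secret is a guessable password, as an added example that is not part of NIST SP 800-82 or of any ICS protocol. The HMAC-SHA256 construction, the class and function names and the word list are this example's own choices.

```python
"""Challenge/response over an untrusted network, with replay detection.

Added example, not from NIST SP 800-82 or any ICS protocol: an HMAC-SHA256
construction in which the shared secret never leaves either party, the
service provider accepts each challenge once, and a captured exchange is
shown to be attackable offline when the secret is a guessable password.
"""
import hashlib
import hmac
import secrets
from typing import Optional


def compute_response(secret: bytes, user: str, challenge: bytes) -> bytes:
    """Requester side: keyed MAC over user name and challenge. Only the MAC
    goes on the wire, never the secret."""
    return hmac.new(secret, user.encode() + b"|" + challenge, hashlib.sha256).digest()


class ServiceProvider:
    """Provider side: holds the shared secrets and the set of challenges
    that are still awaiting an answer."""

    def __init__(self, secrets_by_user: dict):
        self._secrets = dict(secrets_by_user)
        self._pending = {}      # user -> set of unanswered challenges
        self._issued = set()    # every challenge ever sent; never repeat one

    def issue_challenge(self, user: str) -> bytes:
        while True:
            c = secrets.token_bytes(16)     # fresh random challenge
            if c not in self._issued:
                break
        self._issued.add(c)
        self._pending.setdefault(user, set()).add(c)
        return c

    def verify(self, user: str, challenge: bytes, response: bytes) -> bool:
        secret = self._secrets.get(user)
        pending = self._pending.get(user, set())
        if secret is None or challenge not in pending:
            return False            # unknown user, never issued, or replayed
        pending.discard(challenge)  # consume: a second answer is a replay
        expected = compute_response(secret, user, challenge)
        return hmac.compare_digest(expected, response)


def offline_guess(user: str, challenge: bytes, response: bytes,
                  candidates) -> Optional[bytes]:
    """What an eavesdropper can do with one captured (challenge, response):
    try candidate secrets until one reproduces the response."""
    for cand in candidates:
        if hmac.compare_digest(compute_response(cand, user, challenge), response):
            return cand
    return None


def demo() -> dict:
    """Run the exchanges described in the text and report each outcome."""
    weak = b"operator1"                   # guessable shared secret
    strong = secrets.token_bytes(32)      # random 256-bit shared secret
    provider = ServiceProvider({"hmi01": weak, "hmi02": strong})
    wordlist = [b"password", b"admin", b"operator1", b"plant123"]  # constructed
    out = {}

    c1 = provider.issue_challenge("hmi01")
    r1 = compute_response(weak, "hmi01", c1)
    out["genuine"] = provider.verify("hmi01", c1, r1)
    out["replay"] = provider.verify("hmi01", c1, r1)       # same pair again

    c2 = provider.issue_challenge("hmi02")
    out["wrong_secret"] = provider.verify("hmi02", c2, compute_response(weak, "hmi02", c2))

    # Eavesdropper works on the captured pairs (c1, r1) and (c3, r3) offline.
    out["weak_secret_recovered"] = offline_guess("hmi01", c1, r1, wordlist) == weak
    c3 = provider.issue_challenge("hmi02")
    r3 = compute_response(strong, "hmi02", c3)
    out["strong_secret_recovered"] = offline_guess("hmi02", c3, r3, wordlist) is not None
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
</test>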
ICS-specific Recommendations and Guidance
For user authentication, the direct use of challenge/response authentication may not be feasible for a control
system, because of the latency it may introduce into the fast dynamics required for access to a control
system or industrial network. For network service authentication, the use of challenge/response
authentication is preferable to more traditional password or source identity authentication schemes.
Challenge/response authentication provides more security than encrypted passwords for user authentication
across a network. Managing master encryption algorithms and master passwords becomes increasingly
complex as more parties are involved in the security processes, and this is an important consideration in the
robustness of the security scheme.
6.2.7.3 Physical Token Authentication
Physical or token authentication is similar to password authentication, except that these technologies
determine authenticity by testing for a secret code or key produced by a device or token in the possession of
the person requesting access, such as a security token or smart card. Increasingly, private keys are being
embedded in physical devices such as USB dongles. Some tokens support single-factor authentication only,
so that simply possessing the token is sufficient to be authenticated. Others support multi-factor
authentication, which requires knowledge of a PIN or password in addition to possession of the token.
The primary vulnerability that token authentication addresses is the ease with which a secret code can be
duplicated or shared with others. It eliminates the all-too-common scenario of the password to a "secure"
system being left on the wall next to a PC or operator station. A security token cannot be duplicated without
special access to equipment and supplies.
A second benefit is that the secret within a physical token can be very large, physically secure, and
randomly generated. Because it is embedded in metal or silicon, it does not carry the same risks that
manually entered passwords do. If a security token is lost or stolen, the authorized user loses access and so
notices the loss, unlike a traditional password, which can be lost or stolen without anyone noticing.
Common forms of physical/token authentication include:
• Traditional physical locks and keys.
• Security cards (e.g., magnetic, smart chip, optical coding).
• Radio frequency devices in the form of cards, key fobs, or mounted tags.
• Dongles with secure encryption keys that attach to the USB, serial, or parallel ports of computers.
• One-time authentication code generators (e.g., key fobs).
For single-factor authentication, the largest weakness is that physically holding the token means access is
granted (e.g., anyone finding a set of lost keys now has access to whatever they open). Physical/token
authentication is more secure when combined with a second form of authentication, such as a memorized
PIN used along with the token.
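The "one-time authentication code generator" in the list above, paired with the memorized PIN the last paragraph recommends, as an added example (not code from NIST SP 800-82 or from any token vendor). It implements the HOTP construction of RFC 4226 (HMAC-SHA1 with dynamic truncation) so the codes can be checked against the RFC's published test vectors; the three-press look-ahead window and the PIN handling are choices made for this example, not part of the RFC.

```python
"""One-time code generator (token side) and verifier (server side).

Added example, not from NIST SP 800-82: the HOTP construction of RFC 4226
(HMAC-SHA1, dynamic truncation, 6 digits). TEST_SECRET is the RFC 4226
test-vector key so the codes can be checked against the RFC's Appendix D;
the look-ahead window and the PIN second factor are this example's choices.
"""
import hashlib
import hmac
import struct

DIGITS = 6
LOOK_AHEAD = 3                            # unused button presses tolerated
TEST_SECRET = b"12345678901234567890"    # RFC 4226 test-vector key


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """Code displayed by the fob for one counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                              # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TokenVerifier:
    """Server state for one token: the last accepted counter. Codes for that
    counter or earlier are rejected, so a code seen on the wire or over a
    shoulder cannot be reused."""

    def __init__(self, secret: bytes, pin: str):
        self._secret = secret
        self._pin = pin.encode()
        self._counter = -1          # nothing accepted yet

    def verify(self, code: str, pin: str) -> bool:
        # Something known (PIN) checked alongside something possessed (code).
        if not hmac.compare_digest(pin.encode(), self._pin):
            return False
        for c in range(self._counter + 1, self._counter + 1 + LOOK_AHEAD):
            if hmac.compare_digest(hotp(self._secret, c).encode(), code.encode()):
                self._counter = c   # resynchronise and consume this code
                return True
        return False


if __name__ == "__main__":
    for n in range(3):
        print(n, hotp(TEST_SECRET, n))   # 755224, 287082, 359152 per RFC 4226
    v = TokenVerifier(TEST_SECRET, "4711")
    print("first use:", v.verify("755224", "4711"))
    print("replayed:", v.verify("755224", "4711"))
```

The look-ahead window is what keeps a fob usable after a few presses that never reached the server; widening it makes resynchronisation easier for operators but gives an attacker holding a captured future code more room, so the window is a site decision like the lockout threshold discussed under password authentication.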
ICS-specific Recommendations and Guidance
Multi-factor authentication is an accepted good practice for access to ICS applications from outside the ICS
firewall.
Physical/token authentication has the potential for a strong role in ICS environments. An access card or
other token can be an effective form of authentication for computer access, as long as the computer is in a
secure area (e.g., once the operator has gained access to the room with appropriate secondary
authentication, the card alone can be used to enable control actions).
6.2.7.4 Smart Card Authentication
Smart cards are similar to token authentication, but can provide additional functionality. Smart cards can be
configured to run multiple on-board applications to support building access, computer dual-factor or triple-
factor authentication and cashless vending on a single card, while also acting as the company photo ID for
the individual.
Typically, smart cards come in a credit card size form-factor that can be printed, embossed, and
individually personalized. Smart cards can be customized, individualized, and issued in-house or
outsourced to service providers who typically issue hundreds of thousands of cards per day.
Smart cards enhance software-only solutions, such as password authentication, by offering an additional
authentication factor and removing the human element in memorizing complex secrets. They also:
• Isolate security-critical computations, involving authentication, digital signatures, and key exchange,
from other parts of the system that do not have a need to know.
• Enable portability of credentials and other private information between multiple computer systems.
• Provide tamper-resistant storage for protecting private keys and other forms of personal information.
The majority of issues are logistical around issuing the cards, particularly to replace lost or stolen cards.
ICS-specific Recommendations and Guidance
Although smart cards are relatively inexpensive and offer useful functionality in an industrial control
system context, their implementation must be done within the overall security context of the plant. The
necessary identification of individuals, issuance of cards, revocation should compromise be suspected, and
assignment of authorizations to authenticated identities represent a significant initial and ongoing
challenge. In some cases corporate IT or other resources may be available to assist in the deployment of
smart card and public key based infrastructures.
If smart cards are implemented in an industrial control setting, provisions for management of lost or
damaged cards should be considered, as well as the costs to incorporate a respective access control system
and provide a management process for card distribution and retrieval.
6.2.7.5 Biometric Authentication
Biometric authentication technologies determine authenticity by determining presumably unique biological
characteristics of the human requesting access. Usable biometric features include finger minutiae, facial
geometry, retinal and iris signatures, voice patterns, typing patterns, and hand geometry.
Like physical tokens and smart cards, biometric authentication enhances software-only solutions, such as
password authentication, by offering an additional authentication factor and removing the human element
in memorizing complex secrets. In addition, because biometric characteristics are unique to a given
individual, biometric authentication addresses the issues of lost or stolen physical tokens and smart cards.
Noted issues with biometric authentication include:
• Distinguishing a real object from a fake (e.g., how to distinguish a real human finger from a
silicone-rubber cast of one, or a real human voice from a recording).
• Generating type-I and type-II errors (the probability of rejecting a valid biometric image, the false
reject rate, and the probability of accepting an invalid biometric image, the false accept rate). Biometric
authentication devices should be configured at the threshold where these two probabilities cross, also
known as the crossover error rate.
• Handling environmental factors such as temperature and humidity, to which some biometric devices
are sensitive.
• Addressing industrial applications where employees may be wearing safety glasses and/or gloves and
where industrial chemicals may affect biometric scanners.
• Retraining biometric scanners that occasionally "drift" over time. Human biometric traits may also
shift over time, necessitating periodic scanner retraining.
• Requiring face-to-face technical support and verification for device training, unlike a password that
can be given over a phone or an access card that can be handed out by a receptionist.
• Denying needed access to the control system because of a temporary inability of the sensing device to
recognize a legitimate user.
• Being socially acceptable. Users consider some biometric authentication devices more acceptable than
others. For example, retinal scans may be considered very low on the scale of acceptability, while
thumbprint scanners may be considered high. Those deploying biometric authentication devices need to
take the social acceptability for their target group into consideration when selecting among biometric
authentication technologies.
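The type-I/type-II trade-off and the crossover point in the second item above, carried through on numbers, as an added example that is not from NIST SP 800-82. The matcher scores are constructed for the illustration; a real installation derives the curves from scores measured on enrolled users and impostors under the site's own environmental conditions, which is the assessment the next subsection asks for.

```python
"""Type-I / type-II error rates of a biometric matcher and the crossover point.

Added example, not from NIST SP 800-82. The similarity scores below are
constructed (not measured); a real system sweeps scores collected on the
actual installation.
"""

# Constructed similarity scores on a 0..100 scale: genuine users should
# score high, impostors low, but the two ranges overlap (72..79).
GENUINE = [72, 81, 85, 88, 90, 91, 93, 94, 96, 98]
IMPOSTOR = [20, 35, 41, 50, 55, 60, 64, 70, 74, 79]


def false_reject_rate(threshold: int, genuine=GENUINE) -> float:
    """Type-I error: a legitimate user scores below the threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def false_accept_rate(threshold: int, impostor=IMPOSTOR) -> float:
    """Type-II error: an impostor scores at or above the threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def crossover(genuine=GENUINE, impostor=IMPOSTOR) -> tuple:
    """Threshold where |FRR - FAR| is smallest; returns (threshold, frr, far).
    Above it, raising the threshold buys fewer impostor acceptances at the
    price of more lockouts of legitimate operators."""
    best = None
    for t in range(0, 101):
        frr = false_reject_rate(t, genuine)
        far = false_accept_rate(t, impostor)
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, t, frr, far)
    return best[1:]


if __name__ == "__main__":
    t, frr, far = crossover()
    print(f"crossover at threshold {t}: FRR={frr:.2f}, FAR={far:.2f}")
    for t in (60, 75, 90):
        print(t, false_reject_rate(t), false_accept_rate(t))
```

With these constructed scores the curves cross at a threshold of 75, where one genuine user in ten is rejected and one impostor in ten is accepted. For an operator console the rejection side of that trade is a safety question, which is why the guidance that follows treats biometrics as a secondary check rather than the sole gate.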
ICS-specific Recommendations and Guidance
Biometric devices make a useful secondary check compared with other forms of authentication that can be
lost or borrowed. Using biometric authentication in combination with token-based access control or badge-
operated employee time clocks increases the security level. One possible application is a control room that
is environmentally controlled and physically secured [34].
Biometrics can provide a valuable authentication mechanism, but they need to be carefully assessed for
industrial applications, because physical and environmental conditions within the installation environment
may need to be adjusted before authorized users can be authenticated reliably. The exact physical and
environmental properties of an installation should be coordinated with the system vendor or manufacturer.
6.2.8 Incident Response
An incident response plan is documentation of a predetermined set of instructions or procedures to detect,
respond to, and limit the consequences of incidents against an organization's information systems. Response
should be measured first and foremost against the "service being provided," not just the system that was
compromised. If an incident is discovered, a quick risk assessment should be performed to evaluate both
the effect of the attack and the options for responding. For example, one possible response option is to
physically isolate the system under attack. However, this may have such a dire impact on the service that it
is dismissed as not viable.
The security controls that fall within the NIST SP 800-53 Incident Response (IR) family provide policies
and procedures for incident response monitoring, handling, and reporting. The handling of a security
incident includes preparation, detection and analysis, containment, eradication, and recovery. Controls also
cover incident response training for personnel and testing the incident response capability for an
information system.
Supplemental guidance for the IR controls can be found in the following documents:
• NIST SP 800-61 provides guidance on incident handling and reporting [59].
• NIST SP 800-83 provides guidance on malware incident prevention and handling [60].
• NIST SP 800-100 provides guidance on information security governance and planning [27].
ICS-specific Recommendations and Guidance
Regardless of the steps taken to protect an ICS, it is always possible that it may be compromised by an
intentional or unintentional incident. The following symptoms can arise from normal network problems,
but when several symptoms start to appear, a pattern may indicate the ICS is under attack and may be
worth investigating further. If the adversary is skilled, it may not be very obvious that an attack is
underway.
The symptoms of an incident could include any of the following:
• Unusually heavy network traffic.
• Out of disk space or significantly reduced free disk space.
• Unusually high CPU usage.
• Creation of new user accounts.
• Attempted or actual use of administrator-level accounts.
• Locked-out accounts.
• Account in use when the user is not at work.
• Cleared log files.
• Full log files with an unusually large number of events.
• Antivirus or IDS alerts.
• Disabled antivirus software and other security controls.
• Unexpected patch changes.
• Machines connecting to outside IP addresses.
• Requests for information about the system (social engineering attempts).
• Unexpected changes in configuration settings.
• Unexpected system shutdown.
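The symptom list above is meant to be read as a pattern rather than item by item: any one entry can be an ordinary network or housekeeping problem, but several co-occurring on one host is what warrants a closer look. The following added example (not code from NIST SP 800-82 or the JPCERT translation) evaluates one predicate per listed symptom over constructed host telemetry and escalates a host only when at least three symptoms coincide; the field names, thresholds, shift hours, ICS address range and sample log lines are all assumptions.

```python
"""Correlate the incident symptoms listed above across per-host telemetry.

Added example, not code from NIST SP 800-82 or the JPCERT translation.
Field names, thresholds, shift hours, the ICS address range and the sample
log lines are all constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List

@dataclass
class HostTelemetry:
    """Constructed snapshot for one ICS host (assumed field names)."""
    host: str
    cpu_pct: float
    disk_free_pct: float
    net_bytes_per_s: float
    net_baseline_bytes_per_s: float
    events: List[dict] = field(default_factory=list)  # parsed log events

SHIFT_HOURS = range(6, 22)                    # assumed staffed hours 06:00-21:59
INVESTIGATE_THRESHOLD = 3                     # "several symptoms" -> escalate
ICS_NETWORKS = [ip_network("10.20.0.0/16")]   # assumed ICS address space

def parse_event(line: str) -> dict:
    """Parse a constructed 'timestamp key=value ...' log line into a dict."""
    ts, *pairs = line.split()
    event = {"ts": datetime.fromisoformat(ts)}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event

def _has(events: List[dict], **match) -> bool:
    """True if any event carries every key=value given in match."""
    return any(all(e.get(k) == v for k, v in match.items()) for e in events)

def _external(ip: str) -> bool:
    """An address outside every ICS subnet counts as an 'outside IP address'."""
    addr = ip_address(ip)
    return not any(addr in net for net in ICS_NETWORKS)

# One predicate per symptom from the page's list; each alone may be benign.
SYMPTOMS: Dict[str, Callable[[HostTelemetry], bool]] = {
    "unusually heavy network traffic":
        lambda t: t.net_bytes_per_s > 3 * t.net_baseline_bytes_per_s,
    "low free disk space": lambda t: t.disk_free_pct < 10,
    "unusually high CPU usage": lambda t: t.cpu_pct > 90,
    "new user account created": lambda t: _has(t.events, event="account_created"),
    "administrator-level logon": lambda t: _has(t.events, event="logon", level="admin"),
    "locked-out account": lambda t: _has(t.events, event="lockout"),
    "account in use outside shift hours": lambda t: any(
        e.get("event") == "logon" and e["ts"].hour not in SHIFT_HOURS
        for e in t.events),
    "log file cleared": lambda t: _has(t.events, event="log_cleared"),
    "antivirus or IDS alert": lambda t: (_has(t.events, event="av_alert")
                                         or _has(t.events, event="ids_alert")),
    "security control disabled": lambda t: _has(t.events, event="av_disabled"),
    "connection to outside IP address": lambda t: any(
        e.get("event") == "connect" and _external(e["dst"]) for e in t.events),
    "unexpected configuration change":
        lambda t: _has(t.events, event="config_changed", approved="no"),
    "unexpected shutdown": lambda t: _has(t.events, event="shutdown", planned="no"),
}

def evaluate_host(t: HostTelemetry) -> dict:
    """List the triggered symptoms; several together form a pattern worth a look."""
    triggered = [name for name, pred in SYMPTOMS.items() if pred(t)]
    return {"host": t.host, "symptoms": triggered,
            "investigate": len(triggered) >= INVESTIGATE_THRESHOLD}

def triage(hosts: List[HostTelemetry]) -> List[dict]:
    return [evaluate_host(h) for h in hosts]

def sample_hosts() -> List[HostTelemetry]:
    """Constructed telemetry: hmi01 shows a correlated pattern, while plc_gw
    shows one isolated disk-space symptom, more likely ordinary housekeeping."""
    hmi01_log = [
        "2024-03-10T02:15:00 host=hmi01 event=account_created user=svc_tmp",
        "2024-03-10T02:16:10 host=hmi01 event=logon user=svc_tmp level=admin",
        "2024-03-10T02:20:00 host=hmi01 event=connect dst=203.0.113.7 dport=443",
        "2024-03-10T02:25:00 host=hmi01 event=log_cleared log=Security",
    ]
    plc_gw_log = [
        "2024-03-10T09:00:00 host=plc_gw event=logon user=eng02 level=user",
        "2024-03-10T09:05:00 host=plc_gw event=connect dst=10.20.1.5 dport=502",
    ]
    return [
        HostTelemetry("hmi01", cpu_pct=45, disk_free_pct=40,
                      net_bytes_per_s=5e6, net_baseline_bytes_per_s=1e6,
                      events=[parse_event(line) for line in hmi01_log]),
        HostTelemetry("plc_gw", cpu_pct=20, disk_free_pct=8,
                      net_bytes_per_s=1.1e6, net_baseline_bytes_per_s=1e6,
                      events=[parse_event(line) for line in plc_gw_log]),
    ]

if __name__ == "__main__":
    for result in triage(sample_hosts()):
        print(result)
```

Thresholds and the three-symptom cutoff are deliberately simple; in practice each predicate would be tuned to the site's own baselines so that a single noisy indicator does not drown the pattern.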
To minimize the effects of these intrusions, it is necessary to plan a response. Incident response planning
defines procedures to be followed when an intrusion occurs. NIST SP 800-61 Revision 2, Computer
Security Incident Handling Guide [59], provides guidance on incident response planning, which might
include the following items:
• Classification of Incidents. The various types of ICS incidents should be identified and classified as
to potential impact so that a proper response can be formulated for each potential incident.
• Response Actions. There are several responses that can be taken in the event of an incident. These
range from doing nothing to full system shutdown (although full shutdown of an ICS is a highly
unlikely response). The response taken will depend on the type of incident and its effect on the ICS
system and the physical process being controlled. A written plan documenting the types of incidents
and the response to each type should be prepared. This will provide guidance during times when there
might be confusion or stress due to the incident. This plan should include step-by-step actions to be
taken by the various organizations. If there are reporting requirements, these should be noted as well
as where the report should be made and phone numbers to reduce reporting confusion.
• Recovery Actions. The results of the intrusion could be minor, or the intrusion could cause many
problems in the ICS. Risk analysis should be conducted to determine the sensitivity of the physical
system being controlled to failure modes in the ICS. In each case, step-by-step recovery actions should
be documented so that the system can be returned to normal operations as quickly and safely as
possible. Recovery actions for an intrusion that affects operation of the ICS will closely align with the
system's Disaster Recovery Plan, and should take into account the planning and coordination already
established.
During the preparation of the incident response plan, input should be obtained from the various
stakeholders including operations, engineering, IT, system support vendors, management, organized labor,
legal, and safety. These stakeholders should also review and approve the plan.
6.2.9 Maintenance
The security controls that fall within the NIST SP 800-53 Maintenance (MA) family provide policy and
procedure for performing routine and preventative maintenance on the components of an information
system. This includes the usage of maintenance tools (both local and remote) and management of
maintenance personnel.
Supplemental guidance for the MA controls can be found in the following documents:
• NIST SP 800-63 provides guidance on electronic authentication for remote maintenance [53].
• NIST SP 800-100 provides guidance on information security governance and planning [27].
6.2.10 Media Protection
The security controls that fall within the NIST SP 800-53 Media Protection (MP) family provide policies
and procedures for limiting the access to media to authorized users. Controls also exist for labeling media
for distribution and handling requirements, as well as storage, transport, sanitization (removal of
information from digital media), destruction, and disposal of the media.
Supplemental guidance for the MP controls can be found in the following documents:
• NIST SP 800-88 provides guidance on appropriate sanitization equipment, techniques, and procedures [78].
• NIST SP 800-100 provides guidance on information security governance and planning [27].
ICS-specific Recommendations and Guidance
Media assets include removable media and devices such as floppy disks, CDs, DVDs and USB memory
sticks, as well as printed reports and documents. Physical security controls should address specific
requirements for the safe and secure maintenance of these assets and provide specific guidance for
transporting, handling, and erasing or destroying these assets. Security requirements could include safe
storage from loss, fire, theft, unintentional distribution, or environmental damage.
If an adversary gains access to backup media associated with an ICS, it could provide valuable data for
launching an attack. Recovering an authentication file from the backups might allow an adversary to run
password cracking tools and extract usable passwords. In addition, the backups typically contain machine
names, IP addresses, software version numbers, usernames, and other data useful in planning an attack.
The use of any unauthorized CDs, DVDs, floppy disks, USB memory sticks, or similar removable media
on any node that is part of or connected to the ICS should not be permitted in order to prevent the
introduction of malware or the inadvertent loss or theft of data. Where the system components use
unmodified industry standard protocols, mechanized policy management software can be used to enforce
media protection policy.
6.2.11 Physical and Environmental Protection
The security controls that fall within the NIST SP 800-53 Physical and Environmental Protection (PE)
family provide policy and procedures for all physical access to an information system including designated
entry/exit points, transmission media, and display media. These include controls for monitoring physical
access, maintaining logs, and handling visitors. This family also includes controls for the deployment and
management of emergency protection controls such as emergency shutdown of the IT system, backup for
power and lighting, controls for temperature and humidity, and protection against fire and water damage.
Supplemental guidance for the PE controls can be found in the following documents:
• NIST SP 800-46 provides guidance on telecommuting and broadband communication security [51].
• NIST SP 800-100 provides guidance on information security governance and planning [27].
Physical security measures are designed to reduce the risk of accidental or deliberate loss or damage to
plant assets and the surrounding environment. The assets being safeguarded may be physical assets such as
tools and plant equipment, the environment, the surrounding community, and intellectual property,
including proprietary data such as process settings and customer information. The deployment of physical
security controls is often subject to environmental, safety, regulatory, legal, and other requirements that
must be identified and addressed specific to a given environment. The subject of deploying physical
security controls is vast and needs to be specific to the type of protection needed.
ICS-specific Recommendations and Guidance
The physical protection of the cyber components and data associated with the ICS must be addressed as
part of the overall security of a plant. Security at many ICS facilities is closely tied to plant safety. A
primary goal is to keep people out of hazardous situations without preventing them from doing their job or
carrying out emergency procedures. Physical security controls are any physical measures, either active or
passive, that limit physical access to any information assets in the ICS environment. These measures are
employed to prevent many types of undesirable effects, including:
• Unauthorized physical access to sensitive locations.
• Physical modification, manipulation, theft or other removal, or destruction of existing systems,
infrastructure, communications interfaces, personnel, or physical locations.
• Unauthorized observation of sensitive informational assets through visual observation, note taking,
photographs, or other means.
• Unauthorized introduction of new systems, infrastructure, communications interfaces, or other
hardware.
• Unauthorized introduction of devices intentionally designed to cause hardware manipulation,
communications eavesdropping, or other harmful impact.
Gaining physical access to a control room or control system components often implies gaining logical
access to the process control system as well. Likewise, having logical access to systems such as main
servers and control room computers allows an adversary to exercise control over the physical process.
If computers are readily accessible, and they have removable media drives (e.g., floppy disks, compact
discs, external hard drives) or USB ports, the drives can be fitted with locks or removed from the
computers and USB ports disabled. Depending on security needs and risks, it might also be prudent to
disable or physically protect power buttons to prevent unauthorized use. For maximum security, servers
should be placed in locked areas and authentication mechanisms (such as keys) protected. Also, the
network devices on the ICS network, including switches, routers, network jacks, servers, workstations, and
controllers, should be located in a secured area that can only be accessed by authorized personnel. The
secured area should also be compatible with the environmental requirements of the devices.
A defense-in-depth solution to physical security should include the following attributes:
• Protection of Physical Locations. Classic physical security considerations typically refer to a ringed
architecture of layered security measures. Creating several physical barriers, both active and passive,
around buildings, facilities, rooms, equipment, or other informational assets, establishes these physical
security perimeters. Physical security controls meant to protect physical locations include fences, anti-
vehicle ditches, earthen mounds, walls, reinforced barricades, gates, or other measures. Most
organizations include this layered model by preventing access to the plant first by the use of fences,
guard shacks, gates, and locked doors.
• Access Control. Access control systems should ensure that only authorized people have access to
controlled spaces. An access control system should be flexible. The need for access may be based on
time (day vs. night shift), level of training, employment status, work assignment, plant status, and a
myriad of other factors. A system must be able to verify that persons being granted access are who
they say they are (usually using something the person has, such as an access card or key; something
they know, such as a personal identification number (PIN); or something they are, using a biometric
device). Access control should be highly reliable, yet not interfere with the routine or emergency
duties of plant personnel. Integration of access control into the process system allows a view into not
only security access, but also physical and personnel asset tracking, dramatically accelerating response
time in emergencies, helping to direct individuals to safe locations, and improving overall
productivity. Within an area, access to network and computer cabinets should be limited to only those
who have a need, such as network technicians and engineers, or computer maintenance staff.
Equipment cabinets should be locked and wiring should be neat and within cabinets. Consider keeping
all computers in secure racks and using peripheral extender technology to connect human-machine
interfaces to the racked computers.
  ◦ Access Monitoring Systems. Access monitoring systems include still and video cameras, sensors, and
various types of identification systems. Examples of these systems include cameras that monitor
parking lots, convenience stores, or airline security. These devices do not specifically prevent access
to a particular location; rather, they store and record either the physical presence or the lack of
physical presence of individuals, vehicles, animals, or other physical entities. Adequate lighting
should be provided based on the type of access monitoring device deployed.
  ◦ Access Limiting Systems. Access limiting systems may employ a combination of devices to
physically control or prevent access to protected resources. Access limiting systems include both
active and passive security devices such as fences, doors, safes, gates, and guards. They are often
coupled with identification and monitoring systems to provide role-based access for specific
individuals or groups of individuals.
• People and Asset Tracking. Locating people and vehicles in a large installation is important for
safety reasons, and it is increasingly important for security reasons as well. Asset location
technologies can be used to track the movements of people and vehicles within the plant, to ensure
that they stay in authorized areas, to identify personnel needing assistance, and to support emergency
response.
• Environmental Factors. In addressing the security needs of the system and data, it is important to
consider environmental factors. For example, if a site is dusty, systems should be placed in a filtered
environment. This is particularly important if the dust is likely to be conductive or magnetic, as in the
case of sites that process coal or iron. If vibration is likely to be a problem, systems should be
mounted on rubber bushings to prevent disk crashes and wiring connection problems. In addition, the
environments containing systems and media (e.g., backup tapes, floppy disks) should have stable
temperature and humidity. An alarm to the process control system should be generated when
environmental specifications such as temperature and humidity are exceeded.
• Environmental Control Systems. Heating, ventilation, and air conditioning (HVAC) systems for
control rooms must support plant personnel during normal operation and emergency situations, which
could include the release of toxic substances. Fire systems must be carefully designed to avoid causing
more harm than good (e.g., to avoid mixing water with incompatible products). HVAC and fire
systems have significantly increased roles in security that arise from the interdependence of process
control and security. For example, fire prevention and HVAC systems that support industrial control
computers need to be protected against cyber incidents.
• Power. Reliable power for the ICS is essential, so an uninterruptible power supply (UPS) should be
provided. If the site has an emergency generator, the UPS battery life may only need to be a few
seconds; however, if the site relies on external power, the UPS battery life may need to be hours. It
should be sized, at a minimum, so that the system can be shut down safely.
6.2.11.1 Control Center/Control Room
ICS-specific Recommendations and Guidance
Providing physical security for the control center/control room is essential to reduce the potential of many
threats. Control centers/control rooms frequently have consoles continuously logged onto the primary
control server, where speed of response and continual view of the plant is of utmost importance. These
areas will often contain the servers themselves, other critical computer nodes, and sometimes plant
controllers. It is essential that access to these areas be limited to authorized users only, using authentication
methods such as smart or magnetic identity cards or biometric devices. In extreme cases, it may be
considered necessary to make the control center/control room blast-proof, or to provide an offsite
emergency control center/control room so that control can be maintained if the primary control
center/control room becomes uninhabitable.
6.2.11.2 Portable Devices
ICS-specific Recommendations and Guidance
Computers and computerized devices used for ICS functions (such as PLC programming) should never be
allowed to leave the ICS area. Laptops, portable engineering workstations and handhelds (e.g., 375 HART
communicator) should be tightly secured and should never be allowed to be used outside the ICS network.
Antivirus and patch management should be kept current.
6.2.11.3 Cabling
ICS-specific Recommendations and Guidance
Cabling design and implementation for the control network should be addressed in the cybersecurity plan.
Unshielded twisted pair communications cable, while acceptable for the office environment, is generally
not suitable for the plant environment due to its susceptibility to interference from magnetic fields, radio
waves, temperature extremes, moisture, dust, and vibration. Industrial RJ-45 connectors should be used in
place of other types of twisted pair connectors to provide protection against moisture, dust and vibration.
Fiber-optic cable and coaxial cable are often better network cabling choices for the control network because
they are immune to many of the typical environmental conditions including electrical and radio frequency
interference found in an industrial control environment. Cable and connectors should be color-coded and
labeled so that the ICS and IT networks are clearly delineated and the potential for an inadvertent cross-
connect is reduced. Cable runs should be installed so that access is minimized (i.e., limited to authorized
personnel only) and equipment should be installed in locked cabinets with adequate ventilation and air
filtration.
6.2.12 Planning
A security plan is a formal document that provides an overview of the security requirements for an
information system and describes the security controls in place or planned for meeting those requirements.
The security controls that fall within the NIST SP 800-53 Planning (PL) family provide the basis for
developing a security plan. These controls also address maintenance issues for periodically updating a
security plan. A set of rules describes user responsibilities and expected behavior regarding information
system usage with provision for signed acknowledgement from users indicating that they have read,
understand, and agree to abide by the rules of behavior before authorizing access to the information system.
Supplemental guidance for the PL controls can be found in the following documents:
- NIST SP 800-18 provides guidance on preparing rules of behavior [19].
- NIST SP 800-100 provides guidance on information security governance and planning [27].
ICS-specific Recommendations and Guidance
A security plan for an ICS should build on appropriate existing IT security experience, programs, and
practices. However, the critical differences between IT and ICS addressed in Section 2.4 will influence how
security will be applied to the ICS. A forward-looking plan is needed to provide a method for continuous
security improvements. Whenever a new system is being designed and installed, it is imperative to take the
time to address security throughout the lifecycle, from architecture to procurement to installation to
maintenance to decommissioning. ICS security is a rapidly evolving field requiring the security planning
process to constantly explore emerging ICS security capabilities as well as new threats that are identified
by organizations such as the ICS-CERT.
6.2.13 Personnel Security
The security controls that fall within the NIST SP 800-53 Personnel Security (PS) family provide policies
and procedures to reduce the risk of human error, theft, fraud, or other intentional or unintentional misuse
of information systems.
Supplemental guidance for the PS controls can be found in the following documents:
- NIST SP 800-35 provides guidance on information technology security services [44].
- NIST SP 800-73 provides guidance on interfaces for personal identity verification [49].
- NIST SP 800-76 provides guidance on biometrics for personal identity verification [50].
- NIST SP 800-100 provides guidance on information security governance and planning [27].
Personnel security measures are meant to reduce the possibility and risk of human error, theft, fraud, or
other intentional or unintentional misuse of informational assets. There are three main aspects to personnel
security:
- Hiring Policies. This includes pre-employment screening such as background checks, the interview process, employment terms and conditions, complete job descriptions and detailing of duties, terms and conditions of employment, and legal rights and responsibilities of employees or contractors.
- Organization Policies and Practices. These include security policies, information classification, document and media maintenance and handling policies, user training, acceptable usage policies for organization assets, periodic employee performance reviews, appropriate background checks, and any other policies and actions that detail expected and required behavior of organization employees, contractors, and visitors. Organization policies to be enforced should be written down and readily available to all workers through an employee handbook, distributed as email notices, located in a centralized resource area, or posted directly at a worker’s area of responsibility.
- Terms and Conditions of Employment. This category includes job and position responsibilities, notification to employees of terminable offenses, disciplinary actions and punishments, and periodic employee performance reviews.
ICS-specific Recommendations and Guidance
Positions should be categorized with a risk designation and screening criteria, and individuals filling a position should be screened against these criteria and complete an access agreement before being granted access to an information system. Personnel should be screened for the critical positions controlling and maintaining the ICS.
Additionally, training programs should be carefully developed to ensure that each employee has received training relevant and necessary to their job functions. Further, ensure that employees have demonstrated their competence in their job functions.
6.2.14 Risk Assessment
The security controls that fall within the NIST SP 800-53 Risk Assessment (RA) family provide policy and
procedures to develop, distribute, and maintain a documented risk assessment policy that describes purpose,
scope, roles, responsibilities, and compliance as well as policy implementation procedures. An information
system and associated data is categorized based on the security objectives and a range of risk levels. A risk
assessment is performed to identify risks and the magnitude of harm that could result from the unauthorized
access, use, disclosure, disruption, modification, or destruction of an information system and data. Also
included in these controls are mechanisms for keeping risk assessments up-to-date and performing periodic
testing and vulnerability assessments.
Supplemental guidance for the RA controls can be found in the following documents:
- NIST SP 800-30 provides guidance on conducting risk assessments and updates [79].
- NIST SP 800-39 provides guidance on risk management at all organizational levels [20].
- NIST SP 800-40 provides guidance on handling security patches [40].
- NIST SP 800-115 provides guidance on network security testing [41].
- NIST SP 800-60 provides guidance on determining security categories for information types [25].
- NIST SP 800-100 provides guidance on information security governance and planning [27].
ICS-specific Recommendations and Guidance
Organizations must consider the potential consequences resulting from an incident on an ICS. Well-defined
policies and procedures lead to mitigation techniques designed to thwart incidents and manage the risk to
eliminate or minimize the consequences. The potential degradation of the physical plant, economic status,
or stakeholder/national confidence could justify mitigation.
For an ICS, a very important aspect of the risk assessment is to determine the value of the data that is
flowing from the control network to the corporate network. In instances where pricing decisions are
determined from this data, the data could have a very high value. The fiscal justification for mitigation has
to be derived by comparing the mitigation cost to the effects of the consequence. However, it is not
possible to define a one-size-fits-all set of security requirements. A very high level of security may be
achievable but undesirable in many situations because of the loss of functionality and other associated
costs. A well-thought-out security implementation is a balance of risk versus cost. In some situations the
risk may be safety, health, or environment-related rather than purely economic. The risk may result in an
unrecoverable consequence rather than a temporary financial setback.
6.2.15 System and Services Acquisition
The security controls that fall within the NIST SP 800-53 System and Services Acquisition (SA) family
provide the basis for developing policies and procedures for acquisition of resources required to adequately
protect an information system. These acquisitions are based on security requirements and security
specifications. As part of the acquisition procedures, an information system is managed using a system
development life cycle methodology that includes information security considerations. As part of
acquisition, adequate documentation must be maintained on the information system and constituent
components.
The SA family also addresses outsourced systems and the inclusion of adequate security controls by
vendors as specified by the supported organization. Vendors are also responsible for configuration
management and security testing for these outsourced information systems.
Supplemental guidance for the SA controls can be found in the following documents:
- NIST SP 800-23 provides guidance on the acquisition and use of tested/evaluated information technology products [42].
- NIST SP 800-27 provides guidance on engineering principles for information system security [43].
- NIST SP 800-35 provides guidance on information technology security services [44].
- NIST SP 800-36 provides guidance on the selection of information security products [45].
- NIST SP 800-64 provides guidance on security considerations in the system development life cycle [46].
- NIST SP 800-65 provides guidance on integrating security into the capital planning and investment control process [47].
- NIST SP 800-70 provides guidance on configuration settings for information technology products [26].
- NIST SP 800-100 provides guidance on information security governance and planning [27].
ICS-specific Recommendations and Guidance
The security requirements of an organization outsourcing the management and control of all or some of its
information systems, networks, and desktop environments should be addressed in a contract agreed
between the parties. External suppliers that have an impact on the security of the organization must be held
to the same security policies and procedures to maintain the overall level of ICS security. Security policies
and procedures of second and third-tier suppliers should also be in compliance with corporate cybersecurity
policies and procedures in the case that they impact ICS security.
DHS has developed a procurement language document [48] for specifying security requirements when
procuring new systems or maintaining existing systems.
6.2.16 System and Communications Protection
The security controls that fall within the NIST SP 800-53 System and Communications Protection (SC)
family provide policy and procedures for protecting systems and data communications components.
Supplemental guidance for the SC controls can be found in the following documents:
- NIST SP 800-28 provides guidance on active content and mobile code [69].
- NIST SP 800-52 provides guidance on Transport Layer Security (TLS) Implementations [70].
- NIST SP 800-56 provides guidance on cryptographic key establishment [71].
- NIST SP 800-57 provides guidance on cryptographic key management [72].
- NIST SP 800-58 provides guidance on security considerations for VoIP technologies [73].
- NIST SP 800-63 provides guidance on remote electronic authentication [53].
- NIST SP 800-77 provides guidance on IPsec VPNs [74].
6.2.16.1 Encryption
Encryption is the cryptographic transformation of data (called plaintext) into a form (called ciphertext) that
conceals the data’s original meaning to prevent it from being known or used. If the transformation is
reversible, the corresponding reversal process is called decryption, which is a transformation that restores
encrypted data to its original state [75].
ICS-specific Recommendations and Guidance
Before deploying encryption, first determine if encryption is an appropriate solution for the specific ICS
application, because authentication and integrity are generally the key security issues for ICS applications.
Other cryptographic solutions such as cryptographic hashes should also be considered.
The use of encryption within an ICS environment could introduce communications latency due to the
additional time and computing resources required to encrypt, decrypt, and authenticate each message. For
ICS, any latency induced from the use of encryption, or any other security technique, must not degrade the
operational performance of the end device or system. Before deploying encryption within an ICS
environment, solutions should go through extensive performance testing. Encryption at OSI Layer 2 should
be considered, rather than at Layer 3 to reduce encryption latency.
In addition, encrypted messages are often larger than unencrypted messages due to one or more of the
following:
- Additional checksums to reduce errors.
- Protocols to control the cryptography.
- Padding (for block ciphers).
- Authentication procedures.
- Other required cryptographic processes.
Cryptography also introduces key management issues. Sound security policies require periodic key
changes. This process becomes more difficult as the geographic size of the ICS increases, with extensive
SCADA systems being the most severe example. Because site visits to change keys can be costly and slow,
it is useful to be able to change keys remotely.
If cryptography is selected, the most effective safeguard is to use a complete cryptographic system
approved by the NIST/Communications Security Establishment (CSE) Cryptographic Module Validation
Program (CMVP)⁴¹. Within this program standards are maintained to ensure that cryptographic systems
were studied carefully for weaknesses by a wide range of experts, rather than being developed by a few
engineers in a single organization. At a minimum, certification makes it probable that:
- Some method (such as counter mode) will be used to ensure that the same message does not generate the same value each time.
- ICS messages are protected against replay and forging.
- Key management is secure throughout the life cycle of the key.
- The system is using an effective random number generator.
- The entire system has been implemented securely.
41 Information on the CMVP can be found on the CMVP web site http://csrc.nist.gov/cryptval/cmvp.htm.
Translator's note: In Japan, the IPA Security Center operates a cryptographic module testing and certification program based on JIS X 19790, which derives from FIPS 140-2 (http://www.ipa.go.jp/security/jcmvp/index.html).
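The two properties the guidance singles out for ICS (integrity and replay protection) and the per-message size overhead listed above, shown as an added example that is not part of NIST SP 800-82, AGA 12-1, or any CMVP-validated module: a keyed hash (HMAC-SHA256, the "cryptographic hash" alternative the text mentions) with a sequence counter over a constructed Modbus-style request. The frame layout, key, and payload are assumptions made for the example.

```python
"""Added example: authenticated, replay-checked framing for a short ICS message.

Constructed illustration only; not code from NIST SP 800-82, AGA 12-1, or any
CMVP-validated module. It shows integrity and replay protection for an ICS
message using a keyed hash rather than encryption, and measures the fixed
per-message size overhead that the framing adds.
"""
import hashlib
import hmac
import secrets
import struct

SEQ_LEN = 4    # big-endian 32-bit monotonically increasing sequence number
TAG_LEN = 16   # HMAC-SHA256 tag truncated to 128 bits
OVERHEAD = SEQ_LEN + TAG_LEN


def _tag(key: bytes, header: bytes, payload: bytes) -> bytes:
    """Keyed hash over header and payload, so neither can be altered unnoticed."""
    return hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]


def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Build a frame: seq || payload || tag. The sender increments seq per message."""
    header = struct.pack(">I", seq)
    return header + payload + _tag(key, header, payload)


class Receiver:
    """Verifies frames from one sender; rejects forged, replayed, or truncated ones."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_seq = -1  # highest sequence number accepted so far

    def verify(self, frame: bytes):
        """Return (payload, "ok") on success, otherwise (None, reason)."""
        if len(frame) < OVERHEAD:
            return None, "truncated"
        header = frame[:SEQ_LEN]
        payload = frame[SEQ_LEN:-TAG_LEN]
        tag = frame[-TAG_LEN:]
        # Check integrity first (constant-time compare) before trusting the header.
        if not hmac.compare_digest(tag, _tag(self.key, header, payload)):
            return None, "forged"
        seq = struct.unpack(">I", header)[0]
        if seq <= self.last_seq:  # replayed or stale frame
            return None, "replay"
        self.last_seq = seq
        return payload, "ok"


def overhead_bytes(payload: bytes) -> int:
    """Bytes added by framing; constant because a keyed hash needs no padding."""
    return len(protect(b"\x00" * 32, 0, payload)) - len(payload)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # assumed pre-shared key, delivered out of band
    rx = Receiver(key)
    # Constructed Modbus-style "read holding registers" PDU: unit 1, fn 3, addr 0, count 2.
    read_req = b"\x01\x03\x00\x00\x00\x02"
    frame = protect(key, 1, read_req)
    print("accepted:", rx.verify(frame))            # (payload, 'ok')
    print("replayed:", rx.verify(frame))            # (None, 'replay')
    tampered = bytearray(protect(key, 2, read_req))
    tampered[5] ^= 0x01                             # flip one bit in the payload
    print("tampered:", rx.verify(bytes(tampered)))  # (None, 'forged')
    print("overhead bytes per message:", overhead_bytes(read_req))  # 20
```

The 20-byte overhead is the cost that the text warns must be performance-tested against the end device's timing budget; a production deployment would obtain the same properties from a validated module rather than hand-rolled framing.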
Even then, the technology is effective only if it is an integral part of an effectively enforced information
security policy. American Gas Association (AGA) report 12-1 [5] contains an example of such a security
policy. While it is directed toward a natural gas SCADA system, many of its policy recommendations
could apply to any ICS.
For an ICS, encryption can be deployed as part of a comprehensive, enforced security policy. Organizations
should select cryptographic protection based on a risk assessment and the identified value of the
information being protected and ICS operating constraints. Specifically, a cryptographic key should be long
enough so that guessing it or determining it through analysis takes more effort, time, and cost than the
value of the protected asset.
The encryption hardware should be protected from physical tampering and uncontrolled electronic
connections. Assuming cryptography is the appropriate solution, organizations should select cryptographic
protection with remote key management if the units being protected are so numerous or geographically
dispersed that changing keys is difficult or expensive.
Use separate plaintext and ciphertext ports unless the network absolutely requires the restriction to pass
both plaintext and ciphertext through each port.
Use only modules that can be certified to comply with a standard, such as FIPS 140-2 [90] through the
Cryptographic Module Validation Program (CMVP).
6.2.16.2 Virtual Private Network (VPN)
One method of encrypting communication data is through a VPN, which is a private network that operates
as an overlay on a public infrastructure, so that the private network can function across a public network.
The most common types of VPN technologies implemented today are:
- Internet Protocol Security (IPsec). IPsec is a set of standards defined by IETF to govern the secure communications of data across public networks at the IP layer. IPsec is included in many current operating systems. The intent of the standards is to guarantee interoperability across vendor platforms; however, the reality is that the determination of interoperability of multi-vendor implementations depends on specific implementation testing conducted by the end-user organization. IPsec supports two encryption modes: transport and tunnel. Transport mode encrypts only the data portion (payload) of each packet, but leaves the header untouched. The more secure tunnel mode adds a new header to each packet and encrypts both the original header and the payload. On the receiving side, an IPsec-compliant device decrypts each packet. The protocol has been continually enhanced to address specific requirements, such as extensions to the protocol to address individual user authentication and NAT device traversal. These extensions are typically vendor-specific and can lead to interoperability issues primarily in host-to-security gateway environments. NIST SP 800-77 provides guidance on IPsec VPNs [74].
 Secure Sockets Layer (SSL). SSL provides a secure channel between two machines that encrypts the
contents of each packet. The IETF made slight modifications to the SSL version 3 protocol and
created a new protocol called Transport Layer Security (TLS). The terms “SSL” and “TLS” are often
used interchangeably, and this document generically uses the SSL terminology. SSL is most often
recognized for securing HTTP traffic; this protocol implementation is known as HTTP Secure
(HTTPS). However, SSL is not limited to HTTP traffic; it can be used to secure many different
application layer programs. SSL-based VPN products have gained acceptance because of the market
for “clientless” VPN products. These products use standard Web browsers as clients, which have
built-in SSL support. The “clientless” term means that there is no need to install or configure third-party
VPN “client” software on users’ systems. NIST SP 800-52 provides guidance on SSL configuration
[70].
 Secure Shell (SSH). SSH is a command interface and protocol for securely gaining access to a remote
computer. It is widely used by network administrators to remotely control Web servers and other types
of servers. The latest version, SSH2, is a proposed set of standards from the IETF. Typically, SSH is
deployed as a secure alternative to a telnet application. SSH is included in most UNIX distributions,
and is typically added to other platforms through a third-party package.
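The transport-mode versus tunnel-mode distinction drawn for IPsec above is easiest to see in bytes. The following is an added illustration, not code from NIST or from any IPsec implementation: it frames packets in a simplified ESP-like envelope using only the Python standard library, with an HMAC-SHA256 counter-mode keystream standing in for the negotiated cipher, and reports what a passive observer on the intermediary network can read from the outer header in each mode. Addresses, keys and the sample payload are constructed; padding and the IP header checksum are omitted.

```python
"""IPsec transport mode vs. tunnel mode: what a passive observer still sees.

Added illustration, not code from NIST SP 800-82 or any IPsec implementation.
Packets are wrapped in a simplified ESP-like envelope (SPI, sequence number,
ciphertext carrying a next-header trailer byte, HMAC-SHA256 integrity check
value). The cipher is a stand-in so the example runs on the standard library:
an HMAC-SHA256 keystream in counter mode XORed with the plaintext. Real IPsec
uses the negotiated suite (e.g. AES-GCM) and padding; the framing is the point.
"""
import hashlib
import hmac
import ipaddress
import struct

ESP_PROTO = 50          # IP protocol number of ESP (RFC 4303)
NEXT_HEADER_IPV4 = 4    # ESP next-header value for an encapsulated IPv4 packet
ICV_LEN = 32            # HMAC-SHA256 output length


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options; header checksum left at zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def parse_ipv4_header(pkt: bytes):
    """(src, dst, proto) of the outermost header, i.e. what is visible on the wire."""
    fields = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return (str(ipaddress.IPv4Address(fields[8])),
            str(ipaddress.IPv4Address(fields[9])), fields[6])


def keystream_xor(key: bytes, spi: int, seq: int, data: bytes) -> bytes:
    """Stand-in cipher: XOR with HMAC-SHA256(key, spi || seq || block counter)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, struct.pack("!IIQ", spi, seq, offset // 32),
                         hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def esp_wrap(enc_key: bytes, mac_key: bytes, spi: int, seq: int, plaintext: bytes) -> bytes:
    """SPI + sequence number + ciphertext + ICV (encrypt-then-MAC, as ESP does)."""
    body = struct.pack("!II", spi, seq) + keystream_xor(enc_key, spi, seq, plaintext)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def esp_unwrap(enc_key: bytes, mac_key: bytes, esp: bytes) -> bytes:
    """Verify the ICV before decrypting; reject anything modified in transit."""
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    if not hmac.compare_digest(hmac.new(mac_key, body, hashlib.sha256).digest(), icv):
        raise ValueError("ESP integrity check failed")
    spi, seq = struct.unpack("!II", body[:8])
    return keystream_xor(enc_key, spi, seq, body[8:])


def transport_mode(keys, spi: int, seq: int, inner: bytes) -> bytes:
    """Transport mode: original IP header kept (protocol -> ESP); only the payload is protected."""
    src, dst, proto = parse_ipv4_header(inner)
    esp = esp_wrap(*keys, spi, seq, inner[20:] + bytes([proto]))   # trailer: next header
    return ipv4_header(src, dst, ESP_PROTO, len(esp)) + esp


def tunnel_mode(keys, spi: int, seq: int, inner: bytes, gw_src: str, gw_dst: str) -> bytes:
    """Tunnel mode: new outer header between gateways; original header and payload encrypted."""
    esp = esp_wrap(*keys, spi, seq, inner + bytes([NEXT_HEADER_IPV4]))
    return ipv4_header(gw_src, gw_dst, ESP_PROTO, len(esp)) + esp


def decapsulate(keys, outer: bytes) -> bytes:
    """Receiving IPsec device: verify, decrypt and rebuild the original packet for either mode."""
    src, dst, proto = parse_ipv4_header(outer)
    if proto != ESP_PROTO:
        raise ValueError("not an ESP packet")
    plain = esp_unwrap(*keys, outer[20:])
    data, next_header = plain[:-1], plain[-1]
    if next_header == NEXT_HEADER_IPV4:       # tunnel mode: the data is the whole inner packet
        return data
    return ipv4_header(src, dst, next_header, len(data)) + data   # transport mode


def observable(outer: bytes) -> dict:
    """What the intermediary (public) network learns from the unencrypted outer header."""
    src, dst, proto = parse_ipv4_header(outer)
    return {"src": src, "dst": dst, "proto": proto}


# Constructed sample: an HMI on the control LAN talking to a PLC, protected by
# gateways with example (RFC 5737) public addresses. Keys are placeholders.
KEYS = (b"\x01" * 32, b"\x02" * 32)
INNER = ipv4_header("10.1.1.5", "10.1.1.20", 6, 8) + b"MB_READ1"

if __name__ == "__main__":
    t = transport_mode(KEYS, 0x100, 1, INNER)
    u = tunnel_mode(KEYS, 0x100, 1, INNER, "203.0.113.1", "198.51.100.7")
    print("transport mode, visible on the wire:", observable(t))   # real endpoints exposed
    print("tunnel mode, visible on the wire:   ", observable(u))   # only the gateways
    assert decapsulate(KEYS, t) == INNER and decapsulate(KEYS, u) == INNER
```

In transport mode the control-network addresses of the HMI and PLC remain readable to anyone on the intermediary network; in tunnel mode only the two gateway addresses are.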
ICS-specific Recommendations and Guidance
VPNs are most often used in the ICS environment to provide secure access from an untrusted network to
the ICS control network. Untrusted networks can range from the Internet to the corporate LAN. Properly
configured, VPNs can greatly restrict access to and from control system host computers and controllers,
thereby improving security. They can also potentially improve control network responsiveness by removing
unauthorized non-essential traffic from the intermediary network.
Other possible deployments include using either host-based or mini-standalone security gateways, either
interposed before or running on individual control devices. This technique of implementing VPNs on an
individual device basis can have significant administration overhead.
VPN devices used to protect control systems should be thoroughly tested to verify that the VPN technology
is compatible with the application and that implementation of the VPN devices does not unacceptably
affect network traffic characteristics.
6.2.17 System and Information Integrity
Maintaining system and information integrity assures that sensitive data has not been modified or deleted in
an unauthorized and undetected manner. The security controls that fall within the NIST SP 800-53 System
and Information Integrity (SI) family provide policies and procedures for identifying, reporting, and
correcting information system flaws. Controls exist for malicious code detection, spam and spyware
protection, and intrusion detection, although they may not be appropriate for all ICS applications. Also
provided are controls for receiving security alerts and advisories, and the verification of security functions
on the information system. In addition, there are controls within this family to detect and protect against
unauthorized changes to software and data, provide restrictions to data input and output, and check for the
accuracy, completeness, and validity of data as well as handle error conditions, although they may not be
appropriate for all ICS applications.
Supplemental guidance for the SI controls can be found in the following documents:
 NIST SP 800-40 provides guidance on security patch installation [40].
 NIST SP 800-94 provides guidance on Intrusion Detection and Prevention (IDP) Systems [55].
 NIST SP 800-100 provides guidance on information security governance and planning [27].
ICS-specific Recommendations and Guidance
Controls exist for malicious code detection, spam and spyware protection, and intrusion detection, although
they may not be appropriate for all ICS applications. ICS-specific recommendations and guidance for these
controls are included in Sections 6.2.17.1 and 6.2.17.2.
6.2.17.1 Virus and Malicious Code Detection
Antivirus and malware code detection products evaluate files on a computer’s storage devices against an
inventory of known malware signature files. If one of the files on a computer matches the profile of a
known virus, the virus is removed through a disinfection process (e.g., quarantine, deletion) so it cannot
infect other local files or communicate across a network to infect other files. Antivirus software can be
deployed on workstations, servers, firewalls and handheld devices.
ICS-specific Recommendations and Guidance
Antivirus tools only function effectively when installed, configured, running full-time, and maintained
properly against the state of known attack methods and payloads. While antivirus tools are common
security practice in IT computer systems, their use with ICS may require adopting special practices
including compatibility checks, change management issues, and performance impact metrics. These special
practices should be utilized whenever new signatures or new versions of antivirus software are installed.
Major ICS vendors recommend and even support the use of particular antivirus tools. In some cases,
control system vendors may have performed regression testing across their product line for supported
versions of a particular antivirus tool and also provide associated installation and configuration
documentation. There is also an effort to develop a general set of guidelines and test procedures focused on
ICS performance impacts to fill the gaps where ICS and antivirus vendor guidance is not available [56].
Generally:
 Windows, Unix, Linux systems, etc. used as consoles, engineering workstations, data historians, HMIs
and general purpose SCADA and backup servers can be secured just like commercial IT equipment:
install push- or auto-updated antivirus and patch management software with updates distributed via an
antivirus server and patch management server located inside the process control network and
auto-updated from the IT network.
 Follow vendor recommendations on all other servers and computers (DCS, PLC, instruments) that
have time-dependent code, a modified or extended operating system, or any other change that makes
them different from a standard PC that one could buy at an office supply or computer store. Expect the
vendor to make periodic maintenance releases that include security patches.
6.2.17.2 Intrusion Detection and Prevention
Intrusion detection systems (IDS) monitor events on a network, such as traffic patterns, or a system, such as
log entries or file accesses, so that they can identify an intruder breaking into or attempting to break into a
system [57]. IDS ensure that unusual activity such as new open ports, unusual traffic patterns, or changes to
critical operating system files is brought to the attention of the appropriate security personnel.
The two most commonly used types of IDS are:
 Network-Based IDS. These systems monitor network traffic and generate alarms when they identify
traffic that they deem to be an attack.
 Host-Based IDS. This software monitors one or more types of characteristics of a system, such as
application log file entries, system configuration changes, and access to sensitive data on a system and
responds with an alarm or countermeasure when a user attempts to breach security.
ICS-specific Recommendations and Guidance
An effective IDS deployment typically involves both host-based and network-based IDS. In the current ICS
environment, network-based IDS are most often deployed between the control network and the corporate
network in conjunction with a firewall; host-based IDS are most often deployed on the computers that use
general-purpose OSs or applications such as HMIs, SCADA servers, and engineering workstations.
Properly configured, an IDS can greatly enhance the security management team’s ability to detect attacks
entering or leaving the system, thereby improving security. They can also potentially improve a control
network’s efficiency by detecting non-essential traffic on the network. However, even when IDS are
implemented, security staff can primarily recognize individual attacks, as opposed to organized patterns of
attacks over time. Network security monitoring and an understanding of the normal state of the ICS
network can help distinguish attacks from transient conditions, and both trigger and provide information
into events that are outside the normal state.
Current IDS and IPS products are effective in detecting and preventing well-known Internet attacks, but
until recently they have not addressed ICS protocol attacks. IDS and IPS vendors are beginning to develop
and incorporate attack signatures for various ICS protocols such as Modbus, DNP3, and ICCP [58].
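As an added example (not NIST's text or any IDS vendor's code) of the point above that an understanding of the ICS network's normal state is what lets an IDS separate attacks from transient conditions, the following Python learns a Modbus/TCP baseline of which client talks to which unit with which function code, then reports live requests that deviate from it. The hosts, unit ids and frames are constructed.

```python
"""Modbus/TCP requests checked against a learned 'normal state' of the ICS network.

Added example, not code from NIST SP 800-82 or from any IDS/IPS product. It
parses the Modbus/TCP MBAP header and function code, learns which
(client, unit id, function code) combinations occurred during a clean baseline
window, and flags live requests that deviate: clients never seen before,
write/diagnostic function codes from hosts that only ever read, and frames
that do not parse. All addresses and frames below are constructed.
"""
import struct
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    8: "Diagnostics", 15: "Write Multiple Coils", 16: "Write Multiple Registers",
    43: "Encapsulated Interface Transport",
}
# Function codes that change process state or device behaviour rather than read it.
WRITE_OR_CONTROL = {5, 6, 8, 15, 16, 43}


@dataclass(frozen=True)
class ModbusRequest:
    client: str      # source IP of the TCP connection
    unit_id: int     # MBAP unit identifier (slave address behind the gateway)
    function: int    # Modbus function code


def parse_modbus_tcp(client: str, payload: bytes) -> ModbusRequest:
    """Parse MBAP (transaction id, protocol id, length, unit id) and the function code."""
    if len(payload) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    _tid, proto_id, length, unit_id = struct.unpack("!HHHB", payload[:7])
    if proto_id != 0:
        raise ValueError(f"protocol id {proto_id} is not Modbus")
    if length != len(payload) - 6:       # length counts unit id + PDU
        raise ValueError(f"length field {length} does not match frame size {len(payload) - 6}")
    return ModbusRequest(client, unit_id, payload[7])


def learn_baseline(frames: Iterable[Tuple[str, bytes]]) -> Set[ModbusRequest]:
    """Normal state: every (client, unit, function) triple observed in a clean capture."""
    return {parse_modbus_tcp(client, payload) for client, payload in frames}


def inspect(frames: Iterable[Tuple[str, bytes]], baseline: Set[ModbusRequest]) -> List[str]:
    """Return one alert line per request that falls outside the baseline."""
    alerts: List[str] = []
    known_clients = {req.client for req in baseline}
    for client, payload in frames:
        try:
            req = parse_modbus_tcp(client, payload)
        except ValueError as exc:
            alerts.append(f"MALFORMED from {client}: {exc}")
            continue
        if req in baseline:
            continue
        name = FUNCTION_NAMES.get(req.function, f"function {req.function}")
        if client not in known_clients:
            alerts.append(f"NEW CLIENT {client}: {name} to unit {req.unit_id}")
        elif req.function in WRITE_OR_CONTROL:
            alerts.append(f"UNEXPECTED WRITE/CONTROL from {client}: {name} to unit {req.unit_id}")
        else:
            alerts.append(f"NEW READ PATTERN from {client}: {name} to unit {req.unit_id}")
    return alerts


def mbap(tid: int, unit: int, pdu: bytes) -> bytes:
    """Build a Modbus/TCP frame for the samples; protocol id 0, length = unit id + PDU."""
    return struct.pack("!HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed baseline: an HMI polling holding registers on two units and a
# historian reading coils. Constructed live traffic: one normal poll, a write
# from the HMI, a poll from an unknown host, a diagnostics request from the
# historian and a frame carrying the wrong protocol id.
BASELINE = [
    ("10.0.5.10", mbap(1, 1, b"\x03" + struct.pack("!HH", 0, 10))),
    ("10.0.5.10", mbap(2, 2, b"\x03" + struct.pack("!HH", 0, 10))),
    ("10.0.5.11", mbap(3, 1, b"\x01" + struct.pack("!HH", 0, 16))),
]
LIVE = [
    ("10.0.5.10", mbap(7, 1, b"\x03" + struct.pack("!HH", 0, 10))),
    ("10.0.5.10", mbap(8, 1, b"\x06" + struct.pack("!HH", 40, 0))),
    ("10.0.9.99", mbap(9, 1, b"\x03" + struct.pack("!HH", 0, 1))),
    ("10.0.5.11", mbap(10, 1, b"\x08" + struct.pack("!HH", 0, 0))),
    ("10.0.5.11", b"\x00\x0b\x00\x01\x00\x06\x01\x03\x00\x00\x00\x01"),
]

if __name__ == "__main__":
    for line in inspect(LIVE, learn_baseline(BASELINE)):
        print(line)
```

The baseline must be taken from a window the operators have confirmed clean, and widened deliberately (for example when an engineering workstation is commissioned), or the alerts degrade into the transient noise the text warns about.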
6.2.17.3 Patch Management
Patches are additional pieces of code that have been developed to address specific problems or flaws in
existing software. Vulnerabilities are flaws that can be exploited, enabling unauthorized access to IT
systems or enabling users to have access to greater privileges than authorized.
A systematic approach to managing and using software patches can help organizations to improve the
overall security of their IT systems in a cost-effective way. Organizations that actively manage and use
software patches can reduce the chances that the vulnerabilities in their IT systems can be exploited; in
addition, they can save time and money that might be spent in responding to vulnerability-related incidents.
NIST SP 800-40 Revision 3 [40] provides guidance for organizational security managers who are
responsible for designing and implementing security patch and vulnerability management programs and for
testing the effectiveness of the programs in reducing vulnerabilities. The guidance is also useful to system
administrators and operations personnel who are responsible for applying and testing patches and for
deploying solutions to vulnerability problems.
ICS-specific Recommendations and Guidance
Applying patches to OS components creates another situation where significant care should be exercised in
the ICS environment. Patches should be adequately tested (e.g., off-line on a comparable ICS) to determine
the acceptability of side effects. Regression testing is advised. It is not uncommon for patches to have an
adverse effect on other software. A patch may remove a vulnerability, but it can
also introduce a greater risk from a production or safety perspective. Patching the vulnerability may also
change the way the OS or application works with control applications, causing the control application to
lose some of its functionality. Another issue is that many ICS utilize older versions of operating systems
that are no longer supported by the vendor. Consequently, available patches may not be applicable.
Organizations should implement a systematic, accountable, and documented ICS patch management
process for managing exposure to vulnerabilities.
Once the decision is made to deploy a patch, there are other tools that automate this process from a
centralized server and with confirmation that the patch has been deployed correctly. Consider separating
the automated process for ICS patch management from the automated process for non-ICS applications.
Patching should be scheduled to occur during planned ICS outages.
6.2.18 Program Management
The security controls that fall within the NIST SP 800-53 Program Management (PM) focus on the
organization-wide information security requirements that are independent of any particular information
system and are essential for managing information security programs.
Organizations document program management controls in the information security program plan. The
organization-wide information security program plan supplements the individual security plans developed
for each organizational information system. In addition to documenting the information security program
management controls, the security program plan provides a vehicle for the organization, in a central
repository, to document all security controls that have been designated as common controls (i.e., security
controls inherited by organizational information systems).
6.2.19 Privacy Controls
Protecting the privacy of personally identifiable information (PII)43 collected, used, maintained, shared, and
disposed of by programs and information systems is critical given the advances in information technologies
and applications of those technologies. Effective privacy for individuals depends on the safeguards
employed within the organizational information systems that are processing, storing, and transmitting PII.
Organizations cannot have effective privacy without a foundation of information security. However,
privacy is more than security and includes, for example, the principles of transparency, notice, and choice.
The privacy controls focus on information privacy as a value distinct from, but highly interrelated with,
information security. The privacy controls are based on the Fair Information Practice Principles (FIPPs)
embodied in the Privacy Act of 1974, Section 208 of the E-Government Act of 2002, and related Office of
Management and Budget (OMB) guidance. The FIPPs are designed to build public trust in an
organization’s privacy practices and to help organizations avoid tangible costs and intangible damages
stemming from privacy incidents.
43 OMB Memorandum 07-16 defines PII as “information which can be used to distinguish or trace an individual’s
identity such as their name, social security number, biometric records, etc., alone, or when combined with
other personal or identifying information which is linked or linkable to a specific individual, such as date
and place of birth, mother’s maiden name, etc.” [86]. OMB Memorandum 10-22 reaffirmed this definition [87].
NIST Special Publication 800-122 defines PII as “any information about an individual [that is] maintained
by an agency, including: (i) any information that can be used to distinguish or trace an individual’s
identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric
records; and (ii) any other information that is linked or linkable to an individual, such as medical,
educational, financial, and employment information” [88].
Privacy controls are the administrative, technical, and physical safeguards employed within organizations
to protect and ensure the proper handling of PII. There are eight privacy control families with each family
aligning with one of the FIPPs. The privacy control families can be implemented at the organization,
department, agency, component, office, program, or information system level. The privacy controls are
structured in a similar manner to the information system security controls in Appendix F of NIST SP 800-
53.
The Privacy Appendix of NIST SP 800-53, Rev. 4 [22], provides a structured set of privacy controls, based
on international standards and best practices to help organizations enforce requirements derived from
federal privacy legislation, policies, regulations, directives, standards, and guidance. Additionally, it
establishes a linkage and relationship between privacy and security controls for purposes of enforcing
respective privacy and security requirements that may overlap in concept and in implementation within
federal information systems, programs, and organizations.
The privacy controls are intended primarily for use by an organization’s Senior Agency Official for Privacy
(SAOP)/Chief Privacy Officer (CPO) when working with program managers, information system
developers, and information security personnel to determine how best to incorporate effective privacy
protections and practices within those programs and/or systems. These controls facilitate the organization’s
efforts to comply with privacy requirements affecting those programs and/or systems that collect, use,
maintain, share, or dispose of PII. This promotes closer cooperation between privacy and security officials
within the federal government to help achieve the objectives of senior leaders/executives in enforcing the
requirements in federal privacy legislation, policies, regulations, directives, standards, and guidance.
The 8 privacy control families include:
 Authority and Purpose (AP).
 Accountability, Audit, and Risk Management (AR).
 Data Quality and Integrity (DI).
 Data Minimization and Retention (DM).
 Individual Participation and Redress (IP).
 Security (SE).
 Transparency (TR).
 Use Limitation (UL).
Appendix A—Acronyms and Abbreviations
Selected acronyms and abbreviations used in the Guide to Industrial Control Systems (ICS) Security are
defined below.
AC Alternating Current
ACL Access Control List
AGA American Gas Association
API American Petroleum Institute
ARP Address Resolution Protocol
BCP Business Continuity Plan
CIDX Chemical Industry Data Exchange
CIGRE International Council on Large Electric Systems
CIP Critical Infrastructure Protection
CMVP Cryptographic Module Validation Program
COTS Commercial Off-the-Shelf
CPNI Centre for the Protection of National Infrastructure
CPU Central Processing Unit
CSE Communications Security Establishment
CSRC Computer Security Resource Center
CSSC Control System Security Center
CVE Common Vulnerabilities and Exposures
DCOM Distributed Component Object Model
DCS Distributed Control System(s)
DETL Distributed Energy Technology Laboratory
DHS Department of Homeland Security
DMZ Demilitarized Zone
DNP3 DNP3 Distributed Network Protocol (published as IEEE 1815)
DNS Domain Name System
DOE Department of Energy
DoS Denial of Service
DRP Disaster Recovery Plan
EAP Extensible Authentication Protocol
EMS Energy Management System
EPRI Electric Power Research Institute
ERP Enterprise Resource Planning
FIPS Federal Information Processing Standards
FISMA Federal Information Security Modernization Act
FTP File Transfer Protocol
GAO Government Accountability Office
GPS Global Positioning System
HMI Human-Machine Interface
HSPD Homeland Security Presidential Directive
HTTP Hypertext Transfer Protocol
HTTPS Hypertext Transfer Protocol Secure
HVAC Heating, Ventilation, and Air Conditioning
I/O Input/Output
I3P Institute for Information Infrastructure Protection
IACS Industrial Automation and Control System
IAONA Industrial Automation Open Networking Association
ICCP Inter-control Center Communications Protocol
ICMP Internet Control Message Protocol
ICS Industrial Control System(s)
ICS-CERT Industrial Control Systems - Cyber Emergency Response Team
IDS Intrusion Detection System
IEC International Electrotechnical Commission
IED Intelligent Electronic Device
IEEE Institute of Electrical and Electronics Engineers
IETF Internet Engineering Task Force
IGMP Internet Group Management Protocol
INL Idaho National Laboratory
IP Internet Protocol
IPS Intrusion Prevention System
IPsec Internet Protocol Security
ISA International Society of Automation
ISID Industrial Security Incident Database
ISO International Organization for Standardization
IT Information Technology
ITL Information Technology Laboratory
LAN Local Area Network
MAC Media Access Control
MES Manufacturing Execution System
MIB Management Information Base
MTU Master Terminal Unit (also Master Telemetry Unit)
NAT Network Address Translation
NCCIC National Cybersecurity and Communications Integration Center
NCSD National Cyber Security Division
NERC North American Electric Reliability Council
NFS Network File System
NIC Network Interface Card
NISCC National Infrastructure Security Coordination Centre
NIST National Institute of Standards and Technology
NSTB National SCADA Testbed
OLE Object Linking and Embedding
OMB Office of Management and Budget
OPC OLE for Process Control
OS Operating System
OSI Open Systems Interconnection
PCII Protected Critical Infrastructure Information
PDA Personal Digital Assistant
PIN Personal Identification Number
PID Proportional – Integral - Derivative
PIV Personal Identity Verification
PLC Programmable Logic Controller
PP Protection Profile
PPP Point-to-Point Protocol
R&D Research and Development
RADIUS Remote Authentication Dial In User Service
RBAC Role-Based Access Control
RFC Request for Comments
RMA Reliability, Maintainability, and Availability
RMF Risk Management Framework
RPC Remote Procedure Call
RPO Recovery Point Objective
RTO Recovery Time Objective
RTU Remote Terminal Unit (also Remote Telemetry Unit)
SC Security Category
SCADA Supervisory Control and Data Acquisition
SCP Secure Copy
SFTP Secure File Transfer Protocol
SIS Safety Instrumented System
SMTP Simple Mail Transfer Protocol
SNL Sandia National Laboratories
SNMP Simple Network Management Protocol
SP Special Publication
SPP-ICS System Protection Profile for Industrial Control Systems
SQL Structured Query Language
SSH Secure Shell
SSID Service Set Identifier
SSL Secure Sockets Layer
TCP Transmission Control Protocol
TCP/IP Transmission Control Protocol/Internet Protocol
TFTP Trivial File Transfer Protocol
TLS Transport Layer Security
UDP User Datagram Protocol
UPS Uninterruptible Power Supply
US-CERT United States Computer Emergency Readiness Team
USB Universal Serial Bus
VFD Variable Frequency Drive
VLAN Virtual Local Area Network
VPN Virtual Private Network
WAN Wide Area Network
XML Extensible Markup Language
Appendix B—Glossary of Terms
Selected terms used in the Guide to Industrial Control Systems (ICS) Security are defined below. Source
References for certain definitions are listed at the end of this appendix.
Alternating Current Drive
Synonymous with Variable Frequency Drive (VFD).
SOURCE: NIST IR 6859 [2]
Access Control List (ACL)
A mechanism that implements access control for a system resource by
enumerating the identities of the system entities that are permitted to
access the resources.
SOURCE: RFC 4949 [75]
Accreditation
The official management decision given by a senior agency official to
authorize operation of an information system and to explicitly accept the
risk to agency operations (including mission, functions, image, or
reputation), agency assets, or individuals, based on the implementation of
an agreed-upon set of security controls.
SOURCE: NIST SP 800-53 [22]
Actuator
A device for moving or controlling a mechanism or system. It is operated
by a source of energy, typically electric current, hydraulic fluid pressure,
or pneumatic pressure, and converts that energy into motion. An actuator
is the mechanism by which a control system acts upon an environment.
The control system can be simple (a fixed mechanical or electronic
system), software-based (e.g. a printer driver, robot control system), or a
human or other agent.
Alarm
A device or function that signals the existence of an abnormal condition
by making an audible or visible discrete change, or both, so as to attract
attention to that condition.
SOURCE: ANSI/ISA-5.1-2009
Antivirus Tools
Software products and technology used to detect malicious code, prevent
it from infecting a system, and remove malicious code that has infected
the system.
Application Server
A computer responsible for hosting applications to user workstations.
Attack
An attempt to gain unauthorized access to system services, resources, or
information, or an attempt to compromise system integrity, availability,
or confidentiality.
SOURCE: CNSSI-4009
Authentication
Verifying the identity of a user, process, or device, often as a prerequisite
to allowing access to resources in an information system.
SOURCE: NIST SP 800-53 [22]
Authorization
The right or a permission that is granted to a system entity to access a
system resource.
SOURCE: RFC 4949 [75]
Backdoor
An undocumented way of gaining access to a computer system. A
backdoor is a potential security risk.
Batch Process
A process that leads to the production of finite quantities of material by
subjecting quantities of input materials to an ordered set of processing
activities over a finite time using one or more pieces of equipment.
SOURCE: ANSI/ISA-88.01-1995
Broadcast
Transmission to all devices in a network without any acknowledgment by
the receivers.
SOURCE: IEC/PAS 62410
Buffer Overflow
A condition at an interface under which more input can be placed into a
buffer or data holding area than the capacity allocated, overwriting other
information. Adversaries exploit such a condition to crash a system or to
insert specially crafted code that allows them to gain control of the system.
SOURCE: NIST SP 800-28 [69]
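The following is an added example, not code from NIST SP 800-82 or the JPCERT translation. It shows the condition the Buffer Overflow entry describes: a copy routine that trusts its input and writes past the capacity allocated for a field, overwriting the data stored next to it, beside a bounded version that checks the length first. The point record, its field sizes and the tag names are assumptions constructed for the illustration; the record is kept as one flat byte array so the overrun stays inside a single object and can be observed safely, whereas a real strcpy() into a stack or heap buffer would keep writing into whatever lies beyond it.

```c
/*
 * Added example (not from NIST SP 800-82): the "more input than the
 * capacity allocated" condition, as a vulnerable copy beside a bounded one.
 *
 * Assumed layout: an 8-byte tag-name field immediately followed by a
 * one-byte write-enable flag, stored as a single byte array.
 */
#include <stdio.h>
#include <string.h>

#define TAG_LEN  8                 /* capacity allocated for the tag name */
#define FLAG_OFF TAG_LEN           /* the flag sits immediately after it */
#define REC_LEN  (TAG_LEN + 1)

typedef struct {
    unsigned char bytes[REC_LEN];  /* [tag_name, 8 bytes][write_enabled, 1 byte] */
} record_t;

void record_init(record_t *r)
{
    memset(r->bytes, 0, REC_LEN);  /* empty tag, write_enabled = 0 */
}

int record_write_enabled(const record_t *r)
{
    return r->bytes[FLAG_OFF] != 0;
}

/* VULNERABLE: copies the whole string plus its NUL, trusting the caller.
 * Anything longer than TAG_LEN - 1 characters spills into the flag byte,
 * which is the "overwriting other information" in the definition.
 * (The clamp to REC_LEN only keeps this demonstration memory-safe.) */
void set_tag_unchecked(record_t *r, const char *tag)
{
    size_t n = strlen(tag) + 1;
    if (n > REC_LEN)
        n = REC_LEN;
    memcpy(r->bytes, tag, n);
}

/* HARDENED: checks the length against the allocated capacity first and
 * refuses input that does not fit, leaving the record untouched. */
int set_tag_checked(record_t *r, const char *tag)
{
    size_t len = strlen(tag);
    if (len >= TAG_LEN)            /* room for TAG_LEN - 1 characters plus NUL */
        return -1;
    memcpy(r->bytes, tag, len + 1);
    return 0;
}

int main(void)
{
    record_t r;

    record_init(&r);
    set_tag_unchecked(&r, "PUMP01_SP_X");   /* 11 characters: too long */
    printf("unchecked copy: write_enabled=%d\n", record_write_enabled(&r));

    record_init(&r);
    printf("checked copy: rc=%d write_enabled=%d\n",
           set_tag_checked(&r, "PUMP01_SP_X"), record_write_enabled(&r));
    return 0;
}
```

With the unchecked copy the read-only point silently becomes writable because the ninth byte of the tag lands on the flag; the checked version rejects the same input and also catches the off-by-one case of exactly eight characters, which would leave no room for the terminating NUL.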
Certification
A comprehensive assessment of the management, operational, and
technical security controls in an information system, made in support of
security accreditation, to determine the extent to which the controls are
implemented correctly, operating as intended, and producing the desired
outcome with respect to meeting the security requirements for the system.
SOURCE: NIST SP 800-37 [21]
Clear Text
Information that is not encrypted.
Communications Router
A communications device that transfers messages between two networks.
Common uses for routers include connecting a LAN to a WAN, and
connecting MTUs and RTUs to a long-distance network medium for
SCADA communication.
Confidentiality
Preserving authorized restrictions on information access and disclosure,
including means for protecting personal privacy and proprietary
information.
SOURCE: NIST SP 800-53 [22]
Configuration (of a system or device)
Step in system design; for example, selecting functional units, assigning
their locations, and defining their interconnections.
SOURCE: IEC/PAS 62409
Configuration Control
Process for controlling modifications to hardware, firmware, software,
and documentation to ensure the information system is protected against
improper modifications before, during, and after system implementation.
SOURCE: CNSSI-4009
Continuous Process
A process that operates on the basis of continuous flow, as opposed to
batch, intermittent, or sequenced operations.
Control Algorithm
A mathematical representation of the control action to be performed.
SOURCE: The Automation, Systems, and Instrumentation Dictionary
Control
The part of the ICS used to perform the monitoring and control of the
physical process. This includes all control servers, field devices, actuators,
sensors, and their supporting communication systems.
Control Center
An equipment structure or group of structures from which a process is
measured, controlled, and/or monitored.
SOURCE: ANSI/ISA-51.1-1979
Control Loop
A control loop consists of sensors for measurement, controller hardware
such as PLCs, actuators such as control valves, breakers, switches and
motors, and the communication of variables. Controlled variables are
transmitted to the controller from the sensors. The controller interprets the
signals and generates corresponding manipulated variables, based on set
points, which it transmits to the actuators. Process changes from
disturbances result in new sensor signals, identifying the state of the
process, to again be transmitted to the controller.
Control Network
Those networks of an enterprise typically connected to equipment that
controls physical processes and that is time or safety critical. The control
network can be subdivided into zones, and there can be multiple separate
control networks within one enterprise and site.
SOURCE: ISA99 [34]
Control Server
A controller that also acts as a server that hosts the control software that
communicates with lower-level control devices, such as Remote Terminal
Units (RTUs) and Programmable Logic Controllers (PLCs), over an ICS
network. In a SCADA system, this is often called a SCADA server, MTU,
or supervisory controller.
Control system
A system in which deliberate guidance or manipulation is used to achieve
a prescribed value for a variable. Control systems include SCADA, DCS,
PLCs and other types of industrial measurement and control systems.
Controlled Variable
The variable that the control system attempts to keep at the set point value.
The set point may be constant or variable.
SOURCE: The Automation, Systems, and Instrumentation Dictionary
Controller
A device or program that operates automatically to regulate a controlled
variable.
SOURCE: ANSI/ISA-51.1-1979
Cycle Time
The time, usually expressed in seconds, for a controller to complete one
control loop where sensor signals are read into memory, control
algorithms are executed, and corresponding control signals are transmitted
to actuators that create changes the process resulting in new sensor
signals.
SOURCE: The Automation, Systems, and Instrumentation Dictionary
Data Diode
A data diode (also referred to as a unidirectional gateway, deterministic
one-way boundary device or unidirectional network) is a network
appliance or device allowing data to travel only in one direction.
Database
A repository of information that usually holds plant-wide information
including process data, recipes, personnel data, and financial data.
SOURCE: NIST IR 6859 [2]
Data Historian
A centralized database supporting data analysis using statistical process
control techniques.
DC Servo Drive
A type of drive that works specifically with servo motors. It transmits
commands to the motor and receives feedback from the servo motor
resolver or encoder.
SOURCE: NIST IR 6859 [2]
Demilitarized Zone (DMZ)
An interface on a routing firewall that is similar to the interfaces found on
the firewall’s protected side. Traffic moving between the DMZ and other
interfaces on the protected side of the firewall still goes through the firewall
and can have firewall protection policies applied.
SOURCE: SP 800-41 [85]
A host or network segment inserted as a "neutral zone" between an
organization's private network and the Internet.
SOURCE: SP 800-45 [91]
Perimeter network segment that is logically between internal and external
networks. Its purpose is to enforce the internal network’s Information
Assurance policy for external information exchange and to provide external,
untrusted sources with restricted access to releasable information while
shielding the internal networks from outside attacks.
SOURCE: CNSSI-4009
Denial of Service (DoS)
The prevention of authorized access to a system resource or the delaying of
system operations and functions.
SOURCE: RFC 4949 [75]
Diagnostics
Information concerning known failure modes and their characteristics. Such
information can be used in troubleshooting and failure analysis to help
pinpoint the cause of a failure and help define suitable corrective measures.
SOURCE: The Automation, Systems, and Instrumentation Dictionary
Disaster Recovery Plan (DRP)
A written plan for processing critical applications in the event of a major
hardware or software failure or destruction of facilities.
SOURCE: NIST SP 800-34 [52]
Discrete Process
A type of process where a specified quantity of material moves as a unit
(part or group of parts) between work stations and each unit maintains its
unique identity.
SOURCE: The Automation, Systems, and Instrumentation Dictionary
Distributed Control System (DCS)
In a control system, refers to control achieved by intelligence that is
distributed about the process to be controlled, rather than by a centrally
located single unit.
SOURCE: The Automation, Systems, and Instrumentation Dictionary
Distributed Plant
A geographically distributed factory that is accessible through the Internet
by an enterprise.
SOURCE: NIST IR 6859 [2]
Disturbance
An undesired change in a variable being applied to a system that tends to
adversely affect the value of a controlled variable.
SOURCE: ANSI/ISA-51.1-1979
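The following is an added example, not code from NIST SP 800-82 or the JPCERT translation. It puts the Control Loop, Controlled Variable, Controller, Cycle Time and Disturbance entries together in one discrete-time loop: each cycle the controller reads the sensor value, compares it with the set point, computes the manipulated variable, and the actuator changes the process, which produces the next sensor value. The process model (a tank whose level is the controlled variable, an inlet valve as the actuator, a constant draw, an unmeasured extra draw as the disturbance), the PI control algorithm and all gains are assumptions chosen for the illustration, not values from the guide.

```c
/*
 * Added example (not from NIST SP 800-82): a discrete-time control loop.
 *
 * Assumptions (illustrative): controlled variable = tank level in %,
 * actuator = inlet valve opening in %, controller = PI algorithm,
 * disturbance = an undesired extra draw on the tank.
 */
#include <stdio.h>

typedef struct {
    double set_point;       /* value the controller tries to hold */
    double kp, ki;          /* proportional and integral gains */
    double integral;        /* accumulated error */
    double mv_min, mv_max;  /* actuator limits */
} controller_t;

typedef struct {
    double level;           /* controlled variable, % */
    double inflow_gain;     /* level change per second per % of valve opening */
    double outflow;         /* steady draw, level change per second */
} process_t;

static double absd(double x) { return x < 0.0 ? -x : x; }

/* One cycle of the controller: read the sensor value, compute the
 * manipulated variable (valve opening) from the error to the set point. */
double controller_step(controller_t *c, double measured, double cycle_s)
{
    double err = c->set_point - measured;
    double mv;

    c->integral += err * cycle_s;
    mv = c->kp * err + c->ki * c->integral;
    if (mv > c->mv_max) {            /* actuator saturated: clamp and undo */
        mv = c->mv_max;              /* this cycle's accumulation (anti-windup) */
        c->integral -= err * cycle_s;
    } else if (mv < c->mv_min) {
        mv = c->mv_min;
        c->integral -= err * cycle_s;
    }
    return mv;
}

/* Actuator and process: the valve opening changes the level over one
 * cycle; the disturbance is an undesired change applied to the process. */
void process_step(process_t *p, double valve_pct, double disturbance, double cycle_s)
{
    p->level += (p->inflow_gain * valve_pct - p->outflow - disturbance) * cycle_s;
    if (p->level < 0.0)   p->level = 0.0;
    if (p->level > 100.0) p->level = 100.0;
}

/* Run the loop for n_cycles of cycle_s seconds. From cycle dist_start on,
 * a disturbance of dist is applied. Returns the final level; *max_dev
 * receives the largest deviation from the set point after the disturbance. */
double run_loop(int n_cycles, double cycle_s, int dist_start, double dist, double *max_dev)
{
    controller_t c = { 60.0, 1.0, 0.1, 0.0, 0.0, 100.0 };  /* set point 60 % */
    process_t p = { 50.0, 0.5, 10.0 };                      /* starts at 50 % */
    double worst = 0.0;
    int i;

    for (i = 0; i < n_cycles; i++) {
        double d = (i >= dist_start) ? dist : 0.0;
        double valve = controller_step(&c, p.level, cycle_s);  /* sensor -> controller */
        process_step(&p, valve, d, cycle_s);                   /* controller -> actuator -> process */
        if (i >= dist_start && absd(c.set_point - p.level) > worst)
            worst = absd(c.set_point - p.level);
    }
    if (max_dev)
        *max_dev = worst;
    return p.level;
}

int main(void)
{
    double dev;
    double final_level = run_loop(200, 1.0, 100, 5.0, &dev);
    printf("final level %.2f %%, worst deviation after disturbance %.2f %%\n",
           final_level, dev);
    return 0;
}
```

The integral term is what brings the level back to the set point after the disturbance starts at cycle 100: the valve settles at a new, higher opening that covers the extra draw. The cycle time is an explicit parameter because it changes the loop's behaviour; stretching it makes the same gains respond later and can turn a well-damped loop into an oscillating one.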
Domain
An environment or context that includes a set of system resources and a set
of system entities that have the right to access the resources as defined by a
common security policy, security model, or security architecture. See
Security Domain.
SOURCE: CNSSI-4009; SP 800-53 [22]; SP 800-37 [21]
Domain Controller
A server responsible for managing domain information, such as login
identification and passwords.
SOURCE: NIST IR 6859 [2]
Encryption
Cryptographic transformation of data (called "plaintext") into a form (called
"ciphertext") that conceals the data's original meaning to prevent it from
being known or used. If the transformation is reversible, the corresponding
reversal process is called "decryption," which is a transformation that
restores encrypted data to its original state.
SOURCE: RFC 4949 [75]
Enterprise
An organization that coordinates the operation of one or more processing
sites.
SOURCE: ANSI/ISA-88.01-1995
Enterprise Resource Planning (ERP) System
A system that integrates enterprise-wide information including human
resources, financials, manufacturing, and distribution as well as connects the
organization to its customers and suppliers.
Extensible Markup Language (XML)
A specification for a generic syntax to mark data with simple, human-
readable tags, enabling the definition, transmission, validation, and
interpretation of data between applications and between organizations.
Fault Tolerant
Of a system, having the built-in capability to provide continued, correct
execution of its assigned function in the presence of a hardware and/or
software fault.
Field Device
Equipment that is connected to the field side on an ICS. Types of field
devices include RTUs, PLCs, actuators, sensors, HMIs, and associated
communications.
Field Site
A subsystem that is identified by physical, geographical, or logical
segmentation within the ICS. A field site may contain RTUs, PLCs,
actuators, sensors, HMIs, and associated communications.
Fieldbus
A digital, serial, multi-drop, two-way data bus or communication path or
link between low-level industrial field equipment such as sensors,
transducers, actuators, local controllers, and even control room devices. Use
of fieldbus technologies eliminates the need of point-to-point wiring
between the controller and each device. A protocol is used to define
messages over the fieldbus network with each message identifying a
particular sensor on the network.
File Transfer Protocol (FTP)
FTP is an Internet standard for transferring files over the Internet. FTP
programs and utilities are used to upload and download Web pages,
graphics, and other files between local media and a remote server which
allows FTP access.
SOURCE: API 1164
Firewall
An inter-network gateway that restricts data communication traffic to and
from one of the connected networks (the one said to be "inside" the
firewall) and thus protects that network's system resources against threats
from the other network (the one that is said to be "outside" the firewall).
SOURCE: RFC 4949 [75]
An inter-network connection device that restricts data communication
traffic between two connected networks. A firewall may be either an
application installed on a general-purpose computer or a dedicated platform
(appliance), which forwards or rejects/drops packets on a network.
Typically firewalls are used to define zone borders. Firewalls generally
have rules restricting which ports are open.
SOURCE: ISA-62443-1-1 [34]
Human-Machine Interface (HMI)
The hardware or software through which an operator interacts with a
controller. An HMI can range from a physical control panel with buttons
and indicator lights to an industrial PC with a color graphics display
running dedicated HMI software.
SOURCE: NIST IR 6859 [2]
Software and hardware that allows human operators to monitor the state of
a process under control, modify control settings to change the control
objective, and manually override automatic control operations in the event
of an emergency. The HMI also allows a control engineer or operator to
configure set points or control algorithms and parameters in the controller.
The HMI also displays process status information, historical information,
reports, and other information to operators, administrators, managers,
business partners, and other authorized users. Operators and engineers use
HMIs to monitor and configure set points, control algorithms, send
commands, and adjust and establish parameters in the controller. The HMI
also displays process status information and historical information.
Identification
The process of verifying the identity of a user, process, or device, usually as
a prerequisite for granting access to resources in an IT system.
SOURCE: NIST SP 800-47 [92]
SP800-82 Revision 2 Guide to Industrial Control Systems (ICS) Security
232
Fieldbus
A digital, serial, multi-drop, two-way data bus, communication path or link between low-level industrial field equipment such as sensors, transducers, actuators, local controllers and control room devices. Using fieldbus technology removes the need for point-to-point wiring between the controller and each device. A protocol is used to define the messages on the fieldbus network, and each message is identified by a particular sensor on the network.
File Transfer Protocol (FTP)
An Internet standard for transferring files over the Internet. FTP programs and utilities are used to upload and download Web pages, graphics and other files between local media and a remote server that permits FTP access.
SOURCE: API 1164
Firewall
An inter-network gateway that restricts data communication traffic between the connected networks (the one "inside" the firewall) and protects that network's system resources against threats from the other network (the one "outside" the firewall).
SOURCE: RFC 4949 [75]
An inter-network connection device that restricts data communication traffic between two connected networks. A firewall is an application installed on a general-purpose computer or a dedicated platform (appliance) that forwards or rejects/drops packets on the network. Firewalls are generally used to define zone borders and restrict which ports are open.
SOURCE: ISA-62443-1-1 [34]
Human-Machine Interface (HMI)
The hardware or software an operator uses to interact with a controller. It ranges from a physical control panel with buttons and indicator lights to an industrial PC with a color graphics display running dedicated HMI software.
SOURCE: NIST IR 6859 [2]
Software and hardware that let operators monitor the state of the process under control, change control settings to alter the control objective, and switch automatic control to manual operation in an emergency. Control engineers and operators can also change set points or control algorithms and parameters in the controller. The HMI also displays process status, historical information, reports and other information to operators, administrators, managers, business partners and other authorized users. Operators and engineers use the HMI to monitor and configure set points, control algorithms, send commands, and adjust and set controller parameters. The HMI also displays process status and historical information.
Identification
The process of verifying the identity of a user, process or device, usually as a prerequisite for granting access to resources in an IT system.
SOURCE: NIST SP 800-47 [92]
Incident
An occurrence that actually or potentially jeopardizes the confidentiality,
integrity, or availability of an information system or the information the
system processes, stores, or transmits or that constitutes a violation or
imminent threat of violation of security policies, security procedures, or
acceptable use policies
SOURCE: FIPS 200 [16]; SP 800-53 [22]
Industrial Control System (ICS)
General term that encompasses several types of control systems, including
supervisory control and data acquisition (SCADA) systems, distributed
control systems (DCS), and other control system configurations such as
Programmable Logic Controllers (PLC) often found in the industrial sectors
and critical infrastructures. An ICS consists of combinations of control
components (e.g., electrical, mechanical, hydraulic, pneumatic) that act
together to achieve an industrial objective (e.g., manufacturing,
transportation of matter or energy).
Information Security Program Plan
Formal document that provides an overview of the security requirements for
an organization-wide information security program and describes the
program management controls and common controls in place or planned for
meeting those requirements.
SOURCE: NIST SP 800-53 [22]
Input/Output (I/O)
A general term for the equipment that is used to communicate with a
computer as well as the data involved in the communications.
SOURCE: The Automation, Systems, and Instrumentation Dictionary
Insider
An entity inside the security perimeter that is authorized to access system
resources but uses them in a way not approved by those who granted the
authorization.
SOURCE: RFC 4949 [75]
Integrity
Guarding against improper information modification or destruction, and
includes ensuring information non-repudiation and authenticity.
SOURCE: NIST SP 800-53 [22]
Intelligent Electronic Device (IED)
Any device incorporating one or more processors with the capability to
receive or send data/control from or to an external source (e.g., electronic
multifunction meters, digital relays, controllers).
SOURCE: AGA 12 [5]
Internet
The single interconnected world-wide system of commercial, government,
educational, and other computer networks that share the set of protocols
specified by the Internet Architecture Board (IAB) and the name and
address spaces managed by the Internet Corporation for Assigned Names
and Numbers (ICANN).
SOURCE: RFC 4949 [75]
Incident
An event that actually or potentially jeopardizes the confidentiality, integrity or availability of an information system or of the information the system processes, stores or transmits, or that violates or is about to violate security policies, security procedures or acceptable use policies.
SOURCE: FIPS 200 [16]; SP 800-53 [22]
Industrial Control System (ICS)
A general term covering several types of control system, including SCADA, DCS, PLCs and other control system configurations used in the various industrial sectors and in critical infrastructure. An ICS is made up of a combination of control components (electrical, mechanical, hydraulic, pneumatic, etc.) used together to achieve an industrial objective (such as manufacturing or the transport of goods or energy).
Information Security Program Plan
A formal document that outlines the security requirements of an organization-wide information security program and describes the program management controls and common controls in place or planned to meet those requirements.
SOURCE: NIST SP 800-53 [22]
Input/Output (I/O)
A general term for the equipment used to communicate with a computer and for the data contained in that communication.
SOURCE: The Automation, Systems, and Instrumentation Dictionary
Insider
An entity inside the security perimeter that is permitted to access system resources but uses them in a way other than the one authorized.
SOURCE: RFC 4949 [75]
Integrity
Guarding against improper modification or destruction of information, including ensuring the non-repudiation and authenticity of information.
SOURCE: NIST SP 800-53 [22]
Intelligent Electronic Device (IED)
A device incorporating one or more processors that is able to send and receive data/control to and from an external source (electronic multifunction meters, digital relays, controllers, etc.).
SOURCE: AGA 12 [5]
Internet
The single world-wide system interconnecting government, industrial, academic and other networks, which shares the protocols specified by the Internet Architecture Board (IAB) and the name and address spaces managed by ICANN.
SOURCE: RFC 4949 [75]
Intrusion Detection System (IDS)
A security service that monitors and analyzes network or system events for
the purpose of finding, and providing real-time or near real-time warning of,
attempts to access system resources in an unauthorized manner.
SOURCE: RFC 4949 [75]
Intrusion Prevention System (IPS)
A system that can detect an intrusive activity and can also attempt to stop
the activity, ideally before it reaches its targets.
Jitter
The time or phase difference between the data signal and the ideal clock.
Key Logger
A program designed to record which keys are pressed on a computer
keyboard used to obtain passwords or encryption keys and thus bypass other
security measures.
Light Tower
A device containing a series of indicator lights and an embedded controller
used to indicate the state of a process based on an input signal.
SOURCE: NIST IR 6859 [2]
Local Area Network (LAN)
A group of computers and other devices dispersed over a relatively limited
area and connected by a communications link that enables any device to
interact with any other on the network.
Machine Controller
A control system/motion network that electronically synchronizes drives
within a machine system instead of relying on synchronization via
mechanical linkage.
Maintenance
Any act that either prevents the failure or malfunction of equipment or
restores its operating capability.
SOURCE: The Automation, Systems, and Instrumentation Dictionary
Malware
Software or firmware intended to perform an unauthorized process that will
have adverse impact on the confidentiality, integrity, or availability of an
information system. A virus, worm, Trojan horse, or other code-based entity
that infects a host. Spyware and some forms of adware are also examples of
malicious code (malware).
SOURCE: NIST SP 800-53 [22]
Management Controls
The security controls (i.e., safeguards or countermeasures) for an
information system that focus on the management of risk and the
management of information security.
SOURCE: NIST SP 800-18 [19]
Manipulated Variable
In a process that is intended to regulate some condition, a quantity or a
condition that the control alters to initiate a change in the value of the
regulated condition.
SOURCE: The Automation, Systems, and Instrumentation Dictionary
Intrusion Detection System (IDS)
A security service that monitors and analyzes network or system events in order to discover attempts to access system resources without authorization and to warn of them in real time or near real time.
SOURCE: RFC 4949 [75]
Intrusion Prevention System (IPS)
A system that can detect intrusive activity and, where possible, stop the activity before it reaches its target.
Jitter
The time or phase difference between the data signal and the ideal clock.
Key Logger
A program that records the keys pressed on a computer keyboard in order to obtain passwords or cryptographic keys and so bypass other security measures.
Light Tower
A device with a series of indicator lights and an embedded controller that displays the state of a process based on an input signal.
SOURCE: NIST IR 6859 [2]
Local Area Network (LAN)
A group of computers and other devices dispersed over a relatively limited area and connected by a communications link so that each can interact with the others on the network.
Machine Controller
A control system/motion network that synchronizes the drives within a machine system electronically rather than relying on synchronization through mechanical linkage.
Maintenance
Any act that prevents the failure or malfunction of equipment or restores it to operating condition.
SOURCE: The Automation, Systems, and Instrumentation Dictionary
Malware
Software or firmware intended to perform an unauthorized process that adversely affects the confidentiality, integrity or availability of an information system. A virus, worm, Trojan horse or other code-based entity that infects a host. Spyware and some forms of adware are also examples of malicious code (malware).
SOURCE: NIST SP 800-53 [22]
Management Controls
The security controls (safeguards or countermeasures) for an information system that focus on risk management and information security management.
SOURCE: NIST SP 800-18 [19]
Manipulated Variable
In a process intended to regulate some condition, the quantity or condition that the control alters in order to change the value of the regulated condition.
SOURCE: The Automation, Systems, and Instrumentation Dictionary
Manufacturing Execution System (MES)
A system that uses network computing to automate production control and
process automation. By downloading recipes and work schedules and
uploading production results, a MES bridges the gap between business and
plant-floor or process-control systems.
SOURCE: NIST IR 6859 [2]
Master Terminal Unit (MTU)
See Control Server.
Modem
A device used to convert serial digital data from a transmitting terminal to a
signal suitable for transmission over a telephone channel to reconvert the
transmitted signal to serial digital data for the receiving terminal.
SOURCE: NIST IR 6859 [2]
Motion Control Network
The network supporting the control applications that move parts in
industrial settings, including sequencing, speed control, point-to-point
control, and incremental motion.
SOURCE: The Automation, Systems, and Instrumentation Dictionary
Network Interface Card (NIC)
A circuit board or card that is installed in a computer so that it can be
connected to a network.
Object Linking and Embedding (OLE) for Process Control (OPC)
A set of open standards developed to promote interoperability between
disparate field devices, automation/control, and business systems.
Operating System
An integrated collection of service routines for supervising the sequencing
of programs by a computer. An operating system may perform the functions
of input/output control, resource scheduling, and data management. It
provides application programs with the fundamental commands for
controlling the computer.
SOURCE: The Automation, Systems, and Instrumentation Dictionary
Operational Controls
The security controls (i.e., safeguards or countermeasures) for an
information system that are primarily implemented and executed by people
(as opposed to systems).
SOURCE: NIST SP 800-18 [19]
Password
A string of characters (letters, numbers, and other symbols) used to
authenticate an identity or to verify access authorization.
Phishing
Tricking individuals into disclosing sensitive personal information by
claiming to be a trustworthy entity in an electronic communication (e.g.,
internet web sites).
Manufacturing Execution System (MES)
A system that uses network computing to automate production control and process automation. By downloading recipes and work schedules and uploading production results, the MES bridges the gap between business systems and plant-floor or process control systems.
SOURCE: NIST IR 6859 [2]
Master Terminal Unit (MTU)
See Control Server.
Modem
A device that converts serial digital data from a transmitting terminal into a signal suited to a telephone channel and reconverts it to serial digital data for the receiving terminal.
SOURCE: NIST IR 6859 [2]
Motion Control Network
The network supporting the control applications that move parts in an industrial setting; the motions include sequencing, speed control, point-to-point control and incremental motion.
SOURCE: The Automation, Systems, and Instrumentation Dictionary
Network Interface Card (NIC)
A circuit board or card installed in a computer to connect it to a network.
Object Linking and Embedding (OLE) for Process Control (OPC)
Open standards developed to promote interoperability between disparate field devices, automation/control systems and business systems.
Operating System
An integrated collection of service routines that supervise the sequencing of programs by a computer. It performs input/output control, resource scheduling and data management, and provides application programs with the basic commands for controlling the computer.
SOURCE: The Automation, Systems, and Instrumentation Dictionary
Operational Controls
The security controls (safeguards or countermeasures) for an information system that are implemented and executed primarily by people rather than by systems.
SOURCE: NIST SP 800-18 [19]
Password
A string of characters (letters, numbers and other symbols) used to authenticate an identity or verify access authorization.
Phishing
Deceiving individuals into disclosing personal information by claiming to be a trustworthy entity in an electronic communication (e.g., an Internet web site).
Photo Eye
A light sensitive sensor utilizing photoelectric control that converts a light
signal into an electrical signal, ultimately producing a binary signal based
on an interruption of a light beam.
SOURCE: NIST IR 6859 [2]
Plant
The physical elements necessary to support the physical process. This can
include many of the static components not controlled by the ICS; however,
the operation of the ICS may impact the adequacy, strength, and durability
of the plant's components.
Port
The entry or exit point from a computer for connecting communications or
peripheral devices.
SOURCE: The Automation, Systems, and Instrumentation Dictionary
Port Scanning
Using a program to remotely determine which ports on a system are open
(e.g., whether systems allow connections through those ports).
SOURCE: NIST SP 800-61 [59]
Predisposing Condition
A condition that exists within an organization, a mission/business
process, enterprise architecture, or information system including its
environment of operation, which contributes to (i.e., increases or
decreases) the likelihood that one or more threat events, once
initiated, will result in undesirable consequences or adverse impact to
organizational operations and assets, individuals, other organizations,
or the Nation.
SOURCE: SP 800-30 [79]
Pressure Regulator
A device used to control the pressure of a gas or liquid.
SOURCE: NIST IR 6859 [2]
Pressure Sensor
A sensor system that produces an electrical signal related to the pressure
acting on it by its surrounding medium. Pressure sensors can also use
differential pressure to obtain level and flow measurements.
SOURCE: NIST IR 6859 [2]
Printer
A device that converts digital data to human-readable text on a paper
medium.
SOURCE: NIST IR 6859 [2]
Process Controller
A type of computer system, typically rack-mounted, that processes sensor
input, executes control algorithms, and computes actuator outputs.
SOURCE: NIST IR 6859 [2]
Photo Eye
A light-sensitive sensor using photoelectric control that converts a light signal into an electrical signal and produces a binary signal when the light beam is interrupted.
SOURCE: NIST IR 6859 [2]
Plant
The physical elements that support the physical process. It may include many static components not controlled by the ICS, but the operation of the ICS affects the adequacy, strength and durability of the plant's components.
Port
The point on a computer that serves as the entry or exit for connecting communications equipment or peripheral devices.
SOURCE: The Automation, Systems, and Instrumentation Dictionary
Port Scanning
Using a program to determine which ports are open (i.e., whether the system can be connected to through them).
SOURCE: NIST SP 800-61 [59]
Predisposing Condition
A condition existing within an organization, mission/business process, enterprise architecture or information system, including its operating environment, that contributes to (increases or decreases) the likelihood that threat events, once initiated, will adversely affect organizational operations and assets, individuals, other organizations or the Nation.
SOURCE: SP 800-30 [79]
Pressure Regulator
A device that controls the pressure of a gas or liquid.
SOURCE: NIST IR 6859 [2]
Pressure Sensor
A sensor system that produces an electrical signal related to the pressure exerted on it by the surrounding medium. Pressure sensors also use differential pressure to measure level and flow.
SOURCE: NIST IR 6859 [2]
Printer
A device that converts digital data into human-readable text on paper.
SOURCE: NIST IR 6859 [2]
Process Controller
A type of computer system, usually rack-mounted, that processes sensor input, executes control algorithms and computes actuator outputs.
SOURCE: NIST IR 6859 [2]
Programmable Logic Controller (PLC)
A solid-state control system that has a user-programmable memory for
storing instructions for the purpose of implementing specific functions such
as I/O control, logic, timing, counting, three mode (PID) control,
communication, arithmetic, and data and file processing.
SOURCE: The Automation, Systems, and Instrumentation Dictionary
A small industrial computer originally designed to perform the logic
functions executed by electrical hardware (relays, switches, and mechanical
timer/counters). PLCs have evolved into controllers with the capability of
controlling complex processes, and they are used substantially in SCADA
systems and DCS. PLCs are also used as the primary controller in smaller
system configurations. PLCs are used extensively in almost all industrial
processes.
Protocol
A set of rules (i.e., formats and procedures) to implement and control some
type of association (e.g., communication) between systems.
SOURCE: RFC 4949 [75]
Protocol Analyzer
A device or software application that enables the user to analyze the
performance of network data so as to ensure that the network and its
associated hardware/software are operating within network specifications.
SOURCE: The Automation, Systems, and Instrumentation Dictionary
Proximity Sensor
A non-contact sensor with the ability to detect the presence of a target
within a specified range.
SOURCE: NIST IR 6859 [2]
Proxy Server
A server that services the requests of its clients by forwarding those requests
to other servers.
SOURCE: CNSSI-4009
Real-Time
Pertaining to the performance of a computation during the actual time that
the related physical process transpires so that the results of the computation
can be used to guide the physical process.
SOURCE: NIST IR 6859 [2]
Redundant Control Server
A backup to the control server that maintains the current state of the control
server at all times.
SOURCE: NIST IR 6859 [2]
Relay
An electromechanical device that completes or interrupts an electrical circuit
by physically moving conductive contacts. The resultant motion can be
coupled to another mechanism such as a valve or breaker.
SOURCE: The Automation, Systems, and Instrumentation Dictionary
Programmable Logic Controller (PLC)
A solid-state control system with user-programmable memory that stores instructions for implementing specific functions such as I/O control, logic, timing, counting, three-mode (PID) control, communication, arithmetic, and data and file processing.
SOURCE: The Automation, Systems, and Instrumentation Dictionary
A small industrial computer originally designed to perform the logic functions executed by electrical hardware (relays, switches and mechanical timers/counters). PLCs have evolved into controllers capable of controlling complex processes and are used heavily in SCADA systems and DCS. They are also used as the primary controller in smaller system configurations. PLCs are used widely in almost all industrial processes.
Protocol
A set of rules (formats and procedures) for carrying out and controlling some kind of association (such as communication) between systems.
SOURCE: RFC 4949 [75]
Protocol Analyzer
A device or software that lets the user analyze the performance of network data so that the network and its associated hardware/software operate within the network specifications.
SOURCE: The Automation, Systems, and Instrumentation Dictionary
Proximity Sensor
A non-contact sensor able to detect that a target is within a specified range.
SOURCE: NIST IR 6859 [2]
Proxy Server
A server that forwards requests from its clients to other servers.
SOURCE: CNSSI-4009
Real-Time
Computation performed while the related physical process is actually taking place, so that the results can be used to control that physical process.
SOURCE: NIST IR 6859 [2]
Redundant Control Server
A backup to the control server that holds the current state of the control server at all times.
SOURCE: NIST IR 6859 [2]
Relay
An electromechanical device that completes or interrupts an electrical circuit by physically moving contacts. The resulting motion can be coupled to another device such as a valve or breaker.
SOURCE: The Automation, Systems, and Instrumentation Dictionary
Remote Access
Access by users (or information systems) communicating external to an
information system security perimeter.
SOURCE: NIST SP 800-53 [22]
Remote Access Point
Distinct devices, areas and locations of a control network for remotely
configuring control systems and accessing process data. Examples include
using a mobile device to access data over a LAN through a wireless access
point, and using a laptop and modem connection to remotely access an ICS
system.
Remote Diagnostics
Diagnostics activities conducted by individuals communicating external to
an information system security perimeter.
Remote Maintenance
Maintenance activities conducted by individuals communicating external to
an information system security perimeter.
Remote Terminal Unit (RTU)
A computer with radio interfacing used in remote situations where
communications via wire is unavailable. Usually used to communicate with
remote field equipment. PLCs with radio communication capabilities are
also used in place of RTUs.
Special purpose data acquisition and control unit designed to support DCS
and SCADA remote stations. RTUs are field devices often equipped with
network capabilities, which can include wired and wireless radio interfaces
to communicate to the supervisory controller. Sometimes PLCs are
implemented as field devices to serve as RTUs; in this case, the PLC is often
referred to as an RTU.
Resource Starvation
A condition where a computer process cannot be supported by available
computer resources. Resource starvation can occur due to the lack of
computer resources or the existence of multiple processes that are competing
for the same computer resources.
Risk
The level of impact on agency operations (including mission, functions,
image, or reputation), agency assets, or individuals resulting from the
operation of an information system, given the potential impact of a threat
and the likelihood of that threat occurring.
SOURCE: NIST SP 800-30 [79]
Risk Assessment
The process of identifying risks to agency operations (including mission,
functions, image, or reputation), agency assets, or individuals by
determining the probability of occurrence, the resulting impact, and
additional security controls that would mitigate this impact. Part of risk
management, synonymous with risk analysis. Incorporates threat and
vulnerability analyses.
SOURCE: NIST SP 800-30 [79]
Remote Access
Access by users (or information systems) communicating from outside an information system's security perimeter.
SOURCE: NIST SP 800-53 [22]
Remote Access Point
Distinct devices, areas and locations of a control network used to configure control systems remotely and access process data. Examples include using a mobile device to access data over a LAN through a wireless access point, and using a laptop and modem to access an ICS.
Remote Diagnostics
Diagnostic activities carried out by individuals communicating from outside an information system's security perimeter.
Remote Maintenance
Maintenance activities carried out by individuals communicating from outside an information system's security perimeter.
Remote Terminal Unit (RTU)
A computer with a radio interface, used in remote environments where wired communication is unavailable. Normally used to communicate with remote field equipment. PLCs with radio communication capability are also used in place of RTUs.
A special-purpose data acquisition and control unit for supporting DCS and SCADA remote stations. RTUs are often equipped with network capabilities, such as wired and wireless interfaces, for communicating with the supervisory controller. PLCs are sometimes implemented as field devices and used as RTUs; such a PLC is often referred to as an RTU.
Resource Starvation
A condition in which a computer process cannot be supported by the available computer resources. It can arise from a shortage of computer resources or from several processes competing for the same resources.
Risk
The degree of impact on agency operations (mission, functions, image, reputation, etc.), agency assets or individuals arising from the operation of an information system, given the potential impact of a threat and the likelihood of that threat occurring.
SOURCE: NIST SP 800-30 [79]
Risk Assessment
The process of identifying risks to agency operations (mission, functions, image, reputation, etc.), assets or individuals by determining the probability of occurrence, the resulting impact, and the additional security controls that would mitigate that impact. Part of risk management and synonymous with risk analysis. Incorporates threat analysis and vulnerability analysis.
SOURCE: NIST SP 800-30 [79]
Risk Management
The process of managing risks to organizational operations (including
mission, functions, image, reputation), organizational assets, individuals,
other organizations, and the Nation, resulting from the operation of an
information system, and includes: (i) the conduct of a risk assessment; (ii)
the implementation of a risk mitigation strategy; and (iii) employment of
techniques and procedures for the continuous monitoring of the security
state of the information system.
SOURCE: FIPS 200, Adapted [16]
Risk Management Framework
The Risk Management Framework (RMF), presented in NIST SP 800-37,
provides a disciplined and structured process that integrates information
security and risk management activities into the system development life
cycle.
SOURCE: SP 800-37 [21]
Router
A computer that is a gateway between two networks at OSI layer 3 and that
relays and directs data packets through that inter-network. The most
common form of router operates on IP packets.
SOURCE: RFC 4949 [75]
Router Flapping
A router that transmits routing updates alternately advertising a destination
network first via one route, then via a different route.
Safety Instrumented System (SIS)
A system that is composed of sensors, logic solvers, and final control
elements whose purpose is to take the process to a safe state when
predetermined conditions are violated. Other terms commonly used include
emergency shutdown system (ESS), safety shutdown system (SSD), and
safety interlock system (SIS).
SOURCE: ANSI/ISA-84.00.01
SCADA Server
The device that acts as the master in a SCADA system.
SOURCE: NIST IR 6859 [2]
Security Audit
Independent review and examination of a system's records and activities to
determine the adequacy of system controls, ensure compliance with
established security policy and procedures, detect breaches in security
services, and recommend any changes that are indicated for
countermeasures.
SOURCE: ISO/IEC 7498
Security Controls
The management, operational, and technical controls (i.e., safeguards or
countermeasures) prescribed for an information system to protect the
confidentiality, integrity, and availability of the system and its information.
SOURCE: FIPS PUB 199 [15]
Risk Management
The process of managing the risks to organizational operations (mission, functions, image, reputation, etc.), assets, individuals, other organizations or the Nation arising from the operation of an information system. It includes (1) conducting a risk assessment, (2) implementing a risk mitigation strategy, and (3) adopting techniques and procedures for continuously monitoring the security state of the information system.
SOURCE: FIPS 200, Adapted [16]
Risk Management Framework
The Risk Management Framework (RMF) presented in NIST SP 800-37 provides a disciplined, structured process for integrating information security and risk management activities into the system development life cycle.
SOURCE: SP 800-37 [21]
Router
A computer that acts as a gateway between two networks at OSI layer 3 and relays and directs data packets across that inter-network. The most common form of router operates on IP packets.
SOURCE: RFC 4949 [75]
Router Flapping
A router that sends routing updates alternately, advertising a destination network first via one route and then via a different route.
Safety Instrumented System (SIS)
A system composed of sensors, logic solvers and final control elements whose purpose is to bring the process to a safe state when predetermined conditions are violated. Other terms in common use are emergency shutdown system (ESS), safety shutdown system (SSD) and safety interlock system (SIS).
SOURCE: ANSI/ISA-84.00.01
SCADA Server
The device that acts as the master in a SCADA system.
SOURCE: NIST IR 6859 [2]
Security Audit
An independent review and examination of a system's records and activities to determine the adequacy of system controls, ensure compliance with the established security policy and procedures, detect breaches of security services, and recommend the changes indicated as countermeasures.
SOURCE: ISO/IEC 7498
Security Controls
The management, operational and technical controls (safeguards, countermeasures, etc.) for an information system that protect the confidentiality, integrity and availability of the system and its information.
SOURCE: FIPS PUB 199 [15]
SPECIAL PUBLICATION 800-82 REVISION 2 GUIDE TO INDUSTRIAL CONTROL SYSTEMS (ICS) SECURITY
247
Security Plan
Formal document that provides an overview of the security requirements for
the information system and describes the security controls in place or
planned for meeting those requirements.
SOURCE: NIST SP 800-53 [22]
Security Policy
Security policies define the objectives and constraints for the security
program. Policies are created at several levels, ranging from organization or
corporate policy to specific operational constraints (e.g., remote access). In
general, policies provide answers to the questions “what†and “whyâ€
without dealing with “how.†Policies are normally stated in terms that are
technology-independent.
SOURCE: ISA99
Sensor
A device that produces a voltage or current output that is representative of
some physical property being measured (e.g., speed, temperature, flow).
SOURCE: The Automation, Systems, and Instrumentation Dictionary
A device that measures a physical quantity and converts it into a signal
which can be read by an observer or by an instrument. A sensor is a device,
which responds to an input quantity by generating a functionally related
output usually in the form of an electrical or optical signal.
Servo Valve
An actuated valve whose position is controlled using a servo actuator.
SOURCE: NIST IR 6859 [2]
Set Point
An input variable that sets the desired value of the controlled variable. This
variable may be manually set, automatically set, or programmed.
SOURCE: The Automation, Systems, and Instrumentation Dictionary
Simple Network Management Protocol (SNMP)
A standard TCP/IP protocol for network management. Network
administrators use SNMP to monitor and map network availability,
performance, and error rates. To work with SNMP, network devices utilize a
distributed data store called the Management Information Base (MIB). All
SNMP-compliant devices contain a MIB which supplies the pertinent
attributes of a device. Some attributes are fixed or “hard-coded†in the MIB,
while others are dynamic values calculated by agent software running on the
device.
SOURCE: API 1164
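The manager/agent exchange this entry describes, as an added example that is not part of SP 800-82 or of the API 1164 text it cites: a pure-Python SNMPv2c GetRequest for sysDescr.0 and the agent's GetResponse, encoded to and parsed from raw BER, with the agent answering out of a small MIB. The PLC description in SAMPLE_MIB, the community string "public" and the request-id are constructed sample data and no network is involved. The parser also makes the ICS-relevant point concrete: in SNMPv1/v2c the community string that authorizes the query travels in cleartext, so anyone who can capture the datagram reads it with the same few lines.

```python
"""SNMPv2c GetRequest/GetResponse built from raw BER. Added example, not from SP 800-82: a manager
asks a constructed agent for one MIB object; nothing touches the network and all data is made up."""

# ASN.1 universal tags, SNMP context-specific PDU tags and the v2c noSuchObject exception (RFC 3416)
TAG_INTEGER, TAG_OCTET_STRING, TAG_NULL, TAG_OID, TAG_SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
TAG_GET_REQUEST, TAG_GET_RESPONSE, TAG_NO_SUCH_OBJECT = 0xA0, 0xA2, 0x80
SNMP_V2C = 1  # version field: 0 = v1, 1 = v2c
SYS_DESCR = "1.3.6.1.2.1.1.1.0"  # sysDescr.0, a fixed ("hard-coded") MIB attribute
SAMPLE_MIB = {SYS_DESCR: "Constructed PLC, firmware 1.0"}  # made-up agent MIB


def tlv(tag, body):
    """Tag + definite length (short form below 128, else 0x80|count and big-endian bytes) + value."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def ber_int(value):
    """INTEGER in minimal two's-complement form (non-negative values only here)."""
    return tlv(TAG_INTEGER, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big", signed=True))


def ber_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out.extend(chunk)
    return tlv(TAG_OID, bytes(out))


def build_message(community, pdu_tag, request_id, varbinds):
    """Message = SEQUENCE { version, community, PDU }; varbinds are (dotted OID, encoded value TLV)."""
    vbl = b"".join(tlv(TAG_SEQUENCE, ber_oid(oid) + val) for oid, val in varbinds)
    pdu = ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(TAG_SEQUENCE, vbl)  # error-status/index 0
    return tlv(TAG_SEQUENCE, ber_int(SNMP_V2C) + tlv(TAG_OCTET_STRING, community.encode()) + tlv(pdu_tag, pdu))


def get_request(community, request_id, oid):  # manager side: value slot is NULL, agent fills it in
    return build_message(community, TAG_GET_REQUEST, request_id, [(oid, tlv(TAG_NULL, b""))])


def read_tlv(buf, pos=0):
    """Return (tag, value bytes, position after the TLV); bounds-checked so garbage cannot over-read."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def decode_value(tag, body):
    if tag == TAG_INTEGER:
        return int.from_bytes(body, "big", signed=True)
    return {TAG_OCTET_STRING: body.decode("latin-1"), TAG_NULL: None,
            TAG_NO_SUCH_OBJECT: "noSuchObject"}.get(tag, body)  # other SNMP types stay raw bytes


def parse_message(msg):
    """Parse a v1/v2c message into a dict; the community string comes back exactly as sent (cleartext)."""
    tag, body, end = read_tlv(msg)
    if tag != TAG_SEQUENCE or end != len(msg):
        raise ValueError("not a single SNMP SEQUENCE")
    vtag, version, pos = read_tlv(body)
    ctag, community, pos = read_tlv(body, pos)
    pdu_tag, pdu, pos = read_tlv(body, pos)
    if vtag != TAG_INTEGER or ctag != TAG_OCTET_STRING or pos != len(body):
        raise ValueError("malformed SNMP header")
    fields, p = [], 0
    for _ in range(4):  # request-id, error-status, error-index, varbind list
        _, val, p = read_tlv(pdu, p)
        fields.append(val)
    rid, err, idx = (int.from_bytes(f, "big", signed=True) for f in fields[:3])
    varbinds, q = [], 0
    while q < len(fields[3]):
        _, vb, q = read_tlv(fields[3], q)
        _, oid, r = read_tlv(vb)
        vt, val, _ = read_tlv(vb, r)
        varbinds.append((decode_oid(oid), decode_value(vt, val)))
    return {"version": decode_value(TAG_INTEGER, version), "community": community.decode("latin-1"),
            "pdu_tag": pdu_tag, "request_id": rid, "error_status": err, "error_index": idx, "varbinds": varbinds}


def agent_respond(request, mib, community):
    """Constructed agent: answer from `mib` if the community matches, else drop it (None) as real agents do."""
    req = parse_message(request)
    if req["community"] != community or req["pdu_tag"] != TAG_GET_REQUEST:
        return None
    answers = [(oid, tlv(TAG_OCTET_STRING, mib[oid].encode()) if oid in mib else tlv(TAG_NO_SUCH_OBJECT, b""))
               for oid, _ in req["varbinds"]]  # noSuchObject is the v2c "not in my MIB" exception value
    return build_message(community, TAG_GET_RESPONSE, req["request_id"], answers)
```

Calling `get_request("public", 0x1234, SYS_DESCR)` yields a 41-byte datagram; `parse_message` on those bytes returns the community "public" without any key, and `agent_respond(req, SAMPLE_MIB, "public")` returns a GetResponse whose varbind carries the constructed sysDescr string. Asking for an OID the agent does not hold comes back as noSuchObject, and a wrong community string gets no reply at all, which is also why blind community-string guessing against ICS devices is only detectable from the request side.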
Single Loop Controller
A controller that controls a very small process or a critical process.
SOURCE: NIST IR 6859 [2]
Social Engineering
An attempt to trick someone into revealing information (e.g., a password)
that can be used to attack systems or networks.
SOURCE: NIST SP 800-61 [59]
Solenoid Valve
A valve actuated by an electric coil. A solenoid valve typically has two
states: open and closed.
SOURCE: NIST IR 6859 [2]
Spyware
Software that is secretly or surreptitiously installed onto an information
system to gather information on individuals or organizations without their
knowledge; a type of malicious code.
SOURCE: NIST SP 800-53 [22]
Statistical Process Control (SPC)
The use of statistical techniques to control the quality of a product or
process.
SOURCE: The Automation, Systems, and Instrumentation Dictionary
Steady State
A characteristic of a condition, such as value, rate, periodicity, or amplitude,
exhibiting only negligible change over an arbitrarily long period of time.
SOURCE: ANSI/ISA-51.1-1979
Supervisory Control
A term that is used to imply that the output of a controller or computer
program is used as input to other controllers. See Control Server.
SOURCE: The Automation, Systems, and Instrumentation Dictionary
Supervisory Control and Data Acquisition (SCADA)
A generic name for a computerized system that is capable of gathering and
processing data and applying operational controls over long distances.
Typical uses include power transmission and distribution and pipeline
systems. SCADA was designed for the unique communication challenges
(e.g., delays, data integrity) posed by the various media that must be used,
such as phone lines, microwave, and satellite. Usually shared rather than
dedicated.
SOURCE: The Automation, Systems, and Instrumentation Dictionary
System Security Plan
Formal document that provides an overview of the security requirements for
a system and describes the security controls in place or planned for meeting
those requirements.
SOURCE: NIST SP 800-18, Adapted [19]
Technical Controls
The security controls (i.e., safeguards or countermeasures) for an
information system that are primarily implemented and executed by the
information system through mechanisms contained in the hardware,
software, or firmware components of the system.
SOURCE: NIST SP 800-18 [19]
Temperature Sensor
A sensor system that produces an electrical signal related to its temperature
and, as a consequence, senses the temperature of its surrounding medium.
SOURCE: NIST IR 6859 [2]
Threat
Any circumstance or event with the potential to adversely impact agency
operations (including mission, functions, image, or reputation), agency
assets, or individuals through an information system via unauthorized
access, destruction, disclosure, modification of information, and/or denial of
service.
SOURCE: NIST SP 800-53 [22]
Threat Event
An event or situation that has the potential for causing undesirable
consequences or impact.
SOURCE: SP 800-30 [79]
Threat Source
The intent and method targeted at the intentional exploitation of a
vulnerability or a situation and method that may accidentally trigger a
vulnerability. Synonymous with Threat Agent.
SOURCE: FIPS 200 [16]; SP 800-53 [22]; SP 800-53A [23]; SP 800-37 [21]
Transmission Control Protocol (TCP)
TCP is one of the main protocols in TCP/IP networks. Whereas the IP
protocol deals only with packets, TCP enables two hosts to establish a
connection and exchange streams of data. TCP guarantees delivery of data
and also guarantees that packets will be delivered in the same order in which
they were sent.
SOURCE: API 1164
Trojan Horse
A computer program that appears to have a useful function, but also has a
hidden and potentially malicious function that evades security mechanisms,
sometimes by exploiting legitimate authorizations of a system entity that
invokes the program.
SOURCE: RFC 4949 [75]
Unauthorized Access
A person gains logical or physical access without permission to a network,
system, application, data, or other resource.
SOURCE: NIST SP 800-61 [59]
Unidirectional Gateway
Unidirectional gateways are a combination of hardware and software. The
hardware permits data to flow from one network to another, but is
physically unable to send any information at all back into the source
network. The software replicates databases and emulates protocol servers
and devices.
Valve
An in-line device in a fluid-flow system that can interrupt flow, regulate the
rate of flow, or divert flow to another branch of the system.
SOURCE: The Automation, Systems, and Instrumentation Dictionary
Variable Frequency Drive (VFD)
A type of drive that controls the speed, but not the precise position, of a
non-servo, AC motor by varying the frequency of the electricity going to
that motor. VFDs are typically used for applications where speed and power
are important, but precise positioning is not.
SOURCE: NIST IR 6859 [2]
Virtual Private Network (VPN)
A restricted-use, logical (i.e., artificial or simulated) computer network that
is constructed from the system resources of a relatively public, physical
(i.e., real) network (such as the Internet), often by using encryption (located
at hosts or gateways), and often by tunneling links of the virtual network
across the real network.
SOURCE: RFC 4949 [75]
Virus
A hidden, self-replicating section of computer software, usually malicious
logic, that propagates by infecting (i.e., inserting a copy of itself into and
becoming part of) another program. A virus cannot run by itself; it requires
that its host program be run to make the virus active.
SOURCE: RFC 4949 [75]
Virus Definitions
Predefined signatures for known malware used by antivirus detection
algorithms.
Vulnerability
Weakness in an information system, system security procedures, internal
controls, or implementation that could be exploited or triggered by a threat
source.
SOURCE: NIST SP 800-53 [22]
Whitelist
A list of discrete entities, such as hosts or applications that are known to be
benign and are approved for use within an organization and/or information
system.
SOURCE: SP 800-128 [80]
Wide Area Network (WAN)
A physical or logical network that provides data communications to a larger
number of independent users than are usually served by a local area
network (LAN) and that is usually spread over a larger geographic area than
that of a LAN.
SOURCE: API 1164
Wireless Device
Any device that can connect to an ICS network via radio or infrared waves,
usually to collect or monitor data, but also in some cases to modify control
set points.
Workstation
A computer used for tasks such as programming, engineering, and design.
SOURCE: NIST IR 6859 [2]
Worm
A computer program that can run independently, can propagate a complete
working version of itself onto other hosts on a network, and may consume
computer resources destructively.
SOURCE: RFC 4949 [75]
Appendix C—Threat Sources, Vulnerabilities, and Incidents
Several terms are used to describe the inter-related concepts of threat, threat source, threat event, and
incident. A threat is any circumstance or event with the potential to adversely impact organizational
operations (including mission, functions, image, or reputation), organizational assets, individuals, other
organizations, or the Nation through an information system via unauthorized access, destruction, disclosure,
modification of information, and/or denial of service. Threats have some intent or method that may exploit
a vulnerability through either intentional or unintentional means; this intent or method is referred to as the
threat source. A vulnerability is a weakness in an information system (including an ICS), system security
procedures, internal controls, or implementation that could be exploited or triggered by a threat source. A
threat event is an event or situation that has the potential for causing undesirable consequences or impact.
When a threat event occurs it becomes an incident that actually or potentially jeopardizes the
confidentiality, integrity, or availability of an information system or the information the system processes,
stores, or transmits or that constitutes a violation or imminent threat of violation of security policies,
security procedures, or acceptable use policies. This section will explore ICS-specific threat sources,
vulnerabilities, and incidents.
Threat Sources
Threats to ICS can come from numerous sources, which can be classified as adversarial, accidental,
structural, and environmental. Table C-1 lists and defines known threat sources to ICS. It is necessary to
create a risk management strategy for the ICS that protects the system against these possible threat sources.
The threat source must be well understood in order to define and implement adequate protection. For
example, environmental events (e.g. floods, earthquakes) are well understood, but may vary in their
magnitude, frequency, and their ability to compound other interconnected events. However, adversarial
threats depend on the resources available to the adversary and the emergence of previously unknown
vulnerabilities or attacks.
Table C-1. Threats to ICS
ADVERSARIAL
Type of threat source:
- Individual: Outsider; Insider; Trusted Insider; Privileged Insider
- Group: Ad hoc; Established
- Organization: Competitor; Supplier; Partner; Customer
- Nation-State
Description: Individuals, groups, organizations, or states that seek to exploit the organization’s dependence on
cyber resources (e.g., information in electronic form, information and communications technologies, and the
communications and information-handling capabilities provided by those technologies).
Characteristics: Capability, Intent, Targeting
ACCIDENTAL
Type of threat source:
- User
- Privileged User/Administrator
Description: Erroneous actions taken by individuals in the course of executing their everyday responsibilities.
Characteristics: Range of effects
STRUCTURAL
Type of threat source:
- Information Technology (IT) Equipment: Storage; Processing; Communications; Display; Sensor; Controller
- Environmental Controls: Temperature/Humidity Controls; Power Supply
- Software: Operating System; Networking; General-Purpose Application; Mission-Specific Application
Description: Failures of equipment, environmental controls, or software due to aging, resource depletion, or
other circumstances which exceed expected operating parameters.
Characteristics: Range of effects
ENVIRONMENTAL
Type of threat source:
- Natural or man-made disaster: Fire; Flood/Tsunami; Windstorm/Tornado; Hurricane; Earthquake; Bombing; Overrun
- Unusual Natural Event (e.g., sunspots)
- Infrastructure Failure/Outage: Telecommunications; Electrical Power
Description: Natural disasters and failures of critical infrastructures on which the organization depends, but
which are outside the control of the organization.
Note: Natural and man-made disasters can also be characterized in terms of their severity and/or duration.
However, because the threat source and the threat event are strongly identified, severity and duration can be
included in the description of the threat event (e.g., a Category 5 hurricane causes extensive damage to the
facilities housing mission-critical systems, making those systems unavailable for three weeks).
Characteristics: Range of effects
Vulnerabilities and Predisposing Conditions
This section addresses vulnerabilities and predisposing conditions that may be found in typical ICS.
Vulnerabilities are weaknesses in information systems, system procedures, controls, or implementations that
can be exploited by a threat source. Predisposing conditions are properties of the organization,
mission/business process, architecture, or information systems that contribute to the likelihood of a threat
event. The order of these vulnerabilities and predisposing conditions does not necessarily reflect any
priority in terms of likelihood of occurrence or severity of impact. Additionally, the vulnerabilities and
predisposing conditions identified in this section should not be considered a complete list; it should also not
be assumed that these issues are found within every ICS.
The vulnerabilities and predisposing conditions are grouped according to where they exist–such as in the
organization’s policy and procedures, or the inadequacy of security mechanisms implemented in hardware,
firmware, and software. The former are referred to as being in the organization and the latter as being in the
system. Understanding the source of vulnerabilities and predisposing conditions can assist in determining
optimal mitigation strategies. The groups of vulnerabilities used in this appendix are:
- Policy and Procedure.
- Architecture and Design.
- Configuration and Maintenance.
- Physical.
- Software Development.
- Communication and Network.
Deeper analysis may uncover that causes and observations may not be one-to-one; that is, some underlying
causes may exhibit multiple symptoms and some symptoms may come from more than one cause. SP 800-
53 contains a taxonomy of security controls, or countermeasures, to mitigate vulnerabilities and
predisposing conditions. These are categorized in families, where each family contains security controls
related to the general security topic of the family. While the families and controls from 800-53 provide a
more complete overview of the potential vulnerabilities and predisposing conditions within an ICS, this
section briefly reviews those issues known to be common within ICS.
Any given ICS will usually exhibit a subset of the identified vulnerabilities, but may also contain additional
vulnerabilities and predisposing conditions unique to the particular ICS implementation that do not appear
in this appendix. Specific current information on ICS vulnerabilities can be researched at the Industrial
Control System Computer Emergency Response Team (ICS-CERT) Web site.45
Some vulnerabilities and predisposing conditions can be mitigated; others can only be accepted and
controlled by appropriate countermeasures, but will result in some residual risk to the ICS. For example,
some existing policies and procedures may be changed with a level of effort that the organization considers
acceptable; others are more expeditiously dealt with by instituting additional policies and procedures.
Vulnerabilities in products and services acquired from outside the organization are rarely under the direct
control of the organization. Changes may be influenced by market forces, but this is a slow and indirect
approach. Instead, the organization may change predisposing conditions to reduce the likelihood that a
systemic vulnerability will be exploited.
Policy and Procedure Vulnerabilities and Predisposing Conditions
Vulnerabilities and predisposing conditions are often introduced into the ICS because of incomplete,
inappropriate, or nonexistent security policy, including its documentation, implementation guides (e.g.,
procedures), and enforcement. Management support of security policy and procedures is the cornerstone of
any security program. Organization security policy can reduce vulnerabilities by mandating and enforcing
proper conduct. Written policy and procedures are mechanisms for informing staff and stakeholders of
decisions about behavior that is beneficial to the organization. From this perspective, policy is an
educational and instructive way to reduce vulnerabilities. Enforcement is partner to policy, encouraging
people to do the “right” thing. Various forms of corrective action are the usual consequences to personnel
not following policy and procedures. Policies should be explicit about the consequences to individuals or
organizations that do not conform.
45 http://ics-cert.us-cert.gov.
There is usually a complex policy and procedure environment that includes laws and regulations,
overlapping jurisdictions and spheres of influence, economics, custom, and history. The larger enterprise is
often subdivided into organizational units that should work together to reduce vulnerabilities. The scope
and hierarchical relationship among policies and procedures needs to be managed for maximum
effectiveness.
Certain controls in SP 800-53 and the ICS overlay in Appendix G specify responsibilities and
requirements for the organization, while others focus on the capabilities and operation of the various
systems within the organization. For example, the control AC-6, Least Privilege, states "The organization
employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on
behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational
missions and business functions." The organization has to make decisions that get codified in policy and
procedures. Some resulting artifacts, such as job descriptions that include roles, responsibilities, and
authority, remain in a form suitable for people, while other artifacts, such as attributes, privileges, and
access control rules, are implemented in IT.
Note that the ICS overlay follows SP 800-53 in employing the term "organization" very flexibly so that its
guidance can be used by all sizes of organizational entities up and down an organization chart. Specific
organizations should be identified, starting with the organization responsible for issuing and maintaining
the policy or procedure.
Table C-2 presents examples of observed policy and procedure vulnerabilities for ICS.
Table C-2. Policy and Procedure Vulnerabilities and Predisposing Conditions

Vulnerability: Inadequate security policy for the ICS
Description: Vulnerabilities are often introduced into ICS due to inadequate policies or the lack of policies specifically for control system security. Every countermeasure should be traceable to a policy. This ensures uniformity and accountability. Policy must include portable and mobile devices used with ICS.

Vulnerability: No formal ICS security training and awareness program
Description: A documented formal security training and awareness policy and program is designed to keep staff up to date on organizational security policies and procedures as well as threats, industry cybersecurity standards, and recommended practices. Without training on specific ICS policies and procedures, staff cannot be expected to maintain a secure ICS environment.

Vulnerability: Absent or deficient ICS equipment implementation guidelines
Description: Equipment implementation guidelines should be kept up to date and readily available. These guidelines are an integral part of security procedures in the event of an ICS malfunction.

Vulnerability: Lack of administrative mechanisms for security policy enforcement
Description: Staff responsible for enforcing security should be held accountable for administering documented security policies and procedures.

Vulnerability: Inadequate review of the effectiveness of the ICS security controls
Description: Procedures and schedules should exist to determine the extent to which the security program and its constituent controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the ICS. The examination is sometimes called an "audit," "evaluation," or "assessment." Policy should address the stage of the life-cycle, purpose, technical expertise, methodology, and level of independence.

Vulnerability: No ICS-specific contingency plan
Description: A contingency plan should be prepared, tested and available in the event of a major hardware or software failure or destruction of facilities. Lack of a specific plan for the ICS could lead to extended downtimes and production loss.

Vulnerability: Lack of configuration management policy
Description: Lack of policy and procedures for ICS configuration change management can lead to an unmanageable and highly vulnerable inventory of hardware, firmware, and software.

Vulnerability: Lack of adequate access control policy
Description: Access control enforcement depends on a policy that correctly models roles, responsibilities, and authorizations. The policy model must enable the way the organization functions.

Vulnerability: Lack of adequate authentication policy
Description: Authentication policies are needed to define when authentication mechanisms (e.g., passwords, smart cards) must be used, how strong they must be, and how they must be maintained. Without policy, systems might not have appropriate authentication controls, making unauthorized access to systems more likely. Authentication policies should be developed as part of an overall ICS security program, taking into account the capabilities of the ICS and its personnel to handle more complex passwords and other mechanisms.

Vulnerability: Inadequate incident detection and response plan and procedures
Description: Incident detection and response plans, procedures, and methods are necessary for rapidly detecting incidents, minimizing loss and destruction, preserving evidence for later forensic examination, mitigating the weaknesses that were exploited, and restoring ICS services. Establishing a successful incident response capability includes continually monitoring for anomalies, prioritizing the handling of incidents, and implementing effective methods of collecting, analyzing, and reporting data.

Vulnerability: Lack of redundancy for critical components
Description: Lack of redundancy in critical components creates single points of failure.
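The AC-6 discussion above notes that some policy artifacts end up as access control rules implemented in IT, and the access control row of Table C-2 requires a policy model that both restricts privileges and enables the way the organization functions. The following is an added example, not code from NIST SP 800-82 or from any ICS product, of checking such a rule set against the roles' job descriptions. The roles, actions and the three hypothetical policy configurations are assumptions made for illustration: the first grants every role every action (an operator receives administrative privileges), the second withholds the emergency stop from operators (too few privileges to act in an emergency), and the third grants exactly what each role needs.

```python
"""Least-privilege check for an ICS role/permission model.

Added example (not from NIST SP 800-82). Roles, actions and the three
policies are hypothetical; they illustrate the two failure modes of
access control: too many privileges and too few.
"""
from dataclasses import dataclass

# Actions an ICS user (or a process acting on behalf of a user) may request.
READ_HMI = "read_hmi"              # view process values on the HMI
WRITE_SETPOINT = "write_setpoint"  # change an operating setpoint
EMERGENCY_STOP = "emergency_stop"  # corrective action in an emergency
DOWNLOAD_LOGIC = "download_logic"  # change PLC control logic
MANAGE_USERS = "manage_users"      # create accounts, assign roles

ALL_ACTIONS = frozenset({READ_HMI, WRITE_SETPOINT, EMERGENCY_STOP,
                         DOWNLOAD_LOGIC, MANAGE_USERS})


@dataclass(frozen=True)
class Policy:
    """Maps each role to the set of actions it is authorized to perform."""
    name: str
    grants: dict  # role -> frozenset of actions

    def allows(self, role: str, action: str) -> bool:
        # Default deny: an unknown role or an ungranted action is refused.
        return action in self.grants.get(role, frozenset())

    def privileges(self, role: str) -> frozenset:
        return self.grants.get(role, frozenset())


# Hypothetical job descriptions: what each role must be able to do.
REQUIRED = {
    "operator": frozenset({READ_HMI, WRITE_SETPOINT, EMERGENCY_STOP}),
    "engineer": frozenset({READ_HMI, WRITE_SETPOINT, EMERGENCY_STOP, DOWNLOAD_LOGIC}),
    "ics_admin": frozenset({READ_HMI, MANAGE_USERS}),
}


def check_least_privilege(policy: Policy, required: dict) -> dict:
    """Compare granted privileges against required ones.

    Returns, per role, the excess grants (violating least privilege)
    and the missing grants (preventing the role from doing its job).
    """
    findings = {}
    for role, needed in required.items():
        granted = policy.privileges(role)
        findings[role] = {
            "excess": sorted(granted - needed),
            "missing": sorted(needed - granted),
        }
    return findings


# Case 1: vendor default configuration, every role inherits full rights.
DEFAULT_CONFIG = Policy("vendor_default", {
    "operator": ALL_ACTIONS,
    "engineer": ALL_ACTIONS,
    "ics_admin": ALL_ACTIONS,
})

# Case 2: over-corrected configuration, operators cannot perform an emergency stop.
OVER_RESTRICTED = Policy("over_restricted", {
    "operator": frozenset({READ_HMI}),
    "engineer": frozenset({READ_HMI, WRITE_SETPOINT, DOWNLOAD_LOGIC}),
    "ics_admin": frozenset({MANAGE_USERS}),
})

# Case 3: least privilege, each role gets exactly what its job requires.
LEAST_PRIVILEGE = Policy("least_privilege", dict(REQUIRED))

if __name__ == "__main__":
    for pol in (DEFAULT_CONFIG, OVER_RESTRICTED, LEAST_PRIVILEGE):
        print(pol.name, check_least_privilege(pol, REQUIRED))
```

The check is deliberately two-sided: an empty "excess" list satisfies AC-6, but an empty "missing" list is what keeps the operator able to take corrective action when it matters, so both lists should be empty before a policy is put into production.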
System Vulnerabilities and Predisposing Conditions
Security controls must clearly identify the systems to which they apply. Systems range widely in size,
scope, and capability. At the small end of the spectrum, a system may be an individual hardware or
software product or service. At the other end of the spectrum we find large complex systems, systems-of-
systems, and networks, all of which incorporate hardware architecture and software framework (including
application frameworks), where the combination supports the operation of the ICS.
System vulnerabilities can occur in the hardware, firmware, and software used to build the ICS. Sources of
vulnerabilities include design flaws, development flaws, misconfigurations, poor maintenance, poor
administration, and connections with other systems and networks. Many of the controls in SP 800-53
and the ICS overlay in Appendix G specify what the system must do to mitigate these vulnerabilities.
The potential vulnerabilities and predisposing conditions commonly found within ICS are categorized
in the following tables:
• Table C-3. Architecture and Design Vulnerabilities and Predisposing Conditions.
• Table C-4. Configuration and Maintenance Vulnerabilities and Predisposing Conditions.
• Table C-5. Physical Vulnerabilities and Predisposing Conditions.
• Table C-6. Software Development Vulnerabilities and Predisposing Conditions.
• Table C-7. Communication and Network Configuration Vulnerabilities and Predisposing Conditions.
Table C-3. Architecture and Design Vulnerabilities and Predisposing Conditions

Vulnerability: Inadequate incorporation of security into architecture and design
Description: Security must be incorporated into the ICS architecture and design from the outset, starting with the budget and schedule of the ICS. The security architecture is part of the Enterprise Architecture. The architectures must address the identification and authorization of users, access control mechanisms, network topologies, and system configuration and integrity mechanisms.

Vulnerability: Insecure architecture allowed to evolve
Description: The network infrastructure environment within the ICS has often been developed and modified based on business and operational requirements, with little consideration for the potential security impacts of the changes. Over time, security gaps may have been inadvertently introduced within particular portions of the infrastructure. Without remediation, these gaps may represent backdoors into the ICS.

Vulnerability: No security perimeter defined
Description: If the ICS does not have a clearly defined security perimeter, then it is not possible to ensure that the necessary security controls are deployed and configured properly. This can lead to unauthorized access to systems and data, as well as other problems.

Vulnerability: Control networks used for non-control traffic
Description: Control and non-control traffic have different requirements, such as determinism and reliability, so having both types of traffic on a single network makes it more difficult to configure the network so that it meets the requirements of the control traffic. For example, non-control traffic could inadvertently consume resources that control traffic needs, causing disruptions in ICS functions.

Vulnerability: Control network services not within the control network
Description: Where IT services such as Domain Name System (DNS) and Dynamic Host Configuration Protocol (DHCP) are used by control networks, they are often implemented in the IT network, causing the ICS network to become dependent on an IT network that may not meet the reliability and availability requirements of the ICS.

Vulnerability: Inadequate collection of event data history
Description: Forensic analysis depends on collection and retention of sufficient data. Without proper and accurate data collection, it might be impossible to determine what caused a security incident to occur. Incidents might go unnoticed, leading to additional damage and/or disruption. Regular security monitoring is also needed to identify problems with security controls, such as misconfigurations and failures.
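The last row of Table C-3, together with the incident detection and response row of Table C-2, calls for retaining event data and continually monitoring it for anomalies. As an added example that is not part of NIST SP 800-82, the following script runs three detection rules over a handful of constructed ICS event records: a control-logic change from a host that is not an approved engineering workstation, a session from outside the defined control-network perimeter, and a burst of authentication failures for one account. The record format, host names, addresses, thresholds and the allowlist are assumptions for illustration; a real deployment would read the same kind of records from whichever collector the organization retains them in.

```python
"""Security monitoring over retained ICS event records.

Added example (not from NIST SP 800-82). The record format, hosts,
addresses, allowlist and thresholds below are constructed for
illustration and are not taken from any product or standard.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed record format: "<ISO-8601 UTC> <device> <event> key=value ..."
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)(.*)$")

# Hypothetical policy inputs: the defined security perimeter of the
# control network and the only hosts permitted to change PLC logic.
CONTROL_NET = ipaddress.ip_network("10.20.0.0/16")
ENGINEERING_WORKSTATIONS = {"10.20.5.10", "10.20.5.11"}
CHANGE_EVENTS = {"logic_download", "mode_change"}
AUTH_FAIL_THRESHOLD = 3
AUTH_FAIL_WINDOW = timedelta(seconds=60)


def parse_line(line: str) -> dict:
    """Parse one record into a dict; raises ValueError on malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable record: {line!r}")
    ts, device, event, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields.update(ts=datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                  device=device, event=event)
    return fields


def analyze(lines: list) -> list:
    """Return (timestamp, rule, detail) alerts produced by the three rules."""
    alerts = []
    failures = defaultdict(list)  # user -> timestamps of recent auth_fail
    for rec in (parse_line(line) for line in lines if line.strip()):
        src = rec.get("src")
        # Rule 1: control-logic change from a host that is not an engineering workstation.
        if rec["event"] in CHANGE_EVENTS and src not in ENGINEERING_WORKSTATIONS:
            alerts.append((rec["ts"], "unauthorized_change_source",
                           f"{rec['event']} on {rec['device']} from {src} user={rec.get('user')}"))
        # Rule 2: any session on a control device from outside the defined perimeter.
        if src and ipaddress.ip_address(src) not in CONTROL_NET:
            alerts.append((rec["ts"], "outside_perimeter",
                           f"{rec['event']} on {rec['device']} from {src}"))
        # Rule 3: repeated authentication failures for one account inside the window;
        # alert once, when the count first reaches the threshold.
        if rec["event"] == "auth_fail":
            hist = failures[rec["user"]]
            hist.append(rec["ts"])
            hist[:] = [t for t in hist if rec["ts"] - t <= AUTH_FAIL_WINDOW]
            if len(hist) == AUTH_FAIL_THRESHOLD:
                alerts.append((rec["ts"], "auth_failure_burst",
                               f"{len(hist)} failures for user={rec['user']} on {rec['device']}"))
    return alerts


# Constructed sample records (hypothetical hosts, users and times).
SAMPLE_LOG = [
    "2024-03-04T01:59:58Z hmi-01 logon user=operator src=10.20.1.9",
    "2024-03-04T02:00:10Z plc-01 logic_download user=eng01 src=10.20.5.10",
    "2024-03-04T02:13:10Z plc-01 logic_download user=svc_vendor src=10.20.7.44",
    "2024-03-04T02:13:12Z hmi-01 auth_fail user=operator src=10.20.1.9",
    "2024-03-04T02:13:20Z hmi-01 auth_fail user=operator src=10.20.1.9",
    "2024-03-04T02:13:31Z hmi-01 auth_fail user=operator src=10.20.1.9",
    "2024-03-04T02:20:00Z plc-02 mode_change user=eng01 src=192.168.40.12",
]

if __name__ == "__main__":
    for ts, rule, detail in analyze(SAMPLE_LOG):
        print(ts.isoformat(), rule, detail)
```

None of these rules can fire on data that was never collected or was rotated away before review, which is the point Table C-3 makes: retention of accurate, time-stamped records is the precondition for both detection and later forensic analysis.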
Table C-4. Configuration and Maintenance Vulnerabilities and Predisposing Conditions

Vulnerability: Hardware, firmware, and software not under configuration management
Description: The organization does not know what it has, what versions it has, where they are, or what their patch status is, resulting in an inconsistent and ineffective defense posture. A process for controlling modifications to hardware, firmware, software, and documentation should be implemented to ensure an ICS is protected against inadequate or improper modifications before, during, and after system implementation. A lack of configuration change management procedures can lead to security oversights, exposures, and risks. To properly secure an ICS, there should be an accurate listing of the assets in the system and their current configurations. These procedures are critical to executing business continuity and disaster recovery plans.
Vulnerability: OS and vendor software patches may not be developed until significantly after security vulnerabilities are found
Description: Because of the tight coupling between ICS software and the underlying ICS, changes must undergo expensive and time-consuming comprehensive regression testing. The elapsed time for such testing and subsequent distribution of updated software provides a long window of vulnerability.

Vulnerability: OS and application security patches are not maintained or vendor declines to patch vulnerability
Description: Out-of-date OSs and applications may contain newly discovered vulnerabilities that could be exploited. Documented procedures should be developed for how security patches will be maintained. Security patch support may not even be available for ICS that use outdated OSs, so procedures should include contingency plans for mitigating vulnerabilities where patches may never be available.

Vulnerability: Inadequate testing of security changes
Description: Modifications to hardware, firmware, and software deployed without testing could compromise normal operation of the ICS. Documented procedures should be developed for testing all changes for security impact. The live operational systems should never be used for testing. The testing of system modifications may need to be coordinated with system vendors and integrators.

Vulnerability: Poor remote access controls
Description: There are many reasons why an ICS may need to be remotely accessed, including vendors and system integrators performing system maintenance functions, and also ICS engineers accessing geographically remote system components. Remote access capabilities must be adequately controlled to prevent unauthorized individuals from gaining access to the ICS.

Vulnerability: Poor configurations are used
Description: Improperly configured systems may leave unnecessary ports and protocols open; these unnecessary functions may contain vulnerabilities that increase the overall risk to the system. Using default configurations often exposes vulnerabilities and exploitable services. All settings should be examined.

Vulnerability: Critical configurations are not stored or backed up
Description: Procedures should be available for restoring ICS configuration settings in the event of accidental or adversary-initiated configuration changes, to maintain system availability and prevent loss of data. Documented procedures should be developed for maintaining ICS configuration settings.

Vulnerability: Data unprotected on portable device
Description: If sensitive data (e.g., passwords, dial-up numbers) is stored in the clear on portable devices such as laptops and mobile devices and these devices are lost or stolen, system security could be compromised. Policy, procedures, and mechanisms are required for protection.

Vulnerability: Password generation, use, and protection not in accord with policy
Description: There is a large body of experience with using passwords in IT that is applicable to ICS. Password policy and procedures must be followed to be effective. Violations of password policy and procedures can drastically increase ICS vulnerability.

Vulnerability: Inadequate access controls applied
Description: Access controls must be matched to the way the organization allocates responsibilities and privilege to its personnel. Poorly specified access controls can result in giving an ICS user too many or too few privileges. The following exemplify each case:
• A system configured with default access control settings gives an operator administrative privileges.
• A system improperly configured results in an operator being unable to take corrective actions in an emergency situation.

Vulnerability: Improper data linking
Description: ICS data storage systems may be linked with non-ICS data sources. An example of this is database links, which allow data from one database to be automatically replicated to others. Data linkage may create a vulnerability if it is not properly configured and may allow unauthorized data access or manipulation.

Vulnerability: Malware protection not installed or up to date
Description: Installation of malicious software, or malware, is a common attack. Malware protection software, such as antivirus software, must be kept current in a very dynamic environment. Outdated malware protection software and definitions leave the system open to new malware threats.
Vulnerability: Malware protection implemented without sufficient testing
Description: Malware protection software deployed without sufficient testing could impact normal operation of the ICS and block the system from performing necessary control actions.

Vulnerability: Denial of service (DoS)
Description: ICS software could be vulnerable to DoS attacks, resulting in the prevention of authorized access to a system resource or delaying system operations and functions.

Vulnerability: Intrusion detection/prevention software not installed
Description: Incidents can result in loss of system availability and integrity; the capture, modification, and deletion of data; and incorrect execution of control commands. IDS/IPS software may stop or prevent various types of attacks, including DoS attacks, and also identify attacked internal hosts, such as those infected with worms. IDS/IPS software must be tested prior to deployment to determine that it does not compromise normal operation of the ICS.

Vulnerability: Logs not maintained
Description: Without proper and accurate logs, it might be impossible to determine what caused a security event to occur.
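Several rows of Table C-4 (assets not under configuration management, poor or default configurations, and critical configurations not stored or backed up) come down to the same practice: record an approved baseline per asset and compare each fresh observation against it. The following is an added example, not code from NIST SP 800-82 or from any vendor tool, of that comparison. The asset records, their settings and the "observed" state are constructed inline and are assumptions for illustration; how the observation is collected from real devices is outside the example.

```python
"""Configuration baseline and drift detection for ICS assets.

Added example (not from NIST SP 800-82). The inventory and the observed
state are constructed inline; in practice they would come from the
organization's asset inventory and from a device walk, which this
example does not perform.
"""
import hashlib
import json


def config_digest(config: dict) -> str:
    """Stable SHA-256 over a device configuration: any changed setting
    changes the digest, while key ordering does not."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def make_baseline(assets: list) -> dict:
    """Record what the organization knows it has: identity, firmware
    version, approved listening ports and a digest of the approved
    configuration. This is the artifact to store and back up."""
    return {
        a["id"]: {
            "firmware": a["firmware"],
            "ports": sorted(a["ports"]),
            "config_sha256": config_digest(a["config"]),
        }
        for a in assets
    }


def detect_drift(baseline: dict, observed: list) -> list:
    """Compare a fresh observation against the baseline.

    Reports (asset, kind, detail) for: assets not in the inventory,
    inventoried assets that have disappeared, firmware version changes,
    ports open that were not approved, and configuration changes.
    """
    findings = []
    seen = set()
    for dev in observed:
        dev_id = dev["id"]
        seen.add(dev_id)
        base = baseline.get(dev_id)
        if base is None:
            findings.append((dev_id, "unknown_asset", "not in baseline inventory"))
            continue
        if dev["firmware"] != base["firmware"]:
            findings.append((dev_id, "firmware_drift",
                             f"{base['firmware']} -> {dev['firmware']}"))
        extra_ports = sorted(set(dev["ports"]) - set(base["ports"]))
        if extra_ports:
            findings.append((dev_id, "unexpected_ports", str(extra_ports)))
        if config_digest(dev["config"]) != base["config_sha256"]:
            findings.append((dev_id, "config_changed",
                             "digest mismatch; restore from backup and investigate"))
    for dev_id in sorted(set(baseline) - seen):
        findings.append((dev_id, "missing_asset", "in baseline but not observed"))
    return findings


# Constructed sample inventory (hypothetical devices and settings).
APPROVED_ASSETS = [
    {"id": "plc-01", "firmware": "2.41", "ports": [502],
     "config": {"mode": "RUN", "write_protect": True, "ntp": "10.10.0.5"}},
    {"id": "hmi-01", "firmware": "7.3.1", "ports": [443],
     "config": {"autologon": False, "session_timeout_min": 15}},
]

# Constructed observation: one setting silently flipped on the PLC,
# a telnet service opened on the HMI, and a device nobody inventoried.
OBSERVED_NOW = [
    {"id": "plc-01", "firmware": "2.41", "ports": [502],
     "config": {"mode": "RUN", "write_protect": False, "ntp": "10.10.0.5"}},
    {"id": "hmi-01", "firmware": "7.3.1", "ports": [443, 23],
     "config": {"autologon": False, "session_timeout_min": 15}},
    {"id": "rtu-09", "firmware": "1.0", "ports": [20000], "config": {}},
]

BASELINE = make_baseline(APPROVED_ASSETS)

if __name__ == "__main__":
    for finding in detect_drift(BASELINE, OBSERVED_NOW):
        print(*finding)
```

The baseline stores a digest rather than the configuration itself so that the comparison can run from a read-only copy; the full approved configuration still has to be kept (and backed up) separately, since the digest only tells you that something changed, not how to restore it.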
Table C-5. Physical Vulnerabilities and Predisposing Conditions

Vulnerability: Unauthorized personnel have physical access to equipment
Description: Physical access to ICS equipment should be restricted to only the necessary personnel, taking into account safety requirements, such as emergency shutdown or restarts. Improper access to ICS equipment can lead to any of the following:
• Physical theft of data and hardware
• Physical damage or destruction of data and hardware
• Unauthorized changes to the functional environment (e.g., data connections, unauthorized use of removable media, adding/removing resources)
• Disconnection of physical data links
• Undetectable interception of data (keystroke and other input logging)

Vulnerability: Radio frequency, electromagnetic pulse (EMP), static discharge, brownouts and voltage spikes
Description: The hardware used for control systems is vulnerable to radio frequency and electromagnetic pulses (EMP), static discharge, brownouts and voltage spikes. The impact can range from temporary disruption of command and control to permanent damage to circuit boards. Proper shielding, grounding, power conditioning, and/or surge suppression is recommended.

Vulnerability: Lack of backup power
Description: Without backup power to critical assets, a general loss of power will shut down the ICS and could create an unsafe situation. Loss of power could also lead to insecure default settings.

Vulnerability: Loss of environmental control
Description: Loss of environmental control (e.g., temperature, humidity) could lead to equipment damage, such as processors overheating. Some processors will shut down to protect themselves; some may continue to operate but in a minimal capacity and may produce intermittent errors, continually reboot, or become permanently incapacitated.

Vulnerability: Unsecured physical ports
Description: Unsecured universal serial bus (USB) and PS/2 ports could allow unauthorized connection of thumb drives, keystroke loggers, etc.
SP800-82 Revision 2 Guide to Industrial Control Systems (ICS) Security
270
Vulnerability: Description
Malware protection software implemented without adequate testing: Deploying malware protection software without sufficient testing can affect normal ICS operation and block the system from performing necessary control actions.
Denial of service (DoS): ICS software may be vulnerable to DoS attacks, which prevent authorized access to system resources or delay system operations and functions.
Intrusion detection/prevention software not installed: Incidents can result in loss of system availability and integrity; capture, modification and deletion of data; and improper execution of control commands. IDS/IPS software can stop or block various attacks, including DoS attacks, and can also identify attacked internal hosts, such as those infected with worms. IDS/IPS software must be tested prior to deployment to determine that it does not adversely affect normal ICS operation.
Logs not maintained: Without proper and accurate logs, the cause of a security event cannot be determined.
Table C-5. Physical Vulnerabilities and Predisposing Conditions
Vulnerability: Description
Unauthorized personnel have physical access to equipment: Physical access to ICS equipment should be restricted to only the necessary personnel, taking into account safety requirements such as emergency shutdown or restart. Allowing careless access to ICS equipment could lead to any of the following:
• Theft of data and hardware
• Damage or destruction of data and hardware
• Unauthorized changes to the functional environment (data connections, unauthorized use of removable media, adding or removing resources)
• Physical disconnection of data links
• Undetectable interception of data (keystroke and other input logging)
Radio frequency, electromagnetic pulse (EMP), static discharge, brownouts and voltage noise: Hardware used for control systems is vulnerable to radio frequency, electromagnetic pulse (EMP), static discharge, brownouts and voltage noise. The impact ranges from temporary interruption of commands to permanent damage to circuit boards. Proper shielding, grounding, power conditioning or surge suppression is recommended.
Lack of backup power: Without backup power to the circuits, a loss of power can shut down the ICS and create an unsafe situation. It can also revert the system to insecure default settings.
Loss of environmental control: Loss of environmental control (temperature, humidity, etc.) leads to equipment damage such as processor overheating. Some processors shut down to protect themselves; others continue to run but in a minimal capacity, produce intermittent errors, reboot repeatedly, or fail permanently.
Unsecured physical ports: Unsecured USB and PS/2 ports allow the unauthorized connection of thumb drives, keystroke loggers, and the like.
SPECIAL PUBLICATION 800-82 REVISION 2 GUIDE TO INDUSTRIAL CONTROL SYSTEMS (ICS) SECURITY
271
Table C-6. Software Development Vulnerabilities and Predisposing Conditions
Vulnerability: Description
Improper Data Validation: ICS software may not properly validate user inputs or received data to ensure validity. Invalid data may result in numerous vulnerabilities including buffer overflows, command injections, cross-site scripting, and path traversals.
Installed security capabilities not enabled by default: Security capabilities that were installed with the product are useless if they are not enabled or at least identified as being disabled.
Inadequate authentication, privileges, and access control in software: Unauthorized access to configuration and programming software could provide the ability to corrupt a device.
Table C-7. Communication and Network Configuration Vulnerabilities and Predisposing Conditions
Vulnerability: Description
Data flow controls not employed: Data flow controls, based on data characteristics, are needed to restrict which information is permitted between systems. These controls can prevent exfiltration of information and illegal operations.
Firewalls nonexistent or improperly configured: A lack of properly configured firewalls could permit unnecessary data to pass between networks, such as control and corporate networks, allowing attacks and malware to spread between networks, making sensitive data susceptible to monitoring/eavesdropping, and providing individuals with unauthorized access to systems.
Inadequate firewall and router logs: Without proper and accurate logs, it might be impossible to determine what caused a security incident to occur.
Standard, well-documented communication protocols are used in plain text: Adversaries that can monitor the ICS network activity can use a protocol analyzer or other utilities to decode the data transferred by protocols such as telnet, File Transfer Protocol (FTP), Hypertext Transfer Protocol (HTTP), and Network File System (NFS). The use of such protocols also makes it easier for adversaries to perform attacks against the ICS and manipulate ICS network activity.
Authentication of users, data or devices is substandard or nonexistent: Many ICS protocols have no authentication at any level. Without authentication, there is the potential to replay, modify, or spoof data or to spoof devices such as sensors and user identities.
Use of unsecure industry-wide ICS protocols: ICS protocols often have few or no security capabilities, such as authentication and encryption, to protect data from unauthorized access or tampering. Additionally, incorrect implementation of the protocols can lead to additional vulnerabilities.
Lack of integrity checking for communications: There are no integrity checks built into most industrial control protocols; adversaries could manipulate communications undetected. To ensure integrity, the ICS can use lower-layer protocols (e.g., IPsec) that offer data integrity protection.
Inadequate authentication between wireless clients and access points: Strong mutual authentication between wireless clients and access points is needed to ensure that clients do not connect to a rogue access point deployed by an adversary, and also to ensure that adversaries do not connect to any of the ICS’s wireless networks.
Inadequate data protection between wireless clients and access points: Sensitive data between wireless clients and access points should be protected using strong encryption to ensure that adversaries cannot gain unauthorized access to the unencrypted data.
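The plain-text, missing-authentication and missing-integrity rows above all come down to one gap: the receiver cannot tell a genuine frame from a modified or replayed one. The following added example (not from NIST SP 800-82 or any real ICS protocol; the frame layout, key and values are constructed) models a minimal register-write frame and shows that a receiver with no integrity check accepts a rewritten field, while a keyed MAC with a monotonic sequence counter, an application-layer stand-in for the lower-layer protection the table attributes to IPsec, rejects both the modified and the replayed message.

```python
import hashlib
import hmac
import struct

# Constructed example key. In a deployment the key comes from key management
# and is never embedded in code.
KEY = b"example-shared-key-not-for-production"
TAG_LEN = 32  # HMAC-SHA256 digest length


def parse_unprotected(frame: bytes) -> dict:
    """Model of a plain-text control frame with no integrity check:
    4-byte big-endian register address followed by a 2-byte value.
    Nothing in the frame lets the receiver notice a rewritten field."""
    addr, value = struct.unpack(">IH", frame[:6])
    return {"address": addr, "value": value}


def build_protected(seq: int, frame: bytes, key: bytes = KEY) -> bytes:
    """Wrap a frame as seq (8 bytes) || frame || HMAC-SHA256(seq || frame)."""
    header = struct.pack(">Q", seq)
    tag = hmac.new(key, header + frame, hashlib.sha256).digest()
    return header + frame + tag


class Receiver:
    """Receiver enforcing integrity (keyed MAC) and freshness (monotonic seq).
    A strictly increasing counter is the simplest freshness rule; links that
    reorder messages would need a window instead."""

    def __init__(self, key: bytes = KEY):
        self.key = key
        self.last_seq = -1

    def accept(self, msg: bytes) -> tuple:
        """Return (accepted, reason, frame); frame is None when rejected."""
        if len(msg) < 8 + TAG_LEN:
            return (False, "truncated", None)
        header, body, tag = msg[:8], msg[8:-TAG_LEN], msg[-TAG_LEN:]
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()
        # Constant-time comparison so the tag is not leaked through timing
        if not hmac.compare_digest(tag, expected):
            return (False, "bad-tag", None)
        seq = struct.unpack(">Q", header)[0]
        if seq <= self.last_seq:
            return (False, "replay", None)
        self.last_seq = seq
        return (True, "ok", body)


def demo() -> dict:
    """The three cases the table rows describe: an in-transit modification of
    an unprotected frame is accepted as-is; the same modification inside a
    protected message fails the tag check; a captured valid message sent a
    second time is rejected as a replay."""
    original = struct.pack(">IH", 0x1000, 250)      # write 250 to register 0x1000
    modified = original[:4] + struct.pack(">H", 9999)  # constructed tampering: 250 -> 9999

    # Case 1: plain-text protocol, the receiver has nothing to check
    unprotected_value = parse_unprotected(modified)["value"]

    rx = Receiver()
    good = build_protected(1, original)
    protected_ok = rx.accept(good)[0]

    # Case 2: same field rewritten inside the protected message, tag unchanged
    tampered = good[:8] + modified + good[-TAG_LEN:]
    protected_tampered = rx.accept(tampered)[1]

    # Case 3: the earlier valid message is delivered again
    protected_replay = rx.accept(good)[1]

    return {
        "unprotected_accepted_value": unprotected_value,
        "protected_ok": protected_ok,
        "protected_tampered": protected_tampered,
        "protected_replay": protected_replay,
    }


if __name__ == "__main__":
    print(demo())
```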
Table C-6. Software Development Vulnerabilities and Predisposing Conditions
Vulnerability: Description
Inadequate data validation: ICS software may not properly validate user input or received data. Invalid data can lead to a variety of vulnerabilities such as buffer overflows, command injection, cross-site scripting and path traversal.
Installed security capabilities not enabled by default: Security capabilities installed with the product have no effect unless they are enabled, or at the very least identified as being disabled.
Inadequate authentication, privileges and access control in software: Unauthorized access to configuration and programming software can allow a device to be corrupted.
Table C-7. Communication and Network Configuration Vulnerabilities and Predisposing Conditions
Vulnerability: Description
Data flow not controlled: Data flow controls based on data characteristics govern the exchange of information between systems and must be applied to restrict it. Such controls can prevent the exfiltration of information and illegal operations.
Firewalls nonexistent or improperly configured: When firewalls are not configured correctly, unnecessary data passes between networks such as the control network and the corporate network, attacks and malware spread between networks, sensitive data is exposed to monitoring and eavesdropping, and unauthorized access to systems is permitted.
Inadequate firewall and router logs: Without proper and accurate logs, the cause of a security incident cannot be determined.
Standard, documented communication protocols used in plain text: An adversary monitoring ICS network activity can use a protocol analyzer or other utilities to decode the data carried by protocols such as telnet, FTP, HTTP and NFS. The use of such protocols also makes it easier for adversaries to attack the ICS and manipulate ICS network activity.
Authentication of users, data or devices nonexistent or substandard: Many ICS protocols have no authentication at any level. Without authentication, data can be replayed, modified or spoofed, and devices such as sensors and user IDs can be spoofed.
Use of insecure ICS protocols that are widely used in the industry: Many ICS protocols have few or no security capabilities, such as authentication and encryption, to prevent unauthorized access or tampering. Defects in protocol implementations also introduce additional vulnerabilities.
Lack of integrity checking for communications: Most industrial control protocols have no integrity checking, so an adversary can manipulate communications without being detected. Integrity can be ensured by using a lower-layer protocol that provides data integrity protection (e.g., IPsec).
Inadequate authentication between wireless clients and access points: Strong mutual authentication between wireless clients and access points is needed so that clients do not connect to a rogue access point deployed by an adversary and adversaries cannot connect to the ICS wireless network.
Inadequate data protection between wireless clients and access points: Sensitive data between wireless clients and access points should be protected with strong encryption so that adversaries cannot gain unauthorized access to the unencrypted data.
Incidents
A threat event is an event or situation that could potentially cause an undesirable consequence or impact to the ICS, resulting from some threat source. Appendix E of NIST SP 800-30 Rev. 1 identifies a broad set of threat events that could potentially impact information systems [79]. The properties of an ICS may also present unique threat events, specifically in how a threat event can manipulate the ICS process to cause physical damage. Table C-8 provides an overview of potential ICS threat events.
Table C-8. Example Adversarial Incidents
Threat Event: Description
Denial of Control Action: Control systems operation disrupted by delaying or blocking the flow of information, thereby denying availability of the networks to control system operators or causing information transfer bottlenecks or denial of service by IT-resident services (such as DNS)
Control Devices Reprogrammed: Unauthorized changes made to programmed instructions in PLCs, RTUs, DCS, or SCADA controllers, alarm thresholds changed, or unauthorized commands issued to control equipment, which could potentially result in damage to equipment (if tolerances are exceeded), premature shutdown of processes (such as prematurely shutting down transmission lines), causing an environmental incident, or even disabling control equipment
Spoofed System Status Information: False information sent to control system operators either to disguise unauthorized changes or to initiate inappropriate actions by system operators
Control Logic Manipulation: Control system software or configuration settings modified, producing unpredictable results
Safety Systems Modified: Safety system operation is manipulated such that it either (1) does not operate when needed or (2) performs incorrect control actions that damage the ICS
Malware on Control Systems: Malicious software (e.g., virus, worm, Trojan horse) introduced into the system.
In addition, in control systems that cover a wide geographic area, the remote sites are often not staffed and
may not be physically monitored. If such remote systems are physically breached, the adversaries could
establish a connection back to the control network.
Sources of Incidents
An accurate accounting of cyber incidents on control systems is difficult to determine. However,
individuals in the industry who have been focusing on this issue see similar growth trends between
vulnerabilities exposed in traditional IT systems and those being found in control systems. ICS-CERT is a
DHS organization that focuses on reducing the risk across critical infrastructure by identifying threats and
vulnerabilities, while also providing mitigation strategies. ICS-CERT provides a trusted party where system
owners and operators can report information about incidents within their ICS and obtain advice on
mitigating their risk. Information submitted by infrastructure owners and operators is protected under the
Critical Infrastructure Information Act of 2002 as Protected Critical Infrastructure Information (PCII) from
disclosure under the Freedom of Information Act (FOIA), disclosure under state, tribal, and local disclosure
laws, use in regulatory actions, and use in civil litigation. In the event of an incident at critical infrastructure
facilities, ICS-CERT can also perform onsite deployments to respond to and analyze incidents. ICS-CERT
publishes advisories of new security vulnerabilities discovered in common ICS platforms. Figure C-1
shows (1) the number of ICS incidents reported, (2) the number of onsite ICS deployments taken by
ICS-CERT, and (3) the number of ICS vulnerabilities reported between 2010 and 2013 (footnote 47).
47 https://ics-cert.us-cert.gov/
Incidents
A threat event is an event or situation, arising from some threat source, that could have an undesirable consequence or impact on the ICS. Appendix E of NIST SP 800-30 Rev. 1 identifies a broad range of threat events that could affect information systems [79]. The characteristics of an ICS can also give rise to unique threat events, specifically in how a threat event manipulates the ICS process to cause physical damage. Table C-8 gives an overview of ICS threat events.
Table C-8. Example Adversarial Incidents
Threat Event: Description
Denial of control action: When control system operation is disrupted by delaying or blocking the flow of information, control system operators lose the use of the network, information transfer becomes a bottleneck, or service by IT-resident services (such as DNS) is denied.
Control devices reprogrammed: Unauthorized changes to the programmed instructions of PLCs, RTUs, DCS or SCADA controllers, changed alarm thresholds, or unauthorized commands issued to control equipment can damage equipment (if tolerances are exceeded), shut down processes prematurely (such as transmission lines), cause an environmental incident, or even disable control equipment.
Spoofed system status information: False information is sent to control system operators to conceal unauthorized changes or to cause system operators to initiate inappropriate actions.
Control logic manipulation: Control system software or configuration settings are modified, producing unpredictable results.
Safety systems modified: Safety system operation is manipulated so that it either (1) does not operate when needed or (2) performs incorrect control actions that damage the ICS.
Malware on control systems: Malicious software (virus, worm, Trojan horse, etc.) has entered the system.
In control systems that cover a wide area, the remote sites are often unstaffed and cannot be physically monitored. If such a remote system is physically breached, an adversary can establish a connection back to the control network.
Sources of Incidents
Accurately determining the causes of cyber incidents on control systems is difficult. Nevertheless, those in the industry who have worked on this problem note a common trend between the vulnerabilities exposed in traditional IT systems and those coming to light in control systems. ICS-CERT is a DHS organization that identifies threats and vulnerabilities to reduce risk to critical infrastructure and provides mitigation strategies. ICS-CERT offers a trusted party to which system owners and operators can report information on incidents in their ICS and from which they can obtain advice on risk mitigation. Information submitted by infrastructure owners and operators is protected under the Critical Infrastructure Information Act of 2002 as Protected Critical Infrastructure Information (PCII) against disclosure under the Freedom of Information Act (FOIA), disclosure under state, tribal and local disclosure laws, use in regulatory actions, and use in civil litigation. In the event of an incident at a critical infrastructure facility, ICS-CERT also deploys on site to respond to and analyze the incident. ICS-CERT publishes advisories on new security vulnerabilities found in common ICS platforms. Figure C-1 shows (1) the number of ICS incidents reported, (2) the number of on-site ICS deployments by ICS-CERT, and (3) the number of ICS vulnerabilities reported between 2010 and 2013 (footnote 48).
48 https://ics-cert.us-cert.gov/
Other sources of control system impact information show an increase in control system incidents as well.
This information should not be assumed to contain all ICS related incidents or discovered vulnerabilities as
some information may go unreported.
Figure C-1. ICS-CERT Reported Incidents by Year
Documented Incidents
Numerous ICS incidents have been reported that demonstrate how threat sources can negatively impact an
ICS. These events help demonstrate the severity of the threat sources, vulnerabilities, and impacts within
the ICS domain. As mentioned in Section C.2, the four broad categories of threat sources are adversarial,
accidental, structural, and environmental. Often the incident can be the result of multiple threat sources (e.g.
an environmental event causes a system failure, which is responded to incorrectly by an operator resulting
in an accidental event). Reported incidents from these categories include the following:
Adversarial Events
• Worcester Air Traffic Communications (footnote 49). In March 1997, a teenager in Worcester, Massachusetts
disabled part of the public switched telephone network using a dial-up modem connected to the
system. This knocked out phone service at the control tower, airport security, the airport fire
department, the weather service, and carriers that use the airport. Also, the tower’s main radio
transmitter and another transmitter that activates runway lights were shut down, as well as a printer
that controllers use to monitor flight progress. The attack also knocked out phone service to 600
homes and businesses in the nearby town of Rutland.
49 Additional information on the Worcester Air Traffic Communications incident can be found at:
http://www.cnn.com/TECH/computing/9803/18/juvenile.hacker/index.html
Other sources of information on control system impacts also show an increase in control system incidents. Because some information goes unreported, this information should not be taken to cover all ICS-related incidents or discovered vulnerabilities.
Figure C-1. ICS-CERT Reported Incidents by Year
Documented Incidents
Numerous ICS incidents have been reported that demonstrate how threat sources can adversely affect an ICS. These events help demonstrate the severity of threat sources, vulnerabilities and impacts within the ICS domain. As mentioned in Section C.2, threat sources fall into four broad categories: adversarial, accidental, structural and environmental. Incidents often arise from multiple threat sources (an environmental event causes a system failure, and a poor operator response to it becomes an accidental event). Reported incidents in these categories include the following.
Adversarial Events
• Worcester Air Traffic Communications (footnote 50). In March 1997, a teenager in Worcester, Massachusetts connected to the system with a dial-up modem and disabled part of the public switched telephone network. This knocked out phone service to the control tower, airport security, the airport fire department, the weather service and the airlines using the airport. The tower's main radio transmitter and the transmitter that activates the runway lights were also shut down, and the printer that controllers use to monitor flight progress became unusable. The attack also knocked out phone service to 600 homes and businesses in the nearby town of Rutland.
50 Details of the Worcester Air Traffic Communications incident are available at:
http://www.cnn.com/TECH/computing/9803/18/juvenile.hacker/index.html
[Figure C-1 legend: ICS incidents reported; ICS incident response on-site deployments; ICS-related vulnerability reports]
• Maroochy Shire Sewage Spill (footnote 51). In the spring of 2000, a former employee of an Australian
organization that develops manufacturing software applied for a job with the local government, but
was rejected. Over a two-month period, the disgruntled rejected employee reportedly used a radio
transmitter on as many as 46 occasions to remotely break into the controls of a sewage treatment
system. He altered electronic data for particular sewerage pumping stations and caused malfunctions
in their operations, ultimately releasing about 264 000 gallons of raw sewage into nearby rivers and
parks.
• Davis-Besse (footnote 52). In August 2003, the Nuclear Regulatory Commission confirmed that in January 2003,
the Microsoft SQL Server worm known as Slammer infected a private computer network at the idled
Davis-Besse nuclear power plant in Oak Harbor, Ohio, disabling a safety monitoring system for nearly
five hours. In addition, the plant’s process computer failed, and it took about six hours for it to become
available again. Slammer reportedly also affected communications on the control networks of at least
five other utilities by propagating so quickly that control system traffic was blocked.
• Zotob Worm (footnote 53). In August 2005, a round of Internet worm infections knocked 13 of
DaimlerChrysler’s U.S. automobile manufacturing plants offline for almost an hour, stranding workers
as infected Microsoft Windows systems were patched. Plants in Illinois, Indiana, Wisconsin, Ohio,
Delaware, and Michigan were knocked offline. While the worm affected primarily Windows 2000
systems, it also affected some early versions of Windows XP. Symptoms include the repeated
shutdown and rebooting of a computer. Zotob and its variations caused computer outages at heavy-
equipment maker Caterpillar Inc., aircraft-maker Boeing, and several large U.S. news organizations.
• Stuxnet Worm (footnote 54). Stuxnet was a Microsoft Windows computer worm discovered in July 2010 that
specifically targeted industrial software and equipment. The worm initially spread indiscriminately,
but included a highly specialized malware payload that was designed to target only specific SCADA
systems that were configured to control and monitor specific industrial processes.
• Brute Force Attacks on Internet-Facing Control Systems (footnote 55). On February 22, 2013 ICS-CERT
received a report from a gas compressor station owner about an increase in brute force attempts to
access their process control network. The forensic evidence contained 10 separate IPs and additional
calls of a similar nature from additional natural gas pipeline asset owners, which yielded 39 additional
IPs of concern. Log analysis showed a date range from January 16, 2013 but there have been no
reports since March 8, 2013.
• Shamoon (footnote 56). Saudi Aramco, which is the world’s 8th largest oil refiner, experienced a malware attack
that targeted their refineries and overwrote the attacked system’s Master Boot Records (MBR),
partition tables and other random data files. This caused the systems to become unusable.
51 Additional information on the Maroochy Shire Sewage Spill incident can be found at:
http://csrc.nist.gov/groups/SMA/fisma/ics/documents/Maroochy-Water-Services-Case-Study_report.pdf and
http://www.theregister.co.uk/2001/10/31/hacker_jailed_for_revenge_sewage/ [each accessed 4/16/15].
52 Additional information on the Davis-Besse incident can be found at:
http://www.securityfocus.com/news/6767 [accessed 4/16/15].
53 Additional information on the Zotob Worm incident can be found at: http://www.eweek.com/c/a/Security/Zotob-
PnP-Worms-Slam-13-DaimlerChrysler-Plants [accessed 4/16/15].
54 Additional information on the Stuxnet worm can be found at: http://en.wikipedia.org/wiki/Stuxnet [accessed
4/16/15].
55 Additional information on ICS-CERT reported incidents can be found at:
https://ics-cert.us-cert.gov/Information-Products [accessed 4/16/15].
56 Additional information on Shamoon can be found at:
http://ics-cert.us-cert.gov/sites/default/files/Monitors/ICS-CERT_Monitor_Sep2012.pdf [accessed 4/16/15].
• Maroochy Shire Sewage Spill (footnote 57). In the spring of 2000, a former employee of an Australian software development company applied for a job with the local government but was rejected. Over a two-month period the disgruntled applicant broke into the sewage treatment system 46 times using a radio transmitter. He altered the electronic data of certain sewage pumping stations, caused operational failures, and ultimately released some 264,000 gallons of sewage into nearby rivers and parks.
• Davis-Besse (footnote 58). In August 2003 the Nuclear Regulatory Commission confirmed that in January of that year the Microsoft SQL Server worm known as Slammer had infected the private computer network at the idled Davis-Besse nuclear power plant in Oak Harbor, Ohio, leaving the safety monitoring system unavailable for about five hours. The plant's process computer also failed, and it took about six hours to restore. Slammer reportedly also affected communications on the control networks of at least five other utilities, propagating so fast that control system traffic was blocked.
• Zotob Worm (footnote 59). In August 2005, 13 DaimlerChrysler automobile manufacturing plants in the United States infected by an Internet worm went offline for about an hour, and workers were stranded while the Windows systems were patched. Plants in Illinois, Indiana, Wisconsin, Ohio, Delaware and Michigan went offline. The infections were mainly of Windows 2000, but early versions of Windows XP were also infected. The symptom of infection was repeated shutdown and rebooting. Zotob and its variants also hit computers at the heavy-equipment maker Caterpillar Inc., the aircraft maker Boeing, and other large news organizations.
• Stuxnet Worm (footnote 60). Stuxnet was a Windows computer worm discovered in July 2010 whose main targets were industrial software and equipment. Initially the worm spread indiscriminately, but it carried a specialized malware payload that targeted only SCADA systems configured to control and monitor specific industrial processes.
• Brute Force Attacks on Internet-Facing Control Systems (footnote 61). On February 22, 2013, ICS-CERT received a report from the owner of a gas compressor station of an increase in brute force attempts to gain access to its process control network. Investigation found 10 separate IPs, and similar reports from other natural gas pipeline owners yielded a total of 39 additional IPs of concern. Log analysis showed the activity began on January 16, 2013, but there have been no reports since March 8 of that year.
• Shamoon (footnote 62). Saudi Aramco, the world's 8th largest oil refiner, suffered a malware attack targeting its refineries in which the systems' Master Boot Records (MBR), partition tables and other random data files were overwritten. The systems became unusable.
57 Details of the Maroochy Shire sewage spill incident are available at:
http://csrc.nist.gov/groups/SMA/fisma/ics/documents/Maroochy-Water-Services-Case-Study_report.pdf
and http://www.theregister.co.uk/2001/10/31/hacker_jailed_for_revenge_sewage/ [each accessed 4/16/15].
58 Details of the Davis-Besse incident are available at: http://www.securityfocus.com/news/6767 [accessed 4/16/15].
59 Details of the Zotob worm incident are available at: http://www.eweek.com/c/a/Security/Zotob-PnP-Worms-Slam-13-DaimlerChrysler-Plants [accessed 4/16/15].
60 Details of the Stuxnet worm incident are available at: http://en.wikipedia.org/wiki/Stuxnet [accessed 4/16/15].
61 Details of ICS-CERT reported incidents are available at: https://ics-cert.us-cert.gov/Information-Products [accessed 4/16/15].
62 Details of Shamoon are available at: http://ics-cert.us-cert.gov/sites/default/files/Monitors/ICS-CERT_Monitor_Sep2012.pdf [accessed 4/16/15].
• German Steel Mill Attack (footnote 63). In 2014, hackers manipulated and disrupted control systems to such a
degree that a blast furnace could not be properly shut down, resulting in "massive" (though
unspecified) damage.
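For the brute force incident above, the first signal the station owner had was its own authentication logs, the same point the firewall and router logging rows make earlier. The following added example (not from the page, ICS-CERT or any product; the log lines and the RFC 5737 documentation addresses are constructed) runs a simple detection over syslog-style authentication lines: it groups failed logins by source address, flags sources that exceed a threshold inside a sliding time window, notes whether a flagged source later logged in successfully, and reports the date range of the flagged activity.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog-style authentication lines (UTC). Source addresses are
# from the RFC 5737 documentation ranges; none of these is a real indicator.
# The kernel line is there to show that unrelated records are skipped.
SAMPLE_LOG = """\
2013-01-16T02:13:44Z gw sshd[1201]: Failed password for operator from 203.0.113.7 port 51234 ssh2
2013-01-16T02:13:47Z gw sshd[1201]: Failed password for operator from 203.0.113.7 port 51235 ssh2
2013-01-16T02:13:51Z gw sshd[1201]: Failed password for admin from 203.0.113.7 port 51236 ssh2
2013-01-16T02:13:55Z gw sshd[1201]: Failed password for root from 203.0.113.7 port 51237 ssh2
2013-01-16T02:14:02Z gw sshd[1201]: Failed password for root from 203.0.113.7 port 51238 ssh2
2013-01-16T02:14:09Z gw sshd[1201]: Failed password for scada from 203.0.113.7 port 51239 ssh2
2013-01-16T08:30:12Z gw sshd[1304]: Failed password for operator from 198.51.100.23 port 40001 ssh2
2013-01-16T08:30:15Z gw sshd[1304]: Failed password for operator from 198.51.100.23 port 40002 ssh2
2013-01-16T08:31:00Z gw sshd[1304]: Accepted password for operator from 198.51.100.23 port 40003 ssh2
2013-02-03T10:00:00Z gw kernel: eth1: link is up
2013-03-08T11:05:33Z gw sshd[2210]: Failed password for admin from 192.0.2.55 port 61000 ssh2
2013-03-08T11:05:35Z gw sshd[2210]: Failed password for admin from 192.0.2.55 port 61001 ssh2
2013-03-08T11:05:37Z gw sshd[2210]: Failed password for admin from 192.0.2.55 port 61002 ssh2
2013-03-08T11:05:39Z gw sshd[2210]: Failed password for admin from 192.0.2.55 port 61003 ssh2
2013-03-08T11:05:41Z gw sshd[2210]: Failed password for admin from 192.0.2.55 port 61004 ssh2
2013-03-08T11:05:43Z gw sshd[2210]: Failed password for admin from 192.0.2.55 port 61005 ssh2
2013-03-08T11:05:45Z gw sshd[2210]: Accepted password for admin from 192.0.2.55 port 61006 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_auth_events(text):
    """Turn log text into a list of dicts; lines that are not sshd auth results are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({
                "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
                "result": m["result"],
                "user": m["user"],
                "ip": m["ip"],
            })
    return events


def max_in_window(times, window):
    """Largest number of timestamps that fall inside any span of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_brute_force(text, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: summary} for sources with at least `threshold` failures inside one window."""
    per_ip = defaultdict(lambda: {"failures": [], "users": set(), "success_after_failures": False})
    for ev in parse_auth_events(text):
        rec = per_ip[ev["ip"]]
        if ev["result"] == "Failed":
            rec["failures"].append(ev["ts"])
            rec["users"].add(ev["user"])
        elif rec["failures"]:
            # A success following failures from the same source deserves priority review
            rec["success_after_failures"] = True
    flagged = {}
    for ip, rec in per_ip.items():
        burst = max_in_window(rec["failures"], window)
        if burst >= threshold:
            flagged[ip] = {
                "failures": len(rec["failures"]),
                "burst": burst,
                "first": min(rec["failures"]),
                "last": max(rec["failures"]),
                "users": sorted(rec["users"]),
                "success_after_failures": rec["success_after_failures"],
            }
    return flagged


def activity_range(flagged):
    """(first_day, last_day) as ISO strings across all flagged sources, or None."""
    if not flagged:
        return None
    first = min(r["first"] for r in flagged.values())
    last = max(r["last"] for r in flagged.values())
    return first.date().isoformat(), last.date().isoformat()


if __name__ == "__main__":
    hits = find_brute_force(SAMPLE_LOG)
    for ip, summary in hits.items():
        print(ip, summary)
    print("flagged activity range:", activity_range(hits))
```

With the default threshold the two-failure operator who then logged in normally is not flagged, while the source that succeeded after six failures is reported with success_after_failures set.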
Structural Events
• CSX Train Signaling System (footnote 64). In August 2003, the Sobig computer virus was blamed for shutting
down train signaling systems throughout the east coast of the U.S. The virus infected the computer
system at CSX Corp.’s Jacksonville, Florida headquarters, shutting down signaling, dispatching, and
other systems. According to Amtrak spokesman Dan Stessel, ten Amtrak trains were affected in the
morning. Trains between Pittsburgh and Florence, South Carolina were halted because of dark signals,
and one regional Amtrak train from Richmond, Virginia to Washington and New York was delayed for
more than two hours. Long-distance trains were also delayed between four and six hours.
• Northeast Power Blackout (footnote 65). In August 2003, failure of the alarm processor in First Energy’s
SCADA system prevented control room operators from having adequate situational awareness of
critical operational changes to the electrical grid. Additionally, effective reliability oversight was
prevented when the state estimator at the Midwest Independent System Operator failed due to
incomplete information on topology changes, preventing contingency analysis. Several key 345 kV
transmission lines in Northern Ohio tripped due to contact with trees. This eventually initiated
cascading overloads of additional 345 kV and 138 kV lines, leading to an uncontrolled cascading
failure of the grid. A total of 61 800 MW load was lost as 508 generating units at 265 power plants
tripped.
• Taum Sauk Water Storage Dam Failure (footnote 66). In December 2005, the Taum Sauk Water Storage Dam
suffered a catastrophic failure releasing a billion gallons of water. The failure of the reservoir occurred
as the reservoir was being filled to capacity or may have possibly been overtopped. The current
working theory is that the reservoir's berm was overtopped when the routine nightly pump-back
operation failed to cease when the reservoir was filled. According to the utility, the gauges at the dam
read differently than the gauges at the Osage plant at the Lake of the Ozarks, which monitors and
operates the Taum Sauk plant remotely. The stations are linked together using a network of microwave
towers, and there are no operators on-site at Taum Sauk.
• Bellingham, Washington Gasoline Pipeline Failure (footnote 67). In June 1999, 900 000 liters (237 000
gallons) of gasoline leaked from a 16 in. (40.64 cm) pipeline and ignited 1.5 hours later causing 3
deaths, 8 injuries, and extensive property damage. The pipeline failure was exacerbated by control
systems not able to perform control and monitoring functions. “Immediately prior to and during the
incident, the SCADA system exhibited poor performance that inhibited the pipeline controllers from
seeing and reacting to the development of an abnormal pipeline operation.” A key recommendation
63 Additional information on the German steel mill incident can be found at:
http://www.wired.com/2015/01/german-steel-mill-hack-destruction/ [accessed 4/16/15].
64 Additional information on the CSX Train Signaling System incident can be found at:
http://www.cbsnews.com/stories/2003/08/21/tech/main569418.shtml and
http://www.informationweek.com/story/showArticle.jhtml?articleID=13100807 [each accessed 4/16/15].
65 Additional information on the Northeast Power Blackout incident can be found at:
http://energy.gov/sites/prod/files/oeprod/DocumentsandMedia/BlackoutFinalImplementationReport%282%29.pdf
[accessed 4/16/15]. http://www.oe.energy.gov/DocumentsandMedia/BlackoutFinal-Web.pdf
66 Additional information on the Taum Sauk Water Storage Dam Failure incident can be found at:
http://www.ferc.gov/industries/hydropower/safety/projects/taum-sauk/ipoc-rpt/full-rpt.pdf [accessed 4/16/15].
67 Additional information on the Bellingham, Washington Gasoline Pipeline Failure incident can be found at
http://csrc.nist.gov/groups/SMA/fisma/ics/documents/Bellingham_Case_Study_report%2020Sep071.pdf and
http://www.ntsb.gov/investigations/AccidentReports/Reports/PAR0202.pdf [each accessed 4/16/15].
• German Steel Mill Attack68. In 2014, hackers manipulated and disrupted control systems to the point that a blast furnace could not be shut down properly, resulting in unspecified "massive" damage.
Structural Events
• CSX Train Signaling System69. In August 2003, a shutdown of train signaling systems attributed to the Sobig computer virus struck the entire east coast of the United States. The virus infected the computer system at the Jacksonville, Florida headquarters of CSX Corp., shutting down signaling, dispatching and other systems. According to Amtrak spokesman Dan Stessel, ten trains were affected that morning. Trains between Pittsburgh and Florence, South Carolina were halted because of dark signals, and schedules between Richmond, Virginia, Washington and New York were delayed by more than two hours. Long-distance trains were also delayed by four to six hours.
• Northeast Power Blackout70. In August 2003, the alarm processor in First Energy's SCADA system failed, and control room operators did not notice that significant operating changes had taken place on the distribution network. In addition, the Midwest Independent System Operator's state estimator could not perform its function because of incomplete information on topology changes, contingency analysis was not possible, and effective reliability oversight was impaired. A major 345 kV transmission line in northern Ohio tripped after coming into contact with trees. The resulting cascading overloads fell on other 345 kV and 138 kV lines, leading to an uncontrolled cascading failure of the transmission grid. In the end, 508 generating units at 265 power plants were tripped, and a total of 61,800 MW was lost.
• Taum Sauk Water Storage Dam Failure71. In December 2005, the Taum Sauk Water Storage Dam suffered catastrophic damage, releasing billions of gallons of water. The failure occurred because the reservoir was full or had been overfilled. The current working theory is that the nightly pump-back operation did not stop when the reservoir was full, so that water spilled over the top of the reservoir. According to the operator, the gauge readings at the dam differed from those at the Osage plant on the Lake of the Ozarks, which remotely monitors and operates the Taum Sauk plant. The stations are linked by a network of microwave towers, and there are no on-site operators at Taum Sauk.
• Bellingham, Washington Gasoline Pipeline Failure72. In June 1999, 900,000 liters (237,000 gallons) of gasoline leaked from a 16-inch (40.64 cm) pipeline and ignited an hour and a half later, killing three people, injuring eight and causing extensive property damage. The control and monitoring functions of the control system did not work, and the pipeline failure was made worse. "Immediately before and during the incident, the SCADA system performed poorly, and the pipeline controllers were unable either to recognize or to respond to the abnormal pipeline operation."
68 Additional information on the German steel mill incident can be found at: http://www.wired.com/2015/01/german-steel-mill-hack-destruction/ [accessed 4/16/15].
69 Additional information on the CSX train signaling system incident can be found at:
http://www.cbsnews.com/stories/2003/08/21/tech/main569418.shtml and
http://www.informationweek.com/story/showArticle.jhtml?articleID=13100807 [each accessed 4/16/15].
70 Additional information on the Northeast power blackout incident can be found at:
http://energy.gov/sites/prod/files/oeprod/DocumentsandMedia/BlackoutFinalImplementationReport%282%29.pdf [accessed 4/16/15].
http://www.oe.energy.gov/DocumentsandMedia/BlackoutFinal-Web.pdf
71 Additional information on the Taum Sauk water storage dam failure incident can be found at:
http://www.ferc.gov/industries/hydropower/safety/projects/taum-sauk/ipoc-rpt/full-rpt.pdf [accessed 4/16/15].
72 Additional information on the Bellingham, Washington gasoline pipeline failure incident can be found at:
http://csrc.nist.gov/groups/SMA/fisma/ics/documents/Bellingham_Case_Study_report%2020Sep071.pdf
and http://www.ntsb.gov/investigations/AccidentReports/Reports/PAR0202.pdf [each accessed 4/16/15].
from the NTSB report issued October 2002 was to utilize an off-line development and testing system
for implementing and testing changes to the SCADA database.
• Browns Ferry-3 PLC Failure73. In August 2006, TVA was forced to manually shut down one of their
plant's two reactors after unresponsive PLC problems caused two water pumps to fail and threatened
the stability of the plant itself. Although there were dual redundant PLCs, they were connected to the
same Ethernet network. Later testing on the failed devices discovered that they would crash when they
encountered excessive network traffic.
Environmental Events
• Fukushima Daiichi Nuclear Disaster74. The Great East Japan Earthquake on 11 March 2011 struck
off the coast of Japan, sending a massive tsunami inland towards the nuclear plant. The tsunami
compromised the plant's seawall, flooding much of the plant including the location housing the
emergency generators. This emergency power was critical to operate the control rooms and also to
provide coolant water for the reactors. The loss of coolant caused the reactor cores to overheat to the
point where the fuel's zirconium cladding reacted with water, releasing hydrogen gas and fueling large
explosions in three of the four reactor buildings. This resulted in large-scale radiation leakage that has
impacted plant employees, nearby citizens, and the local environment. Post event analysis found that
the plant's emergency response center had insufficient secure communication lines to provide other
areas of the plant with information on key safety related instrumentation.
Accidental Events
• Vulnerability Scanner Incidents75. While a ping sweep was being performed on an active SCADA
network that controlled 3 meter (9 foot) robotic arms, it was noticed that one arm became active and
swung around 180 degrees. The controller for the arm was in standby mode before the ping sweep was
initiated. In a separate incident, a ping sweep was being performed on an ICS network to identify all
hosts that were attached to the network, for inventory purposes, and it caused a system controlling the
creation of integrated circuits in the fabrication plant to hang. This test resulted in the destruction of
$50,000 worth of wafers.
• Penetration Testing Incident76. A natural gas utility hired an IT security consulting organization to
conduct penetration testing on its corporate IT network. The consulting organization carelessly
ventured into a part of the network that was directly connected to the SCADA system. The penetration
test locked up the SCADA system and the utility was not able to send gas through its pipelines for four
hours. The outcome was the loss of service to its customer base for those four hours.
73 Additional information on the Browns Ferry -3 PLC Failure incident can be found at:
http://www.nrc.gov/reading-rm/doc-collections/gen-comm/info-notices/2007/in200715.pdf [accessed 4/16/15].
74 Additional information can be found at:
http://www-pub.iaea.org/MTCD/meetings/PDFplus/2011/cn200/documentation/cn200_Final-Fukushima-Mission_Report.pdf and
http://pbadupws.nrc.gov/docs/ML1414/ML14140A185.pdf [each accessed 4/16/15].
75 Additional information on the vulnerability scanner incidents can be found at:
http://energy.sandia.gov/wp/wp-content/gallery/uploads/sand_2005_2846p.pdf
http://www.sandia.gov/scada/documents/sand_2005_2846p.pdf
[accessed 4/16/15].
76 Additional information on penetration testing incidents can be found at:
http://energy.sandia.gov/wp/wp-content/gallery/uploads/sand_2005_2846p.pdf [accessed 4/16/15].
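Both accidental events above began with a scan that reached a control network. As an added defensive illustration, not code from NIST SP 800-82, the following Python flags a source address that touches many control-network hosts within a short window. The firewall log format, the 10.20.0.0/24 control subnet and the log lines themselves are constructed for the example; the only signal used is the number of distinct control-network addresses one source contacts in a window, which separates an inventory or ping sweep from an HMI polling a handful of PLCs.

```python
"""Flag hosts sweeping a control-system subnet, from constructed firewall logs.

Added example, not code from NIST SP 800-82. The "key=value" log format and
the 10.20.0.0/24 control subnet are assumptions made for the illustration.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

CONTROL_NET = ipaddress.ip_network("10.20.0.0/24")  # assumed ICS subnet

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) fw: proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)(?: dport=(?P<dport>\d+))? "
    r"action=(?P<action>\w+)$"
)

# Constructed sample: an HMI polling two PLCs over Modbus/TCP, a host that
# pings two addresses, one packet to an address outside the control net, a
# malformed line, and a host that pings twelve control-net hosts in 12 seconds.
SAMPLE_LOG = "\n".join(
    [
        "2015-04-16 09:00:05 fw: proto=tcp src=10.20.0.50 dst=10.20.0.10 dport=502 action=allow",
        "2015-04-16 09:00:06 fw: proto=tcp src=10.20.0.50 dst=10.20.0.11 dport=502 action=allow",
        "2015-04-16 09:00:07 fw: proto=tcp src=10.20.0.50 dst=10.20.0.10 dport=502 action=allow",
        "2015-04-16 09:00:12 fw: proto=icmp src=10.1.5.9 dst=10.20.0.1 action=allow",
        "2015-04-16 09:00:13 fw: proto=icmp src=10.1.5.9 dst=10.20.0.2 action=allow",
        "2015-04-16 09:00:14 fw: proto=icmp src=10.1.5.7 dst=10.30.0.4 action=allow",
        "this line is deliberately malformed and must be skipped",
    ]
    + [
        f"2015-04-16 09:00:{10 + i:02d} fw: proto=icmp src=10.1.5.7 dst=10.20.0.{i + 1} action=allow"
        for i in range(12)
    ]
)


def parse_line(line: str) -> Optional[dict]:
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "proto": m["proto"],
        "src": m["src"],
        "dst": ipaddress.ip_address(m["dst"]),
        "action": m["action"],
    }


def find_sweeps(lines: List[str], min_targets: int = 8,
                window: timedelta = timedelta(seconds=30)) -> Dict[str, int]:
    """Map each sweeping source to the largest number of distinct control-net
    hosts it contacted inside any single window. Protocol is ignored on
    purpose: the incidents in the text were ICMP, but an inventory scan may
    just as well probe TCP ports."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["dst"] not in CONTROL_NET:
            continue
        by_src[ev["src"]].append((ev["ts"], ev["dst"]))

    alerts: Dict[str, int] = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):       # sliding window over time
            while events[end][0] - events[start][0] > window:
                start += 1
            targets = {dst for _, dst in events[start:end + 1]}
            if len(targets) >= min_targets:
                alerts[src] = max(alerts.get(src, 0), len(targets))
    return alerts


if __name__ == "__main__":
    for src, n in find_sweeps(SAMPLE_LOG.splitlines()).items():
        print(f"possible sweep from {src}: {n} control-network hosts in one window")
```

On the constructed log only the scanning host is reported: the HMI that polls two PLCs and the host that pings two addresses stay below the threshold. `min_targets` and `window` must be tuned to a site's own traffic; the point is to learn that a scan reached the control network, whether from a vulnerability scanner or a misdirected penetration test, before a PLC hangs.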
A key recommendation of the NTSB report issued in October 2002 was that changes to the SCADA database be implemented and tested on an off-line development and test system.
• Browns Ferry-3 PLC Failure77. In August 2006, one of the plant's two reactors was shut down manually after PLCs became unresponsive, two water pumps stopped, and maintaining the stability of the plant itself became doubtful. The PLCs were dual-redundant, but both were connected to the same Ethernet network. Later testing of the failed devices showed that they had crashed when network traffic became excessive.
Environmental Events
• Fukushima Daiichi Nuclear Disaster78. On 11 March 2011, the Great East Japan Earthquake occurred off the coast of Japan and a large tsunami struck the plant. The tsunami breached the plant's seawall and flooded most of the plant, including the area housing the emergency generators. This emergency power was indispensable for operating the control rooms and for supplying coolant water to the reactors. With the coolant lost, the reactor cores overheated, the zirconium cladding of the fuel reacted with water and released hydrogen, and explosions occurred in three of the four reactor buildings. The result was a large-scale release of radiation that affected plant employees, nearby residents and the local environment. Post-event analysis found that the emergency response center's communication lines for conveying key safety-related instrumentation information to other areas of the plant were inadequate.
Accidental Events
• Vulnerability Scanner Incidents79. While a ping sweep was being run on an active SCADA system network controlling 3 m (9 ft) robotic arms, one arm became active and swung nearly 180°. Before the ping sweep started, the arm controller had been in standby mode. In a separate incident, a ping sweep was run on an ICS network to identify, for inventory purposes, every host connected to the network, and it hung a system in a fabrication plant that controlled the production of integrated circuits. As a result, $50,000 worth of wafers was destroyed.
• Penetration Testing Incident80. A natural gas utility hired an IT security consulting organization to carry out penetration testing of its own IT network. The consulting organization carelessly entered a part of the network that was directly connected to the SCADA system. The penetration test locked up the SCADA system, and the utility could not deliver gas for four hours. The result was a loss of service to its customers for those four hours.
77 Additional information on the Browns Ferry-3 PLC failure incident can be found at: http://www.nrc.gov/reading-rm/doc-collections/gen-comm/info-notices/2007/in200715.pdf [accessed 4/16/15].
78 Additional information can be found at: http://www-pub.iaea.org/MTCD/meetings/PDFplus/2011/cn200/documentation/cn200_Final-Fukushima-Mission_Report.pdf and http://pbadupws.nrc.gov/docs/ML1414/ML14140A185.pdf [each accessed 4/16/15].
79 Additional information on the vulnerability scanner incidents can be found at:
http://energy.sandia.gov/wp/wp-content/gallery/uploads/sand_2005_2846p.pdf
http://www.sandia.gov/scada/documents/sand_2005_2846p.pdf [accessed 4/16/15].
80 Additional information on the penetration testing incident can be found at: http://energy.sandia.gov/wp/wp-content/gallery/uploads/sand_2005_2846p.pdf [accessed 4/16/15].
Appendix D—Current Activities in Industrial Control System Security
This appendix contains abstracts of some of the many activities that are addressing ICS cybersecurity.
Please be aware that organization descriptions and related information provided in this appendix have been
drawn primarily from the listed organizations' Web sites and from other reliable public sources, but have not
been verified. Readers are encouraged to contact the organizations directly for the most up-to-date and
complete information.
American Gas Association (AGA) Standard 12, “Cryptographic Protection of SCADA
Communications”
American Gas Association: http://www.aga.org/
The American Gas Association, representing 195 local energy utility organizations that deliver natural gas
to more than 56 million homes, businesses, and industries throughout the United States, advocates the
interests of its energy utility members and their customers, and provides information and services. The
AGA 12 series of documents recommends practices designed to protect SCADA communications against
cyber incidents. The recommended practices focus on ensuring the confidentiality of SCADA
communications.
The purpose of the AGA 12 series is to save SCADA system owners' time and effort by recommending a
comprehensive system designed specifically to protect SCADA communications using cryptography. The
AGA 12 series may be applied to water, wastewater, and electric SCADA-based distribution systems
because of their similarities with natural gas systems; however, timing requirements may be different.
Recommendations included in the series 12 documents may also apply to other ICS. Additional topics
planned for future addendums in this series include key management, protection of data at rest, and security
policies.
American Petroleum Institute (API) Standard 1164, “Pipeline SCADA Security”
American Petroleum Institute: http://www.api.org/
The American Petroleum Institute represents more than 400 members involved in all aspects of the oil and
natural gas industry. API 1164 provides guidance to the operators of oil and natural gas pipeline systems
for managing SCADA system integrity and security. The guideline is specifically designed to provide
operators with a description of industry practices in SCADA security, and to provide the framework needed
to develop sound security practices within the operator’s individual organizations. It stresses the
importance of operators understanding system vulnerability and risks when reviewing the SCADA system
for possible system improvements. API 1164 provides a means to improve the security of SCADA pipeline
operations by:
• Listing the processes used to identify and analyze the SCADA system's susceptibility to incidents.
• Providing a comprehensive list of practices to harden the core architecture.
• Providing examples of industry recommended practices.
The guideline targets small to medium pipeline operators with limited IT security resources. The guideline
is applicable to most SCADA systems, not just oil and natural gas SCADA systems. The appendices of the
document include a checklist for assessing a SCADA system and an example of a SCADA control system
security plan.
Appendix D—Current Activities in Industrial Control System Security
This appendix summarizes some of the many activities addressing ICS cybersecurity. Note that the organization descriptions and related information given here have been drawn primarily from the listed organizations' web sites and other reliable public sources and have not been verified. Readers are encouraged to contact the organizations directly to obtain the most up-to-date information.
American Gas Association (AGA) Standard 12, “Cryptographic Protection of SCADA Communications”
American Gas Association: http://www.aga.org/
The American Gas Association, representing 195 local energy utilities, delivers natural gas to 56 million homes, businesses and industries throughout the United States, advocates the interests of both its utilities and their customers, and provides information and services. The AGA 12 series recommends practices for protecting SCADA systems against cyber incidents. The recommended practices place their emphasis on ensuring the confidentiality of SCADA communications.
The purpose of the series is to save SCADA system owners time and effort by recommending a comprehensive system for protecting SCADA communications using cryptography. The series can be applied to water, wastewater and SCADA-based electric distribution systems, which have much in common with natural gas systems, although the timing requirements may differ.
The recommendations can also be applied to other ICS. Addenda planned for the future include key management, protection of data at rest and security policies.
American Petroleum Institute (API) Standard 1164, “Pipeline SCADA Security”
American Petroleum Institute: http://www.api.org/
The American Petroleum Institute represents more than 400 members engaged in every aspect of the oil and natural gas industry. API 1164 provides guidance for operators of oil and natural gas pipeline systems who are responsible for managing the integrity and security of SCADA systems. In particular, it describes industry practices in SCADA security and presents a basic framework for developing sound security practices within an operator's organization. It stresses the importance of operators understanding system vulnerabilities and risks when examining a SCADA system for improvements. API 1164 lists the following as means of improving the security of SCADA pipeline operations:
• Listing the processes used to identify and analyze the SCADA system's susceptibility to incidents
• Producing a comprehensive list of practices for hardening the core architecture
• Giving examples of industry recommended practices
The guideline targets small and medium-sized pipeline operators with limited IT security resources. It is applicable not only to oil and natural gas but to most SCADA systems. The appendices of the guideline also include a checklist for assessing a SCADA system and an example of a SCADA control system security plan.
Electric Power Research Institute (EPRI)
http://www.epri.com/Our-Work/Pages/Cyber-Security.aspx,
http://smartgrid.epri.com/NESCOR.aspx
The Electric Power Research Institute (EPRI) is a nonprofit center for public interest energy and
environmental research. EPRI brings together member organizations, the Institute's scientists and engineers,
and other leading experts to work collaboratively on solutions to the challenges of electric power. These
solutions span nearly every area of power generation, delivery, and use, including health, safety, and
environment. EPRI's members represent over 90% of the electricity generated in the United States.
Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)
https://ics-cert.us-cert.gov/About-Industrial-Control-Systems-Cyber-Emergency-Response-Team
The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) operates within the
National Cybersecurity and Integration Center (NCCIC), a division of the Department of Homeland
Security's Office of Cybersecurity and Communications (DHS CS&C). NCCIC/ICS-CERT is a key
component of the DHS Strategy for Securing Control Systems. The primary goal of the Strategy is to build
a long-term common vision where effective risk management of control systems security can be realized
through successful coordination efforts. ICS-CERT provides a control system security focus in
collaboration with US-CERT to:
• Respond to and analyze control systems related incidents.
• Conduct vulnerability and malware analysis.
• Provide onsite support for incident response and forensic analysis.
• Provide situational awareness in the form of actionable intelligence.
• Coordinate the responsible disclosure of vulnerabilities/mitigations.
• Share and coordinate vulnerability information and threat analysis through information products and
alerts.
ICS-CERT coordinates control systems-related security incidents and information sharing with Federal,
State, and local agencies and organizations, the intelligence community, and private sector constituents,
including vendors, owners and operators, and international and private sector CERTs. The focus on control
systems cybersecurity provides a direct path for coordination of activities among all members of the critical
infrastructure stakeholder community.
As a functional component of the NCCIC, ICS-CERT provides focused operational capabilities for defense
of control system environments against emerging cyber threats.
ICS-CERT provides efficient coordination of control-systems-related security incidents and information
sharing with federal, state, and local agencies and organizations, the Intelligence Community, private sector
constituents including vendors, owners, and operators, and international and private sector computer
security incident response teams (CSIRTs). The focus on control systems cybersecurity provides a direct
path for coordination of activities for all members of the stakeholder community.
Electric Power Research Institute (EPRI)
http://www.epri.com/Our-Work/Pages/Cyber-Security.aspx,
http://smartgrid.epri.com/NESCOR.aspx
The Electric Power Research Institute (EPRI) is a nonprofit organization for public-interest energy and environmental research. It brings together member organizations, the Institute's scientists and engineers, and other experts to work on solving the problems of electric power. Its solutions span every area, including generation, delivery and use, and also cover health, safety and the environment. Its members produce more than 90% of the electricity generated in the United States.
Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)
https://ics-cert.us-cert.gov/About-Industrial-Control-Systems-Cyber-Emergency-Response-Team
The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) sits within the National Cybersecurity and Communications Integration Center (NCCIC), under the Department of Homeland Security's Office of Cybersecurity and Communications (DHS CS&C). NCCIC/ICS-CERT is a key component of the DHS strategy for securing control systems. The main purpose of the strategy is to establish a long-term common vision and to realize effective risk management of control system security through mutual coordination. In collaboration with US-CERT, ICS-CERT promotes control system security with the following focus:
• Responding to and analyzing control system-related incidents
• Analyzing vulnerabilities and malware
• Supporting on-site incident response and forensic analysis
• Raising awareness by providing actionable information
• Coordinating the responsible disclosure of vulnerabilities and mitigations
• Sharing and coordinating vulnerability information and threat analysis through information products and alerts
ICS-CERT coordinates control system-related security incidents and information and shares them with federal, state and local government agencies and organizations, the intelligence community and private-sector constituents (vendors, owners, international and private-sector CERTs, and so on). Its focus on the cybersecurity of control systems opens a direct path for coordinating activities among all critical infrastructure stakeholders.
As a functional component of the NCCIC, ICS-CERT provides focused operational capabilities for protecting control system environments from emerging cyber threats.
ICS-CERT coordinates control system-related security incidents and information and shares them with federal, state and local government agencies and organizations, the intelligence community and private-sector constituents (vendors, owners, operators, international and private-sector computer security incident response teams [CSIRTs], and so on). Its focus on the cybersecurity of control systems opens a direct path for coordinating activities for all stakeholders.
ICS-CERT Cyber Security Evaluation Tool (CSET®)
http://ics-cert.us-cert.gov/Assessments
The Cyber Security Evaluation Tool (CSET®) is a DHS product that assists organizations in protecting
their key national cyber assets. It was developed under the direction of the DHS ICS-CERT by
cybersecurity experts and with assistance from NIST. This tool provides users with a systematic and
repeatable approach for assessing the security posture of their cyber systems and networks. It includes both
high-level and detailed questions related to all industrial control and IT systems.
CSET is a desktop software tool that guides users through a step-by-step process to assess their control
system and information technology network security practices against recognized industry standards. The
output from CSET is a prioritized list of recommendations for improving the cybersecurity posture of the
organization's enterprise and industrial control cyber systems. The tool derives the recommendations from a
database of cybersecurity standards, guidelines, and practices. Each recommendation is linked to a set of
actions that can be applied to enhance cybersecurity controls.
CSET has been designed for easy installation and use on a stand-alone laptop or workstation. It
incorporates a variety of available standards from organizations such as NIST, NERC, Transportation
Security Administration (TSA), U.S. Department of Defense (DoD), and others. When the tool user selects
one or more of the standards, CSET will open a set of questions to be answered. The answers to these
questions will be compared against a selected security assurance level, and a detailed report will be
generated to show areas for potential improvement. CSET provides an excellent means to perform a self-
assessment of the security posture of your control system environment.
ICS-CERT Recommended Practices
https://ics-cert.us-cert.gov/Introduction-Recommended-Practices
ICS-CERT works with the control systems community to ensure that recommended practices, which are
made available, have been vetted by subject-matter experts in industry before being made publicly
available in support of this program.
Recommended practices are developed to help users reduce their exposure and susceptibility to cyber
attacks. These recommendations are based on understanding the cyber threats, control systems
vulnerabilities and attack paths, and secure architecture design.
The recommended practices working group selects topics to be implemented in the recommended practices
section. Additional supporting documents detailing a wide variety of control systems topics associated
with cyber vulnerabilities and their mitigation have been developed and vetted by the working group for
accuracy. These documents will be updated and topics added to address additional content and emerging
issues.
ICS-CERT Cyber Security Evaluation Tool (CSET®)
http://ics-cert.us-cert.gov/Assessments
The ICS-CERT Cyber Security Evaluation Tool (CSET®) is a DHS product that helps organizations protect the nation's key cyber assets. It was developed by cybersecurity experts under the direction of DHS ICS-CERT, with support from NIST. It enables a systematic and repeatable approach to assessing the security posture of cyber systems and networks. It addresses both high-level and detailed questions concerning all industrial control and IT systems.
CSET is a desktop software tool that assesses control system and information technology network security practices step by step against widely recognized industry standards. With CSET, a prioritized list of recommendations for improving the cybersecurity posture of the organization's enterprise and industrial control cyber systems can be produced. The tool derives its recommendations from a database of cybersecurity standards, guidelines and practices. Each recommendation is linked to a set of actions that can be applied to enhance cybersecurity controls.
CSET is designed to be easily installed and used on a stand-alone laptop or workstation. It incorporates a variety of standards available from NIST, NERC, the Transportation Security Administration (TSA), the Department of Defense and other organizations. When the tool's user selects one of these standards, a series of questions is presented. The answers are compared against the selected security assurance level, and a detailed report showing the areas that can be improved is produced. CSET is an excellent means of self-assessing the security posture of a control system environment.
ICS-CERT Recommended Practices
https://ics-cert.us-cert.gov/Introduction-Recommended-Practices
ICS-CERT works with the control systems community and asks subject-matter experts in industry to vet the recommended practices it has obtained before they are published.
Recommended practices are produced to reduce exposure and susceptibility to cyber attacks. They are based on an understanding of cyber threats, control system vulnerabilities and attack paths, and secure architecture design.
The recommended practices working group selects the topics to be taken up in the recommended practices section. Supporting documents detailing a wide variety of control system topics concerning cyber vulnerabilities and their mitigation have been produced by the working group and vetted for accuracy. The documents are updated, and topics covering supplementary content and new issues are added.
Institute of Electrical and Electronics Engineers, Inc. (IEEE)
http://www.ieee.org
IEEE 1686-2007 – Standard for Substation IED Cybersecurity Capabilities. The functions and features to
be provided in substation intelligent electronic devices (IEDs) to accommodate critical infrastructure
protection programs are defined in this standard. Security regarding the access, operation, configuration,
firmware revision, and data retrieval from an IED is addressed in this standard. Communications for the
purpose of power system protection (teleprotection) is not addressed. Encryption for the secure
transmission of data both within and external to the substation, including supervisory control and data
acquisition, is not part of this standard as this is addressed in other efforts.
IEEE P1711 - Standard for a Cryptographic Protocol for Cybersecurity of Substation Serial Links. This
standard defines a cryptographic protocol to provide integrity, and optional confidentiality, for
cybersecurity of serial links. It does not address specific applications or hardware implementations, and is
independent of the underlying communications protocol.
IEEE 1815-2012 - Standard for Electric Power System Communications-Distributed Network Protocol
(DNP3). This standard describes the DNP3 SCADA protocol, incorporating version five of the application-
layer authentication procedure called DNP3 Secure Authentication (DNP3-SAv5). DNP3-SAv5 uses an
HMAC process to verify that data and commands are received (without tampering) from authorized
individual users or devices while limiting computational and communications overhead. SAv5 supports
remote update (add/change/revoke) of user credentials using either symmetric or PKI techniques. SAv5
authenticates but does not encrypt messages, hence it does not provide confidentiality. SAv5 can be used
together with encryption techniques such as TLS or IEEE 1711 where confidentiality is required.
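The challenge-and-reply mechanism this paragraph attributes to DNP3-SAv5, as an added illustration in Python; it is not code from NIST SP 800-82 or from the IEEE 1815 specification. It models only the concept: the outstation holds a critical command, issues a challenge carrying a fresh nonce, and executes the command only when the master's reply carries a matching HMAC over the challenge and the command bytes it actually received. The session key, the command payload and the framing are constructed for the example, and the real protocol's wire format, HMAC truncation rules and key-update procedure are not reproduced. The last function makes the paragraph's confidentiality caveat concrete: the command crosses the link readable.

```python
"""Challenge-response command authentication in the spirit of DNP3-SAv5.

Added illustration, not code from NIST SP 800-82 or IEEE 1815. The key,
command payload and framing are constructed; the real wire format, HMAC
truncation and key-update procedure are not modelled.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed demo session key. Real session keys come from the key-update
# exchange; here the master and the outstation simply share it in advance.
DEMO_SESSION_KEY = hashlib.sha256(b"constructed-demo-session-key").digest()

# Constructed command payload standing in for a DNP3 control operation.
TRIP_BREAKER = b"OPERATE breaker=7 action=TRIP"


@dataclass(frozen=True)
class Challenge:
    csq: int      # challenge sequence number
    nonce: bytes  # fresh random data, so an old reply cannot be replayed


def compute_mac(key: bytes, challenge: Challenge, command: bytes) -> bytes:
    """HMAC-SHA-256 over the challenge and the exact command bytes."""
    msg = challenge.csq.to_bytes(4, "big") + challenge.nonce + command
    return hmac.new(key, msg, hashlib.sha256).digest()


@dataclass
class Outstation:
    key: bytes
    csq: int = 0
    pending: Optional[Tuple[Challenge, bytes]] = None  # held until authenticated
    executed: List[bytes] = field(default_factory=list)

    def receive_command(self, command: bytes) -> Challenge:
        """A critical command is not acted on yet; it is held and challenged."""
        self.csq += 1
        challenge = Challenge(self.csq, secrets.token_bytes(4))
        self.pending = (challenge, command)
        return challenge

    def receive_reply(self, csq: int, mac: bytes) -> bool:
        """Execute the held command only if the reply authenticates it."""
        if self.pending is None or csq != self.pending[0].csq:
            return False
        challenge, command = self.pending
        self.pending = None  # each challenge accepts exactly one reply
        expected = compute_mac(self.key, challenge, command)
        if not hmac.compare_digest(expected, mac):
            return False
        self.executed.append(command)
        return True


@dataclass
class Master:
    key: bytes

    def answer(self, challenge: Challenge, command: bytes) -> bytes:
        """The master signs the command it sent, not whatever the link delivered."""
        return compute_mac(self.key, challenge, command)


def run_exchange(master: Master, outstation: Outstation, sent: bytes,
                 delivered: Optional[bytes] = None) -> Tuple[bool, List[bytes]]:
    """Drive one exchange; return (executed, frames as seen on the link)."""
    delivered = sent if delivered is None else delivered
    frames = [delivered]                                   # command frame
    challenge = outstation.receive_command(delivered)
    frames.append(challenge.csq.to_bytes(4, "big") + challenge.nonce)  # challenge
    mac = master.answer(challenge, sent)
    frames.append(challenge.csq.to_bytes(4, "big") + mac)  # reply frame
    return outstation.receive_reply(challenge.csq, mac), frames


def authentic_command() -> bool:
    """Untouched command from the legitimate master: executed."""
    executed, _ = run_exchange(Master(DEMO_SESSION_KEY), Outstation(DEMO_SESSION_KEY), TRIP_BREAKER)
    return executed


def tampered_command() -> bool:
    """Command altered in transit: the MAC over the delivered bytes does not match."""
    altered = TRIP_BREAKER.replace(b"breaker=7", b"breaker=9")
    executed, _ = run_exchange(Master(DEMO_SESSION_KEY), Outstation(DEMO_SESSION_KEY),
                               TRIP_BREAKER, delivered=altered)
    return executed


def replayed_reply() -> bool:
    """A recorded valid reply fails against a later challenge (new nonce)."""
    master, outstation = Master(DEMO_SESSION_KEY), Outstation(DEMO_SESSION_KEY)
    first = outstation.receive_command(TRIP_BREAKER)
    recorded = master.answer(first, TRIP_BREAKER)
    outstation.receive_reply(first.csq, recorded)
    second = outstation.receive_command(TRIP_BREAKER)
    return outstation.receive_reply(second.csq, recorded)


def command_visible_on_wire() -> bool:
    """SAv5 authenticates but does not encrypt: the command crosses in clear."""
    _, frames = run_exchange(Master(DEMO_SESSION_KEY), Outstation(DEMO_SESSION_KEY), TRIP_BREAKER)
    return any(b"action=TRIP" in frame for frame in frames)
```

Running the four scenario functions shows the properties the paragraph lists: the genuine command executes, a command modified on the link is rejected because the outstation verifies the bytes it received while the master signed the bytes it sent, a recorded reply is useless against a later challenge, and none of this hides the command itself, which is why the text pairs SAv5 with TLS or IEEE 1711 where confidentiality matters.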
Institute for Information Infrastructure Protection (I3P)
http://www.thei3p.org/
The I3P is a consortium of leading national cybersecurity institutions, including academic research centers,
government laboratories, and non-profit organizations. It was founded in September 2001 to help meet a
well-documented need for improved research and development (R&D) to protect the nation's information
infrastructure against catastrophic failures. The institute's main role is to coordinate a national cybersecurity
R&D program and help build bridges between academia, industry, and government. The I3P continues to
work toward identifying and addressing critical research problems in information infrastructure protection
and opening information channels between researchers, policymakers, and infrastructure operators.
Currently, the I3P does the following:
• Fosters collaboration among academia, industry, and government on pressing cybersecurity problems.
• Develops, manages, and supports national-scale research projects.
• Provides research fellowship opportunities to qualified post-doctoral researchers, faculty, and research
scientists.
• Hosts workshops, meetings, and events on cybersecurity and information infrastructure protection
issues.
• Builds and supports a knowledge base as an online vehicle for sharing and distributing information to
I3P members and others working on information security challenges.
Institute of Electrical and Electronics Engineers (IEEE)
http://www.ieee.org
IEEE 1686-2007 – Standard for Substation IED Cybersecurity Capabilities. The functions and features to be provided in substation intelligent electronic devices (IEDs) to fit critical infrastructure protection programs are defined in this standard. Access, operation, configuration, firmware revision and data retrieval from an IED are covered by the standard. Communications for power system protection (teleprotection) are out of scope. Encryption for secure data communication inside and outside the substation, including SCADA, is handled elsewhere and is not covered by this standard.
IEEE P1711 - Standard for a Cryptographic Protocol for Cybersecurity of Substation Serial Links. This standard defines a cryptographic protocol and specifies integrity and optional confidentiality for serial links. It does not cover specific applications or hardware implementations and is independent of the underlying communications protocol.
IEEE 1815-2012 - Standard for Electric Power System Communications-Distributed Network Protocol (DNP3). This standard describes DNP3 SCADA, incorporating version 5 of the application-layer authentication procedure called DNP3 Secure Authentication (DNP3-SAv5). DNP3-SAv5 uses an HMAC process to verify whether data and commands were received (without tampering) from an authorized user or device while keeping computation and communication overhead low. SAv5 supports remote update (addition, change and revocation) of user credentials using either symmetric or PKI techniques. It authenticates but does not encrypt messages, and so does not provide confidentiality. Where confidentiality is required, an encryption technique such as TLS or IEEE 1711 is used alongside it.
Institute for Information Infrastructure Protection (I3P)
http://www.thei3p.org/
The I3P is a consortium of leading cybersecurity institutions, including university research centers, national laboratories and non-profit organizations. It was founded in September 2001 to improve and document research and development aimed at protecting the nation's information infrastructure from catastrophic failures. Its main role is to coordinate the national cybersecurity research and development program and to foster collaboration among industry, government and academia. The I3P aims to identify and address critical research problems in information infrastructure protection and to open information channels between researchers, policymakers and infrastructure operators. It currently undertakes the following:
• Strengthening collaboration among industry, government and academia on cybersecurity problems
• Developing, managing and supporting national-scale research projects
• Providing research opportunities to qualified post-doctoral researchers, faculty and research scientists
• Hosting workshops, meetings and events on cybersecurity and information infrastructure protection issues
• Building a knowledge base as a medium for sharing and distributing information to I3P members and others concerned with information security problems
International Electrotechnical Commission (IEC) Technical Committees 65 and 57
http://www.iec.ch/
IEC is a standards organization that prepares and publishes international standards for all electrical,
electronic, and related technologies. These standards serve as a basis for creating national standards and as
references for drafting international tenders and contracts. IEC’s members include manufacturers, providers,
distributors, vendors, consumers, and users, all levels of governmental agencies, professional societies,
trade associations, and standards developers from over 60 countries.
In 2004 the IEC Technical Sub-Committee 65C (Industrial Networks), through its working group WG13
(cybersecurity), started to address security issues, within the IEC 61784 standard, for field buses and
other industrial communication networks. Results of this work are outlined in part 4, entitled “Digital data
communications for measurement and control – Profiles for secure communications in industrial
networks.”
TC65 WG10 is working to extend this field level communication to address security standards across
common automation networking scenarios. The standard being drafted as a result of this work is IEC 62443,
entitled “Security for industrial process measurement and control – Network and system security.” It is
based on a modular security architecture consisting of requirement sets. These modules are mapped into
ICS component and network architecture. The resulting requirements can then be formulated for use as the
basis for Requests for Proposals (RFP) for data communication standards, and security audits.
TC 57 is focused on Power Systems Management and Associated Information Exchange and is divided into a series of working groups. Each working group comprises members of the national standards committees of the countries that participate in the IEC, and each is responsible for developing standards within its domain. The current working groups are:
- WG 3: Telecontrol protocols.
- WG 9: Distribution automation using distribution line carrier systems.
- WG 10: Power system IED communication and associated data models.
- WG 13: Energy management system application program interface (EMS-API).
- WG 14: System interfaces for distribution management (SIDM).
- WG 15: Data and communication security.
- WG 16: Deregulated energy market communications.
- WG 17: Communications systems for Distributed Energy Resources (DER).
- WG 18: Hydroelectric power plants – Communication for monitoring and control.
- WG 19: Interoperability within TC 57 in the long term.
- WG 20: Planning of (single-sideband) power line carrier systems (IEC 60495 and IEC 60663).
- WG 21: Interfaces and protocol profiles relevant to systems connected to the electrical grid.
ISA99 Industrial Automation and Control Systems Security Standards
http://www.isa.org/isa99
The ISA99 standards development committee brings together industrial cybersecurity experts from across
the globe to develop ISA standards on industrial automation and control system (IACS) security. This
original and ongoing ISA99 work is being standardized by the IEC in producing the multi-standard IEC
62443 series. The committee’s focus is to improve the confidentiality, integrity, and availability of
components or systems used for automation or control and provides criteria for procuring and
implementing secure control systems. Compliance with the committee’s guidance will improve industrial
automation and control system electronic security, and will help identify vulnerabilities and address them,
thereby reducing the risk of compromising confidential information or causing industrial automation
control system degradation or failure.
All ISA-62443 standards and technical reports are organized into four general categories called General,
Policies and Procedures, System, and Component.
- The General category includes common or foundational information such as concepts, models, and terminology. Also included are work products that describe security metrics and security life cycles for IACS.
- The Policies and Procedures category of work products targets the asset owner. These address various aspects of creating and maintaining an effective IACS security program.
- The System category includes work products that describe system design guidance and requirements for the secure integration of control systems. Core to this is the zone and conduit design model.
- The Component category includes work products that describe the specific product development and technical requirements of control system products. This is primarily intended for control product vendors, but can be used by integrators and asset owners to assist in the procurement of secure products.
The current status of the ISA-62443 documents is provided on the ISA99 Wiki at
http://isa99.isa.org/ISA99 Wiki/
General
- ISA-62443-1-1 (IEC/TS 62443-1-1) (formerly referred to as "ISA-99 Part 1") was originally published as ISA standard ANSI/ISA-99.00.01-2007, as well as an IEC technical specification, IEC/TS 62443-1-1. The ISA99 committee is currently revising it to align it with the other documents in the series and to clarify normative content.
- ISA-TR62443-1-2 (IEC 62443-1-2) is a master glossary of terms used by the ISA99 committee. This document is a working draft.
- ISA-62443-1-3 (IEC 62443-1-3) identifies a set of compliance metrics for IACS security. This document is currently under development, and the committee will be releasing a draft for comment in 2013.
- ISA-TR62443-1-4 (IEC/TS 62443-1-4) defines the IACS security life cycle and use cases. This work product has been proposed as part of the series, but as of January 2013 development had not yet started.
Policies and Procedures
- ISA-62443-2-1 (IEC 62443-2-1) (formerly referred to as "ANSI/ISA 99.02.01-2009" or "ISA-99 Part 2") addresses how to establish an IACS security program. This standard is approved and published by the IEC as IEC 62443-2-1. It is now being revised to permit closer alignment with the ISO 27000 series of standards.
- ISA-TR62443-2-2 (IEC 62443-2-2) addresses how to operate an IACS security program. This standard is currently under development.
- ISA-TR62443-2-3 (IEC/TR 62443-2-3) is a technical report on patch management in IACS environments. This report is currently under development.
- ISA-62443-2-4 (IEC 62443-2-4) focuses on the certification of IACS supplier security policies and practices. This document was adopted from the WIB organization and is now a work product of the IEC TC65/WG10 committee. The proposed ISA version will be a U.S. national publication of the IEC standard.
System
- ISA-TR62443-3-1 (IEC/TR 62443-3-1) is a technical report on suitable technologies for IACS security. This report is approved and published as ANSI/ISA-TR99.00.01-2007 and is now being revised.
- ISA-62443-3-2 (IEC 62443-3-2) addresses how to define security assurance levels using the zones and conduits concept. This standard is currently under development.
- ISA-62443-3-3 (IEC 62443-3-3) defines detailed technical requirements for IACS security. This standard has been published as ANSI/ISA-62443-3-3 (99.03.03)-2013. It was previously numbered ISA-99.03.03.
Component
- ISA-62443-4-1 (IEC 62443-4-1) addresses the requirements for the development of secure IACS products and solutions. This standard is currently under development.
- ISA-62443-4-2 (IEC 62443-4-2) addresses detailed technical requirements at the IACS component level. This standard is currently under development.
ISA100 Wireless Systems for Automation
http://www.isa.org/isa100
The ISA100 Committee establishes standards, recommended practices, technical reports, and related information that define procedures for implementing wireless systems in the automation and control environment, with a focus on the field level. Guidance is directed at those responsible for the complete life cycle of industrial automation and control systems, including design, implementation, ongoing maintenance, scaling, and management, and applies to users, system integrators, practitioners, and control system manufacturers and vendors.
ISO 27001
http://www.iso.org/, http://www.27000.org
ISO 27001 provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an Information Security Management System. The stated objective of the standard is to "provide requirements for establishing, implementing, maintaining and continuously improving an Information Security Management System (ISMS)." Adopting it should be a strategic decision. Further, "The design and implementation of an organization's information security management system is influenced by the organization's needs and objectives, security requirements, the organizational processes used and the size and structure of the organization." The content sections of the standard are:
- Context of the Organization.
- Information Security Leadership.
- Planning an ISMS.
- Support.
- Operation.
- Performance Evaluation.
- Improvement.
- Annex A – List of controls and their objectives.
The 2005 version of the standard relied heavily on the Plan-Do-Check-Act model to structure its processes and to reflect the principles set out in the OECD guidelines (see oecd.org). The current 2013 version places more emphasis on measuring and evaluating how well an organization's ISMS is performing.
ISO 27002
http://www.iso.org/, http://www.27000.org
ISO 27002 "established guidelines and general principles for initiating, implementing, maintaining, and
improving information security management within an organization." The actual controls listed in the
standard are intended to address the specific requirements identified via a formal risk assessment. The
standard is also intended to provide a guide for the development of "organizational security standards and
effective security management practices and to help build confidence in inter-organizational activities."81
In 2013 the current version was published. ISO 27002:2013 contains 114 controls, fewer than the 133
documented in the 2005 version. However for additional granularity, these are presented in 14 sections,
rather than the original 11:
- Security Policy.
- Organization of Information Security.
- Human Resource Security.
- Asset Management.
- Access Control.
- Cryptography.
- Physical and Environmental Security.
- Operations Security.
- Communications Security.
- Information Systems Acquisition, Development, and Maintenance.
- Supplier Relationships.
- Information Security Incident Management.
- Information Security Aspects of Business Continuity.
- Compliance.
81 http://www.27000.org/iso-27002.htm.
International Council on Large Electric Systems (CIGRE)
http://www.cigre.org/
The International Council on Large Electric Systems (CIGRE) is a nonprofit international association based
in France. It has established several study committees to promote and facilitate the international exchange
of knowledge in the electrical industry by identifying recommended practices and developing
recommendations. Three of its study committees focus on control systems:
- The objectives of the B3 Substations Committee include the adoption of technological advances in equipment and systems to achieve increased reliability and availability.
- The C2 System Operation and Control Committee focuses on the technical capabilities needed for the secure and economical operation of existing power systems, including control centers and operators.
- The D2 Information Systems and Telecommunication for Power Systems Committee monitors emerging technologies in the industry and evaluates their possible impact. In addition, it focuses on the security requirements of the information systems and services of control systems.
LOGIIC – Linking the Oil and Gas Industry to Improve Cybersecurity
http://www.dhs.gov/csd-logiic
The LOGIIC (Linking the Oil and Gas Industry to Improve Cybersecurity) program is an ongoing
collaboration of oil and natural gas companies and the DHS Science and Technology Directorate (S&T).
LOGIIC was formed in 2004 to facilitate cooperative research, development, testing, and evaluation
procedures to improve cybersecurity in petroleum industry digital control systems. The program undertakes
collaborative R&D projects to improve the level of cybersecurity in critical systems of interest to the oil
and natural gas sector. The program objective is to promote the interests of the sector while maintaining
impartiality, the independence of the participants, and vendor neutrality. After a successful first project, the
LOGIIC consortium was formally established as a collaboration between DHS, the Automation Federation,
and five of the major oil and gas companies. The LOGIIC program has completed several R&D projects,
and more projects are being planned and started.
National SCADA Test Bed (NSTB)
http://energy.sandia.gov/infrastructure-security/cyber/scada-systems/testbeds/national-scada-testbed/
The National Supervisory Control and Data Acquisition (SCADA) Test Bed is a DOE Office of Electricity
Delivery and Energy Reliability (OE) -sponsored resource to help secure our nation’s energy control
systems. It combines state-of-the-art operational system testing facilities with research, development, and
training to discover and address critical security vulnerabilities and threats to the energy sector.
Working in partnership with the energy sector, the National SCADA Test Bed seeks to:
- Identify and mitigate existing vulnerabilities.
- Facilitate development of security standards.
- Serve as an independent entity to test SCADA systems and related control system technologies.
- Identify and promote best cybersecurity practices.
- Increase awareness of control systems security within the energy sector.
- Develop advanced control system architectures and technologies that are more secure and robust.
Partners in the NSTB include Idaho National Laboratory, Sandia National Laboratories, Argonne National
Laboratory, Pacific Northwest National Laboratory, and the National Institute of Standards and Technology.
NIST Special Publication 800 Series Security Guidelines
http://csrc.nist.gov/publications/nistpubs/index.html
The NIST Special Publication 800 series of documents on information technology reports on the NIST
Information Technology Laboratory (ITL) research, guidance, and outreach efforts in computer security,
and its collaborative activities with industry, government, and academic organizations. Focus areas include
cryptographic technology and applications, advanced authentication, public key infrastructure,
internetworking security, criteria and assurance, and security management and support. In addition to NIST
SP 800-82, the following is a listing of some additional 800 series documents that have significant
relevance to the ICS security community. These as well as many others are available through the URL
listed above.
- NIST SP 800-18 Revision 1, Guide for Developing Security Plans for Federal Information Systems [19].
- NIST SP 800-30 Revision 1, Guide for Conducting Risk Assessments [79].
- NIST SP 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach [21].
- NIST SP 800-39, Managing Information Security Risk: Organization, Mission, and Information System View [20].
- NIST SP 800-40 Revision 3, Guide to Enterprise Patch Management Technologies [40].
- NIST SP 800-41 Revision 1, Guidelines on Firewalls and Firewall Policy [85].
- NIST SP 800-48 Revision 1, Guide to Securing Legacy IEEE 802.11 Wireless Networks.
- NIST SP 800-50, Building an Information Technology Security Awareness and Training Program [61].
- NIST SP 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations [22].
- NIST SP 800-53A Revision 4, Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans [23].
- NIST SP 800-61 Revision 2, Computer Security Incident Handling Guide [59].
- NIST SP 800-63-2, Electronic Authentication Guideline [53].
- NIST SP 800-64 Revision 2, Security Considerations in the Information System Development Life Cycle [46].
- NIST SP 800-70 Revision 2, National Checklist Program for IT Products: Guidelines for Checklist Users and Developers [26].
- NIST SP 800-77, Guide to IPsec VPNs [74].
- NIST SP 800-83 Revision 1, Guide to Malware Incident Prevention and Handling for Desktops and Laptops [60].
- NIST SP 800-86, Guide to Integrating Forensic Techniques into Incident Response [93].
- NIST SP 800-88 Revision 1, Guidelines for Media Sanitization [78].
- NIST SP 800-92, Guide to Computer Security Log Management [68].
- NIST SP 800-94, Guide to Intrusion Detection and Prevention Systems (IDPS) [55].
- NIST SP 800-97, Establishing Robust Security Networks: A Guide to IEEE 802.11i [64].
- NIST SP 800-100, Information Security Handbook: A Guide for Managers [27].
- NIST SP 800-111, Guide to Storage Encryption Technologies for End User Devices [94].
- NIST SP 800-115, Technical Guide to Information Security Testing and Assessment [41].
- NIST SP 800-123, Guide to General Server Security [95].
- NIST SP 800-127, Guide to Securing WiMAX Wireless Communications [96].
- NIST SP 800-128, Guide for Security-Focused Configuration Management of Information Systems [97].
- NIST SP 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations [81].
NIST Cybersecurity Framework
http://www.nist.gov/cyberframework/index.cfm
Recognizing that the national and economic security of the United States depends on the reliable
functioning of critical infrastructure, the President issued Executive Order 13636, Improving Critical
Infrastructure Cybersecurity, in February 2013 [83]. It directed NIST to work with stakeholders to develop
a voluntary framework – based on existing standards, guidelines, and practices – for reducing cyber risks to
critical infrastructure.
NIST released the first version of the Framework for Improving Critical Infrastructure Cybersecurity
on February 12, 2014 [83]. The Framework, created through collaboration between industry and
government, consists of standards, guidelines, and practices to promote the protection of critical
infrastructure. The prioritized, flexible, repeatable, and cost-effective approach of the Framework helps
owners and operators of critical infrastructure to manage cybersecurity-related risk.
The Department of Homeland Security's Critical Infrastructure Cyber Community C³ Voluntary Program
helps align critical infrastructure owners and operators with existing resources that will assist their efforts
to adopt the Cybersecurity Framework and manage their cyber risks. Learn more about the C³ Voluntary
Program by visiting: www.dhs.gov/ccubedvp.
NIST has also issued a companion Roadmap that discusses NIST's next steps with the Framework and
identifies key areas of cybersecurity development, alignment, and collaboration.
SPECIAL PUBLICATION 800-82 REVISION 2 GUIDE TO INDUSTRIAL CONTROL SYSTEMS (ICS) SECURITY
NIST Industrial Control System Security Project
http://csrc.nist.gov/groups/SMA/fisma/ics/
As part of the continuing effort to provide effective security standards and guidance to federal agencies and
their contractors in support of the Federal Information Security Management Act and as part of the effort to
protect the nation's critical infrastructure, NIST continues to work with public and private sector entities on
sector-specific security issues.
Industrial and process control systems are an integral part of the US critical infrastructure, and the
protection of those systems is a priority for the federal government. This project intends to build upon the
current FISMA security standards and provide targeted extensions and/or interpretations of those standards
for industrial and process control systems where needed. Since many industrial and process control
systems support private sector organizations, NIST will collaborate with ongoing standards efforts
addressing these sector-specific types of systems.
NIST Cybersecurity for Manufacturing Systems Project
http://www.nist.gov/el/isd/cs/csms.cfm
Smart manufacturing systems need to be protected from vulnerabilities that may arise as a result of their
increased connectivity, use of wireless networks and sensors, and use of widespread information
technology. Manufacturers are hesitant to adopt common security technologies, such as encryption and
device authentication, due to concern for potential negative performance impacts in their systems. This is
exacerbated by a threat environment that has changed dramatically with the appearance of advanced
persistent attacks specifically targeting industrial systems, such as Stuxnet. This project will develop a
cybersecurity risk management framework with supporting guidelines, methods, metrics and tools to enable
manufacturers, technology providers, and solution providers to assess and assure cybersecurity for smart
manufacturing systems. The cybersecurity risk management framework and methodology will stimulate
manufacturer adoption and enable effective use of security technologies, leading to smart manufacturing
systems that offer security, reliability, resilience and continuity in the face of disruption and major incidents.
NIST Cybersecurity for Smart Grid Systems Project
http://www.nist.gov/el/smartgrid/cybersg.cfm
Smart grid cybersecurity must address not only deliberate attacks, such as from disgruntled employees,
industrial espionage, and terrorists, but also inadvertent compromises of the information infrastructure due
to user errors, equipment failures, and natural disasters. The Smart Grid Interoperability Panel (SGIP)
Cybersecurity Committee (SGCC), which is led and managed by the NIST Information Technology
Laboratory (ITL), Computer Security Division, is moving forward in fiscal year 2014 to address the critical
cybersecurity needs in the areas of Advanced Metering Infrastructure (AMI) security requirements, cloud
computing, supply chain, and privacy recommendations related to emerging standards. This project will
provide foundational cybersecurity guidance, cybersecurity reviews of standards and requirements,
outreach, and foster collaborations in the cross-cutting issue of cybersecurity in the smart grid.
NIST Smart Grid System Testbed Facility
http://www.nist.gov/el/smartgrid/sgtf.cfm
NIST is charged by the 2007 Energy Independence and Security Act (EISA) with facilitation of
interoperability standards to enable successful implementation of the evolving cyber-physical national
electric grid system known as the smart grid (SG). The Smart Grid Testbed Facility will create a unique set
of interconnected and interacting labs in several key measurement areas—contiguously located on the
NIST Gaithersburg site—that will accelerate the development of SG interoperability standards by
providing a combined testbed platform for system measurements, characterization of smart grid protocols,
and validation of SG standards, with particular emphasis on microgrids. (A microgrid is defined as a subset
of the grid which has the capability of being quickly disconnected from, and functioning independently of,
the larger grid.) Measurements will include eight areas: power conditioning, synchrophasor metrology,
cybersecurity, precision time synchronization, electric power metering, modeling/evaluation of SG
communications, sensor interfaces, and energy storage. The testbed will serve as a core Smart Grid
Program research facility to address measurement needs of the evolving SG industrial community including
the measurement and validation issues.
North American Electric Reliability Corporation (NERC)
http://www.nerc.com/
NERC's mission is to improve the reliability and security of the bulk power system in North America. To
achieve that, NERC develops and enforces reliability standards; monitors the bulk power system; assesses
future adequacy; audits owners, operators, and users for preparedness; and educates and trains industry
personnel. NERC is a self-regulatory organization that relies on the diverse and collective expertise of
industry participants. As the Electric Reliability Organization, NERC is subject to audit by the U.S. Federal
Energy Regulatory Commission and by governmental authorities in Canada.
NERC has issued a set of cybersecurity standards, the Critical Infrastructure Protection (CIP) standards, to
reduce the risk of compromise to electrical generation resources and to transmission systems operated at
100 kV or above, together referred to as the bulk electric system. The standards apply to the functional
entities responsible for that system: Balancing Authorities, Reliability Coordinators, Interchange Authorities,
Transmission Providers, Transmission Owners, Transmission Operators, Generation Owners, Generation
Operators, and Load Serving Entities. The cybersecurity standards include audit measures and levels of
non-compliance that can be tied to financial penalties.
The set of NERC cybersecurity standards includes the following:
• CIP-002, Cyber Security - Critical Cyber Asset Identification.
• CIP-003, Cyber Security - Security Management Controls.
• CIP-004, Cyber Security - Personnel & Training.
• CIP-005, Cyber Security - Electronic Security Perimeter(s).
• CIP-006, Cyber Security - Physical Security of Critical Cyber Assets.
• CIP-007, Cyber Security - Systems Security Management.
• CIP-008, Cyber Security - Incident Reporting and Response Planning.
• CIP-009, Cyber Security - Recovery Plans for Critical Cyber Assets.
These are the titles used through version 3 of the CIP standards. Version 5 and later revisions renamed
several of them (CIP-002 became BES Cyber System Categorization, and "Critical Cyber Assets" became
"BES Cyber Systems" throughout) and added CIP-010, Configuration Change Management and Vulnerability
Assessments, and CIP-011, Information Protection; check the current NERC standards list for the version
in force.
SANS ICS Security Courses
http://ics.sans.org/
The ICS curriculum provides hands-on training courses focused on Attacking and Defending ICS
environments. These courses equip both security professionals and control system engineers with the
knowledge and skills they need to safeguard our critical infrastructures.
The Global Industrial Cyber Security Professional (GICSP) is the newest certification in the Global
Information Assurance Certification (GIAC) family and focuses on the foundational knowledge of securing
critical infrastructure assets. The GICSP bridges IT, engineering, and cybersecurity to achieve security for
industrial control systems from design through retirement.
Smart Grid Interoperability Panel (SGIP) Cyber Security Working Group (CSWG)
http://collaborate.nist.gov/twiki-sggrid/bin/view/SmartGrid/CyberSecurityCTG
The primary goal of the working group is to develop an overall cybersecurity strategy for the Smart Grid
that includes a risk mitigation strategy to ensure interoperability of solutions across different
domains/components of the infrastructure. The cybersecurity strategy needs to address prevention,
detection, response, and recovery. Implementation of a cybersecurity strategy requires the definition and
implementation of an overall cybersecurity risk assessment process for the Smart Grid.
The working group’s effort is documented in NIST Interagency Report (NISTIR) 7628 Revision 1,
Guidelines for Smart Grid Cybersecurity [98].
Appendix E—ICS Security Capabilities and Tools
This section provides an overview of security capabilities that are available to or being developed in
support of the ICS community. There are several security products that are marketed specifically for ICS,
while others are general IT security products that are being used with ICS. Many of the products available
offer "single point solutions," where a single security product offers multiple levels of protection. In
addition to available products, this section also discusses some research and development work towards
new products and technologies. Each organization should make a risk-based determination whether to
employ the security capabilities and tools mentioned in this appendix.
Data Diode
A data diode (also referred to as a unidirectional gateway, deterministic one-way boundary device, or
unidirectional network) is a network appliance or device that allows data to travel in only one direction. It
is used to protect critical digital systems, such as industrial control systems, from inbound network attacks:
because the return path is physically absent rather than merely filtered, no packet from the untrusted side
can reach the protected side. Use of these devices is common in high-security environments such as
defense, where they serve as connections between two or more networks of differing security
classifications; the technology is also being used to enforce one-way communication outbound from
critical digital systems to untrusted networks, for example to replicate historian data to the corporate
network. Two practical points follow from the design: bidirectional protocols such as TCP cannot cross the
diode directly, so vendor proxies on each side terminate the protocol and forward the data; and the diode
controls only the link it sits on, so data or malware arriving by other routes, such as removable media or a
maintenance laptop, is not addressed by it.
Encryption
Encryption protects the confidentiality of data by transforming it so that only a holder of the correct key
can recover it. Some commercially available encryption products are designed specifically for ICS
applications, and general encryption products support basic serial and Ethernet-based communications.
Two caveats matter in an ICS: encryption by itself does not provide integrity or authentication, which are
usually the more important properties for control traffic, so a product should be chosen for its
authenticated-encryption or message-authentication support; and encrypting a link prevents inline
firewalls and intrusion detection from inspecting the protocol, so the placement of encryption endpoints
should be planned together with monitoring.
Firewalls
Firewalls are commonly used to segment networks so that the ICS is isolated from, and protected against,
the corporate network and the Internet. Most deployments use commercially available firewalls that were
designed around Internet and corporate application-layer protocols; they can filter ICS traffic only on IP
addresses and TCP/UDP ports, not on the content of ICS protocols, so a permitted Modbus/TCP
connection can carry any function code, including writes and diagnostic commands. Research performed
by an IT security vendor in 2003 produced a Modbus-aware firewall that makes policy decisions on
Modbus/TCP header values (for example the unit identifier and function code) in the same way traditional
firewalls filter on TCP/UDP ports and IP addresses [76]. Several firewalls with this kind of ICS-protocol
inspection are now commercially available.
Intrusion Detection and Prevention
Intrusion detection systems (IDS) and intrusion prevention systems (IPS) are being deployed on ICS
networks and components to detect well-known cyber attacks. Network IDS products monitor network
traffic and use various detection methods, such as comparing portions of the traffic to signatures of known
attacks. In contrast, host intrusion detection uses software loaded on a host computer, often with attack
signatures, to monitor ongoing events and data on a computer system for possible exploits. IPS products
take intrusion detection a step further by automatically acting on detected exploits to attempt to stop them
[57].
The required task of a security team to constantly monitor, evaluate, and quickly respond to intrusion
detection events is sometimes contracted to a managed security service provider (MSSP). MSSPs have
correlation and analysis engines to process and reduce the vast amounts of events logged per day to a small
subset that needs to be manually evaluated. There are also correlation and analysis engine products
available to large organizations wanting to perform this function in-house. Security information and event
management (SIEM) products are used in some organizations to monitor, analyze, and correlate events
from IDS and IPS logs, as well as audit logs from other computer systems, applications, infrastructure
equipment, and other hardware and software, to look for intrusion attempts.
IDS and IPS vendors are developing and incorporating attack signatures for various ICS protocols such as
Modbus, DNP3, and ICCP [58]. Snort rules have been developed for Modbus/TCP, DNP3, and ICCP, and
Snort also ships Modbus and DNP3 preprocessors that decode those protocols so that rules can match on
fields such as the function code rather than on raw byte offsets. Snort is an open source network intrusion
detection and prevention system that uses a rule-driven language to perform signature-, protocol-, and
anomaly-based inspection. Protocol analyzers for DNP3 and Modbus have also been added to the Bro IDS
platform (renamed Zeek in 2018).
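The header-field decision that both an ICS-aware firewall (the Modbus/TCP firewall research described under Firewalls) and the Modbus rules for Snort or Bro rely on, written out as an added example in Python. This is not code from SP 800-82, from the vendor research cited, or from Snort or Bro; the host addresses, unit identifier, and allow-list are assumptions made up for the illustration.

```python
"""Modbus/TCP-aware filtering on header values.

Added example (not code from NIST SP 800-82 or any vendor product):
decodes the MBAP header and function code of a Modbus/TCP request and
applies an allow-list keyed on source address, unit identifier and
function code, the kind of decision an ICS-aware firewall or IDS rule
makes once it can see past the IP address and TCP port.  All hosts,
unit identifiers and policy entries below are assumptions made up for
the illustration.
"""
import struct
from dataclasses import dataclass

MODBUS_PORT = 502
READ_FUNCTIONS = {1, 2, 3, 4}              # read coils / discrete inputs / registers
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}   # write coils / registers
DIAGNOSTIC_FUNCTIONS = {8, 43}             # diagnostics, encapsulated interface transport


@dataclass(frozen=True)
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Decode the 7-byte MBAP header plus the PDU function code.

    Raises ValueError for anything that is not a well-formed Modbus/TCP
    request, so that malformed frames are dropped rather than forwarded.
    """
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError(f"protocol identifier {protocol_id} is not Modbus (0)")
    # The length field counts the unit identifier and the PDU, so a valid
    # frame is exactly 6 + length bytes long.
    if length < 2 or len(frame) != 6 + length:
        raise ValueError(f"length field {length} does not match {len(frame)}-byte frame")
    return ModbusRequest(transaction_id, unit_id, frame[7], frame[8:])


@dataclass(frozen=True)
class Rule:
    src_ip: str                 # master allowed to talk
    unit_ids: frozenset         # slave unit identifiers it may address
    function_codes: frozenset   # function codes it may use


# Assumed policy: the HMI may read and write unit 1, the historian may only read.
POLICY = [
    Rule("10.1.1.10", frozenset({1}), frozenset(READ_FUNCTIONS | WRITE_FUNCTIONS)),
    Rule("10.1.1.20", frozenset({1}), frozenset(READ_FUNCTIONS)),
]


def decide(src_ip: str, dst_port: int, frame: bytes) -> tuple:
    """Return ("ALLOW" | "DENY", reason) for one request; the default is deny."""
    if dst_port != MODBUS_PORT:
        return "DENY", f"port {dst_port} is not Modbus/TCP"
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as exc:
        return "DENY", f"malformed frame: {exc}"
    if req.function_code in DIAGNOSTIC_FUNCTIONS:
        # FC 8 sub-function 4 forces a device into listen-only mode; never
        # allow diagnostics through the perimeter regardless of source.
        return "DENY", f"function code {req.function_code} (diagnostic) blocked for every host"
    for rule in POLICY:
        if (src_ip == rule.src_ip and req.unit_id in rule.unit_ids
                and req.function_code in rule.function_codes):
            return "ALLOW", f"{src_ip} may use FC {req.function_code} on unit {req.unit_id}"
    return "DENY", f"no rule permits {src_ip} FC {req.function_code} on unit {req.unit_id}"


# Constructed sample requests (MBAP: transaction id, protocol id 0, length, unit id; then PDU).
READ_HOLDING = struct.pack(">HHHBBHH", 1, 0, 6, 1, 3, 0x0000, 10)        # FC 3, 10 registers from 0
WRITE_REGISTER = struct.pack(">HHHBBHH", 2, 0, 6, 1, 6, 0x0010, 0x1234)  # FC 6, write register 16
FORCE_LISTEN_ONLY = struct.pack(">HHHBBHH", 3, 0, 6, 1, 8, 0x0004, 0)    # FC 8 sub-function 4
BAD_LENGTH = struct.pack(">HHHBB", 4, 0, 0x0100, 1, 3)                   # length claims 256 bytes

if __name__ == "__main__":
    for name, src, port, frame in [
        ("historian read", "10.1.1.20", 502, READ_HOLDING),
        ("historian write", "10.1.1.20", 502, WRITE_REGISTER),
        ("HMI write", "10.1.1.10", 502, WRITE_REGISTER),
        ("HMI diagnostic", "10.1.1.10", 502, FORCE_LISTEN_ONLY),
        ("HMI bad length", "10.1.1.10", 502, BAD_LENGTH),
    ]:
        print(f"{name:16s} -> {decide(src, port, frame)}")
```

Run it directly to see the decision for each constructed request: the historian's write, the diagnostic request, and the malformed frame are denied, while the HMI's read and write pass. The same decode-then-match logic, with the deny turned into an alert instead of a drop, is what an ICS protocol signature in an IDS does.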
As with any software added to an ICS component, the addition of host IDS or IPS software could affect
system performance. IPSs are commonplace in today's information security industry, but they can be very
resource intensive. These systems can automatically reconfigure systems, for example by blocking a source
address or resetting a connection, when an intrusion attempt is identified. This automated and fast reaction
is designed to prevent successful exploits; however, an adversary could deliberately trigger such an
automated response to disrupt the operation of an ICS, for instance by causing the IPS to shut down a
network segment or a server. False positives can hinder ICS operation in the same way, so in a control
network an IPS is often run in detect-only mode, or its blocking actions are limited to traffic that can safely
be dropped.
Malware/Antivirus Software
Because early malware threats were primarily viruses, the software that detects and removes malware has
historically been called "antivirus software," even though it can detect many types of malware. Antivirus
software counters malware by evaluating files on a computer's storage devices (some tools also detect
malware in real time at the network perimeter and/or on the user's workstation) against an inventory of
malware signature files. If a file on a computer matches the profile of known malware, the malware is
removed through a disinfection process so that it cannot infect other local files or spread across the
network to files on other computers. Heuristic and behavior-based techniques are also available to identify
unknown malware "in the wild" when no signature file exists for it yet.
Many end-users and vendors of ICS are recommending the use of COTS antivirus software with their
systems and have even developed installation and configuration guidance based on their own laboratory
testing. Some ICS vendors recommend the use of antivirus software with their products, but offer little to
no guidance. Some end users and vendors are hesitant to use antivirus software due to fears that its use
would cause ICS performance problems or even failure. NIST and Sandia National Laboratories (SNL)
conducted a study and produced a report aimed at helping ICS owners/operators to deploy antivirus
software and to minimize and assess performance impacts of workstation and server-based antivirus
products. This study assembled ICS-based antivirus knowledge and serves as a starting point or a
secondary resource when installing, configuring, running, and maintaining antivirus software on an ICS
[56]. In many cases, performance impacts can be reduced through configuration settings as well as antivirus
scanning and maintenance scheduling outside of the antivirus software practices recommended for typical
IT systems.
In summary, COTS antivirus software can be used successfully on most ICS components. However, special
ICS specific considerations should be taken into account during the selection, installation, configuration,
operational, and maintenance procedures. ICS end-users should consult with the ICS vendors regarding the
use of antivirus software.
Vulnerability Assessment Tools
There are many tools available for performing network vulnerability assessments for typical IT networks;
however, the impacts these tools may have on the operation of an ICS should be carefully considered [77].
The additional traffic and exploits used during active vulnerability and penetration testing, combined with
the limited resources of many ICS, have been known to cause ICS to malfunction. As guidance in this area,
SNL developed a preferred list of vulnerability and penetration testing techniques for ICS [77]. These are
less intrusive methods, passive instead of active, to collect the majority of information that is often queried
by automated vulnerability and penetration testing tools. These methods are intended to allow collection of
the necessary vulnerability information without the risk of causing a failure while testing.
Sophia is a patent-pending, passive, real-time diagnostic and security tool designed and built specifically
for control systems professionals. Sophia builds and maintains an ICS network fingerprint and continuously
monitors activity against it, with whitelisting, graylisting and blacklisting capabilities, alerting its managers to any
abnormal activity for further investigation, monitoring and/or action. Beta testing conducted by the Battelle
Energy Alliance (BEA) at the Idaho National Laboratory (INL) recently concluded with a group of over
30 participants, including major utilities and control system vendors. Those beta participants reported
immediate benefits in the fingerprinting process and longer-term benefits in monitoring, securing, and
making ongoing modifications to ICS configurations during the beta testing period. Beta participants, as
well as non-participants who have been following the development of Sophia by BEA/INL, have long
expressed interest in obtaining commercial-grade Sophia software, services and support. Beta testing has
shown that this suite of tools offers unique capabilities, including visualization of activity and tailored
reporting to meet customer needs.
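The two passages above describe the same passive approach from two angles: SNL's preferred techniques collect inventory information without sending probes, and Sophia learns a network fingerprint and alerts on deviations from it. The following is an added example written for this page, not code from SP 800-82, SNL or the Sophia product. It learns a baseline purely from observed flow records, derives a host/service inventory from that baseline, and classifies later observations as white, gray or black. The addresses, roles and flow records are constructed sample data, and the Telnet blacklist is an assumed policy choice.

```python
"""Passive ICS network fingerprint with white/gray/black-list alerting.

Added example; it is not code from SP 800-82, SNL or the Sophia tool. It
models the passive approach both passages describe: a baseline is learned
from observed flow records only (nothing is sent to any device), an inventory
of hosts and services is derived from that baseline, and later observations
are classified against it. All flow records are constructed sample data.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str      # source host
    dst: str      # destination host
    proto: str    # "tcp" or "udp"
    dport: int    # destination port


# Constructed learning-period capture: an HMI (10.1.1.10) polling two PLCs
# over Modbus/TCP (port 502) and an engineering workstation (10.1.1.11)
# reaching one PLC. Addresses and roles are assumed for the example.
LEARNING_FLOWS = [
    Flow("10.1.1.10", "10.1.2.20", "tcp", 502),
    Flow("10.1.1.10", "10.1.2.21", "tcp", 502),
    Flow("10.1.1.11", "10.1.2.20", "tcp", 502),
    Flow("10.1.1.10", "10.1.2.20", "tcp", 502),
]

# Constructed monitoring-period capture: baseline traffic plus two deviations
# (a previously unseen host polling a PLC, and the HMI opening Telnet to a PLC).
MONITORED_FLOWS = [
    Flow("10.1.1.10", "10.1.2.20", "tcp", 502),
    Flow("10.1.1.99", "10.1.2.21", "tcp", 502),
    Flow("10.1.1.10", "10.1.2.20", "tcp", 23),
]


class Fingerprint:
    """Baseline of which hosts talk to which, over which protocol and port."""

    def __init__(self, blacklist_ports=()):
        self.whitelist = set()                       # flows seen during learning
        self.graylist = set()                        # unknown flows awaiting review
        self.blacklist_ports = set(blacklist_ports)  # never acceptable on this network
        self.counts = Counter()                      # how often each flow was seen

    def learn(self, flows):
        """Extend the whitelist from passively observed flows."""
        for f in flows:
            self.whitelist.add(f)
            self.counts[f] += 1

    def inventory(self):
        """Hosts and listening services inferred without probing anything."""
        return sorted({(f.dst, f.proto, f.dport) for f in self.whitelist})

    def approve(self, flow):
        """Operator review outcome: promote a gray-listed flow to the whitelist."""
        self.graylist.discard(flow)
        self.whitelist.add(flow)

    def classify(self, flow):
        """Return 'white', 'gray' or 'black' for one observed flow."""
        if flow.dport in self.blacklist_ports:
            return "black"
        if flow in self.whitelist:
            return "white"
        self.graylist.add(flow)
        return "gray"


def monitor(fp, flows):
    """Return (verdict, flow) alerts for every flow that is not whitelisted."""
    alerts = []
    for f in flows:
        verdict = fp.classify(f)
        if verdict != "white":
            alerts.append((verdict, f))
    return alerts


def build_baseline():
    """Learn the baseline from the constructed capture; Telnet (23) is blacklisted."""
    fp = Fingerprint(blacklist_ports={23})
    fp.learn(LEARNING_FLOWS)
    return fp


def run_demo():
    """Alerts raised when the monitoring capture is checked against the baseline."""
    return monitor(build_baseline(), MONITORED_FLOWS)


if __name__ == "__main__":
    for verdict, flow in run_demo():
        print(f"{verdict:5} {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}")
```

The gray list is the review queue: an unknown flow is reported once and parked until an operator either approves it (after which it is whitelisted) or acts on it. In a real deployment the learning period must cover the plant's slow cycles (shift changes, batch changeovers, scheduled maintenance) or legitimate but rare traffic will keep surfacing as gray alerts.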
Shodan is a search engine that lets you find specific types of computers (routers, servers, etc.) on the
Internet using a variety of filters. Some have also described it as a search engine of service banners, which
are meta-data the server sends back to the client. This can be information about the server software, what
options the service supports, a welcome message or anything else that the client can find out before
interacting with the server. Shodan users are able to find systems including traffic lights, security cameras,
home heating systems as well as control systems. ICS owners can use Shodan to determine whether any of the devices
on their ICS are reachable from the Internet.
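The last sentence is the defensive use of a banner search engine: check whether anything in your own address space is answering on a control-system port. The following is an added example for this page, not code from SP 800-82 or from Shodan. It assumes the defender has an export of banner records (the service meta-data the paragraph describes) and a list of the public address ranges the organization owns; records outside the owned ranges are ignored, and a record is flagged when its port or banner text points at a control-system protocol. The ranges and banner records are constructed sample data, and the port and keyword tables are the example's own labels.

```python
"""Exposure check: which of an organization's own addresses appear in an
Internet banner listing with a control-system service reachable.

Added example; it is not code from SP 800-82 or from Shodan. It assumes the
defender has an export of banner records and a list of the public address
ranges the organization owns. Only records inside the owned ranges are
examined. The ranges and banner records below are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Registered ports of common control-system protocols, used as a label only:
# a port number alone does not prove what is actually listening there.
ICS_PORTS = {
    102: "ISO-TSAP (S7comm)",
    502: "Modbus/TCP",
    4840: "OPC UA",
    20000: "DNP3",
    44818: "EtherNet/IP",
}

# Words in a banner that suggest a control-system device or HMI (assumed list).
KEYWORDS = ("modbus", "scada", "plc", "dnp3", "hmi", "bacnet", "opc ua")


@dataclass(frozen=True)
class Banner:
    ip: str
    port: int
    text: str   # banner / meta-data the server returned


# Constructed sample export. 203.0.113.0/24 plays the organization's own range
# and 198.51.100.0/24 a neighbour's; both are documentation ranges.
OWNED_RANGES = ["203.0.113.0/24"]
SAMPLE_BANNERS = [
    Banner("203.0.113.10", 502, "Modbus/TCP device, unit id 1"),
    Banner("203.0.113.11", 443, "HTTP/1.1 200 OK Server: nginx"),
    Banner("203.0.113.12", 8080, "HTTP/1.0 200 OK Server: SCADA-Web portal"),
    Banner("198.51.100.5", 502, "Modbus/TCP device, unit id 3"),   # not ours
]


def in_owned_ranges(ip, ranges):
    """True if ip falls inside any of the organization's own ranges."""
    addr = ip_address(ip)
    return any(addr in ip_network(r) for r in ranges)


def classify(banner):
    """Reason the record looks like an exposed ICS service, or None."""
    if banner.port in ICS_PORTS:
        return f"port {banner.port} ({ICS_PORTS[banner.port]})"
    lowered = banner.text.lower()
    for kw in KEYWORDS:
        if kw in lowered:
            return f"banner mentions '{kw}'"
    return None


def find_exposed(banners, ranges):
    """Return (ip, port, reason) for owned addresses exposing an ICS service."""
    findings = []
    for b in banners:
        if not in_owned_ranges(b.ip, ranges):
            continue   # someone else's address space is out of scope
        reason = classify(b)
        if reason is not None:
            findings.append((b.ip, b.port, reason))
    return findings


if __name__ == "__main__":
    for ip, port, reason in find_exposed(SAMPLE_BANNERS, OWNED_RANGES):
        print(f"{ip}:{port} exposed: {reason}")
```

Every hit is a configuration question for the asset owner (why is this device reachable at all, and through which gateway), so the output belongs in the change-control process rather than in a scanner's report. The keyword match on the banner text is what catches the web-fronted HMI on port 8080, which a port-only check would miss.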
The Cyber Security Evaluation Tool (CSET) is a Department of Homeland Security (DHS) product that
assists organizations in protecting their key national cyber assets. It was developed under the direction of
the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) by cybersecurity
experts and with assistance from NIST. This tool provides users with a systematic and repeatable approach
for assessing the security posture of their cyber systems and networks. It includes both high-level and
detailed questions related to all industrial control and IT systems. CSET is a desktop software tool that
guides users through a step-by-step process to assess their control system and information technology
network security practices against recognized industry standards. The output from CSET is a prioritized list
of recommendations for improving the cybersecurity posture of the organization's enterprise and industrial
control cyber systems. The tool derives the recommendations from a database of cybersecurity standards,
guidelines, and practices. Each recommendation is linked to a set of actions that can be applied to enhance
cybersecurity controls. CSET has been designed for easy installation and use on a stand-alone laptop or
workstation. It incorporates a variety of available standards from organizations such as NIST, NERC, TSA,
DoD, and others. When the tool user selects one or more of the standards, CSET will open a set of
questions to be answered. The answers to these questions will be compared against a selected security
assurance level, and a detailed report will be generated to show areas for potential improvement. CSET
provides an excellent means to perform a self-assessment of the security posture of your control system
environment.
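The CSET workflow described above (select standards, answer questions, compare against a chosen security assurance level, receive a prioritized list of recommendations) is easy to reason about once written down as code. The following is an added example for this page; it is not CSET's code, its question database or its scoring method. The questions, assurance levels, weights and the priority rule are constructed for illustration, and the control labels such as "SC-7" name SP 800-53 controls purely as cross-references.

```python
"""Questionnaire-driven self-assessment with a prioritized recommendation list.

Added example; it is not CSET's code, question set or scoring method. It
models the workflow described in the text: questions tied to a standard are
answered, the answers are compared against a selected security assurance
level, and a report lists the gaps in priority order. Questions, levels,
weights and the priority rule are constructed for illustration; the control
labels (e.g. "SC-7") name SP 800-53 controls and serve only as cross-references.
"""
from dataclasses import dataclass

# Selected security assurance levels, lowest to highest (assumed scale).
LEVELS = {"low": 1, "moderate": 2, "high": 3}


@dataclass(frozen=True)
class Question:
    qid: str
    text: str
    control: str      # related control label
    required_at: str  # lowest level at which a "yes" answer is expected
    weight: int       # relative importance when the answer is not "yes"
    action: str       # recommendation produced for a gap


QUESTIONS = [
    Question("Q1", "Is the control network separated from the corporate network by a firewall or DMZ?",
             "SC-7", "low", 5, "Place a firewall or DMZ between the corporate and control networks."),
    Question("Q2", "Is there a current inventory of ICS hardware and software components?",
             "CM-8", "low", 4, "Build and maintain an inventory of all ICS components."),
    Question("Q3", "Is anti-virus software deployed on ICS workstations and servers?",
             "SI-3", "moderate", 3, "Deploy anti-virus software on ICS hosts after consulting the ICS vendor."),
    Question("Q4", "Have shared and default accounts been removed from ICS devices?",
             "AC-2", "moderate", 4, "Remove default accounts and assign individual accounts."),
    Question("Q5", "Are ICS audit logs reviewed on a defined schedule?",
             "AU-6", "high", 2, "Define and follow a log review schedule for ICS hosts."),
]

# Constructed sample answers; Q5 was left unanswered, which counts as a gap.
SAMPLE_ANSWERS = {"Q1": "yes", "Q2": "no", "Q3": "no", "Q4": "yes"}


def applicable(questions, level):
    """Questions that apply at the selected assurance level."""
    target = LEVELS[level]
    return [q for q in questions if LEVELS[q.required_at] <= target]


def assess(questions, answers, level):
    """Return gap findings ordered by priority (highest first, then by id).

    Priority rule (illustrative): the question's weight multiplied by how many
    levels the selected level sits at or above the level where the control is
    first expected, so long-overdue basics rise to the top.
    """
    target = LEVELS[level]
    findings = []
    for q in applicable(questions, level):
        answer = answers.get(q.qid, "unanswered")
        if answer == "yes":
            continue
        priority = q.weight * (target - LEVELS[q.required_at] + 1)
        findings.append({
            "qid": q.qid,
            "control": q.control,
            "answer": answer,
            "priority": priority,
            "action": q.action,
        })
    findings.sort(key=lambda f: (-f["priority"], f["qid"]))
    return findings


def coverage(questions, answers, level):
    """Fraction of applicable questions answered 'yes'."""
    qs = applicable(questions, level)
    met = sum(1 for q in qs if answers.get(q.qid) == "yes")
    return met / len(qs) if qs else 1.0


def report(questions, answers, level):
    """Render the prioritized recommendation list as text lines."""
    lines = [f"Assurance level: {level}  coverage: {coverage(questions, answers, level):.0%}"]
    for f in assess(questions, answers, level):
        lines.append(f"[{f['priority']:>2}] {f['control']} ({f['qid']}, {f['answer']}): {f['action']}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(QUESTIONS, SAMPLE_ANSWERS, "moderate")))
```

Raising the selected level from moderate to high makes Q5 applicable and also increases the priority of the gaps that were already present, which is the behaviour one wants from an assurance-level comparison: the same unanswered basics become more urgent, not less, as the target rises. Unanswered questions are treated as gaps rather than skipped, so an incomplete questionnaire cannot silently inflate the coverage figure.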
SP800-82 Revision 2 Guide to Industrial Control Systems (ICS) Security
320
Vulnerability Assessment Tools
There are many vulnerability assessment tools for typical IT networks, but the impact they have on ICS operation should be carefully considered [77]. In active vulnerability and penetration testing of ICS whose resources are limited, as many are, the additional traffic and the exploitation of vulnerabilities have been found to cause ICS failures. As guidance in this area, SNL produced a list of preferred vulnerability and penetration testing techniques for ICS [77]. These are less intrusive methods, passive rather than active, that can collect most of the information that automated vulnerability and penetration testing tools typically query. Such methods make it possible to collect the necessary vulnerability information without causing failures during testing.
Sophia is a patent-pending passive, real-time diagnostic and security tool designed and built for control system professionals. It generates and maintains an ICS network fingerprint and continuously monitors activity against it. It can create whitelists, graylists and blacklists, and alerts administrators to abnormal activity that requires further investigation, monitoring or action. Beta testing by the Battelle Energy Alliance (BEA) at the Idaho National Laboratory (INL), with a group of more than 30 participants including major utilities and control system vendors, has recently concluded. Participants reported that the fingerprinting process delivered immediate benefits and that monitoring, securing and changing ICS configurations during the beta period delivered longer-term benefits. Not only participants but also non-participants who followed the progress of Sophia at BEA/INL have expressed interest in commercial-grade Sophia software, services and support. The beta testing demonstrated that the tool has unique capabilities such as visualization of activity and reporting tailored to customer needs.
Shodan is a search engine that can locate particular kinds of computers (routers, servers and so on) on the Internet using a variety of filters. Some describe it as a search engine for service banners, the meta-data a server sends back to a client. This is information about the server software, the options the service supports, a welcome message, and anything else a client can find out before interacting with the server. Shodan users can search for systems such as traffic lights, security cameras, home heating systems and control systems. Using it, devices on one's own ICS that are reachable over the Internet can be identified.
The Cyber Security Evaluation Tool (CSET) is a product of the Department of Homeland Security (DHS) that helps organizations protect the nation's critical cyber assets. It was developed by cybersecurity experts under the direction of the DHS Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) with support from NIST. It enables a systematic and repeatable approach to assessing the security posture of cyber systems and networks. It addresses both high-level and detailed questions related to all industrial control and IT systems. CSET is a desktop software tool that evaluates control system and information technology network security practices step by step against widely recognized industry standards. With CSET, a prioritized list of recommendations for improving the cybersecurity posture of the organization's enterprise and industrial control cyber systems can be produced. The tool derives the recommendations from a database of cybersecurity standards, guidelines and practices. Each recommendation is linked to a set of actions that can be applied to enhance cybersecurity controls. CSET is designed to be easily installed and used on a stand-alone laptop or workstation. It brings together a variety of standards available from NIST, NERC, TSA, DoD and other organizations. When the tool's user selects one or more of these standards, a series of questions is presented. The answers to the questions are compared against the selected security assurance level, and a detailed report showing areas that can be improved is generated. CSET is an excellent means of self-assessing the security posture of a control system environment.
SamuraiSTFU is the Samurai Project's Security Testing Framework for Utilities. It takes best-in-breed
security tools for traditional network and web penetration testing, adds specialized tools for embedded
and RF testing, and mixes in energy sector context, documentation and sample files. It also includes
emulators for SCADA, Smart Meters, and other types of energy sector systems to provide leverage for a
full test lab.
ICS owners must make the individuals using vulnerability assessment tools aware of the criticality of
continuous operation and the risks involved with performing these tests on operational systems. It may be
possible to mitigate these risks by performing tests on ICS components such as redundant servers or
independent test systems in a laboratory setting. Laboratory tests can be used to screen out test procedures
that might harm the operational system. Even with very good configuration management to assure that the
test system is highly representative, tests on the actual system are likely to uncover flaws not represented in
the laboratory.
SamuraiSTFU is the Samurai Project's security testing framework for utilities; it uses the best of the security tools for traditional network and web penetration testing, adds special-purpose tools for embedded and RF testing, and integrates documentation and files from the energy sector. It also incorporates emulators for SCADA, smart meters and other energy-sector systems, giving a full test lab a head start.
ICS owners must make the individuals who use vulnerability assessment tools aware of the importance of continuous operation and of the risks of performing such tests on operational systems. These risks can be mitigated by testing on ICS components such as redundant servers or independent test systems in a laboratory environment. Laboratory testing makes it possible to screen out test procedures that would harm the operational system. Even when very good configuration management makes the test system representative, tests on the actual system may detect flaws that do not show up in the laboratory.
Appendix F—References
[1] Fraser, Roy E., Process Measurement and Control: Introduction to Sensors, Communication, Adjustment, and Control, Upper Saddle River, New Jersey: Prentice-Hall, Inc., 2001.
[2] Falco, Joe, et al., IT Security for Industrial Control Systems, NIST Internal Report (NISTIR) 6859, February 2002, http://www.nist.gov/customcf/get_pdf.cfm?pub_id=821684 [accessed 4/16/15].
[3] Bailey, David, and Edwin Wright, Practical SCADA for Industry, Vancouver: IDC Technologies, 2003.
[4] Boyer, Stuart, SCADA: Supervisory Control and Data Acquisition, 4th ed., Research Triangle Park, North Carolina: International Society of Automation, 2010.
[5] American Gas Association, AGA Report No. 12, Cryptographic Protection of SCADA Communications, Part 1: Background, Policies and Test Plan, September, March 14, 2006.
[6] Erickson, Kelvin, and John Hedrick, Plantwide Process Control, New York: John Wiley & Sons, Inc., 1999.
[7] Berge, Jonas, Fieldbuses for Process Control: Engineering, Operation, and Maintenance, Research Triangle Park, North Carolina: ISA, 2002.
[8] Peerenboom, James, “Infrastructure Interdependencies: Overview of Concepts and Terminology,” invited paper, NSF/OSTP Workshop on Critical Infrastructure: Needs in Interdisciplinary Research and Graduate Training, Washington, D.C., June 14-15, 2001.
[9] Rinaldi, Steven, et al., “Identifying, Understanding, and Analyzing Critical Infrastructure Interdependencies,” IEEE Control Systems Magazine, (December 2001), pp. 11-25, http://dx.doi.org/10.1109/37.969131.
[10] GAO-04-354, Critical Infrastructure Protection: Challenges and Efforts to Secure Control Systems, U.S. GAO, 2004, http://www.gao.gov/new.items/d04354.pdf.
[11] Weiss, Joseph, “Current Status of Cybersecurity of Control Systems,” Presentation to Georgia Tech Protective Relay Conference, May 8, 2003.
[12] Keeney, Michelle, et al., Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors, United States Secret Service and Carnegie Mellon Software Institute, 2005, http://www.cert.org/archive/pdf/insidercross051105.pdf.
[13] Federal Information Security Management Act of 2002, Pub. L. 107-347 (Title III), 116 Stat 2946, http://www.gpo.gov/fdsys/pkg/PLAW-107publ347/pdf/PLAW-107publ347.pdf [accessed 4/16/15].
[14] Federal Information Security Management Act Implementation Project [Web site], http://csrc.nist.gov/groups/SMA/fisma/index.html [accessed 4/16/15].
[15] U.S. Department of Commerce, Federal Information Processing Standards (FIPS) Publication 199, Standards for Security Categorization of Federal Information and Information Systems, February 2004, http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf [accessed 4/16/15].
[16] U.S. Department of Commerce, Federal Information Processing Standards (FIPS) Publication 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006, http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf [accessed 4/16/15].
[17] Knapp, Eric, Industrial Network Security: Securing Critical Infrastructure Networks for Smart Grid, SCADA, and Other Industrial Control Systems, Waltham, Massachusetts: Syngress, 2011.
[18] U.S. Government Accountability Office (GAO), GAO-15-6, Federal Facility Cybersecurity: DHS and GSA Should Address Cyber Risk to Building and Access Control Systems, December 12, 2014, http://www.gao.gov/products/GAO-15-6 [accessed 4/16/15].
[19] Swanson, Marianne, et al., NIST SP 800-18 Revision 1, Guide for Developing Security Plans for Federal Information Systems, February 2006, http://csrc.nist.gov/publications/PubsSPs.html#800-18 [accessed 4/16/15].
[20] Joint Task Force Transformation Initiative, NIST SP 800-39, Managing Information Security Risk: Organization, Mission, and Information System View, March 2011, http://csrc.nist.gov/publications/PubsSPs.html#800-39 [accessed 4/16/15].
[21] Joint Task Force Transformation Initiative, NIST SP 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, February 2010 (updated June 5, 2014), http://dx.doi.org/10.6028/NIST.SP.800-37r1.
[22] Joint Task Force Transformation Initiative, NIST SP 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, April 2013 (updated January 22, 2015), http://dx.doi.org/10.6028/NIST.SP.800-53r4.
[23] Joint Task Force Transformation Initiative, NIST SP 800-53A Revision 4, Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans, December 2014 (updated December 18, 2014), http://dx.doi.org/10.6028/NIST.SP.800-53Ar4.
[24] Barker, William, NIST SP 800-59, Guideline for Identifying an Information System as a National Security System, August 2003, http://csrc.nist.gov/publications/PubsSPs.html#800-59 [accessed 4/16/15].
[25] Stine, Kevin, et al., NIST SP 800-60 Revision 1 (2 vols.), Guide for Mapping Types of Information and Information Systems to Security Categories, August 2008, http://csrc.nist.gov/publications/PubsSPs.html#800-60 [accessed 4/16/15].
[26] Quinn, Stephen, et al., NIST SP 800-70 Revision 2, National Checklist Program for IT Products: Guidelines for Checklist Users and Developers, February 2011, http://csrc.nist.gov/publications/PubsSPs.html#800-70 [accessed 4/16/15].
[27] Bowen, Pauline, et al., NIST SP 800-100, Information Security Handbook: A Guide for Managers, October 2006 (updated March 7, 2007), http://csrc.nist.gov/publications/PubsSPs.html#800-100 [accessed 4/16/15].
[28] NIST Security Configurations Checklists Program for IT Products [Web site], http://web.nvd.nist.gov/view/ncp/repository [accessed 4/16/15].
[29] Stamp, Jason, et al., Common Vulnerabilities in Critical Infrastructure Control Systems, Sandia National Laboratories, 2003, http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.132.3264&rep=rep1&type=pdf.
[30] SCADA Security - Advice for CEOs, IT Security Expert Advisory Group (ITSEAG).
[31] Franz, Matthew, Vulnerability Testing of Industrial Network Devices, Critical Infrastructure Assurance Group, Cisco Systems, 2003, http://blogfranz.googlecode.com/files/franz-isa-device-testing-oct03.pdf.
[32] Duggan, David, et al., Penetration Testing of Industrial Control Systems, Sandia National Laboratories, Report No. SAND2005-2846P, 2005.
[33] President’s Critical Infrastructure Protection Board, and U.S. Department of Energy, Office of Energy Assurance, 21 Steps to Improve Cybersecurity of SCADA Networks, [2002], http://energy.gov/sites/prod/files/oeprod/DocumentsandMedia/21_Steps_-_SCADA.pdf [accessed 4/16/15].
[34] ISA-62443 [multiple parts], Security for Industrial Automation and Control Systems, Research Triangle Park, North Carolina: International Society of Automation, http://isa99.isa.org/ISA99%20Wiki/WP_List.aspx [accessed 4/16/15].
[35] Centre for the Protection of National Infrastructure (CPNI), Firewall Deployment for SCADA and Process Control Networks: Good Practice Guide, February 15, 2005, http://energy.gov/sites/prod/files/Good%20Practices%20Guide%20for%20Firewall%20Deployment.pdf [accessed 4/16/15].
[36] U.S. Department of Homeland Security, Recommended Practice: Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies, October 2009, https://ics-cert.us-cert.gov/sites/default/files/recommended_practices/Defense_in_Depth_Oct09.pdf [accessed 4/16/15].
[37] Industrial Automation Open Networking Association (IAONA), The IAONA Handbook for Network Security, Version 1.3, 2005, http://www.iaona.org/pictures/files/1122888138-IAONA_HNS_1_3-reduced_050725.pdf [accessed 4/16/15].
[38] U.S. Department of Homeland Security, Common Cybersecurity Vulnerabilities in Industrial Control Systems, May 2011, https://ics-cert.us-cert.gov/sites/default/files/recommended_practices/DHS_Common_Cybersecurity_Vulnerabilities_ICS_2010.pdf [accessed 4/16/15].
[39] NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook, 1995, http://csrc.nist.gov/publications/PubsSPs.html.
[40] Souppaya, Murugiah, and Karen Scarfone, NIST SP 800-40 Revision 3, Guide to Enterprise Patch Management Technologies, July 2013, http://dx.doi.org/10.6028/NIST.SP.800-40r3.
[41] Scarfone, Karen, et al., NIST SP 800-115, Technical Guide to Information Security Testing and Assessment, September 2008, http://csrc.nist.gov/publications/PubsSPs.html#800-115 [accessed 4/16/15].
[42] Roback, Edward, NIST SP 800-23, Guidelines to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated Products, August 2000, http://csrc.nist.gov/publications/PubsSPs.html#800-23 [accessed 4/16/15].
[43] Stoneburner, Gary, et al., NIST SP 800-27 Revision A, Engineering Principles for Information Technology Security (A Baseline for Achieving Security), June 2004, http://csrc.nist.gov/publications/PubsSPs.html#800-27A [accessed 4/16/15].
[44] Grance, Tim, et al., NIST SP 800-35, Guide to Information Technology Security Services, October 2003, http://csrc.nist.gov/publications/PubsSPs.html#800-35 [accessed 4/16/15].
[45] Grance, Tim, et al., NIST SP 800-36, Guide to Selecting Information Technology Security Products, October 2003, http://csrc.nist.gov/publications/PubsSPs.html#800-36 [accessed 4/16/15].
[46] Grance, Tim, et al., NIST SP 800-64 Revision 2, Security Considerations in the System Development Life Cycle, October 2008, http://csrc.nist.gov/publications/PubsSPs.html#800-64 [accessed 4/16/15].
[47] Hash, Joan, et al., NIST SP 800-65, Integrating IT Security into the Capital Planning and Investment Control Process, January 2005, http://csrc.nist.gov/publications/PubsSPs.html#800-65 [accessed 4/16/15].
[48] U.S. Department of Homeland Security, Department of Homeland Security: Cyber Security Procurement Language for Control Systems, September 2009, https://ics-cert.us-cert.gov/sites/default/files/documents/Procurement_Language_Rev4_100809.pdf [accessed 4/16/15].
[49] Dray, James, et al., NIST SP 800-73-3, Interfaces for Personal Identity Verification (4 parts), February 2010, http://csrc.nist.gov/publications/PubsSPs.html#800-73 [accessed 4/16/15].
[50] Grother, Patrick, et al., NIST SP 800-76-2, Biometric Data Specification for Personal Identity Verification, July 2013, http://dx.doi.org/10.6028/NIST.SP.800-76-2.
[51] Kuhn, D. Richard, et al., NIST SP 800-46 Revision 1, Guide to Enterprise Telework and Remote Access Security, June 2009, http://csrc.nist.gov/publications/PubsSPs.html#800-46 [accessed 4/16/15].
[52] Swanson, Marianne, et al., NIST SP 800-34 Revision 1, Contingency Planning Guide for Federal Information Systems, May 2010, http://csrc.nist.gov/publications/PubsSPs.html#800-34 [accessed 4/16/15].
[53] Burr, William, et al., NIST SP 800-63-2, Electronic Authentication Guideline, August 2013, http://dx.doi.org/10.6028/NIST.SP.800-63-2.
[54] Bace, Rebecca, and Peter Mell, NIST SP 800-31, Intrusion Detection Systems, 2001, http://csrc.nist.gov/publications/PubsSPs.html.
[55] Scarfone, Karen, and Peter Mell, NIST SP 800-94, Guide to Intrusion Detection and Prevention Systems (IDPS), February 2007, http://csrc.nist.gov/publications/PubsSPs.html#800-94 [accessed 4/16/15].
[56] Falco, Joe, et al., NIST SP 1058, Using Host-based Anti-virus Software on Industrial Control Systems: Integration Guidance and a Test Methodology for Assessing Performance Impacts, September 18, 2006, http://www.nist.gov/manuscript-publication-search.cfm?pub_id=823596 [accessed 4/16/15].
[57] Peterson, Dale, “Intrusion Detection and Cyber Security Monitoring of SCADA and DCS Networks,” ISA Automation West (AUTOWEST 2004), Long Beach, California, April 2004, http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.121.3420&rep=rep1&type=pdf [accessed 4/16/15].
[58] Symantec Corporation, “Symantec Expands SCADA Protection for Electric Utilities,” [press release], September 14, 2005, http://www.symantec.com/about/news/release/article.jsp?prid=20050914_01 [accessed 4/16/15].
[59] Grance, Tim, et al., NIST SP 800-61 Revision 2, Computer Security Incident Handling Guide, August 2012, http://dx.doi.org/10.6028/NIST.SP.800-61r2.
[60] Mell, Peter, et al., NIST SP 800-83 Revision 1, Guide to Malware Incident Prevention and Handling for Desktops and Laptops, July 2013, http://dx.doi.org/10.6028/NIST.SP.800-83r1.
[61] Wilson, Mark, and Joan Hash, NIST SP 800-50, Building an Information Technology Security Awareness and Training Program, October 2003, http://csrc.nist.gov/publications/PubsSPs.html#800-50 [accessed 4/16/15].
[62] Mix, S., Supervisory Control and Data Acquisition (SCADA) Systems Security Guide, Electric Power Research Institute (EPRI), 2003.
[63] Scarfone, Karen, et al., NIST SP 800-48 Revision 1, Guide to Securing Legacy IEEE 802.11 Wireless Networks, July 2008, http://csrc.nist.gov/publications/PubsSPs.html#800-48 [accessed 4/16/15].
[64] Frankel, Sheila, et al., NIST SP 800-97, Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i, February 2007, http://csrc.nist.gov/publications/PubsSPs.html#800-97 [accessed 4/16/15].
[65] U.S. Department of Commerce, Federal Information Processing Standards (FIPS) Publication 201-2, Personal Identity Verification (PIV) of Federal Employees and Contractors, August 2013, http://dx.doi.org/10.6028/NIST.FIPS.201-2.
[66] Dray, James, et al., NIST SP 800-96, PIV Card to Reader Interoperability Guidelines, September 2006, http://csrc.nist.gov/publications/PubsSPs.html#800-96 [accessed 4/16/15].
[67] Polk, W. Timothy, et al., NIST SP 800-78-3, Cryptographic Algorithms and Key Sizes for Personal Identity Verification, December 2010, http://csrc.nist.gov/publications/PubsSPs.html#800-78 [accessed 4/16/15].
[68] Kent, Karen, and Murugiah Souppaya, NIST SP 800-92, Guide to Computer Security Log Management, September 2006, http://csrc.nist.gov/publications/PubsSPs.html#800-92 [accessed 4/16/15].
[69] Jansen, Wayne, et al., NIST SP 800-28 Version 2, Guidelines on Active Content and Mobile Code, March 2008, http://csrc.nist.gov/publications/PubsSPs.html#800-28 [accessed 4/16/15].
[70] Polk, Tim, et al., NIST SP 800-52 Revision 1, Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations, April 2014, http://dx.doi.org/10.6028/NIST.SP.800-52r1.
[71] Barker, Elaine, et al., NIST SP 800-56A Revision 2, Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography, May 2013, http://dx.doi.org/10.6028/NIST.SP.800-56Ar2.
[72] Barker, Elaine, et al., NIST SP 800-57 (3 parts), Recommendation for Key Management: Part 1 Revision 3, General, July 2012, http://csrc.nist.gov/publications/PubsSPs.html#800-57pt1; Part 2, Best Practices for Key Management Organization, August 2005, http://csrc.nist.gov/publications/PubsSPs.html#800-57pt2; Part 3 Revision 1, Application-Specific Key Management Guidance, January 2015, http://dx.doi.org/10.6028/NIST.SP.800-57pt3r1.
[73] Kuhn, D. Richard, et al., NIST SP 800-58, Security Considerations for Voice Over IP Systems, January 2005, http://csrc.nist.gov/publications/PubsSPs.html#800-58 [accessed 4/16/15].
[74] Frankel, Sheila, et al., NIST SP 800-77, Guide to IPsec VPNs, December 2005, http://csrc.nist.gov/publications/PubsSPs.html#800-77 [accessed 4/16/15].
[75] Shirey, R., Internet Security Glossary, Version 2, RFC 4949, August 2007, http://www.rfc-editor.org/rfc/rfc4949.txt [accessed 4/16/15].
[76] Franz, Matthew, and Venkat Pothamsetty, ModbusFW: Deep Packet Inspection for Industrial Ethernet, Critical Infrastructure Assurance Group, Cisco Systems, 2004, http://blogfranz.googlecode.com/files/franz-niscc-modbusfw-may04.pdf [accessed 4/16/15].
[77] Duggan, David, Penetration Testing of Industrial Control Systems, SAND2005-2846P, Sandia National Laboratories, March 2005, http://energy.sandia.gov/wp/wp-content/gallery/uploads/sand_2005_2846p.pdf [accessed 4/16/15].
[78] Kissel, Richard, et al., NIST SP 800-88 Revision 1, Guidelines for Media Sanitization, December 2014, http://dx.doi.org/10.6028/NIST.SP.800-88r1.
[79] Joint Task Force Transformation Initiative, NIST SP 800-30 Revision 1, Guide for Conducting Risk Assessments, September 2012, http://csrc.nist.gov/publications/PubsSPs.html#800-30 [accessed 4/16/15].
[80] Johnson, Arnold, et al., NIST SP 800-128, Guide for Security-Focused Configuration Management of Information Systems, August 2011, http://csrc.nist.gov/publications/PubsSPs.html#800-128 [accessed 4/16/15].
[81] Dempsey, Kelley, et al., NIST SP 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations, September 2011, http://csrc.nist.gov/publications/PubsSPs.html#800-137 [accessed 4/16/15].
[82] Waltermire, David, et al., NIST SP 800-126 Revision 2, The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.2, September 2011 (updated March 19, 2012), http://csrc.nist.gov/publications/PubsSPs.html#800-126-rev2 [accessed 4/16/15].
[83] Executive Order no. 13636, Improving Critical Infrastructure Cybersecurity, DCPD-201300091, February 12, 2013, http://www.gpo.gov/fdsys/pkg/FR-2013-02-19/pdf/2013-03915.pdf [accessed 4/16/15].
[84] National Institute of Standards and Technology, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, February 12, 2014, http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf [accessed 4/16/15].
[85] Scarfone, Karen, and Paul Hoffman, NIST SP 800-41 Revision 1, Guidelines on Firewalls and Firewall Policy, September 2009, http://csrc.nist.gov/publications/PubsSPs.html#800-41 [accessed 4/16/15].
[86] Office of Management and Budget, OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, May 22, 2007, https://www.whitehouse.gov/sites/default/files/omb/memoranda/fy2007/m07-16.pdf [accessed 4/16/15].
[87] Office of Management and Budget, OMB Memorandum M-10-22, Guidance for Online Use of Web Measurement and Customization Technologies, June 25, 2010, https://www.whitehouse.gov/sites/default/files/omb/assets/memoranda_2010/m10-22.pdf [accessed 4/16/15].
[88] McCallister, Erika, et al., NIST SP 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), April 2010, http://csrc.nist.gov/publications/PubsSPs.html#800-122 [accessed 4/16/15].
[89] Federal Enterprise Architecture Security and Privacy Profile, Version 3.0, September 2010, https://cio.gov/wp-content/uploads/downloads/2012/09/FEA-Security-Privacy-Profile-v3-09-30-2010.pdf [accessed 4/16/15].
[90] U.S. Department of Commerce, Federal Information Processing Standards (FIPS) Publication 140-2, Security Requirements for Cryptographic Modules, May 25, 2001 (Change Notice 2, 12/3/2002), http://csrc.nist.gov/publications/PubsFIPS.html#140-2 [accessed 4/16/15].
[91] Tracy, Miles, et al., NIST SP 800-45 Version 2, Guidelines on Electronic Mail Security, February 2007, http://csrc.nist.gov/publications/PubsSPs.html#800-45 [accessed 4/16/15].
[92] Grance, Tim, et al., NIST SP 800-47, Security Guide for Interconnecting Information Technology Systems, August 2002, http://csrc.nist.gov/publications/PubsSPs.html#800-47 [accessed 4/16/15].
[93] Kent, Karen, et al., NIST SP 800-86, Guide to Integrating Forensic Techniques into Incident Response, August 2006, http://csrc.nist.gov/publications/PubsSPs.html#800-86 [accessed 4/16/15].
[94] Scarfone, Karen, et al., NIST SP 800-111, Guide to Storage Encryption Technologies for End User Devices, November 2007, http://csrc.nist.gov/publications/PubsSPs.html#800-111 [accessed 4/16/15].
[95] Scarfone, Karen, et al., NIST SP 800-123, Guide to General Server Security, July 2008, http://csrc.nist.gov/publications/PubsSPs.html#800-123 [accessed 4/16/15].
[96] Scarfone, Karen, et al., NIST SP 800-127, Guide to Securing WiMAX Wireless Communications, September 2010, http://csrc.nist.gov/publications/PubsSPs.html#800-127 [accessed 4/16/15].
[97] Johnson, Arnold, et al., NIST SP 800-128, Guide for Security-Focused Configuration Management of Information Systems, August 2011, http://csrc.nist.gov/publications/PubsSPs.html#800-128 [accessed 4/16/15].
[98] Smart Grid Interoperability Panel, Smart Grid Cybersecurity Committee, NISTIR 7628 Revision 1, Guidelines for Smart Grid Cybersecurity, September 2014, http://dx.doi.org/10.6028/NIST.IR.7628r1 [accessed 4/16/15].
[99] Kissel, Richard (ed.), NISTIR 7298 Revision 2, Glossary of Key Information Security Terms, May 2013, http://dx.doi.org/10.6028/NIST.IR.7298r2 [accessed 4/16/15].
Appendix G—ICS Overlay
NOTE TO READERS
The ICS overlay is a partial tailoring of the controls and control baselines in SP 800-53, Revision 4,
and adds supplementary guidance specific to ICS. The concept of overlays is introduced in Appendix I
of SP 800-53, Revision 4. The ICS overlay is intended to be applicable to all ICS systems in all
industrial sectors. Further tailoring can be performed to add specificity to a particular sector (e.g.,
pipeline, energy). Ultimately, an overlay may be produced for a specific system (e.g., the XYZ
company). This ICS overlay constitutes supplemental guidance and tailoring for SP 800-53, Revision
4. Please be sure you are looking at the correct version of SP 800-53. Duplicating Appendix F of SP
800-53 would increase the size of this Appendix by over 65 pages. Therefore, the drafting committee
has decided to not duplicate Appendix F. The reader should have SP 800-53, Revision 4 available. The
authoring team also considered that this ICS overlay may serve as a model for other overlays.
Feedback on this Appendix’s structure would be appreciated, especially in the following areas: the
level of abstraction and whether the examples provided in the supplemental guidance are
sufficient/beneficial for implementation.
Since the ICS overlay exists in the context of SP 800-53, Revision 4, it is important to review that
context. SP 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and
Organizations, represents the most comprehensive update to the security controls catalog since its
inception in 2005. This update was motivated principally by the expanding threat space—
characterized by the increasing sophistication of cyber attacks and the operations tempo of adversaries
(i.e., the frequency of such attacks, the professionalism of the attackers, and the persistence of
targeting by attackers). State-of-the-practice security controls and control enhancements have been
developed and integrated into the catalog addressing such areas as: mobile and cloud computing;
applications security; trustworthiness, assurance, and resiliency of information systems; insider threat;
supply chain security; and the advanced persistent threat.
To take advantage of the expanded set of security and privacy controls, and to give organizations
greater flexibility and agility in defending their information systems, the concept of overlays was
introduced in this revision. Overlays provide a structured approach to help organizations tailor security
control baselines and develop specialized security plans that can be applied to specific
missions/business functions, environments of operation, and/or technologies. This specialization
approach is important as the number of threat-driven controls and control enhancements in the catalog
increases and organizations develop risk management strategies to address their specific protection
needs within defined risk tolerances.
Identification
This overlay may be referenced as the NIST Special Publication 800-82 Revision 2 Industrial Control
System Overlay (“NIST SP 800-82 Rev 2 ICS Overlay”). It is based on NIST SP 800-53 Revision 4 [22].
NIST developed this overlay in furtherance of its statutory responsibilities under the Federal Information
Security Modernization Act (FISMA) of 2014 (Public Law 113-283), Presidential Policy Directive (PPD)-
21 and Executive Order 13636. NIST is responsible for developing standards and guidelines, including
minimum requirements, for providing adequate information security for all agency operations and assets,
but such standards and guidelines shall not apply to national security systems without the express approval
of appropriate federal officials exercising policy authority over such systems. Comments may be directed to
icsoverlaycomments@nist.gov.
Overlay Characteristics
Industrial Control Systems (ICS) are typically used in industries such as electric, water and wastewater, oil
and natural gas, transportation, chemical, pharmaceutical, pulp and paper, food and beverage, and discrete
manufacturing (e.g., automotive, aerospace, and durable goods). Supervisory control and data acquisition
(SCADA) systems are generally used to control dispersed assets using centralized data acquisition and
supervisory control. Distributed Control Systems (DCS) are generally used to control production systems
within a local area such as a factory using supervisory and regulatory control. Programmable Logic
Controllers (PLCs) are generally used for discrete control for specific applications and generally provide
regulatory control. These control systems are vital to the operation of the U.S. critical infrastructures that
are often highly interconnected and mutually dependent systems. It is important to note that approximately
90 percent of the nation's critical infrastructures are privately owned and operated. Federal agencies also
operate many of the ICS mentioned above; other examples include air traffic control and materials handling
(e.g., Postal Service mail handling).
Applicability
The purpose of this overlay is to provide guidance for securing ICS, including SCADA and DCS systems,
PLCs, and other systems performing industrial control functions. This overlay has been prepared for use by
federal agencies. It may be used by nongovernmental organizations on a voluntary basis.
Overlay Summary
Table G-1 provides a summary of the security controls and control enhancements from NIST SP 800-53
Appendix F [22, App. F] that have been allocated to the initial security control baselines (i.e., Low,
Moderate, and High), along with indications of ICS Supplemental Guidance and ICS tailoring. Controls and
control enhancements for which there is ICS Supplemental Guidance are bolded. If the control baselines
are supplemented by the addition of a control to the baseline, the control or control enhancement is
underlined. If a control or control enhancement is removed from the baseline, the control or control
enhancement is struck out. (These typographic marks are not carried over into the plain-text rendering of
the table that follows; consult the original PDF to see which entries are bolded, underlined, or struck out.)
Example:

CNTL NO. | CONTROL NAME | LOW | MOD | HIGH
AU-4 | Audit Storage Capacity | AU-4 (1) | AU-4 (1) | AU-4 (1)

In this example, ICS Supplemental Guidance was added to Control Enhancement 1 of AU-4 (bolded). In
addition, Control Enhancement 1 of AU-4 was added to the Low, Moderate (Mod), and High baselines
(underlined).
Table G-1 Security Control Baselines

CNTL NO. | CONTROL NAME | INITIAL CONTROL BASELINE: LOW | MOD | HIGH
AC-1 | Access Control Policy and Procedures | AC-1 | AC-1 | AC-1
AC-2 | Account Management | AC-2 | AC-2 (1) (2) (3) (4) | AC-2 (1) (2) (3) (4) (5) (11) (12) (13)
AC-3 | Access Enforcement | AC-3 | AC-3 | AC-3
AC-4 | Information Flow Enforcement | Not Selected | AC-4 | AC-4
AC-5 | Separation of Duties | Not Selected | AC-5 | AC-5
AC-6 | Least Privilege | Not Selected | AC-6 (1) (2) (5) (9) (10) | AC-6 (1) (2) (3) (5) (9) (10)
AC-7 | Unsuccessful Logon Attempts | AC-7 | AC-7 | AC-7
AC-8 | System Use Notification | AC-8 | AC-8 | AC-8
AC-10 | Concurrent Session Control | Not Selected | Not Selected | AC-10
AC-11 | Session Lock | Not Selected | AC-11 (1) | AC-11 (1)
AC-12 | Session Termination | Not Selected | AC-12 | AC-12
AC-14 | Permitted Actions without Identification or Authentication | AC-14 | AC-14 | AC-14
AC-17 | Remote Access | AC-17 | AC-17 (1) (2) (3) (4) | AC-17 (1) (2) (3) (4)
AC-18 | Wireless Access | AC-18 | AC-18 (1) | AC-18 (1) (4) (5)
AC-19 | Access Control for Mobile Devices | AC-19 | AC-19 (5) | AC-19 (5)
AC-20 | Use of External Information Systems | AC-20 | AC-20 (1) (2) | AC-20 (1) (2)
AC-21 | Collaboration and Information Sharing | AC-21 | AC-21 | AC-21
AC-22 | Publicly Accessible Content | AC-22 | AC-22 | AC-22
AT-1 | Security Awareness and Training Policy and Procedures | AT-1 | AT-1 | AT-1
AT-2 | Security Awareness Training | AT-2 | AT-2 (2) | AT-2 (2)
AT-3 | Role-Based Security Training | AT-3 | AT-3 | AT-3
AT-4 | Security Training Records | AT-4 | AT-4 | AT-4
AU-1 | Audit and Accountability Policy and Procedures | AU-1 | AU-1 | AU-1
AU-2 | Audit Events | AU-2 | AU-2 (3) | AU-2 (3)
AU-3 | Content of Audit Records | AU-3 | AU-3 (1) | AU-3 (1) (2)
AU-4 | Audit Storage Capacity | AU-4 (1) | AU-4 (1) | AU-4 (1)
AU-5 | Response to Audit Processing Failures | AU-5 | AU-5 | AU-5 (1) (2)
AU-6 | Audit Review, Analysis, and Reporting | AU-6 | AU-6 (1) (3) | AU-6 (1) (3) (5) (6)
AU-7 | Audit Reduction and Report Generation | Not Selected | AU-7 (1) | AU-7 (1)
AU-8 | Time Stamps | AU-8 | AU-8 (1) | AU-8 (1)
AU-9 | Protection of Audit Information | AU-9 | AU-9 (4) | AU-9 (2) (3) (4)
AU-10 | Non-repudiation | Not Selected | Not Selected | AU-10
AU-11 | Audit Record Retention | AU-11 | AU-11 | AU-11
AU-12 | Audit Generation | AU-12 | AU-12 | AU-12 (1) (3)
CA-1 | Security Assessment and Authorization Policies and Procedures | CA-1 | CA-1 | CA-1
CA-2 | Security Assessments | CA-2 | CA-2 (1) | CA-2 (1) (2)
CA-3 | System Interconnections | CA-3 | CA-3 (5) | CA-3 (5)
CA-5 | Plan of Action and Milestones | CA-5 | CA-5 | CA-5
CA-6 | Security Authorization | CA-6 | CA-6 | CA-6
CA-7 | Continuous Monitoring | CA-7 | CA-7 (1) | CA-7 (1)
CA-8 | Penetration Testing | Not Selected | Not Selected | CA-8
CA-9 | Internal System Connections | CA-9 | CA-9 | CA-9
CM-1 | Configuration Management Policy and Procedures | CM-1 | CM-1 | CM-1
CM-2 | Baseline Configuration | CM-2 | CM-2 (1) (3) (7) | CM-2 (1) (2) (3) (7)
CM-3 | Configuration Change Control | Not Selected | CM-3 (2) | CM-3 (1) (2)
CM-4 | Security Impact Analysis | CM-4 | CM-4 | CM-4 (1)
CM-5 | Access Restrictions for Change | Not Selected | CM-5 | CM-5 (1) (2) (3)
CM-6 | Configuration Settings | CM-6 | CM-6 | CM-6 (1) (2)
CM-7 | Least Functionality | CM-7 (1) | CM-7 (1) (2) (4) (5) | CM-7 (1) (2) (5)
CM-8 | Information System Component Inventory | CM-8 | CM-8 (1) (3) (5) | CM-8 (1) (2) (3) (4) (5)
CM-9 | Configuration Management Plan | Not Selected | CM-9 | CM-9
CM-10 | Software Usage Restrictions | CM-10 | CM-10 | CM-10
CM-11 | User-Installed Software | CM-11 | CM-11 | CM-11
CP-1 | Contingency Planning Policy and Procedures | CP-1 | CP-1 | CP-1
CP-2 | Contingency Plan | CP-2 | CP-2 (1) (3) (8) | CP-2 (1) (2) (3) (4) (5) (8)
CP-3 | Contingency Training | CP-3 | CP-3 | CP-3 (1)
CP-4 | Contingency Plan Testing | CP-4 | CP-4 (1) | CP-4 (1) (2)
CP-6 | Alternate Storage Site | Not Selected | CP-6 (1) (3) | CP-6 (1) (2) (3)
CP-7 | Alternate Processing Site | Not Selected | CP-7 (1) (2) (3) | CP-7 (1) (2) (3) (4)
CP-8 | Telecommunications Services | Not Selected | CP-8 (1) (2) | CP-8 (1) (2) (3) (4)
CP-9 | Information System Backup | CP-9 | CP-9 (1) | CP-9 (1) (2) (3) (5)
CP-10 | Information System Recovery and Reconstitution | CP-10 | CP-10 (2) | CP-10 (2) (4)
CP-12 | Safe Mode | CP-12 | CP-12 | CP-12
IA-1 | Identification and Authentication Policy and Procedures | IA-1 | IA-1 | IA-1
IA-2 | Identification and Authentication (Organizational Users) | IA-2 (1) (12) | IA-2 (1) (2) (3) (8) (11) (12) | IA-2 (1) (2) (3) (4) (8) (9) (11) (12)
IA-3 | Device Identification and Authentication | IA-3 | IA-3 (1) (4) | IA-3 (1) (4)
IA-4 | Identifier Management | IA-4 | IA-4 | IA-4
IA-5 | Authenticator Management | IA-5 (1) (11) | IA-5 (1) (2) (3) (11) | IA-5 (1) (2) (3) (11)
IA-6 | Authenticator Feedback | IA-6 | IA-6 | IA-6
IA-7 | Cryptographic Module Authentication | IA-7 | IA-7 | IA-7
IA-8 | Identification and Authentication (Non-Organizational Users) | IA-8 (1) (2) (3) (4) | IA-8 (1) (2) (3) (4) | IA-8 (1) (2) (3) (4)
IR-1 | Incident Response Policy and Procedures | IR-1 | IR-1 | IR-1
IR-2 | Incident Response Training | IR-2 | IR-2 | IR-2 (1) (2)
IR-3 | Incident Response Testing | Not Selected | IR-3 (2) | IR-3 (2)
IR-4 | Incident Handling | IR-4 | IR-4 (1) | IR-4 (1) (4)
IR-5 | Incident Monitoring | IR-5 | IR-5 | IR-5 (1)
IR-6 | Incident Reporting | IR-6 | IR-6 (1) | IR-6 (1)
IR-7 | Incident Response Assistance | IR-7 | IR-7 (1) | IR-7 (1)
IR-8 | Incident Response Plan | IR-8 | IR-8 | IR-8
MA-1 | System Maintenance Policy and Procedures | MA-1 | MA-1 | MA-1
MA-2 | Controlled Maintenance | MA-2 | MA-2 | MA-2 (2)
MA-3 | Maintenance Tools | Not Selected | MA-3 (1) (2) | MA-3 (1) (2) (3)
MA-4 | Nonlocal Maintenance | MA-4 | MA-4 (2) | MA-4 (2) (3)
MA-5 | Maintenance Personnel | MA-5 | MA-5 | MA-5 (1)
MA-6 | Timely Maintenance | Not Selected | MA-6 | MA-6
MP-1 | Media Protection Policy and Procedures | MP-1 | MP-1 | MP-1
MP-2 | Media Access | MP-2 | MP-2 | MP-2
MP-3 | Media Marking | Not Selected | MP-3 | MP-3
MP-4 | Media Storage | Not Selected | MP-4 | MP-4
MP-5 | Media Transport | Not Selected | MP-5 (4) | MP-5 (4)
MP-6 | Media Sanitization | MP-6 | MP-6 | MP-6 (1) (2) (3)
MP-7 | Media Use | MP-7 | MP-7 (1) | MP-7 (1)
PE-1 | Physical and Environmental Protection Policy and Procedures | PE-1 | PE-1 | PE-1
PE-2 | Physical Access Authorizations | PE-2 | PE-2 | PE-2
PE-3 | Physical Access Control | PE-3 | PE-3 | PE-3 (1)
PE-4 | Access Control for Transmission Medium | Not Selected | PE-4 | PE-4
PE-5 | Access Control for Output Devices | Not Selected | PE-5 | PE-5
PE-6 | Monitoring Physical Access | PE-6 | PE-6 (1) (4) | PE-6 (1) (4)
PE-8 | Visitor Access Records | PE-8 | PE-8 | PE-8 (1)
PE-9 | Power Equipment and Cabling | Not Selected | PE-9 (1) | PE-9 (1)
PE-10 | Emergency Shutoff | Not Selected | PE-10 | PE-10
PE-11 | Emergency Power | PE-11 (1) | PE-11 (1) | PE-11 (1) (2)
PE-12 | Emergency Lighting | PE-12 | PE-12 | PE-12
PE-13 | Fire Protection | PE-13 | PE-13 (3) | PE-13 (1) (2) (3)
PE-14 | Temperature and Humidity Controls | PE-14 | PE-14 | PE-14
PE-15 | Water Damage Protection | PE-15 | PE-15 | PE-15 (1)
PE-16 | Delivery and Removal | PE-16 | PE-16 | PE-16
PE-17 | Alternate Work Site | Not Selected | PE-17 | PE-17
PE-18 | Location of Information System Components | Not Selected | Not Selected | PE-18
PL-1 | Security Planning Policy and Procedures | PL-1 | PL-1 | PL-1
PL-2 | System Security Plan | PL-2 (3) | PL-2 (3) | PL-2 (3)
PL-4 | Rules of Behavior | PL-4 | PL-4 (1) | PL-4 (1)
PL-7 | Security Concept of Operations | PL-7 PL-7 (only two of the three baseline cells survive in the source text; the column placement is not recoverable here)
PL-8 | Information Security Architecture | Not Selected | PL-8 | PL-8
PS-1 | Personnel Security Policy and Procedures | PS-1 | PS-1 | PS-1
PS-2 | Position Risk Designation | PS-2 | PS-2 | PS-2
PS-3 | Personnel Screening | PS-3 | PS-3 | PS-3
PS-4 | Personnel Termination | PS-4 | PS-4 | PS-4 (2)
PS-5 | Personnel Transfer | PS-5 | PS-5 | PS-5
PS-6 | Access Agreements | PS-6 | PS-6 | PS-6
PS-7 | Third-Party Personnel Security | PS-7 | PS-7 | PS-7
PS-8 | Personnel Sanctions | PS-8 | PS-8 | PS-8
RA-1 | Risk Assessment Policy and Procedures | RA-1 | RA-1 | RA-1
RA-2 | Security Categorization | RA-2 | RA-2 | RA-2
RA-3 | Risk Assessment | RA-3 | RA-3 | RA-3
RA-5 | Vulnerability Scanning | RA-5 | RA-5 (1) (2) (5) | RA-5 (1) (2) (4) (5)
SA-1 | System and Services Acquisition Policy and Procedures | SA-1 | SA-1 | SA-1
SA-2 | Allocation of Resources | SA-2 | SA-2 | SA-2
SA-3 | System Development Life Cycle | SA-3 | SA-3 | SA-3
SA-4 | Acquisition Process | SA-4 (10) | SA-4 (1) (2) (9) (10) | SA-4 (1) (2) (9) (10)
SA-5 | Information System Documentation | SA-5 | SA-5 | SA-5
SA-8 | Security Engineering Principles | Not Selected | SA-8 | SA-8
SA-9 | External Information System Services | SA-9 | SA-9 (2) | SA-9 (2)
SA-10 | Developer Configuration Management | Not Selected | SA-10 | SA-10
SA-11 | Developer Security Testing and Evaluation | Not Selected | SA-11 | SA-11
SA-12 | Supply Chain Protection | Not Selected | Not Selected | SA-12
SA-15 | Development Process, Standards, and Tools | Not Selected | Not Selected | SA-15
SA-16 | Developer-Provided Training | Not Selected | Not Selected | SA-16
SA-17 | Developer Security Architecture and Design | Not Selected | Not Selected | SA-17
SC-1 | System and Communications Protection Policy and Procedures | SC-1 | SC-1 | SC-1
SC-2 | Application Partitioning | Not Selected | SC-2 | SC-2
SC-3 | Security Function Isolation | Not Selected | Not Selected | SC-3
SC-4 | Information in Shared Resources | Not Selected | SC-4 | SC-4
SC-5 | Denial of Service Protection | SC-5 | SC-5 | SC-5
SC-7 | Boundary Protection | SC-7 | SC-7 (3) (4) (5) (7) (18) | SC-7 (3) (4) (5) (7) (8) (18) (21)
SC-8 | Transmission Confidentiality and Integrity | Not Selected | SC-8 (1) | SC-8 (1)
SC-10 | Network Disconnect | Not Selected | SC-10 | SC-10
SC-12 | Cryptographic Key Establishment and Management | SC-12 | SC-12 | SC-12 (1)
SC-13 | Cryptographic Protection | SC-13 | SC-13 | SC-13
SC-15 | Collaborative Computing Devices | SC-15 | SC-15 | SC-15
SC-17 | Public Key Infrastructure Certificates | Not Selected | SC-17 | SC-17
SC-18 | Mobile Code | Not Selected | SC-18 | SC-18
SC-19 | Voice Over Internet Protocol | Not Selected | SC-19 | SC-19
SC-20 | Secure Name/Address Resolution Service (Authoritative Source) | SC-20 | SC-20 | SC-20
SC-21 | Secure Name/Address Resolution Service (Recursive or Caching Resolver) | SC-21 | SC-21 | SC-21
SC-22 | Architecture and Provisioning for Name/Address Resolution Service | SC-22 | SC-22 | SC-22
SC-23 | Session Authenticity | Not Selected | SC-23 | SC-23
SC-24 | Fail in Known State | Not Selected | SC-24 | SC-24
SC-28 | Protection of Information at Rest | Not Selected | SC-28 | SC-28
SC-39 | Process Isolation | SC-39 | SC-39 | SC-39
SC-41 | Port and I/O Device Access | SC-41 | SC-41 | SC-41
SI-1 | System and Information Integrity Policy and Procedures | SI-1 | SI-1 | SI-1
SI-2 | Flaw Remediation | SI-2 | SI-2 (2) | SI-2 (1) (2)
SI-3 | Malicious Code Protection | SI-3 | SI-3 (1) (2) | SI-3 (1) (2)
SI-4 | Information System Monitoring | SI-4 | SI-4 (2) (4) (5) | SI-4 (2) (4) (5)
SI-5 | Security Alerts, Advisories, and Directives | SI-5 | SI-5 | SI-5 (1)
SI-6 | Security Function Verification | Not Selected | Not Selected | SI-6
SI-7 | Software, Firmware, and Information Integrity | Not Selected | SI-7 (1) (7) | SI-7 (1) (2) (5) (7) (14)
SI-8 | Spam Protection | Not Selected | SI-8 (1) (2) | SI-8 (1) (2)
SI-10 | Information Input Validation | Not Selected | SI-10 | SI-10
SI-11 | Error Handling | Not Selected | SI-11 | SI-11
SI-12 | Information Handling and Retention | SI-12 | SI-12 | SI-12
SI-13 | Predictable Failure Prevention | Not Selected | Not Selected | SI-13
SI-14 | Non-Persistence | Not Selected | Not Selected | Not Selected
SI-15 | Information Output Filtering | Not Selected | Not Selected | Not Selected
SI-16 | Memory Protection | Not Selected | SI-16 | SI-16
SI-17 | Fail-Safe Procedures | SI-17 | SI-17 | SI-17
The PM-family is deployed organization-wide, supporting the information security program. It is not
associated with security control baselines and is independent of any system impact level.

CNTL NO. | CONTROL NAME
PM-1 | Information Security Program Plan
PM-2 | Senior Information Security Officer
PM-3 | Information Security Resources
PM-4 | Plan of Action and Milestones Process
PM-5 | Information System Inventory
PM-6 | Information Security Measures of Performance
PM-7 | Enterprise Architecture
PM-8 | Critical Infrastructure Plan
PM-9 | Risk Management Strategy
PM-10 | Security Authorization Process
PM-11 | Mission/Business Process Definition
PM-12 | Insider Threat Program
PM-13 | Information Security Workforce
PM-14 | Testing, Training, and Monitoring
PM-15 | Contacts with Security Groups and Associations
PM-16 | Threat Awareness Program
Tailoring Considerations
Due to the unique characteristics of ICS, these systems may require a greater use of compensating security controls than is the case for general purpose information systems. Compensating controls are not exceptions or waivers to the baseline controls; rather, they are alternative safeguards and countermeasures employed within the ICS that accomplish the intent of the original security controls that could not be effectively employed. See “Selecting Compensating Security Controls” in section 3.2 of NIST SP 800-53 Rev. 4 [22].
In situations where the ICS cannot support, or the organization determines it is not advisable to implement, particular security controls or control enhancements in an ICS (e.g., performance, safety, or reliability are adversely impacted), the organization provides a complete and convincing rationale for how the selected compensating controls provide an equivalent security capability or level of protection for the ICS and why the related baseline security controls could not be employed.
In accordance with the Technology-related Considerations of the Scoping Guidance in NIST SP 800-53 Rev. 4, section 3.2, if automated mechanisms are not readily available, cost-effective, or technically feasible in the ICS, compensating security controls, implemented through nonautomated mechanisms or procedures, are employed [22].
Compensating controls are alternative security controls employed by organizations in lieu of specific controls in the baselines—controls that provide equivalent or comparable protection for organizational information systems and the information processed, stored, or transmitted by those systems.83 This may occur, for example, when organizations are unable to effectively implement specific security controls in the baselines or when, due to the specific nature of the ICS or environments of operation, the controls in the baselines are not a cost-effective means of obtaining the needed risk mitigation. Compensating controls may include control enhancements that supplement the baseline. Using compensating controls may involve a trade-off between additional risk and reduced functionality. Every use of compensating controls should involve a risk-based determination of: (i) how much residual risk to accept, and (ii) how much functionality should be reduced. Compensating controls may be employed by organizations under the following conditions:
• Organizations select compensating controls from NIST SP 800-53 Rev. 4, Appendix F. If appropriate compensating controls are not available, organizations adopt suitable compensating controls from other sources.84
• Organizations provide supporting rationale for how compensating controls provide equivalent security capabilities for organizational information systems and why the baseline security controls could not be employed.
• Organizations assess and accept the risk associated with implementing compensating controls in ICS.
Organizational decisions on the use of compensating controls are documented in the security plan for the ICS.
83 More than one compensating control may be required to provide the equivalent protection for a particular security control in Appendix F. For example, organizations with significant staff limitations may compensate for the separation of duty security control by strengthening the audit, accountability, and personnel security controls.
84 Organizations should make every attempt to select compensating controls from the security control catalog in Appendix F. Organization-defined compensating controls are employed only when organizations determine that the security control catalog does not contain suitable compensating controls.
Controls that contain assignments (e.g., Assignment: organization-defined conditions or trigger events) may be tailored out of the baseline. This is equivalent to assigning a value of “none.” The assignment may take on different values for different impact baselines.
Non-Addressable and Non-Routable Communications
The unique network properties within ICS warrant specific attention when applying certain security controls. Many of the controls in NIST SP 800-53 Rev. 4 that pertain to communication, devices, and interfaces implicitly assume the applicability of addressable and routable protocols such as the TCP/IP Internet protocol suite87 or layers 1, 2, and 3 of the Open Systems Interconnection (OSI) model (ISO/IEC 7498-1). Some devices, or subsystems, used in ICS are exceptions to this assumption. This section addresses how the controls may be appropriately tailored. Tailoring is primarily required due to the following situations:
• Capabilities not present. The intent of certain controls may be more easily achieved through compensating controls due to certain network properties or capabilities not existing in the ICS subsystem. For example, physical protections (e.g., locked cabinets) may be used to secure an entire point-to-point communication channel as a means to compensate for a lack of protocols that support authentication. Security controls may warrant additional supplemental guidance to help ensure the implementation of the control or compensating control provides the appropriate level of protection.
• Non-applicable security controls. Many communication protocols found within an ICS may have limited functionality (e.g., not addressable or routable). Security controls dealing with addressing and routing may not be applicable to these protocols.
Security controls for devices that communicate point-to-point using standards and protocols that do not include addressing generally require tailoring. A modem connected to a computer through an RS-232 interface is an example. RS-232 was commonly employed in ICS equipment that is currently in use, even if it has been superseded in newer equipment. In telecommunications, RS-232 is the traditional name for a series of standards for serial binary single-ended data and control signals connecting between DTE (data terminal equipment) and DCE (data circuit-terminating equipment, originally defined as data communication equipment). The current version of the standard is Telecommunications Industry Association (TIA)-232-F, Interface Between Data Terminal Equipment and Data Circuit-Terminating Equipment Employing Serial Binary Data Interchange, issued in 1997.
An RS-232 serial port was once a standard feature of small computing devices, such as ICS subsystems, used for connections to peripheral devices. However, the low transmission speed, large voltage swing, and large standard connectors motivated development of the Universal Serial Bus (USB), which has displaced RS-232 from most of its peripheral interface roles. RS-232 devices are still found, especially in industrial machines, networking equipment, and scientific instruments.
Layered Network Models
The layered network models used in both TCP/IP and OSI can provide a basis for understanding the various properties of network communications and will help identify how security controls can be appropriately applied to systems and networks. The following table introduces key properties about the physical, data link, and network layers regarding the application of security controls.
87 Currently, the Internet Engineering Task Force, or IETF, manages the TCP/IP protocol suite.
Network Layer  Layer properties
Physical       Physical Medium – A network’s physical medium, specifically whether it’s wired or wireless, can drive the application/tailoring of certain controls. Wireless connections cannot be physically protected; therefore, compensating controls focusing on physical security cannot be used.
               Topology – The physical topologies may also determine how controls are tailored. For example, point-to-point topologies (e.g., RS-232) generally do not need physically addressable interfaces, while multipoint topologies (e.g., IEEE 802.3 Ethernet) do require physically addressable interfaces.
Data link      Physically Addressable – Multipoint protocols require physically addressable interfaces to allow multiple systems to communicate. Systems that are not physically addressable can only be accessed by those systems with which they share point-to-point connections.
Network        Network Addressable/Routable – Network addressable/routable systems can be accessed by any system on an internetwork. That is, communications can be routed between networks. If a system is not network addressable/routable, it can only be accessed by systems with which it shares a local network connection.
Definitions
Terms used in this overlay are defined in Appendix B or in NIST Internal Report (NISTIR) 7298 Revision 2, Glossary of Key Information Security Terms [99].
Additional Information or Instructions
None at this time. Organizations may provide any additional information or instructions relevant to the overlay not covered in the previous sections.
Detailed Overlay Control Specifications
This Overlay is based on the NIST SP 800-53 Rev. 4, Security and Privacy Controls for Federal
Information Systems and Organizations, which provides a catalog of security and privacy controls for
federal information systems and organizations and a process for selecting controls to protect organizational
operations (including mission, functions, image, and reputation), organizational assets, individuals, other
organizations, and the Nation from a diverse set of threats including hostile cyber attacks, natural disasters,
structural failures, and human errors (both intentional and unintentional). The security and privacy controls
are customizable and implemented as part of an organization-wide process that manages information
security and privacy risk. The controls address a diverse set of security and privacy requirements across the
federal government and critical infrastructure, derived from legislation, Executive Orders, policies,
directives, regulations, standards, and/or mission/business needs. The publication also describes how to
develop specialized sets of controls, or overlays, tailored for specific types of missions/business functions,
technologies, or environments of operation. Finally, the catalog of security controls addresses security from
both a functionality perspective (the strength of security functions and mechanisms provided) and an
assurance perspective (the measures of confidence in the implemented security capability). Addressing both
security functionality and assurance helps to ensure that information technology component products and
the information systems built from those products using sound system and security engineering principles
are sufficiently trustworthy.
In preparation for selecting and specifying the appropriate security controls for organizational information
systems and their respective environments of operation, organizations first determine the criticality and
sensitivity of the information to be processed, stored, or transmitted by those systems. This process is
known as security categorization. FIPS 199 [15] enables federal agencies to establish security categories for
both information and information systems. Other documents, such as those produced by ISA and CNSS,
also provide guidance for defining low, moderate, and high levels of security based on impact. The security
categories are based on the potential impact on an organization or on people (employees and/or the public)
should certain events occur which jeopardize the information and information systems needed by the
organization to accomplish its assigned mission, protect its assets, fulfill its legal responsibilities, maintain
its day-to-day functions, and protect individuals’ safety, health and life. Security categories are to be used
in conjunction with vulnerability and threat information in assessing the risk to an organization.
This overlay provides ICS Supplemental Guidance for the security controls and control enhancements
prescribed for an information system or an organization designed to protect the confidentiality, integrity,
and availability of its information and to meet a set of defined security requirements. This overlay contains
a tailoring of the security control baselines; its specification may be more stringent or less stringent than the
original security control baseline specification and can be applied to multiple information systems. This
overlay is high-level, applicable to all ICS; it may be used as the basis for more specific overlays. Use cases
for specific systems in specific environments may be separately published (e.g., as a NISTIR).
Figure G-1 uses the AU-4 control as an example of the format and content of the detailed overlay control specifications.
(1) Control number and title.
(2) Column for control and control enhancement number.
(3) Column for control and control enhancement name.
(4) Columns for baselines. If the baselines have been supplemented, then SUPPLEMENTED appears.
(5) A row for each control or control enhancement.
(6) Columns for LOW, MODERATE, and HIGH baselines.
(7) “Selected” indicates the control is selected in NIST SP 800-53 Rev. 4. “Added” indicates the control is added to a baseline in the ICS overlay. A blank cell indicates the control is not selected. “Removed” indicates the control is removed from the baseline.
(8) The ICS Supplemental Guidance. If there is none, that is stated.
(9) The Control Enhancement ICS Supplemental Guidance. If there is none, that is stated.
(10) The rationale for changing the presence of a control or control enhancement in the baseline.

(1) AU-4 AUDIT STORAGE CAPACITY
(2) CNTL NO.   (3) CONTROL NAME / Control Enhancement Name                   (4) SUPPLEMENTED CONTROL BASELINES (6) LOW  MOD  HIGH
(5) AU-4       Audit Storage Capacity                                        Selected  Selected  Selected
(7) AU-4 (1)   AUDIT STORAGE CAPACITY | TRANSFER TO ALTERNATE STORAGE        Added     Added     Added
(8) No ICS Supplemental Guidance.
(9) Control Enhancement: (1) ICS Supplemental Guidance: Legacy ICS are typically configured with remote storage on a separate information system (e.g., the historian in the DMZ accumulates historical operational ICS data and is backed up for storage at a different site). ICS are currently using online backup services and increasingly moving to Cloud based and Virtualized services. Retention of some data (e.g., SCADA telemetry) may be required by regulatory authorities.
(10) Rationale for adding control to baseline: Legacy ICS components typically do not have capacity to store or analyze audit data. The retention periods for some data, particularly compliance data, may require large volumes of storage.
Figure G-1 Detailed Overlay Control Specifications Illustrated
NIST SP 800-53 Rev. 4, Appendix F, contains Supplemental Guidance for all Controls and Control
Enhancements [22]. ICS Supplemental Guidance in this overlay provides organizations with additional
information on the application of the security controls and control enhancements in NIST SP 800-53 Rev. 4,
Appendix F, to ICS and the environments in which these specialized systems operate. The ICS
Supplemental Guidance also provides information as to why a particular security control or control
enhancement may not be applicable in some ICS environments and may be a candidate for tailoring (i.e.,
the application of scoping guidance and/or compensating controls).
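As an added example (not code from SP 800-82 or from NIST), the following Python models the overlay row format of Figure G-1: it parses rows in the CNTL NO. / name / LOW / MOD / HIGH layout, derives the effective control set for an impact level (Selected plus Added, minus Removed and blank cells), lists the controls whose baseline presence the overlay changed (each of which needs a rationale entry), and flags an enhancement left in force after its base control was tailored out. The pipe-delimited row strings are constructed from the AU-4 figure and the AC-2 table on this page; the delimiter and function names are this example's own.

```python
"""Tailoring a NIST SP 800-53 Rev. 4 baseline with an ICS overlay (added example,
not code from SP 800-82 or NIST). Each row models one line of the Figure G-1
overlay table: a control or enhancement with a LOW, MOD and HIGH cell that is
"Selected" (800-53 baseline), "Added"/"Removed" (by the overlay) or blank."""
import re
from dataclasses import dataclass

LEVELS = ("LOW", "MOD", "HIGH")
STATUSES = ("Selected", "Added", "Removed", "")
# "AU-4" or "AU-4 (1)": family, control number, optional enhancement number
_CTRL = re.compile(r"^([A-Z]{2})-(\d+)(?: \((\d+)\))?$")


@dataclass(frozen=True)
class OverlayRow:
    control: str   # e.g. "AU-4 (1)"
    name: str      # e.g. "AUDIT STORAGE CAPACITY | TRANSFER TO ALTERNATE STORAGE"
    cells: tuple   # one status per entry of LEVELS


def control_key(control):
    """Sort key (family, number, enhancement); the base control sorts first."""
    m = _CTRL.match(control)
    if not m:
        raise ValueError(f"bad control identifier: {control!r}")
    family, number, enh = m.groups()
    return (family, int(number), int(enh or 0))


def base_control(control):
    """'AC-2 (11)' -> 'AC-2'; a base control maps to itself."""
    return control.split(" (", 1)[0]


def parse_overlay_rows(text):
    """Parse rows 'CNTL NO. | name | LOW | MOD | HIGH'. NIST writes enhancement
    names as 'CONTROL | ENHANCEMENT', so the cells are split off the right end."""
    rows = []
    for line in text.strip().splitlines():
        head, *cells = [p.strip() for p in line.rsplit("|", len(LEVELS))]
        if len(cells) != len(LEVELS) or "|" not in head:
            raise ValueError(f"expected '<control> | <name> | LOW | MOD | HIGH': {line!r}")
        control, name = (p.strip() for p in head.split("|", 1))
        control_key(control)  # reject malformed identifiers early
        bad = [c for c in cells if c not in STATUSES]
        if bad:
            raise ValueError(f"unknown baseline cell {bad[0]!r} in {line!r}")
        rows.append(OverlayRow(control, name, tuple(cells)))
    return rows


def effective_controls(rows, level):
    """Controls in force at an impact level: Selected or Added, never Removed or blank."""
    i = LEVELS.index(level)
    chosen = (r.control for r in rows if r.cells[i] in ("Selected", "Added"))
    return sorted(chosen, key=control_key)


def overlay_changes(rows):
    """Controls whose baseline presence the overlay changed, per level; each one
    needs the rationale entry of callout (10) in Figure G-1."""
    changes = {}
    for r in rows:
        for level, cell in zip(LEVELS, r.cells):
            if cell in ("Added", "Removed"):
                changes.setdefault(r.control, {})[level] = cell
    return changes


def orphan_enhancements(rows, level):
    """Enhancements left in force after their base control was tailored out."""
    in_force = set(effective_controls(rows, level))
    orphans = (c for c in in_force
               if c != base_control(c) and base_control(c) not in in_force)
    return sorted(orphans, key=control_key)


# Constructed from the AU-4 figure and the AC-2 table on this page.
SAMPLE_ROWS = """
AU-4 | Audit Storage Capacity | Selected | Selected | Selected
AU-4 (1) | AUDIT STORAGE CAPACITY | TRANSFER TO ALTERNATE STORAGE | Added | Added | Added
AC-2 | Account Management | Selected | Selected | Selected
AC-2 (1) | ACCOUNT MANAGEMENT | AUTOMATED SYSTEM ACCOUNT MANAGEMENT | | Selected | Selected
AC-2 (2) | ACCOUNT MANAGEMENT | REMOVAL OF TEMPORARY / EMERGENCY ACCOUNTS | | Selected | Selected
AC-2 (3) | ACCOUNT MANAGEMENT | DISABLE INACTIVE ACCOUNTS | | Selected | Selected
AC-2 (4) | ACCOUNT MANAGEMENT | AUTOMATED AUDIT ACTIONS | | Selected | Selected
AC-2 (5) | ACCOUNT MANAGEMENT | INACTIVITY LOGOUT / TYPICAL USAGE MONITORING | | | Selected
AC-2 (11) | ACCOUNT MANAGEMENT | USAGE CONDITIONS | | | Selected
AC-2 (12) | ACCOUNT MANAGEMENT | ACCOUNT MONITORING / ATYPICAL USAGE | | | Selected
AC-2 (13) | ACCOUNT MANAGEMENT | ACCOUNT REVIEWS | | | Selected
"""

if __name__ == "__main__":
    rows = parse_overlay_rows(SAMPLE_ROWS)
    for level in LEVELS:
        print(level, effective_controls(rows, level), orphan_enhancements(rows, level))
    print("overlay changes needing a rationale:", overlay_changes(rows))
```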
ACCESS CONTROL – AC
Tailoring Considerations for Access Control Family
Before implementing controls in the AC family, consider the tradeoffs among security, privacy, latency, performance, throughput, and
reliability. For example, the organization considers whether latency induced from the use of confidentiality and integrity mechanisms
employing cryptographic mechanisms would adversely impact the operational performance of the ICS.
In situations where the ICS cannot support the specific Access Control requirements of a control, the organization employs
compensating controls in accordance with the general tailoring guidance. Examples of compensating controls are given with each control, as
appropriate.
Supplemental Guidance
Supplemental Guidance for all Controls and Control Enhancements in NIST SP 800-53 Rev. 4, Appendix F, should be used in
conjunction with the ICS Supplemental Guidance in this overlay, if any.
AC-1 ACCESS CONTROL POLICY AND PROCEDURES
CNTL NO.   CONTROL NAME / Control Enhancement Name                    CONTROL BASELINES: LOW  MOD  HIGH
AC-1       Access Control Policy and Procedures                       Selected  Selected  Selected
ICS Supplemental Guidance: The policy specifically addresses the unique properties and requirements of ICS and the relationship
to non-ICS systems. ICS access by vendors and maintenance staff can occur over a very large facility footprint or geographic area and into
unobserved spaces such as mechanical/electrical rooms, ceilings, floors, field substations, switch and valve vaults, and pump stations.
AC-2 ACCOUNT MANAGEMENT
CNTL NO.   CONTROL NAME / Control Enhancement Name                          CONTROL BASELINES: LOW  MOD  HIGH
AC-2       Account Management                                               Selected  Selected  Selected
AC-2 (1)   ACCOUNT MANAGEMENT | AUTOMATED SYSTEM ACCOUNT MANAGEMENT                   Selected  Selected
AC-2 (2)   ACCOUNT MANAGEMENT | REMOVAL OF TEMPORARY / EMERGENCY ACCOUNTS             Selected  Selected
AC-2 (3)   ACCOUNT MANAGEMENT | DISABLE INACTIVE ACCOUNTS                             Selected  Selected
AC-2 (4)   ACCOUNT MANAGEMENT | AUTOMATED AUDIT ACTIONS                               Selected  Selected
AC-2 (5)   ACCOUNT MANAGEMENT | INACTIVITY LOGOUT / TYPICAL USAGE MONITORING                    Selected
AC-2 (11)  ACCOUNT MANAGEMENT | USAGE CONDITIONS                                                Selected
AC-2 (12)  ACCOUNT MANAGEMENT | ACCOUNT MONITORING / ATYPICAL USAGE                             Selected
AC-2 (13)  ACCOUNT MANAGEMENT | ACCOUNT REVIEWS                                                 Selected
ICS Supplemental Guidance: Example compensating controls include providing increased physical security, personnel security, intrusion detection, and auditing measures.
Control Enhancement: (1, 3, 4) ICS Supplemental Guidance: Example compensating controls include employing nonautomated
mechanisms or procedures.
Control Enhancement: (2) ICS Supplemental Guidance: In situations where the ICS (e.g., field devices) cannot support
temporary or emergency accounts, this enhancement does not apply. Example compensating controls include employing nonautomated
mechanisms or procedures.
Control Enhancement: (5) ICS Supplemental Guidance: Example compensating controls include employing nonautomated
mechanisms or procedures.
Control Enhancement: (11, 12, 13) No ICS Supplemental Guidance.
SPECIAL PUBLICATION 800-82 REVISION 2 GUIDE TO INDUSTRIAL CONTROL SYSTEMS (ICS) SECURITY
369
AC-3 ACCESS ENFORCEMENT
CNTL NO.   CONTROL NAME / Control Enhancement Name                                               CONTROL BASELINES
                                                                                                 LOW       MOD       HIGH
AC-3       Access Enforcement                                                                    Selected  Selected  Selected
ICS Supplemental Guidance: The organization ensures that access enforcement mechanisms do not adversely impact the
operational performance of the ICS. Example compensating controls include encapsulation. Policy for logical access control to Non-
Addressable and Non-Routable system resources and the associated information is made explicit. Access control mechanisms include
hardware, firmware, and software that controls or has device access, such as device drivers and communications controllers. Physical access
control may serve as a compensating control for logical access control; however, it may not provide sufficient granularity in situations where
users require access to different functions. Logical access enforcement may be implemented in encapsulating hardware and software.
AC-4 INFORMATION FLOW ENFORCEMENT
CNTL NO.   CONTROL NAME / Control Enhancement Name                                               CONTROL BASELINES
                                                                                                 LOW       MOD       HIGH
AC-4       Information Flow Enforcement                                                          -         Selected  Selected
ICS Supplemental Guidance: Physical addresses (e.g., a serial port) may be implicitly or explicitly associated with labels or
attributes (e.g., hardware I/O address). Manual methods are typically static. Label or attribute policy mechanisms may be implemented in
hardware, firmware, and software that controls or has device access, such as device drivers and communications controllers. Information
flow policy may be supported by labeling or coloring physical connectors as an aid to manual hookup. Inspection of message content may
enforce information flow policy. For example, a message containing a command to an actuator may not be permitted to flow between the
control network and any other network.
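As an added illustration of the message-content inspection described above (example code written for this edit, not from NIST SP 800-82 or from any product): a boundary filter that parses Modbus/TCP frames and denies any frame carrying a write function code, i.e. a command that could move an actuator, while permitting read polls to cross. Modbus/TCP is an assumption, since the guidance names no protocol; the frames are constructed samples, not captured traffic; and in a real deployment this logic would live on the boundary device, not in a script.

```python
import struct
from dataclasses import dataclass

# Public Modbus function codes. Reads only observe process state; writes change
# coils or registers and therefore can command an actuator.
READ_FUNCTIONS = {1, 2, 3, 4}             # read coils / discrete inputs / holding / input registers
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}  # write single/multiple coil or register, mask write, read/write

MBAP_HEADER_LEN = 7  # transaction id (2), protocol id (2), length (2), unit id (1)


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str


def parse_modbus_tcp(frame: bytes) -> tuple[int, int]:
    """Return (unit_id, function_code); raise ValueError on a malformed frame."""
    if len(frame) < MBAP_HEADER_LEN + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:MBAP_HEADER_LEN])
    if proto != 0:
        raise ValueError("protocol identifier is not 0 (Modbus)")
    # The MBAP length field counts the unit id plus every PDU byte that follows it.
    if length != len(frame) - 6:
        raise ValueError("MBAP length field disagrees with frame size")
    return unit, frame[MBAP_HEADER_LEN]


def enforce_flow(frame: bytes) -> Decision:
    """Flow-policy decision for a frame crossing the control-network boundary.

    Policy: reads may cross, writes (actuator commands) may not, and anything
    else or anything unparseable is denied so that the filter fails closed.
    """
    try:
        unit, fc = parse_modbus_tcp(frame)
    except ValueError as err:
        return Decision(False, f"deny: malformed frame ({err})")
    if fc in READ_FUNCTIONS:
        return Decision(True, f"allow: read fc={fc} to unit {unit}")
    if fc in WRITE_FUNCTIONS:
        return Decision(False, f"deny: write fc={fc} to unit {unit} is a command to an actuator")
    return Decision(False, f"deny: fc={fc} not in the permitted set (default deny)")


# Constructed sample frames (not captured traffic): MBAP header followed by the PDU.
SAMPLE_FRAMES = {
    "read_holding_regs": bytes.fromhex("0001 0000 0006 01 03 0000 000a"),          # fc 3, 10 registers from 0
    "write_single_reg":  bytes.fromhex("0002 0000 0006 01 06 0010 00ff"),          # fc 6, register 0x10 := 0xff
    "write_multi_coils": bytes.fromhex("0004 0000 0009 01 0f 0013 000a 02 cd01"),  # fc 15, 10 coils from 0x13
    "bad_length":        bytes.fromhex("0003 0000 0009 01 03 0000 0001"),          # length field says 9, frame has 6
}

if __name__ == "__main__":
    for name, frame in SAMPLE_FRAMES.items():
        print(f"{name:<20} {enforce_flow(frame).reason}")
```

The default-deny branch matters as much as the write branch: function codes outside the read set (diagnostics, encapsulated interface transport, vendor-specific codes) are blocked without having to be enumerated, and a frame whose length field disagrees with its size is dropped rather than guessed at.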
AC-5 SEPARATION OF DUTIES
CNTL NO.   CONTROL NAME / Control Enhancement Name                                               CONTROL BASELINES
                                                                                                 LOW       MOD       HIGH
AC-5       Separation of Duties                                                                  -         Selected  Selected
ICS Supplemental Guidance: Example compensating controls include providing increased personnel security and auditing. The
organization carefully considers the appropriateness of a single individual performing multiple critical roles.
AC-6 LEAST PRIVILEGE
CNTL NO.   CONTROL NAME / Control Enhancement Name                                               CONTROL BASELINES
                                                                                                 LOW       MOD       HIGH
AC-6       Least Privilege                                                                       -         Selected  Selected
AC-6 (1)   LEAST PRIVILEGE | AUTHORIZE ACCESS TO SECURITY FUNCTIONS                              -         Selected  Selected
AC-6 (2)   LEAST PRIVILEGE | NON-PRIVILEGED ACCESS FOR NONSECURITY FUNCTIONS                     -         Selected  Selected
AC-6 (3)   LEAST PRIVILEGE | NETWORK ACCESS TO PRIVILEGED COMMANDS                               -         -         Selected
AC-6 (5)   LEAST PRIVILEGE | PRIVILEGED ACCOUNTS                                                 -         Selected  Selected
AC-6 (9)   LEAST PRIVILEGE | AUDITING USE OF PRIVILEGED FUNCTIONS                                -         Selected  Selected
AC-6 (10)  LEAST PRIVILEGE | PROHIBIT NON-PRIVILEGED USERS FROM EXECUTING PRIVILEGED FUNCTIONS   -         Selected  Selected
ICS Supplemental Guidance: Example compensating controls include providing increased personnel security and auditing. The
organization carefully considers the appropriateness of a single individual having multiple critical
privileges. System privilege models may be tailored to enforce integrity and availability (e.g., lower privileges include read access and higher
privileges include write access).
Control Enhancement: (1) ICS Supplemental Guidance: In situations where the ICS cannot support access control to security
functions, the organization employs nonautomated mechanisms or procedures as compensating controls in accordance with the general
tailoring guidance.
Control Enhancement: (2) ICS Supplemental Guidance: In situations where the ICS cannot support access control to nonsecurity
functions, the organization employs nonautomated mechanisms or procedures as compensating controls in accordance with the general
tailoring guidance.
Control Enhancement: (3) ICS Supplemental Guidance: In situations where the ICS cannot support network access control to
privileged commands, the organization employs nonautomated mechanisms or procedures as compensating controls in accordance with the
general tailoring guidance.
Control Enhancement: (5) ICS Supplemental Guidance: In situations where the ICS cannot support access control to privileged
accounts, the organization employs nonautomated mechanisms or procedures as compensating controls in accordance with the general
tailoring guidance.
Control Enhancement: (9) ICS Supplemental Guidance: In general, audit record processing is not performed on the ICS, but on a
separate information system. Example compensating controls include providing an auditing capability on a separate information system.
Control Enhancement: (10) ICS Supplemental Guidance: Example compensating controls include enhanced auditing.
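An added example (written for this edit, not NIST's or any vendor's code) of the privilege model the guidance describes: ordered privilege levels in which the lowest level can only read process values and higher levels can write, a default-deny check that keeps non-privileged users from executing privileged functions (enhancement 10), and every use or attempted use of a privileged function forwarded to an audit sink that stands in for the separate audit system of enhancement 9. The level names, operations and user names are assumptions for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Callable, Dict, List, Optional


class Level(IntEnum):
    """Ordered privilege levels (assumed names). A higher level includes the lower ones."""
    VIEWER = 1     # read-only: observe process values and alarms
    OPERATOR = 2   # may act on the running process (setpoints, alarm acknowledgement)
    ENGINEER = 3   # may change control logic and accounts


# Operation -> minimum level. Read access sits at the lowest level and write
# access above it, so process integrity and availability are protected from
# accounts that only need to look.
OPERATIONS: Dict[str, Level] = {
    "read_tag": Level.VIEWER,
    "acknowledge_alarm": Level.OPERATOR,
    "write_setpoint": Level.OPERATOR,
    "download_logic": Level.ENGINEER,
    "change_user_roles": Level.ENGINEER,
}
PRIVILEGED = {op for op, lvl in OPERATIONS.items() if lvl > Level.VIEWER}


@dataclass(frozen=True)
class AuditRecord:
    user: str
    level: str
    operation: str
    allowed: bool


class Authorizer:
    def __init__(self, users: Dict[str, Level], audit_sink: Callable[[AuditRecord], None]):
        self._users = users
        # The sink represents the separate audit system: the ICS node keeps no
        # audit history of its own, it only emits records.
        self._sink = audit_sink

    def authorize(self, user: str, operation: str) -> bool:
        level: Optional[Level] = self._users.get(user)
        required = OPERATIONS.get(operation)
        # Default deny: an unknown user or an unknown operation is never allowed.
        allowed = level is not None and required is not None and level >= required
        # Every use of a privileged function, and every denial, is auditable.
        if operation in PRIVILEGED or not allowed:
            self._sink(AuditRecord(user, level.name if level is not None else "none", operation, allowed))
        return allowed


def demo() -> List[AuditRecord]:
    """Run a few constructed requests and return what reached the audit sink."""
    records: List[AuditRecord] = []
    auth = Authorizer({"alice": Level.VIEWER, "bob": Level.OPERATOR, "carol": Level.ENGINEER}, records.append)
    for user, op in [("alice", "read_tag"), ("alice", "write_setpoint"), ("bob", "write_setpoint"),
                     ("bob", "download_logic"), ("carol", "download_logic"), ("dave", "read_tag")]:
        print(f"{user:<6} {op:<18} {'ALLOW' if auth.authorize(user, op) else 'DENY'}")
    return records


if __name__ == "__main__":
    demo()
```

Routine reads by a viewer produce no audit traffic, which keeps the record volume on the separate system proportional to what actually needs review: privileged writes and every refusal.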
AC-7 UNSUCCESSFUL LOGIN ATTEMPTS
CNTL NO.   CONTROL NAME / Control Enhancement Name                                               CONTROL BASELINES
                                                                                                 LOW       MOD       HIGH
AC-7       Unsuccessful Login Attempts                                                           Selected  Selected  Selected
ICS Supplemental Guidance: Many ICS must remain continuously on, and operators remain logged onto the system at all times. A
"log-over" capability may be employed. Example compensating controls include logging or recording all unsuccessful login attempts and
alerting ICS security personnel through alarms or other means when the number of organization-defined consecutive invalid access attempts
is exceeded.
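The compensating control just described, as an added example (written for this edit, not taken from NIST SP 800-82): authentication records from an operator workstation are parsed, consecutive failures are counted per account, and an alert is produced once the organization-defined threshold is exceeded. Nothing is locked, because the guidance assumes the ICS and its operator sessions stay up; the alert to ICS security personnel is the control. The log format and the log lines are constructed for this example and do not come from any real product.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed log format (not a real product's): one authentication event per line.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) login: (?P<result>FAILED|ACCEPTED) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: four failures on "operator" then a success, one failure on "engineer".
SAMPLE_LOG = """\
2016-04-12T09:20:01Z hmi-01 login: FAILED user=operator src=10.1.5.23
2016-04-12T09:20:05Z hmi-01 login: FAILED user=operator src=10.1.5.23
2016-04-12T09:20:09Z hmi-01 login: FAILED user=operator src=10.1.5.23
2016-04-12T09:20:14Z hmi-01 login: FAILED user=operator src=10.1.5.23
2016-04-12T09:21:00Z hmi-01 login: ACCEPTED user=operator src=10.1.5.23
2016-04-12T09:22:10Z eng-ws-02 login: FAILED user=engineer src=10.1.7.40
2016-04-12T09:22:15Z eng-ws-02 login: ACCEPTED user=engineer src=10.1.7.40
this line is not an authentication event and is counted as unparsed
"""


def detect_failed_logins(log_text: str, threshold: int = 3) -> Dict[str, object]:
    """Count consecutive failures per account and alert when they exceed `threshold`.

    `threshold` is the organization-defined number of consecutive invalid attempts.
    A successful login resets the account's streak. Accounts are never locked here;
    the returned alerts are what would be sent to ICS security personnel. Each
    further failure past the threshold raises a new alert, so the stream keeps
    reporting while the attempts continue.
    """
    streak: Dict[str, int] = defaultdict(int)
    alerts: List[Dict[str, object]] = []
    unparsed = 0
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            unparsed += 1  # surfaced in the result rather than silently dropped
            continue
        user = m["user"]
        if m["result"] == "ACCEPTED":
            streak[user] = 0
            continue
        streak[user] += 1
        if streak[user] > threshold:
            alerts.append({"ts": m["ts"], "host": m["host"], "user": user,
                           "src": m["src"], "consecutive_failures": streak[user]})
    return {"alerts": alerts, "unparsed_lines": unparsed}


if __name__ == "__main__":
    for alert in detect_failed_logins(SAMPLE_LOG)["alerts"]:
        print("ALERT", alert)
```

The unparsed-line count is part of the result on purpose: a log source that changes format, or stops reporting authentication events, would otherwise look like a quiet system, which is the wrong conclusion for a control that exists to notice failed access attempts.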
AC-8 SYSTEM USE NOTIFICATION
CNTL NO.   CONTROL NAME / Control Enhancement Name                                               CONTROL BASELINES
                                                                                                 LOW       MOD       HIGH
AC-8       System Use Notification                                                               Selected  Selected  Selected
ICS Supplemental Guidance: Many ICS must remain continuously on and system use notification may not be supported or
effective. Example compensating controls include posting physical notices in ICS facilities.
AC-10 CONCURRENT SESSION CONTROL
CNTL NO.   CONTROL NAME / Control Enhancement Name                                               CONTROL BASELINES
                                                                                                 LOW       MOD       HIGH
AC-10      Concurrent Session Control                                                            -         -         Selected
ICS Supplemental Guidance: The number, account type, and privileges of concurrent sessions takes into account the roles and
responsibilities of the affected individuals. Example compensating controls include providing increased auditing measures.
AC-11 SESSION LOCK
CNTL NO.   CONTROL NAME / Control Enhancement Name                                               CONTROL BASELINES
                                                                                                 LOW       MOD       HIGH
AC-11      Session Lock                                                                          -         Selected  Selected
AC-11 (1)  SESSION LOCK | PATTERN-HIDING DISPLAYS                                                -         Selected  Selected
ICS Supplemental Guidance: This control assumes a staffed environment where users interact with information system displays.
When this assumption does not apply, the organization tailors the control appropriately (e.g., the ICS may be physically protected by
placement in a locked enclosure). The control may also be tailored for ICS that are not configured with displays, but which have the
capability to support displays (e.g., ICS to which a maintenance technician may attach a display). In some cases, session lock for ICS
operator workstations/nodes is not advised (e.g., when immediate operator responses are required in emergency situations). Example
compensating controls include locating the display in an area with physical access controls that limit access to individuals with permission
and need-to-know for the displayed information.
Control Enhancement: (1) ICS Supplemental Guidance: ICS may employ physical protection to prevent access to a display or to
prevent attachment of a display. In situations where the ICS cannot conceal displayed information, the organization employs nonautomated
mechanisms or procedures as compensating controls in accordance with the general tailoring guidance.
AC-12 SESSION TERMINATION
CNTL NO.   CONTROL NAME / Control Enhancement Name                                               CONTROL BASELINES
                                                                                                 LOW       MOD       HIGH
AC-12      Session Termination                                                                   -         Selected  Selected
ICS Supplemental Guidance: Example compensating controls include providing increased auditing measures or limiting remote
access privileges to key personnel.
AC-14 PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION
CNTL NO.   CONTROL NAME / Control Enhancement Name                                               CONTROL BASELINES
                                                                                                 LOW       MOD       HIGH
AC-14      Permitted Actions without Identification or Authentication                            -         Selected  Selected
No ICS Supplemental Guidance.
AC-17 REMOTE ACCESS
CNTL NO.   CONTROL NAME / Control Enhancement Name                                               CONTROL BASELINES
                                                                                                 LOW       MOD       HIGH
AC-17      Remote Access                                                                         Selected  Selected  Selected
AC-17 (1)  REMOTE ACCESS | AUTOMATED MONITORING / CONTROL                                        -         Selected  Selected
AC-17 (2)  REMOTE ACCESS | PROTECTION OF CONFIDENTIALITY / INTEGRITY USING ENCRYPTION            -         Selected  Selected
AC-17 (3)  REMOTE ACCESS | MANAGED ACCESS CONTROL POINTS                                         -         Selected  Selected
AC-17 (4)  REMOTE ACCESS | PRIVILEGED COMMANDS / ACCESS                                          -         Selected  Selected
ICS Supplemental Guidance: In situations where the ICS cannot implement any or all of the components of this control, the
organization employs other mechanisms or procedures as compensating controls in accordance with the general tailoring guidance.
Control Enhancement: (1) ICS Supplemental Guidance: Example compensating controls include employing nonautomated
mechanisms or procedures as compensating controls (e.g., following manual authentication [see IA-2], dial-in remote access may be enabled
for a specified period of time, or a call may be placed from the ICS site to the authenticated remote entity).
Control Enhancement: (2) ICS Supplemental Guidance: ICS security objectives often rank confidentiality below availability and
integrity. The organization explores all possible cryptographic mechanisms (e.g., encryption, digital signature, hash function). Each
mechanism has a different delay impact. Example compensating controls include providing increased auditing for remote sessions or limiting
remote access privileges to key personnel.
Control Enhancement: (3) ICS Supplemental Guidance: Example compensating controls include connection-specific manual
authentication of the remote entity.
Control Enhancement: (4) No ICS Supplemental Guidance.
ICS Supplemental Guidance: Example compensating controls include employing nonautomated mechanisms or procedures as
compensating controls in accordance with the general tailoring guidance.
AC-18 WIRELESS ACCESS
CNTL NO.   CONTROL NAME / Control Enhancement Name                                               CONTROL BASELINES
                                                                                                 LOW       MOD       HIGH
AC-18      Wireless Access                                                                       Selected  Selected  Selected
AC-18 (1)  WIRELESS ACCESS | AUTHENTICATION AND ENCRYPTION                                       -         Selected  Selected
AC-18 (4)  WIRELESS ACCESS | RESTRICT CONFIGURATIONS BY USERS                                    -         -         Selected
AC-18 (5)  WIRELESS ACCESS | CONFINE WIRELESS COMMUNICATIONS                                     -         -         Selected
ICS Supplemental Guidance: In situations where the ICS cannot implement any or all of the components of this control, the
organization employs other mechanisms or procedures as compensating controls in accordance with the general tailoring guidance.
Control Enhancement: (1) ICS Supplemental Guidance: See AC-17 Control Enhancement: (1) ICS Supplemental Guidance.
Example compensating controls include providing increased auditing for wireless access or limiting wireless access privileges to key
personnel.
Control Enhancement: (4, 5) No ICS Supplemental Guidance.
AC-19 ACCESS CONTROL FOR MOBILE DEVICES
CNTL NO.   CONTROL NAME / Control Enhancement Name                                               CONTROL BASELINES
                                                                                                 LOW       MOD       HIGH
AC-19      Access Control for Mobile Devices                                                     Selected  Selected  Selected
AC-19 (5)  ACCESS CONTROL FOR MOBILE DEVICES | FULL DEVICE / CONTAINER-BASED ENCRYPTION          -         Selected  Selected
No ICS Supplemental Guidance.
AC-20 USE OF EXTERNAL INFORMATION SYSTEMS
CNTL NO.   CONTROL NAME / Control Enhancement Name                                               CONTROL BASELINES
                                                                                                 LOW       MOD       HIGH
AC-20      Use of External Information Systems                                                   Selected  Selected  Selected
AC-20 (1)  USE OF EXTERNAL INFORMATION SYSTEMS | LIMITS ON AUTHORIZED USE                        -         Selected  Selected
AC-20 (2)  USE OF EXTERNAL INFORMATION SYSTEMS | PORTABLE STORAGE MEDIA                          -         Selected  Selected
ICS Supplemental Guidance: Organizations refine the definition of "external" to reflect lines of authority and responsibility;
granularity of organization entity; and their relationships. An organization may consider a system to be external if that system performs
different functions, implements different policies, comes under different managers, or does not provide sufficient visibility into the
implementation of security controls to allow the establishment of a satisfactory trust relationship. For example, a process control system and
a business data processing system would typically be considered external to each other. Access to an ICS for support by a business partner,
such as a vendor or support contractor, is another common example. The definition and trustworthiness of external information systems is
reexamined with respect to ICS functions, purposes, technology, and limitations to
establish a clear documented technical or business case for use and an acceptance of the risk inherent in the use of an external information
system.
Control Enhancement: (1, 2) No ICS Supplemental Guidance.
AC-21 INFORMATION SHARING
CNTL NO.   CONTROL NAME / Control Enhancement Name                                               CONTROL BASELINES
                                                                                                 LOW       MOD       HIGH
AC-21      Collaboration and Information Sharing                                                 Added     Selected  Selected
ICS Supplemental Guidance: The organization should collaborate and share information about potential incidents on a timely basis.
The DHS National Cybersecurity & Communications Integration Center (NCCIC), http://www.dhs.gov/about-national-cybersecurity-communications-integration-center,
serves as a centralized location where operational elements involved in cybersecurity and communications reliance are coordinated and
integrated. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), http://ics-cert.us-cert.gov/ics-cert/, collaborates
with international and private sector Computer Emergency Response Teams (CERTs) to share control systems-related security incidents and
mitigation measures. Organizations should consider having both an unclassified and classified information sharing capability.
Rationale for adding AC-21 to low baseline: ICS systems provide essential services and control functions and are often connected
to other ICS systems or business systems that can be vectors of attack. It is therefore necessary to provide a uniform defense encompassing
all baselines.
AC-22 PUBLICLY ACCESSIBLE CONTENT
CNTL NO.   CONTROL NAME / Control Enhancement Name                                               CONTROL BASELINES
                                                                                                 LOW       MOD       HIGH
AC-22      Publicly Accessible Content                                                           Selected  Selected  Selected
ICS Supplemental Guidance: Generally, public access to ICS systems is not permitted. Selected information may be transferred to a
publicly accessible information system, possibly with added controls (e.g., introduction of fuzziness or delay).
AWARENESS AND TRAINING – AT
Supplemental Guidance
Supplemental Guidance for all Controls and Control Enhancements in NIST SP 800-53 Rev. 4, Appendix F, should be used in
conjunction with the ICS Supplemental Guidance in this overlay, if any.
AT-1 SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES
CNTL NO.   CONTROL NAME / Control Enhancement Name                                               CONTROL BASELINES
                                                                                                 LOW       MOD       HIGH
AT-1       Security Awareness and Training Policy and Procedures                                 Selected  Selected  Selected
ICS Supplemental Guidance: The policy specifically addresses the unique properties and requirements of ICS and the relationship
to non-ICS systems.
AT-2 SECURITY AWARENESS TRAINING
CNTL NO.   CONTROL NAME / Control Enhancement Name                                               CONTROL BASELINES
                                                                                                 LOW       MOD       HIGH
AT-2       Security Awareness                                                                    Selected  Selected  Selected
ICS Supplemental Guidance: Security awareness training includes initial and periodic review of ICS-specific policies, standard
operating procedures, security trends, and vulnerabilities. The ICS security awareness program is consistent with the requirements of the
security awareness and training policy established by the organization.
Control Enhancement: (2) No ICS Supplemental Guidance.
AT-3 ROLE-BASED SECURITY TRAINING
CNTL NO.   CONTROL NAME / Control Enhancement Name                                               CONTROL BASELINES
                                                                                                 LOW       MOD       HIGH
AT-3       Role-Based Security Training                                                          Selected  Selected  Selected
ICS Supplemental Guidance: Security training includes initial and periodic review of ICS-specific policies, standard operating
procedures, security trends, and vulnerabilities. The ICS security training program is consistent with the requirements of the security
awareness and training policy established by the organization.
AT-4 SECURITY TRAINING RECORDS
CNTL NO.   CONTROL NAME / Control Enhancement Name                                               CONTROL BASELINES
                                                                                                 LOW       MOD       HIGH
AT-4       Security Training Records                                                             Selected  Selected  Selected
No ICS Supplemental Guidance.
AUDITING AND ACCOUNTABILITY – AU
Tailoring Considerations for Audit Family
In general, audit information and audit tools are not present on legacy ICS, but on a separate information system (e.g., the historian). In situations where the ICS cannot support the specific Audit and Accountability requirements of a control, the organization employs compensating controls in accordance with the general tailoring guidance. Examples of compensating controls are given with each control, as appropriate.
Supplemental Guidance
Supplemental Guidance for all Controls and Control Enhancements in NIST SP 800-53 Rev. 4, Appendix F, should be used in conjunction with the ICS Supplemental Guidance in this overlay, if any.
AU-1 AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES
CNTL NO.   CONTROL NAME / Control Enhancement Name   CONTROL BASELINES (LOW / MOD / HIGH)
AU-1       Audit and Accountability Policy and Procedures   LOW: Selected  MOD: Selected  HIGH: Selected
ICS Supplemental Guidance: The policy specifically addresses the unique properties and requirements of ICS and the relationship to non-ICS systems.
AU-2 AUDIT EVENTS
CNTL NO.   CONTROL NAME / Control Enhancement Name   CONTROL BASELINES (LOW / MOD / HIGH)
AU-2       Auditable Events   LOW: Selected  MOD: Selected  HIGH: Selected
AU-2 (3)   AUDITABLE EVENTS | REVIEWS AND UPDATES   MOD: Selected  HIGH: Selected
ICS Supplemental Guidance: The organization may designate ICS events as audit events, requiring that ICS data and/or telemetry be recorded as audit data.
Control Enhancement: (3) No ICS Supplemental Guidance.
AU-3 CONTENT OF AUDIT RECORDS
CNTL NO.   CONTROL NAME / Control Enhancement Name   CONTROL BASELINES (LOW / MOD / HIGH)
AU-3       Content of Audit Records   LOW: Selected  MOD: Selected  HIGH: Selected
AU-3 (1)   CONTENT OF AUDIT RECORDS | ADDITIONAL AUDIT INFORMATION   MOD: Selected  HIGH: Selected
AU-3 (2)   CONTENT OF AUDIT RECORDS | CENTRALIZED MANAGEMENT OF PLANNED AUDIT RECORD CONTENT   HIGH: Selected
ICS Supplemental Guidance: Example compensating controls include providing an auditing capability on a separate information system.
Control Enhancement: (1, 2) No ICS Supplemental Guidance.
AU-4 AUDIT STORAGE CAPACITY
CNTL NO.   CONTROL NAME / Control Enhancement Name   CONTROL BASELINES (LOW / MOD / HIGH)
AU-4       Audit Storage Capacity   LOW: Selected  MOD: Selected  HIGH: Selected
AU-4 (1)   AUDIT STORAGE CAPACITY | TRANSFER TO ALTERNATE STORAGE   LOW: Added  MOD: Added  HIGH: Added
No ICS Supplemental Guidance.
Control Enhancement: (1) ICS Supplemental Guidance: Legacy ICS are typically configured with remote storage on a separate information system (e.g., the historian accumulates historical operational ICS data and is backed up for
AUDITING AND ACCOUNTABILITY – AU
Tailoring Considerations for Audit Family
In general, audit information and audit tools are not present on legacy ICS but on a separate information system (e.g., the historian). In situations where the ICS does not support the specific Audit and Accountability requirements of a control, compensating controls are adopted in accordance with the general tailoring guidance. Examples of compensating controls are given with each control, as appropriate.
Supplemental Guidance
Where available, all Supplemental Guidance for Controls and Control Enhancements in NIST SP 800-53 Rev. 4, Appendix F, should be used in conjunction with the ICS Supplemental Guidance in this overlay.
AU-1 AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES
CNTL NO.   CONTROL NAME / Control Enhancement Name   CONTROL BASELINES (LOW / MOD / HIGH)
AU-1       Audit and Accountability Policy and Procedures   LOW: Selected  MOD: Selected  HIGH: Selected
ICS Supplemental Guidance: The policy specifically addresses the unique properties and requirements of ICS and the relationship to non-ICS systems.
AU-2 AUDIT EVENTS
CNTL NO.   CONTROL NAME / Control Enhancement Name   CONTROL BASELINES (LOW / MOD / HIGH)
AU-2       Audit Events   LOW: Selected  MOD: Selected  HIGH: Selected
AU-2 (3)   AUDIT EVENTS | REVIEWS AND UPDATES   MOD: Selected  HIGH: Selected
ICS Supplemental Guidance: The organization designates ICS events as audit events and requires that ICS data and telemetry be recorded as audit data.
Control Enhancement: (3) No ICS Supplemental Guidance.
AU-3 CONTENT OF AUDIT RECORDS
CNTL NO.   CONTROL NAME / Control Enhancement Name   CONTROL BASELINES (LOW / MOD / HIGH)
AU-3       Content of Audit Records   LOW: Selected  MOD: Selected  HIGH: Selected
AU-3 (1)   CONTENT OF AUDIT RECORDS | ADDITIONAL AUDIT INFORMATION   MOD: Selected  HIGH: Selected
AU-3 (2)   CONTENT OF AUDIT RECORDS | CENTRALIZED MANAGEMENT OF PLANNED AUDIT RECORD CONTENT   HIGH: Selected
ICS Supplemental Guidance: Example compensating controls include providing an auditing capability on a separate information system.
Control Enhancement: (1, 2) No ICS Supplemental Guidance.
AU-4 AUDIT STORAGE CAPACITY
CNTL NO.   CONTROL NAME / Control Enhancement Name   CONTROL BASELINES (LOW / MOD / HIGH)
AU-4       Audit Storage Capacity   LOW: Selected  MOD: Selected  HIGH: Selected
AU-4 (1)   AUDIT STORAGE CAPACITY | TRANSFER TO ALTERNATE STORAGE   LOW: Added  MOD: Added  HIGH: Added
No ICS Supplemental Guidance.
Control Enhancement: (1) ICS Supplemental Guidance: Legacy ICS are typically configured with remote storage on a separate information system (the historian accumulates historical operational ICS data and keeps it in storage at a different site).
storage at a different site). ICS are currently using online backup services and increasingly moving to Cloud based and Virtualized services. Retention of some data (e.g., SCADA telemetry) may be required by regulatory authorities.
Rationale for adding AU-4 (1) to all baselines: Legacy ICS components typically do not have capacity to store or analyze audit data. The retention periods for some data, particularly compliance data, may require large volumes of storage.
AU-5 RESPONSE TO AUDIT PROCESSING FAILURES
CNTL NO.   CONTROL NAME / Control Enhancement Name   CONTROL BASELINES (LOW / MOD / HIGH)
AU-5       Response to Audit Processing Failures   LOW: Selected  MOD: Selected  HIGH: Selected
AU-5 (1)   RESPONSE TO AUDIT PROCESSING FAILURES | AUDIT STORAGE CAPACITY   HIGH: Selected
AU-5 (2)   RESPONSE TO AUDIT PROCESSING FAILURES | REAL-TIME ALERTS   HIGH: Selected
No ICS Supplemental Guidance.
AU-6 AUDIT REVIEW, ANALYSIS, AND REPORTING
CNTL NO.   CONTROL NAME / Control Enhancement Name   CONTROL BASELINES (LOW / MOD / HIGH)
AU-6       Audit Review, Analysis, and Reporting   LOW: Selected  MOD: Selected  HIGH: Selected
AU-6 (1)   AUDIT REVIEW, ANALYSIS, AND REPORTING | PROCESS INTEGRATION   MOD: Selected  HIGH: Selected
AU-6 (3)   AUDIT REVIEW, ANALYSIS, AND REPORTING | CORRELATE AUDIT REPOSITORIES   MOD: Selected  HIGH: Selected
AU-6 (5)   AUDIT REVIEW, ANALYSIS, AND REPORTING | INTEGRATION / SCANNING AND MONITORING CAPABILITIES   HIGH: Selected
AU-6 (6)   AUDIT REVIEW, ANALYSIS, AND REPORTING | CORRELATION WITH PHYSICAL MONITORING   HIGH: Selected
No ICS Supplemental Guidance.
Control Enhancement: (1) ICS Supplemental Guidance: Example compensating controls include manual mechanisms or procedures.
Control Enhancement: (3, 5, 6) No ICS Supplemental Guidance.
AU-7 AUDIT REDUCTION AND REPORT GENERATION
CNTL NO.   CONTROL NAME / Control Enhancement Name   CONTROL BASELINES (LOW / MOD / HIGH)
AU-7       Audit Reduction and Report Generation   MOD: Selected  HIGH: Selected
AU-7 (1)   AUDIT REDUCTION AND REPORT GENERATION | AUTOMATIC PROCESSING   MOD: Selected  HIGH: Selected
No ICS Supplemental Guidance.
Control Enhancement: (1) No ICS Supplemental Guidance.
AU-8 TIME STAMPS
CNTL NO.   CONTROL NAME / Control Enhancement Name   CONTROL BASELINES (LOW / MOD / HIGH)
AU-8       Time Stamps   LOW: Selected  MOD: Selected  HIGH: Selected
AU-8 (1)   TIME STAMPS | SYNCHRONIZATION WITH AUTHORITATIVE TIME SOURCE   MOD: Selected  HIGH: Selected
ICS Supplemental Guidance: Example compensating controls include using a separate information system designated as an authoritative time source.
Control Enhancement: (1) ICS Supplemental Guidance: ICS employ suitable mechanisms (e.g., GPS, IEEE 1588) for time stamps.
ICS are currently using online backup services but are increasingly moving to cloud-based virtualized services. Retention of certain data (e.g., SCADA telemetry) may be required by regulatory authorities.
Rationale for adding AU-4 (1) to all baselines: Legacy ICS components generally do not have the capacity to store or analyze audit data. The retention periods for certain data, particularly compliance data, can require large volumes of storage.
AU-5 RESPONSE TO AUDIT PROCESSING FAILURES
CNTL NO.   CONTROL NAME / Control Enhancement Name   CONTROL BASELINES (LOW / MOD / HIGH)
AU-5       Response to Audit Processing Failures   LOW: Selected  MOD: Selected  HIGH: Selected
AU-5 (1)   RESPONSE TO AUDIT PROCESSING FAILURES | AUDIT STORAGE CAPACITY   HIGH: Selected
AU-5 (2)   RESPONSE TO AUDIT PROCESSING FAILURES | REAL-TIME ALERTS   HIGH: Selected
No ICS Supplemental Guidance.
AU-6 AUDIT REVIEW, ANALYSIS, AND REPORTING
CNTL NO.   CONTROL NAME / Control Enhancement Name   CONTROL BASELINES (LOW / MOD / HIGH)
AU-6       Audit Review, Analysis, and Reporting   LOW: Selected  MOD: Selected  HIGH: Selected
AU-6 (1)   AUDIT REVIEW, ANALYSIS, AND REPORTING | PROCESS INTEGRATION   MOD: Selected  HIGH: Selected
AU-6 (3)   AUDIT REVIEW, ANALYSIS, AND REPORTING | CORRELATE AUDIT REPOSITORIES   MOD: Selected  HIGH: Selected
AU-6 (5)   AUDIT REVIEW, ANALYSIS, AND REPORTING | INTEGRATION / SCANNING AND MONITORING CAPABILITIES   HIGH: Selected
AU-6 (6)   AUDIT REVIEW, ANALYSIS, AND REPORTING | CORRELATION WITH PHYSICAL MONITORING   HIGH: Selected
No ICS Supplemental Guidance.
Control Enhancement: (1) ICS Supplemental Guidance: Example compensating controls include manual mechanisms or procedures.
Control Enhancement: (3, 5, 6) No ICS Supplemental Guidance.
AU-7 AUDIT REDUCTION AND REPORT GENERATION
CNTL NO.   CONTROL NAME / Control Enhancement Name   CONTROL BASELINES (LOW / MOD / HIGH)
AU-7       Audit Reduction and Report Generation   MOD: Selected  HIGH: Selected
AU-7 (1)   AUDIT REDUCTION AND REPORT GENERATION | AUTOMATIC PROCESSING   MOD: Selected  HIGH: Selected
No ICS Supplemental Guidance.
Control Enhancement: (1) No ICS Supplemental Guidance.
AU-8 TIME STAMPS
CNTL NO.   CONTROL NAME / Control Enhancement Name   CONTROL BASELINES (LOW / MOD / HIGH)
AU-8       Time Stamps   LOW: Selected  MOD: Selected  HIGH: Selected
AU-8 (1)   TIME STAMPS | SYNCHRONIZATION WITH AUTHORITATIVE TIME SOURCE   MOD: Selected  HIGH: Selected
ICS Supplemental Guidance: Example compensating controls include using a separate information system designated as an authoritative time source.
Control Enhancement: (1) ICS Supplemental Guidance: ICS employ suitable mechanisms for time stamps (e.g., the Global Positioning System [GPS], IEEE 1588).
AU-9 PROTECTION OF AUDIT INFORMATION
CNTL NO.   CONTROL NAME / Control Enhancement Name   CONTROL BASELINES (LOW / MOD / HIGH)
AU-9       Protection of Audit Information   LOW: Selected  MOD: Selected  HIGH: Selected
AU-9 (2)   PROTECTION OF AUDIT INFORMATION | AUDIT BACKUP ON SEPARATE PHYSICAL SYSTEMS / COMPONENTS   HIGH: Selected
AU-9 (3)   PROTECTION OF AUDIT INFORMATION | CRYPTOGRAPHIC PROTECTION   HIGH: Selected
AU-9 (4)   PROTECTION OF AUDIT INFORMATION | ACCESS BY SUBSET OF PRIVILEGED USERS   MOD: Selected  HIGH: Selected
No ICS Supplemental Guidance.
AU-10 NON-REPUDIATION
CNTL NO.   CONTROL NAME / Control Enhancement Name   CONTROL BASELINES (LOW / MOD / HIGH)
AU-10      Non-repudiation   HIGH: Selected
ICS Supplemental Guidance: Example compensating controls include providing non-repudiation on a separate information system.
AU-11 AUDIT RECORD RETENTION
CNTL NO.   CONTROL NAME / Control Enhancement Name   CONTROL BASELINES (LOW / MOD / HIGH)
AU-11      Audit Record Retention   LOW: Selected  MOD: Selected  HIGH: Selected
No ICS Supplemental Guidance.
AU-12 AUDIT GENERATION
CNTL NO.   CONTROL NAME / Control Enhancement Name   CONTROL BASELINES (LOW / MOD / HIGH)
AU-12      Audit Generation   LOW: Selected  MOD: Selected  HIGH: Selected
AU-12 (1)  AUDIT GENERATION | SYSTEM-WIDE / TIME-CORRELATED AUDIT TRAIL   HIGH: Selected
AU-12 (3)  AUDIT GENERATION | CHANGES BY AUTHORIZED INDIVIDUALS   HIGH: Selected
No ICS Supplemental Guidance.
Control Enhancement: (1) ICS Supplemental Guidance: Example compensating controls include providing time-correlated audit records on a separate information system.
Control Enhancement: (3) ICS Supplemental Guidance: Example compensating controls include employing nonautomated mechanisms or procedures.
AU-9 PROTECTION OF AUDIT INFORMATION
CNTL NO.   CONTROL NAME / Control Enhancement Name   CONTROL BASELINES (LOW / MOD / HIGH)
AU-9       Protection of Audit Information   LOW: Selected  MOD: Selected  HIGH: Selected
AU-9 (2)   PROTECTION OF AUDIT INFORMATION | AUDIT BACKUP ON SEPARATE PHYSICAL SYSTEMS / COMPONENTS   HIGH: Selected
AU-9 (3)   PROTECTION OF AUDIT INFORMATION | CRYPTOGRAPHIC PROTECTION   HIGH: Selected
AU-9 (4)   PROTECTION OF AUDIT INFORMATION | ACCESS BY SUBSET OF PRIVILEGED USERS   MOD: Selected  HIGH: Selected
No ICS Supplemental Guidance.
AU-10 NON-REPUDIATION
CNTL NO.   CONTROL NAME / Control Enhancement Name   CONTROL BASELINES (LOW / MOD / HIGH)
AU-10      Non-repudiation   HIGH: Selected
ICS Supplemental Guidance: Example compensating controls include providing a non-repudiation capability on a separate information system.
AU-11 AUDIT RECORD RETENTION
CNTL NO.   CONTROL NAME / Control Enhancement Name   CONTROL BASELINES (LOW / MOD / HIGH)
AU-11      Audit Record Retention   LOW: Selected  MOD: Selected  HIGH: Selected
No ICS Supplemental Guidance.
AU-12 AUDIT GENERATION
CNTL NO.   CONTROL NAME / Control Enhancement Name   CONTROL BASELINES (LOW / MOD / HIGH)
AU-12      Audit Generation   LOW: Selected  MOD: Selected  HIGH: Selected
AU-12 (1)  AUDIT GENERATION | SYSTEM-WIDE / TIME-CORRELATED AUDIT TRAIL   HIGH: Selected
AU-12 (3)  AUDIT GENERATION | CHANGES BY AUTHORIZED INDIVIDUALS   HIGH: Selected
No ICS Supplemental Guidance.
Control Enhancement: (1) ICS Supplemental Guidance: Example compensating controls include providing time-correlated audit records on a separate information system.
Control Enhancement: (3) ICS Supplemental Guidance: Example compensating controls include nonautomated mechanisms or procedures.
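The AU-family compensating controls above (AU-2 telemetry as audit data, AU-4 (1) storage on a separate system, AU-8 authoritative time source, AU-9 (3) cryptographic protection, AU-12 (1) time-correlated trail) share one shape: a legacy controller forwards events to a separate system such as the historian, which stamps and protects them. The following is an added example, not code from NIST or JPCERT, of such a historian-side trail as an HMAC-chained append-only log; the key, the clock stand-in and the telemetry are constructed.

```python
"""HMAC-chained ICS audit trail kept on a separate system (added example; constructed data)."""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

AUDIT_KEY = b"constructed-demo-key"   # constructed; a real deployment draws it from the historian's key store
GENESIS = "0" * 64                    # chain anchor used as the 'prev' of the first record


class AuthoritativeClock:
    """Stand-in for the organization's designated time source (e.g. a GPS-disciplined or
    IEEE 1588 master clock); it ticks one second per call so the example is reproducible."""

    def __init__(self, start: datetime):
        self._now = start

    def now(self) -> datetime:
        self._now += timedelta(seconds=1)
        return self._now


def record_mac(key: bytes, rec: dict) -> str:
    """HMAC-SHA256 over the canonical JSON of every field except the MAC itself."""
    body = json.dumps({k: v for k, v in rec.items() if k != "mac"}, sort_keys=True)
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


class ChainedAuditLog:
    """Append-only trail in which each record carries the MAC of its predecessor, so editing,
    deleting or reordering any record invalidates that record and everything after it."""

    def __init__(self, key: bytes, clock: AuthoritativeClock):
        self._key, self._clock = key, clock
        self.records = []

    def append(self, source: str, event: dict) -> dict:
        rec = {
            "seq": len(self.records),
            "ts": self._clock.now().isoformat(),   # AU-8: stamped by the authoritative source
            "source": source,                      # the PLC / RTU / HMI the data came from
            "event": event,                        # AU-2: ICS telemetry recorded as audit data
            "prev": self.records[-1]["mac"] if self.records else GENESIS,
        }
        rec["mac"] = record_mac(self._key, rec)
        self.records.append(rec)
        return rec


def verify_chain(records: list, key: bytes) -> tuple:
    """(True, None) if the trail is intact, else (False, seq of the first bad record)."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec.get("seq") != i or rec.get("prev") != prev:
            return False, i                        # gap, reorder or deletion
        if not hmac.compare_digest(record_mac(key, rec), rec.get("mac", "")):
            return False, i                        # content or timestamp edited
        prev = rec["mac"]
    return True, None


def build_sample_log() -> ChainedAuditLog:
    """Constructed telemetry from three components, written to the separate audit system."""
    clock = AuthoritativeClock(datetime(2024, 1, 1, 0, 0, 0, tzinfo=timezone.utc))
    log = ChainedAuditLog(AUDIT_KEY, clock)
    log.append("PLC-01", {"op": "setpoint_write", "tag": "FIC-101.SP", "value": 42.0, "user": "eng1"})
    log.append("RTU-07", {"op": "telemetry", "tag": "PT-204.PV", "value": 3.1})
    log.append("HMI-02", {"op": "logon", "user": "operator3"})
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print(verify_chain(log.records, AUDIT_KEY))        # (True, None)
    log.records[1]["event"]["value"] = 9.9              # simulate tampering on the historian
    print(verify_chain(log.records, AUDIT_KEY))        # (False, 1)
```

The chain only detects tampering; AU-9 (2)'s backup on a separate physical system is what lets the trail be restored after it.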
SECURITY ASSESSMENT AND AUTHORIZATION – CA
Tailoring Considerations for Security Assessment and Authorization Family
In situations where the ICS cannot support the specific Security Assessment and Authorization requirements of a control, the organization employs compensating controls in accordance with the general tailoring guidance. Examples of compensating controls are given with each control, as appropriate.
Supplemental Guidance
Supplemental Guidance for all Controls and Control Enhancements in NIST SP 800-53 Rev. 4, Appendix F, should be used in conjunction with the ICS Supplemental Guidance in this overlay, if any.
CA-1 SECURITY ASSESSMENT AND AUTHORIZATION POLICY AND PROCEDURES
CNTL NO.   CONTROL NAME / Control Enhancement Name   CONTROL BASELINES (LOW / MOD / HIGH)
CA-1       Security Assessment and Authorization Policy and Procedures   LOW: Selected  MOD: Selected  HIGH: Selected
ICS Supplemental Guidance: The policy specifically addresses the unique properties and requirements of ICS and the relationship to non-ICS systems.
CA-2 SECURITY ASSESSMENTS
CNTL NO.   CONTROL NAME / Control Enhancement Name   CONTROL BASELINES (LOW / MOD / HIGH)
CA-2       Security Assessments   LOW: Selected  MOD: Selected  HIGH: Selected
CA-2 (1)   SECURITY ASSESSMENTS | INDEPENDENT ASSESSORS   MOD: Selected  HIGH: Selected
CA-2 (2)   SECURITY ASSESSMENTS | TYPES OF ASSESSMENTS   HIGH: Selected
ICS Supplemental Guidance: Assessments are performed and documented by qualified assessors (i.e., experienced in assessing ICS) authorized by the organization. The organization ensures that assessments do not interfere with ICS functions. The individual/group conducting the assessment fully understands the organizational information security policies and procedures, the ICS security policies and procedures, and the specific health, safety, and environmental risks associated with a particular facility and/or process. The organization ensures that the assessment does not affect system operation or result in unintentional system modification. If assessment activities must be performed on the production ICS, it may need to be taken off-line before an assessment can be conducted. If an ICS must be taken off-line to conduct an assessment, the assessment is scheduled to occur during planned ICS outages whenever possible.
Control Enhancement: (1) No ICS Supplemental Guidance.
Control Enhancement: (2) ICS Supplemental Guidance: The organization conducts risk analysis to support the selection of assessment target (e.g., the live system, an off-line replica, a simulation).
CA-3 SYSTEM INTERCONNECTIONS
CNTL NO.   CONTROL NAME / Control Enhancement Name   CONTROL BASELINES (LOW / MOD / HIGH)
CA-3       Information System Connections   LOW: Selected  MOD: Selected  HIGH: Selected
CA-3 (5)   SYSTEM INTERCONNECTIONS | RESTRICTIONS ON EXTERNAL SYSTEM CONNECTIONS   MOD: Selected  HIGH: Selected
ICS Supplemental Guidance: Organizations perform risk-benefit analysis to support determination whether an ICS should be connected to other information system(s). The Authorizing Official fully understands the organizational information security policies and procedures; the ICS security policies and procedures; the risks to organizational operations and assets, individuals, other organizations, and the Nation associated with the connection to other information system(s); and the specific health, safety, and environmental risks associated with a particular interconnection. The AO documents risk acceptance in the ICS system security plan.
Control Enhancement: (5) No ICS Supplemental Guidance.
SECURITY ASSESSMENT AND AUTHORIZATION – CA
Tailoring Considerations for Security Assessment and Authorization Family
In situations where the ICS does not support the specific Security Assessment and Authorization requirements of a control, compensating controls are adopted in accordance with the general tailoring guidance. Examples of compensating controls are given with each control, as appropriate.
Supplemental Guidance
Where available, all Supplemental Guidance for Controls and Control Enhancements in NIST SP 800-53 Rev. 4, Appendix F, should be used in conjunction with the ICS Supplemental Guidance in this overlay.
CA-1 SECURITY ASSESSMENT AND AUTHORIZATION POLICY AND PROCEDURES
CNTL NO.   CONTROL NAME / Control Enhancement Name   CONTROL BASELINES (LOW / MOD / HIGH)
CA-1       Security Assessment and Authorization Policy and Procedures   LOW: Selected  MOD: Selected  HIGH: Selected
ICS Supplemental Guidance: The policy specifically addresses the unique properties and requirements of ICS and the relationship to non-ICS systems.
CA-2 SECURITY ASSESSMENTS
CNTL NO.   CONTROL NAME / Control Enhancement Name   CONTROL BASELINES (LOW / MOD / HIGH)
CA-2       Security Assessments   LOW: Selected  MOD: Selected  HIGH: Selected
CA-2 (1)   SECURITY ASSESSMENTS | INDEPENDENT ASSESSORS   MOD: Selected  HIGH: Selected
CA-2 (2)   SECURITY ASSESSMENTS | TYPES OF ASSESSMENTS   HIGH: Selected
ICS Supplemental Guidance: Assessments are performed and documented by qualified assessors (experienced in assessing ICS) and approved by the organization. Assessments must not interfere with ICS functions. The individual or group conducting the assessment fully understands the organizational information security policies and procedures, the ICS security policies and procedures, and the specific health, safety, and environmental risks associated with a particular facility or process. The organization ensures that the assessment does not affect system operation or result in unintentional system modification. If assessment activities must be performed on the production ICS, it may need to be taken off-line before the assessment can be conducted. If it must be taken off-line, the assessment is scheduled, whenever possible, to occur during planned ICS outages.
Control Enhancement: (1) No ICS Supplemental Guidance.
Control Enhancement: (2) ICS Supplemental Guidance: The organization conducts risk analysis to support the selection of the assessment target (e.g., the live system, an off-line replica, a simulation).
CA-3 SYSTEM INTERCONNECTIONS
CNTL NO.   CONTROL NAME / Control Enhancement Name   CONTROL BASELINES (LOW / MOD / HIGH)
CA-3       Information System Connections   LOW: Selected  MOD: Selected  HIGH: Selected
CA-3 (5)   SYSTEM INTERCONNECTIONS | RESTRICTIONS ON EXTERNAL SYSTEM CONNECTIONS   MOD: Selected  HIGH: Selected
ICS Supplemental Guidance: The organization performs risk-benefit analysis to determine whether an ICS should be connected to other information systems. The Authorizing Official fully understands the following: the organizational information security policies and procedures; the ICS security policies and procedures; the risks to organizational operations, assets, individuals, other organizations, and the Nation associated with the connection to other information systems; and the specific health, safety, and environmental risks associated with a particular interconnection. The AO documents risk acceptance in the ICS system security plan.
Control Enhancement: (5) No ICS Supplemental Guidance.
CA-5 PLAN OF ACTION AND MILESTONES
CNTL NO.   CONTROL NAME / Control Enhancement Name   CONTROL BASELINES (LOW / MOD / HIGH)
CA-5       Plan of Action and Milestones   LOW: Selected  MOD: Selected  HIGH: Selected
No ICS Supplemental Guidance.
CA-6 SECURITY AUTHORIZATION
CNTL NO.   CONTROL NAME / Control Enhancement Name   CONTROL BASELINES (LOW / MOD / HIGH)
CA-6       Security Authorization   LOW: Selected  MOD: Selected  HIGH: Selected
No ICS Supplemental Guidance.
CA-7 CONTINUOUS MONITORING
CNTL NO.   CONTROL NAME / Control Enhancement Name   CONTROL BASELINES (LOW / MOD / HIGH)
CA-7       Continuous Monitoring   LOW: Selected  MOD: Selected  HIGH: Selected
CA-7 (1)   CONTINUOUS MONITORING | INDEPENDENT ASSESSMENT   MOD: Selected  HIGH: Selected
ICS Supplemental Guidance: Continuous monitoring programs for ICS are designed, documented, and implemented by qualified personnel (i.e., experienced with ICS) selected by the organization. The organization ensures that continuous monitoring does not interfere with ICS functions. The individual/group designing and conducting the continuous monitoring fully understands the organizational information security policies and procedures, the ICS security policies and procedures, and the specific health, safety, and environmental risks associated with a particular facility and/or process. The organization ensures that continuous monitoring does not affect system operation or result in intentional or unintentional system modification. Example compensating controls include external monitoring.
Control Enhancement: (1) No ICS Supplemental Guidance.
CA-8 PENETRATION TESTING
CNTL NO.   CONTROL NAME / Control Enhancement Name   CONTROL BASELINES (LOW / MOD / HIGH)
CA-8       Penetration Testing   HIGH: Selected
ICS Supplemental Guidance: Penetration testing is used with care on ICS networks to ensure that ICS functions are not adversely impacted by the testing process. In general, ICS are highly sensitive to timing constraints and have limited resources. Example compensating controls include employing a replicated, virtualized, or simulated system to conduct penetration testing. Production ICS may need to be taken off-line before testing can be conducted. If ICS are taken off-line for testing, tests are scheduled to occur during planned ICS outages whenever possible. If penetration testing is performed on non-ICS networks, extra care is taken to ensure that tests do not propagate into the ICS network.
CA-5 PLAN OF ACTION AND MILESTONES
CNTL NO.   CONTROL NAME / Control Enhancement Name   CONTROL BASELINES (LOW / MOD / HIGH)
CA-5       Plan of Action and Milestones   LOW: Selected  MOD: Selected  HIGH: Selected
No ICS Supplemental Guidance.
CA-6 SECURITY AUTHORIZATION
CNTL NO.   CONTROL NAME / Control Enhancement Name   CONTROL BASELINES (LOW / MOD / HIGH)
CA-6       Security Authorization   LOW: Selected  MOD: Selected  HIGH: Selected
No ICS Supplemental Guidance.
CA-7 CONTINUOUS MONITORING
CNTL NO.   CONTROL NAME / Control Enhancement Name   CONTROL BASELINES (LOW / MOD / HIGH)
CA-7       Continuous Monitoring   LOW: Selected  MOD: Selected  HIGH: Selected
CA-7 (1)   CONTINUOUS MONITORING | INDEPENDENT ASSESSMENT   MOD: Selected  HIGH: Selected
ICS Supplemental Guidance: Continuous monitoring of ICS is designed, documented, and implemented by qualified personnel selected by the organization (e.g., personnel experienced with ICS). Continuous monitoring must not interfere with ICS functions. The individual or group designing and conducting the continuous monitoring fully understands the organizational information security policies and procedures, the ICS security policies and procedures, and the specific health, safety, and environmental risks associated with a particular facility or process. The organization ensures that continuous monitoring does not affect system operation or result in intentional or unintentional system modification. Example compensating controls include external monitoring.
Control Enhancement: (1) No ICS Supplemental Guidance.
CA-8 PENETRATION TESTING
CNTL NO.   CONTROL NAME / Control Enhancement Name   CONTROL BASELINES (LOW / MOD / HIGH)
CA-8       Penetration Testing   HIGH: Selected
ICS Supplemental Guidance: Penetration testing on ICS networks is performed with care so that the testing process does not adversely affect ICS functions. In general, ICS are sensitive to timing constraints and have limited resources. Example compensating controls include conducting penetration testing on a replicated, virtualized, or simulated system. Production ICS need to be taken off-line before testing. If they are taken off-line, tests are scheduled, whenever possible, to occur during planned ICS outages. If penetration testing is performed on non-ICS networks, care is taken to ensure that the tests are not carried into the ICS.
CA-9 INTERNAL SYSTEM CONNECTIONS
CNTL NO.   CONTROL NAME / Control Enhancement Name   CONTROL BASELINES (LOW / MOD / HIGH)
CA-9       Internal System Connections   LOW: Selected  MOD: Selected  HIGH: Selected
ICS Supplemental Guidance: Organizations perform risk-benefit analysis to support determination whether an ICS should be connected to other internal information system(s) and (separate) constituent system components. The Authorizing Official fully understands the organizational information security policies and procedures; the ICS security policies and procedures; the risks to organizational operations and assets, individuals, other organizations, and the Nation associated with the connection to other information system(s) and (separate) constituent system components, whether by authorizing each individual internal connection or authorizing internal connections for a class of components with common characteristics and/or configurations; and the specific health, safety, and environmental risks associated with a particular interconnection. The AO documents risk acceptance in the ICS system security plan.
CA-9 INTERNAL SYSTEM CONNECTIONS
CNTL NO.   CONTROL NAME / Control Enhancement Name   CONTROL BASELINES (LOW / MOD / HIGH)
CA-9       Internal System Connections   LOW: Selected  MOD: Selected  HIGH: Selected
ICS Supplemental Guidance: The organization performs risk-benefit analysis to determine whether an ICS should be connected to other internal information systems and (separate) constituent system components. The Authorizing Official fully understands the following: the organizational information security policies and procedures; the ICS security policies and procedures; the risks to organizational operations, assets, individuals, other organizations, and the Nation associated with connections to other information systems and (separate) constituent system components, whether each individual internal connection is authorized or internal connections are authorized for a class of components with common characteristics and configurations; and the specific health, safety, and environmental risks associated with a particular interconnection. The AO documents risk acceptance in the ICS system security plan.
CONFIGURATION MANAGEMENT – CM
Tailoring Considerations for Configuration Management Family
In situations where the ICS cannot be configured to restrict the use of unnecessary functions or cannot support the use of automated mechanisms to implement configuration management functions, the organization employs nonautomated mechanisms or procedures as compensating controls in accordance with the general tailoring guidance. Examples of compensating controls are given with each control, as appropriate.
Supplemental Guidance
Supplemental Guidance for all Controls and Control Enhancements in NIST SP 800-53 Rev. 4, Appendix F, should be used in conjunction with the ICS Supplemental Guidance in this overlay, if any.
CM-1 CONFIGURATION MANAGEMENT POLICY AND PROCEDURES
CNTL NO.   CONTROL NAME / Control Enhancement Name   CONTROL BASELINES (LOW / MOD / HIGH)
CM-1       Configuration Management Policy and Procedures   LOW: Selected  MOD: Selected  HIGH: Selected
ICS Supplemental Guidance: The policy specifically addresses the unique properties and requirements of ICS and the relationship to non-ICS systems.
CM-2 BASELINE CONFIGURATION
CNTL NO.   CONTROL NAME / Control Enhancement Name   CONTROL BASELINES (LOW / MOD / HIGH)
CM-2       Baseline Configuration   LOW: Selected  MOD: Selected  HIGH: Selected
CM-2 (1)   BASELINE CONFIGURATION | REVIEWS AND UPDATES   MOD: Selected  HIGH: Selected
CM-2 (2)   BASELINE CONFIGURATION | AUTOMATION SUPPORT FOR ACCURACY / CURRENCY   HIGH: Selected
CM-2 (3)   BASELINE CONFIGURATION | RETENTION OF PREVIOUS CONFIGURATIONS   MOD: Selected  HIGH: Selected
CM-2 (7)   BASELINE CONFIGURATION | CONFIGURE SYSTEMS, COMPONENTS, OR DEVICES FOR HIGH-RISK AREAS   MOD: Selected  HIGH: Selected
No ICS Supplemental Guidance.
CM-3 CONFIGURATION CHANGE CONTROL
CNTL NO.   CONTROL NAME / Control Enhancement Name   CONTROL BASELINES (LOW / MOD / HIGH)
CM-3       Configuration Change Control   MOD: Selected  HIGH: Selected
CM-3 (1)   CONFIGURATION CHANGE CONTROL | AUTOMATED DOCUMENT / NOTIFICATION / PROHIBITION OF CHANGES   HIGH: Selected
CM-3 (2)   CONFIGURATION CHANGE CONTROL | TEST / VALIDATE / DOCUMENT CHANGES   MOD: Selected  HIGH: Selected
No ICS Supplemental Guidance.
CM-4 SECURITY IMPACT ANALYSIS
CNTL NO.   CONTROL NAME / Control Enhancement Name   CONTROL BASELINES (LOW / MOD / HIGH)
CM-4       Security Impact Analysis   LOW: Selected  MOD: Selected  HIGH: Selected
CM-4 (1)   SECURITY IMPACT ANALYSIS | SEPARATE TEST ENVIRONMENTS   HIGH: Selected
ICS Supplemental Guidance: The organization considers ICS safety and security interdependencies.
Control Enhancement: (1) No ICS Supplemental Guidance.
CONFIGURATION MANAGEMENT – CM
Tailoring Considerations for Configuration Management Family
In situations where the ICS cannot restrict unnecessary functions or cannot use automated mechanisms for configuration management functions, the organization employs nonautomated mechanisms or procedures as compensating controls in accordance with the general tailoring guidance. Examples of compensating controls are given with each control, as appropriate.
Supplemental Guidance
Where available, all Supplemental Guidance for Controls and Control Enhancements in NIST SP 800-53 Rev. 4, Appendix F, should be used in conjunction with the ICS Supplemental Guidance in this overlay.
CM-1 CONFIGURATION MANAGEMENT POLICY AND PROCEDURES
CNTL NO.   CONTROL NAME / Control Enhancement Name   CONTROL BASELINES (LOW / MOD / HIGH)
CM-1       Configuration Management Policy and Procedures   LOW: Selected  MOD: Selected  HIGH: Selected
ICS Supplemental Guidance: The policy specifically addresses the unique properties and requirements of ICS and the relationship to non-ICS systems.
CM-2 BASELINE CONFIGURATION
CNTL NO.   CONTROL NAME / Control Enhancement Name   CONTROL BASELINES (LOW / MOD / HIGH)
CM-2       Baseline Configuration   LOW: Selected  MOD: Selected  HIGH: Selected
CM-2 (1)   BASELINE CONFIGURATION | REVIEWS AND UPDATES   MOD: Selected  HIGH: Selected
CM-2 (2)   BASELINE CONFIGURATION | AUTOMATION SUPPORT FOR ACCURACY / CURRENCY   HIGH: Selected
CM-2 (3)   BASELINE CONFIGURATION | RETENTION OF PREVIOUS CONFIGURATIONS   MOD: Selected  HIGH: Selected
CM-2 (7)   BASELINE CONFIGURATION | CONFIGURE SYSTEMS, COMPONENTS, OR DEVICES FOR HIGH-RISK AREAS   MOD: Selected  HIGH: Selected
No ICS Supplemental Guidance.
CM-3 CONFIGURATION CHANGE CONTROL
CNTL NO.   CONTROL NAME / Control Enhancement Name   CONTROL BASELINES (LOW / MOD / HIGH)
CM-3       Configuration Change Control   MOD: Selected  HIGH: Selected
CM-3 (1)   CONFIGURATION CHANGE CONTROL | AUTOMATED DOCUMENTATION / NOTIFICATION / PROHIBITION OF CHANGES   HIGH: Selected
CM-3 (2)   CONFIGURATION CHANGE CONTROL | TEST / VALIDATE / DOCUMENT CHANGES   MOD: Selected  HIGH: Selected
No ICS Supplemental Guidance.
CM-4 SECURITY IMPACT ANALYSIS
CNTL NO.   CONTROL NAME / Control Enhancement Name   CONTROL BASELINES (LOW / MOD / HIGH)
CM-4       Security Impact Analysis   LOW: Selected  MOD: Selected  HIGH: Selected
CM-4 (1)   SECURITY IMPACT ANALYSIS | SEPARATE TEST ENVIRONMENTS   HIGH: Selected
ICS Supplemental Guidance: The organization considers the interdependencies between ICS safety and security.
Control Enhancement: (1) No ICS Supplemental Guidance.
CM-5 ACCESS RESTRICTIONS FOR CHANGE
CNTL NO.   CONTROL NAME / Control Enhancement Name   CONTROL BASELINES (LOW / MOD / HIGH)
CM-5       Access Restrictions for Change   MOD: Selected  HIGH: Selected
CM-5 (1)   ACCESS RESTRICTIONS FOR CHANGE | AUTOMATED ACCESS ENFORCEMENT / AUDITING   HIGH: Selected
CM-5 (2)   ACCESS RESTRICTIONS FOR CHANGE | AUDIT SYSTEM CHANGES   HIGH: Selected
CM-5 (3)   ACCESS RESTRICTIONS FOR CHANGE | SIGNED COMPONENTS   HIGH: Selected
No ICS Supplemental Guidance.
CM-6 CONFIGURATION SETTINGS
CNTL NO.   CONTROL NAME / Control Enhancement Name   CONTROL BASELINES (LOW / MOD / HIGH)
CM-6       Configuration Settings   LOW: Selected  MOD: Selected  HIGH: Selected
CM-6 (1)   CONFIGURATION SETTINGS | AUTOMATED CENTRAL MANAGEMENT / APPLICATION / VERIFICATION   HIGH: Selected
CM-6 (2)   CONFIGURATION SETTINGS | RESPOND TO UNAUTHORIZED CHANGES   HIGH: Selected
No ICS Supplemental Guidance.
CM-7 LEAST FUNCTIONALITY
CNTL NO.   CONTROL NAME / Control Enhancement Name   CONTROL BASELINES (LOW / MOD / HIGH)
CM-7       Least Functionality   LOW: Selected  MOD: Selected  HIGH: Selected
CM-7 (1)   LEAST FUNCTIONALITY | PERIODIC REVIEW   LOW: Added  MOD: Selected  HIGH: Selected
CM-7 (2)   LEAST FUNCTIONALITY | PREVENT PROGRAM EXECUTION   MOD: Removed  HIGH: Selected
CM-7 (4)   LEAST FUNCTIONALITY | UNAUTHORIZED SOFTWARE   LOW: Added  MOD: Selected
ICS Supplemental Guidance: Ports, as used in NIST SP 800-53 Rev. 4, are part of the address space in network protocols and are often associated with specific protocols or functions. As such, ports are not relevant to non-routable protocols and devices. When dealing with non-routable and non-addressable protocols and devices, prohibiting or restricting the use of specified functions, protocols, and/or services must be implemented for the (sub)system granularity that is available (e.g., at a low level, interrupts could be disabled; at a high level, set points could be made read-only except for privileged users). Example compensating controls include employing nonautomated mechanisms or procedures.
Control Enhancement: (1, 2, 5) No ICS Supplemental Guidance.
Control Baseline Supplement Rationale: (1) Periodic review and removal of unnecessary and/or nonsecure functions, ports, protocols, and services are added to the LOW baseline because many of the LOW impact ICS components could adversely affect the systems to which they are connected.
(4, 5) Whitelisting (CE 5) is more effective than blacklisting (CE 4). The set of applications that run in ICS is essentially static, making whitelisting practical. ICS-CERT recommends deploying application whitelisting on ICS. Reference: http://ics-cert.us-cert.gov/tips/ICS-TIP-12-146-01B
CM-8 INFORMATION SYSTEM COMPONENT INVENTORY
CNTL NO.   CONTROL NAME / Control Enhancement Name   CONTROL BASELINES (LOW / MOD / HIGH)
CM-8       Information System Component Inventory   LOW: Selected  MOD: Selected  HIGH: Selected
CM-8 (1)   INFORMATION SYSTEM COMPONENT INVENTORY | UPDATES DURING INSTALLATIONS / REMOVALS   MOD: Selected  HIGH: Selected
CM-8 (2)   INFORMATION SYSTEM COMPONENT INVENTORY | AUTOMATED MAINTENANCE   HIGH: Selected
CM-8 (3)   INFORMATION SYSTEM COMPONENT INVENTORY | AUTOMATED UNAUTHORIZED COMPONENT DETECTION   MOD: Selected  HIGH: Selected
CM-5 ACCESS RESTRICTIONS FOR CHANGE
CNTL NO.   CONTROL NAME / Control Enhancement Name   CONTROL BASELINES (LOW / MOD / HIGH)
CM-5       Access Restrictions for Change   MOD: Selected  HIGH: Selected
CM-5 (1)   ACCESS RESTRICTIONS FOR CHANGE | AUTOMATED ACCESS ENFORCEMENT / AUDITING   HIGH: Selected
CM-5 (2)   ACCESS RESTRICTIONS FOR CHANGE | AUDIT SYSTEM CHANGES   HIGH: Selected
CM-5 (3)   ACCESS RESTRICTIONS FOR CHANGE | SIGNED COMPONENTS   HIGH: Selected
No ICS Supplemental Guidance.
CM-6 CONFIGURATION SETTINGS
CNTL NO.   CONTROL NAME / Control Enhancement Name   CONTROL BASELINES (LOW / MOD / HIGH)
CM-6       Configuration Settings   LOW: Selected  MOD: Selected  HIGH: Selected
CM-6 (1)   CONFIGURATION SETTINGS | AUTOMATED CENTRAL MANAGEMENT / APPLICATION / VERIFICATION   HIGH: Selected
CM-6 (2)   CONFIGURATION SETTINGS | RESPOND TO UNAUTHORIZED CHANGES   HIGH: Selected
No ICS Supplemental Guidance.
CM-7 LEAST FUNCTIONALITY
CNTL NO.   CONTROL NAME / Control Enhancement Name   CONTROL BASELINES (LOW / MOD / HIGH)
CM-7       Least Functionality   LOW: Selected  MOD: Selected  HIGH: Selected
CM-7 (1)   LEAST FUNCTIONALITY | PERIODIC REVIEW   LOW: Added  MOD: Selected  HIGH: Selected
CM-7 (2)   LEAST FUNCTIONALITY | PREVENT PROGRAM EXECUTION   MOD: Removed  HIGH: Selected
CM-7 (4)   LEAST FUNCTIONALITY | UNAUTHORIZED SOFTWARE   LOW: Added  MOD: Selected
ICS Supplemental Guidance: Ports, as used in NIST SP 800-53 Rev. 4, are part of the address space in network protocols and are often associated with specific protocols or functions. Such ports do not exist for non-routable protocols and devices. For non-addressable and non-routable protocols and devices, prohibiting or restricting the use of specified functions, protocols, or services must be implemented at the (sub)system granularity that is available (e.g., at a low level, interrupts are disabled; at a high level, set points are made read-only except for privileged users). Example compensating controls include nonautomated mechanisms or procedures.
Control Enhancement: (1, 2, 5) No ICS Supplemental Guidance.
Control Baseline Supplement Rationale: (1) Periodic review and removal of unnecessary or nonsecure functions, ports, protocols, and services have been added to the LOW baseline, because many low-impact ICS components could adversely affect the systems to which they are connected.
(4, 5) Whitelisting (CE 5) is more effective than blacklisting (CE 4). The set of applications that run in ICS is essentially static, which makes whitelisting practical. ICS-CERT recommends deploying application whitelisting on ICS. Reference: http://ics-cert.us-cert.gov/tips/ICS-TIP-12-146-01B
CM-8 INFORMATION SYSTEM COMPONENT INVENTORY
CNTL NO.   CONTROL NAME / Control Enhancement Name   CONTROL BASELINES (LOW / MOD / HIGH)
CM-8       Information System Component Inventory   LOW: Selected  MOD: Selected  HIGH: Selected
CM-8 (1)   INFORMATION SYSTEM COMPONENT INVENTORY | UPDATES DURING INSTALLATIONS / REMOVALS   MOD: Selected  HIGH: Selected
CM-8 (2)   INFORMATION SYSTEM COMPONENT INVENTORY | AUTOMATED MAINTENANCE   HIGH: Selected
CM-8 (3)   INFORMATION SYSTEM COMPONENT INVENTORY | AUTOMATED UNAUTHORIZED COMPONENT DETECTION   MOD: Selected  HIGH: Selected
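The CM-7 rationale above argues that the application set on an ICS host is essentially static, which makes whitelisting (CE 5) practical, and CM-8 (3) asks for automated detection of unauthorized components. The following is an added example, not code from NIST or JPCERT, of what such a periodic review looks like: a hash-pinned allowlist checked against a host inventory, distinguishing an approved image from a modified one and from software that was never approved. All paths, images and hashes are constructed.

```python
"""Hash-pinned application allowlist review for an ICS host (added example; constructed data)."""
import hashlib
import hmac
import posixpath


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed allowlist: the static set of executables this host is permitted to run,
# keyed by canonical path and pinned to the SHA-256 of the approved image.
ALLOWLIST = {
    "/opt/hmi/bin/hmi_runtime": sha256_hex(b"hmi_runtime 3.2 (constructed image)"),
    "/opt/historian/bin/collector": sha256_hex(b"collector 1.9 (constructed image)"),
    "/usr/sbin/ntpd": sha256_hex(b"ntpd (constructed image)"),
}


def classify(path: str, image: bytes, allowlist: dict) -> str:
    """Verdict for one executable found on the host:
    'allowed'  - path is listed and the image hash matches the approved one
    'modified' - path is listed but the image differs (patched, wrong version, or tampered)
    'unlisted' - path is not in the allowlist at all (CM-7 (4)/(5), CM-8 (3) finding)"""
    canonical = posixpath.normpath(path)            # so /opt/x/bin/../bin/y and /opt/x/bin/y match
    expected = allowlist.get(canonical)
    if expected is None:
        return "unlisted"
    if hmac.compare_digest(sha256_hex(image), expected):
        return "allowed"
    return "modified"


def review_inventory(inventory: list, allowlist: dict) -> dict:
    """Run the allowlist over a host inventory of (path, image) pairs; returns {path: verdict}."""
    return {path: classify(path, image, allowlist) for path, image in inventory}


def findings(verdicts: dict) -> list:
    """Paths that must not run, sorted so that repeated reviews produce stable reports."""
    return sorted(p for p, v in verdicts.items() if v != "allowed")


# Constructed host inventory, as a CM-7 (1) periodic review would collect it.
SAMPLE_INVENTORY = [
    ("/opt/hmi/bin/hmi_runtime", b"hmi_runtime 3.2 (constructed image)"),
    ("/opt/historian/bin/../bin/collector", b"collector 1.9 (constructed image)"),
    ("/usr/sbin/ntpd", b"ntpd (constructed image) with an extra byte"),   # image no longer matches
    ("/tmp/vendor_update.exe", b"binary that was never approved"),       # not in the allowlist
]

if __name__ == "__main__":
    verdicts = review_inventory(SAMPLE_INVENTORY, ALLOWLIST)
    for path, verdict in verdicts.items():
        print(f"{verdict:9s} {path}")
    print("findings:", findings(verdicts))
```

A 'modified' verdict on a listed path is a change-control event (CM-3) as much as a security one: the pinned hash is the record of what the organization approved.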
CNTL NO.   LOW       MOD       HIGH      CONTROL NAME | Control Enhancement Name
CM-8 (4)   -         -         Selected  INFORMATION SYSTEM COMPONENT INVENTORY | PROPERTY ACCOUNTABILITY INFORMATION
CM-8 (5)   -         Selected  Selected  INFORMATION SYSTEM COMPONENT INVENTORY | ALL COMPONENTS WITHIN AUTHORIZATION BOUNDARY
No ICS Supplemental Guidance.
CM-9 CONFIGURATION MANAGEMENT PLAN
CNTL NO.   LOW       MOD       HIGH      CONTROL NAME | Control Enhancement Name
CM-9       -         Selected  Selected  Configuration Management Plan
No ICS Supplemental Guidance.
CM-10 SOFTWARE USAGE RESTRICTIONS
CNTL NO.   LOW       MOD       HIGH      CONTROL NAME | Control Enhancement Name
CM-10      Selected  Selected  Selected  Software Usage Restrictions
No ICS Supplemental Guidance.
CM-11 USER-INSTALLED SOFTWARE
CNTL NO.   LOW       MOD       HIGH      CONTROL NAME | Control Enhancement Name
CM-11      Selected  Selected  Selected  User-Installed Software
No ICS Supplemental Guidance.
CONTINGENCY PLANNING - CP
Tailoring Considerations for Contingency Planning Family
ICS systems often contain a physical component at a fixed location. Such components may not be relocated logically. Some replacement components may not be readily available. Continuance of essential missions and business functions with little or no loss of operational continuity may not be possible. In situations where the organization cannot provide necessary essential services, support, or automated mechanisms during contingency operations, the organization provides nonautomated mechanisms or predetermined procedures as compensating controls in accordance with the general tailoring guidance. Examples of compensating controls are given with each control, as appropriate.
Supplemental Guidance
Supplemental Guidance for all Controls and Control Enhancements in NIST SP 800-53 Rev. 4, Appendix F, should be used in conjunction with the ICS Supplemental Guidance in this overlay, if any.
CP-1 CONTINGENCY PLANNING POLICY AND PROCEDURES
CNTL NO.   LOW       MOD       HIGH      CONTROL NAME | Control Enhancement Name
CP-1       Selected  Selected  Selected  Contingency Planning Policy and Procedures
ICS Supplemental Guidance: The policy specifically addresses the unique properties and requirements of ICS and the relationship to non-ICS systems.
CP-2 CONTINGENCY PLAN
CNTL NO.   LOW       MOD       HIGH      CONTROL NAME | Control Enhancement Name
CP-2       Selected  Selected  Selected  Contingency Plan
CP-2 (1)   -         Selected  Selected  CONTINGENCY PLAN | COORDINATE WITH RELATED PLANS
CP-2 (2)   -         -         Selected  CONTINGENCY PLAN | CAPACITY PLANNING
CP-2 (3)   -         Selected  Selected  CONTINGENCY PLAN | RESUME ESSENTIAL MISSIONS / BUSINESS FUNCTIONS
CP-2 (4)   -         -         Selected  CONTINGENCY PLAN | RESUME ALL MISSIONS / BUSINESS FUNCTIONS
CP-2 (5)   -         -         Selected  CONTINGENCY PLAN | CONTINUE ESSENTIAL MISSIONS / BUSINESS FUNCTIONS
CP-2 (8)   -         Selected  Selected  CONTINGENCY PLAN | IDENTIFY CRITICAL ASSETS
ICS Supplemental Guidance: The organization defines contingency plans for categories of disruptions or failures. In the event of a loss of processing within the ICS or communication with operational facilities, the ICS executes predetermined procedures (e.g., alert the operator of the failure and then do nothing, alert the operator and then safely shut down the industrial process, alert the operator and then maintain the last operational setting prior to failure).
Control Enhancement: (1) ICS Supplemental Guidance: Organizational elements responsible for related plans may include suppliers such as electric power, fuel, fresh water and wastewater.
Control Enhancement: (2) No ICS Supplemental Guidance.
Control Enhancement: (3, 4) ICS Supplemental Guidance: Plans for the resumption of essential missions and business functions, and for resumption of all missions and business functions take into account the effects of the disruption on the environment of operation. Restoration and resumption plans should include prioritization of efforts. Disruptions may affect the quality and quantity of resources in the environment, such as electric power, fuel, fresh water and wastewater, and the ability of these suppliers to also resume provision of essential mission and business functions. Contingency plans for widespread disruption may involve specialized organizations (e.g., FEMA, emergency services, regulatory authorities). Reference: NFPA 1600: Standard on Disaster/Emergency Management and Business Continuity Programs.
Control Enhancement: (5, 8) No ICS Supplemental Guidance.
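The three predetermined procedures listed in the CP-2 ICS Supplemental Guidance, as an added Python model that is not code from NIST SP 800-82: a field controller keeps ramping its output toward the last supervisory target while commands keep arriving, and a watchdog applies the configured procedure once the link falls silent. The timeout, ramp rate, target and safe value are constructed.

```python
"""Comms-loss watchdog with predetermined procedures (added example, not from
NIST SP 800-82). The ramp stands in for local control logic; all numbers are
constructed for the simulation."""
from enum import Enum


class Procedure(Enum):
    """The three predetermined procedures named in the CP-2 ICS guidance."""
    ALERT_ONLY = "alert operator, take no automatic action"
    ALERT_SAFE_SHUTDOWN = "alert operator, then drive the process to its safe state"
    ALERT_HOLD_LAST = "alert operator, then hold the last setting before failure"


class LocalController:
    """Field controller that ramps its output toward the last supervisory target."""

    def __init__(self, procedure, timeout_s, ramp_per_s, safe_value):
        self.procedure = procedure
        self.timeout_s = timeout_s      # link silent longer than this = comms loss
        self.ramp_per_s = ramp_per_s
        self.safe_value = safe_value
        self.target = 0.0
        self.output = 0.0
        self.last_command_t = None
        self.comms_lost = False
        self.alerts = []                # (time, procedure text) raised to the operator

    def on_command(self, t, target):
        """A fresh supervisory command: the link is healthy, follow the new target."""
        self.last_command_t = t
        self.target = target
        self.comms_lost = False

    def tick(self, t, dt):
        """One control cycle at time t; returns the output actually applied."""
        silent = self.last_command_t is not None and t - self.last_command_t > self.timeout_s
        if silent and not self.comms_lost:
            # first cycle after the watchdog trips: alert, then apply the procedure
            self.comms_lost = True
            self.alerts.append((t, self.procedure.value))
            if self.procedure is Procedure.ALERT_SAFE_SHUTDOWN:
                self.target = self.safe_value
        if self.comms_lost and self.procedure is Procedure.ALERT_HOLD_LAST:
            return self.output          # frozen at the last value before failure
        # ALERT_ONLY keeps the local logic running toward the last known target;
        # ALERT_SAFE_SHUTDOWN ramps toward the safe value set above
        step = self.ramp_per_s * dt
        if abs(self.target - self.output) <= step:
            self.output = self.target
        elif self.target > self.output:
            self.output += step
        else:
            self.output -= step
        return self.output


def simulate(procedure):
    """Constructed scenario: one command at t=0, then the link goes silent.

    Timeout 5 s, ramp 10 units/s, safe value 0. Returns the output after 20 s
    and the time at which the operator was alerted.
    """
    ctl = LocalController(procedure, timeout_s=5.0, ramp_per_s=10.0, safe_value=0.0)
    ctl.on_command(0.0, 100.0)
    out = 0.0
    for t in range(1, 21):
        out = ctl.tick(float(t), 1.0)
    return {"final_output": out, "alert_time": ctl.alerts[0][0] if ctl.alerts else None}


if __name__ == "__main__":
    for p in Procedure:
        print(p.name, simulate(p))
```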
CP-3 CONTINGENCY TRAINING
CNTL NO.   LOW       MOD       HIGH      CONTROL NAME | Control Enhancement Name
CP-3       Selected  Selected  Selected  Contingency Training
CP-3 (1)   -         -         Selected  CONTINGENCY TRAINING | SIMULATED EVENTS
No ICS Supplemental Guidance.
CP-4 CONTINGENCY PLAN TESTING
CNTL NO.   LOW       MOD       HIGH      CONTROL NAME | Control Enhancement Name
CP-4       Selected  Selected  Selected  Contingency Plan Testing
CP-4 (1)   -         Selected  Selected  CONTINGENCY PLAN TESTING | COORDINATE WITH RELATED PLANS
CP-4 (2)   -         -         Selected  CONTINGENCY PLAN TESTING | ALTERNATE PROCESSING SITE
No ICS Supplemental Guidance.
CP-6 ALTERNATE STORAGE SITE
CNTL NO.   LOW       MOD       HIGH      CONTROL NAME | Control Enhancement Name
CP-6       -         Selected  Selected  Alternate Storage Site
CP-6 (1)   -         Selected  Selected  ALTERNATE STORAGE SITE | SEPARATION FROM PRIMARY SITE
CP-6 (2)   -         -         Selected  ALTERNATE STORAGE SITE | RECOVERY TIME / POINT OBJECTIVES
CP-6 (3)   -         Selected  Selected  ALTERNATE STORAGE SITE | ACCESSIBILITY
No ICS Supplemental Guidance.
CP-7 ALTERNATE PROCESSING SITE
CNTL NO.   LOW       MOD       HIGH      CONTROL NAME | Control Enhancement Name
CP-7       -         Selected  Selected  Alternate Processing Site
CP-7 (1)   -         Selected  Selected  ALTERNATE PROCESSING SITE | SEPARATION FROM PRIMARY SITE
CP-7 (2)   -         Selected  Selected  ALTERNATE PROCESSING SITE | ACCESSIBILITY
CP-7 (3)   -         Selected  Selected  ALTERNATE PROCESSING SITE | PRIORITY OF SERVICE
CP-7 (4)   -         -         Selected  ALTERNATE PROCESSING SITE | CONFIGURATION FOR USE
No ICS Supplemental Guidance.
CP-8 TELECOMMUNICATIONS SERVICES
CNTL NO.   LOW       MOD       HIGH      CONTROL NAME | Control Enhancement Name
CP-8       -         Selected  Selected  Telecommunications Services
CP-8 (1)   -         Selected  Selected  TELECOMMUNICATIONS SERVICES | PRIORITY OF SERVICE PROVISIONS
CP-8 (2)   -         Selected  Selected  TELECOMMUNICATIONS SERVICES | SINGLE POINTS OF FAILURE
CP-8 (3)   -         -         Selected  TELECOMMUNICATIONS SERVICES | SEPARATION OF PRIMARY / ALTERNATE PROVIDERS
CP-8 (4)   -         -         Selected  TELECOMMUNICATIONS SERVICES | PROVIDER CONTINGENCY PLAN
ICS Supplemental Guidance: Quality of service factors for ICS include latency and throughput.
Control Enhancement: (1, 2, 3, 4) No ICS Supplemental Guidance.
CP-9 INFORMATION SYSTEM BACKUP
CNTL NO.   LOW       MOD       HIGH      CONTROL NAME | Control Enhancement Name
CP-9       Selected  Selected  Selected  Information System Backup
CP-9 (1)   -         Selected  Selected  INFORMATION SYSTEM BACKUP | TESTING FOR RELIABILITY / INTEGRITY
CP-9 (2)   -         -         Selected  INFORMATION SYSTEM BACKUP | TEST RESTORATION USING SAMPLING
CP-9 (3)   -         -         Selected  INFORMATION SYSTEM BACKUP | SEPARATE STORAGE FOR CRITICAL INFORMATION
CP-9 (5)   -         -         Selected  INFORMATION SYSTEM BACKUP | TRANSFER TO ALTERNATE SITE
No ICS Supplemental Guidance.
CP-10 INFORMATION SYSTEM RECOVERY AND RECONSTITUTION
CNTL NO.   LOW       MOD       HIGH      CONTROL NAME | Control Enhancement Name
CP-10      Selected  Selected  Selected  Information System Recovery and Reconstitution
CP-10 (2)  -         Selected  Selected  INFORMATION SYSTEM RECOVERY AND RECONSTITUTION | TRANSACTION RECOVERY
CP-10 (4)  -         -         Selected  INFORMATION SYSTEM RECOVERY AND RECONSTITUTION | RESTORE WITHIN TIME PERIOD
ICS Supplemental Guidance: Reconstitution of the ICS includes consideration whether system state variables should be restored to initial values or values before disruption (e.g., are valves restored to full open, full closed, or settings prior to disruption). Restoring system state variables may be disruptive to ongoing physical processes (e.g., valves initially closed may adversely affect system cooling).
Control Enhancement: (2, 4) No ICS Supplemental Guidance.
CP-12 SAFE MODE
CNTL NO.   LOW       MOD       HIGH      CONTROL NAME | Control Enhancement Name
CP-12      Added     Added     Added     Safe Mode
ICS Supplemental Guidance: The organization-defined conditions and corresponding restrictions of safe mode of operation may vary among baselines. The same condition(s) may trigger different response depending on the impact level. The conditions may be external to the ICS (e.g., electricity supply brown-out). Related controls: SI-17.
Rationale for adding CP-12 to all baselines: This control provides a framework for the organization to plan their policy and procedures for dealing with conditions beyond their control in the environment of operations. Creating a written record of the decision process for selecting incidents and appropriate response is part of risk management in light of changing environment of operations.
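The CP-10 guidance above leaves the initial-versus-pre-disruption choice to the organization and warns that the choice itself can upset the process. This added Python planner (not code from NIST SP 800-82) makes the choice per state variable and vets the resulting state against interlock rules before any write, using the guidance's own cooling-valve case; the variable names, interlocks and live measurements are constructed.

```python
"""Reconstitution planner for ICS state variables (added example, not from
NIST SP 800-82). Variable names, interlocks and measured values are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class StateVar:
    name: str
    initial: float          # commissioning / cold-start value
    pre_disruption: float   # last value logged before the disruption
    policy: str             # "initial" or "pre_disruption"
    write_order: int        # lower is written first during reconstitution


@dataclass(frozen=True)
class Interlock:
    description: str
    holds: Callable[[Dict[str, float]], bool]   # True when a state is acceptable


def plan_reconstitution(variables: List[StateVar], interlocks: List[Interlock],
                        measured: Dict[str, float]) -> Tuple[List[Tuple[str, float]], List[str]]:
    """Choose a target value per variable and vet the result before any write.

    measured holds live process values that cannot be 'restored' (a temperature,
    say) but that the interlocks depend on. Returns (writes, violations): writes
    is the ordered list of (name, value); violations names every interlock the
    target state would break. Nothing should be applied while it is non-empty.
    """
    target = dict(measured)
    for v in variables:
        target[v.name] = v.initial if v.policy == "initial" else v.pre_disruption
    violations = [i.description for i in interlocks if not i.holds(target)]
    ordered = sorted(variables, key=lambda v: v.write_order)
    writes = [(v.name, target[v.name]) for v in ordered]
    return writes, violations


# Constructed plant fragment: a cooling valve that is closed at cold start and a
# recirculation pump, with the process still hot after the outage.
COOLING_OK = Interlock(
    "cooling valve must be at least 50 % open while reactor temperature exceeds 60 C",
    lambda s: s["reactor_temp_c"] <= 60.0 or s["cooling_valve_pct"] >= 50.0,
)
PUMP_NEEDS_FLOW = Interlock(
    "recirculation pump must not run with the cooling valve fully closed",
    lambda s: s["recirc_pump_run"] == 0.0 or s["cooling_valve_pct"] > 0.0,
)
INTERLOCKS = [COOLING_OK, PUMP_NEEDS_FLOW]
LIVE_MEASUREMENTS = {"reactor_temp_c": 85.0}


def restore_to_initial():
    """Naive plan: every variable back to its commissioning value."""
    variables = [
        StateVar("cooling_valve_pct", initial=0.0, pre_disruption=70.0,
                 policy="initial", write_order=1),
        StateVar("recirc_pump_run", initial=1.0, pre_disruption=1.0,
                 policy="initial", write_order=2),
    ]
    return plan_reconstitution(variables, INTERLOCKS, LIVE_MEASUREMENTS)


def restore_to_pre_disruption():
    """Plan that keeps the valve where the process left it; the pump policy is unchanged."""
    variables = [
        StateVar("cooling_valve_pct", initial=0.0, pre_disruption=70.0,
                 policy="pre_disruption", write_order=1),
        StateVar("recirc_pump_run", initial=1.0, pre_disruption=1.0,
                 policy="initial", write_order=2),
    ]
    return plan_reconstitution(variables, INTERLOCKS, LIVE_MEASUREMENTS)


if __name__ == "__main__":
    for label, plan in (("initial", restore_to_initial()), ("pre-disruption", restore_to_pre_disruption())):
        writes, violations = plan
        print(label, writes, "BLOCKED: " + "; ".join(violations) if violations else "ok")
```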
IDENTIFICATION AND AUTHENTICATION - IA
Tailoring Considerations for Identification and Authentication Family
Before implementing controls in the IA family, consider the tradeoffs among security, privacy, latency, performance, and throughput. For example, the organization considers whether latency induced from the use of authentication mechanisms employing cryptographic mechanisms would adversely impact the operational performance of the ICS.
In situations where the ICS cannot support the specific Identification and Authentication requirements of a control, the organization employs compensating controls in accordance with the general tailoring guidance. Examples of compensating controls are given with each control, as appropriate.
Supplemental Guidance
Supplemental Guidance for all Controls and Control Enhancements in NIST SP 800-53 Rev. 4, Appendix F, should be used in conjunction with the ICS Supplemental Guidance in this overlay, if any.
IA-1 IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES
CNTL NO.   LOW       MOD       HIGH      CONTROL NAME | Control Enhancement Name
IA-1       Selected  Selected  Selected  Security Identification and Authentication Policy and Procedures
ICS Supplemental Guidance: The policy specifically addresses the unique properties and requirements of ICS and the relationship to non-ICS systems.
IA-2 USER IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)
CNTL NO.   LOW       MOD       HIGH      CONTROL NAME | Control Enhancement Name
IA-2       Selected  Selected  Selected  Identification and Authentication (Organizational Users)
IA-2 (1)   Selected  Selected  Selected  IDENTIFICATION AND AUTHENTICATION | NETWORK ACCESS TO PRIVILEGED ACCOUNTS
IA-2 (2)   -         Selected  Selected  IDENTIFICATION AND AUTHENTICATION | NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS
IA-2 (3)   -         Selected  Selected  IDENTIFICATION AND AUTHENTICATION | LOCAL ACCESS TO PRIVILEGED ACCOUNTS
IA-2 (4)   -         -         Selected  IDENTIFICATION AND AUTHENTICATION | LOCAL ACCESS TO NON-PRIVILEGED ACCOUNTS
IA-2 (8)   -         Selected  Selected  IDENTIFICATION AND AUTHENTICATION | NETWORK ACCESS TO PRIVILEGED ACCOUNTS - REPLAY RESISTANT
IA-2 (9)   -         -         Selected  IDENTIFICATION AND AUTHENTICATION | NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS - REPLAY RESISTANT
IA-2 (11)  -         Selected  Selected  IDENTIFICATION AND AUTHENTICATION | REMOTE ACCESS - SEPARATE DEVICE
IA-2 (12)  Selected  Selected  Selected  IDENTIFICATION AND AUTHENTICATION | ACCEPTANCE OF PIV CREDENTIALS
ICS Supplemental Guidance: Where users function as a single group (e.g., control room operators), user identification and authentication may be role-based, group-based, or device-based. For certain ICS, the capability for immediate operator interaction is critical. Local emergency actions for ICS are not hampered by identification or authentication requirements. Access to these systems may be restricted by appropriate physical security controls. Example compensating controls include providing increased physical security, personnel security, and auditing measures. For example, manual voice authentication of remote personnel and local, manual actions may be required in order to establish a remote access. See AC-17 ICS Supplemental Guidance. Local user access to ICS components is enabled only when necessary, approved, and authenticated.
Control Enhancement: (1, 2, 3, 4) ICS Supplemental Guidance: Example compensating controls include implementing physical security measures.
Control Enhancement: (8, 9) ICS Supplemental Guidance: Example compensating controls include providing replay resistance in an external system.
Control Enhancement: (11) No ICS Supplemental Guidance.
Control Enhancement: (12) ICS Supplemental Guidance: Example compensating controls include implementing support for PIV external to the ICS.
IA-3 DEVICE IDENTIFICATION AND AUTHENTICATION
CNTL NO.   LOW       MOD       HIGH      CONTROL NAME | Control Enhancement Name
IA-3       Added     Selected  Selected  Device Identification and Authentication
IA-3 (1)   -         Added     Added     DEVICE IDENTIFICATION AND AUTHENTICATION | CRYPTOGRAPHIC BIDIRECTIONAL AUTHENTICATION
IA-3 (4)   -         Added     Added     DEVICE IDENTIFICATION AND AUTHENTICATION | DEVICE ATTESTATION
ICS Supplemental Guidance: The organization may permit connection of devices, also known as non-person entities (NPE), belonging to and authorized by another organization (e.g., business partners) to their ICS. Especially when these devices are non-local, their identification and authentication can be vital. Organizations may perform risk and impact analysis to determine the required strength of authentication mechanisms. Example compensating controls for devices and protocols which do not provide authentication for remote network connections include implementing physical security measures.
Control Enhancement: (1, 4) ICS Supplemental Guidance: Configuration management for NPE identification and authentication customarily involves a human surrogate or representative for the NPE. Devices are provided with their identification and authentication credentials based on assertions by the human surrogate. The human surrogate also responds to events and anomalies (e.g., credential expiration). Credentials for software entities (e.g., autonomous processes not associated with a specific person) based on properties of that software (e.g., digital signatures) may change every time the software is changed or patched. Special purpose hardware (e.g., custom integrated circuits and printed-circuit boards) may exhibit similar dependencies. Organization definition of parameters may be different among the impact levels.
Rationale (applies to control and control enhancements): ICS may exchange information with many external systems and devices. Identifying and authenticating the devices introduces situations that do not exist with humans. These controls include assignments that enable the organization to categorize devices by types, models, or other group characteristics. Assignments also enable the organizations to select appropriate controls for local, remote, and network connections.
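The replay resistance asked for by IA-2 (8)/(9) and the cryptographic bidirectional authentication of IA-3 (1), as an added Python sketch that is not code from NIST SP 800-82: both ends answer each other's fresh nonce with an HMAC over a pre-shared device key and keep a replay cache of accepted nonces. The shared key, device names and nonces are constructed; binding the credential to the device itself (IA-3 (4) attestation, IA-5 provisioning) is outside this sketch.

```python
"""Replay-resistant mutual device authentication (added example, not from
NIST SP 800-82). Key, device names and nonces are constructed."""
import hashlib
import hmac
import os


class Party:
    """One end of the link (e.g. a PLC or an HMI) holding the shared device key."""

    def __init__(self, name: str, key: bytes):
        self.name = name
        self.key = key
        self.issued = set()     # challenges we sent that are still unanswered
        self.accepted = set()   # peer nonces already accepted: the replay cache

    def challenge(self) -> bytes:
        nonce = os.urandom(16)
        self.issued.add(nonce)
        return nonce

    @staticmethod
    def _tag(key: bytes, responder: str, challenge: bytes, responder_nonce: bytes) -> bytes:
        # The tag binds who is answering and both nonces, so it can neither be
        # reflected back at its sender nor reused against a different challenge.
        msg = responder.encode() + b"|" + challenge + b"|" + responder_nonce
        return hmac.new(key, msg, hashlib.sha256).digest()

    def respond(self, challenge: bytes, my_nonce: bytes) -> bytes:
        return self._tag(self.key, self.name, challenge, my_nonce)

    def verify(self, peer_name: str, my_challenge: bytes, peer_nonce: bytes, tag: bytes) -> bool:
        if my_challenge not in self.issued:
            return False    # not an outstanding challenge of ours (stale or already used)
        if peer_nonce in self.accepted:
            return False    # this response was accepted before: replay
        expected = self._tag(self.key, peer_name, my_challenge, peer_nonce)
        if not hmac.compare_digest(expected, tag):
            return False    # wrong key or tampered message
        self.issued.discard(my_challenge)   # each challenge is answerable once
        self.accepted.add(peer_nonce)
        return True


def mutual_auth(a: Party, b: Party):
    """Run the exchange; returns (a_accepts_b, b_accepts_a, transcript)."""
    n_a = a.challenge()                 # A -> B: challenge
    n_b = b.challenge()                 # B -> A: B's own challenge ...
    tag_b = b.respond(n_a, n_b)         # ... together with B's answer to n_a
    a_ok = a.verify(b.name, n_a, n_b, tag_b)
    tag_a = a.respond(n_b, n_a)         # A -> B: A's answer to n_b
    b_ok = b.verify(a.name, n_b, n_a, tag_a)
    return a_ok, b_ok, {"n_a": n_a, "n_b": n_b, "tag_b": tag_b, "tag_a": tag_a}


def run_demo() -> dict:
    key = b"constructed-shared-device-key"    # provisioned out of band; not a real key
    hmi, plc = Party("hmi-01", key), Party("plc-07", key)
    hmi_ok, plc_ok, t = mutual_auth(hmi, plc)
    # A recorded copy of the PLC's earlier response is presented to the HMI again.
    replayed = hmi.verify(plc.name, t["n_a"], t["n_b"], t["tag_b"])
    # A device with a different key claims the PLC's name against a fresh challenge.
    n_fresh = hmi.challenge()
    stranger = Party("plc-07", b"some-other-key")
    n_s = os.urandom(16)
    imposter = hmi.verify(stranger.name, n_fresh, n_s, stranger.respond(n_fresh, n_s))
    return {"mutual": hmi_ok and plc_ok, "replay_accepted": replayed,
            "wrong_key_accepted": imposter}


if __name__ == "__main__":
    print(run_demo())
```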
IA-4 IDENTIFIER MANAGEMENT
CNTL NO.   LOW       MOD       HIGH      CONTROL NAME | Control Enhancement Name
IA-4       Selected  Selected  Selected  Identifier Management
No ICS Supplemental Guidance.
IA-5 AUTHENTICATOR MANAGEMENT
CNTL NO.   LOW       MOD       HIGH      CONTROL NAME | Control Enhancement Name
IA-5       Selected  Selected  Selected  Authenticator Management
IA-5 (1)   Selected  Selected  Selected  AUTHENTICATOR MANAGEMENT | PASSWORD-BASED AUTHENTICATION
IA-5 (2)   -         Selected  Selected  AUTHENTICATOR MANAGEMENT | PKI-BASED AUTHENTICATION
IA-5 (3)   -         Selected  Selected  AUTHENTICATOR MANAGEMENT | IN PERSON REGISTRATION
IA-5 (11)  Selected  Selected  Selected  AUTHENTICATOR MANAGEMENT | HARDWARE TOKEN-BASED AUTHENTICATION
ICS Supplemental Guidance: Example compensating controls include physical access control, encapsulating the ICS to provide authentication external to the ICS.
Control Enhancement: (1, 2, 3, 11) No ICS Supplemental Guidance.
IA-6 AUTHENTICATOR FEEDBACK
CNTL NO.   LOW       MOD       HIGH      CONTROL NAME | Control Enhancement Name
IA-6       Selected  Selected  Selected  Authenticator Feedback
ICS Supplemental Guidance: This control assumes a visual interface that provides feedback of authentication information during the authentication process. When ICS authentication uses an interface that does not support visual feedback (e.g., protocol-based authentication), this control may be tailored out.
IA-7 CRYPTOGRAPHIC MODULE AUTHENTICATION
CNTL NO.   LOW       MOD       HIGH      CONTROL NAME | Control Enhancement Name
IA-7       Selected  Selected  Selected  Cryptographic Module Authentication
No ICS Supplemental Guidance.
IA-8 IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS)
CNTL NO.   LOW       MOD       HIGH      CONTROL NAME | Control Enhancement Name
IA-8       Selected  Selected  Selected  Identification and Authentication (Non-Organizational Users)
IA-8 (1)   Selected  Selected  Selected  IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) | ACCEPTANCE OF PIV CREDENTIALS FROM OTHER AGENCIES
IA-8 (2)   Selected  Selected  Selected  IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) | ACCEPTANCE OF THIRD-PARTY CREDENTIALS
IA-8 (3)   Selected  Selected  Selected  IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) | USE OF FICAM-APPROVED PRODUCTS
IA-8 (4)   Selected  Selected  Selected  IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) | USE OF FICAM-ISSUED PROFILES
ICS Supplemental Guidance: The ICS Supplemental Guidance for IA-2, Identification and Authentication (Organizational Users), is applicable for Non-Organizational Users.
Control Enhancement: (1, 2, 3, 4) ICS Supplemental Guidance: Example compensating controls include implementing support external to the ICS and multi-factor authentication.
INCIDENT RESPONSE - IR
Tailoring Considerations for Incident Response Family
The automated mechanisms used to support the tracking of security incidents are typically not part of, or connected to, the ICS.
Supplemental Guidance
Supplemental Guidance for all Controls and Control Enhancements in NIST SP 800-53 Rev. 4, Appendix F, should be used in conjunction
with the ICS Supplemental Guidance in this overlay, if any.
IR-1 INCIDENT RESPONSE POLICY AND PROCEDURES
CNTL NO. CONTROL NAME
Control Enhancement Name
CONTROL BASELINES
LOW
MOD
HIGH
IR-1
Incident Response Policy and Procedures
Selected
Selected
Selected
ICS Supplemental Guidance: The policy specifically addresses the unique properties and requirements of ICS and the relationship
to non-ICS systems.
IR-2 INCIDENT RESPONSE TRAINING
CNTL NO. CONTROL NAME
Control Enhancement Name
CONTROL BASELINES
LOW
MOD
HIGH
IR-2
Incident Response Training
Selected
Selected
Selected
IR-2 (1)
INCIDENT RESPONSE TRAINING | SIMULATED EVENTS
Selected
IR-2 (2) INCIDENT RESPONSE TRAINING | AUTOMATED TRAINING
ENVIRONMENTS
Selected
No ICS Supplemental Guidance.
IR-3 INCIDENT RESPONSE TESTING
CNTL NO.    CONTROL BASELINES             CONTROL NAME / Control Enhancement Name
            LOW       MOD       HIGH
IR-3        -         Selected  Selected  Incident Response Testing
IR-3 (2)    -         Selected  Selected  INCIDENT RESPONSE TESTING | COORDINATION WITH RELATED PLANS
No ICS Supplemental Guidance.
IR-4 INCIDENT HANDLING
CNTL NO.    CONTROL BASELINES             CONTROL NAME / Control Enhancement Name
            LOW       MOD       HIGH
IR-4        Selected  Selected  Selected  Incident Handling
IR-4 (1)    -         Selected  Selected  INCIDENT HANDLING | AUTOMATED INCIDENT HANDLING PROCESSES
IR-4 (4)    -         -         Selected  INCIDENT HANDLING | INFORMATION CORRELATION
No ICS Supplemental Guidance.
IR-5 INCIDENT MONITORING
CNTL NO.    CONTROL BASELINES             CONTROL NAME / Control Enhancement Name
            LOW       MOD       HIGH
IR-5        Selected  Selected  Selected  Incident Monitoring
IR-5 (1)    -         -         Selected  INCIDENT MONITORING | AUTOMATED TRACKING / DATA COLLECTION / ANALYSIS
No ICS Supplemental Guidance.
IR-6 INCIDENT REPORTING
CNTL NO.    CONTROL BASELINES             CONTROL NAME / Control Enhancement Name
            LOW       MOD       HIGH
IR-6        Selected  Selected  Selected  Incident Reporting
IR-6 (1)    -         Selected  Selected  INCIDENT REPORTING | AUTOMATED REPORTING
ICS Supplemental Guidance: The organization should report incidents on a timely basis. The DHS National Cybersecurity &
Communications Integration Center (NCCIC), http://www.dhs.gov/about-national-cybersecurity-communications-integration-center, serves
as a centralized location where operational elements involved in cybersecurity and communications reliance are coordinated and integrated.
The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) http://ics-cert.us-cert.gov/ics-cert/, collaborates with
international and private sector Computer Emergency Response Teams (CERTs) to share control systems-related security incidents and
mitigation measures.
Control Enhancement: (1) ICS Supplemental Guidance: The automated mechanisms used to support the incident reporting process are
not necessarily part of, or connected to, the ICS.
IR-7 INCIDENT RESPONSE ASSISTANCE
CNTL NO.    CONTROL BASELINES             CONTROL NAME / Control Enhancement Name
            LOW       MOD       HIGH
IR-7        Selected  Selected  Selected  Incident Response Assistance
IR-7 (1)    -         Selected  Selected  INCIDENT RESPONSE ASSISTANCE | AUTOMATION SUPPORT FOR AVAILABILITY OF INFORMATION / SUPPORT
No ICS Supplemental Guidance.
IR-8 INCIDENT RESPONSE PLAN
CNTL NO.    CONTROL BASELINES             CONTROL NAME / Control Enhancement Name
            LOW       MOD       HIGH
IR-8        Selected  Selected  Selected  Incident Response Plan
No ICS Supplemental Guidance.
MAINTENANCE - MA
Tailoring Considerations for Maintenance Family
The automated mechanisms used to schedule, conduct, and document maintenance and repairs are not necessarily part of, or connected to,
the ICS.
In situations where the ICS cannot support the specific Maintenance requirements of a control, the organization employs compensating
controls in accordance with the general tailoring guidance. Examples of compensating controls are given with each control, as appropriate.
Supplemental Guidance
Supplemental Guidance for all Controls and Control Enhancements in NIST SP 800-53 Rev. 4, Appendix F, should be used in conjunction with the ICS Supplemental Guidance in this overlay, if any.
MA-1 SYSTEM MAINTENANCE POLICY AND PROCEDURES
CNTL NO.    CONTROL BASELINES             CONTROL NAME / Control Enhancement Name
            LOW       MOD       HIGH
MA-1        Selected  Selected  Selected  Maintenance Policy and Procedures
ICS Supplemental Guidance: The policy specifically addresses the unique properties and requirements of ICS and the relationship
to non-ICS systems.
MA-2 CONTROLLED MAINTENANCE
CNTL NO.    CONTROL BASELINES             CONTROL NAME / Control Enhancement Name
            LOW       MOD       HIGH
MA-2        Selected  Selected  Selected  Controlled Maintenance
MA-2 (2)    -         -         Selected  CONTROLLED MAINTENANCE | AUTOMATED MAINTENANCE ACTIVITIES
No ICS Supplemental Guidance.
MA-3 MAINTENANCE TOOLS
CNTL NO.    CONTROL BASELINES             CONTROL NAME / Control Enhancement Name
            LOW       MOD       HIGH
MA-3        -         Selected  Selected  Maintenance Tools
MA-3 (1)    -         Selected  Selected  MAINTENANCE TOOLS | INSPECT TOOLS
MA-3 (2)    -         Selected  Selected  MAINTENANCE TOOLS | INSPECT MEDIA
MA-3 (3)    -         -         Selected  MAINTENANCE TOOLS | PREVENT UNAUTHORIZED REMOVAL
No ICS Supplemental Guidance.
MA-4 NONLOCAL MAINTENANCE
CNTL NO.    CONTROL BASELINES             CONTROL NAME / Control Enhancement Name
            LOW       MOD       HIGH
MA-4        Selected  Selected  Selected  Non-Local Maintenance
MA-4 (2)    -         Selected  Selected  NON-LOCAL MAINTENANCE | DOCUMENT NON-LOCAL MAINTENANCE
MA-4 (3)    -         -         Selected  NON-LOCAL MAINTENANCE | COMPARABLE SECURITY / SANITIZATION
No ICS Supplemental Guidance.
Control Enhancement: (2) No ICS Supplemental Guidance.
Control Enhancement: (3) ICS Supplemental Guidance: In crisis or emergency situations, the organization may need immediate
access to non-local maintenance and diagnostic services in order to restore essential ICS operations or services. Example compensating
controls include limiting the extent of the maintenance and diagnostic services to the minimum essential activities, carefully monitoring and
auditing the non-local maintenance and diagnostic activities.
MA-5 MAINTENANCE PERSONNEL
CNTL NO.    CONTROL BASELINES             CONTROL NAME / Control Enhancement Name
            LOW       MOD       HIGH
MA-5        Selected  Selected  Selected  Maintenance Personnel
MA-5 (1)    -         -         Selected  MAINTENANCE PERSONNEL | INDIVIDUALS WITHOUT APPROPRIATE ACCESS
No ICS Supplemental Guidance.
MA-6 TIMELY MAINTENANCE
CNTL NO.    CONTROL BASELINES             CONTROL NAME / Control Enhancement Name
            LOW       MOD       HIGH
MA-6        -         Selected  Selected  Timely Maintenance
No ICS Supplemental Guidance.
MEDIA PROTECTION – MP
Supplemental Guidance
Supplemental Guidance for all Controls and Control Enhancements in NIST SP 800-53 Rev. 4, Appendix F, should be used in conjunction
with the ICS Supplemental Guidance in this overlay, if any.
MP-1 MEDIA PROTECTION POLICY AND PROCEDURES
CNTL NO.    CONTROL BASELINES             CONTROL NAME / Control Enhancement Name
            LOW       MOD       HIGH
MP-1        Selected  Selected  Selected  Media Protection Policy and Procedures
ICS Supplemental Guidance: The policy specifically addresses the unique properties and requirements of ICS and the relationship
to non-ICS systems.
MP-2 MEDIA ACCESS
CNTL NO.    CONTROL BASELINES             CONTROL NAME / Control Enhancement Name
            LOW       MOD       HIGH
MP-2        Selected  Selected  Selected  Media Access
No ICS Supplemental Guidance.
MP-3 MEDIA MARKING
CNTL NO.    CONTROL BASELINES             CONTROL NAME / Control Enhancement Name
            LOW       MOD       HIGH
MP-3        -         Selected  Selected  Media Marking
No ICS Supplemental Guidance.
MP-4 MEDIA STORAGE
CNTL NO.    CONTROL BASELINES             CONTROL NAME / Control Enhancement Name
            LOW       MOD       HIGH
MP-4        -         Selected  Selected  Media Storage
No ICS Supplemental Guidance.
MP-5 MEDIA TRANSPORT
CNTL NO.    CONTROL BASELINES             CONTROL NAME / Control Enhancement Name
            LOW       MOD       HIGH
MP-5        -         Selected  Selected  Media Transport
MP-5 (4)    -         Selected  Selected  MEDIA TRANSPORT | CRYPTOGRAPHIC PROTECTION
No ICS Supplemental Guidance.
MP-6 MEDIA SANITIZATION
CNTL NO.    CONTROL BASELINES             CONTROL NAME / Control Enhancement Name
            LOW       MOD       HIGH
MP-6        Selected  Selected  Selected  Media Sanitization
MP-6 (1)    -         -         Selected  MEDIA SANITIZATION | TRACKING / DOCUMENTING / VERIFYING
MP-6 (2)    -         -         Selected  MEDIA SANITIZATION | EQUIPMENT TESTING
MP-6 (3)    -         -         Selected  MEDIA SANITIZATION | NON-DESTRUCTIVE TECHNIQUES
No ICS Supplemental Guidance.
MP-7 MEDIA USE
CNTL NO.    CONTROL BASELINES             CONTROL NAME / Control Enhancement Name
            LOW       MOD       HIGH
MP-7        Selected  Selected  Selected  Media Use
MP-7 (1)    -         Selected  Selected  MEDIA USE | ORGANIZATIONAL RESTRICTIONS
No ICS Supplemental Guidance.
PHYSICAL AND ENVIRONMENTAL PROTECTION – PE
Supplemental Guidance
Supplemental Guidance for all Controls and Control Enhancements in NIST SP 800-53 Rev. 4, Appendix F, should be used in
conjunction with the ICS Supplemental Guidance in this overlay, if any.
PE-1 PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES
CNTL NO.    CONTROL BASELINES             CONTROL NAME / Control Enhancement Name
            LOW       MOD       HIGH
PE-1        Selected  Selected  Selected  Physical and Environmental Protection Policy and Procedures
ICS Supplemental Guidance: The policy specifically addresses the unique properties and requirements of ICS and the relationship to non-ICS systems. The ICS components can be distributed over a large facility footprint or geographic area and can be an entry point into the entire organizational ICS network. Regulatory controls may also apply.
PE-2 PHYSICAL ACCESS AUTHORIZATIONS
CNTL NO.    CONTROL BASELINES             CONTROL NAME / Control Enhancement Name
            LOW       MOD       HIGH
PE-2        Selected  Selected  Selected  Physical Access Authorizations
No ICS Supplemental Guidance.
PE-3 PHYSICAL ACCESS CONTROL
CNTL NO.    CONTROL BASELINES             CONTROL NAME / Control Enhancement Name
            LOW       MOD       HIGH
PE-3        Selected  Selected  Selected  Physical Access Control
PE-3 (1)    -         -         Selected  PHYSICAL ACCESS CONTROL | INFORMATION SYSTEM ACCESS
ICS Supplemental Guidance: The organization considers ICS safety and security interdependencies. The organization considers
access requirements in emergency situations. During an emergency-related event, the organization may restrict access to ICS facilities and
assets to authorized individuals only. ICS are often constructed of devices that either do not have or cannot use comprehensive access control
capabilities due to time-restrictive safety constraints. Physical access controls and defense-in-depth measures are used by the organization
when necessary and possible to supplement ICS security when electronic mechanisms are unable to fulfill the security requirements of the
organization’s security plan. Primary nodes, distribution closets, and mechanical/electrical rooms should be locked and require key or
electronic access control and incorporate intrusion detection sensors.
Control Enhancement: (1) No ICS Supplemental Guidance.
PE-4 ACCESS CONTROL FOR TRANSMISSION MEDIUM
CNTL NO.    CONTROL BASELINES             CONTROL NAME / Control Enhancement Name
            LOW       MOD       HIGH
PE-4        -         Selected  Selected  Access Control for Transmission Medium
No ICS Supplemental Guidance.
PE-5 ACCESS CONTROL FOR OUTPUT DEVICES
CNTL NO.    CONTROL BASELINES             CONTROL NAME / Control Enhancement Name
            LOW       MOD       HIGH
PE-5        -         Selected  Selected  Access Control for Output Devices
No ICS Supplemental Guidance.
PE-6 MONITORING PHYSICAL ACCESS
CNTL NO.    CONTROL BASELINES             CONTROL NAME / Control Enhancement Name
            LOW       MOD       HIGH
PE-6        Selected  Selected  Selected  Monitoring Physical Access
PE-6 (1)    -         Selected  Selected  MONITORING PHYSICAL ACCESS | INTRUSION ALARMS / SURVEILLANCE EQUIPMENT
PE-6 (4)    -         Added     Selected  MONITORING PHYSICAL ACCESS | MONITORING PHYSICAL ACCESS TO INFORMATION SYSTEMS
ICS Supplemental Guidance: Physical access controls and defense-in-depth measures are used as compensating controls by the
organization when necessary and possible to supplement ICS security when electronic mechanisms are unable to monitor, detect and alarm
when an ICS has been accessed. These compensating controls are in addition to the PE-6 controls (e.g., employing PE-3(4) Lockable Casings
and/or PE-3(5) Tamper Protection).
Control Enhancement: (1) No ICS Supplemental Guidance.
Control Enhancement: (4) ICS Supplemental Guidance: The locations of ICS components (e.g., field devices, remote terminal
units) can include various remote locations (e.g., substations, pumping stations).
Rationale (adding CE 4 to MODERATE baseline): Many of the ICS components are in remote geographical and dispersed
locations with little capability to monitor all ICS components. Other components may be in ceilings, floors, or distribution closets with
minimal physical barriers to detect, delay or deny access to the devices and no electronic surveillance or guard forces response capability.
PE-8 VISITOR ACCESS RECORDS
CNTL NO.    CONTROL BASELINES             CONTROL NAME / Control Enhancement Name
            LOW       MOD       HIGH
PE-8        Selected  Selected  Selected  Visitor Access Records
PE-8 (1)    -         -         Selected  VISITOR ACCESS RECORDS | AUTOMATED RECORDS MAINTENANCE / REVIEW
No ICS Supplemental Guidance.
PE-9 POWER EQUIPMENT AND CABLING
CNTL NO.    CONTROL BASELINES             CONTROL NAME / Control Enhancement Name
            LOW       MOD       HIGH
PE-9        -         Selected  Selected  Power Equipment and Cabling
PE-9 (1)    -         Added     Added     POWER EQUIPMENT AND CABLING | REDUNDANT CABLING
No ICS Supplemental Guidance.
Control Enhancement: (1) No ICS Supplemental Guidance.
Rationale (for adding (1)): Continuity of ICS control and operation requires redundant power cabling.
PE-10 EMERGENCY SHUTOFF
CNTL NO.    CONTROL BASELINES             CONTROL NAME / Control Enhancement Name
            LOW       MOD       HIGH
PE-10       -         Selected  Selected  Emergency Shutoff
ICS Supplemental Guidance: It may not be possible or advisable to shut off power to some ICS. Example compensating controls include fail in known state and emergency procedures.
PE-11 EMERGENCY POWER
CNTL NO.    CONTROL BASELINES             CONTROL NAME / Control Enhancement Name
            LOW       MOD       HIGH
PE-11       Added     Selected  Selected  Emergency Power
PE-11 (1)   Added     Added     Selected  EMERGENCY POWER | LONG-TERM ALTERNATE POWER SUPPLY - MINIMAL OPERATIONAL CAPABILITY
PE-11 (2)   -         -         Added     EMERGENCY POWER | LONG-TERM ALTERNATE POWER SUPPLY - SELF-CONTAINED
ICS Supplemental Guidance: Emergency power production, transmission and distribution systems are a type of ICS that are required to meet extremely high performance specifications. The systems are governed by international, national, state and local building codes, must be tested on a continual basis, and must be repaired and placed back into operations within a short period of time. Traditionally, emergency power has been provided by generators for short to mid-term power (typically for fire and life safety systems, some IT load, and evacuation transport) and UPS battery packs in distribution closets and within work areas to allow some level of business continuity and for the orderly shutdown of non-essential IT and facility systems. Traditional emergency power systems typically are off-line until a loss of power occurs and are typically on a separate network and control system specific to the facility they support. New methods of energy generation and storage (e.g., solar photovoltaic, geothermal, flywheel, microgrid, distributed energy) that have a real-time demand and storage connection to local utilities or are cross-connected to multiple facilities should be carefully analyzed to ensure that the power can meet the load and signal quality without disruption of mission essential functions.
Control Enhancement: (1) No ICS Supplemental Guidance.
Rationale for adding control to baseline: ICS may support critical activities which will be needed for safety and reliability even in
the absence of reliable power from the public grid.
PE-12 EMERGENCY LIGHTING
CNTL NO.    CONTROL BASELINES             CONTROL NAME / Control Enhancement Name
            LOW       MOD       HIGH
PE-12       Selected  Selected  Selected  Emergency Lighting
No ICS Supplemental Guidance.
PE-13 FIRE PROTECTION
CNTL NO.    CONTROL BASELINES             CONTROL NAME / Control Enhancement Name
            LOW       MOD       HIGH
PE-13       Selected  Selected  Selected  Fire Protection
PE-13 (1)   -         -         Selected  FIRE PROTECTION | DETECTION DEVICES / SYSTEMS
PE-13 (2)   -         -         Selected  FIRE PROTECTION | SUPPRESSION DEVICES / SYSTEMS
PE-13 (3)   -         Selected  Selected  FIRE PROTECTION | AUTOMATIC FIRE SUPPRESSION
ICS Supplemental Guidance: Fire suppression mechanisms should take the ICS environment into account (e.g., water sprinkler
systems could be hazardous in specific environments).
Control Enhancement: (1, 2, 3) No ICS Supplemental Guidance.
PE-14 TEMPERATURE AND HUMIDITY CONTROLS
CNTL NO.    CONTROL BASELINES             CONTROL NAME / Control Enhancement Name
            LOW       MOD       HIGH
PE-14       Selected  Selected  Selected  Temperature and Humidity Controls
ICS Supplemental Guidance: Temperature and humidity controls are typically components of other ICS systems such as the HVAC,
process, or lighting systems, or can be a standalone and unique ICS system. ICS can operate in extreme environments and both interior and
exterior locations. For a specific ICS, the temperature and humidity design and operational parameters dictate the performance specifications.
As ICS and IS become interconnected and the network provides connectivity across the hybrid domain, power circuits, distribution closets,
routers and switches that support fire protection and life safety systems must be maintained at the proper temperature and humidity.
PE-15 WATER DAMAGE PROTECTION
CNTL NO.    CONTROL BASELINES             CONTROL NAME / Control Enhancement Name
            LOW       MOD       HIGH
PE-15       Selected  Selected  Selected  Water Damage Protection
PE-15 (1)   -         -         Selected  WATER DAMAGE PROTECTION | AUTOMATION SUPPORT
ICS Supplemental Guidance: Water damage protection and use of shutoff and isolation valves is both a procedural action, and also a specific type of ICS. ICS that are used in the manufacturing, hydropower, transportation/navigation, water and wastewater industries rely on the movement of water and are specifically designed to manage the quantity/flow and pressure of water. As ICS and IS become interconnected and the network provides connectivity across the hybrid domain, power circuits, distribution closets, routers and switches that support fire protection and life safety systems should ensure that water will not disable the system (e.g., a fire that activates the sprinkler system does not spray onto the fire control servers, routers, switches and short out the alarms, egress systems, emergency lighting, and suppression systems).
Control Enhancement: (1) No ICS Supplemental Guidance.
PE-16 DELIVERY AND REMOVAL
CNTL NO.    CONTROL BASELINES             CONTROL NAME / Control Enhancement Name
            LOW       MOD       HIGH
PE-16       Selected  Selected  Selected  Delivery and Removal
No ICS Supplemental Guidance.
PE-17 ALTERNATE WORK SITE
CNTL NO.    CONTROL BASELINES             CONTROL NAME / Control Enhancement Name
            LOW       MOD       HIGH
PE-17       -         Selected  Selected  Alternate Work Site
No ICS Supplemental Guidance.
PE-18 LOCATION OF INFORMATION SYSTEM COMPONENTS
CNTL NO.    CONTROL BASELINES             CONTROL NAME / Control Enhancement Name
            LOW       MOD       HIGH
PE-18       Selected  Selected  Selected  Location of Information System Components
No ICS Supplemental Guidance.
PLANNING – PL
Supplemental Guidance
Supplemental Guidance for all Controls and Control Enhancements in NIST SP 800-53 Rev. 4, Appendix F, should be used in conjunction with the ICS Supplemental Guidance in this overlay, if any.

PL-1 SECURITY PLANNING POLICY AND PROCEDURES
CNTL NO.    LOW        MOD        HIGH       CONTROL NAME / Control Enhancement Name
PL-1        Selected   Selected   Selected   Security Planning Policy and Procedures
ICS Supplemental Guidance: The policy specifically addresses the unique properties and requirements of ICS and the relationship to non-ICS systems.

PL-2 SYSTEM SECURITY PLAN
CNTL NO.    LOW        MOD        HIGH       CONTROL NAME / Control Enhancement Name
PL-2        Selected   Selected   Selected   System Security Plan
PL-2 (3)    Added      Selected   Selected   SYSTEM SECURITY PLAN | PLAN / COORDINATE WITH OTHER ORGANIZATIONAL ENTITIES
No ICS Supplemental Guidance.
Control Enhancement: (3) No ICS Supplemental Guidance.
Rationale for adding PL-2 (3) to low baseline: When systems are highly interconnected, coordinated planning is essential. A low-impact system could adversely affect a higher-impact system.

PL-4 RULES OF BEHAVIOR
CNTL NO.    LOW        MOD        HIGH       CONTROL NAME / Control Enhancement Name
PL-4        Selected   Selected   Selected   Rules of Behavior
PL-4 (1)    -          Selected   Selected   RULES OF BEHAVIOR | SOCIAL MEDIA AND NETWORKING RESTRICTIONS
No ICS Supplemental Guidance.

PL-7 SECURITY CONCEPT OF OPERATIONS (CONOPS)
CNTL NO.    LOW        MOD        HIGH       CONTROL NAME / Control Enhancement Name
PL-7        -          Added      Added      Security Concept of Operations
No ICS Supplemental Guidance.
Rationale for adding PL-7 to moderate and high baselines: ICS are complex systems. Organizations typically employ a CONOPS to help define a system and share that understanding with personnel involved with that system and with other systems with which it interacts. A CONOPS often helps identify information protection requirements.
PL-8 INFORMATION SECURITY ARCHITECTURE
CNTL NO.    LOW        MOD        HIGH       CONTROL NAME / Control Enhancement Name
PL-8        -          Selected   Selected   Information Security Architecture
No ICS Supplemental Guidance.
PERSONNEL SECURITY – PS
Supplemental Guidance
Supplemental Guidance for all Controls and Control Enhancements in NIST SP 800-53 Rev. 4, Appendix F, should be used in conjunction with the ICS Supplemental Guidance in this overlay, if any.

PS-1 PERSONNEL SECURITY POLICY AND PROCEDURES
CNTL NO.    LOW        MOD        HIGH       CONTROL NAME / Control Enhancement Name
PS-1        Selected   Selected   Selected   Personnel Security Policy and Procedures
ICS Supplemental Guidance: The policy specifically addresses the unique properties and requirements of ICS and the relationship to non-ICS systems.

PS-2 POSITION RISK DESIGNATION
CNTL NO.    LOW        MOD        HIGH       CONTROL NAME / Control Enhancement Name
PS-2        Selected   Selected   Selected   Position Risk Designation
No ICS Supplemental Guidance.

PS-3 PERSONNEL SCREENING
CNTL NO.    LOW        MOD        HIGH       CONTROL NAME / Control Enhancement Name
PS-3        Selected   Selected   Selected   Personnel Screening
No ICS Supplemental Guidance.

PS-4 PERSONNEL TERMINATION
CNTL NO.    LOW        MOD        HIGH       CONTROL NAME / Control Enhancement Name
PS-4        Selected   Selected   Selected   Personnel Termination
PS-4 (2)    -          -          Selected   PERSONNEL TERMINATION | AUTOMATED NOTIFICATION
No ICS Supplemental Guidance.

PS-5 PERSONNEL TRANSFER
CNTL NO.    LOW        MOD        HIGH       CONTROL NAME / Control Enhancement Name
PS-5        Selected   Selected   Selected   Personnel Transfer
No ICS Supplemental Guidance.
PS-6 ACCESS AGREEMENTS
CNTL NO.    LOW        MOD        HIGH       CONTROL NAME / Control Enhancement Name
PS-6        Selected   Selected   Selected   Access Agreements
No ICS Supplemental Guidance.

PS-7 THIRD-PARTY PERSONNEL SECURITY
CNTL NO.    LOW        MOD        HIGH       CONTROL NAME / Control Enhancement Name
PS-7        Selected   Selected   Selected   Third-Party Personnel Security
No ICS Supplemental Guidance.

PS-8 PERSONNEL SANCTIONS
CNTL NO.    LOW        MOD        HIGH       CONTROL NAME / Control Enhancement Name
PS-8        Selected   Selected   Selected   Personnel Sanctions
No ICS Supplemental Guidance.
RISK ASSESSMENT – RA
Supplemental Guidance
Supplemental Guidance for all Controls and Control Enhancements in NIST SP 800-53 Rev. 4, Appendix F, should be used in conjunction with the ICS Supplemental Guidance in this overlay, if any.

RA-1 RISK ASSESSMENT POLICY AND PROCEDURES
CNTL NO.    LOW        MOD        HIGH       CONTROL NAME / Control Enhancement Name
RA-1        Selected   Selected   Selected   Risk Assessment Policy and Procedures
ICS Supplemental Guidance: The policy specifically addresses the unique properties and requirements of ICS and the relationship to non-ICS systems.

RA-2 SECURITY CATEGORIZATION
CNTL NO.    LOW        MOD        HIGH       CONTROL NAME / Control Enhancement Name
RA-2        Selected   Selected   Selected   Security Categorization
No ICS Supplemental Guidance.

RA-3 RISK ASSESSMENT
CNTL NO.    LOW        MOD        HIGH       CONTROL NAME / Control Enhancement Name
RA-3        Selected   Selected   Selected   Risk Assessment
No ICS Supplemental Guidance.

RA-5 VULNERABILITY SCANNING
CNTL NO.    LOW        MOD        HIGH       CONTROL NAME / Control Enhancement Name
RA-5        Selected   Selected   Selected   Vulnerability Scanning
RA-5 (1)    -          Selected   Selected   VULNERABILITY SCANNING | UPDATE TOOL CAPABILITY
RA-5 (2)    -          Selected   Selected   VULNERABILITY SCANNING | UPDATE BY FREQUENCY / PRIOR TO NEW SCAN / WHEN IDENTIFIED
RA-5 (4)    -          -          Selected   VULNERABILITY SCANNING | DISCOVERABLE INFORMATION
RA-5 (5)    -          Selected   Selected   VULNERABILITY SCANNING | PRIVILEGED ACCESS
ICS Supplemental Guidance: Active vulnerability scanning, which introduces network traffic, is used with care on ICS to ensure that ICS functions are not adversely impacted by the scanning process. The organization makes a risk-based determination whether to employ active scanning. Passive monitoring/sniffing may be used as part of a compensating control. Example compensating controls include providing a replicated, virtualized, or simulated system on which to conduct scanning. Production ICS may need to be taken offline before scanning can be conducted. If ICS are taken offline for scanning, scans are scheduled to occur during planned ICS outages whenever possible. If vulnerability scanning tools are used on non-ICS networks, extra care is taken to ensure that they do not scan the ICS network. Network scanning is not applicable to non-addressable communications. Vulnerability examination may be performed using mechanisms other than scanning to identify the objects being examined. Host-based vulnerability examination is an example compensating control.
Control Enhancement: (1, 2, 4, 5) No ICS Supplemental Guidance.
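The two halves of this guidance, keeping active scanners off the control network and learning what is there passively, can be enforced in tooling rather than left to procedure. The Python below is an added example written for this page; it is not from SP 800-82, NIST, or any scanner product. The ICS address ranges, the port-to-protocol labels and the flow records are constructed for illustration, and the scan-scope check is a pre-flight guard that a scan orchestrator would call before launching a job:

```python
"""
RA-5 in an ICS environment: keep active scanners off the control network and
build the asset picture passively instead.

Added example; not part of SP 800-82 or any scanner's code. The CIDR ranges,
flow records and protocol/port names below are constructed for illustration.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Constructed: address space that is off-limits to active scanning (hypothetical ranges).
ICS_NETWORKS = [
    ipaddress.ip_network("10.20.0.0/16"),   # plant control LAN
    ipaddress.ip_network("10.21.5.0/24"),   # safety instrumented system
]

# Constructed: well-known ICS protocol ports used to label passive observations.
ICS_PORTS = {502: "modbus/tcp", 20000: "dnp3", 44818: "ethernet/ip", 102: "s7comm", 2404: "iec-104"}


def scan_targets_allowed(targets, deny_networks=ICS_NETWORKS):
    """Return (allowed_targets, rejected_targets).

    `targets` may mix single hosts and CIDR ranges. A target is rejected when any
    part of it overlaps a denied network, so a wide range such as 10.0.0.0/8 is
    rejected outright rather than silently trimmed.
    """
    allowed, rejected = [], []
    for t in targets:
        net = ipaddress.ip_network(t, strict=False)
        if any(net.overlaps(d) for d in deny_networks):
            rejected.append(t)
        else:
            allowed.append(t)
    return allowed, rejected


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str  # "tcp" or "udp"


def passive_inventory(flows):
    """Derive a host/service inventory from observed flows without sending a packet."""
    inventory = defaultdict(set)
    for f in flows:
        label = ICS_PORTS.get(f.dport, f"{f.proto}/{f.dport}")
        inventory[f.dst].add(label)
    return {host: sorted(services) for host, services in inventory.items()}


# Constructed sample flow records, as a SPAN-port or tap sensor might export them.
SAMPLE_FLOWS = [
    Flow("10.20.1.10", "10.20.2.5", 502, "tcp"),
    Flow("10.20.1.10", "10.20.2.6", 502, "tcp"),
    Flow("10.20.1.11", "10.20.2.5", 44818, "tcp"),
    Flow("10.20.1.10", "10.20.2.7", 22, "tcp"),
]

if __name__ == "__main__":
    ok, bad = scan_targets_allowed(["192.168.50.0/24", "10.20.2.5", "10.0.0.0/8"])
    print("scan allowed:", ok)
    print("scan rejected (overlaps ICS):", bad)
    print("passive inventory:", passive_inventory(SAMPLE_FLOWS))
```

Rejecting a target range that merely overlaps the ICS space, rather than trimming it, is deliberate: a scanner handed 10.0.0.0/8 would otherwise walk straight into the control LAN. The passive inventory only consumes records already captured on a SPAN or tap port, so it fits the "passive monitoring/sniffing" compensating control without adding traffic; neither approach sees non-addressable links, which the guidance also excludes from network scanning.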
SYSTEM AND SERVICES ACQUISITION – SA
Tailoring Considerations for System and Services Acquisition Family
In situations where the ICS cannot support the specific System and Services Acquisition requirements of a control, the organization employs compensating controls in accordance with the general tailoring guidance. Examples of compensating controls are given with each control, as appropriate.
Supplemental Guidance
Supplemental Guidance for all Controls and Control Enhancements in NIST SP 800-53 Rev. 4, Appendix F, should be used in conjunction with the ICS Supplemental Guidance in this overlay, if any.

SA-1 SYSTEM AND SERVICES ACQUISITION POLICY AND PROCEDURES
CNTL NO.    LOW        MOD        HIGH       CONTROL NAME / Control Enhancement Name
SA-1        Selected   Selected   Selected   System and Services Acquisition Policy and Procedures
ICS Supplemental Guidance: The policy specifically addresses the unique properties and requirements of ICS and the relationship to non-ICS systems.

SA-2 ALLOCATION OF RESOURCES
CNTL NO.    LOW        MOD        HIGH       CONTROL NAME / Control Enhancement Name
SA-2        Selected   Selected   Selected   Allocation of Resources
No ICS Supplemental Guidance.

SA-3 SYSTEM DEVELOPMENT LIFE CYCLE
CNTL NO.    LOW        MOD        HIGH       CONTROL NAME / Control Enhancement Name
SA-3        Selected   Selected   Selected   System Development Life Cycle
No ICS Supplemental Guidance.

SA-4 ACQUISITION PROCESS
CNTL NO.    LOW        MOD        HIGH       CONTROL NAME / Control Enhancement Name
SA-4        Selected   Selected   Selected   Acquisition Process
SA-4 (1)    -          Selected   Selected   ACQUISITION PROCESS | FUNCTIONAL PROPERTIES OF SECURITY CONTROLS
SA-4 (2)    -          Selected   Selected   ACQUISITION PROCESS | DESIGN / IMPLEMENTATION INFORMATION FOR SECURITY CONTROLS
SA-4 (9)    -          Selected   Selected   ACQUISITION PROCESS | FUNCTIONS / PORTS / PROTOCOLS / SERVICES IN USE
SA-4 (10)   Selected   Selected   Selected   ACQUISITION PROCESS | USE OF APPROVED PIV PRODUCTS
ICS Supplemental Guidance: Since ICS security has historically focused on physical protection and isolation, vendors and developers may be unfamiliar with cybersecurity. Organizations should anticipate a need to engage with ICS suppliers to raise awareness of cybersecurity needs. The SCADA/Control Systems Procurement Project provides example cybersecurity procurement language for ICS.
References: Web: https://ics-cert.us-cert.gov/sites/default/files/documents/Procurement_Language_Rev4_100809.pdf
Control Enhancements: (1, 2, 9) ICS Supplemental Guidance: Developers may not have access to required information.
Control Enhancement: (10) ICS Supplemental Guidance: Example compensating controls include employing external products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability in conjunction with ICS products.

SA-5 INFORMATION SYSTEM DOCUMENTATION
CNTL NO.    LOW        MOD        HIGH       CONTROL NAME / Control Enhancement Name
SA-5        Selected   Selected   Selected   Information System Documentation
No ICS Supplemental Guidance.

SA-8 SECURITY ENGINEERING PRINCIPLES
CNTL NO.    LOW        MOD        HIGH       CONTROL NAME / Control Enhancement Name
SA-8        -          Selected   Selected   Security Engineering Principles
No ICS Supplemental Guidance.

SA-9 EXTERNAL INFORMATION SYSTEM SERVICES
CNTL NO.    LOW        MOD        HIGH       CONTROL NAME / Control Enhancement Name
SA-9        Selected   Selected   Selected   External Information System Services
SA-9 (2)    -          Selected   Selected   EXTERNAL INFORMATION SYSTEMS | IDENTIFICATION OF FUNCTIONS / PORTS / PROTOCOLS / SERVICES
No ICS Supplemental Guidance.

SA-10 DEVELOPER CONFIGURATION MANAGEMENT
CNTL NO.    LOW        MOD        HIGH       CONTROL NAME / Control Enhancement Name
SA-10       -          Selected   Selected   Developer Configuration Management
No ICS Supplemental Guidance.

SA-11 DEVELOPER SECURITY TESTING AND EVALUATION
CNTL NO.    LOW        MOD        HIGH       CONTROL NAME / Control Enhancement Name
SA-11       -          Selected   Selected   Developer Security Testing and Evaluation
No ICS Supplemental Guidance.

SA-12 SUPPLY CHAIN PROTECTION
CNTL NO.    LOW        MOD        HIGH       CONTROL NAME / Control Enhancement Name
SA-12       -          -          Selected   Supply Chain Protection
No ICS Supplemental Guidance.
SA-15 DEVELOPMENT PROCESS, STANDARDS, AND TOOLS
CNTL NO.    LOW        MOD        HIGH       CONTROL NAME / Control Enhancement Name
SA-15       -          -          Selected   Development Process, Standards, and Tools
No ICS Supplemental Guidance.

SA-16 DEVELOPER-PROVIDED TRAINING
CNTL NO.    LOW        MOD        HIGH       CONTROL NAME / Control Enhancement Name
SA-16       -          -          Selected   Developer-Provided Training
No ICS Supplemental Guidance.

SA-17 DEVELOPER SECURITY ARCHITECTURE AND DESIGN
CNTL NO.    LOW        MOD        HIGH       CONTROL NAME / Control Enhancement Name
SA-17       -          -          Selected   Developer Security Architecture and Design
No ICS Supplemental Guidance.
SYSTEM AND COMMUNICATIONS PROTECTION – SC
Tailoring Considerations for System and Communications Protection Family
The use of cryptography is determined after careful consideration of the security needs and the potential ramifications on system performance. For example, the organization considers whether latency induced by the use of cryptography would adversely impact the operational performance of the ICS. While the legacy devices commonly found within ICS often lack direct support for cryptographic functions, compensating controls (e.g., encapsulation) may be used to meet the intent of the control.
In situations where the ICS cannot support the specific System and Communications Protection requirements of a control, the organization employs compensating controls in accordance with the general tailoring guidance. Examples of compensating controls are given with each control, as appropriate.
Supplemental Guidance
Supplemental Guidance for all Controls and Control Enhancements in NIST SP 800-53 Rev. 4, Appendix F, should be used in conjunction with the ICS Supplemental Guidance in this overlay, if any.

SC-1 SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURES
CNTL NO.    LOW        MOD        HIGH       CONTROL NAME / Control Enhancement Name
SC-1        Selected   Selected   Selected   System and Communications Protection Policy and Procedures
ICS Supplemental Guidance: The policy specifically addresses the unique properties and requirements of ICS and the relationship to non-ICS systems.

SC-2 APPLICATION PARTITIONING
CNTL NO.    LOW        MOD        HIGH       CONTROL NAME / Control Enhancement Name
SC-2        -          Selected   Selected   Application Partitioning
ICS Supplemental Guidance: Systems used to manage the ICS should be separate from the operational ICS components. Example compensating controls include providing increased auditing measures.

SC-3 SECURITY FUNCTION ISOLATION
CNTL NO.    LOW        MOD        HIGH       CONTROL NAME / Control Enhancement Name
SC-3        -          -          Selected   Security Function Isolation
ICS Supplemental Guidance: Example compensating controls include providing increased auditing measures, limiting network connectivity, and architectural allocation.

SC-4 INFORMATION IN SHARED RESOURCES
CNTL NO.    LOW        MOD        HIGH       CONTROL NAME / Control Enhancement Name
SC-4        -          Selected   Selected   Information in Shared Resources
ICS Supplemental Guidance: Example compensating controls include architecting the use of the ICS to prevent sharing of system resources.
SC-5 DENIAL OF SERVICE PROTECTION
CNTL NO.    LOW        MOD        HIGH       CONTROL NAME / Control Enhancement Name
SC-5        Selected   Selected   Selected   Denial of Service Protection
ICS Supplemental Guidance: Example compensating controls include ensuring that a loss of communication results in the ICS operating in nominal or safe mode. Risk-based analysis informs the establishment of policy and procedure.
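Below is an added Python example, not from SP 800-82 or any PLC vendor, of the compensating control named here: a controller-side watchdog that drives outputs to a pre-selected safe state when the supervisory heartbeat stops, refuses remote setpoints until a local operator resets it, and exposes the consistency check between logical mode and physical outputs that SC-24 (fail in known state, later in this family) asks for. The heartbeat timeout, the three outputs and their safe values are assumptions chosen for the illustration:

```python
"""
SC-5 / SC-24 compensating control: when the supervisory link is lost, the
controller does not hang in an undefined state; it moves to a known safe state
chosen by the organization and records why.

Added example; not from SP 800-82 or any PLC vendor. Heartbeat interval, the
outputs and their safe values are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    NOMINAL = "nominal"   # supervisory link healthy, remote setpoints accepted
    SAFE = "safe"         # link lost, outputs driven to their configured safe values
    # There is deliberately no automatic path back from SAFE to NOMINAL.


# Constructed: per-output safe values selected during design (the SC-24 "known state").
SAFE_OUTPUTS = {"inlet_valve": "closed", "feed_pump": "off", "heater": "off"}


@dataclass
class Controller:
    heartbeat_timeout_s: float = 5.0                 # assumption
    mode: Mode = Mode.NOMINAL
    last_heartbeat_s: float = 0.0
    outputs: dict = field(default_factory=lambda: {"inlet_valve": "open", "feed_pump": "on", "heater": "on"})
    events: list = field(default_factory=list)

    def heartbeat(self, now_s: float) -> None:
        """Called when a valid supervisory message arrives."""
        self.last_heartbeat_s = now_s

    def tick(self, now_s: float) -> Mode:
        """Periodic watchdog; performs the transition to the safe state on timeout."""
        if self.mode is Mode.NOMINAL and now_s - self.last_heartbeat_s > self.heartbeat_timeout_s:
            self.mode = Mode.SAFE
            self.outputs.update(SAFE_OUTPUTS)   # every output lands on its designed value at once
            self.events.append((now_s, "heartbeat lost; outputs forced to safe state"))
        return self.mode

    def apply_setpoint(self, output: str, value: str, now_s: float) -> bool:
        """Remote commands are honoured only while the link is healthy."""
        self.tick(now_s)
        if self.mode is not Mode.NOMINAL:
            self.events.append((now_s, f"rejected remote setpoint {output}={value} in {self.mode.value} mode"))
            return False
        self.outputs[output] = value
        return True

    def operator_reset(self, now_s: float) -> None:
        """Local, deliberate return to NOMINAL after the cause has been reviewed."""
        self.heartbeat(now_s)
        self.mode = Mode.NOMINAL
        self.events.append((now_s, "operator reset to nominal"))

    def state_consistent(self) -> bool:
        """SC-24 check: the logical mode and the physical outputs must agree."""
        if self.mode is Mode.SAFE:
            return all(self.outputs[k] == v for k, v in SAFE_OUTPUTS.items())
        return True


def run_scenario():
    """Healthy link, one accepted setpoint, then a 10 s silence that trips the watchdog."""
    c = Controller()
    c.heartbeat(0.0)
    c.tick(4.0)                                  # 4 s since heartbeat: still nominal
    accepted_before = c.apply_setpoint("heater", "off", 4.5)
    mode_after = c.tick(10.0)                    # 10 s since heartbeat > 5 s timeout
    accepted_after = c.apply_setpoint("inlet_valve", "open", 11.0)
    return accepted_before, mode_after, accepted_after, dict(c.outputs), c.state_consistent()


if __name__ == "__main__":
    print(run_scenario())
```

The point of `state_consistent` is that "safe" must be true of the plant, not just of a flag in memory; a controller whose mode says SAFE while a valve is still open has failed into an unknown state. Which outputs go where on loss of communication is the risk-based decision the guidance refers to, and it is not the same for a boiler as for a pumping station.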
SC-7 BOUNDARY PROTECTION
CNTL NO.    LOW        MOD        HIGH       CONTROL NAME / Control Enhancement Name
SC-7        Selected   Selected   Selected   Boundary Protection
SC-7 (3)    -          Selected   Selected   BOUNDARY PROTECTION | ACCESS POINTS
SC-7 (4)    -          Selected   Selected   BOUNDARY PROTECTION | EXTERNAL TELECOMMUNICATIONS SERVICES
SC-7 (5)    -          Selected   Selected   BOUNDARY PROTECTION | DENY BY DEFAULT / ALLOW BY EXCEPTION
SC-7 (7)    -          Selected   Selected   BOUNDARY PROTECTION | PREVENT SPLIT TUNNELING FOR REMOTE DEVICES
SC-7 (8)    -          -          Selected   BOUNDARY PROTECTION | ROUTE TRAFFIC TO AUTHENTICATED PROXY SERVERS
SC-7 (18)   -          Added      Selected   BOUNDARY PROTECTION | FAIL SECURE
SC-7 (21)   -          -          Selected   BOUNDARY PROTECTION | ISOLATION OF INFORMATION SYSTEM COMPONENTS
No ICS Supplemental Guidance.
Control Enhancement: (3, 4, 5, 7, 8, 21) No ICS Supplemental Guidance.
Control Enhancement: (18) ICS Supplemental Guidance: The organization selects an appropriate failure mode (e.g., permit or block all communications).
Rationale for adding SC-7 (18) to moderate baseline: As part of the architecture and design of the ICS, the organization selects an appropriate failure mode in accordance with the function performed by the ICS and the operational environment. The ability to choose the failure mode for the physical part of the ICS differentiates the ICS from other IT systems. This choice may be a significant influence in mitigating the impact of a failure.
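As an added illustration (not from SP 800-82 or any firewall product) of SC-7 (5) and SC-7 (18) together, the Python below models a boundary device between an HMI subnet and a PLC subnet: traffic crosses only when an explicit rule allows it, and when the device's policy engine faults it applies the failure mode the organization designed in rather than whatever the hardware happens to do. Addresses, rules and the test flows are constructed; `FailMode` is a hypothetical setting standing in for a vendor's own configuration knob:

```python
"""
SC-7 (5) and SC-7 (18) at an ICS boundary: an explicit allow list with deny by
default, plus a designed failure mode for the device itself.

Added example; not from SP 800-82 or any firewall product. Addresses, rules and
the failure-mode setting are constructed.
"""
import ipaddress
from dataclasses import dataclass
from enum import Enum


class FailMode(Enum):
    BLOCK_ALL = "block"    # fail secure: nothing crosses the boundary until the device recovers
    PERMIT_ALL = "permit"  # fail open: only where blocked communications would be the greater hazard


@dataclass(frozen=True)
class Rule:
    src: str      # CIDR
    dst: str      # CIDR
    dport: int
    proto: str = "tcp"

    def matches(self, src, dst, dport, proto):
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst)
                and dport == self.dport and proto == self.proto)


class BoundaryDevice:
    def __init__(self, rules, fail_mode: FailMode):
        self.rules = list(rules)
        self.fail_mode = fail_mode
        self.healthy = True   # False once the policy engine cannot evaluate (simulated fault)

    def decide(self, src, dst, dport, proto="tcp"):
        """Return 'allow' or 'deny'. Deny is the default; allow needs an explicit rule."""
        if not self.healthy:
            # SC-7 (18): the device is in its failure state; apply the designed mode, not an accident.
            return "allow" if self.fail_mode is FailMode.PERMIT_ALL else "deny"
        return "allow" if any(r.matches(src, dst, dport, proto) for r in self.rules) else "deny"

    def fault(self):
        self.healthy = False


# Constructed allow list: the HMI subnet may speak Modbus/TCP to the PLC subnet, and
# only the engineering workstation may reach the PLC programming port.
RULES = [
    Rule("10.20.1.0/24", "10.20.2.0/24", 502),    # HMI -> PLC, Modbus/TCP
    Rule("10.20.1.50/32", "10.20.2.0/24", 102),   # EWS -> PLC, programming port (hypothetical)
]


def scenario(fail_mode: FailMode):
    """Same traffic before and after a policy-engine fault, under the given failure mode."""
    dev = BoundaryDevice(RULES, fail_mode)
    results = {
        "hmi_modbus": dev.decide("10.20.1.10", "10.20.2.5", 502),
        "corporate_modbus": dev.decide("192.168.10.7", "10.20.2.5", 502),   # no rule -> default deny
        "hmi_ssh": dev.decide("10.20.1.10", "10.20.2.5", 22),                # wrong port -> default deny
    }
    dev.fault()
    results["hmi_modbus_during_fault"] = dev.decide("10.20.1.10", "10.20.2.5", 502)
    results["corporate_modbus_during_fault"] = dev.decide("192.168.10.7", "10.20.2.5", 502)
    return results


if __name__ == "__main__":
    for mode in FailMode:
        print(mode.name, scenario(mode))
```

Under BLOCK_ALL the fault takes the HMI off the PLC along with everyone else, which is the fail-secure reading of this enhancement; under PERMIT_ALL the corporate host gets through during the fault, which is exactly the trade the rationale above says the organization must make knowingly, based on the process the boundary protects.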
SC-8 TRANSMISSION CONFIDENTIALITY AND INTEGRITY
CNTL NO.    LOW        MOD        HIGH       CONTROL NAME / Control Enhancement Name
SC-8        -          Selected   Selected   Transmission Confidentiality and Integrity
SC-8 (1)    -          Selected   Selected   TRANSMISSION CONFIDENTIALITY AND INTEGRITY | CRYPTOGRAPHIC OR ALTERNATE PHYSICAL PROTECTION
No ICS Supplemental Guidance.
Control Enhancement: (1) ICS Supplemental Guidance: The organization explores all possible cryptographic integrity mechanisms (e.g., digital signature, hash function). Each mechanism has a different delay impact.
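The tailoring note for this family warns about crypto-induced latency, and this enhancement asks the organization to weigh the available integrity mechanisms. The Python below is an added example (not from SP 800-82) that makes both points concrete on a constructed 10-byte telemetry frame: a bare hash appended to the frame can be recomputed by anyone on the path, so it catches corruption but not tampering, whereas a keyed HMAC over the same frame does; the last function measures the per-frame delay each mechanism adds so it can be set against the control loop's budget. The key and frame layout are assumptions; digital signatures, which the page also names, need a library outside the standard library and are not timed here:

```python
"""
SC-8 (1): comparing integrity mechanisms for an ICS telemetry frame.

Added example; not from SP 800-82. The frame layout, key and tamper scenario
are constructed. Shows that an unkeyed hash is not an integrity control against
an active adversary, that a keyed MAC is (stdlib only), and how to measure the
per-frame delay of each.
"""
import hashlib
import hmac
import struct
import time

# Constructed: a 32-byte shared key provisioned out of band (key management is SC-12).
SHARED_KEY = bytes.fromhex("0f" * 32)


def encode_frame(tag_id: int, value: float, seq: int) -> bytes:
    """Fixed-layout payload: tag id (u16), measurement (f32), sequence number (u32)."""
    return struct.pack("!HfI", tag_id, value, seq)


def protect_with_hash(payload: bytes) -> bytes:
    return payload + hashlib.sha256(payload).digest()


def verify_hash(frame: bytes) -> bool:
    payload, digest = frame[:-32], frame[-32:]
    return hmac.compare_digest(hashlib.sha256(payload).digest(), digest)


def protect_with_hmac(payload: bytes, key: bytes = SHARED_KEY) -> bytes:
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def verify_hmac(frame: bytes, key: bytes = SHARED_KEY) -> bool:
    payload, tag = frame[:-32], frame[-32:]
    return hmac.compare_digest(hmac.new(key, payload, hashlib.sha256).digest(), tag)


def tamper(frame: bytes, new_value: float) -> bytes:
    """An on-path attacker rewrites the measurement and recomputes whatever it can."""
    tag_id, _, seq = struct.unpack("!HfI", frame[:10])
    forged = encode_frame(tag_id, new_value, seq)
    # The attacker knows SHA-256 but not SHARED_KEY, so it can only refresh the bare hash.
    return forged + hashlib.sha256(forged).digest()


def demo():
    """Verification outcomes for each mechanism, before and after tampering."""
    payload = encode_frame(tag_id=7, value=3.5, seq=1001)
    hashed, maced = protect_with_hash(payload), protect_with_hmac(payload)
    return {
        "hash_ok_untampered": verify_hash(hashed),
        "hash_ok_after_tamper": verify_hash(tamper(hashed, 99.0)),   # True: bare hash accepts the forgery
        "hmac_ok_untampered": verify_hmac(maced),
        "hmac_ok_after_tamper": verify_hmac(tamper(maced, 99.0)),   # False: MAC rejects it
    }


def per_frame_delay_ns(iterations: int = 20000):
    """Rough added latency per frame for each mechanism, to compare with the loop's budget."""
    payload = encode_frame(7, 3.5, 1)
    out = {}
    for name, fn in (("sha256", protect_with_hash), ("hmac-sha256", protect_with_hmac)):
        t0 = time.perf_counter_ns()
        for _ in range(iterations):
            fn(payload)
        out[name] = (time.perf_counter_ns() - t0) // iterations
    return out


if __name__ == "__main__":
    print(demo())
    print(per_frame_delay_ns())
```

The HMAC costs roughly two hash compressions more than the bare hash on a frame this small, which is usually negligible next to the serial or radio link; a per-frame digital signature is typically orders of magnitude slower and is the case where the "different delay impact" in the guidance becomes a design constraint. The sequence number inside the frame is what lets the receiver reject replays once integrity is established; the MAC alone does not.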
SC-10 NETWORK DISCONNECT
CNTL NO.    LOW        MOD        HIGH       CONTROL NAME / Control Enhancement Name
SC-10       -          Selected   Selected   Network Disconnect
ICS Supplemental Guidance: Example compensating controls include providing increased auditing measures or limiting remote access privileges to key personnel.
SC-12 CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT
CNTL NO.    LOW        MOD        HIGH       CONTROL NAME / Control Enhancement Name
SC-12       Selected   Selected   Selected   Cryptographic Key Establishment and Management
SC-12 (1)   -          -          Selected   CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT | AVAILABILITY
ICS Supplemental Guidance: The use of cryptographic key management in ICS is intended to support internal, nonpublic use.
Control Enhancement: (1) No ICS Supplemental Guidance.

SC-13 CRYPTOGRAPHIC PROTECTION
CNTL NO.    LOW        MOD        HIGH       CONTROL NAME / Control Enhancement Name
SC-13       Selected   Selected   Selected   Cryptographic Protection
No ICS Supplemental Guidance.

SC-15 COLLABORATIVE COMPUTING DEVICES
CNTL NO.    LOW        MOD        HIGH       CONTROL NAME / Control Enhancement Name
SC-15       Selected   Selected   Selected   Collaborative Computing Devices
No ICS Supplemental Guidance.

SC-17 PUBLIC KEY INFRASTRUCTURE CERTIFICATES
CNTL NO.    LOW        MOD        HIGH       CONTROL NAME / Control Enhancement Name
SC-17       -          Selected   Selected   Public Key Infrastructure Certificates
No ICS Supplemental Guidance.

SC-18 MOBILE CODE
CNTL NO.    LOW        MOD        HIGH       CONTROL NAME / Control Enhancement Name
SC-18       -          Selected   Selected   Mobile Code
No ICS Supplemental Guidance.

SC-19 VOICE OVER INTERNET PROTOCOL
CNTL NO.    LOW        MOD        HIGH       CONTROL NAME / Control Enhancement Name
SC-19       -          Selected   Selected   Voice Over Internet Protocol
ICS Supplemental Guidance: The use of VoIP technologies is determined after careful consideration and after verification that it does not adversely impact the operational performance of the ICS.
SC-20 SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE)
CNTL NO. / CONTROL NAME / Control Enhancement Name / CONTROL BASELINES (LOW, MOD, HIGH)
SC-20 Secure Name / Address Resolution Service (Authoritative Source): LOW Selected, MOD Selected, HIGH Selected
ICS Supplemental Guidance: The use of secure name/address resolution services is determined after careful consideration and after
verification that it does not adversely impact the operation of the ICS.
SC-21 SECURE NAME / ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER)
CNTL NO. / CONTROL NAME / Control Enhancement Name / CONTROL BASELINES (LOW, MOD, HIGH)
SC-21 Secure Name / Address Resolution Service (Recursive or Caching Resolver): LOW Selected, MOD Selected, HIGH Selected
ICS Supplemental Guidance: The use of secure name/address resolution services is determined after careful consideration and after
verification that it does not adversely impact the operation of the ICS.
SC-22 ARCHITECTURE AND PROVISIONING FOR NAME / ADDRESS RESOLUTION SERVICE
CNTL NO. / CONTROL NAME / Control Enhancement Name / CONTROL BASELINES (LOW, MOD, HIGH)
SC-22 Architecture and Provisioning for Name/Address Resolution Service: LOW Selected, MOD Selected, HIGH Selected
ICS Supplemental Guidance: The use of secure name/address resolution services is determined after careful consideration and after
verification that it does not adversely impact the operational performance of the ICS.
SC-23 SESSION AUTHENTICITY
CNTL NO. / CONTROL NAME / Control Enhancement Name / CONTROL BASELINES (LOW, MOD, HIGH)
SC-23 Session Authenticity: MOD Selected, HIGH Selected
ICS Supplemental Guidance: Example compensating controls include auditing measures.
SC-24 FAIL IN KNOWN STATE
CNTL NO. / CONTROL NAME / Control Enhancement Name / CONTROL BASELINES (LOW, MOD, HIGH)
SC-24 Fail in Known State: MOD Added, HIGH Selected
ICS Supplemental Guidance: The organization selects an appropriate failure state. Preserving ICS state information includes
consistency among ICS state variables and the physical state which the ICS represents (e.g., whether valves are open or closed,
communication permitted or blocked, continue operations).
Rationale for adding SC-24 to moderate baseline: As part of the architecture and design of the ICS, the organization selects an
appropriate failure state of an ICS in accordance with the function performed by the ICS and the operational environment. The ability to
choose the failure mode for the physical part of the ICS differentiates the ICS from other IT systems. This choice may be a significant
influence in mitigating the impact of a failure, since it may be disruptive to ongoing physical processes (e.g., valves failing in closed position
may adversely affect system cooling).
SC-28 PROTECTION OF INFORMATION AT REST
CNTL NO. / CONTROL NAME / Control Enhancement Name / CONTROL BASELINES (LOW, MOD, HIGH)
SC-28 Protection of Information at Rest: MOD Selected, HIGH Selected
ICS Supplemental Guidance: The use of cryptographic mechanisms is determined after careful consideration and after verification
that it does not adversely impact the operational performance of the ICS.
SC-39 PROCESS ISOLATION
CNTL NO. / CONTROL NAME / Control Enhancement Name / CONTROL BASELINES (LOW, MOD, HIGH)
SC-39 Process Isolation: LOW Selected, MOD Selected, HIGH Selected
ICS Supplemental Guidance: Example compensating controls include partition processes to separate platforms.
SC-41 PORT AND I/O DEVICE ACCESS
CNTL NO. / CONTROL NAME / Control Enhancement Name / CONTROL BASELINES (LOW, MOD, HIGH)
SC-41 Port and I/O Device Access: LOW Added, MOD Added, HIGH Added
No ICS Supplemental Guidance.
Rationale for adding SC-41 to all baselines: The function of ICS can be readily determined in advance, making it easier to identify ports and I/O devices that are unnecessary. Disabling or removing ports reinforces air-gap policy.
SYSTEM AND INFORMATION INTEGRITY - SI
Tailoring Considerations for System and Information Integrity Family
In situations where the ICS cannot support the specific System and Information Integrity requirements of a control, the organization employs
compensating controls in accordance with the general tailoring guidance. Examples of compensating controls are given with each control, as
appropriate.
Supplemental Guidance
Supplemental Guidance for all Controls and Control Enhancements in NIST SP 800-53 Rev. 4, Appendix F, should be used in conjunction
with the ICS Supplemental Guidance in this overlay, if any.
SI-1 SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES
CNTL NO. / CONTROL NAME / Control Enhancement Name / CONTROL BASELINES (LOW, MOD, HIGH)
SI-1 System and Information Integrity Policy and Procedures: LOW Selected, MOD Selected, HIGH Selected
ICS Supplemental Guidance: The policy specifically addresses the unique properties and requirements of ICS and the relationship
to non-ICS systems.
SI-2 FLAW REMEDIATION
CNTL NO. / CONTROL NAME / Control Enhancement Name / CONTROL BASELINES (LOW, MOD, HIGH)
SI-2 Flaw Remediation: LOW Selected, MOD Selected, HIGH Selected
SI-2 (1) FLAW REMEDIATION | CENTRAL MANAGEMENT: HIGH Selected
SI-2 (2) FLAW REMEDIATION | AUTOMATED FLAW REMEDIATION STATUS: MOD Selected, HIGH Selected
ICS Supplemental Guidance: Flaw remediation is complicated since many ICS employ operating systems and other software that is not current, is no longer being maintained by the vendors, and is not resistant to current threats. ICS operators are often dependent on product vendors to validate the operability of a patch and also sometimes to perform the installation. Often flaws cannot be remediated because of circumstances outside the ICS operator's control (e.g., lack of a vendor patch). Sometimes the organization has no choice but to accept additional risk. In these situations, compensating controls should be implemented (e.g., limit the exposure of the vulnerable system). Other compensating controls that do not decrease the residual risk but increase the ability to respond may be desirable (e.g., provide a timely response in case of an incident; devise a plan to ensure the ICS can identify the exploitation of the flaw). Testing flaw remediation in an ICS may require more resources than the organization can commit.
Control Enhancement: (1) No ICS Supplemental Guidance.
Control Enhancement: (2) ICS Supplemental Guidance: In situations where the ICS cannot support the use of automated
mechanisms to conduct and report on the status of flaw remediation, the organization employs nonautomated mechanisms or procedures
which incorporate methods to apply, track, and verify mitigation efforts as compensating controls in accordance with the general tailoring
guidance.
SI-3 MALICIOUS CODE PROTECTION
CNTL NO. / CONTROL NAME / Control Enhancement Name / CONTROL BASELINES (LOW, MOD, HIGH)
SI-3 Malicious Code Protection: LOW Selected, MOD Selected, HIGH Selected
SI-3 (1) MALICIOUS CODE PROTECTION | CENTRAL MANAGEMENT: MOD Selected, HIGH Selected
SI-3 (2) MALICIOUS CODE PROTECTION | AUTOMATIC UPDATES: MOD Selected, HIGH Selected
ICS Supplemental Guidance: The use and deployment of malicious code protection is determined after careful consideration and
after verification that it does not adversely impact the operation of the ICS. Malicious code
protection tools should be configured to minimize their potential impact on the ICS (e.g., employ notification rather than quarantine).
Example compensating controls include increased traffic monitoring and auditing.
Control Enhancement: (1) ICS Supplemental Guidance: The organization implements central management of malicious code
protection with consideration of the impact on operation of the ICS. Example compensating controls include increased auditing.
Control Enhancement: (2) ICS Supplemental Guidance: The organization implements automatic updates of malicious code
protection with consideration of the impact on operation of the ICS. In situations where the ICS cannot support the use of automatic update
of malicious code protection, the organization employs nonautomated procedures as compensating controls in accordance with the general
tailoring guidance.
SI-4 INFORMATION SYSTEM MONITORING
CNTL NO. / CONTROL NAME / Control Enhancement Name / CONTROL BASELINES (LOW, MOD, HIGH)
SI-4 Information System Monitoring: LOW Selected, MOD Selected, HIGH Selected
SI-4 (2) INFORMATION SYSTEM MONITORING | AUTOMATED TOOLS FOR REAL-TIME ANALYSIS: MOD Selected, HIGH Selected
SI-4 (4) INFORMATION SYSTEM MONITORING | INBOUND AND OUTBOUND COMMUNICATIONS TRAFFIC: MOD Selected, HIGH Selected
SI-4 (5) INFORMATION SYSTEM MONITORING | SYSTEM-GENERATED ALERTS: MOD Selected, HIGH Selected
ICS Supplemental Guidance: The organization ensures that the use of monitoring tools and techniques does not adversely impact the
operational performance of the ICS. Example compensating controls include deploying sufficient network monitoring.
Control Enhancement: (2) ICS Supplemental Guidance: In situations where the ICS cannot support the use of automated tools to
support near-real-time analysis of events, the organization employs compensating controls (e.g., providing an auditing capability on a
separate system, nonautomated mechanisms or procedures) in accordance with the general tailoring guidance.
Control Enhancement: (4) ICS Supplemental Guidance: In situations where the ICS cannot monitor inbound and outbound communications traffic, the organization employs compensating controls that include providing a monitoring capability on a separate information system.
Control Enhancement: (5) ICS Supplemental Guidance: Example compensating controls include manual methods of generating
alerts.
SI-5 SECURITY ALERTS, ADVISORIES, AND DIRECTIVES
CNTL NO. / CONTROL NAME / Control Enhancement Name / CONTROL BASELINES (LOW, MOD, HIGH)
SI-5 Security Alerts, Advisories, and Directives: LOW Selected, MOD Selected, HIGH Selected
SI-5 (1) SECURITY ALERTS, ADVISORIES, AND DIRECTIVES | AUTOMATED ALERTS AND ADVISORIES: HIGH Selected
ICS Supplemental Guidance: The DHS Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) generates security alerts and advisories relative to ICS (http://ics-cert.us-cert.gov/).
Control Enhancement: (1) No ICS Supplemental Guidance.
SI-6 SECURITY FUNCTIONALITY VERIFICATION
CNTL NO. / CONTROL NAME / Control Enhancement Name / CONTROL BASELINES (LOW, MOD, HIGH)
SI-6 Security Function Verification: HIGH Selected
ICS Supplemental Guidance: The shutting down and restarting of the ICS may not always be feasible upon the identification of an
anomaly; these actions should be scheduled according to ICS operational requirements.
SI-7 SOFTWARE AND INFORMATION INTEGRITY
CNTL NO. / CONTROL NAME / Control Enhancement Name / CONTROL BASELINES (LOW, MOD, HIGH)
SI-7 Software, Firmware, and Information Integrity: MOD Selected, HIGH Selected
SI-7 (1) SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | INTEGRITY CHECKS: MOD Selected, HIGH Selected
SI-7 (2) SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | AUTOMATED NOTIFICATIONS OF INTEGRITY VIOLATIONS: HIGH Selected
SI-7 (5) SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | AUTOMATED RESPONSE TO INTEGRITY VIOLATIONS: HIGH Selected
SI-7 (7) SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | INTEGRATION OF DETECTION AND RESPONSE: MOD Selected, HIGH Selected
SI-7 (14) SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | BINARY OR MACHINE EXECUTABLE CODE: HIGH Selected
ICS Supplemental Guidance: The organization determines whether the use of integrity verification applications would adversely impact the operation of the ICS and employs compensating controls (e.g., manual integrity verifications that do not affect performance).
Control Enhancement: (1) ICS Supplemental Guidance: The organization ensures that the use of integrity verification applications does not adversely impact the operational performance of the ICS.
Control Enhancement: (2) ICS Supplemental Guidance: In situations where the organization cannot employ automated tools that
provide notification of integrity discrepancies, the organization employs nonautomated mechanisms or procedures. Example compensating
controls include performing scheduled manual inspections for integrity violations.
Control Enhancement: (5) ICS Supplemental Guidance: The shutting down and restarting of the ICS may not always be feasible
upon the identification of an anomaly; these actions should be scheduled according to ICS operational requirements.
Control Enhancement: (7) ICS Supplemental Guidance: In situations where the ICS cannot detect unauthorized security-relevant
changes, the organization employs compensating controls (e.g., manual procedures) in accordance with the general tailoring guidance.
Control Enhancement: (14) No ICS Supplemental Guidance.
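As an added example, not text or code from SP 800-82 or its translation, the kind of compensating control SI-7 (1) and (2) describe: a scheduled, read-only integrity check that hashes a known-good baseline of software, firmware and configuration, re-checks it later, and reports discrepancies instead of quarantining or restarting anything (the response SI-7 (5) notes is often infeasible). The file paths, contents and sealing key are constructed for the demonstration; the baseline itself is sealed with an HMAC under a key kept off the ICS host, since a baseline the same actor can rewrite proves nothing.

```python
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass

# Constructed sample of a known-good system image: path -> file contents.
# In practice these are read from the HMI, engineering workstation or
# firmware repository during a scheduled maintenance window.
KNOWN_GOOD = {
    "/opt/hmi/bin/hmi_server": b"\x7fELF constructed HMI binary image",
    "/etc/plc/io_map.cfg": b"valve_7=DO3\npump_2=DO5\n",
    "/srv/firmware/plc_rev4.bin": b"constructed PLC firmware image",
}

# Constructed state seen at a later scheduled check: one file edited,
# one removed, one that was never part of the baseline.
OBSERVED = {
    "/opt/hmi/bin/hmi_server": b"\x7fELF constructed HMI binary image",
    "/etc/plc/io_map.cfg": b"valve_7=DO3\npump_2=DO6\n",
    "/opt/hmi/bin/update.sh": b"#!/bin/sh\necho constructed\n",
}

# Hypothetical key held on the verification host, not on the ICS device.
SEAL_KEY = b"constructed-demo-key-replace-in-production"


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str      # "modified", "missing" or "unexpected"
    expected: str  # baseline digest; "" when the path was not in the baseline
    observed: str  # current digest; "" when the file is gone


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: dict) -> dict:
    """Record one digest per path, taken once from a known-good image."""
    return {path: digest(data) for path, data in files.items()}


def seal_baseline(baseline: dict, key: bytes) -> str:
    """HMAC over a canonical serialization of the baseline."""
    canonical = json.dumps(baseline, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def baseline_is_sealed(baseline: dict, key: bytes, seal: str) -> bool:
    return hmac.compare_digest(seal_baseline(baseline, key), seal)


def verify(baseline: dict, current: dict) -> list:
    """Compare current contents to the baseline. Read-only: it reports and
    never quarantines, restarts or rewrites anything."""
    findings = []
    for path, expected in baseline.items():
        if path not in current:
            findings.append(Finding(path, "missing", expected, ""))
        else:
            observed = digest(current[path])
            if observed != expected:
                findings.append(Finding(path, "modified", expected, observed))
    for path in current.keys() - baseline.keys():
        findings.append(Finding(path, "unexpected", "", digest(current[path])))
    return sorted(findings, key=lambda f: f.path)


def notification(findings: list) -> str:
    """One JSON line per finding, readable by operators and ingestible by a SIEM."""
    return "\n".join(json.dumps(asdict(f), sort_keys=True) for f in findings)


def scheduled_check(baseline: dict, seal: str, current: dict, key: bytes) -> list:
    """The routine run at each scheduled inspection. A bad seal is itself a
    finding: the check must not trust a baseline that may have been edited."""
    if not baseline_is_sealed(baseline, key, seal):
        return [Finding("<baseline>", "modified", seal, seal_baseline(baseline, key))]
    return verify(baseline, current)


if __name__ == "__main__":
    baseline = build_baseline(KNOWN_GOOD)
    seal = seal_baseline(baseline, SEAL_KEY)
    print(notification(scheduled_check(baseline, seal, OBSERVED, SEAL_KEY)))
```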
SI-8 SPAM PROTECTION
CNTL NO. / CONTROL NAME / Control Enhancement Name / CONTROL BASELINES (LOW, MOD, HIGH)
SI-8 Spam Protection: MOD Selected, HIGH Selected
SI-8 (1) SPAM PROTECTION | CENTRAL MANAGEMENT OF PROTECTION MECHANISMS: MOD Selected, HIGH Selected
SI-8 (2) SPAM PROTECTION | AUTOMATIC UPDATES: MOD Selected, HIGH Selected
ICS Supplemental Guidance: ICS spam protection may be implemented by removing spam transport mechanisms, functions and services (e.g., electronic mail, Internet access) from the ICS. If any spam transport mechanisms, functions and services are present in the ICS, spam protection in ICS takes into account operational characteristics of ICS that differ from general purpose information systems (e.g., unusual traffic flow that may be misinterpreted and detected as spam). Example compensating controls include whitelisted mail transfer agents (MTA), digitally signed messages, acceptable sources, and acceptable message types.
Control Enhancement: (1) ICS Supplemental Guidance: Example compensating controls include employing local mechanisms or
procedures.
Control Enhancement: (2) No ICS Supplemental Guidance.
SI-10 INFORMATION INPUT VALIDATION
CNTL NO. / CONTROL NAME / Control Enhancement Name / CONTROL BASELINES (LOW, MOD, HIGH)
SI-10 Information Input Validation: MOD Selected, HIGH Selected
No ICS Supplemental Guidance.
SI-11 ERROR HANDLING
CNTL NO. / CONTROL NAME / Control Enhancement Name / CONTROL BASELINES (LOW, MOD, HIGH)
SI-11 Error Handling: MOD Selected, HIGH Selected
No ICS Supplemental Guidance.
SI-12 INFORMATION HANDLING AND RETENTION
CNTL NO. / CONTROL NAME / Control Enhancement Name / CONTROL BASELINES (LOW, MOD, HIGH)
SI-12 Information Handling and Retention: LOW Selected, MOD Selected, HIGH Selected
No ICS Supplemental Guidance.
SI-13 PREDICTABLE FAILURE PREVENTION
CNTL NO. / CONTROL NAME / Control Enhancement Name / CONTROL BASELINES (LOW, MOD, HIGH)
SI-13 Predictable Failure Prevention: HIGH Added
ICS Supplemental Guidance: Failures in ICS can be stochastic or deterministic. Stochastic failures can be analyzed using probability theory, while analysis of deterministic failures is based on non-random properties of the system. Known ICS failure modes and causes are considered. The calculation and use of statistical descriptors, such as Mean Time To Failure (MTTF), should incorporate additional analysis to determine how those failures manifest within the cyber and physical domains. Knowledge of these possible manifestations may be necessary to detect whether a failure has occurred within the ICS, as failures of the information systems may not be easily identifiable. Emergent properties, which may arise both within the information systems and the physical processes and can potentially cause system failures, should be incorporated into the analysis. For example, cumulative effects of resource exhaustion (e.g., memory leakage) or errors (e.g., rounding and truncation) can occur when ICS processes execute for unexpectedly long periods. Deterministic failures (e.g., integer counter overflow), once identified, are preventable.
Often substitute components may not be available or may not be sufficient to protect against faults occurring before predicted failure.
Non-automated mechanisms or physical safeguards should be in place in order to protect against these failures.
In addition to information concerning newly discovered vulnerabilities (i.e., latent flaws) potentially affecting the system/applications that
are discovered by forensic studies, new vulnerabilities may be identified by organizations with responsibility for disseminating vulnerability
information (e.g., ICS-CERT) based upon an analysis of a similar pattern of incidents reported to them or vulnerabilities reported by other
researchers.
Related controls: IR-5, IR-6, RA-5, SI-2, SI-5, SI-11.
Rationale for adding control to baseline: ICS are designed and built with certain boundary conditions, design parameters, and assumptions about their environment and mode of operation. ICS may run much longer than conventional systems, allowing latent flaws to become effective that are not manifest in other environments. For example, integer overflow might never occur in systems that are reinitialized more frequently than the occurrence of the overflow. Experience and forensic studies of anomalies and incidents in ICS can lead to identification of emergent properties that were previously unknown, unexpected, or unanticipated. Preventative and restorative
actions (e.g., re-starting the system or application) are prudent but may not be acceptable for operational reasons in ICS.
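An added example, not from the publication, of the two deterministic long-run-time failures the SI-13 guidance names: a 32-bit millisecond tick counter that wraps after 2^32 ms (about 49.7 days), which never shows on a system reinitialized more often than that, shown beside the wrap-safe computation and a plausibility check that detects the fault; and the cumulative rounding error of a floating-point time accumulator beside its exact integer form. The counter width, timeout and step sizes are assumed values chosen for the demonstration.

```python
# Assumed parameters for the demonstration: a 32-bit free-running tick counter
# in milliseconds, as found on many embedded controllers.
TICK_BITS = 32
TICK_MOD = 1 << TICK_BITS          # the counter returns to 0 after this many ms
WRAP_DAYS = TICK_MOD / 86_400_000  # about 49.7 days of continuous operation


def tick_at(uptime_ms: int) -> int:
    """What the 32-bit counter reads after `uptime_ms` of continuous operation."""
    return uptime_ms % TICK_MOD


def naive_elapsed(start: int, now: int) -> int:
    """Elapsed time as commonly written once the tick has been copied into a
    wider or signed variable: correct until the first wrap, then negative."""
    return now - start


def wrap_safe_elapsed(start: int, now: int) -> int:
    """Modular difference: correct for any interval shorter than one wrap.
    (Unsigned 32-bit subtraction in C gives this for free; storing the tick in
    a wider or signed type silently loses it.)"""
    return (now - start) % TICK_MOD


def watchdog_tripped(start: int, now: int, timeout_ms: int, elapsed=wrap_safe_elapsed) -> bool:
    """Supervisory check that must fire once a task has not reported for timeout_ms."""
    return elapsed(start, now) >= timeout_ms


def elapsed_is_plausible(elapsed_ms: int, max_expected_ms: int) -> bool:
    """Detection aid: an elapsed time that is negative, or longer than any cycle
    could take, indicates a counter fault rather than a slow task."""
    return 0 <= elapsed_ms <= max_expected_ms


def accumulated_seconds_float(steps: int, dt_s: float = 0.1) -> float:
    """Cycle time tracked by repeatedly adding a step that binary floating point
    cannot represent exactly; the error grows with every cycle."""
    t = 0.0
    for _ in range(steps):
        t += dt_s
    return t


def accumulated_seconds_exact(steps: int, dt_ms: int = 100) -> float:
    """The same quantity kept as an integer millisecond count: no drift."""
    return steps * dt_ms / 1000


def wrap_scenario(timeout_ms: int = 1000) -> dict:
    """A task last reported 500 ms before the counter wrapped and has been silent
    for 2000 ms: the watchdog should have fired."""
    start = tick_at(TICK_MOD - 500)
    now = tick_at(TICK_MOD - 500 + 2000)
    return {
        "naive_elapsed": naive_elapsed(start, now),
        "safe_elapsed": wrap_safe_elapsed(start, now),
        "naive_trips": watchdog_tripped(start, now, timeout_ms, naive_elapsed),
        "safe_trips": watchdog_tripped(start, now, timeout_ms),
    }


if __name__ == "__main__":
    print(f"counter wraps after {WRAP_DAYS:.1f} days")
    print(wrap_scenario())
    drift = accumulated_seconds_float(1_000_000) - accumulated_seconds_exact(1_000_000)
    print(f"float drift after 1e6 cycles of 0.1 s: {drift:+.3e} s")
```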
SI-16 MEMORY PROTECTION
CNTL NO. / CONTROL NAME / Control Enhancement Name / CONTROL BASELINES (LOW, MOD, HIGH)
SI-16 Memory Protection: MOD Selected, HIGH Selected
No ICS Supplemental Guidance.
SI-17 FAIL-SAFE PROCEDURES
CNTL NO. / CONTROL NAME / Control Enhancement Name / CONTROL BASELINES (LOW, MOD, HIGH)
SI-17 Fail-Safe Procedures: LOW Added, MOD Added, HIGH Added
ICS Supplemental Guidance: The selected failure conditions and corresponding procedures may vary among baselines. The same failure event may trigger different responses depending on the impact level. Mechanical and analog systems can be used to provide mechanisms to ensure fail-safe procedures. Fail-safe states should incorporate potential impacts to human safety, physical systems, and the environment. Related controls: CP-6.
Rationale for adding SI-17 to all baselines: This control provides a structure for the organization to identify its policy and procedures for dealing with failures and other incidents. Creating a written record of the decision process for selecting incidents and appropriate responses is part of risk management in light of the changing environment of operations.
ORGANIZATION-WIDE INFORMATION SECURITY PROGRAM MANAGEMENT CONTROLS - PM
Characteristics of Organization-Wide Information Security Program Management Control Family
Organization-Wide Information Security Program Management Controls are deployed organization-wide supporting the information
security program. They are not associated with security control baselines and are independent of any system impact level.
Supplemental Guidance
Supplemental Guidance for all Controls and Control Enhancements in NIST SP 800-53 Rev. 4, Appendix F, should be used in
conjunction with the ICS Supplemental Guidance in this overlay, if any.
PM-1 INFORMATION SECURITY PROGRAM PLAN
CNTL NO.  CONTROL NAME / Control Enhancement Name
PM-1      Information Security Program Plan Policy and Procedures
ICS Supplemental Guidance: The policy specifically addresses the unique properties and requirements of ICS, the relationship to
non-ICS systems, and the relationship to other programs concerned with operational characteristics of ICS (e.g., safety, efficiency, reliability,
resilience).
PM-2 SENIOR INFORMATION SECURITY OFFICER
CNTL NO.  CONTROL NAME / Control Enhancement Name
PM-2      Senior Information Security Officer
No ICS Supplemental Guidance.
PM-3 INFORMATION SECURITY RESOURCES
CNTL NO.  CONTROL NAME / Control Enhancement Name
PM-3      Information Security Resources
ICS Supplemental Guidance: Capital planning and investment decisions address all of the relevant technologies and all phases of the life cycle, and need to be informed by ICS experts as well as other subject matter experts (e.g., information security). Marshaling interdisciplinary working teams to advise capital planning and investment decisions can help trade off and balance conflicting equities, objectives, and responsibilities such as capability, adaptability, resilience, safety, security, usability, and efficiency.
PM-4 PLAN OF ACTION AND MILESTONES PROCESS
CNTL NO.  CONTROL NAME / Control Enhancement Name
PM-4      Plan of Action and Milestones Process
ICS Supplemental Guidance: The plan of action and milestones includes both computational and physical ICS components.
Records of observed shortcomings and appropriate remedial action may be maintained in a single document or in multiple coordinated
documents (e.g., future engineering plans).
ORGANIZATION-WIDE INFORMATION SECURITY PROGRAM MANAGEMENT CONTROLS - PM
Characteristics of the Organization-Wide Information Security Program Management Control Family
Organization-wide information security program management controls are deployed across the whole organization and support the information security program. They are not associated with security control baselines and are independent of any system impact level.
Supplemental Guidance
Where available, the supplemental guidance for all controls and control enhancements in NIST SP 800-53 Rev. 4, Appendix F, should be used in this overlay together with the ICS Supplemental Guidance.
PM-1 INFORMATION SECURITY PROGRAM PLAN
CNTL NO.  CONTROL NAME / Control Enhancement Name
PM-1      Information Security Program Plan Policy and Procedures
ICS Supplemental Guidance: The policy specifically addresses the unique properties and requirements of ICS, the relationship to non-ICS systems, and the relationship to other programs concerned with the operational characteristics of ICS (e.g., safety, efficiency, reliability, resilience).
PM-2 SENIOR INFORMATION SECURITY OFFICER
CNTL NO.  CONTROL NAME / Control Enhancement Name
PM-2      Senior Information Security Officer
No ICS Supplemental Guidance.
PM-3 INFORMATION SECURITY RESOURCES
CNTL NO.  CONTROL NAME / Control Enhancement Name
PM-3      Information Security Resources
ICS Supplemental Guidance: Capital planning and investment decisions address all relevant technologies, all life-cycle phases, and the areas that require input from ICS experts and other subject matter experts (e.g., information security). Assembling interdisciplinary working teams to advise on capital planning and investment decisions helps weigh and balance competing equities, objectives and responsibilities such as capability, adaptability, resilience, safety, security, usability and efficiency.
PM-4 PLAN OF ACTION AND MILESTONES PROCESS
CNTL NO.  CONTROL NAME / Control Enhancement Name
PM-4      Plan of Action and Milestones Process
ICS Supplemental Guidance: The plan of action and milestones covers both computational and physical ICS components. Observed shortcomings and the appropriate remedial actions are maintained in a single document or in multiple coordinated documents (e.g., future engineering plans).
PM-5 INFORMATION SYSTEM INVENTORY
CNTL NO.  CONTROL NAME / Control Enhancement Name
PM-5      Information System Inventory
No ICS Supplemental Guidance.
PM-6 INFORMATION SECURITY MEASURES OF PERFORMANCE
CNTL NO.  CONTROL NAME / Control Enhancement Name
PM-6      Information Security Measures of Performance
No ICS Supplemental Guidance.
PM-7 ENTERPRISE ARCHITECTURE
CNTL NO.  CONTROL NAME / Control Enhancement Name
PM-7      Enterprise Architecture
No ICS Supplemental Guidance.
PM-8 CRITICAL INFRASTRUCTURE PLAN
CNTL NO.  CONTROL NAME / Control Enhancement Name
PM-8      Critical Infrastructure Plan
No ICS Supplemental Guidance.
References: Executive Order 13636, Improving Critical Infrastructure Cybersecurity, February 12, 2013
PM-9 RISK MANAGEMENT STRATEGY
CNTL NO.  CONTROL NAME / Control Enhancement Name
PM-9      Risk Management Strategy
ICS Supplemental Guidance: Risk management of ICS is considered along with other organizational risks affecting
mission/business success from an organization-wide perspective. Organization-wide risk management strategy includes sector-specific
guidance as appropriate.
PM-10 SECURITY AUTHORIZATION PROCESS
CNTL NO.  CONTROL NAME / Control Enhancement Name
PM-10     Security Authorization Process
ICS Supplemental Guidance: The authorization-to-operate process for ICS involves multiple disciplines that have existing approval and risk management processes (e.g., physical security, safety). Organization-wide risk management requires harmonization among these disciplines.
PM-5 INFORMATION SYSTEM INVENTORY
CNTL NO.  CONTROL NAME / Control Enhancement Name
PM-5      Information System Inventory
No ICS Supplemental Guidance.
PM-6 INFORMATION SECURITY MEASURES OF PERFORMANCE
CNTL NO.  CONTROL NAME / Control Enhancement Name
PM-6      Information Security Measures of Performance
No ICS Supplemental Guidance.
PM-7 ENTERPRISE ARCHITECTURE
CNTL NO.  CONTROL NAME / Control Enhancement Name
PM-7      Enterprise Architecture
No ICS Supplemental Guidance.
PM-8 CRITICAL INFRASTRUCTURE PLAN
CNTL NO.  CONTROL NAME / Control Enhancement Name
PM-8      Critical Infrastructure Plan
No ICS Supplemental Guidance.
References: Executive Order 13636, Improving Critical Infrastructure Cybersecurity (February 12, 2013)
PM-9 RISK MANAGEMENT STRATEGY
CNTL NO.  CONTROL NAME / Control Enhancement Name
PM-9      Risk Management Strategy
ICS Supplemental Guidance: Risk management for ICS is considered from an organization-wide perspective, together with the other organizational risks that affect mission/business success. The organization-wide risk management strategy includes sector-specific guidance as needed.
PM-10 SECURITY AUTHORIZATION PROCESS
CNTL NO.  CONTROL NAME / Control Enhancement Name
PM-10     Security Authorization Process
ICS Supplemental Guidance: The authorization to operate ICS involves many disciplines, each with existing approval and risk management processes (e.g., physical security, safety). Organization-wide risk management requires coordination across these disciplines.
PM-11 MISSION/BUSINESS PROCESS DEFINITION
CNTL NO.  CONTROL NAME / Control Enhancement Name
PM-11     Mission/Business Process Definition
ICS Supplemental Guidance: Mission/business process refinement requires protection of physical assets from damage originating in the cyber domain. These needs are derived from the mission/business needs defined by the organization, the mission/business processes selected to meet the stated needs, and the organizational risk management strategy.
PM-12 INSIDER THREAT PROGRAM
CNTL NO.  CONTROL NAME / Control Enhancement Name
PM-12     Insider Threat Program
No ICS Supplemental Guidance.
PM-13 INFORMATION SECURITY WORKFORCE
CNTL NO.  CONTROL NAME / Control Enhancement Name
PM-13     Information Security Workforce
ICS Supplemental Guidance: All aspects of information security workforce development and improvement programs include knowledge and skill levels in both computational and physical ICS components.
PM-14 TESTING, TRAINING, AND MONITORING
CNTL NO.  CONTROL NAME / Control Enhancement Name
PM-14     Testing, Training, and Monitoring
No ICS Supplemental Guidance.
PM-15 CONTACTS WITH SECURITY GROUPS AND ASSOCIATIONS
CNTL NO.  CONTROL NAME / Control Enhancement Name
PM-15     Contacts with Security Groups and Associations
No ICS Supplemental Guidance.
PM-16 THREAT AWARENESS PROGRAM
CNTL NO.  CONTROL NAME / Control Enhancement Name
PM-16     Threat Awareness Program
ICS Supplemental Guidance: The organization should collaborate and share information about potential incidents on a timely basis. The DHS National Cybersecurity & Communications Integration Center (NCCIC), http://www.dhs.gov/about-national-cybersecurity-communications-integration-center, serves as a centralized location where operational elements involved in cybersecurity and communications reliance are coordinated and integrated. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), http://ics-cert.us-cert.gov/ics-cert/, collaborates with international and private sector Computer Emergency Response Teams (CERTs) to share control systems-related security incidents and mitigation measures. Organizations should consider having both an unclassified and a classified information sharing capability.
PM-11 MISSION/BUSINESS PROCESS DEFINITION
CNTL NO.  CONTROL NAME / Control Enhancement Name
PM-11     Mission/Business Process Definition
ICS Supplemental Guidance: Refining mission/business processes requires protecting physical assets from damage originating in the cyber domain. These needs derive from the mission/business needs identified by the organization, the mission/business processes selected to meet those needs, and the organization's risk management strategy.
PM-12 INSIDER THREAT PROGRAM
CNTL NO.  CONTROL NAME / Control Enhancement Name
PM-12     Insider Threat Program
No ICS Supplemental Guidance.
PM-13 INFORMATION SECURITY WORKFORCE
CNTL NO.  CONTROL NAME / Control Enhancement Name
PM-13     Information Security Workforce
ICS Supplemental Guidance: All aspects of information security workforce development and improvement programs include knowledge and skill levels for both computational and physical ICS components.
PM-14 TESTING, TRAINING, AND MONITORING
CNTL NO.  CONTROL NAME / Control Enhancement Name
PM-14     Testing, Training, and Monitoring
No ICS Supplemental Guidance.
PM-15 CONTACTS WITH SECURITY GROUPS AND ASSOCIATIONS
CNTL NO.  CONTROL NAME / Control Enhancement Name
PM-15     Contacts with Security Groups and Associations
No ICS Supplemental Guidance.
PM-16 THREAT AWARENESS PROGRAM
CNTL NO.  CONTROL NAME / Control Enhancement Name
PM-16     Threat Awareness Program
ICS Supplemental Guidance: Organizations should collaborate on potential incidents and share information in a timely manner. The DHS National Cybersecurity and Communications Integration Center (NCCIC) serves as a centralized location where the operational elements involved in cybersecurity and communications reliability are coordinated and integrated: http://www.dhs.gov/about-national-cybersecurity-communications-integration-center. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) collaborates with overseas and private-sector Computer Emergency Response Teams (CERTs) to share control system-related security incident information and mitigation measures: http://ics-cert.us-cert.gov/ics-cert/.
Organizations should consider sharing both classified and unclassified information.
