Risk Quantified Evaluation Method and Platform Design for Grade Protection

2012 
Regarding the issues that the Corporation faced during grade evaluation, e.g. lack of accuracy in risk analysis, over-dependence on the capability of the evaluator, etc., we propose a new evaluation method for grade protection together with the distributed platform RQEP. With them, risk can be quantified objectively, the efficiency of grade evaluation improved, and the evaluation process standardized.

Keywords: Information Security of Power System, Grade Protection, Security Evaluation

Grade protection safeguards our nation's critical infrastructure and assets and helps maintain social stability [1]. The implementation of grade protection includes five important links: grade record, safety construction, grade assessment, safety improvement and examination. Grade assessment, which runs through the stages of information system construction, operation and maintenance, and system return, is a very important driving factor for grade protection improvement and safety construction [2,3]. This paper proposes a risk quantified method for grade protection evaluation and, after further research, designs a risk quantified evaluation platform for grade protection of information systems (RQEP). The platform addresses a number of problems: grade protection evaluation results that are seriously affected by human factors, a non-standard evaluation process, low evaluation efficiency, reports with large errors, data that are difficult to count, and so on.

I. Present Situation of Grade Protection Evaluation

Information security grade protection evaluation is strongly policy-driven; the evaluation implementation process must strictly abide by the national standards, which specify the security protection capability, evaluation requirements, assessment results, etc.
A relatively complete set of grade protection standards has been established in our country: there are standards for evaluation implementation to follow, evaluation organizations are managed strictly, and grade evaluation assessors are required to work with certification. Nevertheless, problems still exist in the evaluation implementation process. Some typical problems are listed as follows:

1) Evaluation implementation relies excessively on the personal ability of assessors, so the requirements placed on them are too high. In the grade evaluation process, although testing personnel abide by the relevant norms and standards of grade protection, they often need to draw on personal experience. For example, when analyzing IDS logs, experience is needed to find intrusion traces rapidly in a large number of log entries.

2) The risk analysis in evaluation results is not accurate enough. The report template requires that risk analysis be done for the problems found in grade protection evaluation results, but the evaluation method is one-sided: it focuses only on vulnerability, and threats are usually not taken into consideration, so the assessment is informal and inexact and cannot express the evaluation target timely and accurately.

3) The evaluation workload is huge but efficiency is low. With the deepening of informationization, enterprise information systems have proliferated, especially in companies with subsidiaries such as Guangdong Grid Co. The evaluation workload is huge, part of the evaluation work relies on manual effort, and the process is repeated, so an automatic and efficient evaluation mode is needed.

4) Evaluation data are difficult to manage, and further analysis is hard to support. Grade protection evaluation data are the foundation data of enterprise information security; analyzing these data from different dimensions can provide decision support for enterprise information security.
Tools for evaluation data analysis and historical data management are lacking at present.

II. Risk Quantified Model for Grade Protection Evaluation

For the typical problems of grade protection listed above, this section proposes a quantified risk technology for grade evaluation, which uses systematic, quantitative and effective methods to measure and evaluate the incapability (the partially conforming and nonconforming items in grade evaluation results) of the security protection of an information system, so as to find the risk of the information system and its influence.

A. Basic Element Description

The basic elements of the model are information system asset, threat, vulnerability and system risk. An asset is valuable information or a resource for an organization. A threat refers to possible damage to the safety of an information system asset, such as software failure, deliberate destruction, equipment failure or aging, eavesdropping, earthquake, typhoon, etc. A vulnerability refers to a flaw or weakness of the system itself, including database vulnerabilities, operating system vulnerabilities, code security vulnerabilities of application systems, management weaknesses and system security configuration problems. Vulnerabilities themselves are harmless, but they can be exploited and bring negative effects on an asset once threatened [5,6]. Risk is the potential that a specific threat uses the vulnerability of an asset and causes loss or damage to the asset. When threat behavior occurs on a specific asset, it has an impact on the asset and the accompanying business. The degree of influence depends not only on the level of threat and vulnerability but also on the value of the asset. That is, risk (R) consists of three independent elements: threat level (T), vulnerability level (V) and asset value (A). Expressed as a formula:

R = f(T, V, A) (2-1)

Security risk thus consists of three parameters (T, V, A).

National Conference on Information Technology and Computer Science (CITCS 2012) © 2012. The authors. Published by Atlantis Press
Risk quantification in grade evaluation is the process of quantitatively analyzing, around the information system assets and the implementation of grade evaluation, the threats to and vulnerabilities of system assets, host systems, application systems and data, and obtaining the information system risk after scientific analysis.

B. Evaluation Methods

According to the requirements of the state grade protection policy and the present situation of the enterprise's own information construction, we summarize the evaluation process in three phases: evaluation preparation, site evaluation, and analysis and reporting, as shown in Figure 2-1.

Figure 2-1 Schematics of the information security grade protection evaluation process

1) Evaluation Preparation

The major work of this stage is to prepare the project plan, choose suitable evaluation tools for the project, identify the information system assets to be tested, etc., to determine the access points, and finally to reuse or develop the evaluation implementation manual according to the requirements. Unlike general evaluation, asset identification content needs to be added in this preparation stage. Through investigation, asset information is collected, asset attributes are assigned, and a complete asset information table is formed. According to the information security grade protection standard, information assets are divided into five categories: system assets, network assets, medium assets, terminal assets and management measures, as shown in Table 2-1.

Table 2-1 Asset Classification List
Classification: General Description
System Assets: Identify the assets of business systems, including host, application, database, backup and recovery.
Network Assets: Do asset identification for internal network equipment, including core switch, router, firewall, IDS, IPS, etc.
Medium Assets: Recognize the various hardware facilities and IT physical equipment related to the business that support installation of the identified software and store the identified system assets, including storage devices, computer peripherals, mobile devices, mobile storage media, wiring systems, etc.
Terminal Assets: Identify PC terminals.
Management Measures: Recognize the responsibilities and operating measures of the roles who use, operate and support all the identified system assets, network assets, medium assets and terminal assets.
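As an added example, not code from the paper or from the RQEP platform, the following Python quantifies the partially conforming and nonconforming items of an evaluation with R = f(T, V, A) from Section II.A and rolls the result up per asset category of Table 2-1. Since the paper does not specify f, the concrete f (product of 1..5 levels), the halving of partially conforming items, the level thresholds and the sample findings are all assumptions.

```python
# Added example (not the paper's code): quantify grade-evaluation findings with
# R = f(T, V, A). f, the halving of partial items and the thresholds are assumed.
from dataclasses import dataclass

ASSET_CATEGORIES = ("system", "network", "medium", "terminal", "management")  # Table 2-1
RESULTS = ("conforming", "partial", "nonconforming")  # last two form the "incapability"
LEVELS = ("none", "low", "medium", "high", "very high")

@dataclass(frozen=True)
class Finding:
    item: str           # evaluation item, e.g. "host OS patch level"
    category: str       # one of ASSET_CATEGORIES
    result: str         # one of RESULTS
    threat: int         # T, 1..5
    vulnerability: int  # V, 1..5
    asset_value: int    # A, 1..5

def risk_score(f):
    """Assumed f(T, V, A) = T * V * A (1..125); conforming items score 0,
    partially conforming items count half."""
    if f.category not in ASSET_CATEGORIES or f.result not in RESULTS or not all(
            1 <= x <= 5 for x in (f.threat, f.vulnerability, f.asset_value)):
        raise ValueError(f"invalid finding {f.item!r}")
    if f.result == "conforming":
        return 0
    score = f.threat * f.vulnerability * f.asset_value
    return score // 2 if f.result == "partial" else score

def risk_level(score):
    """Assumed binning of the 0..125 score into the five LEVELS."""
    for bound, label in ((0, "none"), (12, "low"), (36, "medium"), (72, "high")):
        if score <= bound:
            return label
    return "very high"

def summarize(findings):
    """Per asset category: count of risk-bearing items and the worst risk level."""
    summary = {c: {"open_items": 0, "max_level": "none"} for c in ASSET_CATEGORIES}
    for f in findings:
        score, entry = risk_score(f), summary[f.category]
        entry["open_items"] += int(score > 0)
        entry["max_level"] = max(entry["max_level"], risk_level(score), key=LEVELS.index)
    return summary

SAMPLE = [  # constructed findings, not real evaluation data
    Finding("host OS patch level", "system", "nonconforming", 4, 5, 5),
    Finding("firewall rule review", "network", "partial", 3, 4, 4),
    Finding("terminal antivirus", "terminal", "conforming", 2, 3, 2),
    Finding("mobile media control", "medium", "nonconforming", 2, 2, 3),
]
```

Calling summarize(SAMPLE) yields, per category, the number of open items and the worst level, which is the per-dimension view problem 4) of Section I asks for.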