摘要
随着信息化时代的来临,网络的开放性和互联性日益增强。在铁路行业,基于无线通信和物联网技术构建的车-地通信网络和相关铁路信息系统,目前尚缺乏足够的安全防御能力,在遭受非法访问或恶意攻击时,可能会引起网络通信中断、设备失效、数据丢失;病毒、木马等威胁有可能从无线网络侧向列车通信网络及铁路内网侧扩散;此外系统的数据流采用明文传输,可能导致数据泄露甚至被篡改,严重时引发行车安全事故。文章以LKJ设备运行监测管理系统(LKJ monitoring and management device, LMD)为研究对象,针对LMD自身及对其关联的LKJ列控系统产生的信息安全隐患进行深入分析,根据系统安全等级保护要求,有针对性地提出一种安全型的网络拓扑结构,其在网络边界采用防火墙技术构建基于车-地IPsecVPN虚拟专用传输通道,在旁路部署安全监管和审计平台对网络行为进行监视、报警及追溯,在关键网络节点采用双路冗余架构以提高网络健壮性;并分别从物理环境、通信网络、区域边界、计算环境及安全管理5个方面提出相应的安全防护策略,为LMD构建完善的信息安全防护体系以保障系统安全平稳运行,同时为相关铁路信息系统的信息安全建设提供借鉴。
With the advent of the information age, openness and internet nature of network are increasing enhanced. At present,in railway industry, vehicle-ground communication network and related railway information systems based on wireless communication and internet of things technology lack adequate security defense capability. When they are subjected to illegal access or malicious attacks, they may cause network communication interruption, equipment failure, data loss. Viruses, trojans and other threats may spread from the wireless network to the side of train communication network and railway network. In addition, data flow of the system is transmitted in plaintext, which may lead to data leakage or even tampering, causing serious traffic accidents. In this paper, LMD(LKJ monitoring and management device) is taken as the research object, aiming at LMD itself and its associated LKJ series control system, the hidden risk of information security is analyzed. According to the system security level protection requirements, this paper proposes a secure network topology, which uses firewall technology to construct vehicle-ground IPsecVPN virtual private transport channel at the network boundary, deploys security supervision and audit platform to monitor, alarm and trace network behavior in bypass, and adopts dual-path redundancy architecture at key network nodes to improve network robustness.Corresponding security protection strategies are put forward from five aspects: physical environment, communication network,regional boundary, computing environment, security management, etc., which provides reference for LMD to construct perfect information security protection system to ensure safe and stable operation of the system, and provide reference for information security construction of related railway information systems.
作者
肖立志
汤紫霖
阳亦斌
XIAO Lizhi;TANG Zilin;YANG Yibin(Hunan CRRC Times Signal&Communication Co.,Ltd.,Changsha,Hunan 410005,China)
出处
《控制与信息技术》
2022年第1期97-102,共6页
CONTROL AND INFORMATION TECHNOLOGY
基金
长沙市科技重大专项(kh2102026)。
