製造業，如石化工廠，其製造流程隨著科技的進步而電腦化，而負責監控製造流程的系統，在石化業界則通稱為製程控制系統。企業往往透過製程的改善方案，來達到降低生產成本以及提升產品的品質。製程改善方案的進行需要充分的資訊與技術來支持，使得製程控制網路（Process Control Network）與製程資訊系統（Process Information System）所在的製程資訊網路（Process Information Network）以及企業內部網路（Intranet）的連接逐漸成為趨勢。由於各個網路的相連接，製程控制系統處於電腦病毒、蠕蟲、駭客以及其他惡意程式攻擊的威脅。製程控制系統依照操作員的指令控制生產流程，維持工廠在安全的操作條件下運轉，製程控制系統可以說是工廠運轉的核心。製程控制系統如果發生了駭客攻擊或是電腦病毒感染等資訊安全事件，其影響將有可能是製程重要資訊外洩、監控製程的主機或工作站當機、甚至有可能是造成整個製程控制系統癱瘓而危害到工廠之運轉，更嚴重的狀況可能是造成環境污染、工廠爆炸、或生命財產損傷的工安事件。因此，強化製程控制系統的資訊安全機制，確保工廠操作的可靠性以及安全性，是企業必須重視的課題。
本研究的目的乃藉由文獻探討，瞭解製程控制系統在資訊安全方面所面臨的挑戰與威脅；並針對製程控制系統，依實體、網路、伺服器等不同層面探討有關資訊安全管理方面的問題與解決方式，進而探討個案公司製程控制系統資訊安全管理模式以及資訊安全架構導入之效益，作為相關產業建置的參考。

In manufacturing industrial, for example, petrochemical plant, the promotion of technology makes manufacturing process computerization to be possible. The systems which control the manufacturing process are called Process Control System. Enterprises introduce the projects of process improvement to reduce the operation cost and enhance the product quality. It is necessary to have comprehensive information and technology to support the success of project for process improvement. Thus, it is a trend to setup the connections among Process Control Network, Process Information Network and Intranet. Due to the connections among networks, Process Control System is facing the threats of computer viruses, worms, attackers, and other malicious codes. Process Control System controls the manufacturing process base on the instructions issued from operators to maintain plant operations in a safe condition. Process Control System is the kernel of process operations. If Process Control System is being attacked or infected by computer viruses, the impacts would be the disclosure of critical business information, the failure of servers/workstations for monitoring process, or Process Control System fails totally that result in the plant operations with risky. The worst case would be an incident about pollution of environment, explosion, properties destroyed, or life lost. Therefore, enterprise should focus on reinforcing the information security mechanism of Process Control System to ensure plant operations reliably and safely.
The objectives of this study are: a) To realize the challenges and threats that Process Control System is facing by the way of literature review. b) To discuss information security management related issues and resolutions of Process Control System base on physical, network, and servers respectively. c) To discuss the efficiency of the model of information security management that has been implemented in the enterprise. d) To make this study as a reference for related industries.

第一章 緒論 --------------------------------------------------- 1
第一節 研究背景 --------------------------------------------- 1
第二節 研究動機 --------------------------------------------- 4
第三節 問題描述與研究目的 ------------------------------ 5
第四節 研究方法 --------------------------------------------- 7
第二章 文獻探討 ---===------------------------------------- 8
第一節 製程控制系統資訊安全的需求 ------------------ 8
第二節 製程控制系統資訊安全的威脅 ------------------- 11
第三節 製程控制系統資訊安全的建置 ------------------- 13
第三章 製程控制系統與資訊安全 --------------------------20
第一節 製程控制系統的演進 ------------------------------- 20
第二節 網路的整合與製程資訊的應用-------------------- 25
第三節 製程控制系統面臨的資訊安全威脅 ------------- 29
第四節 製程控制系統資訊安全的診斷 ------------------- 32
第四章 建立製程控制系統的資訊安全機制 --------------42
第一節 製程控制系統資訊安全的缺失 ------- ----------- 42
第二節 管理制度與製程控制網路的設計規範 ---------- 49
第三節 資訊科技產品的應用 ------------------------------- 57
第四節 製程控制系統資訊安全的成效 ------------------- 66
第五章 結論與建議 ------------------------------------------- 73
第一節 結論 ---------------------------------------------------- 73
第二節 建議與未來的研究 ---------------------------------- 75
參考文獻 ---------------------------------------------------------78

1. 賴溪松，資訊安全稽核，http://www.fin.ncku.edu.tw/ch/data/94/94semeior/%E8%B3%87%E8%A8%8A%E5%AE%89%E5%85%A8%E7%A8%BD%E6%A0%B8.ppt
2. Daecy, F. (2003), “Critical Infrastructure Protection - Challenges in Securing Control System”, United States General Accounting Office
3. Hahn, J., Guillen D. and Anderson T. (2005), “Process Control Systems in the Chemical Industry：Safety vs. Security”, 20th Annual CCPS International Conference
4. Geer, D. (2006), “Security of Critical Control Systems Sparks Concern”, IEEE Computer Society, Technology News, pp.20-23
5. Idaho National Laboratory (2006), “Control System Cyber Security - Defense in Depth Strategies”, Control Systems Security Center, U.S. Department of Homeland Security
6. Butchko, B. (2006), “Cyber and Process Control Security”, Butchko Security Solutions
7. Henderson,I. (2005), “Process Control Security - The bp Experience”, Process Control System Forum Spring Meeting
8. National Infrastructure Security Co-Ordination Centre (2006), “Good Practice Guide – Process Control and SCADA Security”
9. Emerson (2006),“Security Assessment Service”
10. 樊國楨 (2007)，“重要民生基礎建設資訊分享與分析中心初探”
11. Finco, G., Lee, K., Miller, G., Tebbe, J. and Wells, R. (2007), “Cyber Security Procurement Language for Control Systems Version 1.6”, Idaho National Laboratory Critical Infrastructure Protection/Resilience Center
12. Stamp, J., Dillinger, J., Young, W. and Depoy, J. (2003), “Common Vulnerabilities in Critical Infrastructure Control System”, Sandia National Laboratories
13. Stouffer, K., Falco, J. and Scarfone, K. (2007), “Guide to Industrial Control Systems (ICS) Security”, National Institute of Standards and Technology
14. IBM Internet Security Systems (2007), “A Strategic Approach to Protecting SCADA and Process Control Systems”
15. Saydjari, O. (2005), “Trend in Process Control Systems Security”, IEEE Computer Society, IEEE SECURITY & PRIVACY, pp.57-60
16. PA Consulting Group, National Infrastructure Security Co-ordination Centre (2005), “Good Practice Guide - Process Control and SCADA Security”
17. Nash, T. (2005), “An Undirected Attack Against Critical Infrastructure - A Case Study for Improving Your Control System Security”, Lawrence Livermore National Laboratory
18. U.S. Department of Energy, “21 Steps to Improve Cyber Security of SCADA Networks”
19. Nash, T.(2003), “Critical Infrastructure : Control Systems and the Terrorist Threat”, Congressional Research Service
20. The Instrumentation, Systems and Automation Society (2006), “Mitigations for Security Vulnerabilities Found in Control System Networks”, 16th Annual Joint ISA POWID/EPRI Controls and Instrumentation Conference
21. Clark, R. (2005), “Security Considerations in Process Control and SCADA Environments”, The Instrumentation, Systems and Automation Society, ISA EXPO 2005
22. American Petroleum Institute, National Petrochemical & Refiners Association (2004), “Security Vulnerability Assessment Methodology for the Petroleum and Petrochemical Industries”
23. Kertzner, P., Bodeau, D. and Nitschke, R. (2005), “Process Control System Security Technical Risk Assessment : Analysis of Problem Domain”, Institue for Information Infrastructure Protection (I3P)
24. McCue, A., (2008), “Beware the insider security threat”, CIO Jury Article，http://www.silicon.com/ciojury/0,3800003161,39188671,00.htm
25. National Infrastructure Security Co-Ordination Centre (2006), “Good Practice Guide Process Control and SCADA Security - Guide 3. Establish response capabilities”
26. Byres, E. and Hoffman, D. (2004), “The Myths and Facts behind Cyber Security Risks for Industrial Control System”, PA Consulting Group
27. Peterson, D. (2004), “Intrusion Detection and Cyber Security Monitoring of SCADA and DCS Networks”, The Instrumentation, Systems and Automation Society
28. Idaho National Laboratory (2005), “Common Control System Vulnerability”, Control Systems Security Center, U.S. Department of Homeland Security
29. McAfee (2005), “Mitigating the Top 10 Network Security Risks in SCADA and Process”
30. Pangemanan, D. (2005), “Cyber Security Overview - Protecting Control Layer of Plant Automation and Control System”, Honeywell Inc.
31. http://www.theregister.co.uk/2004/03/16/explosive_cold_war_trojan_has/
32. http://news.bbc.co.uk/1/hi/technology/3682803.stm
33. http://www.iranvajahan.net/cgi-bin/news.pl?l=en&y=2003&m=10&d=03&a=1
34. http://zh.wikipedia.org/w/index.php?title=Router&variant=zh-tw
35. http://www.i-security.tw/learn/learn_az.asp?Code=F
36. Conklin, A., White, G., Cothren, C., Williams, D. and Davis, R. (2006), “Principles of Computer Security – Security+ and Beyond”, McGraw-Hill Technology Education, Burr Ridge, Illinois.
37. http://zh.wikipedia.org/w/index.php?title=%E8%AE%8A%E6%9B%B4%E7%AE%A1%E7%90%86&variant=zh-tw
38. 黃承聖（2000)，企業資訊安全的起點－資訊安全政策，網路通訊
39. 洪國興、季延平與趙榮耀（2003)，組織制定資訊安全政策對資訊安全影響之研究