CN111669381A - Risk early warning method and device for industrial control network - Google Patents



Publication number
CN111669381A
Authority
CN
China
Prior art keywords
industrial control
control network
tlv
asset
comparison result
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202010470139.8A
Other languages
Chinese (zh)
Other versions
CN111669381B (en)
Inventor
宁力军
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou DPTech Technologies Co Ltd
Original Assignee
Hangzhou DPTech Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hangzhou DPTech Technologies Co Ltd
Priority to CN202010470139.8A
Publication of CN111669381A
Application granted
Publication of CN111669381B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The disclosure relates to a risk early warning method and device for an industrial control network, electronic equipment and a computer readable medium. The method comprises the following steps: acquiring a current message of a link layer discovery protocol in an industrial control network; analyzing a current message of a link layer discovery protocol to acquire a management address TLV and a system description TLV; generating current asset information according to the management address TLV and the system description TLV; comparing the current asset information with an asset base table of the industrial control network to generate a comparison result; and generating risk early warning information when the comparison result has preset change. The risk early warning method, the risk early warning device, the electronic equipment and the computer readable medium of the industrial control network can provide a simple, effective and low-risk industrial control network risk self-evaluation method and can provide a basis for subsequent vulnerability risk evaluation of the industrial control network.

Description

Risk early warning method and device for industrial control network
Technical Field
The disclosure relates to the field of computer information processing, and in particular relates to a risk early warning method and device for an industrial control network, electronic equipment and a computer readable medium.
Background
As the network topology and the devices in an industrial control network become more diverse, the local management device cannot promptly locate fault points; because the peer device is unknown and functional differences cannot be analysed, the network environment grows more complex and maintenance costs keep rising.
Much network management software uses an "Automated Discovery" function to track topology changes and conditions, but most software reaches only Layer 3 at best, grouping devices into IP subnets. Such data is very raw: it can only handle basic events such as device addition and removal, and cannot discover where these devices are or how they interact with network services.
Therefore, a new risk pre-warning method, device, electronic device and computer readable medium for an industrial control network are needed.
The above information disclosed in this background section is only for enhancement of understanding of the background of the disclosure and therefore it may contain information that does not constitute prior art that is already known to a person of ordinary skill in the art.
Disclosure of Invention
In view of this, the present disclosure provides a risk early warning method, device, electronic device and computer readable medium for an industrial control network, which can provide a simple, effective and low-risk industrial control network risk self-evaluation method and provide a basis for subsequent vulnerability risk evaluation of the industrial control network.
Additional features and advantages of the disclosure will be set forth in the detailed description which follows, or in part will be obvious from the description, or may be learned by practice of the disclosure.
According to one aspect of the disclosure, a risk early warning method for an industrial control network is provided, which includes: acquiring a current message of a link layer discovery protocol in an industrial control network; analyzing a current message of a link layer discovery protocol to acquire a management address TLV and a system description TLV; generating current asset information according to the management address TLV and the system description TLV; comparing the current asset information with an asset base table of the industrial control network to generate a comparison result; and generating risk early warning information when the comparison result has preset change.
In an exemplary embodiment of the present disclosure, the method further comprises: carrying out a global vulnerability inspection of the industrial control network at regular intervals to generate an inspection result; and generating a vulnerability assessment result according to the asset information in the asset base table and the inspection result.
In an exemplary embodiment of the present disclosure, the method further comprises generating the asset base table according to the history messages of the link layer discovery protocol in the industrial control network.
In an exemplary embodiment of the disclosure, generating the asset library table according to a history packet of the link layer discovery protocol in the industrial control network includes: parsing a historical message of the link layer discovery protocol in the industrial control network to obtain a management address TLV and a system description TLV; extracting the message source MAC and management address from the management address TLV; extracting the manufacturer type and version information from the system description TLV; and generating the asset base table from the message source MAC, management address, manufacturer type and version information.
In an exemplary embodiment of the present disclosure, acquiring a link layer discovery protocol packet in an industrial control network includes acquiring the link layer discovery protocol message in the industrial control network through a switch.
In an exemplary embodiment of the present disclosure, generating the current asset information according to the management address TLV and the system description TLV includes extracting the message source MAC, management address, manufacturer type and version information from the management address TLV and the system description TLV to generate the current asset information.
In an exemplary embodiment of the present disclosure, determining that there is a predetermined change in the comparison result includes: determining that a predetermined change exists when a new source MAC appears in the comparison result; and/or determining that a predetermined change exists when a new management address appears in the comparison result; and/or determining that a predetermined change exists when a new MAC and address binding appears in the comparison result.
In an exemplary embodiment of the present disclosure, the method further comprises sending the risk early warning information to a network management platform through the simple network management protocol.
In an exemplary embodiment of the present disclosure, the method further comprises setting a change flag on the assets in the asset library table based on the comparison result.
According to an aspect of the present disclosure, a risk early warning device of an industrial control network is provided, the device including: the message module is used for acquiring a current message of a link layer discovery protocol in an industrial control network; the analysis module is used for analyzing the current message of the link layer discovery protocol to acquire a management address TLV and a system description TLV; the asset module is used for generating current asset information according to the management address TLV and the system description TLV; the comparison module is used for comparing the current asset information with an asset base table of the industrial control network to generate a comparison result; and the early warning module is used for generating risk early warning information when the comparison result has preset change.
In an exemplary embodiment of the present disclosure, the device further comprises: a vulnerability checking module for carrying out a global vulnerability check on the industrial control network at regular intervals to generate a check result; and a vulnerability assessment module for generating a vulnerability assessment result according to the asset information in the asset base table and the check result.
According to an aspect of the present disclosure, an electronic device is provided, including: one or more processors; and storage means for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the method as above.
According to an aspect of the disclosure, a computer-readable medium is proposed, on which a computer program is stored, which program, when being executed by a processor, carries out the method as above.
According to the risk early warning method, the risk early warning device, the electronic equipment and the computer readable medium of the industrial control network, the current message of the link layer discovery protocol is analyzed to obtain a management address TLV and a system description TLV; generating current asset information according to the management address TLV and the system description TLV; comparing the current asset information with an asset base table of the industrial control network to generate a comparison result; when the comparison result has the preset change, the risk early warning information is generated, so that a simple, effective and low-risk industrial control network risk self-evaluation method can be provided, and a foundation can be provided for the subsequent vulnerability risk evaluation of the industrial control network.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The above and other objects, features and advantages of the present disclosure will become more apparent by describing in detail exemplary embodiments thereof with reference to the attached drawings. The drawings described below are merely some embodiments of the present disclosure, and other drawings may be derived from those drawings by those of ordinary skill in the art without inventive effort.
Fig. 1 is a system block diagram of a risk early warning method of an industrial control network in the prior art.
Fig. 2 is a system block diagram illustrating a risk pre-warning method of an industrial control network according to an example embodiment.
Fig. 3 is a schematic diagram illustrating a risk pre-warning method of an industrial control network according to an example embodiment.
Fig. 4 is a flowchart illustrating a risk pre-warning method of an industrial control network according to another exemplary embodiment.
Fig. 5 is a schematic diagram illustrating a risk pre-warning method of an industrial control network according to another exemplary embodiment.
FIG. 6 is a flow diagram illustrating a risk pre-warning method for an industrial control network, according to another example embodiment.
Fig. 7 is a flowchart illustrating a risk pre-warning method of an industrial control network according to another exemplary embodiment.
FIG. 8 is a block diagram illustrating a risk pre-warning device of an industrial control network, according to an example embodiment.
FIG. 9 is a block diagram illustrating an electronic device in accordance with an example embodiment.
FIG. 10 is a block diagram illustrating a computer-readable medium in accordance with an example embodiment.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. Example embodiments may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of example embodiments to those skilled in the art. The same reference numerals denote the same or similar parts in the drawings, and thus, a repetitive description thereof will be omitted.
Furthermore, the described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided to give a thorough understanding of embodiments of the disclosure. One skilled in the relevant art will recognize, however, that the subject matter of the present disclosure can be practiced without one or more of the specific details, or with other methods, components, devices, steps, and so forth. In other instances, well-known methods, devices, implementations, or operations have not been shown or described in detail to avoid obscuring aspects of the disclosure.
The block diagrams shown in the figures are functional entities only and do not necessarily correspond to physically separate entities. I.e. these functional entities may be implemented in the form of software, or in one or more hardware modules or integrated circuits, or in different networks and/or processor means and/or microcontroller means.
The flow charts shown in the drawings are merely illustrative and do not necessarily include all of the contents and operations/steps, nor do they necessarily have to be performed in the order described. For example, some operations/steps may be decomposed, and some operations/steps may be combined or partially combined, so that the actual execution sequence may be changed according to the actual situation.
It will be understood that, although the terms first, second, third, etc. may be used herein to describe various components, these components should not be limited by these terms. These terms are used to distinguish one element from another. Thus, a first component discussed below may be termed a second component without departing from the teachings of the disclosed concept. As used herein, the term "and/or" includes any and all combinations of one or more of the associated listed items.
It is to be understood by those skilled in the art that the drawings are merely schematic representations of exemplary embodiments, and that the blocks or processes shown in the drawings are not necessarily required to practice the present disclosure and are, therefore, not intended to limit the scope of the present disclosure.
The present disclosure relates to the following abbreviations for nouns:
[Abbreviation table: present as an image in the original publication and not reproduced here.]
As shown in Fig. 1, existing industrial control security vulnerability risk assessment relies mainly on industrial control vulnerability scanning equipment. Vulnerability scanning first has to detect the scanning targets, which is usually done by sending TCP SYN and ICMP messages; the scanning targets are the engineer station, operator station, PLC and other assets in the figure. After target detection, vulnerability risk assessment is carried out, mainly by one of the following two methods:
1. Principle scanning: corresponding defect messages are formed from the vulnerability characteristics and used to verify the defects of the assets. This method is not suitable for an operating industrial control network, since the defect messages may cause the PLC to go down; it can only be used while the PLC is shut down for overhaul.
2. Version scanning: information such as manufacturer, model and firmware version of the target assets is acquired by asset fingerprinting and correlated with vulnerability information published by CVE, CNVD, CNNVD and the like to obtain the vulnerability risk condition of the target assets. Existing industrial control vulnerability scanning equipment depends on the IP address of the scanning target, so vulnerability scanning can only be carried out when that IP is reachable; in a real network, safety protection equipment such as an industrial control firewall often sits in front of the scanning target, so the scanning equipment cannot detect the target and vulnerability assessment fails. In a remote SCADA system the assets are often far away, and industrial control vulnerability scanning equipment has to be deployed at each slave station to assess vulnerability risk there, which sharply increases the security cost.
In view of the defects in the prior art, the inventor of the present disclosure provides a risk early warning method and device for an industrial control network, which can be used for a simple, effective and low-risk self-evaluation method for the industrial control network, can be used for the industrial control network risk self-evaluation in daily work, and can provide a basis for subsequent deep risk evaluation.
Fig. 2 is a system block diagram illustrating a risk pre-warning method of an industrial control network according to an example embodiment.
As shown in Fig. 2, the industrial control network system architecture 20 may include an operator station 201, an engineer station 202, a PLC device 203, a switch 204, a firewall 205 and a network management server 206. The network provides the medium for communication links between the operator station 201, engineer station 202, PLC device 203, switch 204, firewall 205 and network management server 206, and may include various connection types such as wired or wireless communication links or fibre optic cables.
In Fig. 2, the operator station 201, engineer station 202 and PLC device 203 connected to the switch 204 are shown only as a minimal set of components; the asset scale of a real industrial control network is larger and its network hierarchy more complex. Switches 204 may sit on different production lines in the same workshop or in different workshops, logically isolated from one another by the firewall 205, and every switch 204 is managed centrally by the network management server 206.
The network management server 206 may be a server that provides various services, such as a backend server (as one example) that provides network management support for the industrial control network 20. The network management server 206 may analyse and process the received network topology data and feed the processing result back to the administrator.
The switch 204 may, for example, obtain the current message of the link layer discovery protocol in the industrial control network and parse it to obtain the management address TLV and the system description TLV; the network management server 206 may, for example, generate the current asset information from the management address TLV and the system description TLV, compare it with the asset library table of the industrial control network to generate a comparison result, and generate risk pre-warning information when the comparison result shows a predetermined change.
The network management server 206 may also, for example, perform a global vulnerability check on the industrial control network at regular intervals to generate a check result, and generate a vulnerability assessment result from the asset information in the asset base table and the check result.
The network management server 206 may be a single physical server or may be composed of several servers. It should be noted that the risk early warning method for the industrial control network provided by the embodiment of the present disclosure may be executed by the network management server 206 and the switch 204, and accordingly the risk early warning device for the industrial control network may be disposed in the server 205 and the switch 204.
Fig. 3 is a schematic diagram illustrating a risk pre-warning method of an industrial control network according to an example embodiment. As shown in Fig. 3, which is a schematic of the network management server 106 and the switch 104 of the present disclosure, the switch 104 may be used for LLDP message analysis and LLDP event analysis and reports the corresponding events to the platform of the network management server 106, where the platform handles event reception, global asset management and vulnerability assessment.
FIG. 4 is a flow diagram illustrating a risk pre-warning method for an industrial control network, according to an example embodiment. The risk early warning method 40 of the industrial control network at least includes steps S402 to S410.
As shown in Fig. 4, in S402 the current packet of the link layer discovery protocol in the industrial control network is obtained. The link layer discovery protocol message may be obtained through the switch.
LLDP (Link Layer Discovery Protocol) is an auto-discovery protocol that reveals detailed information such as which devices are attached to which ports and which switches are interconnected with which other devices, and shows the paths between clients, switches, routers, application servers and network servers. Such detailed information is valuable when tracing the root cause of a network failure. LLDP information is transmitted periodically and is retained only for a certain period of time. The IEEE has defined a proposed transmission frequency of one transmission every 30 seconds. On receiving LLDP information from a neighbouring network device, an LLDP device stores it in an IEEE-defined Simple Network Management Protocol (SNMP) Management Information Base (MIB), where it remains valid for a certain period. The LLDP "time to live" (TTL) value that defines this time limit is carried in the received packet.
LLDP is widely used, and the kinds of assets supporting LLDP protocol are increasing, such as switches, routers, PLCs, hosts, servers, etc., and the support of LLDP by these core assets provides a solid foundation for network topology information collection.
In S404, the current packet of the link layer discovery protocol is parsed to obtain the management address TLV and the system description TLV. Fig. 5 shows an LLDP frame encapsulated in Ethernet II format; as shown in Fig. 5, the fields of the LLDP frame have the following meanings:
DA: the destination MAC address, a fixed multicast MAC address 0x0180-C200-000E.
SA: the source MAC address, either a port MAC address or a device MAC address (the port MAC address is used if the port has one, otherwise the device MAC address).
Type: frame type, 0x88CC.
Data: the data, i.e. the LLDPDU.
FCS: the frame check sequence.
The LLDPDU is the payload of LLDP and carries the information to be transmitted. TLVs are the units that make up the LLDPDU, and each TLV carries one item of information. TLVs are mainly of two kinds, basic TLVs and extended TLVs: the basic TLVs include Chassis ID, Port ID, Time To Live, port description, system name, system description, system capabilities, management address and so on, while extended TLVs are defined by the manufacturer. Parsing the LLDPDU data in the current message yields the management address TLV and the system description TLV.
In S406, current asset information is generated according to the management address TLV and the system description TLV: the message source MAC, management address, manufacturer type and version information are extracted from the two TLVs to form the current asset information.
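The parsing steps S404 and S406 above, written out as an added example that is not code from the patent: an Ethernet II / LLDP frame is checked for the fixed multicast DA and EtherType 0x88CC, the LLDPDU is walked TLV by TLV (16-bit header: 7-bit type, 9-bit length), and the Management Address TLV (type 8) and System Description TLV (type 6) are turned into the asset fields the text names. The sample frame is constructed inline from the MAC and IP of Table 1, the "vendor, model, version" layout of the system description string is an assumed convention (real devices format it vendor-specifically), and the FCS is omitted as it is normally stripped before the frame reaches software.

```python
# Added example: minimal LLDP frame parser extracting the Management Address and
# System Description TLVs (S404/S406). Not code from the patent; the sample frame
# and the "vendor, model, version" system-description layout are constructed.
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

LLDP_MULTICAST_DA = bytes.fromhex("0180c200000e")   # fixed LLDP destination MAC
LLDP_ETHERTYPE = 0x88CC

TLV_END = 0
TLV_SYSTEM_DESCRIPTION = 6
TLV_MANAGEMENT_ADDRESS = 8
MGMT_ADDR_SUBTYPE_IPV4 = 1


@dataclass
class AssetInfo:
    source_mac: str
    management_address: Optional[str]
    vendor: Optional[str]
    model: Optional[str]
    version: Optional[str]


def is_lldp_frame(frame: bytes) -> bool:
    """Ethernet II check: LLDP multicast DA and EtherType 0x88CC."""
    if len(frame) < 14:
        return False
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    return frame[0:6] == LLDP_MULTICAST_DA and ethertype == LLDP_ETHERTYPE


def parse_tlvs(lldpdu: bytes) -> List[Tuple[int, bytes]]:
    """Walk the LLDPDU: each TLV is a 16-bit header (7-bit type, 9-bit length) + value."""
    tlvs: List[Tuple[int, bytes]] = []
    offset = 0
    while offset + 2 <= len(lldpdu):
        header = struct.unpack_from("!H", lldpdu, offset)[0]
        tlv_type, length = header >> 9, header & 0x1FF
        offset += 2
        if tlv_type == TLV_END:                     # End of LLDPDU TLV
            break
        if offset + length > len(lldpdu):           # malformed: length runs past the frame
            raise ValueError("truncated TLV at offset %d" % offset)
        tlvs.append((tlv_type, lldpdu[offset:offset + length]))
        offset += length
    return tlvs


def parse_management_address(value: bytes) -> Optional[str]:
    """Value: address string length (subtype + address), subtype, address, ifnum info, OID."""
    if len(value) < 2:
        raise ValueError("management address TLV too short")
    addr_len, subtype = value[0], value[1]
    address = value[2:1 + addr_len]
    if subtype == MGMT_ADDR_SUBTYPE_IPV4 and len(address) == 4:
        return ".".join(str(b) for b in address)
    return None   # IPv6 and other subtypes are not handled in this example


def parse_system_description(value: bytes) -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Assumed convention 'vendor, model, version'; production code needs per-vendor rules."""
    parts = [p.strip() for p in value.decode("utf-8", errors="replace").split(",")]
    parts += [None] * (3 - len(parts))
    return parts[0], parts[1], parts[2]


def parse_lldp_frame(frame: bytes) -> AssetInfo:
    """S404 + S406: frame -> (source MAC, management address, vendor, model, version)."""
    if not is_lldp_frame(frame):
        raise ValueError("not an LLDP frame")
    source_mac = ":".join("%02x" % b for b in frame[6:12])
    mgmt_addr = vendor = model = version = None
    for tlv_type, value in parse_tlvs(frame[14:]):
        if tlv_type == TLV_MANAGEMENT_ADDRESS and mgmt_addr is None:
            mgmt_addr = parse_management_address(value)   # first management address wins
        elif tlv_type == TLV_SYSTEM_DESCRIPTION:
            vendor, model, version = parse_system_description(value)
    return AssetInfo(source_mac, mgmt_addr, vendor, model, version)


def _tlv(tlv_type: int, value: bytes) -> bytes:
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_sample_frame() -> bytes:
    """Constructed LLDP frame using the MAC and IP from Table 1 (no FCS)."""
    src = bytes.fromhex("e0dca072e744")
    lldpdu = (
        _tlv(1, b"\x04" + src)                                   # Chassis ID, subtype 4 = MAC
        + _tlv(2, b"\x05X1")                                     # Port ID, subtype 5 = interface name
        + _tlv(3, struct.pack("!H", 120))                        # TTL 120 s
        + _tlv(TLV_SYSTEM_DESCRIPTION, b"XX, S7-1200, V4.2.3")   # constructed description
        + _tlv(TLV_MANAGEMENT_ADDRESS,
               b"\x05\x01" + bytes([10, 121, 21, 223])           # IPv4 10.121.21.223
               + b"\x02" + struct.pack("!I", 1) + b"\x00")       # ifIndex 1, empty OID
        + _tlv(TLV_END, b"")
    )
    return LLDP_MULTICAST_DA + src + struct.pack("!H", LLDP_ETHERTYPE) + lldpdu


if __name__ == "__main__":
    print(parse_lldp_frame(build_sample_frame()))
```

The length check in parse_tlvs matters in practice: LLDP is received passively from any neighbour on the segment, so a collector must treat TLV lengths as untrusted and stop on the first inconsistent one rather than reading past the frame.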
In S408, the current asset information is compared with the asset library table of the industrial control network, and a comparison result is generated.
In one embodiment, the method further comprises generating the asset base table according to the history messages of the link layer discovery protocol in the industrial control network.
More specifically, generating the asset library table according to the history messages of the link layer discovery protocol in the industrial control network includes: parsing a historical message of the link layer discovery protocol in the industrial control network to obtain a management address TLV and a system description TLV; extracting the message source MAC and management address from the management address TLV; extracting the manufacturer type and version information from the system description TLV; and generating the asset base table from the message source MAC, management address, manufacturer type and version information.
In S410, when there is a predetermined change in the comparison result, risk early warning information is generated. A predetermined change is determined to exist when a new source MAC appears in the comparison result; and/or when a new management address appears in the comparison result; and/or when a new MAC and address binding appears in the comparison result.
According to the risk early warning method of the industrial control network, the current message of a link layer discovery protocol in the industrial control network is obtained; analyzing a current message of a link layer discovery protocol to acquire a management address TLV and a system description TLV; generating current asset information according to the management address TLV and the system description TLV; comparing the current asset information with an asset base table of the industrial control network to generate a comparison result; when the comparison result has the preset change, the risk early warning information is generated, so that a simple, effective and low-risk industrial control network risk self-evaluation method can be provided, and a foundation can be provided for the subsequent vulnerability risk evaluation of the industrial control network.
It should be clearly understood that this disclosure describes how to make and use particular examples, but the principles of this disclosure are not limited to any details of these examples. Rather, these principles can be applied to many other embodiments based on the teachings of the present disclosure.
FIG. 6 is a flow diagram illustrating a risk pre-warning method for an industrial control network, according to another example embodiment. The process 60 shown in fig. 6 is a detailed description of the process shown in fig. 4.
As shown in fig. 6, in S601, the LLDP packet is parsed.
In S602, a management address TLV is acquired.
In S603, a system description TLV is acquired.
In S604, the source MAC and management IP are extracted.
In S605, the vendor type and version information are extracted.
In S606, LLDP event analysis is performed.
In S607, it is determined whether reporting is required.
In S608, the event is transmitted.
In S609, no processing is performed.
In S610, the network management platform creates or updates the asset library table.
In S611, it is checked whether a change flag is set.
In S612, vulnerability assessment is performed.
In S613, the assessment result is output.
In S614, the change flag is cleared.
Before the current message of the industrial control network is analysed, the switch obtains the message source MAC and management IP from the management address TLV and the manufacturer type and version information from the system description TLV through LLDP parsing, and forms the asset library table from them.
Table 1 is an example of asset information in an asset library table. Specifically, an LLDP message was captured on an XX brand PLC, and the following asset table was obtained from its management address TLV and system description TLV. The table holds the information that the asset library of the network management platform needs to manage; the version information is used for subsequent vulnerability assessment:
Table 1
Asset name | Asset MAC         | Asset IP      | Manufacturer type | Version information
PLC_1      | e0:dc:a0:72:e7:44 | 10.121.21.223 | XX S7-1200        | V 4.2.3
In the embodiment shown in Fig. 6, LLDP event analysis first decides whether an event must be reported. The analysis covers three main cases: a new source MAC appears, for example a new device is connected; a new management IP appears, for example a new device is connected; or a new MAC and IP binding appears, for example the IP address of an operator station or a device changes. In each of these three cases the event is reported to the network management platform, which creates a new asset in the asset base table or updates the asset information; events are reported as SNMP TRAPs. The network management platform then sets a change flag on the asset according to the global asset library and the received event. The change flag decides whether the asset enters the vulnerability assessment process: if it is set, vulnerability assessment is carried out, the assessment result is output and the change flag is cleared; if not, event handling ends.
Fig. 7 is a flowchart illustrating a risk pre-warning method of an industrial control network according to another exemplary embodiment. The flow 70 shown in fig. 7 is a supplementary description of the flow shown in fig. 6.
As shown in fig. 7, in S701, the global evaluation timer is read.
In S702, it is determined whether the timer has timed out.
In S703, global asset assessment is performed.
In S704, the evaluation result is output.
The method can perform periodic vulnerability assessment of the assets in the global asset library table. Specifically, a global assessment timer can be configured; when the global assessment timer expires, the assessment is performed and an assessment result is output, otherwise the process ends. The period of the global timer can be configured by the user, for example by hour, day, week, month or a user-defined period, and the timer can be started or stopped through an enable button.
The asset vulnerability assessment takes the XX brand PLC asset in table 1 as an example, assuming that vulnerabilities CVE-2018-: the PLC has CVE-2019-.
Furthermore, the CVE, CNVD and CNNVD information required in vulnerability assessment can be updated periodically and imported into the device, and corresponding vulnerability identification information can be extracted and associated with asset version information for searching to perform vulnerability assessment operation.
The method is simple, effective and low-risk, is suitable for industrial control network risk self-assessment in daily work, and can provide a basis for subsequent in-depth risk assessment. Because the LLDP message is acquired passively, no message needs to be sent to industrial control assets such as a PLC, which reduces the risk introduced by the risk assessment itself. Meanwhile, no scanning behaviour is generated, so the related behaviour is not identified and intercepted by security protection equipment such as an industrial control firewall, which improves the success rate of vulnerability assessment.
Those skilled in the art will appreciate that all or part of the steps implementing the above embodiments are implemented as computer programs executed by a CPU. When the computer program is executed by the CPU, it performs the functions defined by the above-described methods provided by the present disclosure. The program may be stored in a computer readable storage medium, which may be a read-only memory, a magnetic or optical disk, or the like.
Furthermore, it should be noted that the above-mentioned figures are only schematic illustrations of the processes involved in the methods according to exemplary embodiments of the present disclosure, and are not intended to be limiting. It will be readily understood that the processes shown in the above figures are not intended to indicate or limit the chronological order of the processes. In addition, it is also readily understood that these processes may be performed synchronously or asynchronously, e.g., in multiple modules.
The following are embodiments of the disclosed apparatus that may be used to perform embodiments of the disclosed methods. For details not disclosed in the embodiments of the apparatus of the present disclosure, refer to the embodiments of the method of the present disclosure.
FIG. 8 is a block diagram illustrating a risk pre-warning device of an industrial control network, according to an example embodiment. As shown in fig. 8, the risk early warning apparatus 80 of the industrial control network includes: a message module 802, a parsing module 804, an asset module 806, a comparison module 808, and an early warning module 810.
The message module 802 is configured to obtain a current message of a link layer discovery protocol in an industrial control network; the message module 802 may be disposed in a switch, and the link layer discovery protocol message in the industrial control network is obtained through the message module 802 in the switch.
The parsing module 804 is configured to parse the current packet of the link layer discovery protocol to obtain a management address TLV and a system description TLV; the parsing module 804 may be disposed in the switch, and configured to parse the LLDPDU data in the current packet and obtain the management address TLV and the system description TLV.
The asset module 806 is configured to generate current asset information according to the management address TLV and the system description TLV; and extracting message source MAC, management address, manufacturer type and version information from the management address TLV and the system description TLV to generate current asset information.
The comparison module 808 is configured to compare the current asset information with an asset library table of the industrial control network, and generate a comparison result;
the early warning module 810 is configured to generate risk early warning information when there is a predetermined change in the comparison result. When a new source MAC exists in the comparison result, determining that a preset change exists in the comparison result; and/or determining that a predetermined change exists in the comparison result when a new management address exists in the comparison result; and/or determining that there is a predetermined change in the comparison result when there is a new MAC and address binding in the comparison result.
The risk early warning device 80 of the industrial control network may further include: the vulnerability checking module is used for carrying out global vulnerability checking on the industrial control network at regular time to generate a checking result; and the vulnerability assessment module is used for generating a vulnerability assessment result according to the asset information in the asset base table and the inspection result.
According to the risk early warning device of the industrial control network, the current message of a link layer discovery protocol in the industrial control network is analyzed to obtain a management address TLV and a system description TLV; generating current asset information according to the management address TLV and the system description TLV; comparing the current asset information with an asset base table of the industrial control network to generate a comparison result; when the comparison result has the preset change, the risk early warning information is generated, so that a simple, effective and low-risk industrial control network risk self-evaluation method can be provided, and a foundation can be provided for the subsequent vulnerability risk evaluation of the industrial control network.
FIG. 9 is a block diagram illustrating an electronic device in accordance with an example embodiment.
An electronic device 900 according to this embodiment of the disclosure is described below with reference to fig. 9. The electronic device 900 shown in fig. 9 is only an example and should not bring any limitations to the functionality or scope of use of the embodiments of the present disclosure.
As shown in fig. 9, the electronic device 900 is embodied in the form of a general purpose computing device. Components of electronic device 900 may include, but are not limited to: at least one processing unit 910, at least one storage unit 920, a bus 930 connecting different system components (including the storage unit 920 and the processing unit 910), a display unit 940, and the like.
The storage unit stores program code which can be executed by the processing unit 910, so that the processing unit 910 performs the steps according to the various exemplary embodiments of the present disclosure described in the method sections of this specification above. For example, the processing unit 910 may perform the steps shown in fig. 4, 6, and 7.
The storage unit 920 may include a readable medium in the form of a volatile storage unit, such as a random access memory unit (RAM)9201 and/or a cache memory unit 9202, and may further include a read only memory unit (ROM) 9203.
The memory unit 920 may also include a program/utility 9204 having a set (at least one) of program modules 9205, such program modules 9205 including but not limited to: an operating system, one or more application programs, other program modules, and program data, each of which, or some combination thereof, may comprise an implementation of a network environment.
Bus 930 can be any of several types of bus structures, including a memory unit bus or memory unit controller, a peripheral bus, an accelerated graphics port, a processor, or a local bus using any of a variety of bus architectures.
The electronic device 900 may also communicate with one or more external devices 900' (e.g., keyboard, pointing device, bluetooth device, etc.), with one or more devices that enable a user to interact with the electronic device 900, and/or with any devices (e.g., router, modem, etc.) that enable the electronic device 900 to communicate with one or more other computing devices. Such communication may occur via input/output (I/O) interface 950. Also, the electronic device 900 may communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN) and/or a public network, such as the Internet) via the network adapter 960. The network adapter 960 may communicate with other modules of the electronic device 900 via the bus 930. It should be appreciated that although not shown, other hardware and/or software modules may be used in conjunction with the electronic device 900, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems, among others.
Through the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein may be implemented by software, or by software in combination with necessary hardware. Therefore, as shown in fig. 10, the technical solution according to the embodiment of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a usb disk, a removable hard disk, etc.) or on a network, and includes several instructions to enable a computing device (which may be a personal computer, a server, or a network device, etc.) to execute the above method according to the embodiment of the present disclosure.
The software product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable disk, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
The readable signal medium may include a propagated data signal with readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A readable signal medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out operations for the present disclosure may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., through the internet using an internet service provider).
The computer readable medium carries one or more programs which, when executed by a device, cause the device to perform the following functions: acquiring a current message of a link layer discovery protocol in an industrial control network; analyzing the current message of the link layer discovery protocol to acquire a management address TLV and a system description TLV; generating current asset information according to the management address TLV and the system description TLV; comparing the current asset information with an asset base table of the industrial control network to generate a comparison result; and generating risk early warning information when the comparison result has a preset change.
Those skilled in the art will appreciate that the modules described above may be distributed in the apparatus according to the description of the embodiments, or may be modified accordingly in one or more apparatuses different from those of the embodiments. The modules of the above embodiments may be combined into one module, or further split into multiple sub-modules.
Through the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein may be implemented by software, or by software in combination with necessary hardware. Therefore, the technical solution according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a usb disk, a removable hard disk, etc.) or on a network, and includes several instructions to enable a computing device (which may be a personal computer, a server, a mobile terminal, or a network device, etc.) to execute the method according to the embodiments of the present disclosure.
Exemplary embodiments of the present disclosure are specifically illustrated and described above. It is to be understood that the present disclosure is not limited to the precise arrangements, instrumentalities, or instrumentalities described herein; on the contrary, the disclosure is intended to cover various modifications and equivalent arrangements included within the spirit and scope of the appended claims.

Claims (11)

1. A risk early warning method of an industrial control network is characterized by comprising the following steps:
acquiring a current message of a link layer discovery protocol in an industrial control network;
analyzing a current message of a link layer discovery protocol to acquire a management address TLV and a system description TLV;
generating current asset information according to the management address TLV and the system description TLV;
comparing the current asset information with an asset base table of the industrial control network to generate a comparison result;
and generating risk early warning information when the comparison result has preset change.
2. The method of claim 1, further comprising:
carrying out global vulnerability inspection on the industrial control network at regular time to generate an inspection result;
and generating a vulnerability assessment result according to the asset information in the asset base table and the inspection result.
3. The method of claim 1, further comprising:
and generating the asset base table according to the history message of the link layer discovery protocol in the industrial control network.
4. The method of claim 3, wherein generating the asset library table from historical messages of a link layer discovery protocol in an industrial control network comprises:
analyzing a historical message of a link layer discovery protocol in an industrial control network to obtain a management address TLV and a system description TLV;
extracting message source MAC and management address from the management address TLV;
extracting manufacturer type and version information from the system description TLV;
and generating the asset base table according to the message source MAC, the management address, the manufacturer type and the version information.
5. The method of claim 1, wherein obtaining a link layer discovery protocol message in an industrial control network comprises:
and acquiring the link layer discovery protocol message in the industrial control network through a switch.
6. The method of claim 1, wherein generating current asset information according to the management address TLV and the system description TLV comprises:
and extracting message source MAC, management address, manufacturer type and version information from the management address TLV and the system description TLV to generate current asset information.
7. The method of claim 1, wherein determining that there is a predetermined change in the comparison result comprises:
determining that a predetermined change exists in the comparison result when a new source MAC exists in the comparison result; and/or
When a new management address exists in the comparison result, determining that a preset change exists in the comparison result; and/or
Determining that there is a predetermined change in the comparison result when there is a new MAC and address binding in the comparison result.
8. The method of claim 1, further comprising:
and sending the risk early warning information to a network management platform through a simple network management protocol.
9. The method of claim 1, further comprising:
and setting a change mark for the assets in the asset library table based on the comparison result.
10. A risk early warning device of an industrial control network, comprising:
the message module is used for acquiring a current message of a link layer discovery protocol in an industrial control network;
the analysis module is used for analyzing the current message of the link layer discovery protocol to acquire a management address TLV and a system description TLV;
the asset module is used for generating current asset information according to the management address TLV and the system description TLV;
the comparison module is used for comparing the current asset information with an asset base table of the industrial control network to generate a comparison result;
and the early warning module is used for generating risk early warning information when the comparison result has preset change.
11. The apparatus of claim 10, further comprising:
the vulnerability checking module is used for carrying out global vulnerability checking on the industrial control network at regular time to generate a checking result;
and the vulnerability assessment module is used for generating a vulnerability assessment result according to the asset information in the asset base table and the inspection result.
CN202010470139.8A 2020-05-28 2020-05-28 Risk early warning method and device for industrial control network Active CN111669381B (en)

Publications (2)

Publication Number Publication Date
CN111669381A true CN111669381A (en) 2020-09-15
CN111669381B CN111669381B (en) 2022-02-01
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant