CN112507317A - Electric power Internet of things safety protection method based on zero trust - Google Patents


Info

Publication number
CN112507317A
Authority
CN
China
Prior art keywords
access
identity
trust
certificate
data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202011418437.9A
Other languages
Chinese (zh)
Inventor
刘伟娜
赵建利
左晓军
陈泽
侯波涛
董娜
常杰
郗波
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
State Grid Corp of China SGCC
Electric Power Research Institute of State Grid Hebei Electric Power Co Ltd
Original Assignee
State Grid Corp of China SGCC
Electric Power Research Institute of State Grid Hebei Electric Power Co Ltd

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/33User authentication using certificates
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/45Structures or tools for the administration of authentication
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • GPHYSICS
    • G16INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
    • G16YINFORMATION AND COMMUNICATION TECHNOLOGY SPECIALLY ADAPTED FOR THE INTERNET OF THINGS [IoT]
    • G16Y40/00IoT characterised by the purpose of the information processing
    • G16Y40/50Safety; Security of things, users, data or systems
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141Access rights, e.g. capability lists, access control lists, access tables, access matrices

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention discloses a zero-trust-based electric power Internet of Things security protection method. An access subject registers its identity with an identity authentication platform; all access subjects are treated as untrusted, and every access request must be authenticated through the identity authentication platform; after authentication passes, the access subject is given an identity, and each identity corresponds to a set of access rights; the level of the access object is judged, and if it is an important level, ACL authority verification is performed; during the access, security is evaluated continuously by combining multiple factors, namely the access subject's environment, operational risk, external threats and access context; and the identity and access rights of the access subject are adjusted dynamically according to the result of the continuous security evaluation. The invention addresses the problems that traditional boundary security protection is gradually becoming ineffective and that zero-trust security protection is not yet mature.

Description

Electric power Internet of things safety protection method based on zero trust
Technical Field
The invention relates to the technical field of electronic information, in particular to a zero-trust-based electric power Internet of things security protection method.
Background
With the rapid development of Internet technologies such as big data, cloud computing, the Internet of Things, mobile Internet, artificial intelligence and blockchain ("大云物移智链"), power users and their equipment, grid enterprises and their equipment, power generation enterprises and their equipment, suppliers and their equipment, and people and objects are interconnected and produce shared data. This opens a new path for the construction of an electric power Internet of Things covering users, the grid, generation, suppliers and government and social services, in support of safe grid operation, lean management, precise investment and high-quality service.
Traditional security protection is network boundary protection: software and hardware such as firewalls, traffic monitoring, unknown-threat monitoring and DDoS (distributed denial of service) protection are deployed at the network boundary to identify and intercept malicious or unauthorized access, so that normal access and legitimate operations by access subjects are preserved and dangers are isolated. This is passive protection and has clear disadvantages. Strict access control suits scenarios in which the access subjects or services are stable and change little; certain people, devices, systems and applications are trusted by default to some degree, so security measures are neglected; and products from different security vendors have different functional modules and configuration management, which makes operation and maintenance complex. The company's Internet of Things applications already have a certain foundation: more than 500 million terminals such as smart electricity meters, cameras and monitoring devices are connected, the types of terminals are diverse, and the daily increment of data keeps growing. As the construction of the electric power Internet of Things advances, the network boundary becomes increasingly blurred, the shortcomings of traditional security protection become increasingly prominent, and a protection system based solely on the boundary can no longer fully meet the security requirements of the electric power Internet of Things and is gradually becoming ineffective.
To address the gradual failure of traditional security protection, zero-trust security protection has been proposed. It rests on four key capabilities: identity as the cornerstone, secure access to services, continuous trust evaluation and dynamic access control. No person, device or system inside or outside the network is trusted by default, and the trust basis for access control must be rebuilt on authentication and authorization. Although the zero-trust security architecture is gaining acceptance, it is still under development and not yet mature, and its security needs further research.
Disclosure of Invention
In order to solve the problems, the invention provides a zero-trust-based electric power internet of things security protection method.
In order to achieve the purpose, the technical scheme adopted by the invention is as follows:
a zero trust-based electric power Internet of things security protection method comprises the following steps:
the access subject performs identity registration on an identity authentication platform;
the access subjects are all untrusted subjects, and each time an access request is initiated, authentication needs to be carried out through the identity authentication platform;
after passing the identity authentication, giving an identity to the access subject, wherein each identity corresponds to a corresponding access authority;
judging the level of the access object, and if the level is the important level, performing ACL authority verification;
in the access process, multiple factors of access subject environment, operation risk, external threat and access context are combined to carry out security continuous evaluation;
dynamically adjusting the identity and access rights of the access subject according to the result of the continuous security evaluation.
Optionally, an access subject that is a user generates a certificate from characteristics such as name, identity card number, mobile phone number and detailed address; a device generates one from characteristics such as its factory code and model; and an application system generates one from its own information such as its access address. User certificates and application system certificates are kept in a USB key, and device certificates are kept in a security chip embedded in the device.
Optionally, the certificate includes a certificate body and a variable body, the certificate body includes an attribute of the access subject and is not changeable, and the variable body defines a private key, a public key matrix and other parameters of the access subject.
Optionally, the access subject includes a user, a device, and an application system, the user includes a power grid enterprise employee, a power generation enterprise employee, a provider, a power consumer, and other users, the device includes a field acquisition component, an intelligent service terminal, and a local communication network, and the application system includes a national grid system push or a company self-built application system.
Optionally, the access object includes an application system, an interface and data, the application system and the interface include a push or self-built application system and an interface, the data includes data generated by a field acquisition component, an intelligent service terminal and a local communication network terminal device, information of staff of a power grid enterprise, staff of a power generation enterprise, suppliers, power users and other users, data generated in a full-link of source, grid, load, storage and power production, and various data of the service application system.
Optionally, the access object is sequentially divided into an a-type information system, a B-type information system and a C-type information system from strong to weak according to the importance degree of the information system, is sequentially divided into an a-type interface, a B-type interface and a C-type interface from strong to weak according to the importance degree of the interfaces, is sequentially divided into a-type data, B-type data and C-type data from strong to weak according to the data sensitivity, and deploys firewall security devices for the a-type information system, the interfaces and the data.
Optionally, the access subject device is fitted with a security chip and a secure communication module, so that the device stores the certificate information generated by the identity authentication platform and can communicate normally.
Optionally, the identity authentication platform includes a key production center, a key management center, and a registration management center;
the key production center is responsible for key production, distribution and backup work, and is also responsible for generating an initial key and other important parameters in the system initialization process, and the key production center is not connected with any network and independently processes various transactions;
the key management center is responsible for generating certificate service in the system, storing and maintaining a public and private key matrix and other parameters generated by the key production center, receiving a registration request of a registration management center user, and generating an ID certificate through a user private key;
the registration management center acts as the intermediary between the key management system and the access object, providing certificate application, certificate issuance and certificate revocation services.
Optionally, an identity can access an application system, data or interface only if it has been given the corresponding rights; otherwise access is refused.
Optionally, for class B or class C application systems, interfaces or data, no firewall security equipment needs to be deployed; once the access subject has obtained access rights through identity authentication, it can access the object directly without ACL verification.
Optionally, rights management allocates rights on the basis of identity, for which an identity library, an authority library and an authority-identity mapping library need to be established.
Optionally, the new technology is combined with multiple factors such as environment to produce an evaluation result that forms a trust library; the identity of the access subject is adjusted according to the evaluation result and its access rights are modified.
Compared with the prior art, the invention has the technical progress that:
By combining the zero-trust protection method with the traditional boundary protection method, the invention not only addresses the gradual failure of traditional boundary security protection but also achieves double protection of important information systems, applications and data. The identity authentication platform is based on CPK (combined public key) authentication technology, which solves the key-management problem, reduces the interaction steps between the two communicating parties and lowers resource consumption. Each identity is initially given minimum authority, which greatly reduces the exposure of access objects such as application systems and data and thus reduces risk. Through continuous monitoring, risk and threat discovery and perception are built with big data and artificial intelligence technology, the authority of the access subject is adjusted dynamically, and the transition from passive defence to active defence is realized.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description serve to explain the principles of the invention and not to limit the invention.
In the drawings:
FIG. 1 is a flow chart of the present invention.
Detailed Description
The following several specific embodiments may be combined with each other, and details of the same or similar concepts or processes may not be repeated in some embodiments. Embodiments of the present invention will be described below with reference to the accompanying drawings.
As shown in FIG. 1, the invention discloses a zero-trust-based electric power Internet of Things security protection method, which specifically comprises the following steps:
S101: the access subject registers its identity with the identity authentication platform. During initialization, the key production center of the identity authentication platform generates the elliptic curve parameters; it is physically isolated from the key management center and the registration management center and is stored separately in a high-security environment.
In the embodiment of the invention, the access subject is assumed to be a power grid enterprise employee, an electric energy meter, an acquisition terminal and a big data platform.
When an employee of a power enterprise registers on the identity authentication platform, the name, gender, identity card number, telephone number, unit name and department name must be provided as registration information, for example: Zhang San, female, 120 XXXXXXXXXXXXXXXXX, 17783485829, XX Provincial Electric Power Co., Ltd., XX department. The identity authentication platform checks that the registration information entered is compliant.
When an electric energy meter or an acquisition terminal device registers on the identity authentication platform, the device entity ID code, device type, model, manufacturer and production date must be provided as registration information, for example: xx000000001, electric energy meter, DD862, Weisheng, 20190819.
When an information system registers on the identity authentication platform, information such as its standard name, access address, construction form and system level must be provided as registration information, for example: big data platform, https://X.X.X.X.X, self-built, level-2 system.
After the registration information is filled in and submitted on the identity authentication platform, the registration management center receives the access subject's registration request. The certificate is produced by the key management center, stored on a security authentication card (USB key or security chip), encrypted and delivered to the registration management center through a physical channel, and the registration management center distributes the authentication card to each access subject that applied for a certificate. For ease of management, each authentication card is either in a normal state or in a failed state and can be used only in the normal state; otherwise, when the access subject authenticates through the identity authentication platform, the relevant information on the authentication card cannot be read, identity authentication cannot proceed, and authentication fails by default.
When the authentication card is issued to the access subject, the registration information of the access subject is stored in the database of the registration management center, and the table main content in the database is shown in the following tables 1, 2 and 3.
Table 1 user registration storage information
[Table 1 appears only as an image in the original; its contents are not available as text.]
Table 2 device registration storage information table
Column name      Data type  Length  Nullable  Key  Meaning
Dev_id           int        20      No        Yes  Device code
Dev_id_sw        int        20      No        No   Device entity ID code
Dev_type         varchar    20      No        No   Device category
Dev_model        varchar    10      No        No   Model
Dev_proc         varchar    30      No        No   Manufacturer
Dev_proctime     datetime           No        No   Production date
device_regtime   datetime                          Registration time
device_endtime   datetime                          Validity period
device           varchar    20      No        No   User identification
deviece_state    varchar    20      No        No   Authentication card status
Table 3 application system registration information table
[Table 3 appears only as an image in the original; its contents are not available as text.]
S102: whether the access subject is a user, a device or an application system, it is treated as an untrusted subject, and identity authentication must be performed on the identity authentication platform every time an access request is initiated.
In the embodiment of the invention, a grid enterprise user (the access subject) initiates a request to access the power consumption information acquisition system. First, the user inserts the USB key issued at registration into a terminal; a user who does not verify identity through the USB key cannot perform identity authentication, and the authentication fails. When identity authentication is performed through the USB key, the identity authentication platform first checks the state of the certificate; if the certificate is found to be invalid, authentication fails and the grid enterprise user cannot continue to access the power consumption information acquisition system. If the certificate is in the normal state, the request initiated by the grid enterprise user is encrypted with the user's private key; the identity authentication platform intercepts the user's access information and decrypts it with the user's public key, which completes identity authentication, and step S103 is executed.
When the access subject is an electric energy meter or an acquisition terminal device, the certificate generated for identity authentication is stored in the built-in chip, so no security authentication card needs to be inserted into a carrier. The identity authentication process is similar to user authentication: first the certificate state is queried, and if the certificate is invalid the authentication fails; otherwise the content sent by the electric energy meter or acquisition terminal device is encrypted with the device's private key, and if the identity authentication platform decrypts it successfully with the device's public key, identity authentication succeeds and step S103 is executed.
S103: after identity authentication passes, an identity is given to the access subject, and each identity corresponds to a set of access rights.
In the invention, access subjects are not distinguished in detail as user, device or application system when they access, nor is the access purpose distinguished as normal access or malicious attack; all access subjects are treated as untrusted by default, and an identity is allocated to each access subject.
In the invention, a Token is a string of characters representing identity information, such as 10000001, 10000011 or 10010101; Tokens are unique and random. After an access subject passes identity authentication it is assigned a Token, and the mapping relationship is shown in Table 4.
Table 4 access subject and identity (Token) mapping
No.  Access subject         Token
1    Zhang San              10000001
2    Electric energy meter  10000011
3    Big data platform      10010101
An identity library and an authority library are established in the system; a Token is mapped to an identity in the system, and identities correspond to different authorities, as shown in Tables 5 and 6.
Table 5 Token and identity mapping
No.  Token     Identity
1    10000001  Administrator
2    10000011  Terminal device
Table 6 identity and authority mapping
No.  Identity         Authority (power consumption information acquisition system)
1    Administrator    Read, write
2    Terminal device  Write
After the access subject is given the identity and the right, S104 is executed.
S104: the level of the access object is judged, and if it is an important level, ACL authority verification is performed.
The access objects are divided, from strong to weak according to the importance of the information system, into class A, class B and class C information systems; from strong to weak according to the importance of the interface, into class A, class B and class C interfaces; and from strong to weak according to data sensitivity, into class A, class B and class C data. Security equipment such as firewalls is deployed for class A information systems, interfaces and data.
In the invention, an ACL is set for class A application systems, interfaces and data so that only users, devices and systems at specific IP addresses may access them. That is, even if an access subject has passed identity authentication, been given an identity and holds access rights to a class A application system, interface or data, the ACL set on that object still restricts access to specific IP addresses, so ACL authority verification is still required. Only after the ACL verification passes can the access subject perform the related operations, and step S105 is executed; if the verification fails, the related operations are forbidden and the rights given earlier are changed.
For class B or class C information systems, interfaces and data, no security equipment such as firewalls is deployed. When an access subject accesses them, after identity authentication has been performed and an identity and rights have been given, the access operation on the object proceeds directly without ACL verification, and step S105 is executed.
S105: during the access, security is evaluated continuously by combining multiple factors such as the access subject's environment, operational risk, external threats and access context.
After an access subject has been given an identity and rights, it produces various behaviours. In the invention a trust library is set up, and the big data platform is used fully to evaluate security continuously by combining access log information, security event information, identity, rights and so on, so that various attack threats and anomalies, especially targeted attacks, can be discovered in time. For example, when 10000001 has been given read and write rights on the power consumption information system and the access log records a large number of time-regular login operations, authority bypass operations and the like by 10000001, the continuous evaluation result is "distrusted", the result in the trust library is modified, and step S106 is executed.
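As an added example (not code from the patent or from its assignees), the evaluation of step S105 can be modelled as a small detector run over constructed access-log lines. The log format, the thresholds for "time-regular" logins and for repeated denied (authority-bypass) operations, and the function names are assumptions made here; the patent itself specifies only that such patterns yield a "distrusted" result that updates the trust library.

```python
"""Continuous security evaluation over access-log entries (step S105).

Added illustration, not the patent's own code. The log format, the
thresholds and the trust-library representation are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Constructed sample log: "<ISO timestamp> <token> <event> <object> <outcome>".
# Token 10000001 logs in every five minutes and is denied three writes;
# token 10000011 shows ordinary, irregular activity.
SAMPLE_LOG = """\
2021-03-01T08:00:00 10000001 login auth_platform ok
2021-03-01T08:05:00 10000001 login auth_platform ok
2021-03-01T08:10:00 10000001 login auth_platform ok
2021-03-01T08:15:00 10000001 login auth_platform ok
2021-03-01T08:20:00 10000001 login auth_platform ok
2021-03-01T08:21:13 10000001 write meter_config denied
2021-03-01T08:21:40 10000001 write meter_config denied
2021-03-01T08:22:02 10000001 write meter_config denied
2021-03-01T09:17:41 10000011 write collection_system ok
2021-03-01T13:42:05 10000011 write collection_system ok
"""

# Assumed thresholds for this illustration.
MIN_LOGINS = 5                # need enough logins before judging regularity
MAX_INTERVAL_JITTER_S = 5.0   # near-constant gaps between logins look machine-driven
MAX_DENIED_OPS = 2            # more denied operations than this counts as bypass attempts


def parse_log(text):
    """Parse the constructed log format into (time, token, event, object, outcome)."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, token, event, obj, outcome = line.split()
        entries.append((datetime.fromisoformat(ts), token, event, obj, outcome))
    return entries


def regular_login_pattern(times):
    """True when logins arrive at (almost) fixed intervals."""
    if len(times) < MIN_LOGINS:
        return False
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return pstdev(gaps) <= MAX_INTERVAL_JITTER_S


def evaluate(entries):
    """Return {token: (verdict, reasons)} with verdict 'trusted' or 'distrusted'."""
    logins = defaultdict(list)
    denied = defaultdict(int)
    tokens = set()
    for ts, token, event, _obj, outcome in entries:
        tokens.add(token)
        if event == "login":
            logins[token].append(ts)
        elif outcome == "denied":
            denied[token] += 1
    verdicts = {}
    for token in sorted(tokens):
        reasons = []
        if regular_login_pattern(sorted(logins[token])):
            reasons.append("time-regular logins")
        if denied[token] > MAX_DENIED_OPS:
            reasons.append("repeated authority-bypass attempts")
        verdicts[token] = ("distrusted" if reasons else "trusted", reasons)
    return verdicts


def update_trust_library(trust_library, verdicts):
    """Write the evaluation result into the trust library (token -> verdict)."""
    for token, (verdict, _reasons) in verdicts.items():
        trust_library[token] = verdict
    return trust_library


if __name__ == "__main__":
    library = update_trust_library({}, evaluate(parse_log(SAMPLE_LOG)))
    for token, verdict in library.items():
        print(token, verdict)
```

The two detectors are deliberately simple: regularity is measured as a low spread of inter-login gaps, and bypass attempts as a count of denied operations. A production trust library would weigh environment and external-threat inputs as well, but the shape of the decision, evidence in, verdict per token out, is what step S106 consumes.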
S106: the identity and access rights of the access subject are adjusted dynamically according to the result of the continuous security evaluation.
In the invention, since the result of the continuous security evaluation of 10000001 is untrusted, the identity of 10000001 is changed to untrusted access, the access rights of that identity are cancelled, and the access of the access subject is forcibly ended.
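The whole flow of steps S102 to S106 can be exercised as one policy engine. The following is an added example, not code from the patent or from its assignees: the subjects, Tokens, identities and rights mirror Tables 4 to 6, while the certificate states, the object classes, the ACL source addresses and the function names are constructed for this illustration. Certificate checking is reduced to a status flag, and the CPK signature step is not modelled; the trust verdict is taken as input from the continuous-evaluation stage.

```python
"""Access-decision flow of steps S102 to S106 as a single policy engine.

Added illustration, not the patent's own code. Certificate states,
object classes, ACL entries and one extra class B object are constructed.
"""
from dataclasses import dataclass, field

ACQ = "power consumption information acquisition system"   # class A object (Table 6)
IFACE = "meter data interface"                             # constructed class B object

# Registration records (constructed): subject -> certificate status.
CERT_STATUS = {"Zhang San": "normal", "Electric energy meter": "normal",
               "Big data platform": "invalid"}

# Table 4: subject -> Token; Table 5: Token -> identity; Table 6: identity -> rights.
SUBJECT_TOKEN = {"Zhang San": "10000001", "Electric energy meter": "10000011",
                 "Big data platform": "10010101"}
TOKEN_IDENTITY = {"10000001": "Administrator", "10000011": "Terminal device"}
IDENTITY_RIGHTS = {
    "Administrator": {ACQ: {"read", "write"}},
    "Terminal device": {ACQ: {"write"}, IFACE: {"write"}},
}

# Object classification: class A objects are ACL-verified, B and C are not.
OBJECT_CLASS = {ACQ: "A", IFACE: "B"}
# Constructed ACL for class A objects: permitted source IP addresses.
ACL = {ACQ: {"10.1.2.3"}}


@dataclass
class TrustLibrary:
    """Verdicts written by continuous evaluation (S105), tokens revoked by S106."""
    verdicts: dict = field(default_factory=dict)   # token -> "trusted" / "distrusted"
    revoked: set = field(default_factory=set)

    def record(self, token, verdict):
        self.verdicts[token] = verdict


def authenticate(subject):
    """S102: every request re-authenticates; an invalid certificate fails."""
    if CERT_STATUS.get(subject) != "normal":
        return None
    return SUBJECT_TOKEN.get(subject)


def decide(subject, source_ip, obj, operation, trust):
    """Return (allowed, reason) for one access request."""
    token = authenticate(subject)
    if token is None:
        return False, "authentication failed"
    # S106: a distrusted token loses its rights and the access is forced to end.
    if trust.verdicts.get(token) == "distrusted":
        trust.revoked.add(token)
        return False, "identity revoked by continuous evaluation"
    # S103: Token -> identity -> rights; identities start with minimum authority.
    identity = TOKEN_IDENTITY.get(token)
    rights = IDENTITY_RIGHTS.get(identity, {}).get(obj, set())
    if operation not in rights:
        return False, "identity lacks authority"
    # S104: class A objects additionally require ACL verification by source IP.
    if OBJECT_CLASS.get(obj, "C") == "A" and source_ip not in ACL.get(obj, set()):
        return False, "ACL verification failed"
    return True, "allowed"


if __name__ == "__main__":
    trust = TrustLibrary()
    print(decide("Zhang San", "10.1.2.3", ACQ, "write", trust))
    print(decide("Zhang San", "192.0.2.9", ACQ, "write", trust))
    trust.record("10000001", "distrusted")
    print(decide("Zhang San", "10.1.2.3", ACQ, "read", trust))
```

Note the ordering: authentication and the trust verdict are checked on every request before any rights lookup, so a subject judged distrusted in S105 is cut off even though its Token still maps to an identity in the tables; the rights are cancelled by refusing the mapping rather than by editing the tables, which keeps the evaluation result the single source of truth.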
Finally, it should be noted that: although the present invention has been described in detail with reference to the foregoing embodiments, it will be apparent to those skilled in the art that changes may be made in the embodiments and/or equivalents thereof without departing from the spirit and scope of the invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the scope of the claims of the present invention.

Claims (10)

1. A zero-trust-based electric power Internet of Things security protection method, characterized by comprising the following steps: an access subject registers its identity on an identity authentication platform; the access subject is an untrusted subject, and every time an access request is initiated, authentication must be conducted through the identity authentication platform; after authentication passes, an identity is given to the access subject, each identity corresponding to a set of access rights; the level of the access object is judged, and if the access object is of an important level, ACL authority verification is conducted; during the access, continuous security evaluation is conducted by combining multiple factors of access subject environment, operation risk, external threat and access context; and the identity of the access subject and its access rights are adjusted dynamically according to the continuous security evaluation result;
an access subject that is a user generates a certificate from its name, identity card number, mobile phone number and detailed address information, a device generates one from its own information such as factory code and model, and an application system generates one from its own information such as its access address, the certificate being generated through the identity authentication platform; the certificate comprises a certificate body and a variable body, the certificate body contains the attributes of the access subject and cannot be changed, and the variable body defines the private key, public key matrix and other parameters of the access subject.
2. The zero-trust-based power internet of things security protection method according to claim 1, characterized in that: the access subject comprises users, equipment and an application system, wherein the users comprise power grid enterprise employees, power generation enterprise employees, suppliers, power users and other users, the equipment comprises a field acquisition component, an intelligent service terminal and a local communication network, and the application system comprises a national grid system pushing or company self-building application system.
3. The zero-trust-based power internet of things security protection method according to claim 1, characterized in that: the access object comprises an application system, an interface and data, the application system and the interface comprise a push application system or a self-built application system and an interface, the data comprises data generated by a field acquisition component, an intelligent service terminal and a local communication network terminal device, information of staff of a power grid enterprise, staff of a power generation enterprise, suppliers, power users and other users, data generated in a source, grid, load, storage and power production full-link mode, and various data of the service application system.
4. The zero trust based power internet of things security protection method according to claim 1 or 3, characterized in that: the access objects are sequentially divided into an A-type information system, a B-type information system and a C-type information system from strong to weak according to the importance degree of the information systems, are sequentially divided into an A-type interface, a B-type interface and a C-type interface from strong to weak according to the importance degree of the interfaces, are sequentially divided into A-type data, B-type data and C-type data from strong to weak according to the data sensitivity, and deploy firewall safety equipment for the A-type information system, the interfaces and the data.
5. The zero-trust-based power internet of things security protection method according to claim 2, characterized in that: the devices of the access subject are fitted with a security chip and loaded with secure communication software, so that each device stores the certificate information generated by the identity authentication platform and can communicate normally.
6. The zero-trust-based power internet of things security protection method according to claim 2, characterized in that: the identity authentication platform comprises a key production center, a key management center and a registration management center;
the key production center is responsible for key production, distribution and backup, and also for generating the initial key and other important parameters during system initialization; it is not connected to any network and processes all transactions independently;
the key management center is responsible for the certificate generation service in the system, stores and maintains the public and private key matrix and other parameters generated by the key production center, receives registration requests from registration management center users, and generates ID certificates with the user's private key;
the registration management center acts as the intermediary between the key management system and the access object, providing certificate application, certificate issuance and certificate revocation services.
7. The zero-trust-based power internet of things security protection method according to claim 1 or 4, characterized in that: an identity can access an application system, data or interface only if it has been granted the corresponding authority; otherwise, access is denied.
8. The zero-trust-based power internet of things security protection method according to claim 4, characterized in that: for class B or class C application systems, interfaces or data, no firewall security equipment needs to be deployed, and once the access subject has obtained access authority through identity authentication it can access the object directly, without ACL verification.
9. The zero-trust-based power internet of things security protection method according to claim 1, characterized in that: the method further comprises authority management, wherein authority is assigned on the basis of identity, and an identity library, an authority library and an authority-identity mapping relation library are established.
10. The zero-trust-based power internet of things security protection method according to claim 1, characterized in that: the method further comprises a trust library, wherein a continuous security evaluation result is generated in combination with environmental factors to form the trust library; the identity of the access subject is adjusted according to the continuous security evaluation result and its access authority is modified accordingly.
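As an added illustration (not the patent's own code), a minimal policy decision point in Python that models claims 4 and 7 to 10 together: the identity, authority and authority-identity mapping libraries, the class A/B/C split with an ACL check only for class A objects, and a trust library whose continuous-evaluation score gates access. All identities, grants, scores and per-class trust floors are constructed assumptions.

```python
# Added example modelling the claims' decision flow; not the patent's code.
# Identity, authority and authority-identity mapping libraries (claim 9),
# class A/B/C objects with an ACL check only for class A (claims 4, 8), and
# a trust library fed by continuous evaluation (claim 10). All sample
# entries, names and thresholds below are constructed assumptions.
from dataclasses import dataclass, field


@dataclass
class AccessObject:
    name: str
    cls: str                               # "A", "B" or "C" (claim 4)
    acl: set = field(default_factory=set)  # firewall ACL, consulted for class A only


# Identity library: identity -> whether its certificate was verified (claims 5, 6)
IDENTITY_LIB = {"meter-0001": True, "vendor-li": True, "meter-0002": False}
# Authority library: named authority -> set of (object, action) grants
AUTHORITY_LIB = {"read-load-data": {("load-data", "read")},
                 "ops-scada": {("scada", "read"), ("scada", "write")}}
# Authority-identity mapping library: identity -> authorities held
MAPPING_LIB = {"meter-0001": {"read-load-data"}, "vendor-li": {"ops-scada"}}
# Trust library: latest continuous-evaluation score per identity, in [0, 1]
TRUST_LIB = {}
TRUST_FLOOR = {"A": 0.8, "B": 0.5, "C": 0.2}   # assumed minimum trust per class


def update_trust(identity, score, env_risk=0.0):
    """Record a continuous-evaluation result, reduced by an environmental risk term."""
    TRUST_LIB[identity] = max(0.0, min(1.0, score - env_risk))
    return TRUST_LIB[identity]


def granted(identity):
    """Effective (object, action) grants of an identity via the mapping library."""
    grants = set()
    for authority in MAPPING_LIB.get(identity, ()):
        grants |= AUTHORITY_LIB.get(authority, set())
    return grants


def decide(identity, obj, action):
    """Return (allowed, reason) for one access request, checked in claim order."""
    if not IDENTITY_LIB.get(identity, False):
        return False, "identity not authenticated"
    if (obj.name, action) not in granted(identity):
        return False, "no authority for this object"           # claim 7
    if TRUST_LIB.get(identity, 0.0) < TRUST_FLOOR[obj.cls]:
        return False, "trust below floor for class " + obj.cls  # claim 10
    if obj.cls == "A" and identity not in obj.acl:
        return False, "class A ACL check failed"                # claims 4, 8
    return True, "allow"
```

A lowered evaluation score takes effect on the very next request, which is the point of keeping the trust library separate from the static authority mapping.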
CN202011418437.9A 2020-12-07 2020-12-07 Electric power Internet of things safety protection method based on zero trust Pending CN112507317A (en)


Publications (1)

Publication Number Publication Date
CN112507317A true CN112507317A (en) 2021-03-16

Family

ID=74970933




Legal Events

Code Description
PB01 Publication; application publication date: 20210316
WD01 Invention patent application deemed withdrawn after publication