CN114844766A - Method and device for building industrial information security guarantee system - Google Patents

Info

Publication number: CN114844766A
Authority: CN (China)
Application number: CN202210309247.6A
Other languages: Chinese (zh)
Other versions: CN114844766B (en)
Prior art keywords: determining, target area, communication data, risk parameter, risk
Legal status: Granted (Active)
Inventors: 周星, 赵重浩, 刘茂林, 龚亮华
Original applicant and current assignee: Fengtai Technology Beijing Co ltd
Events: application filed by Fengtai Technology Beijing Co ltd; priority to CN202210309247.6A; publication of CN114844766A; application granted; publication of CN114844766B

Classifications

    • H04L41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • H04L41/0609 Management of faults, events, alarms or notifications using filtering, e.g. reduction of information by using priority, element types, position or time, based on severity or priority
    • H04L41/0618 Management of faults, events, alarms or notifications using filtering, e.g. reduction of information by using priority, element types, position or time, based on the physical or logical position
    • G06Q10/0635 Risk analysis of enterprise or organisation activities
    • G06Q10/20 Administration of product repair or maintenance
    • G06Q50/40 Business processes related to the transportation industry
    • Y02P90/02 Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]


Abstract

The application provides a method and a device for building an industrial information security guarantee system, wherein the method comprises the following steps: determining a target area, acquiring M alarm events of the target area, and acquiring M groups of communication data corresponding to the M alarm events, wherein the target area comprises at least one industrial control device; acquiring a device type corresponding to each industrial control device; determining key equipment in the target area and the weight of the importance of the key equipment according to the equipment type of each industrial control equipment; determining the number of times that the M groups of communication data are accessed; determining a risk parameter of the target area according to the accessed times of the M groups of communication data, the M alarm events and the weight of the importance of the key equipment in the target area, and judging whether the risk parameter meets a preset condition; and when the risk parameter does not meet the preset condition, determining information related to the target area based on the risk parameter. The method can improve the monitoring efficiency of industrial control equipment and improve the safety of an industrial production system.

Description

Method and device for building industrial information security guarantee system
Technical Field
The present application relates to the field of industrial control network security technologies, and in particular, to a method and an apparatus for building an industrial information security system.
Background
As internet technology has matured, science and technology in general have developed rapidly. Applying internet technology in the field of industrial control network security makes the operation and production of industrial control equipment more intelligent. Problems may occur during the production and operation of industrial control equipment, such as an operation failure of the equipment, a parameter of a certain production link exceeding a threshold value, excessive toxic and harmful gas in the production process, or an attack on the equipment by viruses (such as trojans). To resolve such problems effectively and keep the production and operation process unaffected, an alarm event for the corresponding production accident needs to be generated in time and fed back to operation and maintenance personnel, who can then formulate a corresponding emergency scheme according to the received alarm event and thereby avoid industrial production accidents.
In one possible scenario, the alarm event of the production accident may be based on the collected operation data of the industrial control device, with the operation data being matched against a corresponding preset condition. The types of data generated during operation may vary from one industrial control device to another. For example, when the industrial control device is a security device (e.g., a firewall, an isolation gateway, etc.) or a network device (e.g., a router, a firewall, a Virtual Private Network (VPN)), the industrial control data may be collected based on the Simple Network Management Protocol (SNMP); when the industrial control equipment is an industrial control host (such as Windows XP, Windows 7 and Windows Server 2000), industrial control data can be collected by installing a collector. Different data types have different corresponding preset conditions. When the operation data of the industrial control equipment does not match the corresponding preset condition, the corresponding alarm event is generated and reported to the operation and maintenance personnel, so that the personnel responsible for that equipment can make a corresponding maintenance strategy in time according to the alarm event, the safety of each industrial control device during industrial production is guaranteed, and a safe and stable operating system is provided for industrial production.
In the above process, the generated alarm event may be only associated with the industrial control device that directly generated the alarm event. In the field of actual industrial control network security, different industrial control devices are in communication connection through the internet, and the different industrial control devices have relevance, so that the number of the industrial control devices related to one alarm event may be more than one. In addition, when the operation and maintenance personnel troubleshoot the industrial control equipment according to the alarm information, the operation and maintenance personnel may need to know the historical data, the operating conditions and other related parameters of various industrial control equipment, and a single alarm event is not enough to feed back the historical data, the operating conditions and other parameters of the industrial control equipment.
Therefore, how to quickly and effectively push the production accident of the industrial control equipment to the operation and maintenance personnel, improve the troubleshooting and fault solving efficiency of the industrial control equipment, establish a safe industrial production system and a safe production environment becomes a problem which needs to be solved urgently.
Disclosure of Invention
The method further calculates a risk coefficient for the target area on the basis of the alarm events acquired in that area, and sends the information related to the target area to the corresponding operation and maintenance personnel when the risk coefficient does not meet a preset condition. This improves the monitoring efficiency of the industrial control equipment in the target area, effectively reduces the workload of the operation and maintenance personnel and improves their working efficiency, realizes the safe operation and transmission of each item of data in the industrial production process, and completes the production safety system of the industrial control equipment.
In a first aspect, a method for building an industrial information security system is provided, which is characterized by comprising: determining a target area from a plurality of areas, acquiring M alarm events of the target area, and acquiring M groups of communication data corresponding to the M alarm events in the process of transmission, wherein the target area comprises at least one industrial control device, and M is an integer greater than or equal to 1; acquiring a device type corresponding to each industrial control device, wherein the device types comprise key devices, core devices, important devices and common devices; determining key equipment in the target area and the weight of the importance of the key equipment according to the equipment type of each industrial control equipment; determining the accessed times of the M groups of communication data according to the M groups of communication data; determining a risk parameter of the target area according to the accessed times of the M groups of communication data, the M alarm events and the weight of the importance of the key equipment, and judging whether the risk parameter meets a preset condition; and when the risk parameter does not meet the preset condition, determining information related to the target area based on the risk parameter.
According to the technical scheme, when a single alarm event is generated and is not enough to be used for judging fault information of industrial control equipment, a method for building an industrial information safety guarantee system is provided, on the premise that the alarm event of a target area is obtained, corresponding communication data in the process of transmitting the alarm event are obtained, on the basis, key equipment in the target area, the importance weight of the key equipment and the access frequency of the communication data are further determined, risk parameters in the target area are calculated through the parameters, the risk parameters are compared with corresponding preset conditions, and information related to the target area is further calculated under the condition that the preset conditions are not met. According to the process, the risk parameters of the target area are dynamically calculated, the associated information of the target area is calculated according to the risk parameters, operation and maintenance personnel can quickly and detailedly know the fault information in the target area, meanwhile, a more perfect solution can be made according to the fault information, the workload of the operation and maintenance personnel is reduced, the safety monitoring efficiency of industrial control equipment in the target area is effectively improved, a good foundation is provided for maintaining and perfecting a safety system of industrial production, and the safety transmission of data information in the industrial production process is guaranteed.
With reference to the first aspect, in some possible implementations, determining the risk parameter of the target area according to the number of times the M sets of communication data are accessed, the M alarm events, and the weight of the importance of the key device in the target area includes: determining the product of the number of times the M sets of communication data were accessed, the M alarm events, and the weight of the importance of the key device in the target area as the propagation risk parameter; acquiring the danger level of each of the M alarm events, and determining the proportion coefficient of the alarm events corresponding to each danger level relative to the M alarm events; determining the product of that proportion coefficient, the weight of the operation risk level of the target area and the propagation risk parameter as the safety risk parameter; and determining the sum of the propagation risk parameter and the safety risk parameter, then determining the product of that sum, the weight of the operation risk level of the target area and the M alarm events as the hazard risk parameter.
With reference to the first aspect and the foregoing implementation manners, in some possible implementation manners, determining a proportion coefficient of the alarm event corresponding to each risk level to the M alarm events includes: acquiring an alarm event corresponding to each danger level and the weight of each danger level; determining the ratio of the alarm event corresponding to each danger level to the M alarm events; and determining the product of the ratio and the weight of each danger level as a ratio coefficient of the alarm event corresponding to each danger level to the M alarm events.
With reference to the first aspect and the foregoing implementation manners, in some possible implementation manners, when the risk parameter does not satisfy the preset condition, determining information related to the target area based on the risk parameter includes: determining that the risk parameter does not satisfy the preset condition when the propagation risk parameter is greater than a first threshold, and/or when the safety risk parameter is greater than a second threshold, and/or when the hazard risk parameter is greater than a third threshold; determining the operation condition of the key equipment in the target area, the occurrence frequency of each alarm event in a preset period and the historical data of each alarm event in the preset period.
In the above process, when the risk parameter does not meet the preset condition, the parameters associated with the target area are calculated further, such as the operating conditions of the key devices within the target area, the impact of each of the M alarm events, the frequency of occurrence of each alarm event within a certain period, and the historical data of each alarm event within that period. From the influence of each alarm event, its hazard range can be effectively determined; by analyzing the historical data corresponding to each alarm event, the fluctuation and trend of the data behind each alarm event can be determined; and from that trend the origin of each alarm event can be traced, so that the fault position is located accurately, the efficiency of determining the fault is improved, and the influence of an industrial control equipment fault on the surrounding environment is greatly reduced.
With reference to the first aspect and the foregoing implementation manners, in some possible implementation manners, determining the number of times the M groups of communication data are accessed according to the M groups of communication data includes: determining the quintuple (five-tuple) information corresponding to each group of communication data in the M groups; determining the number of times each group of communication data was accessed based on its quintuple information; and determining the sum of the number of times each group was accessed as the number of times the M groups of communication data were accessed.
With reference to the first aspect and the foregoing implementation manners, in some possible implementation manners, determining the number of times each group of communication data is accessed based on five-tuple information corresponding to each group of communication data includes: acquiring an IP address of each of the plurality of areas; determining the IP range of each region according to the IP address of each region; and determining the accessed times of each group of communication data according to the IP range of each region and the quintuple information corresponding to each group of communication data.
With reference to the first aspect and the foregoing implementation manners, in some possible implementation manners, the method further includes: determining the operation risk level of each area according to the operation characteristics and the operation environment of each area; and determining the operation risk level of the target area and the weight of the operation risk level of the target area based on the operation risk level of each area.
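The following is an added worked example of the risk-parameter calculation and access counting described in the implementations above; it is not code from the patent or its assignee. All weights, thresholds, region IP ranges, device states and sample alarms are assumptions or constructed input, and it reads "the M alarm events" as a factor to mean the count M and sums the per-danger-level products into one safety risk value.

```python
"""Constructed example of the patent's risk-parameter calculation (not the
patentee's code). Weights, thresholds, IP ranges and events are assumptions."""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed importance weight per device type (the text names the types, not the values).
TYPE_WEIGHT = {"key": 1.0, "core": 0.8, "important": 0.6, "common": 0.3}
# Assumed weight per alarm danger level.
LEVEL_WEIGHT = {"high": 1.0, "medium": 0.5, "low": 0.2}
# Assumed first/second/third thresholds for the three risk parameters.
THRESHOLDS = {"propagation": 5.0, "safety": 10.0, "hazard": 25.0}


@dataclass
class Device:
    name: str
    dev_type: str   # key / core / important / common
    running: bool   # assumed "operation condition" of the device


@dataclass
class Alarm:
    alarm_id: str
    level: str      # high / medium / low
    flows: list     # 5-tuples (src, dst, sport, dport, proto) captured while the alarm was sent


def region_of(ip, regions):
    """Map an address to the region whose IP range contains it (None if unknown)."""
    addr = ip_address(ip)
    for name, cidr in regions.items():
        if addr in ip_network(cidr):
            return name
    return None


def access_count(flows, regions):
    """Assumption: an 'access' is a flow whose source lies inside a known region range."""
    return sum(1 for src, _dst, _sp, _dp, _proto in flows if region_of(src, regions))


def key_importance_weight(devices):
    """Assumption: the area's key-equipment weight is the highest device-type weight present."""
    return max(TYPE_WEIGHT[d.dev_type] for d in devices)


def proportion_coefficients(alarms):
    """Per danger level: (alarms at that level / M) * weight of that level."""
    m = len(alarms)
    return {lvl: (n / m) * LEVEL_WEIGHT[lvl] for lvl, n in Counter(a.level for a in alarms).items()}


def risk_parameters(alarms, devices, regions, op_risk_weight):
    m = len(alarms)
    accesses = sum(access_count(a.flows, regions) for a in alarms)
    propagation = accesses * m * key_importance_weight(devices)
    # Assumption: the per-level products are summed into a single safety risk value.
    safety = sum(c * op_risk_weight * propagation for c in proportion_coefficients(alarms).values())
    hazard = (propagation + safety) * op_risk_weight * m
    return {"propagation": propagation, "safety": safety, "hazard": hazard}


def violated_thresholds(params):
    """Any parameter above its threshold means the preset condition is not met."""
    return [k for k, v in params.items() if v > THRESHOLDS[k]]


def related_information(alarms, devices, history):
    """Gathered once the preset condition fails: key-device state and per-alarm
    occurrence frequency over a (constructed) history window of alarm ids."""
    freq = Counter(history)
    return {
        "key_devices": {d.name: d.running for d in devices if d.dev_type == "key"},
        "occurrence_in_period": {a.alarm_id: freq[a.alarm_id] for a in alarms},
    }


def run_example():
    regions = {"area_a": "10.1.0.0/16", "area_b": "10.2.0.0/16"}   # constructed
    devices = [Device("PLC-1", "key", True), Device("HMI-1", "core", True),
               Device("Printer-1", "common", False)]
    alarms = [  # constructed: target area is area_a; 192.0.2.9 belongs to no region
        Alarm("A1", "high", [("10.2.0.5", "10.1.0.10", 50000, 502, "tcp"),
                             ("10.2.0.6", "10.1.0.10", 50001, 502, "tcp"),
                             ("192.0.2.9", "10.1.0.10", 4444, 502, "tcp")]),
        Alarm("A2", "medium", [("10.1.0.20", "10.1.0.10", 40000, 44818, "tcp")]),
        Alarm("A3", "low", []),
    ]
    params = risk_parameters(alarms, devices, regions, op_risk_weight=0.8)
    violations = violated_thresholds(params)
    info = related_information(alarms, devices, ["A1", "A1", "A2", "A1"]) if violations else {}
    return {"params": params, "violations": violations, "info": info}


if __name__ == "__main__":
    print(run_example())
```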
In summary, the embodiment of the present application provides a method for building an industrial information security system when a single alarm event is generated and is not enough for determining fault information of an industrial control device, and the method mainly includes, on the premise of obtaining an alarm event of a target area, obtaining communication data corresponding to the process of transmitting the alarm event, further determining key devices in the target area, the importance weight of the key devices, and the access times of the communication data on the basis of obtaining the communication data corresponding to the process of transmitting the alarm event, calculating a risk parameter in the target area according to the parameters, comparing the risk parameter with a preset condition corresponding to the risk parameter, and further calculating information related to the target area when the preset condition is not satisfied. According to the process, the risk parameters of the target area are dynamically calculated, the associated information of the target area is calculated according to the risk parameters, operation and maintenance personnel can quickly and detailedly know the fault information in the target area, meanwhile, a more perfect solution can be made according to the fault information, the workload of the operation and maintenance personnel is reduced, the safety monitoring efficiency of industrial control equipment in the target area is effectively improved, a good foundation is provided for maintaining and perfecting a safety system of industrial production, and the safety transmission of data information in the industrial production process is guaranteed. 
Further, when the risk parameter does not satisfy the preset condition, the parameters associated with the target area are calculated, such as the operating conditions of the key devices within the target area, the impact of each of the M alarm events, the frequency of occurrence of each alarm event within a certain period, and the historical data of each alarm event within that period. From the influence of each alarm event its hazard range can be effectively determined; by analyzing the historical data corresponding to each alarm event, the fluctuation and trend of that data can be determined; and from the trend the origin of each alarm event can be traced, so that the fault position is located accurately, the efficiency of determining the fault is improved, and the influence of an industrial control equipment fault on the surrounding environment is greatly reduced.
In a second aspect, an apparatus for building an industrial information security system is provided. The apparatus comprises a first acquisition module, a second acquisition module, a first determining module, a second determining module, a processing module and a third determining module. The first acquisition module is used for determining a target area from a plurality of areas, acquiring M alarm events of the target area and acquiring M groups of communication data corresponding to the process of transmitting the M alarm events, where the target area comprises at least one industrial control device and M is an integer greater than or equal to 1; the second acquisition module is used for acquiring the equipment type corresponding to each industrial control device, where the equipment types comprise key equipment, core equipment, important equipment and common equipment; the first determining module is used for determining the key equipment in the target area and the weight of the importance of the key equipment according to the equipment type of each industrial control device; the second determining module is used for determining the accessed times of the M groups of communication data according to the M groups of communication data; the processing module is used for determining a risk parameter of the target area according to the accessed times of the M groups of communication data, the M alarm events and the weight of the importance of the key equipment, and judging whether the risk parameter meets a preset condition; and the third determining module is used for determining the information related to the target area based on the risk parameter when the risk parameter does not meet the preset condition.
With reference to the second aspect, in some possible implementations, the risk parameter includes a propagation risk parameter, a security risk parameter, and a hazard risk parameter, and the first processing module is specifically configured to: determining a product of the number of times the M sets of communication data were accessed, the M alarm events, and a weight of importance of the key device in the target area as the propagation risk parameter; acquiring the danger level of each alarm event in the M alarm events, and determining the proportion coefficient of the alarm event corresponding to each danger level to the M alarm events; determining the product of the proportion coefficient of the alarm event corresponding to each danger level in the M alarm events, the weight of the operation risk level of the target area and the propagation risk parameter as the safety risk parameter; determining the sum of the propagation risk parameter and the safety risk parameter, and determining the product of the sum of the propagation risk parameter and the safety risk parameter, the weight of the operation risk level of the target area and the M alarm events as the hazard risk parameter.
With reference to the second aspect and the foregoing implementation manners, in some possible implementation manners, the first processing module is further configured to: acquiring an alarm event corresponding to each danger level and the weight of each danger level; determining the ratio of the alarm event corresponding to each danger level to the M alarm events; and determining the product of the ratio and the weight of each danger level as the ratio coefficient of the alarm event corresponding to each danger level to the M alarm events.
With reference to the second aspect and the foregoing implementation manners, in some possible implementation manners, the third determining module is specifically configured to: determining that the risk parameter does not satisfy the preset condition when the propagation risk parameter is greater than a first threshold, and/or when the safety risk parameter is greater than a second threshold, and/or when the hazard risk parameter is greater than a third threshold; determining the operation condition of the key equipment in the target area, the occurrence frequency of each alarm event in a preset period and the historical data of each alarm event in the preset period.
With reference to the second aspect and the foregoing implementation manners, in some possible implementation manners, the second determining module is specifically configured to: determining quintuple information corresponding to each group of communication data according to each group of communication data in the M groups of communication data; determining the accessed times of each group of communication data based on the quintuple information corresponding to each group of communication data; determining the sum of the number of times each of the sets of communication data was accessed as the number of times the M sets of communication data were accessed.
With reference to the second aspect and the foregoing implementations, in some possible implementations, the second determining module is further configured to: acquiring an IP address of each of the plurality of areas; determining the IP range of each region according to the IP address of each region; and determining the accessed times of each group of communication data according to the IP range of each region and the quintuple information corresponding to each group of communication data.
With reference to the second aspect and the foregoing implementation manners, in some possible implementation manners, the apparatus further includes: the fourth determining module is used for determining the operation risk level of each area according to the operation characteristics and the operation environment of each area; and determining the operation risk level of the target area and the weight of the operation risk level of the target area based on the operation risk level of each area.
In a third aspect, an electronic device is provided that includes a memory and a processor. The memory is used for storing a computer program, and the processor is used for calling and running the computer program from the memory, so that the electronic device executes the method in the first aspect or any one of the possible implementation manners of the first aspect.
In a fourth aspect, there is provided a computer program product comprising: computer program code for causing a computer to perform the method of the first aspect or any one of the possible implementations of the first aspect when the computer program code runs on the computer.
In a fifth aspect, a computer-readable storage medium is provided, which stores computer program code, which, when run on a computer, causes the computer to perform the method of the first aspect or any one of the possible implementation manners of the first aspect.
Drawings
FIG. 1 is a schematic flow chart of a method for building an industrial information security and safety system according to an embodiment of the present disclosure;
FIG. 2 is a schematic diagram of a scenario for determining communication data according to an alarm event according to an embodiment of the present application;
FIG. 3 is a schematic structural diagram of an apparatus for building an industrial information security system according to an embodiment of the present application;
FIG. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The technical solution of the present application will be described in detail and clearly with reference to the accompanying drawings. In the description of the embodiments of the present application, "/" denotes "or"; for example, A/B may denote A or B. "And/or" in the text only describes an association relationship between associated objects and means that three relationships may exist; for example, "A and/or B" may mean A alone, both A and B, or B alone. In addition, "a plurality" means two or more in the description of the embodiments of the present application.
In the following, the terms "first" and "second" are used for descriptive purposes only and are not to be understood as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include one or more of that feature.
Fig. 1 is a schematic flowchart of a method for building an industrial information security and safety system according to an embodiment of the present application.
101, determining a target area from a plurality of areas, acquiring M alarm events of the target area, and acquiring M groups of communication data corresponding to the M alarm events in the process of transmission, wherein the target area comprises at least one industrial control device, and M is an integer greater than or equal to 1.
It should be understood that, during production operation, the operation area of the industrial control equipment may be divided into a plurality of different areas according to the operation type, the operation environment or the maintenance requirement, and each area includes at least one industrial control device. When a certain area among the plurality of areas needs to be monitored, that area can be regarded as the target area, and the alarm events of the target area first need to be acquired.
Specifically, the step of obtaining the alarm events of the target area may be summarized as follows: first, the current data of each industrial control device among the at least one industrial control device in the target area is collected; then a preset condition corresponding to the current data of each industrial control device is determined according to the specific type of that data; whether the current data of each industrial control device matches the corresponding preset condition is judged; and if the current data of a certain industrial control device does not match the corresponding preset condition, an alarm event corresponding to the data type of that industrial control device is generated.
The attributes of the industrial control equipment may include an industrial control host, a network device, a security device, a control device, a sensor, and the like, and based on the industrial control equipment with different attributes, the corresponding data types and the data acquisition modes are also different.
For example, for a Programmable Logic Controller (PLC), a Distributed Control System (DCS) and a Remote Terminal Unit (RTU), the data of the industrial control device may be collected based on the Recommended Standard 485 (RS-485) interface, the OLE for Process Control (OPC) protocol and the Modbus protocol; for the sensor class (such as temperature sensors, pressure sensors, speed sensors and gas sensors), the data of the industrial control equipment can be collected via a field bus. The data type and the data acquisition mode of each industrial control device are described in detail in Table 1 according to the attribute of the device.
Table 1 shows data types and data acquisition modes corresponding to industrial control equipment with different attributes
Based on the acquisition modes corresponding to industrial control devices with different attributes, the data of at least one industrial control device in the target area can be acquired. After the data are acquired, they first need to be preprocessed, and the preprocessing specifically comprises: associating the data with the corresponding industrial control equipment, accurately establishing the correspondence between each kind of data and the corresponding industrial control equipment, and storing the correspondence to facilitate subsequent data processing. When data of each type of industrial control equipment are acquired simultaneously, the same data may be acquired repeatedly; if duplicate data exist in the acquired data, the duplicates need to be removed.
Further, according to the type of each group of data in the at least one group of data, a preset rule corresponding to each group of data is determined. For example, for data such as the operating state, network connection and network service of the industrial control host, feature metadata can be extracted according to a built-in rule base and matched against the built-in rules, and the matching result determines whether alarm events such as Trojan infection of the host, abnormal behaviour or network attacks exist; for data such as temperature, pressure and gas measured by sensors, comparison with a preset threshold determines whether an alarm event such as a harmful gas concentration exceeding the threshold exists in the production field.
Through the judgment and comparison process, different types of alarm events can be generated in the target area, wherein the total number of the alarm events is M, and M is an integer greater than or equal to 1.
Based on the M alarm events, the communication data in the process of transmitting each alarm event in the M alarm events can be determined, wherein the alarm events and the communication data have one-to-one relationship, that is, according to the M alarm events, M groups of communication data can be determined.
And 102, acquiring a device type corresponding to each industrial control device, wherein the device types comprise key devices, core devices, important devices and common devices.
It should be understood that at least one industrial control device may be included in a target area. And before monitoring, the type of each industrial control device is preset in advance, that is, the device type may be identified in advance according to the type of the device before the device is used. The types of the devices can be mainly classified into key devices, core devices, important devices and common devices.
Optionally, for the industrial control equipment, the types of the industrial control equipment may be classified in advance according to the influence that the operation type corresponding to the equipment may have on the target area.
Optionally, the types of the industrial control devices may be divided according to the degree of influence on the production of the target area and the cost, safety, quality and the like of the production operation and the size of the loss when the industrial control devices are in failure and maintained, and the specific dividing manner of the types of the industrial control devices is not specifically limited in the embodiment of the present application.
103, determining the key equipment in the target area and the weight of the importance of the key equipment according to the equipment type of each industrial control equipment.
It should be understood that critical devices generally include switches, control devices, operator station hosts, etc., and that a zone includes at least one critical device, which is essential in a zone because it plays an important role in the production of each zone. Meanwhile, each type of equipment is preset with a weight value for measuring the importance index of each type of equipment.
In 102, the device type of each industrial control device in the target area is obtained in advance, and on the basis, the key devices and the weights of the key devices in the target area can be further determined.
And 104, determining the accessed times of the M groups of communication data according to the M groups of communication data.
In 101, M groups of communication data in the process of transmitting M alarm events are obtained through M alarm events, and further, the number of times of accessing the M groups of communication data needs to be determined, so as to dynamically calculate the risk parameter of the target area.
Specifically, when the number of times of accessing the M groups of communication data is determined according to the M groups of communication data, the method may include the following steps:
(1) determining quintuple information corresponding to each group of communication data according to each group of communication data in the M groups of communication data;
(2) determining the accessed times of each group of communication data based on the quintuple information corresponding to each group of communication data;
(3) the sum of the number of times each set of communication data was accessed is determined as the number of times M sets of communication data were accessed.
It should be understood that in the process of data communication between devices, each group of communication data corresponds to a group of five-tuple information, and the five-tuple information comprises a source IP address, a destination IP address, a source port, a destination port and a transport layer protocol.
When determining the number of times each group of communication data is accessed based on the quintuple information corresponding to each group of communication data, the method may include the following steps:
(1) acquiring an IP address of each of a plurality of areas;
(2) determining the IP range of each region according to the IP address of each region;
(3) and determining the accessed times of each group of communication data according to the IP range of each region and the quintuple information corresponding to each group of communication data.
It should be understood that, in the process of safety production of the industrial control device, the total production area may include a plurality of IP addresses, the total production area may be divided into a plurality of areas in advance according to the plurality of IP addresses, each of the plurality of areas corresponds to a unique IP address, and meanwhile, according to each IP address, an IP range of each area may be obtained through simple calculation.
It should also be understood that for each set of communication data, the source IP address must be within the IP range of the target zone, but the destination IP address may not be within the IP range of the target zone. Therefore, when calculating M sets of communication data, it is necessary to determine the number of times each set of communication data is accessed based on the quintuple information of each set of communication data in combination with the IP range of each area, not only based on the IP range of the target area. Furthermore, the accessed times of each group of communication data are summed, and the accessed times of the M groups of communication data can be obtained.
When the source IP address and the destination IP address of the communication data are in the IP range of the same area, that is, both are in the IP range of the target area, the communication may be regarded as "non-cross-domain communication", and conversely, when the source IP address and the destination IP address of the communication data are not in the IP range of the same area, that is, the source IP address of the communication data is in the IP range of the target area, and the destination IP address is not in the IP range of the target area, the communication may be regarded as "cross-domain communication".
It should be understood that cross-domain communication is generally possible with data that needs to be communicated via a network connection, and for industrial control devices such as sensors, the collected data is originated from production equipment of an entity, and cross-domain communication is not possible.
It should also be appreciated that, whether the communication is non-cross-domain or cross-domain, the number of times the communication data is accessed is calculated in the same manner. Generally, each area has key equipment and communication can be completed within the area, while cross-domain communication is usually not allowed, so the probability of generating safety alarm information is higher for cross-domain communication than for non-cross-domain communication.
Fig. 2 is a scene diagram illustrating a determination of communication data according to an alarm event according to an embodiment of the present application.
Illustratively, as shown in fig. 2, the target area currently being monitored is an area 201, where the IP address of the area 201 is: 192.168.1.0/24, and the IP range of the area 201 is obtained according to calculation: 192.168.1.1-192.168.1.254, the area 201 includes a temperature sensor 202, a router 203 and an industrial control host 204, the temperature sensor 202 is connected to the production equipment in the area 201 and is configured to collect temperature data of the production equipment (for example, the heating temperature of the heating furnace), and if the temperature range of the heating furnace is 700 ℃ -900 ℃ during heating, a target temperature (i.e., a temperature threshold) can be preset to 900 ℃ according to the temperature range. During the operation of the heating furnace, the temperature value of the temperature sensor 202 is received in real time or at regular time and compared with the corresponding preset condition (i.e. temperature threshold). When a value of 950 ℃ is received from the temperature sensor 202 at a certain time, the result of comparison with the temperature threshold of the temperature sensor 202 indicates that the temperature threshold has been exceeded, and an alarm event with an excessively high temperature may be generated, and the alarm event may be regarded as "alarm event 1". 
In addition, data information such as a production running state, a user operation behavior, a network connection, a network service and the like reported by the industrial control host 204 and data information such as a memory and a throughput of the router 203 can be received, when the data information from the industrial control host 204 is received, the data information is compared with the corresponding preset condition by presetting the preset condition related to the industrial control host 204 and the preset condition (for example, a memory threshold) related to the router 203, specifically, feature metadata is extracted based on the reported data information such as the production running state, the network connection, the user operation behavior, the network service and the like, and the matching is performed based on the feature metadata and the preset condition. Similarly, data information from router 203 may be compared to preset conditions. At a certain moment, the industrial control host 204 is judged to be infected by the Trojan horse virus according to the comparison between the data of the industrial control host 204 and the corresponding preset conditions, at this moment, an alarm event that the industrial control host 204 corresponding to the judgment result is attacked by the virus can be generated, and the alarm event is regarded as an alarm event 2.
From alarm event 1, a group of communication data that transmitted alarm event 1 can be determined, defined as "communication data A". As can be understood from the foregoing description, the communication mode corresponding to the communication data A is non-cross-domain access, which is not described in detail here. According to the alarm event 2 related to the industrial control host 204, a corresponding group of communication data is determined, defined as "communication data B". As shown in fig. 2, the industrial control host 204 is connected to the router 203, and the area 205 includes a router 206 and an industrial control host 207. The industrial control host 204 can communicate with the industrial control host 207 through the router 203 and the router 206. The IP address of the area 205 is 192.168.2.0/24, and the IP range of the area 205 is calculated as 192.168.2.1-192.168.2.254. Suppose that parsing the quintuple information of the communication data B yields a source IP address of 192.168.1.1 and a destination IP address of 192.168.2.1. Therefore, in the process of transmitting the alarm event 2, the destination IP address of the communication data B falls within the IP range of the area 205, so that for the communication data B the source IP address and the destination IP address belong to different areas and the communication mode of the communication data B is cross-domain communication. The sum of the accessed times of the two groups of communication data is obtained by determining the accessed times of the communication data A in the area 201 and the accessed times of the communication data B between the area 201 and the area 205.
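The access-counting procedure of step 104 and the fig. 2 scenario above, as an added Python example that is not part of the patent: it derives each area's IP range from its network address, classifies each five-tuple as non-cross-domain or cross-domain relative to the target area, and sums the accessed times over the M groups. The sensor's address, the ports and the protocol are constructed values, and treating a record whose destination lies in no known area as "unknown" rather than as an access is an assumption of this example.

```python
"""Added example (not the patent's code): accessed-times determination of step 104."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Area -> network address, as in fig. 2 (area 201 = 192.168.1.0/24, area 205 = 192.168.2.0/24).
AREAS: Dict[str, IPv4Network] = {
    "area_201": ip_network("192.168.1.0/24"),
    "area_205": ip_network("192.168.2.0/24"),
}


@dataclass(frozen=True)
class FiveTuple:
    """Quintuple information of one communication record."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str


def ip_range(net: IPv4Network) -> Tuple[str, str]:
    """IP range of an area, e.g. 192.168.1.1-192.168.1.254 for 192.168.1.0/24."""
    hosts = list(net.hosts())
    return str(hosts[0]), str(hosts[-1])


def area_of(ip: str) -> Optional[str]:
    """Name of the area whose IP range contains ip, or None if no area matches."""
    addr = ip_address(ip)
    for name, net in AREAS.items():
        if addr in net:
            return name
    return None


def communication_mode(ft: FiveTuple, target: str) -> str:
    """'non-cross-domain' when source and destination are both in the target area,
    'cross-domain' when the source is in the target area and the destination is not.
    The text requires the source to be inside the target area, so anything else is an error."""
    if area_of(ft.src_ip) != target:
        raise ValueError(f"source {ft.src_ip} is not in target area {target}")
    return "non-cross-domain" if area_of(ft.dst_ip) == target else "cross-domain"


def count_accesses(group: List[FiveTuple], target: str) -> Dict[str, int]:
    """Accessed times of one group of communication data, split by communication mode.
    Assumption (not stated in the patent): a record whose destination is in no known
    area range is reported under 'unknown' and not counted as an access."""
    counts = {"non-cross-domain": 0, "cross-domain": 0, "unknown": 0}
    for ft in group:
        if area_of(ft.dst_ip) is None:
            counts["unknown"] += 1
            continue
        counts[communication_mode(ft, target)] += 1
    return counts


def total_accessed_times(groups: List[List[FiveTuple]], target: str) -> int:
    """Step (3): the sum of the accessed times of all M groups of communication data."""
    return sum(
        c["non-cross-domain"] + c["cross-domain"]
        for c in (count_accesses(g, target) for g in groups)
    )


# Constructed sample matching the fig. 2 figures: communication data A (temperature sensor,
# constructed address 192.168.1.10, to host 204 at 192.168.1.1; 20 accesses inside area 201)
# and communication data B (host 204 to host 207 at 192.168.2.1; 40 cross-domain accesses).
COMM_A = [FiveTuple("192.168.1.10", "192.168.1.1", 40000 + i, 502, "tcp") for i in range(20)]
COMM_B = [FiveTuple("192.168.1.1", "192.168.2.1", 50000 + i, 102, "tcp") for i in range(40)]

if __name__ == "__main__":
    print("area 201 range:", ip_range(AREAS["area_201"]))
    print("A:", count_accesses(COMM_A, "area_201"))
    print("B:", count_accesses(COMM_B, "area_201"))
    print("total accessed times:", total_accessed_times([COMM_A, COMM_B], "area_201"))
```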
And 105, determining a risk parameter of the target area according to the accessed times of the M groups of communication data, the M alarm events and the weight of the importance of the key equipment in the target area, and judging whether the risk parameter meets a preset condition.
It will be appreciated that critical equipment plays a crucial role in the production run of a region compared to other types of equipment. Thus, the risk parameter for an area may be calculated based on the weight of the importance of the critical device, in combination with the number of times the communication data is accessed, the total number of area alarm events. Wherein, regional risk parameter includes three parameter index, is respectively: a propagation risk parameter, a safety risk parameter, and a hazard risk parameter. Specifically, in the process of calculating the propagation risk parameter, the safety risk parameter and the hazard risk parameter, the following steps may be performed:
(1) determining the product of the accessed times of the M groups of communication data, the M alarm events and the weight of the importance of the key equipment in the target area as a propagation risk parameter;
(2) acquiring the danger level of each alarm event in the M alarm events, and determining the proportion coefficient of the alarm event corresponding to each danger level in the M alarm events;
(3) determining the product of the proportion coefficient of the alarm event corresponding to each danger level in M alarm events, the weight of the operation risk level of the target area and the propagation risk parameter as a safety risk parameter;
(4) and determining the sum of the propagation risk parameter and the safety risk parameter, and determining the product of the sum of the propagation risk parameter and the safety risk parameter, the weight of the operation risk level of the target area and the M alarm events as the hazard risk parameter.
For example, as shown in fig. 2, it is assumed that the number of times the communication data A is accessed in the area 201 is 20, the number of times the communication data B is accessed between the area 201 and the area 205 is 40, the total number of alarm events in the area 201 is 2, the key device in the area 201 is the industrial control host 204, and the weight of the importance of the industrial control host is 0.5. The propagation risk parameter of the area 201 can then be calculated as (number of times the communication data A is accessed + number of times the communication data B is accessed) × total number of alarm events × weight of the importance of the key device = (20 + 40) × 2 × 0.5 = 60.
Based on the propagation risk parameter, a security risk parameter may be further calculated, which may be specifically calculated by equation (1):
Safety risk parameter = propagation risk parameter × weight of the operation risk level of the region × threshold alarm event proportion coefficient × high-risk alarm event proportion coefficient × dangerous alarm event proportion coefficient    formula (1)
The detailed explanation of formula (1) is as follows. The operation risk level of a region is divided in advance according to factors such as the operation intensity, the operation difficulty and the operation environment of the region, and plays an important role in the safety risk of the region; it can be divided into a high operation risk level, a medium operation risk level and a low operation risk level. For example, if the operation types in a region include relatively dangerous operation processes such as high temperature, high pressure, flammable, explosive or downhole operations, the operation risk level of the region is a high operation risk level; if the operation types in a region, such as centralized metering and transportation, carry relatively low risk, the operation risk level of the region is a low operation risk level. Each operation risk level corresponds to a unique weight value.
Specifically, the obtaining of the operation risk level of the target area may be divided into the following steps:
(1) determining the operation risk level of each area according to the operation characteristics and the operation environment of each area;
(2) and determining the operation risk level of the target area and the weight of the operation risk level of the target area based on the operation risk level of each area.
It should be understood that the alarm data type corresponding to a threshold alarm event is a numerical value, so the judgment of such an alarm event is relatively simple and only requires comparison with a preset threshold; alarm events can therefore be divided into threshold alarm events and other alarm events. Threshold alarm events can be further divided, according to the importance and the degree of influence of the data in the working environment, into threshold high-risk alarm events and threshold dangerous alarm events; other types of alarm events can be classified, according to their degree of influence and importance, into very-high-risk alarm events, high-risk alarm events and dangerous alarm events. That is, all alarm event categories include threshold high-risk alarm events, threshold dangerous alarm events, high-risk alarm events and dangerous alarm events, and correspondingly the danger levels are divided into 6 types in total.
For each alarm event, its fractional coefficient in the total number of alarm events within the area may be calculated. In equation (1), the actual meaning of the fraction factor of the threshold alarm event is: the product of the fraction coefficients for each threshold alarm event.
In the embodiment of the present application, the target area corresponds to M alarm events, and each alarm event corresponds to a unique danger level; however, more than one alarm event may correspond to the same danger level. For example, the total number of alarm events in one area is 5, namely alarm event A, alarm event B, alarm event C, alarm event D and alarm event E, where the danger level of alarm event A is threshold high-risk, that of alarm event B is high-risk, that of alarm event C is very-high-risk, that of alarm event D is very-high-risk, and that of alarm event E is dangerous. It can be seen that for the very-high-risk level, the corresponding alarm events are alarm event C and alarm event D.
Each proportion coefficient in the formula (1) is a proportion coefficient of the alarm event corresponding to each danger level to M alarm events, and specifically for the alarm event corresponding to each danger level to M alarm events:
(1) acquiring an alarm event corresponding to each danger level and the weight of each danger level;
(2) determining the ratio of the alarm event corresponding to each danger level to M alarm events;
(3) and determining the product of the ratio and the weight of each danger level as a ratio coefficient of the alarm event corresponding to each danger level to M alarm events.
It should be understood that each risk level also corresponds to a weight value according to the influence generated by the risk level, and the weight value is preset according to the classification of the risk levels. For the above-mentioned obtaining of the proportion coefficient of the alarm event corresponding to each danger level in the M alarm events, the following embodiment of the present application takes the parameter "threshold alarm event proportion coefficient" as an example, and describes in detail the determination process of the proportion coefficient of the alarm event corresponding to each danger level in the M alarm events.
Illustratively, the target area corresponds to 4 alarm events, and the danger level of each alarm event is determined as follows: threshold high-risk, threshold dangerous, dangerous and high-risk. Among all the danger levels corresponding to threshold alarm events, the weight of the threshold high-risk level is 0.6 and the weight of the threshold dangerous level is 0.3; the number of alarm events at the threshold high-risk level is 1, and the number of alarm events at the threshold dangerous level is 1. Based on the above parameters, the ratio of the alarm events at the threshold high-risk level to the total alarm events is 1/4 = 0.25, and similarly the ratio of the alarm events at the threshold dangerous level to the total alarm events is 1/4 = 0.25. Based on these two ratios and the weights of the two threshold danger levels, the proportion coefficient of the alarm events at each danger level in the total alarm events can be obtained: for the threshold high-risk level it is (ratio of the alarm events at the threshold high-risk level to the total alarm events) × (weight of the threshold high-risk level) = 0.25 × 0.6 = 0.15, and likewise for the threshold dangerous level it is 0.25 × 0.3 = 0.075. Therefore, the threshold alarm event proportion coefficient, i.e. the product of the proportion coefficients of the alarm events at each threshold danger level in the total alarm events, is 0.15 × 0.075 = 0.01125.
Finally, on the basis of obtaining the propagation risk parameter and the safety risk parameter, the hazard risk parameter can be further obtained through a formula (2).
Hazard risk parameter = weight of the operation risk level of the region × total number of alarm events in the region × (propagation risk parameter + safety risk parameter)    formula (2)
Alternatively, for other types of devices within the target area, for example: the important device, the core device, may also calculate the risk parameter, and the specific manner of calculating the risk parameter is similar to the above process, and the description is not repeated here.
And 106, when the risk parameter does not meet the preset condition, determining the information related to the target area based on the risk parameter.
After calculating the risk parameters of all target areas in 105, the risk parameters of the target areas need to be further compared with preset conditions. Specifically, when comparing the risk parameters of the target area with the preset conditions, each risk parameter corresponds to one threshold, and as long as any one of the risk parameters is greater than the corresponding threshold, it can be determined that the risk parameter does not satisfy the preset conditions. Specifically, the method comprises the following steps:
when the propagation risk parameter is greater than a first threshold value, and/or when the safety risk parameter is greater than a second threshold value, and/or when the hazard risk parameter is greater than a third threshold value, determining that the risk parameter does not meet a preset condition;
determining the operation condition of key equipment in the target area, the occurrence frequency of each alarm event in a preset period and the historical data of each alarm event in the preset period.
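The three risk parameters of step 105 (formulas (1) and (2)) and the preset-condition check of step 106, as an added Python example that is not the patent's code. It reuses the page's figures (60 accessed times, key-device weight 0.5, threshold-level weights 0.6 and 0.3, and the four-event worked example); the weights of the non-threshold levels, the operation-risk weight of 0.8 and the three thresholds are constructed placeholders, and only four of the danger levels are modelled.

```python
"""Added example (not the patent's code): risk parameters of step 105 and the check of step 106."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class AlarmEvent:
    name: str
    level: str  # a key of LEVEL_WEIGHTS


# Preset weight of each danger level. 0.6 and 0.3 are the page's values for the two
# threshold levels; the weights of the other two levels are constructed placeholders.
LEVEL_WEIGHTS: Dict[str, float] = {
    "threshold_high_risk": 0.6,
    "threshold_dangerous": 0.3,
    "high_risk": 0.5,
    "dangerous": 0.2,
}
THRESHOLD_LEVELS = ("threshold_high_risk", "threshold_dangerous")
OTHER_LEVELS = ("high_risk", "dangerous")


def propagation_risk(accessed_times: int, m: int, key_device_weight: float) -> float:
    """Step (1): accessed times of the M groups x M alarm events x importance weight of key equipment."""
    return accessed_times * m * key_device_weight


def proportion_coefficient(events: List[AlarmEvent], level: str) -> float:
    """Proportion coefficient of one danger level: (events at this level / M) x weight of the level."""
    m = len(events)
    if m == 0:
        raise ValueError("M must be an integer greater than or equal to 1")
    n = sum(1 for e in events if e.level == level)
    return (n / m) * LEVEL_WEIGHTS[level]


def threshold_proportion_coefficient(events: List[AlarmEvent]) -> float:
    """'Threshold alarm event proportion coefficient' of formula (1): the product of the
    coefficients of every threshold level. Caveat: as the formula is stated, the product is
    0 as soon as one threshold level has no events, which zeroes the safety risk parameter."""
    c = 1.0
    for lvl in THRESHOLD_LEVELS:
        c *= proportion_coefficient(events, lvl)
    return c


def safety_risk(propagation: float, op_risk_weight: float, events: List[AlarmEvent]) -> float:
    """Formula (1): propagation risk x operation-risk-level weight x threshold coefficient
    x high-risk coefficient x dangerous coefficient."""
    c = threshold_proportion_coefficient(events)
    for lvl in OTHER_LEVELS:
        c *= proportion_coefficient(events, lvl)
    return propagation * op_risk_weight * c


def hazard_risk(propagation: float, safety: float, op_risk_weight: float, m: int) -> float:
    """Formula (2): operation-risk-level weight x total alarm events x (propagation + safety)."""
    return op_risk_weight * m * (propagation + safety)


def area_risk(accessed_times: int, events: List[AlarmEvent],
              key_device_weight: float, op_risk_weight: float) -> Dict[str, float]:
    """All three risk parameters of a target area with M = len(events)."""
    m = len(events)
    p = propagation_risk(accessed_times, m, key_device_weight)
    s = safety_risk(p, op_risk_weight, events)
    h = hazard_risk(p, s, op_risk_weight, m)
    return {"propagation": p, "safety": s, "hazard": h}


def check_preset_condition(risk: Dict[str, float], thresholds: Dict[str, float]) -> Dict[str, bool]:
    """Step 106: the preset condition is not met as soon as any parameter exceeds its threshold."""
    exceeded = {k: risk[k] > thresholds[k] for k in ("propagation", "safety", "hazard")}
    exceeded["meets_condition"] = not any(exceeded.values())
    return exceeded


# Constructed scenario: the four alarm events of the page's worked example, one at each
# modelled level, with 60 accessed times and key-device weight 0.5 from fig. 2; the
# operation-risk weight 0.8 and the three thresholds are constructed placeholders.
EVENTS = [
    AlarmEvent("alarm 1", "threshold_high_risk"),
    AlarmEvent("alarm 2", "threshold_dangerous"),
    AlarmEvent("alarm 3", "dangerous"),
    AlarmEvent("alarm 4", "high_risk"),
]
THRESHOLDS = {"propagation": 100.0, "safety": 1.0, "hazard": 300.0}

if __name__ == "__main__":
    risk = area_risk(60, EVENTS, 0.5, 0.8)
    print(risk)
    print(check_preset_condition(risk, THRESHOLDS))
```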
When the risk parameter is judged not to meet the preset condition, the influence of all events in the association range of the target area needs to be calculated, namely the operation condition of key equipment in the target area, the historical data of each alarm event in a certain time period and the occurrence frequency of each alarm event in a certain time period are determined.
For example, when the risk parameter does not meet the preset condition, the current operating condition of the key equipment in the target area may be obtained, the operating data corresponding to each alarm event within a 24-hour range is obtained by taking 24 hours as a period and taking the current time as a deadline, and the up-and-down floating trend of the historical operating data is analyzed. In addition, the frequency of each alarm event within 24 hours can be counted, the probability of each alarm event possibly occurring in the future is further analyzed according to the frequency and the up-and-down floating trend of historical data, and the influence of the key event on the associated equipment is analyzed and predicted according to the current operating condition of the key equipment.
In the above process, when the risk parameter does not meet the preset condition, the parameters associated with the target area are further calculated, such as the operating conditions of the key devices within the target area and the historical data and occurrence frequency of each of the M alarm events within a preset time period. From the influence of each alarm event, the hazard range of each alarm event can be effectively determined; by analysing the historical data corresponding to each alarm event, the fluctuation trend of the data corresponding to each alarm event can be further determined; and from that trend, the source of each alarm event can be traced and the fault position accurately located. This improves the efficiency of determining the fault and greatly reduces the influence of a fault of the industrial control equipment on the surrounding environment.
Further, after the information related to the target area is determined, the information may be further forwarded to the operation and maintenance personnel in the target area.
Optionally, the information may be sent to the terminal device of the operation and maintenance personnel by sending an email, or the information may be sent to the terminal device of the operation and maintenance personnel by sending a short message, where the terminal device may be any one or more of a smart phone, a tablet, a wearable device, and a computer, and the sending method of the information, the type of the terminal device, and the number of the terminal device are not specifically limited in the embodiment of the present application.
After receiving the information related to the target area, the operation and maintenance personnel can promptly determine a troubleshooting and maintenance scheme for the target area according to the specific content of the information. Compared with the traditional troubleshooting and maintenance process, this is more efficient and accurate; it safeguards the secure operation of data in the industrial production process, improves the data security system and the industrial production system, strengthens the safety and stability of the industrial production system, and reduces production cost.
In summary, the embodiment of the present application provides a method for building an industrial information security system for the case in which a single alarm event is not enough to determine the fault information of an industrial control device. The method mainly includes: on the premise of obtaining the alarm events of a target area, obtaining the communication data corresponding to the transmission of those alarm events; on that basis, determining the key devices in the target area, the importance weight of the key devices, and the number of times the communication data was accessed; calculating a risk parameter for the target area from these parameters; comparing the risk parameter with the preset condition corresponding to it; and, when the preset condition is not satisfied, further calculating the information related to the target area. Through this process the risk parameters of the target area are calculated dynamically and the associated information of the target area is derived from them, so that operation and maintenance personnel can quickly obtain detailed fault information for the target area and devise a more complete solution from it. The workload of the operation and maintenance personnel is reduced, the efficiency of safety monitoring of the industrial control equipment in the target area is improved, a sound foundation is laid for maintaining and improving the safety system of industrial production, and the secure transmission of data in the industrial production process is guaranteed.
Further, when the risk parameter does not satisfy the preset condition, the parameters associated with the target area are calculated, such as the operating condition of the key devices in the target area, the occurrence frequency of each of the M alarm events within a preset period, and the historical data of each alarm event within that period. From the influence of each alarm event its hazard range can be determined; from the historical data of each alarm event the trend of that data can be determined; and from that trend the source of each alarm event can be traced, so that the fault location is positioned accurately, the fault is identified more efficiently, and the influence of a fault in the industrial control equipment on the surrounding environment is greatly reduced.
Fig. 3 is a schematic structural diagram of an apparatus for building an industrial information security and safety system according to an embodiment of the present application.
Illustratively, as shown in fig. 3, the apparatus 300 includes:
a first obtaining module 301, configured to determine a target area from multiple areas, obtain M alarm events of the target area, and obtain M groups of communication data corresponding to the M alarm events in a transmission process, where the target area includes at least one industrial control device, and M is an integer greater than or equal to 1;
a second obtaining module 302, configured to obtain the device type corresponding to each industrial control device, where the device types include key devices, core devices, important devices, and common devices;
a first determining module 303, configured to determine, according to the device type of each industrial control device, a key device in the target area and a weight of importance of the key device;
a second determining module 304, configured to determine, according to the M groups of communication data, the number of times the M groups of communication data are accessed;
a processing module 305, configured to determine a risk parameter of the target area according to the number of times of access to the M groups of communication data, the M alarm events, and a weight of importance of the key device in the target area, and determine whether the risk parameter meets a preset condition;
a third determining module 306, configured to determine information related to the target area based on the risk parameter when the risk parameter does not satisfy the preset condition.
In a possible implementation manner, the risk parameters include a propagation risk parameter, a safety risk parameter, and a hazard risk parameter, and the processing module 305 is specifically configured to: determine the product of the number of times the M sets of communication data were accessed, the M alarm events, and the importance weight of the key device in the target area as the propagation risk parameter; acquire the danger level of each of the M alarm events, and determine the proportion coefficient of the alarm events corresponding to each danger level among the M alarm events; determine the product of that proportion coefficient, the weight of the operation risk level of the target area, and the propagation risk parameter as the safety risk parameter; and determine the sum of the propagation risk parameter and the safety risk parameter, and determine the product of that sum, the weight of the operation risk level of the target area, and the M alarm events as the hazard risk parameter.
In a possible implementation manner, the processing module 305 is further configured to: acquire the alarm events corresponding to each danger level and the weight of each danger level; determine the ratio of the alarm events corresponding to each danger level to the M alarm events; and determine the product of that ratio and the weight of the danger level as the proportion coefficient of the alarm events corresponding to that danger level among the M alarm events.
In a possible implementation manner, the third determining module 306 is specifically configured to: determine that the risk parameter does not satisfy the preset condition when the propagation risk parameter is greater than a first threshold, and/or the safety risk parameter is greater than a second threshold, and/or the hazard risk parameter is greater than a third threshold; and determine the operating condition of the key equipment in the target area, the occurrence frequency of each alarm event within a preset period, and the historical data of each alarm event within the preset period.
In a possible implementation manner, the second determining module 304 is specifically configured to: determine the quintuple (five-tuple) information corresponding to each group of communication data in the M groups; determine the number of times each group of communication data was accessed based on its quintuple information; and determine the sum of the access counts of all groups as the number of times the M groups of communication data were accessed.
In a possible implementation manner, the second determining module 304 is further configured to: acquire the IP addresses of each of the plurality of areas; determine the IP range of each area from its IP addresses; and determine the number of times each group of communication data was accessed according to the IP range of each area and the quintuple information corresponding to that group of communication data.
Optionally, the apparatus further comprises: the fourth determining module is used for determining the operation risk level of each area according to the operation characteristics and the operation environment of each area; and determining the operation risk level of the target area and the weight of the operation risk level of the target area based on the operation risk level of each area.
It should be noted that the first obtaining module and the second obtaining module provided in the embodiment of the present application may be multiple obtaining units under the same obtaining module. Likewise, the first determining module, the second determining module, and the third determining module may all be determining units under the same determining module.
Fig. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Illustratively, as shown in fig. 4, the electronic device 400 includes: a memory 401 and a processor 402.
In one possible implementation, the memory 401 is used to store a computer program 4011, and the processor 402 is used to call and run the computer program 4011 from the memory 401 to implement the method for building the industrial information security system, for example steps 101 to 106 in fig. 1.
In this embodiment, the electronic device may be divided into functional modules according to the above method example; for example, each function may correspond to one functional module, or two or more functions may be integrated into one processing module, and the integrated module may be implemented in hardware. It should be noted that the division of modules in this embodiment is schematic and is only a division by logical function; another division may be used in an actual implementation.
When each function is assigned its own functional module, the electronic device may include a first obtaining module, a second obtaining module, a first determining module, a second determining module, a processing module, a third determining module, and the like. For the function of each module, reference may be made to the description of the corresponding step in the method embodiment above, which is not repeated here.
The electronic device provided by the embodiment is used for executing the method for building the industrial information security system, so that the same effect as that of the implementation method can be achieved.
When an integrated unit is employed, the electronic device may include a processing module and a storage module. The processing module may be used to control and manage the actions of the electronic device, and the storage module may be used to store the program code and data that the electronic device executes.
The processing module may be a processor or controller that implements or executes the various illustrative logical blocks, modules, and circuits described in connection with the present disclosure. The processor may also be a combination of computing components, for example one or more microprocessors, or a combination of a digital signal processor (DSP) and a microprocessor; the storage module may be a memory.
The present embodiment also provides a computer-readable storage medium, in which computer program codes are stored, and when the computer program codes are run on a computer, the computer is caused to execute the above related method steps to implement the method for building the industrial information security and safety system in the above embodiments.
The embodiment also provides a computer program product, which when running on a computer, causes the computer to execute the relevant steps to implement the method for building the industrial information security and safety system in the above embodiment.
In addition, embodiments of the present application also provide an apparatus, which may be specifically a chip, a component or a module, and may include a processor and a memory connected to each other; the memory is used for storing instructions, and when the device runs, the processor can call and execute the instructions, so that the chip executes the method for building the industrial information security system in the embodiment.
The apparatus, the computer-readable storage medium, the computer program product, or the chip provided in this embodiment are all configured to execute the corresponding methods provided above, so that the beneficial effects achieved by the apparatus, the computer-readable storage medium, the computer program product, or the chip may refer to the beneficial effects of the corresponding methods provided above, and are not described herein again.
Through the description of the foregoing embodiments, those skilled in the art will understand that, for convenience and simplicity of description, only the division of the functional modules is used for illustration, and in practical applications, the above function distribution may be completed by different functional modules as needed, that is, the internal structure of the device may be divided into different functional modules, so as to complete all or part of the functions described above.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The embodiments of the apparatus described above are merely illustrative: the division into modules or units is only one of logical function, and other divisions are possible in practice; for example, several units or components may be combined or integrated into another apparatus, or some features may be omitted or not executed. In addition, the mutual coupling, direct coupling, or communication connection shown or discussed may be an indirect coupling or communication connection through interfaces, devices, or units, and may be electrical, mechanical, or of another form.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (10)

1. A method for building an industrial information security system is characterized by comprising the following steps:
determining a target area from a plurality of areas, acquiring M alarm events of the target area, and acquiring M groups of communication data corresponding to the M alarm events in the process of transmission, wherein the target area comprises at least one industrial control device, and M is an integer greater than or equal to 1;
acquiring a device type corresponding to each industrial control device, wherein the device types comprise key devices, core devices, important devices, and common devices;
determining key equipment in the target area and the weight of the importance of the key equipment according to the equipment type of each industrial control equipment;
determining the accessed times of the M groups of communication data according to the M groups of communication data;
determining a risk parameter of the target area according to the accessed times of the M groups of communication data, the M alarm events and the weight of the importance of the key equipment in the target area, and judging whether the risk parameter meets a preset condition;
when the risk parameter does not meet the preset condition, determining information related to the target area based on the risk parameter.
2. The method of claim 1, wherein the risk parameters comprise a propagation risk parameter, a security risk parameter, and a hazard risk parameter, and wherein determining the risk parameter for the target area based on the number of times the M sets of communication data are accessed, the M alarm events, and a weight of importance of the critical devices in the target area comprises:
determining a product of the number of times the M sets of communication data were accessed, the M alarm events, and a weight of importance of the critical device in the target area as the propagation risk parameter;
acquiring the danger level of each alarm event in the M alarm events, and determining the proportion coefficient of the alarm event corresponding to each danger level in the M alarm events;
determining the product of the proportion coefficient of the alarm event corresponding to each danger level in the M alarm events, the weight of the operation risk level of the target area and the propagation risk parameter as the safety risk parameter;
determining the sum of the propagation risk parameter and the safety risk parameter, and determining the product of the sum of the propagation risk parameter and the safety risk parameter, the weight of the operation risk level of the target area and the M alarm events as the hazard risk parameter.
3. The method of claim 2, wherein determining the proportion coefficient of the alarm event corresponding to each risk level to the M alarm events comprises:
acquiring an alarm event corresponding to each danger level and the weight of each danger level;
determining the ratio of the alarm event corresponding to each danger level to the M alarm events;
and determining the product of the ratio and the weight of each danger level as the ratio coefficient of the alarm event corresponding to each danger level to the M alarm events.
4. The method according to claim 2, wherein the determining information related to the target area based on the risk parameter when the risk parameter does not satisfy the preset condition comprises:
determining that the risk parameter does not satisfy the preset condition when the propagation risk parameter is greater than a first threshold, and/or when the safety risk parameter is greater than a second threshold, and/or when the hazard risk parameter is greater than a third threshold;
determining the operating condition of key equipment in the target area, the occurrence frequency of each alarm event in a preset period and the historical data of each alarm event in the preset period.
5. The method of claim 2, wherein said determining said number of times said M sets of communication data are accessed based on said M sets of communication data comprises:
determining quintuple information corresponding to each group of communication data according to each group of communication data in the M groups of communication data;
determining the accessed times of each group of communication data based on five-tuple information corresponding to each group of communication data;
determining a sum of said number of times said each set of communication data was accessed as said number of times said M sets of communication data were accessed.
6. The method according to claim 5, wherein the determining the number of times each group of communication data is accessed based on five-tuple information corresponding to each group of communication data comprises:
acquiring an IP address of each of the plurality of areas;
determining the IP range of each region according to the IP address of each region;
and determining the accessed times of each group of communication data according to the IP range of each region and the quintuple information corresponding to each group of communication data.
7. The method of claim 5, further comprising:
determining the operation risk level of each region according to the operation characteristics and the operation environment of each region;
and determining the operation risk level of the target area and the weight of the operation risk level of the target area based on the operation risk level of each area.
8. An apparatus for construction of an industrial information security system, the apparatus comprising:
a first acquisition module, used for determining a target area from a plurality of areas, acquiring M alarm events of the target area, and acquiring M groups of communication data corresponding to the process of transmitting the M alarm events, wherein the target area comprises at least one industrial control device, and M is an integer greater than or equal to 1;
the second acquisition module is used for acquiring the equipment type corresponding to each industrial control equipment, wherein the equipment type comprises key equipment, core equipment, important equipment and common equipment;
the first determining module is used for determining key equipment in the target area and the weight of the importance of the key equipment according to the equipment type of each industrial control equipment;
the second determining module is used for determining the accessed times of the M groups of communication data according to the M groups of communication data;
the processing module is used for determining a risk parameter of the target area according to the accessed times of the M groups of communication data, the M alarm events and the weight of the importance of the key equipment in the target area, and judging whether the risk parameter meets a preset condition or not;
a third determining module, configured to determine, based on the risk parameter, information related to the target area when the risk parameter does not satisfy the preset condition.
9. An electronic device, characterized in that the electronic device comprises:
a memory for storing a computer program;
a processor for invoking and running the computer program from the memory, such that the electronic device performs the method of any one of claims 1-7.
10. A computer-readable storage medium, characterized in that it stores computer program code which, when executed, implements the method of any one of claims 1 to 7.
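The risk-parameter pipeline described for modules 304 to 306 above and in claims 2 to 7, as an added worked example in Python (not the patent's own code): it counts accesses from five-tuple records against the target area's IP range, forms the propagation, safety and hazard risk parameters, applies the and/or threshold check, and on failure produces the per-event occurrence frequency. The numeric weights, thresholds, IP range and alarm records are constructed assumptions (the page gives the formulas but no values), as is the rule that a flow counts as an access when its destination lies in the area's IP range.

```python
# Added worked example of the page's risk calculation; weights, thresholds,
# IP ranges and alarm records below are constructed assumptions.
from collections import Counter
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Assumed importance weight per device type (the page names the four types
# but gives no numbers).
IMPORTANCE_WEIGHT = {"key": 1.0, "core": 0.8, "important": 0.5, "common": 0.2}
# Assumed weight per danger level (the page says each level has a weight).
DANGER_LEVEL_WEIGHT = {"high": 1.0, "medium": 0.6, "low": 0.3}
# Assumed preset thresholds for the and/or comparison of claim 4.
THRESHOLDS = {"propagation": 10.0, "safety": 5.0, "hazard": 50.0}


@dataclass(frozen=True)
class Flow:
    """Five-tuple of one communication record."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str


@dataclass
class Alarm:
    """One alarm event and the communication data captured while it was sent."""
    event_id: str
    danger_level: str
    flows: list = field(default_factory=list)


def key_device_weight(devices):
    """Importance weight of the area's key devices (0 if none); devices maps name -> type."""
    return IMPORTANCE_WEIGHT["key"] if "key" in devices.values() else 0.0


def access_count(flows, area_ranges):
    """Accessed times of one group of communication data (claims 5 and 6).
    Assumption: a flow is an access when its destination lies in one of the
    target area's IP ranges."""
    nets = [ip_network(r) for r in area_ranges]
    return sum(1 for f in flows if any(ip_address(f.dst_ip) in n for n in nets))


def proportion_coefficients(alarms):
    """Per danger level: (alarms at that level / M) * weight of the level (claim 3)."""
    m = len(alarms)
    counts = Counter(a.danger_level for a in alarms)
    return {lvl: (n / m) * DANGER_LEVEL_WEIGHT[lvl] for lvl, n in counts.items()}


def risk_parameters(alarms, devices, area_ranges, op_risk_weight):
    """Propagation, safety and hazard risk parameters (claim 2)."""
    m = len(alarms)
    accessed = sum(access_count(a.flows, area_ranges) for a in alarms)
    propagation = accessed * m * key_device_weight(devices)
    # Assumption: the per-level proportion coefficients are summed into one
    # coefficient before multiplying by the operation-risk weight and the
    # propagation risk parameter.
    coeff = sum(proportion_coefficients(alarms).values())
    safety = coeff * op_risk_weight * propagation
    hazard = (propagation + safety) * op_risk_weight * m
    return {"accessed": accessed, "propagation": propagation,
            "safety": safety, "hazard": hazard}


def violates_preset(params, thresholds=THRESHOLDS):
    """Claim 4: any single parameter above its threshold fails the preset condition."""
    return any(params[k] > thresholds[k] for k in ("propagation", "safety", "hazard"))


def evaluate_target_area(alarms, devices, area_ranges, op_risk_weight):
    """Compute the parameters and, on failure, the follow-up information
    (occurrence frequency of each alarm event within the period)."""
    params = risk_parameters(alarms, devices, area_ranges, op_risk_weight)
    result = {"params": params, "violated": violates_preset(params), "frequency": {}}
    if result["violated"]:
        result["frequency"] = dict(Counter(a.event_id for a in alarms))
    return result


# Constructed sample: target area 10.10.1.0/24, three alarms with their flows.
AREA_RANGES = ["10.10.1.0/24"]
DEVICES = {"plc-01": "key", "hmi-01": "important", "switch-01": "common"}
SAMPLE_ALARMS = [
    Alarm("unauthorized-write", "high", [
        Flow("192.168.5.7", "10.10.1.20", 51000, 502, "tcp"),
        Flow("10.10.1.21", "10.10.1.20", 51001, 502, "tcp"),
        Flow("10.10.1.20", "172.16.0.9", 44818, 44818, "tcp"),  # leaves the area
    ]),
    Alarm("unknown-host", "medium", [Flow("192.168.5.7", "10.10.1.22", 51002, 102, "tcp")]),
    Alarm("unauthorized-write", "low", [
        Flow("10.10.1.30", "10.10.1.22", 51003, 102, "tcp"),
        Flow("172.16.0.9", "10.10.1.22", 51004, 20000, "udp"),
    ]),
]

if __name__ == "__main__":
    print(evaluate_target_area(SAMPLE_ALARMS, DEVICES, AREA_RANGES, op_risk_weight=0.8))
```

With the sample data the propagation parameter is 5 accesses x 3 events x 1.0 = 15, which already exceeds its assumed threshold, so the follow-up frequency count is produced.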
CN202210309247.6A 2022-03-25 2022-03-25 Method and device for building industrial information security guarantee system Active CN114844766B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210309247.6A CN114844766B (en) 2022-03-25 2022-03-25 Method and device for building industrial information security guarantee system

Publications (2)

Publication Number Publication Date
CN114844766A true CN114844766A (en) 2022-08-02
CN114844766B CN114844766B (en) 2023-05-23

Family

ID=82564748

Country Status (1)

Country Link
CN (1) CN114844766B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117495592A (en) * 2023-10-13 2024-02-02 陕西小保当矿业有限公司 Alarm grading method and system for mine industrial Internet platform

Citations (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7382244B1 (en) * 2007-10-04 2008-06-03 Kd Secure Video surveillance, storage, and alerting system having network management, hierarchical data storage, video tip processing, and vehicle plate analysis
US20140188549A1 (en) * 2012-12-28 2014-07-03 Eni S.P.A. Risk assessment method and system for the security of an industrial installation
CN110245056A (en) * 2019-06-10 2019-09-17 中国工商银行股份有限公司 O&M alarm information processing method and device
CN110659826A (en) * 2019-09-23 2020-01-07 国网辽宁省电力有限公司辽阳供电公司 Assessment method for risk influence degree of substation equipment in power grid safety early warning
CN111352808A (en) * 2020-03-03 2020-06-30 腾讯云计算(北京)有限责任公司 Alarm data processing method, device, equipment and storage medium
CN111609883A (en) * 2020-05-20 2020-09-01 合肥惠科达信息科技有限责任公司 Communication machine room protection monitoring management system based on big data
CN111740868A (en) * 2020-07-07 2020-10-02 腾讯科技(深圳)有限公司 Alarm data processing method and device and storage medium
CN112115014A (en) * 2019-06-19 2020-12-22 国际商业机器公司 Environmental monitoring and related monitoring device
CN112150020A (en) * 2020-09-29 2020-12-29 国网四川省电力公司电力科学研究院 Regional power grid equipment safety risk evaluation method based on alarm big data
CN112650180A (en) * 2020-12-23 2021-04-13 烽台科技(北京)有限公司 Safety warning method, device, terminal equipment and storage medium
US20210311162A1 (en) * 2015-07-17 2021-10-07 Chao-Lun Mai Method, apparatus, and system for wireless monitoring to ensure security
CN113687969A (en) * 2021-07-29 2021-11-23 济南浪潮数据技术有限公司 Alarm information generation method and device, electronic equipment and readable storage medium
CN114221851A (en) * 2020-09-04 2022-03-22 华为技术有限公司 Fault analysis method and device

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
胡国华,孟承韵,代志兵,孙彬,刘振凯,俞海波,李斌,何维群,张智奇: "基于大数据安全保障的云安全体系研究" *
胡裕峰;方旎;徐越;周博曦;: "基于混合神经网络与有限状态机的区域电网智能告警处理方法研究" *

Also Published As

Publication number Publication date
CN114844766B (en) 2023-05-23

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant