CN115037508B - A multi-step attack modeling method and system for industrial control systems - Google Patents
Publication number: CN115037508B (application number CN202210438285.1A)
Authority: CN (China)
Prior art keywords: attack, graph, vulnerability, information, nodes
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L63/1433: Vulnerability analysis (under H04L63/14, detecting or protecting against malicious traffic; H04L63/00, network architectures or network communication protocols for network security)
- H04L41/12: Discovery or management of network topologies (under H04L41/00, arrangements for maintenance, administration or management of data switching networks)
- H04L41/145: Network analysis or design involving simulating, designing, planning or modelling of a network (under H04L41/14, network analysis or design)
- Y02P90/02: Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS] (under Y02P90/00, enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation)
Abstract
A multi-step attack modeling method and system for industrial control systems. The method performs system topology analysis and system vulnerability processing to generate an attack graph; constructs an AND/OR graph from the functional dependencies between the physical component devices; generates an AND/OR attack graph from the attack graph and the AND/OR graph; and extends the AND/OR attack graph. It addresses the high complexity of existing attack modeling methods, lets security analysts grasp the attacker's behaviour and intent from a global view and fully understand the threats the industrial control system currently faces, and can be widely applied in the field of big data processing.
Description
Technical field
The present invention relates to the field of big data processing, and in particular to a multi-step attack modeling method and system for industrial control systems.
Background
Industrial control systems (ICS) are increasingly integrated with Internet technology, and their formerly closed environment has gradually been broken open. In addition, the configuration software, communication protocols, programmable logic controllers, actuators and other components native to ICS also contain security vulnerabilities. In recent years, security incidents targeting ICS have often chained several vulnerabilities into a multi-step attack that ultimately disrupts the normal operation of devices in the physical execution layer. It is therefore particularly important to model attacks that combine multiple vulnerabilities, as well as attacks on non-networked devices, so that threat analysts can keep track of the security situation of the current environment. Current attack modeling methods for ICS fall into traditional methods and newer methods.
Traditional attack modeling methods include attack trees and attack graphs. An attack tree presents attack actions and outcomes through its root and leaf nodes; a path from the root to a leaf is an attack path. When analysing complex multi-step attacks, attack trees suffer from a bulky data structure and low analysis efficiency. An attack graph can represent more complex attack situations than an attack tree: it enumerates and visualises all paths an attacker can successfully reach, and is an important tool for analysing multi-step combined attacks. However, attack graphs are usually generated from network reachability relations and so omit the non-networked devices of the physical process layer of an ICS. Moreover, traditional methods tend to focus on the specific details of system vulnerabilities and ignore the attacker's overall objective and the relations between attack actions, which makes attack scenarios hard for security analysts to understand.
In response to the frequent new APT attacks of recent years, the kill chain, the MITRE ATT&CK model and others have been proposed. The kill chain model, based on the attack life cycle, presents the attacker's goals and the risk to the defended system at a high level of abstraction, and has difficulty expressing specific attack behaviour and the specific data, protective measures and configured resources associated with it. Building on the kill chain, the MITRE ATT&CK model describes attacks in terms of tactics, techniques and procedures, from abstract objective through implementing technique to concrete instance, which is closer to how real attackers behave. Although ATT&CK provides a detailed analysis of how attacks are carried out, its detailed natural-language descriptions are hard for machines to process, which to some extent increases the complexity of attack analysis.
Summary of the invention
To solve the technical problems above, the present invention provides a multi-step attack modeling method and system for industrial control systems.
A first aspect of the embodiments of this application provides a multi-step attack modeling method for industrial control systems, comprising:
performing system topology analysis and system vulnerability processing to generate an attack graph;
constructing an AND/OR graph from the functional dependencies between the physical component devices;
generating an AND/OR attack graph from the attack graph and the AND/OR graph; and
extending the AND/OR attack graph.
Preferably, the attack graph is generated as follows:
the system device information and initial topology are obtained through system network topology analysis; topology scanning and vulnerability scanning tools are used to update the topology information and collect vulnerability information; the pre- and post-conditions, affected products, attack patterns and attack consequences of the vulnerabilities are extracted from a security information base; and, based on the device, topology and vulnerability information, a breadth-first search algorithm generates the attack graph of the networked devices.
Preferably, the system topology analysis is performed as follows:
the system devices and their connections in the system design documents are analysed to obtain the initial system topology, and the devices' network information is collected; scanning tools probe the industrial control devices without disrupting normal operation of the system, updating the ICS topology and thereby the attack graph; at the same time, the device IP, type, vendor and communication information are extracted from scan results and configuration files and saved.
Preferably, the system vulnerability processing is performed as follows:
based on the obtained device and network information, a vulnerability scanning tool scans the system without disrupting its normal operation and collects vulnerability information; for communication vulnerabilities, the vulnerability name, source IP, destination IP, subnet and communication protocol are extracted and saved; for device vulnerabilities, vulnerability descriptions are collected from security information sources, and the vulnerability identifier, affected product, vulnerability type, pre- and post-conditions, attack pattern and attack consequence are extracted from them and saved.
Preferably, the AND/OR graph is constructed as follows:
for non-networked devices, the physical component information of PLCs, sensors and actuators is obtained from system design documents and configuration files, the PLC programs are read, and the functional dependencies between PLCs, sensors and actuators are derived to build the AND/OR graph.
Preferably, the AND/OR attack graph is generated as follows:
the AND/OR attack graph is generated by judging whether a control-device vulnerability in the attack graph affects the physical devices connected to that control device in the AND/OR graph.
Preferably, the AND/OR attack graph consists of nodes and directed edges, the nodes comprising device nodes, vulnerability nodes and intermediate nodes. First the correspondence between control devices in the attack graph and control devices in the AND/OR graph is established; then it is judged whether the consequence of exploiting a control device's vulnerability in the attack graph will affect the other devices connected to that control device in the AND/OR graph. If so, the affected devices are retained and each AND node or OR node is converted into an and edge or an or edge between the two devices; where two logic nodes are directly connected between two devices, the two logic nodes and the edge between them are converted into an intermediate node, and and/or edges are added according to the logic nodes. This produces the AND/OR attack graph.
Preferably, the AND/OR attack graph is extended as follows:
the AND/OR attack graph is extended by means of an object-oriented attack description, matching vulnerability information against attack information.
A second aspect of this application provides a multi-step attack modeling system for industrial control systems, comprising:
an attack graph generation module, for performing system topology analysis and system vulnerability processing to generate an attack graph;
an AND/OR graph construction module, for constructing an AND/OR graph from the functional dependencies between the physical component devices;
an AND/OR attack graph generation module, for generating an AND/OR attack graph from the attack graph and the AND/OR graph; and
an extension module, for extending the AND/OR attack graph.
The invention uses vulnerability information to combine the attack graph of the networked devices with the AND/OR graph of the non-networked devices into an AND/OR attack graph covering all devices of the industrial control system. It describes the ATT&CK Matrix knowledge base in an object-oriented language and adds tactic, technique and procedure information to the AND/OR attack graph to describe multi-step attacks, so that security analysts can grasp the security state of the ICS globally. The object-oriented description of attack knowledge is extensible and generalisable; multi-step attack graphs can be generated for both networked and non-networked ICS devices; and the attack graph can be presented both at the concrete vulnerability level and at the more abstract level of tactics, techniques and procedures.
Brief description of the drawings
Figure 1 is a schematic flowchart of a multi-step attack modeling method for industrial control systems according to an embodiment of this application;
Figure 2 is a schematic diagram of an industrial control system topology according to an embodiment of this application;
Figure 3 is a schematic attack graph according to an embodiment of this application;
Figure 4 is a schematic AND/OR topology of an industrial control system according to an embodiment of this application;
Figure 5 is a schematic flowchart of generating the AND/OR attack graph according to an embodiment of this application;
Figure 6 is a schematic AND/OR attack graph according to an embodiment of this application;
Figure 7 is the class relationship diagram of industrial control system assets according to an embodiment of this application;
Figure 8 shows the correspondence between the ATT&CK Matrix and the attack classes according to an embodiment of this application;
Figure 9 is a schematic asset attack description according to an embodiment of this application;
Figure 10 is a vulnerability-attack relationship diagram according to an embodiment of this application;
Figure 11 is a schematic AND/OR extended attack path according to an embodiment of this application;
Figure 12 is a schematic structural diagram of a multi-step attack modeling system for industrial control systems according to an embodiment of this application.
Detailed description of the embodiments
To make the technical problems solved, the technical solutions and the beneficial effects of this application clearer, the application is described in further detail below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here only explain the application and do not limit it.
Figure 1 is a schematic flowchart of a multi-step attack modeling method for industrial control systems according to an embodiment of this application. For ease of description only the parts relevant to this embodiment are shown; the details are as follows:
In one embodiment, a multi-step attack modeling method for industrial control systems comprises the following steps:
S101: perform system topology analysis and system vulnerability processing to generate an attack graph.
Specifically, the system device information and initial topology are obtained through system network topology analysis; topology scanning and vulnerability scanning tools are used to update the topology information and collect vulnerability information; the pre- and post-conditions, affected products, attack patterns and attack consequences of the vulnerabilities are extracted from a security information base; and, based on the device, topology and vulnerability information, a breadth-first search algorithm generates the attack graph of the networked devices.
S1011: system topology analysis
As shown in Figure 2, taking an industrial control system as the example, the system devices and their connections in the system design documents are analysed to obtain the initial system topology, and the devices' network information is collected. Because the system may change during production, several scanning tools can be used to probe the industrial control devices without disrupting normal operation, update the ICS topology and thereby update the attack graph described below. (In practice this constraint matters: some PLCs and other embedded controllers fault or crash when port-scanned, so active probing of the control network should be limited to passive traffic analysis or to vendor-approved, rate-limited scans run in a maintenance window.) At the same time, device IP, type, vendor, communication and other information is extracted from scan results and configuration files and saved.
S1012: system vulnerability processing
Based on the obtained device and network information, several vulnerability scanning tools scan the system without disrupting its normal operation and collect vulnerability information. For communication vulnerabilities, the vulnerability name, source IP, destination IP, subnet, communication protocol and other information are extracted and saved. For device vulnerabilities, vulnerability descriptions are collected from security information sources such as CVE, CNNVD, CWE and CAPEC, and the vulnerability identifier, affected product, vulnerability type, pre- and post-conditions, attack pattern and attack consequence are extracted from them and saved.
Here the vulnerability identifier is the CVE id or an abstract vulnerability type; the affected product is the product containing the vulnerability, for example a remote access service, operating system, communication protocol or programming software; the pre- and post-conditions are the conditions required to exploit the vulnerability and the state that holds after exploitation; the vulnerability type is the class of flaw; the attack pattern comes from CAPEC and describes the methods by which the vulnerability may be exploited; and the attack consequence is what exploitation may produce, for example tampering or injection (loss of integrity), privilege escalation (loss of access control), reading of data or files (loss of confidentiality), or denial of service and system crashes (loss of availability).
S1013: generation of the attack graph
The attack graph consists of nodes and directed edges. Nodes include device nodes, network nodes and vulnerability nodes; edges are directed edges between nodes and are of two kinds, has and reach. A device node is described by the device information DEV = (device IP, device name, device type, vulnerability set), and a vulnerability node by the vulnerability information VUL = (vulnerability identifier, affected product, vulnerability type, attack pattern, attack consequence). A device may have several vulnerabilities; the directed edge from a device node to a vulnerability node is defined as the has relation, and an edge between two device nodes as the reach relation. From the results of the system topology analysis and device vulnerability processing, a device information table (Table 1), a vulnerability information table (Table 2) and a device reachability table (Table 3) are produced; in the reachability table, 1 means reachable and 0 means not reachable.
Table 1 Device information table
Table 2 Vulnerability information table
Table 3 Device reachability table
When constructing the attack graph, the attack entry point can be chosen according to the attack scenario. This application takes PC1 as the entry point and uses a breadth-first search to build an attack graph containing multiple vulnerabilities: read the device information, vulnerability information and device reachability information; add device nodes and vulnerability nodes, with a has edge between each device and its vulnerabilities; starting from PC1, traverse all nodes reachable from the current node and, for each reachable node, traverse its vulnerability information; if the post-condition of the current node's vulnerability satisfies the pre-condition of the reachable node's vulnerability, add a reach edge between the two device nodes; mark traversed nodes until all nodes are marked. Cycles in the graph are handled according to the monotonicity principle (an attacker never gives up a privilege already obtained, so an attack path never needs to revisit a node), and devices not on any attack path and vulnerabilities that are not exploited are deleted. The resulting attack graph is sketched in Figure 3, where device nodes are labelled by device name and vulnerability nodes by vulnerability identifier.
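The following is an added worked example of the breadth-first generation step described above; it is not the patent's own code. The devices, vulnerabilities, privilege-based pre-/post-conditions and the reachability relation are constructed sample data with hypothetical identifiers (the patent's Tables 1 to 3 are not reproduced on this page), and the privilege ranking used to decide whether a post-condition satisfies a pre-condition is an assumption.

```python
"""Attack-graph generation for networked devices by breadth-first search.
Added illustration, not the patent's code: all data below is constructed."""
from collections import deque
from dataclasses import dataclass

# Privilege levels used as pre-/post-conditions (assumed ranking).
# Monotonicity: exploitation never lowers the attacker's privilege.
RANK = {"network": 0, "user": 1, "admin": 2, "root": 3}


@dataclass
class Vul:
    vid: str          # CVE id or abstract vulnerability type
    product: str      # affected product
    pre: str          # privilege required to exploit it
    post: str         # privilege gained on the device
    consequence: str  # e.g. integrity, confidentiality, access-control


@dataclass
class Dev:
    ip: str
    name: str
    dtype: str
    vuls: list


def satisfies(post: str, pre: str) -> bool:
    """A post-condition satisfies a pre-condition if it grants at least that privilege."""
    return RANK[post] >= RANK[pre]


def build_attack_graph(devices, reach, entry, entry_priv="network"):
    """BFS from the attack entry point. Returns device and vulnerability nodes
    with 'has'/'reach' edges; unreached devices, unexploited vulnerabilities
    and back edges (which would form cycles) are dropped."""
    level = {entry: 0}                 # BFS depth, used to reject back edges
    gained = {entry: set()}            # device -> post-conditions obtained there
    exploited = {entry: []}            # device -> exploited Vul objects
    edges = set()

    def usable(dev, avail):
        return [v for v in devices[dev].vuls if any(satisfies(p, v.pre) for p in avail)]

    for v in usable(entry, {entry_priv}):
        exploited[entry].append(v)
        gained[entry].add(v.post)
    queue = deque([entry])
    while queue:
        u = queue.popleft()
        for w in sorted(reach.get(u, ())):
            # monotonicity: an edge to the same or a shallower level is a cycle, skip it
            if w in level and level[w] <= level[u]:
                continue
            hits = usable(w, gained[u])
            if not hits:               # reachable, but no pre-condition is met
                continue
            edges.add((u, w, "reach"))
            if w not in level:
                level[w] = level[u] + 1
                gained[w], exploited[w] = set(), []
                queue.append(w)
            for v in hits:
                if v not in exploited[w]:
                    exploited[w].append(v)
                    gained[w].add(v.post)
    nodes = {}
    for d in level:                    # only devices on some attack path survive
        nodes[d] = "device"
        for v in exploited[d]:         # only exploited vulnerabilities survive
            nodes[v.vid] = "vulnerability"
            edges.add((d, v.vid, "has"))
    return {"nodes": nodes, "edges": sorted(edges)}


def attack_paths(graph, src, dst):
    """Enumerate device-level attack paths along 'reach' edges (the graph is acyclic)."""
    nxt = {}
    for a, b, kind in graph["edges"]:
        if kind == "reach":
            nxt.setdefault(a, []).append(b)
    paths, stack = [], [(src, [src])]
    while stack:
        node, path = stack.pop()
        if node == dst:
            paths.append(path)
            continue
        for n in nxt.get(node, []):
            stack.append((n, path + [n]))
    return sorted(paths)


# Constructed sample with PC1 as the entry point, as in the text (hypothetical ids).
DEVICES = {
    "PC1": Dev("10.0.0.10", "PC1", "workstation",
               [Vul("V-1", "remote-desktop", "network", "user", "access-control")]),
    "ENG": Dev("10.0.0.20", "ENG", "engineering-station",
               [Vul("V-2", "os", "user", "root", "access-control"),
                Vul("V-9", "config-tool", "admin", "admin", "integrity")]),
    "HMI": Dev("10.0.0.30", "HMI", "hmi",
               [Vul("V-3", "hmi-software", "root", "root", "integrity")]),
    "HIST": Dev("10.0.0.40", "HIST", "historian",
                [Vul("V-5", "db", "admin", "root", "confidentiality")]),
    "PLC1": Dev("10.0.1.5", "PLC1", "controller",
                [Vul("V-4", "plc-firmware", "root", "root", "integrity")]),
}
# The '1' entries of a Table 3 style reachability table; ENG -> PC1 closes a cycle.
REACH = {"PC1": {"ENG", "HIST"}, "ENG": {"PC1", "HMI", "HIST"},
         "HMI": {"PLC1"}, "HIST": {"PLC1"}}

if __name__ == "__main__":
    g = build_attack_graph(DEVICES, REACH, "PC1")
    print(*g["edges"], attack_paths(g, "PC1", "PLC1"), sep="\n")
```

On the sample data PC1 can reach HIST directly, but no reach edge is added because the only privilege gained on PC1 (user) does not satisfy the admin pre-condition of HIST's vulnerability; HIST only enters the graph via ENG, where root is obtained. V-9 on ENG is never exploitable on any path and is pruned, and the ENG to PC1 back edge is dropped under the monotonicity rule, which is what keeps the path enumeration finite.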
S102: construct an AND/OR graph from the functional dependencies between the physical component devices.
Specifically, for non-networked devices, information on physical components such as PLCs, sensors and actuators is obtained from system design documents and configuration files, the PLC programs are read, and the functional dependencies between PLCs, sensors and actuators are derived to build the AND/OR graph.
This application represents the AND/OR graph as $G = \{V, E\}$, where $V = N \cup L$ is the node set and $E = E_{N,N} \cup E_{N,L} \cup E_{L,N} \cup E_{L,L}$ is the set of directed edges between nodes. Here $N$ is the set of physical devices such as PLCs, actuators and sensors, and $L$ is the set of logical connectives AND and OR. $E_{N,N} = \{(m,n) : m, n \in N\}$ are edges between physical devices, meaning that node $n$ needs resources provided by node $m$ to operate normally; $E_{N,L} = \{(m,n) : m \in N, n \in L\}$ means that node $m$ is an input of the AND/OR node $n$; $E_{L,N} = \{(n,m) : m \in N, n \in L\}$ means that the output of the AND/OR node $n$ goes to $m$, where if $n$ is an OR node then $m$ operates normally when at least one input of the OR node is satisfied, and if $n$ is an AND node then $m$ operates normally only when all inputs of the AND node are satisfied; and $E_{L,L} = \{(m,n) : m, n \in L\}$ are connections between AND/OR nodes.
Figure 4 shows the AND/OR topology of an industrial control system: the actuator depends on the output of the PLC, and the PLC can operate in two ways, either from the readings of sensor 1 and sensor 2, or from the readings of sensor 2 and sensor 3.
S103: generate the AND/OR attack graph from the attack graph and the AND/OR graph.
Specifically, in an ICS the non-networked devices are usually driven by control devices, so attacks on networked and non-networked devices can be modelled together according to whether a control device's vulnerability affects the function of the physical devices it is connected to: the AND/OR attack graph is generated by judging whether a control-device vulnerability in the attack graph affects the physical devices connected to that control device in the AND/OR graph.
The AND/OR attack graph consists of nodes and directed edges. Nodes include device nodes, vulnerability nodes and intermediate nodes; device and vulnerability nodes carry the information of Tables 1 and 2, and, for convenience of presentation, two directly connected AND/OR logic nodes and the edge between them are represented as an intermediate node, which has no meaning of its own. Edges are of the kinds has, reach, and, or and execute: an and edge means that the device at its head operates normally only if the devices at the tails of all the and edges connected to it are satisfied; an or edge means that the device at its head operates normally if the device at the tail of at least one of the or edges connected to it is satisfied; and an execute edge means that the device at its head needs the device at its tail to provide normal resources in order to operate normally.
Figure 5 is the flowchart for generating the AND/OR attack graph. First the correspondence between control devices in the attack graph and control devices in the AND/OR graph is established; then it is judged whether the consequence of exploiting a control device's vulnerability in the attack graph will affect the other devices connected to that control device in the AND/OR graph. If so, the affected devices are retained and each AND node or OR node is converted into an and or or edge between the two devices; where two logic nodes are directly connected between two devices, the two logic nodes and the edge between them are converted into an intermediate node, and and/or edges are added according to the logic nodes. The generated AND/OR attack graph is shown in Figure 6, where devices are labelled by device name and vulnerabilities by vulnerability identifier.
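The following added example covers both S102 and S103: it encodes the AND/OR graph of Figure 4 with the edge sets defined above, evaluates its AND/OR semantics, and then merges it with a small attack graph into an AND/OR attack graph using the Figure 5 rule (logic node to and/or edge, two directly connected logic nodes to an intermediate node). It is not the patent's own code. Node names, the attack graph fragment, and the rule that only integrity or availability consequences of a control-device vulnerability propagate into the physical process are assumptions.

```python
"""AND/OR graph of physical components and its merge with the attack graph.
Added illustration, not the patent's code; all data below is constructed."""

# AND/OR graph G = (V, E): physical nodes are plain names, logic nodes map to
# (type, inputs). Structure of Figure 4: actuator needs PLC; PLC works from
# sensors S1+S2 or S2+S3.
LOGIC = {"AND1": ("AND", ["S1", "S2"]),       # E_{N,L}: sensors feed AND nodes
         "AND2": ("AND", ["S2", "S3"]),
         "OR1": ("OR", ["AND1", "AND2"])}     # E_{L,L}: AND nodes feed the OR node
E_LN = {"OR1": "PLC"}                         # E_{L,N}: OR output drives the PLC
E_NN = [("PLC", "ACT")]                       # E_{N,N}: ACT needs the PLC's output

# Attack graph over networked devices (constructed) with control device PLC1.
ATTACK_GRAPH = {
    "nodes": {"PC1": "device", "HMI": "device", "PLC1": "device",
              "V-3": "vulnerability", "V-4": "vulnerability"},
    "edges": [("PC1", "HMI", "reach"), ("HMI", "PLC1", "reach"),
              ("HMI", "V-3", "has"), ("PLC1", "V-4", "has")],
}
VUL_CONSEQUENCE = {"V-3": "integrity", "V-4": "integrity"}
CONTROL_MAP = {"PLC1": "PLC"}   # attack-graph control device -> AND/OR graph node


def operates(x, failed, logic=LOGIC, e_ln=E_LN, e_nn=E_NN):
    """AND/OR semantics of the definition above: an OR node is satisfied by any
    input, an AND node needs all inputs, and a physical node works only if it
    is not compromised and everything it depends on is satisfied."""
    if x in logic:
        ltype, inputs = logic[x]
        results = [operates(i, failed, logic, e_ln, e_nn) for i in inputs]
        return all(results) if ltype == "AND" else any(results)
    if x in failed:
        return False
    deps = [l for l, out in e_ln.items() if out == x] + [s for s, d in e_nn if d == x]
    return all(operates(d, failed, logic, e_ln, e_nn) for d in deps)


def consequence_affects_function(consequence):
    # Assumption: reading data (confidentiality) leaves the controlled process intact.
    return consequence in {"integrity", "availability"}


def lower_logic(logic, node, target, nodes, edges):
    """Replace a logic node by and/or edges ending at target. A logic node that
    feeds another logic node becomes an intermediate node (Figure 5 rule)."""
    ltype, inputs = logic[node]
    for x in inputs:
        if x in logic:
            mid = f"{x}|{node}"          # two directly connected logic nodes
            nodes[mid] = "intermediate"
            lower_logic(logic, x, mid, nodes, edges)
            edges.add((mid, target, ltype.lower()))
        else:
            nodes[x] = "device"
            edges.add((x, target, ltype.lower()))


def build_and_or_attack_graph(ag, vul_consequence, control_map, logic, e_ln, e_nn):
    """Keep the attack graph and, for each control device whose exploited
    vulnerability alters the process, pull in the physical devices connected
    to it in the AND/OR graph with execute/and/or edges."""
    nodes, edges = dict(ag["nodes"]), set(ag["edges"])
    for ctrl, phys in control_map.items():
        vuls = [b for a, b, k in ag["edges"] if a == ctrl and k == "has"]
        if not any(consequence_affects_function(vul_consequence[v]) for v in vuls):
            continue                     # vulnerability does not reach the process
        for src, dst in e_nn:            # devices that need this controller's output
            if src == phys:
                nodes[dst] = "device"
                edges.add((ctrl, dst, "execute"))
        for lnode, out in e_ln.items():  # inputs that determine its operation
            if out == phys:
                lower_logic(logic, lnode, ctrl, nodes, edges)
    return {"nodes": nodes, "edges": sorted(edges)}


if __name__ == "__main__":
    g = build_and_or_attack_graph(ATTACK_GRAPH, VUL_CONSEQUENCE, CONTROL_MAP,
                                  LOGIC, E_LN, E_NN)
    print(*g["edges"], sep="\n")
    print("ACT with S1 down:", operates("ACT", {"S1"}),
          "| with S2 down:", operates("ACT", {"S2"}))
```

The two intermediate nodes AND1|OR1 and AND2|OR1 are exactly the "two directly connected logic nodes" case: each sensor pair reaches the PLC through an and edge into the intermediate node and an or edge out of it. Evaluating `operates` with sensor 2 marked as compromised shows why that node matters for analysis: S2 is on both AND branches, so losing it alone stops the PLC and the actuator, while losing S1 alone does not.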
S104:对与或攻击图进行扩展。S104: Extend the AND-OR attack graph.
具体地,利用面向对象的攻击描述,通过匹配漏洞信息和攻击信息,对所述与或攻击图进行扩展。Specifically, the AND-OR attack graph is extended by matching vulnerability information and attack information by using an object-oriented attack description.
First, the objects of the attack description are determined to be industrial control assets and the corresponding attacks. For a typical industrial control system, industrial control assets comprise industrial control devices and industrial control networks, where the industrial control devices can be generalized into controllers, I/O servers, safety instrumented systems (SIS), historians, engineer stations, control servers, human-machine interfaces (HMI) and security protection devices. Accordingly, an abstract device class and an abstract network class are constructed, devices communicating with one another over networks. The abstract device class is generalized into a general device class and an industrial control device class; the abstract network class is generalized into a general network class and an industrial control network class; and the industrial control asset class is further generalized into a controller class, an I/O server class, an SIS class, a historian class, an engineer station class, a control server class, an HMI class and a security protection device class. The inheritance and association relationships among the asset classes are shown in Figure 7. In addition, every asset class has an asset description attribute used to introduce the asset.
Attack objects are represented by the tactics, techniques and procedures of the ATT&CK Matrix. A tactic appears in the ATT&CK Matrix as a column heading and denotes the adversary's goal in using a technique; a technique appears as an entry in a tactic column and denotes the attack technique the adversary uses; procedures are shown on the technique page and denote the concrete way in which an adversary carries out a technique. The tactics determine the names of the attack classes: Initial Access, Execution, Persistence, Privilege Escalation, Evasion, Discovery, Lateral Movement, Collection, Command and Control, Inhibit Response Function, Impair Process Control and Impact. Each attack class is given a tactic description attribute describing the tactic; the techniques are then added to each attack class as member functions, with the procedures as the return values of the technique functions; the correspondence is shown in Figure 8. At the same time, the object and the operation are extracted from the Description on the technique page and stored in the database together with the technique and tactic, where the object is the target of the technique, such as an operating system, and the operation is the manner in which the vulnerability may be exploited, such as tampering.
Based on the application relationships between industrial control assets and techniques, association relationships are added between the asset classes and the attack classes, so that an asset class can apply the methods of an attack class; a schematic diagram of some of the classes is shown in Figure 9.
From the system vulnerability perspective, a device has one or more vulnerabilities, a vulnerability can be exploited by one or more attack patterns, and it produces one or more effects on the system; from the attack perspective, an attacker uses one or more attack techniques against a target asset to achieve one or more malicious goals. There is a correspondence between the effects of vulnerabilities and the attacker's goals, and likewise between attack techniques and attack patterns, as shown in Figure 10. As for attack patterns and techniques, 112 attack patterns in CAPEC correspond directly to ATT&CK techniques, and these direct correspondences are stored in the database.
To realize the mapping from vulnerabilities to attacks, an exploit method is added to the asset classes to obtain the attack information corresponding to a vulnerability. The exploit method takes the vulnerable product, vulnerability type, attack pattern and attack consequence from the vulnerability information as input. It first queries the database for a technique corresponding to the attack pattern and, if one exists, returns that technique function; if none exists, it queries the database table using the vulnerability type as the operation field and the attack consequence as the technique or tactic field, obtains the corresponding technique name and returns the corresponding technique function. Finally, the procedure information is obtained from the return value of the technique function.
Attack nodes are added to the AND/OR attack graph to show multi-step attack information. The attack information is represented by the four-tuple ATT = (attack number, tactic, technique, procedure), where the attack number starts at 1, increases by 1 each time, and uniquely identifies the attack node information. In addition, exploit edges are added, indicating that the attack node can be used to exploit the vulnerability node. The device nodes and their vulnerability nodes in the AND/OR attack graph are traversed; the asset class corresponding to each device node is found from its device type, and for each vulnerability of the device node the asset class's exploit method is used to obtain the attack information from the vulnerability information. If the same attack information already exists in the attack graph, an exploit directed edge is added directly between that attack node and the vulnerability node; otherwise an attack node containing the attack information is added and a record is added to the attack information table. The attack graph is generated by this method; one of its attack paths is shown in Figure 11, where attack nodes are denoted by attack number, and the attack information table is shown in Table 4.
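The object-oriented attack description, the exploit lookup and the attack-node traversal of S104, as an added example that is not the patent's own code: tactic classes carry a tactic description and expose techniques as methods whose return value is the procedure; asset classes declare which attack classes they may apply and implement exploit, which first tries the attack-pattern correspondence and then falls back to the operation / technique / tactic query; the traversal then numbers attack nodes from 1, reuses an existing node when the attack information already exists, and records exploit edges. The technique and procedure entries, the CAPEC-to-technique pair, the device types and the vulnerabilities are constructed sample data rather than extracts from ATT&CK or CAPEC, and all class, table and function names are illustrative.

```python
"""Added example, not code from the patent: object-oriented attack description
(S104), the asset-class exploit method, and the traversal that adds attack
nodes and exploit edges. All table entries and sample data are constructed."""


# ---- attack classes: one per tactic; techniques are methods and the
# procedure is the method's return value.
class AttackClass:
    name = ""                # tactic as it would appear as a matrix column
    tactic_description = ""  # tactic description attribute


class InitialAccess(AttackClass):
    name = "Initial Access"
    tactic_description = "Gain a first foothold in the control network"

    def exploitation_of_remote_services(self):
        return "constructed procedure: exploit a listening service on an engineering host"


class ImpairProcessControl(AttackClass):
    name = "Impair Process Control"
    tactic_description = "Manipulate or degrade the physical control process"

    def modify_parameter(self):
        return "constructed procedure: write out-of-range setpoints to the controller"


# Database table: technique -> (attack class, method, object, operation).
TECHNIQUE_DB = {
    "Exploitation of Remote Services":
        (InitialAccess, "exploitation_of_remote_services", "network service", "exploit"),
    "Modify Parameter":
        (ImpairProcessControl, "modify_parameter", "controller", "tamper"),
}
# Direct attack pattern -> technique correspondences (constructed sample).
CAPEC_TO_TECHNIQUE = {"CAPEC-100": "Exploitation of Remote Services"}


# ---- asset classes
class AbstractDevice:
    description = "abstract device"
    applicable = ()  # attack classes whose methods this asset may apply

    def exploit(self, product, vuln_type, attack_pattern, consequence):
        """Return (tactic, technique, procedure) for a vulnerability, or None."""
        technique = CAPEC_TO_TECHNIQUE.get(attack_pattern)
        if technique is None:
            # Fallback query: vulnerability type as the operation field,
            # consequence as the technique or tactic field.
            for cand, (cls, _m, _obj, operation) in TECHNIQUE_DB.items():
                if vuln_type == operation or consequence in (cand, cls.name):
                    technique = cand
                    break
        if technique is None:
            return None
        cls, method, _obj, _op = TECHNIQUE_DB[technique]
        if cls not in self.applicable:
            return None  # no association between this asset and that tactic
        procedure = getattr(cls(), method)()  # procedure = technique return value
        return cls.name, technique, procedure


class IcsDevice(AbstractDevice):
    description = "industrial control device"


class Controller(IcsDevice):
    description = "programmable controller"
    applicable = (InitialAccess, ImpairProcessControl)


class EngineerStation(IcsDevice):
    description = "engineering workstation"
    applicable = (InitialAccess,)


ASSET_CLASSES = {"controller": Controller, "engineer_station": EngineerStation}


def extend_attack_graph(devices, vulns):
    """devices: device node -> device type; vulns: vulnerability node ->
    (device node, product, vulnerability type, attack pattern, consequence).
    Returns the attack information table as rows (number, tactic, technique,
    procedure) and the set of exploit edges (attack number, vulnerability)."""
    table = {}   # (tactic, technique, procedure) -> attack number
    edges = set()
    for vuln, (dev, product, vtype, pattern, consequence) in vulns.items():
        asset = ASSET_CLASSES[devices[dev]]()
        att = asset.exploit(product, vtype, pattern, consequence)
        if att is None:
            continue
        if att not in table:          # new attack information -> new node
            table[att] = len(table) + 1
        edges.add((table[att], vuln, "exploit"))
    rows = [(number,) + att for att, number in table.items()]
    return rows, edges


# Constructed device nodes and vulnerability nodes of an AND/OR attack graph.
DEVICES = {"ENG-1": "engineer_station", "PLC-1": "controller"}
VULNS = {
    "VULN-1": ("ENG-1", "remote-admin-service", "overflow", "CAPEC-100", "code execution"),
    "VULN-2": ("PLC-1", "plc-firmware", "tamper", None, "Impair Process Control"),
    "VULN-3": ("PLC-1", "plc-runtime", "overflow", "CAPEC-100", "code execution"),
}

if __name__ == "__main__":
    for row in extend_attack_graph(DEVICES, VULNS)[0]:
        print(row)
```

VULN-1 and VULN-3 resolve through the attack-pattern correspondence to the same (tactic, technique, procedure) triple, so they share attack node 1 and each receives its own exploit edge; VULN-2 has no pattern and is resolved by the fallback query on its vulnerability type, giving attack node 2. A technique whose tactic is not associated with the asset class is rejected, which is the association relationship of Figure 9 enforced in code.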
Table 4 Attack information table
Referring to Figure 12, which is a schematic structural diagram of a multi-step attack modeling system for industrial control systems provided by an embodiment of the present application, only the parts related to this embodiment are shown for convenience of description, detailed as follows:
A second aspect of the present application provides a multi-step attack modeling system for industrial control systems, comprising an attack graph generation module 100, an AND/OR graph construction module 200, an AND/OR attack graph generation module 300 and an extension module 400.
Attack graph generation module: performs system topology analysis and system vulnerability processing to generate the attack graph;
AND/OR graph construction module: builds the AND/OR graph according to the functional dependencies among the physical component devices;
AND/OR attack graph generation module: generates the AND/OR attack graph from the attack graph and the AND/OR graph;
Extension module: extends the AND/OR attack graph.
It should be noted that the multi-step attack modeling system for industrial control systems in this embodiment is the system embodiment corresponding to the multi-step attack modeling method for industrial control systems described above; for the specific implementation of the software methods in each module of the traffic routing system, reference may be made to the embodiments of Figures 1 to 11, which are not repeated here.
The present invention uses vulnerability information to combine the attack graph of networked devices with the AND/OR graph of non-networked devices into an AND/OR attack graph covering all devices of the industrial control system; it describes the ATT&CK Matrix knowledge base in an object-oriented language and adds attack tactic, technique and procedure information to the AND/OR attack graph to describe multi-step attacks, so that security analysts can grasp the security posture of the industrial control system as a whole. By giving attack knowledge an object-oriented description, the method is extensible and generalizable; it generates multi-step attack graphs for both the networked and the non-networked devices of an industrial control system; and the attack graph can be presented both at the more concrete vulnerability level and at the more abstract level of tactics, techniques and procedures.
Those of ordinary skill in the art will appreciate that the units and algorithm steps of the examples described in conjunction with the embodiments disclosed herein can be implemented in electronic hardware or in a combination of computer software and electronic hardware. Whether these functions are executed in hardware or in software depends on the specific application and design constraints of the technical solution. Skilled persons may use different methods to implement the described functions for each specific application, but such implementations should not be regarded as exceeding the scope of the present application.
The embodiments described above serve only to illustrate the technical solutions of the present application and not to limit them. Although the present application has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present application; they all fall within the scope of protection of the present application.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210438285.1A CN115037508B (en) | 2022-04-25 | 2022-04-25 | A multi-step attack modeling method and system for industrial control systems |
Publications (2)
Publication Number | Publication Date |
---|---|
CN115037508A CN115037508A (en) | 2022-09-09 |
CN115037508B true CN115037508B (en) | 2023-08-22 |
Family ID: 83120021
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202210438285.1A Active CN115037508B (en) | 2022-04-25 | 2022-04-25 | A multi-step attack modeling method and system for industrial control systems |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115037508B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115801400A (en) * | 2022-11-14 | 2023-03-14 | 北京天融信网络安全技术有限公司 | Automatic permeation method and device |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106709613A (en) * | 2015-07-16 | 2017-05-24 | 中国科学院信息工程研究所 | Risk assessment method suitable for industrial control system |
CN107566369A (en) * | 2017-09-05 | 2018-01-09 | 中国南方电网有限责任公司超高压输电公司 | A kind of industry control information system information security isolation and defence efficiency evaluation method |
CN108810034A (en) * | 2018-08-20 | 2018-11-13 | 杭州安恒信息技术股份有限公司 | A kind of safety protecting method of industrial control system information assets |
CN111193728A (en) * | 2019-12-23 | 2020-05-22 | 成都烽创科技有限公司 | Network security evaluation method, device, equipment and storage medium |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8392997B2 (en) * | 2007-03-12 | 2013-03-05 | University Of Southern California | Value-adaptive security threat modeling and vulnerability ranking |
US11281806B2 (en) * | 2018-12-03 | 2022-03-22 | Accenture Global Solutions Limited | Generating attack graphs in agile security platforms |
US20210105293A1 (en) * | 2019-10-07 | 2021-04-08 | Booz Allen Hamilton Inc. | Methods and systems for anomaly detection in a networked control system |
Non-Patent Citations (1)
Title |
---|
Zibo Wang et al., "Attack Graph Generation and Visualization for Industrial Control Network", 2020 39th Chinese Control Conference (CCC), full text * |
Also Published As
Publication number | Publication date |
---|---|
CN115037508A (en) | 2022-09-09 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
Eckhart et al. | Towards security-aware virtual environments for digital twins | |
Abraham et al. | Cyber security analytics: a stochastic model for security quantification using absorbing markov chains | |
Kotenko et al. | Attack modeling and security evaluation in SIEM systems | |
CN105871882A (en) | Network-security-risk analysis method based on network node vulnerability and attack information | |
CN107817756A (en) | Networking DNC system target range design method | |
CN113119124A (en) | Safety protection system of robot control system | |
Karray et al. | Attack tree construction and its application to the connected vehicle | |
CN115037508B (en) | A multi-step attack modeling method and system for industrial control systems | |
Nivethan et al. | Dynamic rule generation for SCADA intrusion detection | |
CN111193640B (en) | A Stateful Data Plane Fault Detection Method Using Policy Decomposition and Symbolic Execution | |
Murillo et al. | High-fidelity cyber and physical simulation of water distribution systems. II: Enabling cyber-physical attack localization | |
CN111698110B (en) | Network equipment performance analysis method, system, equipment and computer medium | |
Ovaz Akpinar et al. | Development of the ECAT preprocessor with the trust communication approach | |
Ján et al. | Intrusion detection system behavior as resource-oriented formula | |
Wolf et al. | Adaptive modelling for security analysis of networked control systems | |
Schneider et al. | Realistic data generation for anomaly detection in industrial settings using simulations | |
Wan et al. | Content-based deep communication control for networked control system | |
CN115484326A (en) | Method, system and storage medium for processing data | |
Fauri et al. | Role inference+ anomaly detection= situational awareness in BACnet networks | |
Rothmaier et al. | Using Spin and Eclipse for optimized high-level modeling and analysis of computer network attack models | |
Almalawi et al. | SCADA Security: Machine Learning Concepts for Intrusion Detection and Prevention | |
Warner | Automatic configuration of programmable logic controller emulators | |
Lois et al. | Designing Secure and Resilient Cyber-Physical Systems Using Formal Models | |
Nguyen | Automated attack tree generation and evaluation: systemization of knowledge | |
Wang et al. | Graph Pre-training for Reconnaissance Perception in Automated Penetration Testing |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||