CN115378734A - Vulnerability screening system and method based on industrial firewall - Google Patents

Abstract

Embodiments of the present application provide a vulnerability screening system and method based on an industrial firewall, which relate to the technical field of industrial control security. The vulnerability screening system based on industrial firewall includes multiple vulnerability screening modules, and different vulnerability screening modules can be used to perform vulnerability screening on different screening targets, so that it can comprehensively and accurately screen various vulnerabilities existing in the industrial control system. Vulnerability issues, such as various security vulnerabilities, security configuration issues, and non-compliance behaviors, the output vulnerability analysis report provides the administrator with vulnerability analysis data before the industrial control system is compromised, so that the administrator can conduct professional and effective vulnerability analysis Analyze and fix.

Description

A vulnerability screening system and method based on industrial firewall

technical field

The embodiments of the present application relate to the technical field of industrial control security, and in particular, relate to a vulnerability screening system and method based on an industrial firewall.

Background technique

With the development of industrial technology, industrial control system has an important position that cannot be ignored in industrial informationization. Industrial control systems are widely used in high-end manufacturing, electric power, energy, transportation, water conservancy and other aspects. The industrial control system is an important part of the country's critical infrastructure and information systems, and it has also become the target of international hostile forces and hackers.

For example, in 2014, a new type of attack targeting industrial control systems—Havex—has many variants and great harm. Another example is that in March 2019, the Venezuelan power system suffered a large-scale network outage across the country. Such industrial control security incidents are caused by attackers using the "loopholes" of the industrial control system to launch attacks on the entire industrial control system. It can be seen that for important basic industrial facilities, how to find vulnerabilities before attackers attack is an urgent problem to be solved.

Contents of the invention

Embodiments of the present application provide a vulnerability screening system and method based on an industrial firewall to improve the above problems.

In the first aspect, the embodiment of the present application provides a vulnerability screening system based on an industrial firewall. This vulnerability screening system based on industrial firewall includes: a vulnerability screening module, the vulnerability screening module includes a plurality of vulnerability screening modules, and different vulnerability screening modules have different screening functions; a data management module, the data The management module is connected with the vulnerability screening module, and is used to manage the vulnerability analysis report uploaded by the vulnerability screening module; the webpage interface module, the webpage interface module is connected with the vulnerability screening module and the data management module respectively , the web page interface module interacts with the user through the SSL encrypted channel and the browser.

In a second aspect, the embodiment of the present application provides a vulnerability screening method based on an industrial firewall, which is applied to the aforementioned vulnerability screening system based on an industrial firewall. The vulnerability screening method based on the industrial firewall includes: when the above-mentioned vulnerability screening system based on the industrial firewall is used to find the screening target, the vulnerability screening system based on the industrial firewall obtains the target information of the screening target, the The target information is determined according to the screening target; the vulnerability screening system based on the industrial firewall performs vulnerability screening and analysis on the screening target according to the obtained target information to determine whether there is a security hole in the screening target .

The embodiment of the present application provides a vulnerability screening system and method based on an industrial firewall. The vulnerability screening system based on an industrial firewall includes a plurality of vulnerability screening modules, and different vulnerability screening modules can be used for different screening targets. Vulnerability screening, so that various vulnerabilities in industrial control systems can be comprehensively and accurately screened, such as various security vulnerabilities, security configuration problems and non-compliance behaviors, and the output vulnerability analysis report is compromised in the industrial control system Previously, administrators were provided with vulnerability analysis data, so that administrators can conduct professional and effective vulnerability analysis and patching.

Description of drawings

In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings that need to be used in the description of the embodiments will be briefly introduced below. Obviously, the drawings in the following description are only some embodiments of the present application. For those skilled in the art, other drawings can also be obtained based on these drawings without any creative effort.

Fig. 1 is the institutional block diagram of the vulnerability screening system based on industrial firewall provided by an embodiment of the present application;

FIG. 2 is a schematic diagram of a network topology diagram under a stand-alone deployment management mechanism provided by an exemplary embodiment of the present application;

FIG. 3 is a schematic diagram of a network topology diagram under a distributed management mechanism provided by an exemplary embodiment of the present application;

Fig. 4 is a schematic flowchart of a vulnerability screening method based on an industrial firewall provided by an embodiment of the present application.

Detailed ways

In order to enable those skilled in the art to better understand the solutions of the present application, the technical solutions in the embodiments of the present application will be clearly and completely described below in conjunction with the drawings in the embodiments of the present application.

Please refer to FIG. 1 . FIG. 1 is a structural block diagram of a vulnerability screening system based on an industrial firewall provided by an embodiment of the present application. The vulnerability screening system 100 based on an industrial firewall includes a plurality of vulnerability screening modules 110 , a data management module 120 and a web interface module 130 connected to each other. The vulnerability screening system 100 based on the industrial firewall adopts a browser/server (Browser/Server, B/S) management mode and a Linux system. The vulnerability screening system 100 based on the industrial firewall includes a business database, a knowledge base and a compliance database. These databases are called during the vulnerability screening process, and the content contained in these databases can be dynamically set and changed according to actual needs. The vulnerability screening system 100 based on the industrial firewall is deployed on a separate link of the core switch.

Different vulnerability screening modules in the plurality of vulnerability screening modules 110 have different screening functions. Multiple vulnerability screening modules 110 may perform vulnerability screening and analysis on multiple screening targets, and generate vulnerability analysis reports corresponding to each of the multiple vulnerability screening modules 110 . Multiple vulnerability screening modules 110 may send the vulnerability analysis report to the data management module 120, so that the data management module 120 stores and manages the vulnerability analysis report for subsequent reference or call. Multiple vulnerability screening modules 110 may also send vulnerability analysis reports to users at the same time, so that users can perform corresponding operations based on the vulnerability analysis reports, such as patching operations.

The data management module 120 is connected to a plurality of vulnerability screening modules 110 for managing the vulnerability analysis reports uploaded by the plurality of vulnerability screening modules 130 . Referring to FIG. 1 for details, the data management module 120 may include a report management submodule, and the report management submodule may be used for report management.

In some optional implementation manners, the data management module 120 may include multiple management sub-modules to manage different system data respectively. A plurality of management sub-modules can be set according to actual management requirements. As an example, as shown in FIG. module. It should be noted that each management sub-module can independently manage data and perform corresponding decision-making operations. For example, the upgrade cycle can be set in the upgrade management submodule. After the vulnerability screening system 100 based on the industrial firewall is deployed or upgraded, the upgrade management submodule can set a timer to start counting. Online upgrade or local upgrade with software, so as to ensure the real-time and accuracy of the vulnerability screening system 100 based on the industrial firewall, and improve system security.

The web interface module 130 is connected to a plurality of vulnerability screening modules 110 and the data management module 120 respectively. The web interface module 130 outputs the vulnerability analysis report to the user through a secure socket layer (Secure Socket Layer, SSL) encrypted channel and a WEB browser. Among them, SSL is a security and confidentiality protocol, and an SSL encrypted channel refers to an encrypted secure channel constructed between a browser and a WEB server. The user can use the browser to interact with the web interface module through the SSL encrypted channel, so that the user can manage the vulnerability screening system 100 based on the industrial firewall. As shown in FIG. 1 , users may include but not limited to administrators, auditors, and operators.

In some optional implementations, as shown in Figure 1, multiple vulnerability screening modules 110 may include an industrial control vulnerability screening module 111, a system vulnerability screening module 112, a WEB vulnerability screening module 113, and a database security screening module 114. A security baseline screening module 115 and an APP vulnerability screening module 116.

The industrial control vulnerability screening module 111 can be used to perform vulnerability screening and analysis on pre-designated screening targets in the industrial control system, and generate a corresponding vulnerability analysis report. The pre-specified screening target may be a screening target specified by a user or a screening target determined by the industrial firewall-based vulnerability screening system 100 . The industrial control vulnerability screening module 111 supports remote and non-contact vulnerability screening, which can reduce economic risks caused by industrial control vulnerabilities during the security vulnerability screening process of the industrial control system.

In some optional implementation manners, the pre-designated screening target may be a specific device or system in the industrial control system. Specific equipment or systems may include, but are not limited to, supervisory control and data acquisition (SCADA), distributed control system (Distributed Control System, DCS), programmable logic controller (Programmable Logic Controller, PLC) and other control systems.

In some optional implementation manners, the industrial control vulnerability screening module 111 can also check the security of protocols such as ModbusTCP and S7 based on Ethernet Transmission Control Protocol/Internet Protocol (Transmission Control Protocol/Internet Protocol, TCP/IP). Vulnerabilities are screened and analyzed.

In some optional implementation manners, the industrial control vulnerability screening module 111 may also perform vulnerability screening on information technology (Information Technology, IT) equipment or systems used in traditional industrial control systems.

The system vulnerability screening module 112 is used for performing vulnerability screening and analysis on operating systems, application services, databases and network devices, and generating corresponding vulnerability analysis reports. The Windows operating systems supported by the system vulnerability screening module 112 include but are not limited to NT, 2000, XP, 2003, Win7, Win10, 2008, 2012, 2016 and so on. The Linux operating systems supported by the system vulnerability screening module 112 include but are not limited to Amazon Linux, CentOS, Debian, Fedora, Red Hat, SuSE, and Ubuntu. The Unix operating systems supported by the system vulnerability screening module 112 include but are not limited to AIX, FreeBSD, HP-UX, Solaris, and Mac OS X. The application services supported by the system vulnerability screening module 112 may include but not limited to Microsoft Internet Explorer, PHP, IIS, Apache, Tomcat, PHP, and Adobe Flash. The databases supported by the system vulnerability screening module 112 include but not limited to Oracle, MySQL, SQL Server, DB2, Informix, MsSQL, and SyBase. The virtualization platforms supported by the system vulnerability screening module 112 include but not limited to Vmware EXSi and XenServer. The security devices supported by the system vulnerability screening module 112 include juniper and netgod, etc.

The system vulnerability screening module 112 may also include, but not limited to, an intelligent service identification function, an authorized login screening function, and a security optimization screening function. For example, when the smart service identification function is activated, the system vulnerability screening module 112 may determine which application service the screening target belongs to according to the above application services. When the authorized login screening function is started, the system vulnerability screening module 112 can start vulnerability screening only after the user is authorized to log in. When the security optimization screening function is started, the system vulnerability screening module 112 will obtain more screening data on the basis of the original vulnerability screening, and select a more accurate and complex algorithm to perform vulnerability screening on the screening target.

It should be noted that when the system vulnerability screening module 112 is running, other modules (such as the industrial control vulnerability screening module 111, the WEB vulnerability screening module 113, The database security screening module 114, the security baseline screening module 115, and the APP vulnerability screening module 116) do not operate, because the system vulnerability screening module 112 screens the screening target as a whole, and other screening modules focus on a certain side screening. Compared with the screening results of the system vulnerability screening module 112, the screening results of other screening modules are more accurate, and the screening results of the system vulnerability screening module 112 are more comprehensive than those of other single screening modules. Performing vulnerability screening at the same time as other screening modules consumes fewer computing resources and shorter computing time.

The WEB vulnerability screening module 113 is used for performing vulnerability screening and analysis on the WEB application, and generating a corresponding vulnerability analysis report. The WEB vulnerability screening module 113 supports OWASP TOP 10 vulnerability screening, for example, SQL injection, cross-site scripting attack XSS, website Trojan horse, web page Trojan horse, and CGI vulnerability. Among them, the OWASP Top 10 is established by the Open WEB Application Security Project, which provides free articles and other information on WEB application security. The protocols supported by the WEB vulnerability screening module 113 may include but not limited to Hypertext Transfer Protocol (Hyper Text Transfer Protocol, HTTP) and HTTPS, etc., wherein the HTTPS protocol is composed of HTTP plus Transport Layer Security (Transport Layer Security, TLS) protocol/SSL A network protocol constructed by the protocol that can perform encrypted transmission and identity authentication. The WEB servers supported by the WEB vulnerability screening module 113 may include but not limited to IIS, Websphere, Weblogic, Apache, Tomcat, and Nginx. The programming languages supported by the WEB vulnerability screening module 113 may include but not limited to Asp, Jsp, .Net, J2EE, and Php. The database types supported by the WEB vulnerability screening module 113 may include but not limited to Access, MySQL, Oracle, DB2, PostgreSQL, SyBase, Informix, sqlite, and MSSQL SERVER. The third-party components supported by the WEB vulnerability screening module 113 may include but not limited to WordPress, eWebEditor, FCKeditor, Struts2 and other common third-party components at home and abroad.

The WEB vulnerability screening module 113 can parse and screen json and base64 data, and supports custom cookies for in-depth screening. The WEB vulnerability screening module 113 supports web vulnerability screening based on authentication methods such as basic and cookies. The WEB vulnerability screening module 113 also supports passive screening, and supports users to input urls, so that some urls that cannot be screened by conventional page crawling software can be screened, so that users can timely discover security loopholes existing in WEB websites and avoid information security incidents happened.

The WEB vulnerability screening module 113 is also used to verify the screened WEB vulnerabilities by adopting a WEB vulnerability verification mechanism. Specifically, the test data packets found during vulnerability screening can be recorded for evidence collection. For injection vulnerabilities, the database type can be automatically identified, and the instance name/database name (InstanceName) and user name (UserName) can be obtained, thereby effectively reducing the false positive rate.

The database security screening module 114 is used for performing vulnerability screening and analysis on various databases, and generating corresponding vulnerability analysis reports. Databases include but are not limited to Oracle, Mysql, Sqlserver, Sybase, DB2, Informix, Postgresql, Kingbase, and Dameng. The vulnerability screening strategy adopted by the database security screening module 114 may include, but not limited to, authority bypassing vulnerabilities, SQL injection vulnerabilities, and access control vulnerabilities.

The database security screening module 114 includes two vulnerability screening methods, namely authorized screening and unauthorized screening. Users can choose the vulnerability screening method in different scenarios (authorization or not), and select the corresponding vulnerability screening strategy to realize the security screening of the database. After the screening is completed, the screening analysis report is automatically generated, and the screening analysis report includes the screening analysis report. Detailed description of the detected vulnerabilities and suggestions for repairing, so that users can discover the security holes in the database in time and ensure the security of users' data.

The database security screening module 114 can also compare database objects and binary files to determine potential Trojan horses in the data center.

The security baseline screening module 115 is used to perform vulnerability screening and analysis on the system baseline under the current vulnerability screening network, and generate a corresponding vulnerability analysis report. The security baseline screening module 115 provides professional configuration hardening suggestions and compliance reports. The operating systems supported by the security baseline screening module 115 may include, but are not limited to, Windows, Linux (Centos, Debian, Fedora, Redhat, Suse, and Ubuntu, etc.), Unix (Aix, HP-UX, and Solaris, etc.) Kirin and Red Flag, etc.), etc. The middleware supported by the security baseline screening module 115 may include, but not limited to, IIS, Apache, Tomcat, Weblogic, Websphere, Nginx, Jboss, and Resin. The databases supported by the security baseline screening module 115 may include, but not limited to, Oracle, Mysql, DB2, Informix, Mssql, and Sybase. The virtualization platforms supported by the security baseline screening module 115 may include but not limited to Vmware EXSi, XenServer and so on. The security devices supported by the security baseline screening module 115 may include, but are not limited to, juniper, netgod, and the like.

The security baseline screening module 115 supports multiple protocols to remotely log in to the system for baseline screening, including but not limited to Server Message Block (SMB), Remote Terminal Protocol (Telnet Protocol) and Secure Shell Protocol (Secure Shell Protocol, SSH), etc. The security baseline screening module 115 supports agent local screening and provides a dedicated Windows configuration checking tool. The security baseline screening module 115 supports online device baseline screening and offline device baseline screening. The baseline screening process only checks the system configuration and does not make any changes to the system configuration, thereby ensuring business continuity and business security, making the security configuration maintenance work orderly, simple, and easy to operate, which is convenient for users to timely discover information systems. Unsafe configurations to improve the security protection level of the target system.

The APP vulnerability screening module 116 is used to screen and analyze APP vulnerabilities in a static analysis manner, and generate a corresponding vulnerability analysis report. By using static analysis, security risks such as component security, configuration security, data security, and malicious behavior in the Android application package (APK) can be accurately discovered, thereby greatly improving the security of mobile APPs and avoiding vulnerabilities caused by APPs. cause loss of business.

In some optional implementation manners, the multiple vulnerability screening modules 110 also include a WIFI security screening module. The WIFI security screening module is used to screen and analyze vulnerabilities of WIFI wireless networks, and generate corresponding vulnerability analysis reports. Specifically, the access point and WIFI channel can be identified, and information such as the server identifier (Service Set Identifier, SSID), hardware manufacturer, and MAC address and the corresponding MAC address of the client connected to each wireless node can be searched out. In addition, multiple vulnerability screening modules 110 can also perform weak password screening on WIFI, and generate a vulnerability analysis report.

In some optional implementation manners, the multiple vulnerability screening modules 110 also include a big data vulnerability screening module. The big data vulnerability screening module is used to perform vulnerability screening and security compliance inspection on big data components, and generate statistical analysis reports. Security configuration compliance checks may include, but are not limited to, Hadoop, Spark, Hbase, Solr, and ES. By generating statistical analysis reports, detailed vulnerability descriptions and vulnerability repair suggestions can be provided, thereby enhancing the compliance of the security of each component of the big data platform.

In some optional implementations, after vulnerability screening is performed to generate screening results, multiple vulnerability screening modules 110 can analyze the screening results in the form of reports and graphs respectively, and generate multiple vulnerability screening modules 110 Corresponding vulnerability analysis report, which includes vulnerability risk level, vulnerability category, vulnerability description, vulnerability type, and vulnerability solution. Vulnerability screening system 100 based on industrial firewalls provides related vulnerabilities, including records of international authoritative organizations supported by Common Vulnerabilities & Exposures (CVE) numbers and links related to manufacturers' patches, so that administrators and ordinary users can quickly and accurately Solve various security issues in a timely manner, so that users can learn more about a certain host or detailed information about a certain vulnerability. Vulnerability analysis reports can provide administrators, technicians, security experts, and custom reports. The output format of vulnerability analysis reports can include but not limited to file formats with .html, .doc, .docx, or .pdf suffixes. At the same time, the screening results can be correlated with the compliance library of information security level protection to generate a level protection evaluation report that meets the requirements of the specification.

In some optional implementation manners, the industrial firewall-based vulnerability screening system 100 includes a stand-alone deployment management mechanism and a distributed management mechanism. The vulnerability screening system 100 based on an industrial firewall also includes a decision module, which is used to determine that the vulnerability screening system 100 based on an industrial firewall adopts a distributed network when the current vulnerability screening network is a distributed network. The management mechanism performs vulnerability screening, or when it is detected that the current vulnerability screening network is not a distributed network, it is determined that the industrial firewall-based vulnerability screening system 100 adopts a stand-alone deployment management mechanism for vulnerability screening. As an example, a network topology diagram using a single-machine deployment management mechanism is shown in FIG. 2 , and a network topology diagram using a distributed management mechanism is shown in FIG. 3 . It can be seen that when the distributed management mechanism is adopted, the vulnerability screening system based on the industrial firewall at the lower level will upload the screening results or the screening analysis report to the vulnerability screening system based on the industrial firewall at the upper level. Or the lower-level vulnerability screening system based on industrial firewalls can also upload the target information of the screening targets obtained to the above-mentioned vulnerability screening system based on industrial firewalls, so that the upper-level vulnerability screening system based on industrial firewalls can uniformly perform vulnerability screening. Check and analyze operations.

In some optional implementations, the industrial firewall-based vulnerability screening system 100 also includes a Windows security hardening module, and the Windows security hardening module is used to perform security hardening on the Windows operating system, wherein the hardening content may include but not It is limited to configuration management, network management, access management, log audit, and malicious code prevention. The configuration management may include but not limited to host configuration, user policy, identity authentication, patch management, and software management. Network management may include, but is not limited to, service ports and firewalls, etc. Access management may include but not limited to peripheral management, autoplay, remote login and wireless network card, etc. Malicious code prevention may include but not limited to data protection and antivirus software.

In some optional implementations, the industrial firewall-based vulnerability screening system 100 also includes a screening preparation module, which is used to find the screening target and the screening target in the current vulnerability screening network. Target information of the screening target, the target information is determined according to the screening target. The screening targets may include, but are not limited to, surviving hosts, network devices, and databases in the current vulnerability screening network. Target information may include but not limited to host name, IP address, port, operating system, software version, person in charge, and region. With the Screening Preparation module, you can prepare for vulnerability screening.

In some optional implementation manners, the industrial firewall-based vulnerability screening system 100 further includes a network topology generation module, which is configured to generate a network topology map under the current vulnerability screening network. The network topology diagram may be as shown in FIG. 2 or FIG. 3 . The network topology generation module is a dynamic module. Users can modify the network topology generation module and perform query operations on the network topology generation module, such as querying the detailed information of each asset. The network topology generation module supports asset export and import, which is convenient for users to quickly discover and count the information assets of the entire network, and understand the security risk level of each asset.

The vulnerability screening system based on the industrial firewall provided by the embodiment of the present application includes multiple vulnerability screening modules, and different vulnerability screening modules can be used to perform vulnerability screening on different screening targets, so that the industrial firewall can be screened comprehensively and accurately. Various vulnerability problems in the control system, such as various security vulnerabilities, security configuration problems and non-compliance behaviors, provide the administrator with vulnerability analysis data before the industrial control system is compromised through the output vulnerability analysis report, so that the administrator Professional and effective vulnerability analysis and patching are possible.

Please refer to FIG. 4 . FIG. 4 is a schematic flowchart of a vulnerability screening method based on an industrial firewall provided by an embodiment of the present application. The vulnerability screening method based on an industrial firewall can be applied to the above-mentioned vulnerability screening system 100 based on an industrial firewall shown in FIG. 1 . The vulnerability screening method based on industrial firewall may include the following steps S110-S120.

Step S110, when the vulnerability screening system based on the industrial firewall is used to find the screening target, the vulnerability screening system based on the industrial firewall acquires the target information of the screening target, and the target information is determined according to the screening target .

Among them, the screening target refers to the equipment or system or protocol that needs to be screened for vulnerabilities. As mentioned above, screening targets may include but not limited to surviving hosts, network devices, and databases in the current vulnerability screening network.

The target information has a mapping relationship with the screening target, and the mapping relationship may be one of one-to-one mapping, one-to-many mapping, many-to-one mapping, and many-to-many mapping. The mapping relationship can be preset and stored in the system, so that target information corresponding to the screening target can be directly obtained according to the screening target. Target information may include but not limited to host name, Internet Protocol (Internet Protocol, IP) address, port, operating system, software version, person in charge, and region.

In some optional implementations, the vulnerability screening system based on the industrial firewall can sort the devices or systems connected to it according to a preset order, and determine the devices or systems connected to it as screening targets in sequence according to the sorting order. Wherein, the preset sequence may be set according to actual requirements, for example, the preset sequence may be a device or system access sequence.

In some optional implementations, the vulnerability screening system based on the industrial firewall can set different vulnerability screening cycles for the devices or systems connected to it, and determine the screening targets from the devices and systems connected to it according to the vulnerability screening cycle . The vulnerability screening cycle can be set according to actual needs, for example, the vulnerability screening cycle can be one week, one day, or one month.

In step S120, the industrial firewall-based vulnerability screening system performs vulnerability screening and analysis on the screening target according to the acquired target information, so as to determine whether the screening target has security vulnerabilities.

In some optional implementation manners, the vulnerability screening system based on the industrial firewall can determine the type of the screening target, and use a vulnerability screening module corresponding to the type of the screening target to perform vulnerability screening and analysis on the screening target . For example, if the screening target is a database, the database security screening module can be used to screen and analyze vulnerabilities in the database.

In some optional implementation manners, if there are multiple screening targets, the vulnerability screening modules corresponding to the multiple screening targets may be used in parallel to perform vulnerability screening and analysis on the multiple screening targets respectively. For example, if the screening targets include databases, WEB applications, and system baselines, you can use the database security screening module to screen and analyze vulnerabilities in databases, use the WEB vulnerability screening module to screen and analyze vulnerabilities in WEB applications, and use the security baseline The screening module performs vulnerability screening and analysis on the system baseline. This can improve screening accuracy and efficiency.

In some optional implementations, after the screening target is screened for vulnerabilities, a screening analysis report can be generated, further, the screening analysis report can be notified to the user by email or telephone, and corresponding preventive measures can be provided Suggest. If there are multiple screening targets, the priority of the screening target can be obtained, and multiple screening analysis reports are sent to the user in sequence according to the priority of the screening target. Among them, the priority can be customized. Usually, the priority of the database and the operating system is higher than that of the application service.

The vulnerability screening method based on the industrial firewall provided by the embodiment of the present application, through the vulnerability screening system based on the industrial firewall including multiple vulnerability screening modules, different vulnerability screening modules can be used to perform vulnerability screening for different screening targets In this way, various vulnerability problems in the industrial control system can be comprehensively and accurately screened, such as various security vulnerabilities, security configuration problems and non-compliance behaviors. Administrators provide vulnerability analysis data so that administrators can conduct professional and effective vulnerability analysis and repair.

In summary, the embodiments of the present application provide a vulnerability screening system and method based on an industrial firewall, which relate to the technical field of industrial control security. The vulnerability screening system based on industrial firewall includes multiple vulnerability screening modules, and different vulnerability screening modules can be used to perform vulnerability screening on different screening targets, so that it can comprehensively and accurately screen various vulnerabilities existing in the industrial control system. Vulnerability issues, such as various security vulnerabilities, security configuration issues, and non-compliance behaviors, the output vulnerability analysis report provides the administrator with vulnerability analysis data before the industrial control system is compromised, so that the administrator can conduct professional and effective vulnerability analysis Analyze and fix.

Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present application, rather than to limit them. Although the present application has been described in detail with reference to the aforementioned embodiments, those skilled in the art should understand that: they can still modify the technical solutions described in the aforementioned embodiments, or perform equivalent replacements for some of the technical features; and these modifications or The replacement does not make the essence of the corresponding technical solutions deviate from the spirit and scope of the technical solutions of the various embodiments of the present application.

Claims (10)

1. A vulnerability screening system based on industrial firewall, characterized in that, comprising: Multiple vulnerability screening modules, different vulnerability screening modules have different screening functions; A data management module, the data management module is connected to the plurality of vulnerability screening modules, and is used to manage the vulnerability analysis reports uploaded by the plurality of vulnerability screening modules; A webpage interface module, the webpage interface module is respectively connected with the plurality of vulnerability screening modules and data management modules, and the webpage interface module outputs the vulnerability analysis report to the user through an SSL encrypted channel and a browser. 2. The system according to claim 1, wherein the plurality of vulnerability screening modules include an industrial control vulnerability screening module, a system vulnerability screening module, a WEB vulnerability screening module, a database security screening module, and a security baseline Screening module and APP vulnerability screening module, in which: The industrial control vulnerability screening module is used to perform vulnerability screening and analysis on pre-designated screening targets in the industrial control system, and generate a corresponding vulnerability analysis report; The system vulnerability screening module is used to perform vulnerability screening and analysis on operating systems, application services, databases, and network devices, and generate corresponding vulnerability analysis reports. When the system vulnerability screening module is running, the multiple Other modules in the vulnerability screening module except the system vulnerability screening module do not run; The WEB vulnerability screening module is used to screen and analyze the vulnerabilities of WEB applications, and generate corresponding vulnerability analysis reports. authenticating; The database security screening module is used for performing vulnerability screening and analysis on various databases, and generating a corresponding vulnerability analysis report; The security baseline screening module is used to perform vulnerability screening and analysis on the system baseline under the current vulnerability screening network, and generate a corresponding vulnerability analysis report; The APP vulnerability screening module is used to screen and analyze APP vulnerabilities in a static analysis manner, and generate a corresponding vulnerability analysis report. 3. system according to claim 1, is characterized in that, described a plurality of vulnerability screening modules also comprise WIFI security screening module, described WIFI security screening module is used for carrying out vulnerability screening and analysis to WIFI wireless network , and generate the corresponding vulnerability analysis report. 4. The system according to claim 1, wherein the multiple vulnerability screening modules also include a big data vulnerability screening module, and the big data vulnerability screening module is used to perform vulnerability screening on big data components and security compliance checks, and generate statistical analysis reports. 5. The system according to any one of claims 2-4, characterized in that, after the vulnerability screening is performed to generate screening results, the plurality of vulnerability screening modules use the forms of reports and graphs to analyze the Analyze the inspection results, and generate vulnerability analysis reports corresponding to each of the plurality of vulnerability screening modules, wherein the report content includes vulnerability risk level, vulnerability category, vulnerability description, vulnerability type and vulnerability solution. 6. The system according to claim 1, wherein the vulnerability screening system based on the industrial firewall includes a stand-alone deployment management mechanism and a distributed management mechanism, and the vulnerability screening system based on the industrial firewall also includes a decision-making module , the decision-making module is used to determine that the vulnerability screening system based on the industrial firewall adopts a distributed management mechanism for vulnerability screening when the current vulnerability screening network is a distributed network, or when the current vulnerability screening network is detected When the screening network is not a distributed network, it is determined that the vulnerability screening system based on the industrial firewall adopts a stand-alone deployment management mechanism for vulnerability screening. 7. The system according to claim 1, wherein the vulnerability screening system based on the industrial firewall also includes a Windows security hardening module, and the Windows security hardening module is used to carry out security hardening to the Windows operating system, wherein the hardening The contents include configuration management, network management, access management, log audit and malicious code prevention. 8. The system according to claim 1, wherein the vulnerability screening system based on the industrial firewall also includes a screening preparation module, and the screening preparation module is used to find the screening in the current vulnerability screening network A target and target information of the screening target, the target information is determined according to the screening target. 9. The system according to claim 1, wherein the vulnerability screening system based on the industrial firewall also includes a network topology generation module, the network topology generation module is used to generate the network topology under the current vulnerability screening network picture. 10. A vulnerability screening method based on industrial firewall, characterized in that, comprising: When using the vulnerability screening system based on industrial firewall according to any one of claims 1-9 to find the screening target, the vulnerability screening system based on industrial firewall obtains the target information of the screening target, the The target information is determined according to the screening target; The vulnerability screening system based on the industrial firewall performs vulnerability screening and analysis on the screening target according to the obtained target information, so as to determine whether the screening target has security vulnerabilities.

Images